diff --git a/.github/scripts/helm-repos.sh b/.github/scripts/helm-repos.sh
index 771d9523..a96bf63d 100755
--- a/.github/scripts/helm-repos.sh
+++ b/.github/scripts/helm-repos.sh
@@ -5,3 +5,4 @@ helm repo add vector https://helm.vector.dev
 helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
 helm repo add cert-manager https://charts.jetstack.io
 helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
+helm repo add victoria-metrics https://victoriametrics.github.io/helm-charts
\ No newline at end of file
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 4e289d51..1179c8ac 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -22,7 +22,7 @@ jobs:
 # - uses: actions/setup-go@v2
 with:
- go-version: '1.17.2'
+ go-version: '1.23.0'
 - name: Install extra tooling
 run: |
@@ -56,7 +56,7 @@ jobs:
 - name: Install Helm
 uses: azure/setup-helm@v1
 with:
- version: v3.7.2
+ version: v3.15.3
 - name: Add dependency chart repos
 run: ./.github/scripts/helm-repos.sh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d4f2f92c..87d91162 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -31,7 +31,7 @@ jobs:
 - uses: actions/setup-go@v2
 with:
- go-version: "1.17.2"
+ go-version: '1.23.0'
 - name: Install extra tooling
 run: |
@@ -57,7 +57,7 @@ jobs:
 - name: Set up Helm
 uses: azure/setup-helm@v3
 with:
- version: v3.12.1
+ version: v3.15.3
 - uses: actions/setup-python@v2
 with:
@@ -69,7 +69,7 @@ jobs:
 - name: Setup polaris
 uses: fairwindsops/polaris/.github/actions/setup-polaris@master
 with:
- version: 8.2.4
+ version: 9.2.1
 - name: Run chart-testing (lint)
 run: |
@@ -79,7 +79,7 @@ jobs:
 - name: Run chart-testing (list-changed)
 id: list-changed
 run: |
- changed=$(ct list-changed --target-branch main)
+ changed=$(ct list-changed --target-branch main --excluded-charts aoi)
 if [[ -n "$changed" ]]; then
 echo "changed=true" >> $GITHUB_OUTPUT
 fi
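Review bot: The added `helm repo add victoria-metrics` line leaves helm-repos.sh without a trailing newline (`\ No newline at end of file`), so the next appended repository will land on the same shell line; end the file with a newline. The script registers the repository as `https://victoriametrics.github.io/helm-charts`, while Chart.yaml and Chart.lock in this same commit reference it with a trailing slash, `https://victoriametrics.github.io/helm-charts/`; whether Helm's dependency resolution treats both spellings as the same repository depends on the Helm version in use, so using one spelling in both places avoids a "no repository definition" failure in `helm dependency build`. Since the subcharts are pulled over HTTPS with no further pinning, the committed Chart.lock digest is the only integrity check on them; keep it committed and refreshed together with version bumps.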
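Review bot: `--excluded-charts aoi` in the `ct list-changed` step removes the very chart this commit introduces from CI, and the `ct install` hunk further down in ci.yaml (`@@ -110,4 +110,4`) excludes it again, so the new chart is neither install-tested nor, as far as the diff shows, linted, and `charts/aoi/ci/default-values.yaml` is never exercised (the `ct lint` command itself is outside the hunks, so I cannot tell whether lint still covers it). If the exclusion exists because the ct cluster lacks the chart's prerequisites (Flux HelmRelease/HelmRepository CRDs, the priority class named in the ci values), a comment on the line stating that, e.g. `# aoi is excluded: its templates need Flux CRDs and priority classes absent from the ct cluster`, keeps the exclusion from silently becoming permanent. Keeping at least `ct lint` running for the chart would still catch template and schema errors without needing a cluster.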
@@ -110,4 +110,4 @@ jobs:
 if: steps.list-changed.outputs.changed == 'true'
 - name: Run chart-testing (install)
- run: ct install --config ct.yaml
+ run: ct install --config ct.yaml --excluded-charts aoi
diff --git a/charts/aoi/.gitignore b/charts/aoi/.gitignore
new file mode 100644
index 00000000..d2fc6872
--- /dev/null
+++ b/charts/aoi/.gitignore
@@ -0,0 +1,2 @@
+# Ignore dependencies downloaded by helm
+charts/
\ No newline at end of file
diff --git a/charts/aoi/.helmignore b/charts/aoi/.helmignore
new file mode 100644
index 00000000..02694846
--- /dev/null
+++ b/charts/aoi/.helmignore
@@ -0,0 +1,2 @@
+.gitignore
+CHANGELOG.md
\ No newline at end of file
diff --git a/charts/aoi/CHANGELOG.MD b/charts/aoi/CHANGELOG.MD
new file mode 100644
index 00000000..3e94b9e0
--- /dev/null
+++ b/charts/aoi/CHANGELOG.MD
@@ -0,0 +1 @@
+# WiP
\ No newline at end of file
diff --git a/charts/aoi/Chart.lock b/charts/aoi/Chart.lock
new file mode 100644
index 00000000..5e709518
--- /dev/null
+++ b/charts/aoi/Chart.lock
@@ -0,0 +1,15 @@
+dependencies:
+- name: grafana
+ repository: https://grafana.github.io/helm-charts
+ version: 7.3.7
+- name: victoria-metrics-single
+ repository: https://victoriametrics.github.io/helm-charts/
+ version: 0.9.17
+- name: victoria-metrics-single
+ repository: https://victoriametrics.github.io/helm-charts/
+ version: 0.9.17
+- name: victoria-metrics-alert
+ repository: https://victoriametrics.github.io/helm-charts/
+ version: 0.9.4
+digest: sha256:63740c51ac34e8d7d64616b5e8e47f3b6cfc14383a445f8ac51ff8e7b9fbb71f
+generated: "2024-09-04T09:41:39.608788+02:00"
diff --git a/charts/aoi/Chart.yaml b/charts/aoi/Chart.yaml
new file mode 100644
index 00000000..9d11efb1
--- /dev/null
+++ b/charts/aoi/Chart.yaml
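Review bot: The `.helmignore` entry `CHANGELOG.md` does not match the file this commit actually adds, `charts/aoi/CHANGELOG.MD`; helmignore patterns are matched case-sensitively on Linux, so the changelog is still packaged into the chart archive despite the intent. Either rename the file to the conventional `CHANGELOG.md` or change the ignore entry to `CHANGELOG.MD`. Both ignore files also end without a trailing newline (`\ No newline at end of file`), which is harmless here but tends to produce noisy diffs on the next edit.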
@@ -0,0 +1,32 @@
+apiVersion: v2
+name: aoi
+description: A Helm chart for Netic application operations infrastructure
+type: application
+version: 0.1.20
+home: https://github.com/neticdk/k8s-oaas-observability
+sources:
+ - https://github.com/neticdk/k8s-oaas-observability
+maintainers:
+ - name: alex5517
+ email: ash@netic.dk
+ - name: mathiasfm
+ email: mfm@netic.dk
+dependencies:
+ - name: grafana
+ version: 7.3.7
+ repository: https://grafana.github.io/helm-charts
+ condition: grafana.enabled
+ - name: victoria-metrics-single
+ alias: victoria-metrics-single-1
+ version: 0.9.17
+ repository: https://victoriametrics.github.io/helm-charts/
+ condition: global.tsdb.enabled
+ - name: victoria-metrics-single
+ alias: victoria-metrics-single-2
+ version: 0.9.17
+ repository: https://victoriametrics.github.io/helm-charts/
+ condition: global.tsdb.high_availability.enabled
+ - name: victoria-metrics-alert
+ version: 0.9.4
+ repository: https://victoriametrics.github.io/helm-charts/
+ condition: alerting.enabled
diff --git a/charts/aoi/README.md b/charts/aoi/README.md
new file mode 100644
index 00000000..5d4e27a8
--- /dev/null
+++ b/charts/aoi/README.md
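Review bot: The `victoria-metrics-single-2` dependency is conditioned only on `global.tsdb.high_availability.enabled`, whereas `victoria-metrics-single-1` is conditioned on `global.tsdb.enabled`, so a values file with `global.tsdb.enabled: false` and the HA flag on still installs the second TSDB replica with no first replica to pair with. Helm evaluates only the first valid path of a comma-separated `condition`, so the "both flags" rule cannot be expressed in Chart.yaml alone; either document in values that `high_availability.enabled` presupposes `tsdb.enabled`, or have the chart `fail` on that combination in a template. Separately, the chart declares no `appVersion`, so the `app.kubernetes.io/version` label that `aoi.labels` in `_helpers.tpl` emits conditionally is never rendered; add `appVersion` if that label is wanted. The exact version pins and the committed Chart.lock are good; the trailing-slash repository URL here differs from the one added to `helm-repos.sh` in this commit and the two should agree.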
@@ -0,0 +1,228 @@ +# aoi + +![Version: 0.1.20](https://img.shields.io/badge/Version-0.1.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +A Helm chart for Netic application operations infrastructure + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| alex5517 | | | +| mathiasfm | | | + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://grafana.github.io/helm-charts | grafana | 7.3.7 | +| https://victoriametrics.github.io/helm-charts/ | victoria-metrics-alert | 0.9.4 | +| https://victoriametrics.github.io/helm-charts/ | victoria-metrics-single-1(victoria-metrics-single) | 0.9.17 | +| https://victoriametrics.github.io/helm-charts/ | victoria-metrics-single-2(victoria-metrics-single) | 0.9.17 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| alerting.clusterId | string | `""` | Value of the label (cluster_id) | +| alerting.clusterWideNamespace.bootstrapConfig | object | `{"externalSecretsStore":{},"git":{"bitbucket":{},"github":{},"gitlab":{}},"vault":{}}` | overwrite options configured in global.bootstrapConfig | +| alerting.clusterWideNamespace.bootstrapConfig.externalSecretsStore | object | `{}` | overwrite externalSecretStore options, make sure to include all options in overwrite, it is not merged with globally defined options. | +| alerting.clusterWideNamespace.bootstrapConfig.git.github | object | `{}` | overwrite git options, make sure to include all options in overwrite, it is not merged with globally defined options. | +| alerting.clusterWideNamespace.bootstrapConfig.vault | object | `{}` | overwrite vault options, make sure to include all options in overwrite, it is not merged with globally defined options. 
| +| alerting.clusterWideNamespace.enabled | bool | `false` | Create alerting namespace for cluster-wide alert definitions | +| alerting.clusterWideNamespace.name | string | `"application-operations-alerting"` | | +| alerting.clusterWideNamespace.projectBootstrap | object | `{"git":{}}` | Options to configure the projectBootstrap used for cluster-wide alert namespace. | +| alerting.enabled | bool | `false` | Enable deploying alerting components | +| alerting.helmRelease | object | `{"values":{"alertmanager":{"configReloader":{"image":{"pullPolicy":"Always","registry":"ghcr.io","repository":"neticdk/inotifywait-reloader","tag":"v0.0.2"},"resources":{"limits":{"memory":"96Mi"},"requests":{"cpu":"10m","memory":"96Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}},"emailPasswordMount":false,"image":{"registry":"docker.io","repository":"prom/alertmanager","tag":"v0.27.0"},"podSecurityContext":{"fsGroup":2000,"runAsGroup":3000,"runAsUser":1000},"priorityClassName":"secure-cloud-stack-tenant-namespace-application-critical","resources":{"limits":{"memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}},"server":{"configReloader":{"image":{"pullPolicy":"Always","registry":"docker.io","repository":"kiwigrid/k8s-sidecar","tag":"1.26.1@sha256:b8d5067137fec093cf48670dc3a1dbb38f9e734f3a6683015c2e89a45db5fd16"},"resources":{"limits":{"memory":"96Mi"},"requests":{"cpu":"10m","memory":"96Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}},"image":{"pullPolicy":"Always","registry":"docker.io","repository":"victoriametrics/vmalert"},"podSecurityContext":{"fsGroup":2000,"runAsGroup":3000,"runAsUser":1000},"priorityClassName":"secure-cloud-stack-tenant-namespace-application-critical","resources":{"limits":{"memory":"64Mi"},"requests
":{"cpu":"10m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}}}}` | Values to configure for the victoria-metrics-alert helm chart. https://github.com/VictoriaMetrics/helm-charts/blob/master/charts/victoria-metrics-alert/values.yaml | +| alerting.helmRelease.values.alertmanager.emailPasswordMount | bool | `false` | Boolean that is used to mount the secret aoi-alertmanager-email-password into the alertmanager container | +| alerting.helmRepository | string | `nil` | Override the default helmRepository used to deploy alerting components | +| alerting.namespaces | list | `[]` | List of namespaces which should have alerting components deployed | +| authProxy.affinity | list | `[]` | | +| authProxy.annotations | object | `{}` | | +| authProxy.enabled | bool | `true` | Enable filtering of Prometheus Queries based on client JWT token (Grafana) | +| authProxy.extraArgs | list | `[]` | | +| authProxy.extraEnv | list | `[]` | | +| authProxy.extraEnvFrom | list | `[]` | | +| authProxy.image.registry | string | `"registry.netic.dk"` | | +| authProxy.image.repository | string | `"netic-oaas/cortex-proxy"` | | +| authProxy.image.tag | string | `"v1.0.4"` | | +| authProxy.nodeSelector | object | `{}` | | +| authProxy.podAnnotations | object | `{}` | | +| authProxy.podLabels | object | `{}` | | +| authProxy.podManagementPolicy | string | `"Parallel"` | | +| authProxy.podSecurityContext.fsGroup | int | `2000` | | +| authProxy.podSecurityContext.runAsGroup | int | `3000` | | +| authProxy.podSecurityContext.runAsNonRoot | bool | `true` | | +| authProxy.podSecurityContext.runAsUser | int | `1000` | | +| authProxy.priorityClassName | string | `nil` | | +| authProxy.replicas | int | `1` | | +| authProxy.resources.limits.memory | string | `"64Mi"` | | +| authProxy.resources.requests.cpu | string | `"100m"` | | +| authProxy.resources.requests.memory | string | `"64Mi"` | | +| authProxy.selectorLabels | 
object | `{}` | | +| authProxy.service.annotations | object | `{}` | | +| authProxy.service.labels | object | `{}` | | +| authProxy.terminationGracePeriodSeconds | int | `30` | | +| authProxy.tolerations | list | `[]` | | +| authProxy.topologySpauthProxyConstraints | list | `[]` | | +| dashboards.bootstrapConfig | object | `{"externalSecretsStore":{},"git":{"bitbucket":{},"github":{},"gitlab":{}},"vault":{}}` | overwrite options configured in global.bootstrapConfig | +| dashboards.bootstrapConfig.externalSecretsStore | object | `{}` | overwrite externalSecretStore options, make sure to include all options in overwrite, it is not merged with globally defined options. | +| dashboards.bootstrapConfig.git.github | object | `{}` | overwrite git options, make sure to include all options in overwrite, it is not merged with globally defined options. | +| dashboards.bootstrapConfig.vault | object | `{}` | overwrite vault options, make sure to include all options in overwrite, it is not merged with globally defined options. | +| dashboards.projectBootstrap | object | `{"git":{}}` | Options to configure the projectBootstrap used for tenant dashboard namespace | +| externalSecret.vaultDataFromKey | string | `nil` | | +| externalSecret.vaultMountPath | string | `nil` | | +| externalSecret.vaultPath | string | `nil` | | +| externalSecret.vaultServer | string | `nil` | | +| global.annotations | object | `{}` | | +| global.bootstrapConfig | object | `{"externalSecretsStore":{},"git":{"bitbucket":{},"flavor":"github","github":{},"gitlab":{}},"vault":{}}` | Options to configure the bootstrapConfig globally can be overwritten for dashboards and clusterWideNamespace alerting namespace. 
.Values.dashboards.bootstrapConfig .Values.alerting.clusterWideNamespace.bootstrapConfig | +| global.bootstrapConfig.git.flavor | string | `"github"` | Which git flavor to use, currently only supports github, gitlab and bitbucket | +| global.clusterDomain | string | `"cluster.local"` | | +| global.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| global.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| global.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| global.image.pullPolicy | string | `"Always"` | | +| global.imagePullSecrets | list | `[]` | | +| global.podAnnotations | object | `{}` | | +| global.podLabels | object | `{}` | | +| global.priorityClassName | string | `nil` | Default priorityClassName to use | +| global.revisionHistoryLimit | int | `5` | | +| global.serviceAnnotations | object | `{}` | | +| global.serviceLabels | object | `{}` | | +| global.tsdb.enabled | bool | `true` | | +| global.tsdb.high_availability.enabled | bool | `false` | Enable high-availability for tsdb (Victoria-metrics-single) | +| grafana.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| grafana.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| grafana.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| grafana.enabled | bool | `true` | If true deploy Grafana for tenant dashboards | +| grafana.image.pullPolicy | string | `"Always"` | | +| grafana.ingress.enabled | bool | `false` | | +| grafana.ingress.fqdn | string | `nil` | | +| grafana.podPortName | string | `"http"` | | +| grafana.priorityClassName | string | `"secure-cloud-stack-tenant-namespace-application-critical"` | | +| grafana.resources.limits.memory | string | `"256Mi"` | | +| grafana.resources.requests.cpu | string | `"100m"` | | +| grafana.resources.requests.memory | string | `"256Mi"` | | +| grafana.sidecar.dashboards.enabled | bool | `true` | | +| 
grafana.sidecar.dashboards.folderAnnotation | string | `"grafana_dashboard_folder"` | override grafana folder using annotation | +| grafana.sidecar.dashboards.label | string | `"application-operations-dashboards"` | Load configmaps with label key | +| grafana.sidecar.dashboards.provider.disableDelete | bool | `true` | | +| grafana.sidecar.dashboards.provider.foldersFromFilesStructure | bool | `true` | | +| grafana.sidecar.dashboards.searchNamespace | list | `["application-operations-dashboards"]` | Watch for configmaps in namespaces | +| grafana.sidecar.datasources.enabled | bool | `true` | | +| grafana.sidecar.datasources.label | string | `"aoi_grafana_datasource"` | | +| grafana.sidecar.imagePullPolicy | string | `"Always"` | | +| grafana.sidecar.resources.limits.memory | string | `"96Mi"` | | +| grafana.sidecar.resources.requests.cpu | string | `"50m"` | | +| grafana.sidecar.resources.requests.memory | string | `"96Mi"` | | +| grafana.sidecar.securityContext.allowPrivilegeEscalation | bool | `false` | | +| grafana.sidecar.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| grafana.sidecar.securityContext.readOnlyRootFilesystem | bool | `true` | | +| grafana.testFramework.enabled | bool | `false` | | +| prometheus.configReloader.image.pullPolicy | string | `"Always"` | | +| prometheus.configReloader.image.registry | string | `"quay.io"` | | +| prometheus.configReloader.image.repository | string | `"prometheus-operator/prometheus-config-reloader"` | | +| prometheus.configReloader.image.tag | string | `"v0.76.1@sha256:31410de3f01e8ee4e3fd692345d247e7ef57351ce58b21c89d71639d50d1f424"` | | +| prometheus.configReloader.resources.limits.memory | string | `"25Mi"` | | +| prometheus.configReloader.resources.requests.cpu | string | `"10m"` | | +| prometheus.configReloader.resources.requests.memory | string | `"25Mi"` | | +| prometheus.configReloader.securityContext.allowPrivilegeEscalation | bool | `false` | | +| 
prometheus.configReloader.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| prometheus.configReloader.securityContext.readOnlyRootFilesystem | bool | `true` | | +| prometheus.externalLabels | object | `{}` | labels to add to all metrics. externalLabels: cluster_id: "${cluster_provider}_${cluster_name}" cluster: ${cluster_name} cluster_type: "${cluster_type}" prometheus_cluster: ${cluster_name}/aoi-prometheus provider: "${cluster_provider}" | +| prometheus.extraVolumeMounts | list | `[]` | | +| prometheus.extraVolumes | list | `[]` | | +| prometheus.image.pullPolicy | string | `"Always"` | | +| prometheus.image.registry | string | `"docker.io"` | | +| prometheus.image.repository | string | `"victoriametrics/vmagent"` | | +| prometheus.image.tag | string | `"v1.100.1@sha256:18959c254d474d150fd74534b8183e1a800d18d673a408b0c7d20e3febe6f4fe"` | | +| prometheus.persistence.size | string | `"60Gi"` | | +| prometheus.podAnnotations | object | `{}` | | +| prometheus.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| prometheus.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| prometheus.podSecurityContext.fsGroup | int | `2000` | | +| prometheus.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| prometheus.podSecurityContext.runAsGroup | int | `3000` | | +| prometheus.podSecurityContext.runAsNonRoot | bool | `true` | | +| prometheus.podSecurityContext.runAsUser | int | `1000` | | +| prometheus.priorityClassName | string | `nil` | | +| prometheus.relabelConfig | string | `"- source_labels: [cluster_id, namespace]\n separator: _\n regex: (.*)\n target_label: namespace_id\n replacement: $1\n action: replace\n"` | relabel configs to apply to samples before ingestion. 
| +| prometheus.resources.limits.memory | string | `"768Mi"` | | +| prometheus.resources.requests.cpu | string | `"100m"` | | +| prometheus.resources.requests.memory | string | `"256Mi"` | | +| promxy.affinity | list | `[]` | | +| promxy.annotations | object | `{}` | | +| promxy.config | string | `"##\n### Promxy configuration\n##\npromxy:\n server_groups:\n - static_configs:\n - targets:\n - victoria-metrics-single-1-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:8428\n labels:\n replica: 1\n http_client:\n dial_timeout: 1s\n ignore_error: true\n remote_read: true\n remote_read_path: /api/v1\n - static_configs:\n - targets:\n - victoria-metrics-single-2-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:8428\n labels:\n replica: 2\n http_client:\n dial_timeout: 1s\n ignore_error: true\n remote_read: true\n remote_read_path: /api/v1\n"` | | +| promxy.extraArgs | list | `[]` | | +| promxy.extraEnv | list | `[]` | | +| promxy.extraEnvFrom | list | `[]` | | +| promxy.image.registry | string | `"quay.io"` | | +| promxy.image.repository | string | `"jacksontj/promxy"` | | +| promxy.image.tag | string | `"v0.0.85@sha256:115686ce1eb8e37696304b191ce33f13db1c0d7ec8f3ef36501f12bb74f83b9e"` | | +| promxy.nodeSelector | object | `{}` | | +| promxy.podAnnotations | object | `{}` | | +| promxy.podLabels | object | `{}` | | +| promxy.podManagementPolicy | string | `"Parallel"` | | +| promxy.podSecurityContext.fsGroup | int | `2000` | | +| promxy.podSecurityContext.runAsGroup | int | `3000` | | +| promxy.podSecurityContext.runAsNonRoot | bool | `true` | | +| promxy.podSecurityContext.runAsUser | int | `1000` | | +| promxy.priorityClassName | string | `nil` | | +| promxy.replicas | int | `1` | | +| promxy.resources.limits.memory | string | `"64Mi"` | | +| promxy.resources.requests.cpu | string | `"50m"` | | +| promxy.resources.requests.memory | string | `"64Mi"` | | +| promxy.selectorLabels | object | `{}` | | +| 
promxy.service.annotations | object | `{}` | | +| promxy.service.labels | object | `{}` | | +| promxy.terminationGracePeriodSeconds | int | `30` | | +| promxy.tolerations | list | `[]` | | +| promxy.topologySpauthProxyConstraints | list | `[]` | | +| victoria-metrics-alert.rbac.create | bool | `false` | | +| victoria-metrics-alert.server.configMap | string | `"null"` | | +| victoria-metrics-alert.server.enabled | bool | `false` | | +| victoria-metrics-alert.serviceAccount.create | bool | `false` | | +| victoria-metrics-single-1.rbac.create | bool | `false` | | +| victoria-metrics-single-1.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key | string | `"app.kubernetes.io/name"` | | +| victoria-metrics-single-1.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator | string | `"In"` | | +| victoria-metrics-single-1.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] | string | `"victoria-metrics-single-2"` | | +| victoria-metrics-single-1.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey | string | `"topology.kubernetes.io/zone"` | | +| victoria-metrics-single-1.server.image.pullPolicy | string | `"Always"` | | +| victoria-metrics-single-1.server.podSecurityContext.fsGroup | int | `2000` | | +| victoria-metrics-single-1.server.podSecurityContext.runAsGroup | int | `3000` | | +| victoria-metrics-single-1.server.podSecurityContext.runAsUser | int | `1000` | | +| victoria-metrics-single-1.server.resources.limits.memory | string | `"1024Mi"` | | +| victoria-metrics-single-1.server.resources.requests.cpu | string | `"200m"` | | +| victoria-metrics-single-1.server.resources.requests.memory | string | `"1024Mi"` | | +| victoria-metrics-single-1.server.retentionPeriod | string | `"90d"` | Data retention period | +| 
victoria-metrics-single-1.server.securityContext.allowPrivilegeEscalation | bool | `false` | | +| victoria-metrics-single-1.server.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| victoria-metrics-single-1.server.securityContext.readOnlyRootFilesystem | bool | `true` | | +| victoria-metrics-single-1.server.serviceMonitor.enabled | bool | `true` | | +| victoria-metrics-single-1.server.serviceMonitor.extraLabels."netic.dk/monitoring" | string | `"true"` | | +| victoria-metrics-single-2.rbac.create | bool | `false` | | +| victoria-metrics-single-2.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key | string | `"app.kubernetes.io/name"` | | +| victoria-metrics-single-2.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator | string | `"In"` | | +| victoria-metrics-single-2.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values[0] | string | `"victoria-metrics-single-1"` | | +| victoria-metrics-single-2.server.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey | string | `"topology.kubernetes.io/zone"` | | +| victoria-metrics-single-2.server.image.pullPolicy | string | `"Always"` | | +| victoria-metrics-single-2.server.podSecurityContext.fsGroup | int | `2000` | | +| victoria-metrics-single-2.server.podSecurityContext.runAsGroup | int | `3000` | | +| victoria-metrics-single-2.server.podSecurityContext.runAsUser | int | `1000` | | +| victoria-metrics-single-2.server.resources.limits.memory | string | `"1024Mi"` | | +| victoria-metrics-single-2.server.resources.requests.cpu | string | `"200m"` | | +| victoria-metrics-single-2.server.resources.requests.memory | string | `"1024Mi"` | | +| victoria-metrics-single-2.server.retentionPeriod | string | `"90d"` | Data retention period | +| 
victoria-metrics-single-2.server.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| victoria-metrics-single-2.server.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| victoria-metrics-single-2.server.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| victoria-metrics-single-2.server.serviceMonitor.enabled | bool | `true` | |
+| victoria-metrics-single-2.server.serviceMonitor.extraLabels."netic.dk/monitoring" | string | `"true"` | |
+| victoriaMetrics.persistentVolume.size | string | `"5Gi"` | Size of the volume. Should be calculated based on the metrics you send and retention policy you set. |
+
diff --git a/charts/aoi/ci/default-values.yaml b/charts/aoi/ci/default-values.yaml
new file mode 100644
index 00000000..33e07cc5
--- /dev/null
+++ b/charts/aoi/ci/default-values.yaml
@@ -0,0 +1,6 @@
+global:
+ priorityClassName: "secure-cloud-stack-tenant-namespace-application-critical"
+
+victoria-metrics-single-1:
+ server:
+ priorityClassName: "secure-cloud-stack-tenant-namespace-application-critical"
diff --git a/charts/aoi/templates/_helpers.tpl b/charts/aoi/templates/_helpers.tpl
new file mode 100644
index 00000000..f4c21ed4
--- /dev/null
+++ b/charts/aoi/templates/_helpers.tpl
@@ -0,0 +1,114 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "aoi.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "aoi.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "aoi.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "aoi.labels" -}}
+helm.sh/chart: {{ include "aoi.chart" . }}
+{{ include "aoi.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "aoi.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "aoi.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aoi.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "aoi.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the hostname for the read path to tsdb.
+*/}}
+{{- define "aoi.readHost" -}}
+{{- if .Values.global.tsdb.high_availability.enabled }}
+{{- printf "promxy" }}
+{{- else }}
+{{- printf "victoria-metrics-single-1-server" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the port for the read path to tsdb.
+*/}}
+{{- define "aoi.readPort" -}}
+{{- if .Values.global.tsdb.high_availability.enabled }}
+{{- printf "8082" }}
+{{- else }}
+{{- printf "8428" }}
+{{- end }}
+{{- end }}
+
+{{/*
+metrics read url
+*/}}
+{{- define "aoi.readUrl" -}}
+{{- printf "http://%s-%s.%s.svc.%s:%s" (include "aoi.name" . ) (include "aoi.readHost" . ) .Release.Namespace .Values.global.clusterDomain (include "aoi.readPort" . ) }}
+{{- end }}
+
+
+{{/*
+metrics read url for grafana
+*/}}
+{{- define "aoi.grafanaReadUrl" -}}
+{{- if .Values.authProxy.enabled }}
+{{- printf "http://%s-auth-proxy.%s.svc.%s:8080" (include "aoi.name" . ) .Release.Namespace .Values.global.clusterDomain }}
+{{- else }}
+{{- printf "http://%s-%s.%s.svc.%s:%s" (include "aoi.name" . ) (include "aoi.readHost" . ) .Release.Namespace .Values.global.clusterDomain (include "aoi.readPort" . ) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the lable value for victoria-metrics kubernetes/name lable.
+*/}}
+{{- define "aoi.vmLableName" -}}
+{{- if .Values.global.tsdb.high_availability.enabled }}
+{{- printf "promxy" }}
+{{- else }}
+{{- printf "victoria-metrics-single-1" }}
+{{- end }}
+{{- end }}
diff --git a/charts/aoi/templates/application-operations-alerting/HelmRelease.yaml b/charts/aoi/templates/application-operations-alerting/HelmRelease.yaml
new file mode 100644
index 00000000..d9ea78bd
--- /dev/null
+++ b/charts/aoi/templates/application-operations-alerting/HelmRelease.yaml
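Review bot: `aoi.readUrl` and the `else` branch of `aoi.grafanaReadUrl` build the TSDB host as `<aoi.name>-<aoi.readHost>`, which renders to `aoi-victoria-metrics-single-1-server` for every release because `aoi.name` is the chart name rather than `.Release.Name`; that only matches the subchart's Service when the subchart prefixes its names with the release and the release happens to be called `aoi`, so please confirm the rendered Service name and consider deriving the prefix from `aoi.fullname` as the rest of the file does. The `promxy.config` default documented in this commit's README targets `victoria-metrics-single-1-server.{{ .Release.Namespace }}...` with no prefix at all, so at least one of the two forms is presumably wrong. Both read URLs are unauthenticated `http://` endpoints, so per-tenant filtering of Grafana queries exists only while `authProxy.enabled` is true; the helper comment should say so, e.g. `metrics read url for grafana; when authProxy.enabled is false Grafana reaches the tsdb directly and no per-tenant query filtering applies`. Typo in the last helper's comment: `lable` should be `label` (twice).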
@@ -0,0 +1,125 @@ +{{- if .Values.alerting.enabled }} +{{- range $i, $namespace := (include "aoi.alerting.namespaces" . | fromJsonArray) }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: victoria-metrics-alert + namespace: {{ $namespace }} +spec: + chart: + spec: + chart: victoria-metrics-alert + version: {{ include "aoi.alerting.chartVersion" $ }} + sourceRef: + kind: HelmRepository + name: victoria-metrics + interval: 5m + interval: 5m + timeout: 15m + values: + serviceAccount: + create: false + name: victoria-metrics-alert-config-reloader + rbac: + create: false + server: + {{- include "aoi.serverPriorityClassName" $ | nindent 6 }} + image: + repository: "{{ $.Values.alerting.helmRelease.values.server.image.registry }}/{{ $.Values.alerting.helmRelease.values.server.image.repository }}" + pullPolicy: {{ $.Values.alerting.helmRelease.values.server.image.pullPolicy }} + podLabels: + netic.dk/allow-prometheus-scraping: "true" + resources: + {{- toYaml $.Values.alerting.helmRelease.values.server.resources | nindent 8 }} + extraArgs: + rule: '/tmp/rules/*.yaml' + extraVolumes: + - name: alert-rules + emptyDir: {} + extraVolumeMounts: + - name: alert-rules + mountPath: /tmp/rules + datasource: + {{- if eq $namespace $.Values.alerting.clusterWideNamespace.name }} + url: "{{ include "aoi.readUrl" $ }}" + {{- else }} + url: "{{ include "aoi.readUrl" $ }}?extra_label=namespace_id={{ $.Values.alerting.clusterId }}_{{ $namespace }}" + {{- end }} + securityContext: + {{- toYaml $.Values.alerting.helmRelease.values.server.securityContext | nindent 8 }} + extraContainers: + - name: config-reloader + image: "{{ $.Values.alerting.helmRelease.values.server.configReloader.image.registry }}/{{ $.Values.alerting.helmRelease.values.server.configReloader.image.repository }}:{{ $.Values.alerting.helmRelease.values.server.configReloader.image.tag }}" + imagePullPolicy: {{ $.Values.alerting.helmRelease.values.server.configReloader.image.pullPolicy 
}} + resources: + {{- toYaml $.Values.alerting.helmRelease.values.server.configReloader.resources | nindent 12 }} + securityContext: + {{- toYaml $.Values.alerting.helmRelease.values.server.configReloader.securityContext | nindent 12 }} + env: + - name: IGNORE_ALREADY_PROCESSED + value: "true" + - name: METHOD + value: WATCH + - name: LABEL + value: application-operations-alerting + - name: FOLDER + value: /tmp/rules + - name: RESOURCE + value: configmap + - name: REQ_URL + value: http://localhost:8880/-/reload + - name: REQ_METHOD + value: GET + volumeMounts: + - name: alert-rules + mountPath: /tmp/rules + podSecurityContext: + {{- toYaml $.Values.alerting.helmRelease.values.server.podSecurityContext | nindent 8 }} + alertmanager: + enabled: true + {{- include "aoi.alertmanagerPriorityClassName" $ | nindent 6 }} + image: "{{ $.Values.alerting.helmRelease.values.alertmanager.image.registry }}/{{ $.Values.alerting.helmRelease.values.alertmanager.image.repository }}" + tag: "{{ $.Values.alerting.helmRelease.values.alertmanager.image.tag }}" + resources: + {{- toYaml $.Values.alerting.helmRelease.values.alertmanager.resources | nindent 8 }} + configMap: "alertmanager-config" + securityContext: + {{- toYaml $.Values.alerting.helmRelease.values.alertmanager.securityContext | nindent 8 }} + podSecurityContext: + {{- toYaml $.Values.alerting.helmRelease.values.alertmanager.podSecurityContext | nindent 8 }} + extraContainers: + - name: config-reloader + image: "{{ $.Values.alerting.helmRelease.values.alertmanager.configReloader.image.registry }}/{{ $.Values.alerting.helmRelease.values.alertmanager.configReloader.image.repository }}:{{ $.Values.alerting.helmRelease.values.alertmanager.configReloader.image.tag }}" + imagePullPolicy: {{ $.Values.alerting.helmRelease.values.alertmanager.configReloader.image.pullPolicy }} + resources: + {{- toYaml $.Values.alerting.helmRelease.values.alertmanager.configReloader.resources | nindent 12 }} + securityContext: + {{- toYaml 
$.Values.alerting.helmRelease.values.alertmanager.configReloader.securityContext | nindent 12 }}
+ env:
+ - name: WATCH_PATHS
+ value: /tmp/config
+ - name: REQ_URL
+ value: http://localhost:9093/-/reload
+ - name: REQ_METHOD
+ value: POST
+ volumeMounts:
+ - name: config
+ mountPath: /tmp/config
+ {{- if $.Values.alerting.helmRelease.values.alertmanager.emailPasswordMount }}
+ extraVolumeMounts:
+ - name: email-password
+ readOnly: true
+ mountPath: /etc/email-password
+ extraVolumes:
+ - name: email-password
+ secret:
+ optional: true
+ secretName: aoi-alertmanager-email-password
+ {{- end }}
+ serviceMonitor:
+ enabled: true
+ extraLabels:
+ netic.dk/monitoring: "true"
+{{- end }}
+{{- end }}
diff --git a/charts/aoi/templates/application-operations-alerting/HelmRepository.yaml b/charts/aoi/templates/application-operations-alerting/HelmRepository.yaml
new file mode 100644
index 00000000..f206d358
--- /dev/null
+++ b/charts/aoi/templates/application-operations-alerting/HelmRepository.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerting.enabled }}
+{{- range $i, $namespace := (include "aoi.alerting.namespaces" . | fromJsonArray) }}
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: victoria-metrics
+ namespace: {{ $namespace }}
+spec:
+ interval: 30m0s
+ url: {{ include "aoi.alerting.helmRepository" $ }}
+ type: {{ include "aoi.alerting.helmRepository.type" $ }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/aoi/templates/application-operations-alerting/_helpers.tpl b/charts/aoi/templates/application-operations-alerting/_helpers.tpl
new file mode 100644
index 00000000..1b2b3b94
--- /dev/null
+++ b/charts/aoi/templates/application-operations-alerting/_helpers.tpl
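Review bot: Under `server.datasource`, the per-namespace `url` scopes each tenant's vmalert to its own series purely through the `extra_label=namespace_id=...` query parameter on an unauthenticated `http://` read endpoint, so the isolation is only as strong as whatever keeps tenant workloads from reaching the TSDB/promxy Service directly (a NetworkPolicy or the auth proxy), none of which this commit adds; a comment next to the `url` line stating that dependency would make the trust boundary explicit for the next reader. `alerting.clusterId` defaults to `""` per the README, which renders `namespace_id=_<namespace>` and would match no series whose `namespace_id` was built from a non-empty `cluster_id` by the documented relabel config; guard it with `{{ required "alerting.clusterId must be set when alerting.enabled is true" $.Values.alerting.clusterId }}` instead of letting alerting fail silently. The release also assumes a ServiceAccount `victoria-metrics-alert-config-reloader` and a ConfigMap `alertmanager-config` already exist in every alerting namespace (`serviceAccount.create: false`, `configMap: "alertmanager-config"`), and the two `config-reloader` sidecars are given `securityContext` but their image tags are only partly digest-pinned (the vmalert reloader is, the alertmanager reloader `v0.0.2` is not); documenting where those resources are provisioned and pinning the second image would close the gaps.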
@@ -0,0 +1,88 @@ +{{/* +list of namespaces that should have alerting enabled +*/}} +{{- define "aoi.alerting.namespaces" -}} + {{ $newList := list }} + {{- if .Values.alerting.clusterWideNamespace.enabled }} + {{ $newList = prepend .Values.alerting.namespaces .Values.alerting.clusterWideNamespace.name }} + {{- else }} + {{ $newList = .Values.alerting.namespaces }} + {{- end }} + {{ toJson $newList }} +{{- end }} + +{{/* +HelmRepository for victoria-metrics-alert +*/}} +{{- define "aoi.alerting.helmRepository" -}} + {{- range $i, $dep := .Chart.Dependencies }} + {{- if eq $dep.Name "victoria-metrics-alert" }} + {{- default $dep.Repository $.Values.alerting.helmRepository }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +HelmRepository type +*/}} +{{- define "aoi.alerting.helmRepository.type" -}} + {{- if hasPrefix "oci" ( include "aoi.alerting.helmRepository" . ) }} + {{- print "oci" -}} + {{- else }} + {{- print "default" -}} + {{- end }} +{{- end }} + +{{/* +Helm chart version for victoria-metrics-alert +*/}} +{{- define "aoi.alerting.chartVersion" -}} + {{- range $i, $dep := .Chart.Dependencies }} + {{- if eq $dep.Name "victoria-metrics-alert" }} + {{- $dep.Version }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +promxy priority class name +*/}} +{{- define "aoi.serverPriorityClassName" -}} +{{- $pcn := coalesce .Values.global.priorityClassName .Values.alerting.helmRelease.values.server.priorityClassName -}} +{{- if $pcn -}} +priorityClassName: {{ $pcn }} +{{- end }} +{{- end }} + +{{/* +promxy priority class name +*/}} +{{- define "aoi.alertmanagerPriorityClassName" -}} +{{- $pcn := coalesce .Values.global.priorityClassName .Values.alerting.helmRelease.values.alertmanager.priorityClassName -}} +{{- if $pcn -}} +priorityClassName: {{ $pcn }} +{{- end }} +{{- end }} + +{{/* +Create the git config for bootstrapConfig. 
+*/}} +{{- define "aoi.alerting.bootstrapConfig" -}} +git: +{{- if eq .Values.global.bootstrapConfig.git.flavor "github" }} + github: + {{- default .Values.global.bootstrapConfig.git.github .Values.alerting.clusterWideNamespace.bootstrapConfig.git.github | toYaml | nindent 4}} +{{- else if eq .Values.global.bootstrapConfig.git.flavor "gitlab" }} + gitlab: + {{- default .Values.global.bootstrapConfig.git.gitlab .Values.alerting.clusterWideNamespace.bootstrapConfig.git.gitlab | toYaml | nindent 4}} +{{- else if eq .Values.global.bootstrapConfig.git.flavor "bitbucket" }} + bitbucket: + {{- default .Values.global.bootstrapConfig.git.bitbucket .Values.alerting.clusterWideNamespace.bootstrapConfig.git.bitbucket | toYaml | nindent 4}} +{{- else }} +{{ fail "Invalid git flavor. Supported git flavors (github,gitlab,bitbucket)" }} +{{- end }} +vault: +{{- default .Values.global.bootstrapConfig.vault .Values.alerting.clusterWideNamespace.bootstrapConfig.vault | toYaml | nindent 2}} +externalSecretsStore: +{{- default .Values.global.bootstrapConfig.externalSecretsStore .Values.alerting.clusterWideNamespace.bootstrapConfig.externalSecretsStore | toYaml | nindent 2}} +{{- end }} diff --git a/charts/aoi/templates/application-operations-alerting/bootstrapconfig.yaml b/charts/aoi/templates/application-operations-alerting/bootstrapconfig.yaml new file mode 100644 index 00000000..a3e01d38 --- /dev/null +++ b/charts/aoi/templates/application-operations-alerting/bootstrapconfig.yaml 
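Review bot: `aoi.alerting.helmRepository.type` classifies any repository string that starts with `oci` as an OCI source; `hasPrefix "oci://"` is the precise test and cannot mis-type an HTTP repository whose hostname happens to begin with those letters. The comment blocks above `aoi.serverPriorityClassName` and `aoi.alertmanagerPriorityClassName` both read `promxy priority class name`, copied from the promxy helper; they should say `vmalert server priority class name` and `alertmanager priority class name`. `aoi.alerting.namespaces` also emits untrimmed whitespace around its JSON (`{{ $newList := list }}`, `{{ toJson $newList }}`); it appears to work only because `fromJsonArray` tolerates surrounding whitespace, so the trimming `{{-`/`-}}` form used by the other helpers in this file would be safer.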
@@ -0,0 +1,62 @@ +{{- if and .Values.alerting.enabled .Values.alerting.clusterWideNamespace.enabled }} +--- +apiVersion: project.tcs.trifork.com/v1alpha1 +kind: BootstrapConfig +metadata: + name: application-operations-alerting + namespace: netic-gitops-system +spec: + sizes: + application-operations-alerting: + limitRange: + limits: + - type: Container + default: + memory: 1Mi + defaultRequest: + cpu: "1m" + memory: 1Mi + resourceQuota: + hard: + requests.cpu: "1" + requests.memory: "1Gi" + requests.storage: "100Gi" + limits.memory: "1Gi" + persistentvolumeclaims: "1" + count/deployments.apps: "2" + rules: # Role rules for deployment user + - apiGroups: [""] + resources: ["services", "configmaps", "secrets", "persistentvolumeclaims"] + verbs: ["*"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets", "replicasets"] + verbs: ["*"] + - apiGroups: ["monitoring.coreos.com"] + resources: ["servicemonitors", "podmonitors"] + verbs: ["*"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["*"] + - apiGroups: ["helm.toolkit.fluxcd.io"] + resources: ["helmreleases"] + verbs: ["*"] + - apiGroups: ["source.toolkit.fluxcd.io"] + resources: ["helmrepositories"] + verbs: ["*"] + + networkPolicies: # Default network policies - deny-all will always be added + default-egress: + podSelector: {} + policyTypes: + - Egress + egress: + - ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 + + labels: + netic.dk/enforce-policies: "true" + {{- include "aoi.alerting.bootstrapConfig" . | nindent 2 }} +{{- end }} diff --git a/charts/aoi/templates/application-operations-alerting/networkpolicy.yaml b/charts/aoi/templates/application-operations-alerting/networkpolicy.yaml new file mode 100644 index 00000000..468c4ad9 --- /dev/null +++ b/charts/aoi/templates/application-operations-alerting/networkpolicy.yaml 
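Review bot: The deployment-user Role grants `verbs: ["*"]` on `secrets` (and on every other listed resource), which includes `list`/`watch` over all Secrets in the namespace — broader than a GitOps deployer needs to create or update the ones it owns, and `*` also silently covers any verb added to the API later. Consider enumerating the verbs, at least for `secrets`, e.g. `verbs: ["get", "create", "update", "patch", "delete"]`. Separately, the LimitRange sets `default: memory: 1Mi` with no `default.cpu`, so any container in this namespace that omits a memory limit is capped at 1Mi; if that is the intended "force explicit limits" behaviour, a comment on the `limitRange` line saying so would save the next reader a debugging session.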
@@ -0,0 +1,124 @@ +{{- if .Values.alerting.enabled }} +{{- range $i, $namespace := (include "aoi.alerting.namespaces" . | fromJsonArray) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert-alertmanager-egress + namespace: {{ $namespace }} +spec: + podSelector: + matchLabels: + app: alertmanager + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + policyTypes: + - Egress + egress: + - ports: + - port: 443 + protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert-alertmanager-ingress + namespace: {{ $namespace }} +spec: + podSelector: + matchLabels: + app: alertmanager + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: server + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + ports: + - port: web + protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert-server-egress + namespace: {{ $namespace }} +spec: + podSelector: + matchLabels: + app: server + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + policyTypes: + - Egress + egress: + - ports: + - port: 6443 + protocol: TCP + - ports: + - port: 443 + protocol: TCP + - to: + - podSelector: + matchLabels: + app: alertmanager + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + ports: + - port: web + protocol: TCP + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ $.Release.Namespace }} + podSelector: + matchLabels: + app: server + app.kubernetes.io/name: {{ include "aoi.vmLableName" $ }} + ports: + - port: http + protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: vmalert-server-ingress + 
namespace: {{ $namespace }} +spec: + podSelector: + matchLabels: + app: server + app.kubernetes.io/instance: victoria-metrics-alert + app.kubernetes.io/name: victoria-metrics-alert + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: prometheus-scrape-ingress + namespace: {{ $namespace }} +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + ports: + - port: metrics + protocol: TCP + - port: http + protocol: TCP + podSelector: + matchLabels: + netic.dk/allow-prometheus-scraping: "true" + policyTypes: + - Ingress +{{- end }} +{{- end }} diff --git a/charts/aoi/templates/application-operations-alerting/projectbootstrap.yaml b/charts/aoi/templates/application-operations-alerting/projectbootstrap.yaml new file mode 100644 index 00000000..2090bc05 --- /dev/null +++ b/charts/aoi/templates/application-operations-alerting/projectbootstrap.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.alerting.enabled .Values.alerting.clusterWideNamespace.enabled }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.alerting.clusterWideNamespace.name }} + labels: + netic.dk/monitoring: "true" + annotations: + netic.dk/alerting: "true" +--- +apiVersion: project.tcs.trifork.com/v1alpha1 +kind: ProjectBootstrap +metadata: + name: {{ .Values.alerting.clusterWideNamespace.name }} + namespace: netic-gitops-system +spec: + namespace: {{ .Values.alerting.clusterWideNamespace.name }} + config: + ref: application-operations-alerting + size: application-operations-alerting + git: + {{- toYaml .Values.alerting.clusterWideNamespace.projectBootstrap.git | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/aoi/templates/application-operations-alerting/rbac.yaml b/charts/aoi/templates/application-operations-alerting/rbac.yaml new file mode 100644 index 00000000..776068c5 --- /dev/null +++ b/charts/aoi/templates/application-operations-alerting/rbac.yaml 
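Review bot: `prometheus-scrape-ingress` admits any pod in any namespace (`namespaceSelector: {}`) that carries the label `app.kubernetes.io/name: prometheus`; pod labels are chosen by whoever creates the pod, so a tenant with pod-create rights in another namespace can reach the `metrics`/`http` ports of every scrape-enabled pod simply by adding that label. Constrain the source namespace the way `vmalert-server-egress` already does for its target: `namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ $.Release.Namespace }}`. `vmalert-alertmanager-egress` only opens TCP 443 with no destination selector, so if the `emailPasswordMount` option from the HelmRelease is used, SMTP egress (25/465/587) appears to be missing; and `vmalert-server-egress` allows 6443/443 to any address rather than to the API server endpoint — a `to:` block, or at least a comment explaining why the destination is unconstrained, would help.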
@@ -0,0 +1,39 @@ +{{- if .Values.alerting.enabled }} +{{- range $i, $namespace := (include "aoi.alerting.namespaces" . | fromJsonArray) }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: victoria-metrics-alert-config-reloader + namespace: {{ $namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: config-reloader-role + namespace: {{ $namespace }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: config-reloader-rolebinding + namespace: {{ $namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: config-reloader-role +subjects: + - kind: ServiceAccount + name: victoria-metrics-alert-config-reloader + namespace: {{ $namespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/aoi/templates/application-operations-dashboards/_helpers.tpl b/charts/aoi/templates/application-operations-dashboards/_helpers.tpl new file mode 100644 index 00000000..9abc44ca --- /dev/null +++ b/charts/aoi/templates/application-operations-dashboards/_helpers.tpl 
@@ -0,0 +1,22 @@ +{{/* +Create the git config for bootstrapConfig. +*/}} +{{- define "aoi.dashboards.bootstrapConfig" -}} +git: +{{- if eq .Values.global.bootstrapConfig.git.flavor "github" }} + github: + {{- default .Values.global.bootstrapConfig.git.github .Values.dashboards.bootstrapConfig.git.github | toYaml | nindent 4}} +{{- else if eq .Values.global.bootstrapConfig.git.flavor "gitlab" }} + gitlab: + {{- default .Values.global.bootstrapConfig.git.gitlab .Values.dashboards.bootstrapConfig.git.gitlab | toYaml | nindent 4}} +{{- else if eq .Values.global.bootstrapConfig.git.flavor "bitbucket" }} + bitbucket: + {{- default .Values.global.bootstrapConfig.git.bitbucket .Values.dashboards.bootstrapConfig.git.bitbucket | toYaml | nindent 4}} +{{- else }} +{{ fail "Invalid git flavor. Supported git flavors (github,gitlab,bitbucket)" }} +{{- end }} +vault: +{{- default .Values.global.bootstrapConfig.vault .Values.dashboards.bootstrapConfig.vault | toYaml | nindent 2}} +externalSecretsStore: +{{- default .Values.global.bootstrapConfig.externalSecretsStore .Values.dashboards.bootstrapConfig.externalSecretsStore | toYaml | nindent 2}} +{{- end }} diff --git a/charts/aoi/templates/application-operations-dashboards/bootstrapconfig.yaml b/charts/aoi/templates/application-operations-dashboards/bootstrapconfig.yaml new file mode 100644 index 00000000..26b454ce --- /dev/null +++ b/charts/aoi/templates/application-operations-dashboards/bootstrapconfig.yaml 
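Review bot: `aoi.dashboards.bootstrapConfig` is a line-for-line copy of `aoi.alerting.bootstrapConfig` with only the override path changed (`.Values.dashboards.bootstrapConfig` versus `.Values.alerting.clusterWideNamespace.bootstrapConfig`), so the git-flavor validation and the `fail` message now live in two places. A single helper that receives the override map (`include "aoi.bootstrapConfig" (dict "root" . "override" .Values.dashboards.bootstrapConfig)`) would keep a new flavor from being added to one copy and forgotten in the other. If the copies are kept, a one-line comment pointing at the sibling helper is the minimum. Style only; the rendered output is unchanged.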
@@ -0,0 +1,37 @@ +{{- if .Values.grafana.enabled }} +--- +apiVersion: project.tcs.trifork.com/v1alpha1 +kind: BootstrapConfig +metadata: + name: application-operations-dashboards + namespace: netic-gitops-system +spec: + sizes: + application-operations-dashboards: + limitRange: + limits: + - type: Container + default: + cpu: "1m" + memory: 1Mi + defaultRequest: + cpu: "1m" + memory: 1Mi + resourceQuota: + hard: + requests.cpu: "0" + requests.memory: "0Gi" + requests.storage: "0Gi" + limits.cpu: "0" + limits.memory: "0Gi" + persistentvolumeclaims: "0" + count/deployments.apps: "0" + rules: # Role rules for deployment user + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["*"] + + labels: + netic.dk/enforce-policies: "true" + {{- include "aoi.dashboards.bootstrapConfig" . | nindent 2 }} +{{- end }} diff --git a/charts/aoi/templates/application-operations-dashboards/projectbootstrap.yaml b/charts/aoi/templates/application-operations-dashboards/projectbootstrap.yaml new file mode 100644 index 00000000..c9cef579 --- /dev/null +++ b/charts/aoi/templates/application-operations-dashboards/projectbootstrap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.grafana.enabled }} +--- +apiVersion: project.tcs.trifork.com/v1alpha1 +kind: ProjectBootstrap +metadata: + name: application-operations-dashboards + namespace: netic-gitops-system +spec: + namespace: application-operations-dashboards + config: + ref: application-operations-dashboards + size: application-operations-dashboards + git: + {{- toYaml .Values.dashboards.projectBootstrap.git | nindent 4 }} + metadata: {} +{{- end }} diff --git a/charts/aoi/templates/auth-proxy/_helpers-authProxy.tpl b/charts/aoi/templates/auth-proxy/_helpers-authProxy.tpl new file mode 100644 index 00000000..b4c04fca --- /dev/null +++ b/charts/aoi/templates/auth-proxy/_helpers-authProxy.tpl 
@@ -0,0 +1,39 @@ +{{/* +authProxy fullname +*/}} +{{- define "aoi.authProxyFullname" -}} +{{ include "aoi.name" . }}-auth-proxy +{{- end }} + +{{/* +authProxy common labels +*/}} +{{- define "aoi.authProxyLabels" -}} +{{ include "aoi.labels" . }} +app.kubernetes.io/component: auth-proxy +{{- end }} + +{{/* +authProxy selector labels +*/}} +{{- define "aoi.authProxySelectorLabels" -}} +{{ include "aoi.selectorLabels" . }} +app.kubernetes.io/component: auth-proxy +{{- end }} + +{{/* +authProxy priority class name +*/}} +{{- define "aoi.authProxyPriorityClassName" -}} +{{- $pcn := coalesce .Values.global.priorityClassName .Values.authProxy.priorityClassName -}} +{{- if $pcn }} +priorityClassName: {{ $pcn }} +{{- end }} +{{- end }} + +{{/* +authProxy upstreamUrl +*/}} +{{- define "aoi.upstreamUrl" -}} +{{- printf "http://%s-%s.%s.svc.%s:%s" (include "aoi.name" . ) (include "aoi.readHost" . ) .Release.Namespace .Values.global.clusterDomain (include "aoi.readPort" . ) }} +{{- end }} diff --git a/charts/aoi/templates/auth-proxy/deployment-auth-proxy.yaml b/charts/aoi/templates/auth-proxy/deployment-auth-proxy.yaml new file mode 100644 index 00000000..47fa6744 --- /dev/null +++ b/charts/aoi/templates/auth-proxy/deployment-auth-proxy.yaml 
@@ -0,0 +1,93 @@ +{{- if .Values.authProxy.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "aoi.authProxyFullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "aoi.authProxyLabels" . | nindent 4 }} + annotations: + {{- with .Values.global.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.authProxy.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.authProxy.replicas }} + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "aoi.authProxySelectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.global.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "aoi.authProxySelectorLabels" . | nindent 8 }} + {{- with .Values.global.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.selectorLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- include "aoi.authProxyPriorityClassName" . | nindent 6 }} + securityContext: + {{- toYaml .Values.authProxy.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: {{ .Values.authProxy.terminationGracePeriodSeconds }} + containers: + - name: proxy + image: "{{ .Values.authProxy.image.registry }}/{{ .Values.authProxy.image.repository }}:{{ .Values.authProxy.image.tag }}" + imagePullPolicy: {{ .Values.global.image.pullPolicy }} + args: + - --upstream={{ include "aoi.upstreamUrl" . }} + {{- with .Values.authProxy.extraArgs }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + {{- with .Values.authProxy.extraEnv }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.authProxy.extraEnvFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} + securityContext: + {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + resources: + {{- toYaml .Values.authProxy.resources | nindent 12 }} + {{- with .Values.authProxy.affinity }} + affinity: + {{- tpl . $ | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authProxy.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/aoi/templates/auth-proxy/service-auth-proxy.yaml b/charts/aoi/templates/auth-proxy/service-auth-proxy.yaml new file mode 100644 index 00000000..a559ee0c --- /dev/null +++ b/charts/aoi/templates/auth-proxy/service-auth-proxy.yaml @@ -0,0 +1,32 @@ +{{- if .Values.authProxy.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "aoi.authProxyFullname" . }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "aoi.authProxyLabels" . | nindent 4 }} + {{- with .Values.global.serviceLabels }} + {{- toYaml . | nindent 4}} + {{- end }} + {{- with .Values.authProxy.service.labels }} + {{- toYaml . | nindent 4}} + {{- end }} + annotations: + {{- with .Values.global.serviceAnnotations }} + {{- toYaml . | nindent 4}} + {{- end }} + {{- with .Values.authProxy.service.annotations }} + {{- toYaml . | nindent 4}} + {{- end }} +spec: + type: ClusterIP + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + selector: + {{- include "aoi.authProxySelectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/aoi/templates/externalsecrets.yaml b/charts/aoi/templates/externalsecrets.yaml new file mode 100644 index 00000000..c6f80ae9 --- /dev/null 
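Review bot: The `proxy` container declares port `http`/8080 but no `livenessProbe` or `readinessProbe`, while the promxy deployment in this same change carries both; without a readiness probe the Service routes traffic to the proxy before it has started, and a hung process is never restarted. If the image exposes a health endpoint, add probes against `port: http` mirroring the promxy ones. The pod also leaves the default ServiceAccount token mounted; nothing in the visible args suggests the proxy calls the API server, so `automountServiceAccountToken: false` under `spec:` is worth adding — drop it only if the image validates tokens via TokenReview.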
+++ b/charts/aoi/templates/externalsecrets.yaml @@ -0,0 +1,53 @@ +{{- if .Values.grafana.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: external-secrets + namespace: {{ .Release.Namespace }} +secrets: + - name: external-secrets-token +--- +apiVersion: v1 +kind: Secret +metadata: + name: external-secrets-token + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/service-account.name: external-secrets +type: kubernetes.io/service-account-token +--- +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault + namespace: {{ .Release.Namespace }} +spec: + provider: + vault: + server: {{ .Values.externalSecret.vaultServer }} + path: {{ .Values.externalSecret.vaultPath }} + version: "v2" + auth: + kubernetes: + mountPath: {{ .Values.externalSecret.vaultMountPath }} + role: "external-secrets" + secretRef: + name: external-secrets-token +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: aoi-grafana-oidc + namespace: {{ .Release.Namespace }} +spec: + refreshInterval: "60s" + secretStoreRef: + name: vault + kind: SecretStore + target: + name: aoi-grafana-oidc + dataFrom: + - extract: + key: {{ .Values.externalSecret.vaultDataFromKey }} +{{- end }} diff --git a/charts/aoi/templates/grafana-datasource.yaml b/charts/aoi/templates/grafana-datasource.yaml new file mode 100644 index 00000000..9ca93041 --- /dev/null +++ b/charts/aoi/templates/grafana-datasource.yaml @@ -0,0 +1,22 @@ +{{- if .Values.grafana.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: aoi-grafana-datasources + namespace: {{ .Release.Namespace }} + labels: + aoi_grafana_datasource: "1" +data: + datasource.yaml: | + apiVersion: 1 + datasources: + - name: VictoriaMetrics + uid: victoriametrics + type: prometheus + url: {{ include "aoi.grafanaReadUrl" . }} + access: proxy + isDefault: true + jsonData: + oauthPassThru: true +{{- end }} 
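Review bot: The SecretStore authenticates to Vault with a long-lived `kubernetes.io/service-account-token` Secret (`external-secrets-token`) referenced via `secretRef`; such tokens never expire and are rotated only by deleting the Secret, so a standing Vault credential sits in etcd. The external-secrets Vault provider accepts `serviceAccountRef: name: external-secrets` in place of `secretRef`, which obtains a short-lived, audience-bound token through TokenRequest at each sync and removes the static Secret entirely. Also make the endpoint mandatory and a string: `server: {{ required "externalSecret.vaultServer is required" .Values.externalSecret.vaultServer | quote }}`, so an unset value fails at render time instead of producing `server: null`.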
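Review bot: `oauthPassThru: true` makes Grafana forward each user's OIDC access token to the datasource URL from `aoi.grafanaReadUrl`; the upstream helpers visible in this change build plain `http://` in-cluster URLs, so this is only appropriate if the receiving end is the auth proxy that validates the token and the hop stays inside a trusted network. A comment on the `jsonData` line stating that expectation, e.g. `# user token is forwarded; url must point at the auth proxy that validates it`, would stop a later change of the URL to a different backend from leaking user tokens to it.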
diff --git a/charts/aoi/templates/ingress.yaml b/charts/aoi/templates/ingress.yaml new file mode 100644 index 00000000..8ac5149a --- /dev/null +++ b/charts/aoi/templates/ingress.yaml @@ -0,0 +1,28 @@ +{{- if .Values.grafana.ingress.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt + kubernetes.io/tls-acme: "true" + name: {{ include "aoi.name" . }}-grafana-ingress + namespace: {{ $.Release.Namespace }} +spec: + rules: + - host: {{ include ".Values.grafana.ingress.fqdn" . }} + http: + paths: + - backend: + service: + name: {{ include "aoi.name" . }}-grafana + port: + name: service + path: / + pathType: Prefix + tls: + - hosts: + - {{ include ".Values.grafana.ingress.fqdn" . }} + secretName: {{ include "aoi.name" . }}-grafana-ingress-tls + +{{- end }} diff --git a/charts/aoi/templates/prometheus/_helpers-prometheus.tpl b/charts/aoi/templates/prometheus/_helpers-prometheus.tpl new file mode 100644 index 00000000..9bd4b841 --- /dev/null +++ b/charts/aoi/templates/prometheus/_helpers-prometheus.tpl 
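Review bot: `host: {{ include ".Values.grafana.ingress.fqdn" . }}` (and the same expression under `tls.hosts`) passes a values path to `include`, which expects a named template, so Helm aborts rendering with a "template not defined" error as soon as `grafana.ingress.enabled` is true. Use the value directly: `- host: {{ required "grafana.ingress.fqdn is required" .Values.grafana.ingress.fqdn | quote }}` and `- {{ .Values.grafana.ingress.fqdn | quote }}` for the TLS host. The `cert-manager.io/cluster-issuer: letsencrypt` issuer name is also hard-coded; exposing it as a value lets non-production clusters use a staging issuer without editing the template.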
@@ -0,0 +1,58 @@ +{{/* +prometheus fullname +*/}} +{{- define "aoi.prometheusFullname" -}} +{{ include "aoi.name" . }}-prometheus +{{- end }} + +{{/* +prometheus common labels +*/}} +{{- define "aoi.prometheusLabels" -}} +{{ include "aoi.labels" . }} +app.kubernetes.io/component: prometheus +{{- end }} + +{{/* +prometheus selector labels +*/}} +{{- define "aoi.prometheusSelectorLabels" -}} +{{ include "aoi.selectorLabels" . }} +app.kubernetes.io/component: prometheus +{{- end }} + +{{/* +prometheus priority class name +*/}} +{{- define "aoi.prometheusPriorityClassName" -}} +{{- $pcn := coalesce .Values.global.priorityClassName .Values.prometheus.priorityClassName -}} +{{- if $pcn }} +priorityClassName: {{ $pcn }} +{{- end }} +{{- end }} + + +{{/* +Create remotewrite url for tsdb. +*/}} +{{- define "aoi.prometheusWriteUrl" -}} +{{- if .Values.global.tsdb.high_availability.enabled }} +{{- printf "http://%s-victoria-metrics-single-1-server:8428/api/v1/write,http://%s-victoria-metrics-single-2-server:8428/api/v1/write" (include "aoi.name" . ) (include "aoi.name" . ) }} +{{- else }} +{{- printf "http://%s-victoria-metrics-single-1-server:8428/api/v1/write" (include "aoi.name" . ) }} +{{- end }} +{{- end }} + +{{/* +Create remotewrite.MaxDiskUsagePerURL for vmagent. +*/}} +{{- define "aoi.prometheusMaxDiskUsagePerURL" -}} +{{- $diskSize := trimSuffix "Gi" .Values.prometheus.persistence.size | int64 }} +{{- if .Values.global.tsdb.high_availability.enabled }} +{{- $ModifiedDiskSize := div (sub $diskSize 10) 2 | toString}} +{{- printf "%sGB,%sGB" $ModifiedDiskSize $ModifiedDiskSize }} +{{- else }} +{{- $ModifiedDiskSize := sub $diskSize 10 | toString}} +{{- printf "%sGB" $ModifiedDiskSize }} +{{- end }} +{{- end }} diff --git a/charts/aoi/templates/prometheus/clusterrole.yaml b/charts/aoi/templates/prometheus/clusterrole.yaml new file mode 100644 index 00000000..4a2d0651 --- /dev/null +++ b/charts/aoi/templates/prometheus/clusterrole.yaml 
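Review bot: `aoi.prometheusMaxDiskUsagePerURL` assumes `prometheus.persistence.size` ends in `Gi` and exceeds 10: a value such as `500Mi` or `1Ti` leaves a non-numeric string that `int64` turns into 0, and anything at or below `10Gi` yields a negative budget (`-10GB`) that is handed to vmagent as `-remoteWrite.maxDiskUsagePerURL`. Guard it right after `$diskSize` is computed: `{{- if or (not (hasSuffix "Gi" .Values.prometheus.persistence.size)) (le $diskSize 10) }}{{ fail "prometheus.persistence.size must be given in Gi and be larger than 10Gi" }}{{- end }}`. A short comment on why 10 is subtracted (presumably headroom reserved for the local buffer versus the remote-write queue) would also help the next reader.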
@@ -0,0 +1,32 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "aoi.prometheusFullname" . }} +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/metrics + - services + - endpoints + - pods + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - /metrics + - /metrics/cadvisor + verbs: + - get diff --git a/charts/aoi/templates/prometheus/clusterrolebinding.yaml b/charts/aoi/templates/prometheus/clusterrolebinding.yaml new file mode 100644 index 00000000..be07c055 --- /dev/null +++ b/charts/aoi/templates/prometheus/clusterrolebinding.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "aoi.prometheusFullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "aoi.prometheusFullname" . }} +subjects: + - kind: ServiceAccount + name: prometheus + namespace: {{ .Release.Namespace }} diff --git a/charts/aoi/templates/prometheus/prometheus-relabel.yaml b/charts/aoi/templates/prometheus/prometheus-relabel.yaml new file mode 100644 index 00000000..9b796f16 --- /dev/null +++ b/charts/aoi/templates/prometheus/prometheus-relabel.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: remote-write-relabel + namespace: {{ .Release.Namespace }} +data: + relabel_config.yaml: | + {{- tpl .Values.prometheus.relabelConfig . | nindent 4 }} \ No newline at end of file diff --git a/charts/aoi/templates/prometheus/prometheus.yaml b/charts/aoi/templates/prometheus/prometheus.yaml new file mode 100644 index 00000000..d736ce8a --- /dev/null +++ b/charts/aoi/templates/prometheus/prometheus.yaml 
@@ -0,0 +1,83 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: Prometheus +metadata: + name: {{ include "aoi.prometheusFullname" . }} + namespace: {{ .Release.Namespace }} +spec: + configMaps: + - remote-write-relabel + containers: + - name: prometheus + args: + - -httpListenAddr=:9090 + - -promscrape.config=/etc/prometheus/config_out/prometheus.env.yaml + - -promscrape.config.strictParse=false + - -promscrape.maxScrapeSize=25165824 # 24 MiB # Default value 16777216 + - -remoteWrite.url={{- include "aoi.prometheusWriteUrl" . }} + - -remoteWrite.urlRelabelConfig=/etc/prometheus/configmaps/remote-write-relabel/relabel_config.yaml + - -remoteWrite.tmpDataPath=/prometheus + - -remoteWrite.maxDiskUsagePerURL={{- include "aoi.prometheusMaxDiskUsagePerURL" . }} + image: "{{ .Values.prometheus.image.registry }}/{{ .Values.prometheus.image.repository }}:{{ .Values.prometheus.image.tag }}" + pullPolicy: "{{ .Values.prometheus.image.pullPolicy }}" + resources: + {{- toYaml .Values.prometheus.resources | nindent 8 }} + securityContext: + {{- toYaml .Values.prometheus.podSecurityContext | nindent 8 }} + - name: config-reloader + image: "{{ .Values.prometheus.configReloader.image.registry }}/{{ .Values.prometheus.configReloader.image.repository }}:{{ .Values.prometheus.configReloader.image.tag }}" + pullPolicy: "{{ .Values.prometheus.configReloader.image.pullPolicy }}" + resources: + {{- toYaml .Values.prometheus.configReloader.resources | nindent 8 }} + securityContext: + {{- toYaml .Values.prometheus.configReloader.securityContext | nindent 8 }} + evaluationInterval: 30s + externalLabels: {{ .Values.prometheus.externalLabels | toYaml | nindent 4 }} + podMetadata: + annotations: + {{- toYaml .Values.prometheus.podAnnotations | nindent 6 }} + labels: + {{- include "aoi.prometheusSelectorLabels" . | nindent 6 }} + {{- with .Values.global.podLabels }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.prometheus.podLabels }} + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.prometheus.selectorLabels }} + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + podMonitorNamespaceSelector: + matchLabels: {} + podMonitorSelector: + matchLabels: {} + ruleNamespaceSelector: + matchLabels: {} + ruleSelector: + matchLabels: {} + serviceMonitorNamespaceSelector: + matchLabels: {} + serviceMonitorSelector: + matchLabels: {} + portName: web + {{- include "aoi.prometheusPriorityClassName" . | nindent 2 }} + replicas: 1 + resources: + {{- toYaml .Values.prometheus.resources | nindent 4 }} + storage: + volumeClaimTemplate: + spec: + resources: + requests: + storage: {{ .Values.prometheus.persistence.size }} + scrapeInterval: 30s + securityContext: + {{- toYaml .Values.prometheus.podSecurityContext | nindent 4 }} + serviceAccountName: prometheus + version: v2.39.0 + {{- if .Values.prometheus.extraVolumes }} + {{ toYaml .Values.prometheus.extraVolumes | nindent 2}} + {{- end }} + {{- if .Values.prometheus.extraVolumeMounts }} + {{ toYaml .Values.prometheus.extraVolumeMounts | nindent 2}} + {{- end }} diff --git a/charts/aoi/templates/prometheus/sa.yaml b/charts/aoi/templates/prometheus/sa.yaml new file mode 100644 index 00000000..d96879d6 --- /dev/null +++ b/charts/aoi/templates/prometheus/sa.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/aoi/templates/promxy/_helpers-promxy.tpl b/charts/aoi/templates/promxy/_helpers-promxy.tpl new file mode 100644 index 00000000..7a3038b7 --- /dev/null +++ b/charts/aoi/templates/promxy/_helpers-promxy.tpl 
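Review bot: Under `spec.containers`, the `prometheus` and `config-reloader` entries use `pullPolicy:`, but the field on a core/v1 Container is `imagePullPolicy`; a structural CRD prunes (or, with server-side validation, rejects) the unknown key, so the configured pull policy is silently ignored — change both to `imagePullPolicy: "{{ ... }}"`. The `prometheus` container's `securityContext` is also filled from `.Values.prometheus.podSecurityContext`, the same map used for the pod-level `securityContext` further down, so any pod-only field in it such as `fsGroup` would be rejected at container level; a dedicated `prometheus.securityContext` value, as `configReloader.securityContext` already is, keeps the two scopes apart. Finally, `extraVolumes`/`extraVolumeMounts` are dumped directly under `spec` without a `volumes:`/`volumeMounts:` key, which only works if the values are themselves written as those mappings — worth a comment or an explicit key.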
@@ -0,0 +1,32 @@ +{{/* +promxy fullname +*/}} +{{- define "aoi.promxyFullname" -}} +{{ include "aoi.name" . }}-promxy +{{- end }} + +{{/* +promxy common labels +*/}} +{{- define "aoi.promxyLabels" -}} +{{ include "aoi.labels" . }} +app.kubernetes.io/component: promxy +{{- end }} + +{{/* +promxy selector labels +*/}} +{{- define "aoi.promxySelectorLabels" -}} +{{ include "aoi.selectorLabels" . }} +app.kubernetes.io/component: promxy +{{- end }} + +{{/* +promxy priority class name +*/}} +{{- define "aoi.promxyPriorityClassName" -}} +{{- $pcn := coalesce .Values.global.priorityClassName .Values.promxy.priorityClassName -}} +{{- if $pcn }} +priorityClassName: {{ $pcn }} +{{- end }} +{{- end }} diff --git a/charts/aoi/templates/promxy/configmap-promxy.yaml b/charts/aoi/templates/promxy/configmap-promxy.yaml new file mode 100644 index 00000000..b4440291 --- /dev/null +++ b/charts/aoi/templates/promxy/configmap-promxy.yaml @@ -0,0 +1,13 @@ +{{- if .Values.global.tsdb.high_availability.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "aoi.promxyFullname" . }}-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "aoi.promxyLabels" . | nindent 4 }} +data: + config.yaml: | + {{- tpl .Values.promxy.config . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/aoi/templates/promxy/deployment-promxy.yaml b/charts/aoi/templates/promxy/deployment-promxy.yaml new file mode 100644 index 00000000..ae55ef70 --- /dev/null +++ b/charts/aoi/templates/promxy/deployment-promxy.yaml 
@@ -0,0 +1,122 @@
+{{- if .Values.global.tsdb.high_availability.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "aoi.promxyFullname" . }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "aoi.promxyLabels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.global.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.promxy.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.promxy.replicas }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "aoi.promxySelectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ {{- with .Values.global.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.promxy.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "aoi.promxySelectorLabels" . | nindent 8 }}
+ {{- with .Values.global.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.promxy.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.promxy.selectorLabels }}
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- include "aoi.promxyPriorityClassName" . | nindent 6 }}
+ securityContext:
+ {{- toYaml .Values.promxy.podSecurityContext | nindent 8 }}
+ terminationGracePeriodSeconds: {{ .Values.promxy.terminationGracePeriodSeconds }}
+ containers:
+ - name: proxy
+ image: "{{ .Values.promxy.image.registry }}/{{ .Values.promxy.image.repository }}:{{ .Values.promxy.image.tag }}"
+ imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+ args:
+ - --config=/etc/promxy/config.yaml
+ - --log-level=info
+ {{- with .Values.promxy.extraArgs }}
+ {{- toYaml .
| nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/promxy
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ readinessProbe:
+ failureThreshold: 120
+ httpGet:
+ path: /-/ready
+ port: http
+ scheme: HTTP
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ ports:
+ - name: http
+ containerPort: 8082
+ protocol: TCP
+ volumeMounts:
+ - mountPath: "/etc/promxy/"
+ name: aoi-promxy-config
+ readOnly: true
+ {{- with .Values.promxy.extraEnv }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.promxy.extraEnvFrom }}
+ envFrom:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
+ resources:
+ {{- toYaml .Values.promxy.resources | nindent 12 }}
+ {{- with .Values.promxy.affinity }}
+ affinity:
+ {{- tpl . $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.promxy.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.promxy.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - configMap:
+ name: aoi-promxy-config
+ name: aoi-promxy-config
+{{- end }}
diff --git a/charts/aoi/templates/promxy/service-auth-promxy.yaml b/charts/aoi/templates/promxy/service-auth-promxy.yaml
new file mode 100644
index 00000000..0ad2fbe4
--- /dev/null
+++ b/charts/aoi/templates/promxy/service-auth-promxy.yaml
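Review bot: The volume at the end of the pod spec mounts a ConfigMap by the literal name `aoi-promxy-config`, but the ConfigMap in this same change is named `{{ include "aoi.promxyFullname" . }}-config`; the two only agree while `aoi.name` renders as `aoi`, and any name override leaves the pod stuck in ContainerCreating with a missing-ConfigMap event. Use the helper on both sides: `name: {{ include "aoi.promxyFullname" . }}-config` (the volume's own `name:` can stay literal since it is pod-local). Separately, no pod annotation carries a checksum of the rendered config, so editing `promxy.config` updates the ConfigMap without rolling the Deployment; `checksum/config: {{ include (print $.Template.BasePath "/promxy/configmap-promxy.yaml") . | sha256sum }}` under the pod annotations fixes that. Note also that `maxSurge: 0` with `maxUnavailable: 1` and the default of one replica takes the only proxy down on every upgrade, which is worth a comment next to `strategy:` if it is intentional.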
@@ -0,0 +1,32 @@
+{{- if .Values.global.tsdb.high_availability.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "aoi.promxyFullname" . }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "aoi.promxyLabels" . | nindent 4 }}
+ {{- with .Values.global.serviceLabels }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- with .Values.promxy.service.labels }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ annotations:
+ {{- with .Values.global.serviceAnnotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- with .Values.promxy.service.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 8082
+ targetPort: http
+ protocol: TCP
+ selector:
+ {{- include "aoi.promxySelectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/aoi/templates/pvc-victoria-metrics.yaml b/charts/aoi/templates/pvc-victoria-metrics.yaml
new file mode 100644
index 00000000..3f5dba73
--- /dev/null
+++ b/charts/aoi/templates/pvc-victoria-metrics.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.global.tsdb.enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: server-volume-aoi-victoria-metrics-single-1-server-0
+ namespace: application-operations-system
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.victoriaMetrics.persistentVolume.size }}
+ volumeMode: Filesystem
+{{- end }}
+{{- if .Values.global.tsdb.high_availability.enabled }}
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: server-volume-aoi-victoriaMetrics-single-2-server-0
+ namespace: application-operations-system
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.victoriaMetrics.persistentVolume.size }}
+ storageClassName: default
+ volumeMode: Filesystem
+
+{{- end }}
diff --git a/charts/aoi/templates/validate.yaml b/charts/aoi/templates/validate.yaml
new file mode 100644
index 00000000..42e7374f
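Review bot: In the pvc-victoria-metrics.yaml hunk the second claim's name `server-volume-aoi-victoriaMetrics-single-2-server-0` contains upper-case letters, which the API server rejects for a PersistentVolumeClaim (names must be lower-case DNS subdomains), so enabling `global.tsdb.high_availability` fails at apply time; it also differs from the first claim's `victoria-metrics` spelling, so even if accepted it would not match whatever name the StatefulSet's volume claim template generates for replica 2. Both claims hard-code `namespace: application-operations-system` instead of `{{ .Release.Namespace }}`, so an install into any other namespace creates orphaned claims that the StatefulSet in the release namespace never binds, while the pre-sized volume the chart intends to provide is missing. `storageClassName: default` is set only on the second claim, so the two replicas can land on different classes; either set it on both from a value or drop it. The `aoi` segment in both names is the same literal-release-name assumption as elsewhere in this change and deserves a comment stating that it must equal the release name.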
--- /dev/null
+++ b/charts/aoi/templates/validate.yaml
@@ -0,0 +1,16 @@
+{{/* validate flux CRDs */}}
+{{- if .Values.alerting.enabled }}
+ {{- if not (.Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2") }}
+ {{ fail "alerting requires source.toolkit.fluxcd.io/v1beta2 CRDs." }}
+ {{- end }}
+ {{- if not (.Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta1") }}
+ {{ fail "alerting requires helm.toolkit.fluxcd.io/v2beta1 CRDs." }}
+ {{- end }}
+{{- end }}
+
+{{/* validate cluster_id is defined */}}
+{{- if .Values.alerting.enabled }}
+ {{- if (eq .Values.alerting.clusterId "") }}
+ {{ fail "alerting is enabled, clusterId must be defined and set to the value of the label cluster_id" }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/aoi/values.yaml b/charts/aoi/values.yaml
new file mode 100644
index 00000000..6e08cea4
--- /dev/null
+++ b/charts/aoi/values.yaml
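Review bot: `eq .Values.alerting.clusterId ""` only catches the empty-string default; a user who sets `clusterId: null` (or `~`) passes a nil value to `eq`, which Go templates evaluate to false when one side is nil and the other a string, so the guard is silently bypassed and alerting renders without a cluster id. `{{- if not .Values.alerting.clusterId }}` covers empty, null and unset in one check, and the two `if .Values.alerting.enabled` blocks can then be merged under a single guard. The `.Capabilities.APIVersions.Has` checks are only meaningful against a live cluster: `helm template` and chart-testing lint without `--api-versions` will fail them whenever alerting is enabled, which deserves a comment above the first block, e.g. `{{/* these checks need a live cluster or --api-versions; helm template alone will fail them */}}`.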
@@ -0,0 +1,491 @@
+# Global definitions used for components directly managed by this chart
+global:
+ clusterDomain: "cluster.local"
+ tsdb:
+ enabled: true
+ high_availability:
+ # -- Enable high-availability for tsdb (Victoria-metrics-single)
+ enabled: false
+ # -- Default priorityClassName to use
+ priorityClassName: null
+ serviceLabels: {}
+ serviceAnnotations: {}
+ image:
+ pullPolicy: Always
+ revisionHistoryLimit: 5
+ annotations: {}
+ podAnnotations: {}
+ podLabels: {}
+ imagePullSecrets: []
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ # -- Options to configure the bootstrapConfig globally can be overwritten for dashboards and clusterWideNamespace alerting namespace.
+ # .Values.dashboards.bootstrapConfig
+ # .Values.alerting.clusterWideNamespace.bootstrapConfig
+ bootstrapConfig:
+ git:
+ # -- Which git flavor to use, currently only supports github, gitlab and bitbucket
+ flavor: "github"
+ github: {}
+ gitlab: {}
+ bitbucket: {}
+ vault: {}
+ externalSecretsStore: {}
+
+
+# Namespace for tenant dashboards
+dashboards:
+ # -- overwrite options configured in global.bootstrapConfig
+ bootstrapConfig:
+ git:
+ # -- overwrite git options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ github: {}
+ gitlab: {}
+ bitbucket: {}
+ # -- overwrite vault options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ vault: {}
+ # -- overwrite externalSecretStore options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ externalSecretsStore: {}
+ # -- Options to configure the projectBootstrap used for tenant dashboard namespace
+ projectBootstrap:
+ git: {}
+
+# Prometheus Queries are filtered using client JWT token (Grafana)
+authProxy:
+ # -- Enable filtering of Prometheus Queries based on client JWT token (Grafana)
+ enabled: true
+ replicas: 1
+ image:
+ registry: registry.netic.dk
+ repository: netic-oaas/cortex-proxy
+ tag: v1.0.4
+ priorityClassName: null
+ annotations: {}
+ podAnnotations: {}
+ podLabels: {}
+ selectorLabels: {}
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ runAsNonRoot: true
+ service:
+ annotations: {}
+ labels: {}
+ extraArgs: []
+ extraEnv: []
+ extraEnvFrom: []
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ terminationGracePeriodSeconds: 30
+ affinity: []
+ nodeSelector: {}
+ topologySpauthProxyConstraints: []
+ tolerations: []
+ podManagementPolicy: "Parallel"
+
+
+prometheus:
+ image:
+ registry: docker.io
+ repository: victoriametrics/vmagent
+ tag: v1.100.1@sha256:18959c254d474d150fd74534b8183e1a800d18d673a408b0c7d20e3febe6f4fe
+ pullPolicy: Always
+ resources:
+ limits:
+ memory: 768Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ priorityClassName: null
+ podAnnotations: {}
+ podSecurityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ # -- labels to add to all metrics.
+ # externalLabels:
+ # cluster_id: "${cluster_provider}_${cluster_name}"
+ # cluster: ${cluster_name}
+ # cluster_type: "${cluster_type}"
+ # prometheus_cluster: ${cluster_name}/aoi-prometheus
+ # provider: "${cluster_provider}"
+ externalLabels: {}
+ # -- relabel configs to apply to samples before ingestion.
+ relabelConfig: |
+ - source_labels: [cluster_id, namespace]
+ separator: _
+ regex: (.*)
+ target_label: namespace_id
+ replacement: $1
+ action: replace
+ persistence:
+ size: 60Gi
+ configReloader:
+ image:
+ registry: quay.io
+ repository: prometheus-operator/prometheus-config-reloader
+ tag: v0.76.1@sha256:31410de3f01e8ee4e3fd692345d247e7ef57351ce58b21c89d71639d50d1f424
+ pullPolicy: Always
+ resources:
+ limits:
+ memory: 25Mi
+ requests:
+ cpu: 10m
+ memory: 25Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ extraVolumes: []
+ extraVolumeMounts: []
+
+# Used in HA mode to route request to one or the other tsdb - https://github.com/jacksontj/promxy?tab=readme-ov-file#why-promxy
+promxy:
+ replicas: 1
+ image:
+ registry: quay.io
+ repository: jacksontj/promxy
+ tag: v0.0.85@sha256:115686ce1eb8e37696304b191ce33f13db1c0d7ec8f3ef36501f12bb74f83b9e
+ priorityClassName: null
+ annotations: {}
+ podAnnotations: {}
+ podLabels: {}
+ selectorLabels: {}
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ runAsNonRoot: true
+ service:
+ annotations: {}
+ labels: {}
+ extraArgs: []
+ extraEnv: []
+ extraEnvFrom: []
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ terminationGracePeriodSeconds: 30
+ affinity: []
+ nodeSelector: {}
+ topologySpauthProxyConstraints: []
+ tolerations: []
+ podManagementPolicy: "Parallel"
+ config: |
+ ##
+ ### Promxy configuration
+ ##
+ promxy:
+ server_groups:
+ - static_configs:
+ - targets:
+ - victoria-metrics-single-1-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:8428
+ labels:
+ replica: 1
+ http_client:
+ dial_timeout: 1s
+ ignore_error: true
+ remote_read: true
+ remote_read_path: /api/v1
+ - static_configs:
+ - targets:
+ - victoria-metrics-single-2-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:8428
+ labels:
+ replica: 2
+ http_client:
+ dial_timeout: 1s
+
ignore_error: true
+ remote_read: true
+ remote_read_path: /api/v1
+
+
+externalSecret:
+ vaultServer: null
+ vaultPath: null
+ vaultMountPath: null
+ vaultDataFromKey: null
+
+
+grafana:
+ # -- If true deploy Grafana for tenant dashboards
+ enabled: true
+ image:
+ pullPolicy: Always
+ testFramework:
+ enabled: false
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ priorityClassName: "secure-cloud-stack-tenant-namespace-application-critical"
+ resources:
+ limits:
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ podPortName: http
+ # sidecar used to provision tenant dashboards found as configmaps in the namespace application-operations-dashboards with label aoi_dashboard
+ sidecar:
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ resources:
+ limits:
+ memory: 96Mi
+ requests:
+ cpu: 50m
+ memory: 96Mi
+ dashboards:
+ enabled: true
+ # -- Load configmaps with label key
+ label: application-operations-dashboards
+ # -- Watch for configmaps in namespaces
+ searchNamespace:
+ - application-operations-dashboards
+ # -- override grafana folder using annotation
+ folderAnnotation: grafana_dashboard_folder
+ provider:
+ disableDelete: true
+ foldersFromFilesStructure: true
+ datasources:
+ enabled: true
+ label: aoi_grafana_datasource
+ ingress:
+ enabled: false
+ fqdn: null
+
+victoriaMetrics:
+ persistentVolume:
+ # -- Size of the volume. Should be calculated based on the metrics you send and retention policy you set.
+ size: 5Gi
+
+victoria-metrics-single-1:
+ rbac:
+ create: false
+ server:
+ # -- Data retention period
+ retentionPeriod: 90d
+ image:
+ pullPolicy: Always
+ # Try to not schedule victoria-metrics-single-1 in same zone as victoria-metrics-single-2
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - victoria-metrics-single-2
+ topologyKey: topology.kubernetes.io/zone
+ resources:
+ limits:
+ memory: 1024Mi
+ requests:
+ cpu: 200m
+ memory: 1024Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ serviceMonitor:
+ enabled: true
+ extraLabels:
+ netic.dk/monitoring: "true"
+
+victoria-metrics-single-2:
+ rbac:
+ create: false
+ server:
+ # -- Data retention period
+ retentionPeriod: 90d
+ image:
+ pullPolicy: Always
+ # Try to not schedule victoria-metrics-single-2 in same zone as victoria-metrics-single-1
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - victoria-metrics-single-1
+ topologyKey: topology.kubernetes.io/zone
+ resources:
+ limits:
+ memory: 1024Mi
+ requests:
+ cpu: 200m
+ memory: 1024Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ serviceMonitor:
+ enabled: true
+ extraLabels:
+ netic.dk/monitoring: "true"
+
+alerting:
+ # -- Enable deploying alerting components
+ enabled: false
+ # -- Value of the label (cluster_id)
+ clusterId: ""
+ clusterWideNamespace:
+ # -- Create alerting namespace for cluster-wide alert definitions
+ enabled: false
+ name: application-operations-alerting
+ # -- overwrite options
configured in global.bootstrapConfig
+ bootstrapConfig:
+ git:
+ # -- overwrite git options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ github: {}
+ gitlab: {}
+ bitbucket: {}
+ # -- overwrite vault options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ vault: {}
+ # -- overwrite externalSecretStore options, make sure to include all options in overwrite, it is not merged with globally defined options.
+ externalSecretsStore: {}
+ # -- Options to configure the projectBootstrap used for cluster-wide alert namespace.
+ projectBootstrap:
+ git: {}
+ # -- List of namespaces which should have alerting components deployed
+ namespaces: []
+ # -- Override the default helmRepository used to deploy alerting components
+ helmRepository: null
+ # -- Values to configure for the victoria-metrics-alert helm chart. https://github.com/VictoriaMetrics/helm-charts/blob/master/charts/victoria-metrics-alert/values.yaml
+ helmRelease:
+ values:
+ server:
+ priorityClassName: "secure-cloud-stack-tenant-namespace-application-critical"
+ image:
+ registry: docker.io
+ repository: victoriametrics/vmalert
+ pullPolicy: Always
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ configReloader:
+ image:
+ registry: docker.io
+ repository: kiwigrid/k8s-sidecar
+ tag: "1.26.1@sha256:b8d5067137fec093cf48670dc3a1dbb38f9e734f3a6683015c2e89a45db5fd16"
+ pullPolicy: Always
+ resources:
+ limits:
+ memory: 96Mi
+ requests:
+ cpu: 10m
+ memory: 96Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ alertmanager:
+ # -- Boolean that is used to mount the secret aoi-alertmanager-email-password into the alertmanager
container
+ emailPasswordMount: false
+ priorityClassName: "secure-cloud-stack-tenant-namespace-application-critical"
+ image:
+ registry: docker.io
+ repository: prom/alertmanager
+ tag: "v0.27.0"
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ configReloader:
+ image:
+ registry: ghcr.io
+ repository: neticdk/inotifywait-reloader
+ tag: "v0.0.2"
+ pullPolicy: Always
+ resources:
+ limits:
+ memory: 96Mi
+ requests:
+ cpu: 10m
+ memory: 96Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+
+# This is here to disable everything from the victoria-metrics-alert helm chart in chart.yaml since it is only used for versioning
+# Do not change!
+victoria-metrics-alert:
+ serviceAccount:
+ create: false
+ rbac:
+ create: false
+ server:
+ enabled: false
+ configMap: "null"
diff --git a/ct.yaml b/ct.yaml
index a68c9b48..a7521a00 100644
--- a/ct.yaml
+++ b/ct.yaml
@@ -4,6 +4,7 @@ chart-repos:
 - prometheus-community=https://prometheus-community.github.io/helm-charts
 - vector=https://helm.vector.dev
 - open-telemetry=https://open-telemetry.github.io/opentelemetry-helm-charts
+ - victoria-metrics=https://victoriametrics.github.io/helm-charts
 excluded-charts:
 - prometheus
 additional-commands:
diff --git a/polaris.yaml b/polaris.yaml
index 420d66e2..01e5c933 100644
--- a/polaris.yaml
+++ b/polaris.yaml
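Review bot: `topologySpauthProxyConstraints: []` under both `authProxy` and `promxy` reads like a search-and-replace slip for `topologySpreadConstraints`, and neither key is consumed by the promxy Deployment template in this change, so the option is dead; rename it and wire it into the pod spec, or drop it. `prometheus.podSecurityContext` mixes container-level fields (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `capabilities`) into a block the preceding Prometheus template renders as the pod-level `securityContext`; if that field is a PodSecurityContext, as its name suggests, those keys are unknown there and are pruned or rejected depending on the server's field validation, so they provide no hardening where they sit and belong in a container-level context. None of the security contexts in this file set `seccompProfile: {type: RuntimeDefault}`, which the restricted Pod Security Standard requires at pod or container level; adding it to `global.containerSecurityContext` covers every container that reuses that block. `affinity: []` for `authProxy` and `promxy` does not match how the promxy template consumes it (`tpl . $` expects a string), so any user-supplied list fails to render; document the key as a templated string, e.g. `affinity: ""`, with a comment that it is passed through `tpl`.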
@@ -6,10 +6,13 @@ checks:
 pullPolicyNotAlways: warning
 readinessProbeMissing: warning
 livenessProbeMissing: warning
- metadataAndNameMismatched: ignore
+ metadataAndInstanceMismatched: ignore
 pdbDisruptionsIsZero: warning
 missingPodDisruptionBudget: ignore
 topologySpreadConstraint: warning
+ hpaMaxAvailability: warning
+ hpaMinAvailability: warning
+ pdbMinAvailableGreaterThanHPAMinReplicas: warning
 
 # efficiency
 cpuRequestsMissing: warning
@@ -60,8 +63,8 @@ exemptions:
 - release-name-prometheus-operator-admission-patch
 - release-name-prometheus-operator-admission-create
 - release-name-opentelemetry-operator-cert-manager # OpenTelemetry Operator chart test
- - release-name-opentelemetry-operator-metrics # OpenTelemetry Operator chart test
- - release-name-opentelemetry-operator-webhook # OpenTelemetry Operator chart test
+ - release-name-opentelemetry-operator-metrics # OpenTelemetry Operator chart test
+ - release-name-opentelemetry-operator-webhook # OpenTelemetry Operator chart test
 - release-name-opentelemetry-operator-cert-manager
 - release-name-opentelemetry-operator-metrics
 - release-name-opentelemetry-operator-webhook