freezer/mareshq-gitops-legacy
Archived
1
0
Fork 0
Code Activity

Compare commits

base: freezer:1ed317195481ef72ae978f1de94e293a20f7e64b
Branches Tags
freezer:main
freezer:app-rancher
...
compare: freezer:d410d564f34dc39806d7b97916289ce44fe491e4
Branches Tags
freezer:main
freezer:app-rancher

10 commits
1ed3171954 ... d410d564f3

Author SHA1 Message Date
Vojtech Mares
d410d564f3
wip 2024-01-25 17:07:18 +01:00
Vojtech Mares
2eed379533
feat(cherry/kube-prometheus-stack): federate data from lychee prometheus 2023-10-03 20:51:29 +02:00
Vojtech Mares
4577bacd0f
refactor(appsets/node-problem-detector): downgrade to helm chart 2.3.10 2023-10-03 20:34:24 +02:00
Vojtech Mares
12525660cd
fix(appsets/prometheus_: missing ingressClassName 2023-10-03 20:23:16 +02:00
Vojtech Mares
88e41eb5cc
fix(appsets/prometheus): syncOptions: ServerSideApply=true 2023-10-03 20:16:32 +02:00
Vojtech Mares
3122d80ee1
feat(appsets): add node-problem-detector 2023-10-03 20:12:17 +02:00
Vojtech Mares
005fe949d6
feat(appsets): add prometheus 2023-10-03 20:11:58 +02:00
Vojtech Mares
9ed52183d5
feat(cherry/kube-prometheus-stack): add additionalScrapeConfigs 2023-10-03 19:24:21 +02:00
Vojtech Mares
f38e6d5a3c
feat(cherry/uptime-kuma): add argocd finalizers 2023-10-03 15:50:24 +02:00
Vojtech Mares
be21c1c298
feat(cherry/ingress-nginx): enablem metrics 2023-10-03 15:49:51 +02:00
10 changed files with 345 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

46
appsets/node-problem-detector.yaml Normal file
View file

@ -0,0 +1,46 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: universal-cert-manager
annotations:
argocd.argoproj.io/sync-wave: "3"
spec:
generators:
- list:
elements:
- cluster: cherry
url: https://kubernetes.default.svc
- cluster: lychee
url: https://172.16.152.1:6443
syncPolicy:
applicationsSync: sync
template:
metadata:
name: "{{cluster}}-node-problem-detector"
annotations:
argocd.argoproj.io/sync-wave: "5"
spec:
project: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
source:
chart: node-problem-detector
repoURL: https://charts.deliveryhero.io/
targetRevision: 2.3.10
helm:
releaseName: node-problem-detector
valuesObject:
metrics:
enabled: true
serviceMonitor:
enabled: true
prometheusRule:
enabled: true
destination:
server: "{{url}}"
namespace: monitoring

103
appsets/prometheus.yaml Normal file
View file

@ -0,0 +1,103 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: universal-prometheus
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
generators:
- list:
elements:
- cluster: lychee
url: https://172.16.152.1:6443
syncPolicy:
applicationsSync: create-update
preserveResourcesOnDeletion: true
template:
metadata:
name: "{{cluster}}-prometheus"
annotations:
argocd.argoproj.io/sync-wave: "5"
spec:
project: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
source:
chart: kube-prometheus-stack
repoURL: https://prometheus-community.github.io/helm-charts
targetRevision: 51.2.0
helm:
releaseName: prometheus
values: |
fullnameOverride: "prometheus"
prometheus:
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- prometheus.{{cluster}}.k8s.vxm.cz
paths:
- /
pathType: Prefix
tls:
- hosts:
- prometheus.{{cluster}}.k8s.vxm.cz
secretName: prometheus-ingress-tls
prometheusSpec:
serviceMonitorSelectorNilUsesHelmValues: false
podMonitorSelectorNilUsesHelmValues: false
ruleSelectorNilUsesHelmValues: false
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: hcloud-volumes
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 20Gi
serviceMonitor:
selfMonitor: true
grafana:
enabled: false
alertmanager:
enabled: true
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- alertmanager.{{cluster}}.k8s.vxm.cz
paths:
- /
pathType: Prefix
tls:
- hosts:
- alertmanager.{{cluster}}.k8s.vxm.cz
secretName: alertmanager-ingress-tls
alertmanagerSpec:
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
destination:
server: "{{url}}"
namespace: monitoring

38
clusters/cherry/apps/blackbox-exporter.yaml Normal file
View file

@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cherry-blackbox-exporter
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: monitoring
source:
chart: prometheus-blackbox-exporter
repoURL: https://prometheus-community.github.io/helm-charts
targetRevision: 8.4.0
helm:
releaseName: blackbox-exporter
valuesObject:
releaseLabel: true
pspEnabled: false
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 50m
memory: 50Mi
serviceMonitor:
selfMonitor:
enabled: true

26
clusters/cherry/apps/hcloud-cloud-controller-manager.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cherry-hcloud-cloud-controller-manager
namespace: argocd
spec:
project: infrastructure
syncPolicy:
automated:
prune: true
selfHeal: true
destination:
server: https://kubernetes.default.svc
namespace: kube-system
source:
chart: hcloud-cloud-controller-manager
repoURL: https://charts.hetzner.cloud
targetRevision: 1.18.0
helm:
releaseName: hcloud-cloud-controller-manager
valuesObject:
controller:
hcloudToken:
existingSecret:
name: hcloud-token
key: token

4
clusters/cherry/apps/ingress-nginx.yaml
View file

@ -55,6 +55,10 @@ spec:
type: ClusterIP type: ClusterIP
hostPort: hostPort:
enabled: true enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
config: config:
allow-snippet-annotations: "true" allow-snippet-annotations: "true"
generate-request-id: "true" generate-request-id: "true"

28
clusters/cherry/apps/kube-prometheus-stack.yaml
View file

@ -107,6 +107,34 @@ spec:
requests: requests:
storage: 50Gi storage: 50Gi
additionalScrapeConfigs:
- job_name: "node-exporter"
metrics_path: "/metrics"
static_configs:
- targets:
- 172.16.1.1:9100
- 172.16.1.2:9100
- maple.vxm.cz:9100
- alder.vxm.cz:9100
# See: https://developers.mattermost.com/blog/cloud-monitoring/
- job_name: "federate"
scrape_interval: 15s
honor_labels: true
metrics_path: "/federate"
params:
'match[]':
- '{job="prometheus"}'
- '{__name__=~"job:.*"}'
static_configs:
- targets:
- prometheus.lychee.k8s.vxm.cz.
labels:
clusterID: lychee
serviceMonitor: serviceMonitor:
selfMonitor: true selfMonitor: true

2
clusters/cherry/apps/uptime-kuma.yaml
View file

@ -3,6 +3,8 @@ kind: Application
metadata: metadata:
name: uptime-kuma name: uptime-kuma
namespace: argocd namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec: spec:
project: monitoring project: monitoring
syncPolicy: syncPolicy:

33
clusters/cherry/manifests/vault/ca.yaml Normal file
View file

@ -0,0 +1,33 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: server-selfsigned-ca
spec:
isCA: true
commonName: Vault Server CA
secretName: server-ca
duration: 87660h # 10 years
privateKey:
algorithm: RSA
size: 4096
issuerRef:
name: selfsigned
kind: Issuer
group: cert-manager.io
additionalOutputFormats:
- type: CombinedPEM
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: server-ca-issuer
spec:
ca:
secretName: server-ca

21
clusters/cherry/manifests/vault/certificate.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: server
spec:
secretName: server-tls
duration: 24h
renewBefore: 144m # 10% of 24h
dnsNames:
- vault-0.vault-internal
- vault-1.vault-internal
- vault-2.vault-internal
- vault-0.vault-internal.vault
- vault-1.vault-internal.vault
- vault-2.vault-internal.vault
- vault-0.vault-internal.vault.svc
- vault-1.vault-internal.vault.svc
- vault-2.vault-internal.vault.svc
issuerRef:
name: server-ca-issuer
commonName: Server Certificate

44
vault-unseal.sh Executable file
View file

@ -0,0 +1,44 @@
#!/usr/bin/env bash
UNSEAL_KEYS="xxx yyy zzz"
VAULT_PODS=$(kubectl get pods -n vault -l app.kubernetes.io/name=vault -o jsonpath='{.items[*].metadata.name}')
echo ""
echo "Unsealing Vault..."
echo ""
echo "Deleting existing pods..."
echo ""
kubectl delete pods -n vault $VAULT_PODS >> /dev/null
echo "Waiting for new pods to become ready..."
echo ""
kubectl wait --for=condition=ready --timeout=180s pods -n vault -l app.kubernetes.io/name=vault >> /dev/null
echo "Unsealing Vault pods..."
echo ""
for pod in $VAULT_PODS
do
echo "Unsealing $pod..."
for key in $UNSEAL_KEYS
do
kubectl exec -n vault -it $pod -- vault operator unseal $key >> /dev/null
sleep 1
done
echo "$pod unsealed!"
echo ""
done
echo "Vault unsealed!"
echo ""
echo ""
echo ""