├── .gitattributes
├── .github
└── workflows
│ ├── diff.yaml
│ ├── promotion.yml
│ └── test.yaml
├── LICENSE
├── README.md
├── apps
├── base
│ ├── airflow
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ ├── virtual-service.yaml
│ │ └── webserver-secret-key.yaml
│ ├── alloy
│ │ ├── config.alloy
│ │ ├── helm-release.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── argocd
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── aws-load-balancer-controller
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── vm-rule.yaml
│ ├── blackbox-exporter
│ │ ├── blackbox-exporter.json
│ │ ├── helm-release.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── vm-rule.yaml
│ ├── capacitor
│ │ ├── kustomization.yaml
│ │ ├── oci-repo.yaml
│ │ ├── release.yaml
│ │ └── virtual-service.yaml
│ ├── cert-manager
│ │ ├── dashboards
│ │ │ └── cert-manager.json
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── vm-rule.yaml
│ ├── clickhouse-operator
│ │ ├── dashboards
│ │ │ ├── Altinity_ClickHouse_Operator_dashboard.json
│ │ │ └── ClickHouse_Queries_dashboard.json
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── cloudnative-pg
│ │ ├── README.md
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── prometheus-rule.yaml
│ ├── cluster-autoscaler
│ │ ├── dashboards
│ │ │ └── cluster-autoscaler.json
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── vm-rule.yaml
│ ├── dragonfly-operator
│ │ ├── helm-release.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── oci-repo.yaml
│ ├── eck-operator
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── external-dns
│ │ ├── edns-dashboard.json
│ │ ├── helm-release-private.yaml
│ │ ├── helm-release-public.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── vm-rule.yaml
│ ├── external-secrets
│ │ ├── eso-dashboard.json
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── vm-rule.yaml
│ ├── flux-monitoring
│ │ ├── dashboards
│ │ │ ├── cluster.json
│ │ │ └── control-plane.json
│ │ ├── kustomization.yaml
│ │ ├── podmonitor.yaml
│ │ └── vm-rule.yaml
│ ├── helm-exporter
│ │ ├── dashboards
│ │ │ └── grafana-helm-exporter.json
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── httpbin
│ │ ├── gateway.yaml
│ │ ├── httpbin.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── istio
│ │ ├── helm-istio-gw-private.yaml
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── telemetry.yaml
│ ├── jenkins-server
│ │ ├── gateway.yaml
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── k8s-event-logger
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── keda
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── kro
│ │ ├── README.md
│ │ ├── helm-release.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── oci-repo.yaml
│ ├── kubelinks
│ │ ├── gateway.yaml
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── kyverno
│ │ ├── README.md
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── loki
│ │ ├── datasource.yaml
│ │ ├── helm-release-loki.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── metrics-server
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── minio-operator
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── ollama
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── oomkill-exporter
│ │ ├── daemonset.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ ├── podscrape.yaml
│ │ └── vm-rule.yaml
│ ├── pgadmin
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── reflector
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ ├── rm-reflector-ns.yaml
│ │ ├── rm-reflector-release.yaml
│ │ └── rm-reflector-repo.yaml
│ ├── reloader
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
│ ├── seaweedfs
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── s3-secret.yaml
│ ├── strimzi
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── strimzi-pod-monitor.yaml
│ ├── valkey-operator
│ │ ├── README.md
│ │ └── kustomization.yaml
│ ├── victoria-logs
│ │ ├── README.md
│ │ ├── datasource.yaml
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ ├── namespace.yaml
│ │ └── virtual-service.yaml
│ ├── victoria-metrics-k8s-stack
│ │ ├── gateway-grafana.yaml
│ │ ├── gateway-vm.yaml
│ │ ├── grafana-dashboardDefinitions.yaml
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kube-state-metrics-config.yaml
│ │ ├── kustomization.yaml
│ │ ├── kustomizeconfig.yaml
│ │ ├── namespace.yaml
│ │ ├── virtual-service-grafana.yaml
│ │ ├── virtual-service-vm.yaml
│ │ └── vm-rule.yaml
│ └── x509-certificate-exporter
│ │ ├── helm-release.yaml
│ │ ├── helm-repo.yaml
│ │ ├── kustomization.yaml
│ │ └── namespace.yaml
└── bundles
│ ├── docker-flex
│ ├── docker-flex.yaml
│ └── kustomization.yaml
│ └── docker-stable
│ ├── docker-stable.yaml
│ └── kustomization.yaml
├── clusters
├── dummy
│ └── kustomization.yaml
└── homelab
│ ├── RECOVER.md
│ ├── clickhouse
│ ├── kustomization.yaml
│ ├── namespace.yaml
│ └── simple-01.yaml
│ ├── flux-promotion
│ ├── gh-dispatch.yaml
│ ├── gh-provider.yaml
│ └── kustomization.yaml
│ ├── istio
│ ├── kustomization.yaml
│ └── wildcard-gateway.yaml
│ ├── kustomization.yaml
│ ├── minio-loki
│ ├── helm-release.yaml
│ ├── kustomization.yaml
│ ├── minio-loki-user-secret.yaml
│ ├── namespace.yaml
│ └── virtual-service.yaml
│ ├── pg-airflow
│ ├── cluster.yaml
│ ├── kustomization.yaml
│ ├── namespace.yaml
│ └── pg-airflow-user-secret.yaml
│ ├── redis
│ ├── cluster.yaml
│ ├── kustomization.yaml
│ └── namespace.yaml
│ ├── valkey-sample
│ ├── README.md
│ ├── kustomization.yaml
│ ├── namespace.yaml
│ └── sample.yaml
│ └── victoria-metrics-k8s-stack
│ └── helm-release.yaml
├── flex-stable.drawio.svg
├── fluxcd-promote.drawio.svg
├── renovate.json
└── scripts
├── diff.sh
└── validate.sh
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.yml linguist-detectable=true
2 | *.yml linguist-language=YAML
3 | *.yaml linguist-detectable=true
4 | *.yaml linguist-language=YAML
5 |
--------------------------------------------------------------------------------
/.github/workflows/diff.yaml:
--------------------------------------------------------------------------------
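# Render the manifests of a pull request and report the resulting diff.
# The actual work happens in ./scripts/diff.sh (not shown on this page).
name: diff

on:
  pull_request:

# NOTE(review): on pull_request runs from a fork GITHUB_TOKEN is read-only
# regardless of these scopes, so they only take effect for same-repo branches.
# `contents: write` is only needed if diff.sh pushes to the repository; if it
# merely comments on the PR, `pull-requests: write` (and `issues: write` for the
# comment API) is enough — verify against the script before tightening.
permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  manifests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the script can diff against the base branch.
          fetch-depth: 0
      # TODO(review): `@main` tracks a moving branch of a third-party repo;
      # pin these two actions to a release tag or commit SHA for reproducible,
      # reviewable supply-chain inputs.
      - name: Setup yq
        uses: fluxcd/pkg/actions/yq@main
      - name: Setup kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Validate manifests
        run: ./scripts/diff.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}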
--------------------------------------------------------------------------------
/.github/workflows/promotion.yml:
--------------------------------------------------------------------------------
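# Promote a chart version from the staging bundle to the stable bundle.
# Triggered by a Flux notification-controller repository_dispatch event; the
# event's client_payload is treated as untrusted input throughout.
name: Promotion HR
on:
  repository_dispatch:
    types:
      - HelmRelease/**

# NOTE(review): the PR step authenticates with PROMO_PAT rather than
# GITHUB_TOKEN, so these GITHUB_TOKEN scopes may be reducible — verify
# which step (if any) relies on them before tightening.
permissions:
  contents: write
  pull-requests: write

jobs:
  promote:
    name: promotion
    runs-on: ubuntu-latest
    # Only act on info-level events that originate from the staging environment.
    if: |
      github.event.client_payload.metadata.env == 'staging' &&
      github.event.client_payload.severity == 'info'
    steps:
      # Checkout main branch.
      - uses: actions/checkout@v4
        with:
          ref: main

      # Parse the event metadata to determine the chart version deployed on staging.
      # Payload fields are handed to the shell through `env` instead of being
      # expanded with `${{ }}` inside `run`, so their content is never parsed as
      # shell syntax. Each value is then restricted to a plain token before it is
      # reused as a path component, a branch name and commit/PR text.
      - name: Get chart version from staging
        id: staging
        env:
          PAYLOAD_NAME: ${{ github.event.client_payload.involvedObject.name }}
          PAYLOAD_NAMESPACE: ${{ github.event.client_payload.involvedObject.namespace }}
          PAYLOAD_REVISION: ${{ github.event.client_payload.metadata.revision }}
          PAYLOAD_TYPE: ${{ github.event.client_payload.metadata.type }}
        run: |
          set -uo pipefail
          # Reject anything that is not a bare name/version token: no '/', no
          # whitespace and no newline, so a value can neither leave the
          # apps/bundles directory nor add extra keys to $GITHUB_OUTPUT.
          check_token() {
            if [[ ! "$2" =~ ^[A-Za-z0-9._-]+$ ]]; then
              printf 'invalid %s in event payload: %q\n' "$1" "$2" >&2
              exit 1
            fi
          }
          HELMRELEASE=$PAYLOAD_NAME
          NAMESPACE=$PAYLOAD_NAMESPACE
          # revision is "<chart version>@<digest>"; keep the part before '@'.
          VERSION=${PAYLOAD_REVISION%%@*}
          TYPE=$PAYLOAD_TYPE
          check_token helmrelease "$HELMRELEASE"
          check_token namespace "$NAMESPACE"
          check_token version "$VERSION"
          check_token type "$TYPE"
          {
            printf 'VERSION=%s\n' "$VERSION"
            printf 'HELMRELEASE=%s\n' "$HELMRELEASE"
            printf 'NAMESPACE=%s\n' "$NAMESPACE"
            printf 'TYPE=%s\n' "$TYPE"
          } >> "$GITHUB_OUTPUT"

      # Patch the chart version in the production Helm release manifest.
      - name: Set chart version in production
        id: production
        env:
          HELM_RELEASE: ${{ steps.staging.outputs.helmrelease }}
          NAMESPACE: ${{ steps.staging.outputs.namespace }}
          CHART_VERSION: ${{ steps.staging.outputs.version }}
          TYPE: ${{ steps.staging.outputs.type }}
        run: |
          set -uo pipefail
          bundle="apps/bundles/${TYPE}-stable/${TYPE}-stable.yaml"
          echo "Set ${NAMESPACE}/${HELM_RELEASE} chart version to ${CHART_VERSION} in ${TYPE}-stable"
          if [[ ! -f "$bundle" ]]; then
            echo "No stable bundle found at ${bundle}" >&2
            exit 1
          fi
          # The selectors are read by yq via env(), so the values are never
          # spliced into the expression text.
          curv=$(yq '. | select(.metadata.name==env(HELM_RELEASE) and .metadata.namespace==env(NAMESPACE)) | .spec.chart.spec.version' "$bundle")
          echo "Current Version: $curv"
          echo "    New Version: $CHART_VERSION"
          if [[ -n "$curv" && "$CHART_VERSION" != "$curv" ]]; then
            yq -i '(. | select(.metadata.name == env(HELM_RELEASE) and .metadata.namespace==env(NAMESPACE)) | .spec.chart.spec.version ) = env(CHART_VERSION) ' "$bundle"
            {
              printf 'CHANGES=true\n'
              printf 'CURV=%s\n' "$curv"
            } >> "$GITHUB_OUTPUT"
            echo "Changes detected, chart version updated to ${CHART_VERSION}"
          else
            echo "No candidates found"
          fi

      # Open a Pull Request if an upgrade is needed in production.
      - name: Open promotion PR
        uses: peter-evans/create-pull-request@v7
        if: ${{ steps.production.outputs.changes }}
        with:
          branch: staging-promotion-${{ github.run_number }}
          delete-branch: true
          # A PAT is used here presumably so the resulting PR still triggers the
          # repository's other workflows; pushes made with GITHUB_TOKEN do not
          # start new workflow runs.
          token: ${{ secrets.PROMO_PAT }}
          commit-message: Update ${{ steps.staging.outputs.helmrelease }} to v${{ steps.staging.outputs.version }}
          title: "feat: Promote ${{ steps.staging.outputs.namespace }}/${{ steps.staging.outputs.helmrelease }} release to ${{ steps.staging.outputs.version }} in ${{ steps.staging.outputs.type }}-stable"
          body: |
            **Automated PR**
            HelmRelease ${{ steps.staging.outputs.namespace }}/${{ steps.staging.outputs.helmrelease }} was upgraded from ${{ steps.production.outputs.curv }} to version ${{ steps.staging.outputs.version }} in ${{ steps.staging.outputs.type }}-flex.
            Promote to stable.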
--------------------------------------------------------------------------------
/.github/workflows/test.yaml:
--------------------------------------------------------------------------------
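# Validate the rendered manifests on every PR and on pushes to main.
# The checks themselves live in ./scripts/validate.sh (not shown on this page).
name: test

on:
  pull_request:
  push:
    branches:
      - "main"

# Validation only needs to read the checkout; without an explicit block the
# job would inherit the repository's default token scopes.
# NOTE(review): widen this if validate.sh turns out to write to the repo.
permissions:
  contents: read

jobs:
  manifests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # TODO(review): `@main` tracks a moving branch of a third-party repo;
      # pin these actions to a release tag or commit SHA.
      - name: Setup yq
        uses: fluxcd/pkg/actions/yq@main
      - name: Setup kubeconform
        uses: fluxcd/pkg/actions/kubeconform@main
      - name: Setup kustomize
        uses: fluxcd/pkg/actions/kustomize@main
      - name: Validate manifests
        run: ./scripts/validate.sh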
--------------------------------------------------------------------------------
/apps/base/airflow/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: airflow
5 | namespace: airflow
6 | spec:
7 | releaseName: airflow
8 | chart:
9 | spec:
10 | chart: airflow
11 | sourceRef:
12 | kind: HelmRepository
13 | name: apache-airflow
14 | namespace: airflow
15 | interval: 15m
16 | timeout: 5m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Defaults: https://github.com/apache/airflow/blob/main/chart/values.yaml
24 | values:
25 | postgresql:
26 | enabled: false
27 | createUserJob:
28 | useHelmHooks: false
29 | applyCustomEnv: false
30 | migrateDatabaseJob:
31 | useHelmHooks: false
32 | applyCustomEnv: false
33 | data:
34 | metadataSecretName: pg-airflow-user-secret
35 | webserverSecretKeySecretName: webserver-secret-key
36 |
--------------------------------------------------------------------------------
/apps/base/airflow/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: apache-airflow
5 | namespace: airflow
6 | spec:
7 | interval: 120m
8 | url: https://airflow.apache.org
9 |
--------------------------------------------------------------------------------
/apps/base/airflow/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - webserver-secret-key.yaml
6 | - helm-repo.yaml
7 | - helm-release.yaml
8 | - virtual-service.yaml
9 |
--------------------------------------------------------------------------------
/apps/base/airflow/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: airflow
5 |
--------------------------------------------------------------------------------
/apps/base/airflow/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: airflow-virtualservice
6 | namespace: airflow
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - airflow.${cluster_subdomain}
12 | http:
13 | - route:
14 | - destination:
15 | host: airflow-webserver.airflow.svc.cluster.local
16 | port:
17 | number: 8080
18 |
--------------------------------------------------------------------------------
/apps/base/airflow/webserver-secret-key.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: generators.external-secrets.io/v1alpha1
2 | kind: Password
3 | metadata:
4 | name: webserver-secret-key
5 | namespace: airflow
6 | spec:
7 | length: 16
8 | symbols: 0
9 | ---
10 | apiVersion: external-secrets.io/v1
11 | kind: ExternalSecret
12 | metadata:
13 | name: webserver-secret-key
14 | namespace: airflow
15 | spec:
16 | refreshInterval: 0s
17 | refreshPolicy: CreatedOnce
18 | target:
19 | name: webserver-secret-key
20 | template:
21 | engineVersion: v2
22 | data:
23 | webserver-secret-key: "{{ .password }}"
24 | dataFrom:
25 | - sourceRef:
26 | generatorRef:
27 | apiVersion: generators.external-secrets.io/v1alpha1
28 | kind: Password
29 | name: webserver-secret-key
30 |
--------------------------------------------------------------------------------
/apps/base/alloy/config.alloy:
--------------------------------------------------------------------------------
1 | // discovery.kubernetes allows you to find scrape targets from Kubernetes resources.
2 | // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.
3 | discovery.kubernetes "pod" {
4 | role = "pod"
5 | }
6 |
7 | // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.
8 | // If no rules are defined, then the input targets are exported as-is.
9 | discovery.relabel "pod_logs" {
10 | targets = discovery.kubernetes.pod.targets
11 |
12 | // Label creation - "namespace" field from "__meta_kubernetes_namespace"
13 | rule {
14 | source_labels = ["__meta_kubernetes_namespace"]
15 | action = "replace"
16 | target_label = "namespace"
17 | }
18 |
19 | // Label creation - "pod" field from "__meta_kubernetes_pod_name"
20 | rule {
21 | source_labels = ["__meta_kubernetes_pod_name"]
22 | action = "replace"
23 | target_label = "pod"
24 | }
25 |
26 | // Label creation - "container" field from "__meta_kubernetes_pod_container_name"
27 | rule {
28 | source_labels = ["__meta_kubernetes_pod_container_name"]
29 | action = "replace"
30 | target_label = "container"
31 | }
32 |
33 | // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name"
34 | rule {
35 | source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"]
36 | action = "replace"
37 | target_label = "app"
38 | }
39 |
40 | // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name"
41 | // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name
42 | rule {
43 | source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
44 | action = "replace"
45 | target_label = "job"
46 | separator = "/"
47 | replacement = "$1"
48 | }
49 |
50 | // Label creation - "__path__" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name"
51 | // Concatenates __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name into the "/var/log/pods/*<uid>/<container>/*.log" glob
52 | rule {
53 | source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
54 | action = "replace"
55 | target_label = "__path__"
56 | separator = "/"
57 | replacement = "/var/log/pods/*$1/*.log"
58 | }
59 |
60 | // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id"
61 | rule {
62 | source_labels = ["__meta_kubernetes_pod_container_id"]
63 | action = "replace"
64 | target_label = "container_runtime"
65 | regex = "^(\\S+):\\/\\/.+$"
66 | replacement = "$1"
67 | }
68 | }
69 |
70 | // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.
71 | loki.source.kubernetes "pod_logs" {
72 | targets = discovery.relabel.pod_logs.output
73 | forward_to = [loki.process.pod_logs.receiver]
74 | }
75 |
76 | // loki.process receives log entries from other Loki components, applies one or more processing stages,
77 | // and forwards the results to the list of receivers in the component’s arguments.
78 | loki.process "pod_logs" {
79 | stage.static_labels {
80 | values = {
81 | cluster = "${cluster_name}",
82 | }
83 | }
84 |
85 | forward_to = [loki.write.default.receiver]
86 | }
87 |
88 | loki.write "default" {
89 | endpoint {
90 | url = "http://loki-gateway.loki/loki/api/v1/push"
91 | }
92 | external_labels = {}
93 | }
94 |
--------------------------------------------------------------------------------
/apps/base/alloy/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: alloy
5 | namespace: alloy
6 | spec:
7 | releaseName: alloy
8 | chart:
9 | spec:
10 | chart: alloy
11 | sourceRef:
12 | kind: HelmRepository
13 | name: grafana
14 | namespace: loki
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/grafana/alloy/blob/main/operations/helm/charts/alloy/values.yaml
24 | values:
25 | alloy:
26 | # resources:
27 | # limits:
28 | # memory: 128Mi
29 | # requests:
30 | # cpu: 20m
31 | # memory: 128Mi
32 | # mounts:
33 | # varlog: true
34 | # dockercontainers: true
35 | configMap:
36 | create: false
37 | name: alloy-config
38 | key: config.alloy
39 |
--------------------------------------------------------------------------------
/apps/base/alloy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-release.yaml
6 | configMapGenerator:
7 | - name: alloy-config
8 | namespace: alloy
9 | files:
10 | - config.alloy
11 | options:
12 | disableNameSuffixHash: true
13 | # labels:
14 | # kustomize.toolkit.fluxcd.io/substitute: disabled
15 |
--------------------------------------------------------------------------------
/apps/base/alloy/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: alloy
5 |
--------------------------------------------------------------------------------
/apps/base/argocd/helm-release.yaml:
--------------------------------------------------------------------------------
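apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: argocd
  namespace: argocd
spec:
  interval: 15m
  timeout: 15m
  chart:
    spec:
      chart: argo-cd
      sourceRef:
        kind: HelmRepository
        name: argo
        namespace: argocd
      interval: 5m
  releaseName: argocd
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      # Was 34, which looks like a typo: every other HelmRelease in apps/base
      # uses 3 retries for both install and upgrade remediation.
      retries: 3
  # Default values: https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
  values:
    global:
      domain: argocd.${cluster_subdomain}
      networkPolicy:
        create: true
    configs:
      params:
        # Serves plain HTTP; TLS is expected to be terminated in front of the
        # pod — the VirtualService in this directory routes to port 80 of
        # argocd-server. Do not expose this Service outside the mesh/gateway.
        server.insecure: true
    dex:
      enabled: false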
--------------------------------------------------------------------------------
/apps/base/argocd/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: argo
5 | namespace: argocd
6 | spec:
7 | interval: 120m
8 | url: https://argoproj.github.io/argo-helm
9 |
--------------------------------------------------------------------------------
/apps/base/argocd/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 | - virtual-service.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/argocd/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: argocd
5 |
--------------------------------------------------------------------------------
/apps/base/argocd/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: argocd-virtualservice
6 | namespace: argocd
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - argocd.${cluster_subdomain}
12 | http:
13 | - route:
14 | - destination:
15 | host: argocd-server.argocd.svc.cluster.local
16 | port:
17 | number: 80
18 |
--------------------------------------------------------------------------------
/apps/base/aws-load-balancer-controller/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: aws-load-balancer-controller
5 | namespace: kube-system
6 | spec:
7 | releaseName: aws-load-balancer-controller
8 | chart:
9 | spec:
10 | chart: aws-load-balancer-controller
11 | sourceRef:
12 | kind: HelmRepository
13 | name: eks
14 | namespace: kube-system
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml
24 | values:
25 | clusterName: ${cluster_name}
26 | serviceAccount:
27 | annotations:
28 | eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/${cluster_name}-irsa-load-balancer-controller
29 | serviceMonitor:
30 | enabled: true
31 |
--------------------------------------------------------------------------------
/apps/base/aws-load-balancer-controller/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: eks
5 | namespace: kube-system
6 | spec:
7 | interval: 120m
8 | url: https://aws.github.io/eks-charts
9 |
--------------------------------------------------------------------------------
/apps/base/aws-load-balancer-controller/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - vm-rule.yaml
--------------------------------------------------------------------------------
/apps/base/aws-load-balancer-controller/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule
3 | metadata:
4 | name: vmrule-aws-lb-controller
5 | namespace: kube-system
6 | spec:
7 | groups:
8 | - name: aws-lb-controller.rules
9 | rules:
10 | - alert: AWSLBIngressControllerReconcileErrors
11 | expr: increase(controller_runtime_reconcile_errors_total{controller="ingress"}[5m]) > 0
12 | for: 5m
13 | labels:
14 | severity: critical
15 | component: platform
16 | service: aws-load-balancer-controller
17 | annotations:
18 | summary: "AWS LB Ingress controller reconciliation errors"
19 | description: "AWS LB ingress controller has encountered errors while reconciling its state."
20 |
21 | - alert: AWSLBServiceControllerReconcileErrors
22 | expr: increase(controller_runtime_reconcile_errors_total{controller="service"}[5m]) > 0
23 | for: 5m
24 | labels:
25 | severity: critical
26 | component: platform
27 | service: aws-load-balancer-controller
28 | annotations:
29 | summary: "AWS LB Service controller reconciliation errors"
30 | description: "AWS LB Service controller has encountered errors while reconciling its state."
31 |
32 | - alert: AWSLBTargetGroupBindingControllerReconcileErrors
33 | expr: increase(controller_runtime_reconcile_errors_total{controller="targetGroupBinding"}[5m]) > 0
34 | for: 5m
35 | labels:
36 | severity: critical
37 | component: platform
38 | service: aws-load-balancer-controller
39 | annotations:
40 | summary: "AWS LB TargetGroupBinding controller reconciliation errors"
41 | description: "AWS LB TargetGroupBinding controller has encountered errors while reconciling its state."
42 |
--------------------------------------------------------------------------------
/apps/base/blackbox-exporter/helm-release.yaml:
--------------------------------------------------------------------------------
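apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: blackbox-exporter
  namespace: blackbox-exporter
spec:
  interval: 15m
  timeout: 15m
  chart:
    spec:
      chart: prometheus-blackbox-exporter
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
        namespace: flux-system
      interval: 5m
  releaseName: blackbox-exporter
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
  # Default values: https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-blackbox-exporter/values.yaml
  values:
    serviceMonitor:
      selfMonitor:
        enabled: true
    config:
      modules:
        http_2xx:
          prober: http
          timeout: 5s
          http:
            valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
            follow_redirects: true
            preferred_ip_protocol: "ip4"
            tls_config:
              # NOTE(review): skipping verification means a probe against an
              # untrusted, mismatched or revoked certificate still reports
              # success; only the expiry-based alerts in vm-rule.yaml would
              # notice such a certificate. Keep this only for endpoints that
              # are intentionally self-signed, or add a second, verifying
              # module for the public ones.
              insecure_skip_verify: true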
--------------------------------------------------------------------------------
/apps/base/blackbox-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-release.yaml
5 | - vm-rule.yaml
6 | - namespace.yaml
7 | configMapGenerator:
8 | - name: blackbox-exporter-dashboards
9 | namespace: blackbox-exporter
10 | files:
11 | - blackbox-exporter.json
12 | options:
13 | disableNameSuffixHash: true
14 | labels:
15 | grafana_dashboard: "1"
16 | app.kubernetes.io/part-of: blackbox-exporter
17 | app.kubernetes.io/component: blackbox-exporter
18 | kustomize.toolkit.fluxcd.io/substitute: disabled
19 |
--------------------------------------------------------------------------------
/apps/base/blackbox-exporter/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: blackbox-exporter
5 |
--------------------------------------------------------------------------------
/apps/base/blackbox-exporter/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule
3 | metadata:
4 | name: vmrule-blackbox-exporter
5 | namespace: blackbox-exporter
6 | spec:
7 | groups:
8 | - name: BlackboxExporter
9 | rules:
10 | - alert: BlackboxProbeFailed
11 | expr: "probe_success == 0"
12 | for: 1m
13 | labels:
14 | severity: critical
15 | annotations:
16 | summary: Blackbox probe failed (instance {{ $labels.instance }})
17 | #description: "Probe failed\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
18 |
19 | - alert: BlackboxConfigurationReloadFailure
20 | expr: "blackbox_exporter_config_last_reload_successful != 1"
21 | for: 1m
22 | labels:
23 | severity: warning
24 | annotations:
25 | summary: Blackbox configuration reload failure (instance {{ $labels.instance }})
26 | #description: "Blackbox configuration reload failure\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
27 |
28 | - alert: BlackboxSlowProbe
29 | expr: "avg_over_time(probe_duration_seconds[1m]) > 1"
30 | for: 1m
31 | labels:
32 | severity: warning
33 | annotations:
34 | summary: Blackbox slow probe (instance {{ $labels.instance }})
35 | description: "Blackbox probe took more than 1s to complete VALUE = {{ $value }}"
36 |
37 | - alert: BlackboxProbeHttpFailure
38 | expr: "probe_http_status_code <= 199 OR probe_http_status_code >= 400"
39 | for: 1m
40 | labels:
41 | severity: critical
42 | annotations:
43 | summary: Blackbox probe HTTP failure (instance {{ $labels.instance }})
44 | description: "HTTP status code is not 200-399 VALUE = {{ $value }}"
45 |
46 | - alert: BlackboxSslCertificateWillExpireSoon
47 | expr: "3 <= round((last_over_time(probe_ssl_earliest_cert_expiry[10m]) - time()) / 86400, 0.1) < 20"
48 | for: 1m
49 | labels:
50 | severity: warning
51 | annotations:
52 | summary: Blackbox SSL certificate will expire soon (instance {{ $labels.instance }})
53 | description: "SSL certificate expires in less than 20 days VALUE = {{ $value }}"
54 |
55 | - alert: BlackboxSslCertificateWillExpireSoon
56 | expr: "0 <= round((last_over_time(probe_ssl_earliest_cert_expiry[10m]) - time()) / 86400, 0.1) < 3"
57 | for: 1m
58 | labels:
59 | severity: critical
60 | annotations:
61 | summary: Blackbox SSL certificate will expire soon (instance {{ $labels.instance }})
62 | description: "SSL certificate expires in less than 3 days VALUE = {{ $value }}"
63 |
64 | - alert: BlackboxSslCertificateExpired
65 | expr: "round((last_over_time(probe_ssl_earliest_cert_expiry[10m]) - time()) / 86400, 0.1) < 0"
66 | for: 1m
67 | labels:
68 | severity: critical
69 | annotations:
70 | summary: Blackbox SSL certificate expired (instance {{ $labels.instance }})
71 | description: "SSL certificate has expired already VALUE = {{ $value }}"
72 |
73 | - alert: BlackboxProbeSlowHttp
74 | expr: "avg_over_time(probe_http_duration_seconds[1m]) > 1"
75 | for: 1m
76 | labels:
77 | severity: warning
78 | annotations:
79 | summary: Blackbox probe slow HTTP (instance {{ $labels.instance }})
80 | description: "HTTP request took more than 1s VALUE = {{ $value }}"
81 |
82 | - alert: BlackboxProbeSlowPing
83 | expr: "avg_over_time(probe_icmp_duration_seconds[1m]) > 1"
84 | for: 1m
85 | labels:
86 | severity: warning
87 | annotations:
88 | summary: Blackbox probe slow ping (instance {{ $labels.instance }})
89 | description: "Blackbox ping took more than 1s VALUE = {{ $value }}"
90 |
--------------------------------------------------------------------------------
/apps/base/capacitor/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization # Capacitor: OCI source + Flux Kustomization + Istio VirtualService
3 | resources:
4 | - oci-repo.yaml # where the manifests come from
5 | - release.yaml # the Flux Kustomization that applies them
6 | - virtual-service.yaml # ingress routing for the UI
7 | # no namespace.yaml here: every object above lives in the pre-existing flux-system namespace
--------------------------------------------------------------------------------
/apps/base/capacitor/oci-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: OCIRepository # pulls the Capacitor manifest bundle that release.yaml applies
3 | metadata:
4 | name: capacitor
5 | namespace: flux-system
6 | spec:
7 | interval: 12h # how often the registry is polled for a newer tag
8 | url: oci://ghcr.io/gimlet-io/capacitor-manifests
9 | ref:
10 | semver: ">=0.1.0" # floating range with no upper bound: any newer tag, including a breaking major, is pulled and applied automatically
11 | # NOTE(review): no spec.verify block, so the artifact signature is not checked before the manifests are applied — confirm that is acceptable for a third-party source, or pin a version and enable verification
--------------------------------------------------------------------------------
/apps/base/capacitor/release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.toolkit.fluxcd.io/v1
2 | kind: Kustomization # Flux Kustomization: applies the artifact fetched by oci-repo.yaml
3 | metadata:
4 | name: capacitor
5 | namespace: flux-system
6 | spec:
7 | targetNamespace: flux-system # the workloads are installed next to the Flux controllers
8 | interval: 1h
9 | retryInterval: 2m
10 | timeout: 5m
11 | wait: true # reconciliation is only successful once the applied objects report ready
12 | prune: true # objects that disappear from the artifact are deleted from the cluster
13 | path: "./"
14 | sourceRef:
15 | kind: OCIRepository
16 | name: capacitor # same namespace as this object (flux-system)
17 | # NOTE(review): no spec.serviceAccountName is set, so this third-party artifact is applied with the kustomize-controller's own permissions — confirm that is intended, or impersonate a scoped service account
--------------------------------------------------------------------------------
/apps/base/capacitor/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService # exposes the Capacitor UI through the shared Istio ingress gateway
4 | metadata:
5 | name: capacitor-virtualservice
6 | namespace: flux-system
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway # shared gateway living in the istio-ingress namespace
10 | hosts:
11 | - capacitor.${cluster_subdomain} # ${cluster_subdomain} is presumably filled in by Flux post-build substitution
12 | http:
13 | - route:
14 | - destination:
15 | host: capacitor # Service in this namespace (flux-system)
16 | port:
17 | number: 9000
18 | # NOTE(review): no authentication or AuthorizationPolicy is visible in this object; confirm that access to this host is restricted upstream (gateway or auth proxy) before it is reachable on the wildcard domain
--------------------------------------------------------------------------------
/apps/base/cert-manager/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # cert-manager from the jetstack chart index (helm-repo.yaml)
3 | metadata:
4 | name: cert-manager
5 | namespace: cert-manager
6 | spec:
7 | releaseName: cert-manager
8 | chart:
9 | spec:
10 | chart: cert-manager # no version constraint: the newest chart in the index is used
11 | sourceRef:
12 | kind: HelmRepository
13 | name: jetstack
14 | namespace: cert-manager
15 | interval: 15m
16 | timeout: 5m
17 | install:
18 | crds: Skip # CRDs are not managed by this release (paired with installCRDs: false below)
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | crds: Skip
23 | remediation:
24 | retries: 3
25 | # Default values: https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
26 | values:
27 | installCRDs: false # CRDs must be applied by something else before this release can become ready
28 | prometheus:
29 | servicemonitor:
30 | enabled: true # metrics scrape; the alerts in vm-rule.yaml depend on it
31 | # serviceAccount:
32 | # annotations:
33 | # eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/${cluster_name}-irsa-cert-manager # IRSA binding is commented out: cert-manager gets no AWS credentials (only needed for AWS-backed solvers such as Route53 DNS-01)
34 |
--------------------------------------------------------------------------------
/apps/base/cert-manager/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index referenced by helm-release.yaml as "jetstack"
3 | metadata:
4 | name: jetstack
5 | namespace: cert-manager
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://charts.jetstack.io # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | # mixin rules and dashboard
8 | - vm-rule.yaml
9 | namespace: cert-manager # applied to every resource above and to the generated ConfigMap
10 | configMapGenerator:
11 | - name: cert-manager-grafana-dashboards
12 | files:
13 | - dashboards/cert-manager.json
14 | options:
15 | disableNameSuffixHash: true # stable ConfigMap name; discovery is by label, not by content hash
16 | labels:
17 | grafana_dashboard: "1" # presumably the label the Grafana dashboard loader selects on — verify against the Grafana config
18 | app.kubernetes.io/part-of: cert-manager
19 | app.kubernetes.io/component: monitoring
20 | kustomize.toolkit.fluxcd.io/substitute: disabled # keeps Flux from expanding ${...} sequences that appear inside the dashboard JSON
21 |
--------------------------------------------------------------------------------
/apps/base/cert-manager/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace # holds the cert-manager release, its chart repo and its alert rules
3 | metadata:
4 | name: cert-manager
5 |
--------------------------------------------------------------------------------
/apps/base/cert-manager/vm-rule.yaml:
--------------------------------------------------------------------------------
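1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule # cert-manager alerts, adapted from the cert-manager mixin (see runbook_url links)
3 | metadata:
4 | name: vmrule-cert-manager
5 | namespace: cert-manager
6 | spec:
7 | groups:
8 | - name: cert-manager
9 | rules:
10 | - alert: CertManagerAbsent # fires when the scrape target itself is missing, not when it reports errors
11 | annotations:
12 | description:
13 | New certificates will not be able to be minted, and existing ones
14 | can't be renewed until cert-manager is back.
15 | runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerabsent
16 | summary: Cert Manager has disappeared from Prometheus service discovery.
17 | expr: absent(up{job="cert-manager"}) # NOTE(review): assumes the ServiceMonitor from helm-release.yaml yields job="cert-manager"; if the label differs this alert fires permanently — confirm
18 | for: 10m
19 | labels:
20 | severity: critical
21 | - name: certificates
22 | rules:
23 | - alert: CertManagerCertExpirySoon # warning tier: less than 21 days of validity left
24 | annotations:
25 | dashboard_url: https://grafana.${cluster_subdomain}/d/TvuRo2iMk/cert-manager
26 | description:
27 | The domain that this cert covers will be unavailable after {{ $value
28 | | humanizeDuration }}. Clients using endpoints that this cert protects will
29 | start to fail in {{ $value | humanizeDuration }}.
30 | runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertexpirysoon
31 | summary:
32 | The cert `{{ $labels.name }}` is {{ $value | humanizeDuration }} from
33 | expiry, it should have renewed over a week ago.
34 | expr: |
35 | avg by (exported_namespace, namespace, name) (
36 | certmanager_certificate_expiration_timestamp_seconds - time()
37 | ) < (21 * 24 * 3600) # 21 days in seconds
38 | for: 1h
39 | labels:
40 | severity: warning
41 | - alert: CertManagerCertExpiryVerySoon # critical tier of the same check: less than 7 days left
42 | annotations:
43 | dashboard_url: https://grafana.${cluster_subdomain}/d/TvuRo2iMk/cert-manager
44 | description:
45 | The domain that this cert covers will be unavailable after {{ $value
46 | | humanizeDuration }}. Clients using endpoints that this cert protects will
47 | start to fail in {{ $value | humanizeDuration }}.
48 | runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertexpirysoon
49 | summary:
50 | The cert `{{ $labels.name }}` is {{ $value | humanizeDuration }} from
51 | expiry, it should have renewed over a week ago.
52 | expr: |
53 | avg by (exported_namespace, namespace, name) (
54 | certmanager_certificate_expiration_timestamp_seconds - time()
55 | ) < (7 * 24 * 3600) # 7 days in seconds
56 | for: 1h
57 | labels:
58 | severity: critical
59 | - alert: CertManagerCertNotReady # Ready condition has been anything but "True" for 10m
60 | annotations:
61 | dashboard_url: https://grafana.${cluster_subdomain}/d/TvuRo2iMk/cert-manager
62 | description:
63 | This certificate has not been ready to serve traffic for at least
64 | 10m. If the cert is being renewed or there is another valid cert, the ingress
65 | controller _may_ be able to serve that instead.
66 | runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagercertnotready
67 | summary: The cert `{{ $labels.name }}` is not ready to serve traffic.
68 | expr: |
69 | max by (name, exported_namespace, namespace, condition) (
70 | certmanager_certificate_ready_status{condition!="True"} == 1
71 | )
72 | for: 10m
73 | labels:
74 | severity: critical
75 | - alert: CertManagerHittingRateLimits # any HTTP 429 from the ACME client over 5m
76 | annotations:
77 | dashboard_url: https://grafana.${cluster_subdomain}/d/TvuRo2iMk/cert-manager # fixed: was "hhttps://", which produced an unusable link in the alert
78 | description:
79 | Depending on the rate limit, cert-manager may be unable to generate
80 | certificates for up to a week.
81 | runbook_url: https://github.com/imusmanmalik/cert-manager-mixin/blob/main/RUNBOOK.md#certmanagerhittingratelimits
82 | summary: Cert manager hitting LetsEncrypt rate limits.
83 | expr: |
84 | sum by (host) (
85 | rate(certmanager_http_acme_client_request_count{status="429"}[5m])
86 | ) > 0
87 | for: 5m
88 | labels:
89 | severity: critical
90 |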
--------------------------------------------------------------------------------
/apps/base/clickhouse-operator/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # Altinity ClickHouse operator
3 | metadata:
4 | name: clickhouse-operator
5 | namespace: clickhouse-operator
6 | spec:
7 | interval: 15m
8 | timeout: 15m
9 | chart:
10 | spec:
11 | chart: altinity-clickhouse-operator # no version constraint: newest chart in the index
12 | sourceRef:
13 | kind: HelmRepository
14 | name: clickhouse-operator # namespace omitted, so the HelmRepository is looked up in this release's namespace
15 | interval: 5m
16 | releaseName: clickhouse-operator
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/Altinity/clickhouse-operator/blob/master/deploy/helm/clickhouse-operator/values.yaml
24 | values:
25 | configs:
26 | files:
27 | config.yaml:
28 | watch:
29 | namespaces: [".*"] # regex matching every namespace: the operator acts cluster-wide, so its RBAC is cluster-scoped as well — confirm that is intended
30 | operator:
31 | resources:
32 | limits:
33 | memory: 256Mi # memory limit only; no CPU limit is set
34 | requests:
35 | cpu: 100m
36 | memory: 256Mi
37 | metrics:
38 | enabled: true
39 | resources:
40 | limits:
41 | memory: 128Mi
42 | requests:
43 | cpu: 100m
44 | memory: 128Mi
45 | serviceMonitor:
46 | enabled: true
47 | dashboards:
48 | enabled: false # chart-shipped dashboards are off; kustomization.yaml ships them via configMapGenerator instead
49 | additionalLabels:
50 | grafana_dashboard: "1" # unused while dashboards.enabled is false
51 |
--------------------------------------------------------------------------------
/apps/base/clickhouse-operator/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index referenced by helm-release.yaml
3 | metadata:
4 | name: clickhouse-operator
5 | namespace: clickhouse-operator
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://docs.altinity.com/clickhouse-operator/ # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/clickhouse-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml # listed last; the apply order is decided by the controller, not by this list
7 | configMapGenerator:
8 | - name: clickhouse-grafana-dashboards
9 | namespace: clickhouse-operator # set here because, unlike other apps, this file has no top-level namespace field
10 | files:
11 | - dashboards/Altinity_ClickHouse_Operator_dashboard.json
12 | - dashboards/ClickHouse_Queries_dashboard.json
13 | options:
14 | disableNameSuffixHash: true # stable ConfigMap name; discovery is by label
15 | labels:
16 | grafana_dashboard: "1"
17 | kustomize.toolkit.fluxcd.io/substitute: disabled # keeps Flux from expanding ${...} sequences inside the dashboard JSON
18 |
--------------------------------------------------------------------------------
/apps/base/clickhouse-operator/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace # holds the ClickHouse operator release and its dashboards
3 | metadata:
4 | name: clickhouse-operator
5 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/README.md:
--------------------------------------------------------------------------------
1 | ### Documentation
2 | [CloudNative-PG](https://cloudnative-pg.io/documentation/1.23/)
3 |
4 | ### Prometheus Rules
5 | ```
6 | https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/docs/src/samples/monitoring/prometheusrule.yaml
7 | ```
8 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # CloudNativePG operator
3 | metadata:
4 | name: cnpg
5 | namespace: cnpg-system
6 | spec:
7 | releaseName: cnpg
8 | chart:
9 | spec:
10 | chart: cloudnative-pg # no version constraint: newest chart in the index
11 | sourceRef:
12 | kind: HelmRepository
13 | name: cnpg
14 | namespace: cnpg-system
15 | interval: 5m
16 | install:
17 | crds: Skip # CRDs are not managed here (paired with crds.create: false below)
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | crds: Skip # NOTE(review): unlike install (and unlike the other releases in this tree) there is no upgrade remediation, so a failed upgrade is not retried
22 | # Default values: https://github.com/cloudnative-pg/charts/blob/main/charts/cloudnative-pg/values.yaml
23 | values:
24 | crds:
25 | create: false # CRDs must be applied by something else first
26 | monitoring:
27 | podMonitorEnabled: true # scrapes the operator; prometheus-rule.yaml builds on the cnpg_* metrics
28 | grafanaDashboard:
29 | create: true # the chart creates the dashboard ConfigMap itself (no configMapGenerator in kustomization.yaml)
30 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index referenced by helm-release.yaml as "cnpg"
3 | metadata:
4 | name: cnpg
5 | namespace: cnpg-system
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://cloudnative-pg.github.io/charts # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | - prometheus-rule.yaml # PrometheusRule rather than VMRule, unlike the sibling apps
8 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace # holds the CloudNativePG operator release
3 | metadata:
4 | name: cnpg-system
5 |
--------------------------------------------------------------------------------
/apps/base/cloudnative-pg/prometheus-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: monitoring.coreos.com/v1
2 | kind: PrometheusRule # NOTE(review): the other apps use VMRule; this relies on the VictoriaMetrics operator converting PrometheusRule objects — confirm that conversion is enabled, otherwise these alerts are never loaded
3 | metadata:
4 | name: cnpg-default-alerts
5 | namespace: cnpg-system
6 | spec:
7 | groups:
8 | - name: cnp-default.rules # matches the upstream sample linked from README.md
9 | rules:
10 | - alert: LongRunningTransaction # a single transaction open for more than 300s
11 | annotations:
12 | description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
13 | summary: A query is taking longer than 5 minutes.
14 | expr: |-
15 | cnpg_backends_max_tx_duration_seconds > 300
16 | for: 1m
17 | labels:
18 | severity: warning
19 | - alert: BackendsWaiting # NOTE(review): the metric name reads as a backend count, but the text speaks of minutes — confirm the 300 threshold means what the annotation says
20 | annotations:
21 | description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
22 | summary: If a backend is waiting for longer than 5 minutes
23 | expr: |-
24 | cnpg_backends_waiting_total > 300
25 | for: 1m
26 | labels:
27 | severity: warning
28 | - alert: PGDatabase # transaction ID age; approaching wraparound
29 | annotations:
30 | description: Over 150,000,000 transactions from frozen xid on pod {{ $labels.pod }}
31 | summary: Number of transactions from the frozen XID to the current one
32 | expr: |-
33 | cnpg_pg_database_xid_age > 150000000
34 | for: 1m
35 | labels:
36 | severity: warning
37 | - alert: PGReplication # standby lag in seconds
38 | annotations:
39 | description: Standby is lagging behind by over 300 seconds (5 minutes)
40 | summary: The standby is lagging behind the primary
41 | expr: |-
42 | cnpg_pg_replication_lag > 300
43 | for: 1m
44 | labels:
45 | severity: warning
46 | - alert: LastFailedArchiveTime # last WAL archive failure is newer than the last success
47 | annotations:
48 | description: Archiving failed for {{ $labels.pod }}
49 | summary: Checks the last time archiving failed. Will be < 0 when it has not failed.
50 | expr: |-
51 | (cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 1
52 | for: 1m
53 | labels:
54 | severity: warning
55 | - alert: DatabaseDeadlockConflicts # cumulative deadlock counter above 10; it never resets on its own, so this stays firing once crossed
56 | annotations:
57 | description: There are over 10 deadlock conflicts in {{ $labels.pod }}
58 | summary: Checks the number of database conflicts
59 | expr: |-
60 | cnpg_pg_stat_database_deadlocks > 10
61 | for: 1m
62 | labels:
63 | severity: warning
64 | - alert: ReplicaFailingReplication # in recovery but the WAL receiver is down
65 | annotations:
66 | description: Replica {{ $labels.pod }} is failing to replicate
67 | summary: Checks if the replica is failing to replicate
68 | expr: |-
69 | cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up
70 | for: 1m
71 | labels:
72 | severity: warning
73 |
--------------------------------------------------------------------------------
/apps/base/cluster-autoscaler/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # Kubernetes cluster-autoscaler for the AWS (EKS) node groups
3 | metadata:
4 | name: cluster-autoscaler
5 | namespace: kube-system
6 | spec:
7 | releaseName: cluster-autoscaler
8 | chart:
9 | spec:
10 | chart: cluster-autoscaler # no version constraint: newest chart in the index
11 | sourceRef:
12 | kind: HelmRepository
13 | name: autoscaler
14 | namespace: kube-system
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/kubernetes/autoscaler/blob/master/charts/cluster-autoscaler/values.yaml
24 | values:
25 | replicaCount: 2 # two replicas; presumably only one is active via leader election — verify in the chart defaults
26 | awsRegion: ${aws_default_region} # ${...} values are substituted by Flux at apply time
27 | rbac:
28 | serviceAccount:
29 | name: "cluster-autoscaler-aws"
30 | annotations:
31 | eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/${cluster_name}-irsa-cluster-autoscaler # AWS access via IRSA (role assumed through the service account token); no static keys in the cluster
32 | autoDiscovery:
33 | clusterName: ${cluster_name} # node groups are discovered by cluster tag rather than listed here
34 | serviceMonitor:
35 | enabled: true # metrics feed the alerts in vm-rule.yaml
36 |
--------------------------------------------------------------------------------
/apps/base/cluster-autoscaler/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index referenced by helm-release.yaml as "autoscaler"
3 | metadata:
4 | name: autoscaler
5 | namespace: kube-system
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://kubernetes.github.io/autoscaler # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/cluster-autoscaler/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - vm-rule.yaml
7 | namespace: kube-system # no namespace.yaml: kube-system already exists
8 | configMapGenerator:
9 | - name: cluster-autoscaler-grafana-dashboards
10 | files:
11 | - dashboards/cluster-autoscaler.json
12 | options:
13 | disableNameSuffixHash: true # stable ConfigMap name; discovery is by label
14 | labels:
15 | grafana_dashboard: "1"
16 | app.kubernetes.io/part-of: cluster-autoscaler
17 | app.kubernetes.io/component: monitoring
18 | kustomize.toolkit.fluxcd.io/substitute: disabled # keeps Flux from expanding ${...} sequences inside the dashboard JSON
--------------------------------------------------------------------------------
/apps/base/cluster-autoscaler/vm-rule.yaml:
--------------------------------------------------------------------------------
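1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule # cluster-autoscaler alerts; metric names follow the upstream metrics proposal linked in runbook_url
3 | metadata:
4 | name: vmrule-cluster-autoscaler
5 | namespace: kube-system
6 | spec:
7 | groups:
8 | - name: cluster-autoscaler
9 | rules:
10 | - alert: ClusterAutoscalerUnschedulablePods # pods pending for 20m that the autoscaler has not been able to place
11 | expr: cluster_autoscaler_unschedulable_pods_count{service="cluster-autoscaler"} > 0
12 | for: 20m
13 | labels:
14 | severity: info
15 | annotations:
16 | summary: Cluster Autoscaler has {{ $value }} unschedulable pods # fixed: the Helm-escaped form {{ "{{ $value }}" }} was copied from a chart template and rendered literally here
17 | description: The cluster autoscaler is unable to scale up and is alerting that there are unschedulable pods because of this condition. This may be caused by the cluster autoscaler reaching its resources limits, or by Kubernetes waiting for new nodes to become ready.
18 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
19 |
20 | - alert: ClusterAutoscalerNotSafeToScale # autoscaler has paused itself because too many nodes are unready
21 | expr: cluster_autoscaler_cluster_safe_to_autoscale{service="cluster-autoscaler"} !=1
22 | for: 15m
23 | labels:
24 | severity: warning
25 | annotations:
26 | summary: Cluster Autoscaler is reporting that the cluster is not ready for scaling
27 | description: The cluster autoscaler has detected that the number of unready nodes is too high and it is not safe to continue scaling operations. It makes this determination by checking that the number of ready nodes is greater than the minimum ready count (default of 3) and the ratio of unready to ready nodes is less than the maximum unready node percentage (default of 45%). If either of those conditions are not true then the cluster autoscaler will enter an unsafe to scale state until the conditions change.
28 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
29 |
30 | - alert: ClusterAutoscalerUnableToScaleCPULimitReached # current cores at or above the configured maximum
31 | expr: cluster_autoscaler_cluster_cpu_current_cores >= cluster_autoscaler_cpu_limits_cores{direction="maximum"}
32 | for: 15m
33 | labels:
34 | severity: info
35 | annotations:
36 | summary: Cluster Autoscaler has reached its CPU core limit and is unable to scale out
37 | description: The number of total cores in the cluster has exceeded the maximum number set on the cluster autoscaler. This is calculated by summing the cpu capacity for all nodes in the cluster and comparing that number against the maximum cores value set for the cluster autoscaler (default 320000 cores).
38 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
39 |
40 | - alert: ClusterAutoscalerUnableToScaleMemoryLimitReached # current memory at or above the configured maximum
41 | expr: cluster_autoscaler_cluster_memory_current_bytes >= cluster_autoscaler_memory_limits_bytes{direction="maximum"}
42 | for: 15m
43 | labels:
44 | severity: info
45 | annotations:
46 | summary: Cluster Autoscaler has reached its Memory bytes limit and is unable to scale out
47 | description: The number of total bytes of RAM in the cluster has exceeded the maximum number set on the cluster autoscaler. This is calculated by summing the memory capacity for all nodes in the cluster and comparing that number against the maximum memory bytes value set for the cluster autoscaler (default 6400000 gigabytes).
48 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
49 |
50 | - alert: ClusterAutoscalerErrorsTotal # any error in the last 5m; the counter is not filtered by service like the first two rules
51 | expr: rate(cluster_autoscaler_errors_total[5m]) != 0
52 | for: 1m
53 | labels:
54 | severity: warning
55 | annotations:
56 | summary: Cluster Autoscaler has encountered error(s)
57 | description: Cluster Autoscaler has encountered errors.
58 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
59 |
60 | - alert: ClusterAutoscalerFailedSclaleUpsTotal # NOTE: name carries a typo ("Sclale"); kept as-is because renaming changes the alert identity used by routing and silences
61 | expr: rate(cluster_autoscaler_failed_scale_ups_total[5m]) != 0
62 | for: 1m
63 | labels:
64 | severity: info
65 | annotations:
66 | summary: Cluster Autoscaler has failed to scale up
67 | description: Cluster Autoscaler has failed to scale up. This includes both getting error from cloud provider and new nodes failing to boot up and register within timeout. It does not include reaching maximum cluster size (as CA doesn't attempt scale-up at all in that case).
68 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md
69 |
70 | - alert: ClusterAutoscalerSkippedScaleEventsCount # scale events the autoscaler declined
71 | expr: rate(cluster_autoscaler_skipped_scale_events_count[5m]) != 0
72 | for: 15m
73 | labels:
74 | severity: info
75 | annotations:
76 | summary: Cluster Autoscaler has declined to scale cluster
77 | description: Cluster Autoscaler has declined to scale a node group because of a resource limit being reached or similar internal event.
78 | runbook_url: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/metrics.md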
--------------------------------------------------------------------------------
/apps/base/dragonfly-operator/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # Dragonfly operator, chart pulled as an OCI artifact (oci-repo.yaml) rather than from a HelmRepository
3 | metadata:
4 | name: dragonfly-operator
5 | namespace: dragonfly-operator-system
6 | spec:
7 | releaseName: dragonfly-operator
8 | chartRef:
9 | kind: OCIRepository
10 | name: dragonfly-operator
11 | namespace: dragonfly-operator-system
12 | interval: 15m
13 | timeout: 5m
14 | install:
15 | remediation:
16 | retries: 3
17 | upgrade:
18 | remediation:
19 | retries: 3
20 | # Defaults: https://github.com/dragonflydb/dragonfly-operator/blob/main/charts/dragonfly-operator/values.yaml
21 | values:
22 | serviceMonitor:
23 | enabled: true
24 | grafanaDashboard:
25 | enabled: true # the chart ships its own dashboard; no configMapGenerator in kustomization.yaml
26 | # NOTE(review): no install/upgrade crds policy is set here, unlike the cert-manager/cnpg/external-secrets releases — presumably the chart is expected to carry its CRDs; confirm
--------------------------------------------------------------------------------
/apps/base/dragonfly-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - oci-repo.yaml # OCI chart source (no helm-repo.yaml for this app)
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/dragonfly-operator/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace # holds the Dragonfly operator release and its OCI source
3 | metadata:
4 | name: dragonfly-operator-system
5 |
--------------------------------------------------------------------------------
/apps/base/dragonfly-operator/oci-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: OCIRepository # Helm chart as an OCI artifact, consumed through chartRef in helm-release.yaml
3 | metadata:
4 | name: dragonfly-operator
5 | namespace: dragonfly-operator-system
6 | spec:
7 | interval: 120m # how often the registry is polled for a newer tag
8 | url: oci://ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
9 | ref:
10 | semver: ">=1.0.0" # floating range with no upper bound: any newer tag, including a breaking major, is picked up automatically
11 | # NOTE(review): no spec.verify block, so the chart signature is not checked before install — confirm this is acceptable, or pin a range and enable verification
--------------------------------------------------------------------------------
/apps/base/eck-operator/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # Elastic Cloud on Kubernetes (ECK) operator
3 | metadata:
4 | name: elastic-operator
5 | namespace: elastic-system
6 | spec:
7 | releaseName: elastic-operator
8 | chart:
9 | spec:
10 | chart: eck-operator # no version constraint: newest chart in the index
11 | sourceRef:
12 | kind: HelmRepository
13 | name: elastic
14 | namespace: elastic-system
15 | interval: 15m
16 | install:
17 | remediation:
18 | retries: 3
19 | # Default values: https://github.com/elastic/cloud-on-k8s/blob/main/deploy/eck-operator/values.yaml
20 | values:
21 | installCRDs: false # CRDs come from elsewhere; NOTE(review): no install/upgrade crds policy and no upgrade remediation is set, unlike the sibling releases — confirm
22 | webhook:
23 | enabled: false # NOTE(review): the operator's admission webhook is off, so Elastic resources are presumably not validated at admission time — confirm this is deliberate
24 | config:
25 | validateStorageClass: false
26 |
--------------------------------------------------------------------------------
/apps/base/eck-operator/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index referenced by helm-release.yaml as "elastic"
3 | metadata:
4 | name: elastic
5 | namespace: elastic-system
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://helm.elastic.co # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/eck-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml # no alert rules or dashboards for this app yet
7 |
--------------------------------------------------------------------------------
/apps/base/eck-operator/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace # holds the ECK operator release
3 | metadata:
4 | name: elastic-system
5 |
--------------------------------------------------------------------------------
/apps/base/external-dns/helm-release-private.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # external-dns instance intended for the private zone
3 | metadata:
4 | name: external-dns-private
5 | namespace: external-dns
6 | spec:
7 | releaseName: external-dns-private
8 | chart:
9 | spec:
10 | chart: external-dns # no version constraint: newest chart in the index
11 | sourceRef:
12 | kind: HelmRepository
13 | name: external-dns
14 | namespace: external-dns
15 | interval: 5m
16 | install:
17 | crds: CreateReplace # CRDs are owned by this release, unlike the Skip policy used by cert-manager/cnpg
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | crds: CreateReplace
22 | # Defaults: https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/values.yaml
23 | values:
24 | sources:
25 | - istio-gateway # records are derived from Istio Gateway objects only
26 | txtPrefix: txt. # ownership TXT records are written under a "txt." prefix next to each managed name
27 | domainFilters:
28 | - ${cluster_subdomain} # only names under the cluster subdomain are managed
29 | securityContext:
30 | runAsNonRoot: true
31 | runAsUser: 65534
32 | readOnlyRootFilesystem: true
33 | capabilities:
34 | drop: ["ALL"]
35 | allowPrivilegeEscalation: false
36 | # NOTE(review): the values here are identical to helm-release-public.yaml (same sources, same domain filter, same TXT prefix), so both instances would claim the same records; presumably this one is meant to be restricted to the private zone — confirm. No provider credentials or IRSA annotation are visible in this file either.
--------------------------------------------------------------------------------
/apps/base/external-dns/helm-release-public.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease # external-dns instance intended for the public zone
3 | metadata:
4 | name: external-dns-public
5 | namespace: external-dns
6 | spec:
7 | releaseName: external-dns-public
8 | chart:
9 | spec:
10 | chart: external-dns # no version constraint: newest chart in the index
11 | sourceRef:
12 | kind: HelmRepository
13 | name: external-dns
14 | namespace: external-dns
15 | interval: 5m
16 | install:
17 | crds: CreateReplace # CRDs are owned by this release, unlike the Skip policy used by cert-manager/cnpg
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | crds: CreateReplace
22 | # Defaults: https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/values.yaml
23 | values:
24 | sources:
25 | - istio-gateway # records are derived from Istio Gateway objects only
26 | txtPrefix: txt. # ownership TXT records are written under a "txt." prefix next to each managed name
27 | domainFilters:
28 | - ${cluster_subdomain} # only names under the cluster subdomain are managed
29 | securityContext:
30 | runAsNonRoot: true
31 | runAsUser: 65534
32 | readOnlyRootFilesystem: true
33 | capabilities:
34 | drop: ["ALL"]
35 | allowPrivilegeEscalation: false
36 | # NOTE(review): the values here are identical to helm-release-private.yaml, so the two instances share sources, domain filter and TXT prefix and would manage the same records — confirm each is scoped to its own zone. No provider credentials or IRSA annotation are visible in this file either.
--------------------------------------------------------------------------------
/apps/base/external-dns/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository # chart index shared by both external-dns releases
3 | metadata:
4 | name: external-dns
5 | namespace: external-dns
6 | spec:
7 | interval: 120m # index refresh period
8 | url: https://kubernetes-sigs.github.io/external-dns/ # fetched over HTTPS
9 |
--------------------------------------------------------------------------------
/apps/base/external-dns/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release-public.yaml
7 | - helm-release-private.yaml # two releases of the same chart; see the notes in each file
8 | - vm-rule.yaml
9 | configMapGenerator:
10 | - name: external-dns-dashboards
11 | namespace: external-dns # set here because this file has no top-level namespace field
12 | files:
13 | - edns-dashboard.json
14 | options:
15 | disableNameSuffixHash: true # stable ConfigMap name; discovery is by label
16 | labels:
17 | grafana_dashboard: "1"
18 | app.kubernetes.io/part-of: external-dns
19 | app.kubernetes.io/component: external-dns
20 | kustomize.toolkit.fluxcd.io/substitute: disabled # keeps Flux from expanding ${...} sequences inside the dashboard JSON
21 |
--------------------------------------------------------------------------------
/apps/base/external-dns/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: external-dns
--------------------------------------------------------------------------------
/apps/base/external-dns/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule
3 | metadata:
4 | name: vmrule-external-dns
5 | namespace: external-dns
6 | spec:
7 | groups:
8 | - name: external-dns
9 | rules:
10 | - alert: ExternalDNSSyncError
11 | annotations:
12 | summary: ExternalDNSSyncError {{ $labels.name }}
13 | description: |
14 | Synchronization of the DNS records `{{ $labels.name }}` in namespace `{{ $labels.exported_namespace }}` is failing.
15 | Check for errors in the Status field of the associated external-dns object.
16 | expr: sum(increase(external_dns_registry_errors_total[5m])) by (service) > 0 # NOTE(review): the by (service) aggregation keeps only the service label, so the {{ $labels.name }} and {{ $labels.exported_namespace }} references in the summary/description above will render empty. The description text also reads like a copy of the external-secrets rule (there is no external-dns object with a Status field to check) — confirm which labels this alert should carry and adjust either the aggregation or the templates.
17 | for: 10m
18 | labels:
19 | severity: warning
20 |
--------------------------------------------------------------------------------
/apps/base/external-secrets/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: external-secrets
5 | namespace: external-secrets
6 | spec:
7 | releaseName: external-secrets
8 | chart:
9 | spec:
10 | chart: external-secrets
11 | sourceRef:
12 | kind: HelmRepository
13 | name: external-secrets
14 | namespace: external-secrets
15 | interval: 15m
16 | timeout: 5m
17 | install:
18 | crds: Skip
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | crds: Skip
23 | remediation:
24 | retries: 3
25 | # Defaults: https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/values.yaml
26 | values:
27 | installCRDs: false
28 | serviceMonitor:
29 | enabled: true
30 |
--------------------------------------------------------------------------------
/apps/base/external-secrets/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: external-secrets
5 | namespace: external-secrets
6 | spec:
7 | interval: 120m
8 | url: https://charts.external-secrets.io
9 |
--------------------------------------------------------------------------------
/apps/base/external-secrets/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | - vm-rule.yaml
8 | configMapGenerator:
9 | - name: external-secrets-dashboards
10 | namespace: external-secrets
11 | files:
12 | - eso-dashboard.json
13 | options:
14 | disableNameSuffixHash: true
15 | labels:
16 | grafana_dashboard: "1"
17 | app.kubernetes.io/part-of: external-secrets
18 | app.kubernetes.io/component: external-secrets
19 | kustomize.toolkit.fluxcd.io/substitute: disabled
20 |
--------------------------------------------------------------------------------
/apps/base/external-secrets/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: external-secrets
5 |
--------------------------------------------------------------------------------
/apps/base/external-secrets/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule
3 | metadata:
4 | name: vmrule-external-secrets
5 | namespace: external-secrets
6 | spec:
7 | groups:
8 | - name: external-secrets
9 | rules:
10 | - alert: SecretSyncError
11 | annotations:
12 | summary: SecretSyncError {{ $labels.name }}
13 | description: |
14 | Synchronization of the Secret `{{ $labels.name }}` in namespace `{{ $labels.exported_namespace }}` is failing.
15 | Check for errors in the Status field of the associated ExternalSecret object.
16 | expr: sum(increase(controller_runtime_reconcile_total{service=~"external-secrets.*",result="error"}[1m])) by (result) > 0 # NOTE(review): the by (result) aggregation keeps only the result label, so {{ $labels.name }} and {{ $labels.exported_namespace }} in the annotations above will render empty; the metric is a controller-level reconcile counter, so it may not carry a per-ExternalSecret name at all — confirm which labels are available and either add them to the by() clause or reword the annotations.
17 | for: 10m
18 | labels:
19 | severity: warning
20 |
--------------------------------------------------------------------------------
/apps/base/flux-monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
1 | # https://github.com/fluxcd/flux2-monitoring-example/tree/main/monitoring/configs
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: monitoring
5 | resources:
6 | - podmonitor.yaml
7 | - vm-rule.yaml
8 | configMapGenerator:
9 | - name: flux-grafana-dashboards
10 | files:
11 | - dashboards/control-plane.json
12 | - dashboards/cluster.json
13 | options:
14 | disableNameSuffixHash: true
15 | labels:
16 | grafana_dashboard: "1"
17 | app.kubernetes.io/part-of: flux
18 | app.kubernetes.io/component: monitoring
19 | kustomize.toolkit.fluxcd.io/substitute: disabled
20 |
--------------------------------------------------------------------------------
/apps/base/flux-monitoring/podmonitor.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: monitoring.coreos.com/v1
2 | kind: PodMonitor
3 | metadata:
4 | name: flux-system
5 | labels:
6 | app.kubernetes.io/part-of: flux
7 | app.kubernetes.io/component: monitoring
8 | spec:
9 | namespaceSelector:
10 | matchNames:
11 | - flux-system
12 | selector:
13 | matchExpressions:
14 | - key: app
15 | operator: In
16 | values:
17 | - helm-controller
18 | - source-controller
19 | - kustomize-controller
20 | - notification-controller
21 | - image-automation-controller
22 | - image-reflector-controller
23 | podMetricsEndpoints:
24 | - port: http-prom
25 | relabelings:
26 | # https://github.com/prometheus-operator/prometheus-operator/issues/4816
27 | - sourceLabels: [__meta_kubernetes_pod_phase]
28 | action: keep
29 | regex: Running
30 |
--------------------------------------------------------------------------------
/apps/base/flux-monitoring/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | # https://github.com/cozystack/cozystack/blob/main/packages/system/monitoring-agents/alerts/flux.yaml
2 | ---
3 | apiVersion: operator.victoriametrics.com/v1beta1
4 | kind: VMRule
5 | metadata:
6 | name: vmrule-fluxcd
7 | namespace: monitoring
8 | spec:
9 | groups:
10 | - name: flux-resources-alerts
11 | rules:
12 | - alert: HelmReleaseNotReady
13 | expr: gotk_resource_info{customresource_kind="HelmRelease", ready!="True"} > 0
14 | for: 5m # NOTE(review): the description below says "more than 15 minutes" while the pending period is 5m; the same mismatch is present in GitRepositorySyncFailed, KustomizationNotApplied, ImageRepositorySyncFailed and HelmChartFailed. Align the text with the `for:` value (or vice versa) so responders are not misled about how long the condition has persisted.
15 | labels:
16 | severity: critical
17 | service: fluxcd
18 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
19 | annotations:
20 | summary: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready"
21 | description: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is in an unready state for more than 15 minutes."
22 |
23 | - alert: GitRepositorySyncFailed
24 | expr: gotk_resource_info{customresource_kind="GitRepository", ready!="True"} > 0
25 | for: 5m
26 | labels:
27 | severity: critical
28 | service: fluxcd
29 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
30 | annotations:
31 | summary: "GitRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} sync failed"
32 | description: "GitRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has not been successfully synced for more than 15 minutes."
33 |
34 | - alert: KustomizationNotApplied
35 | expr: gotk_resource_info{customresource_kind="Kustomization", ready!="True"} > 0
36 | for: 5m
37 | labels:
38 | severity: critical
39 | service: fluxcd
40 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
41 | annotations:
42 | summary: "Kustomization {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not applied"
43 | description: "Kustomization {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not successfully applied for more than 15 minutes."
44 |
45 | - alert: ImageRepositorySyncFailed
46 | expr: gotk_resource_info{customresource_kind="ImageRepository", ready!="True"} > 0
47 | for: 5m
48 | labels:
49 | severity: critical
50 | service: fluxcd
51 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
52 | annotations:
53 | summary: "ImageRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} sync failed"
54 | description: "ImageRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has not been successfully synced for more than 15 minutes."
55 |
56 | - alert: HelmChartFailed
57 | expr: gotk_resource_info{customresource_kind="HelmChart", ready!="True"} > 0
58 | for: 5m
59 | labels:
60 | severity: critical
61 | service: fluxcd
62 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
63 | annotations:
64 | summary: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has failed"
65 | description: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready for more than 15 minutes."
66 |
67 | - alert: HelmReleaseSuspended # Suspended-resource alerts: a suspended Flux object silently stops reconciling, so drift from Git goes unnoticed without these.
68 | expr: gotk_resource_info{customresource_kind="HelmRelease", suspended="true"} > 0
69 | for: 5m
70 | labels:
71 | severity: warning
72 | service: fluxcd
73 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
74 | annotations:
75 | summary: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is suspended"
76 | description: "HelmRelease {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has been suspended."
77 |
78 | - alert: GitRepositorySuspended
79 | expr: gotk_resource_info{customresource_kind="GitRepository", suspended="true"} > 0
80 | for: 5m
81 | labels:
82 | severity: warning
83 | service: fluxcd
84 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
85 | annotations:
86 | summary: "GitRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is suspended"
87 | description: "GitRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has been suspended."
88 |
89 | - alert: KustomizationSuspended
90 | expr: gotk_resource_info{customresource_kind="Kustomization", suspended="true"} > 0
91 | for: 5m
92 | labels:
93 | severity: warning
94 | service: fluxcd
95 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
96 | annotations:
97 | summary: "Kustomization {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is suspended"
98 | description: "Kustomization {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has been suspended."
99 |
100 | - alert: ImageRepositorySuspended
101 | expr: gotk_resource_info{customresource_kind="ImageRepository", suspended="true"} > 0
102 | for: 5m
103 | labels:
104 | severity: warning
105 | service: fluxcd
106 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
107 | annotations:
108 | summary: "ImageRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is suspended"
109 | description: "ImageRepository {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has been suspended."
110 |
111 | - alert: HelmChartSuspended
112 | expr: gotk_resource_info{customresource_kind="HelmChart", suspended="true"} > 0
113 | for: 5m
114 | labels:
115 | severity: warning
116 | service: fluxcd
117 | exported_instance: "{{ $labels.exported_namespace }}/{{ $labels.name }}"
118 | annotations:
119 | summary: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is suspended"
120 | description: "HelmChart {{ $labels.name }} in namespace {{ $labels.exported_namespace }} has been suspended."
121 |
--------------------------------------------------------------------------------
/apps/base/helm-exporter/dashboards/grafana-helm-exporter.json:
--------------------------------------------------------------------------------
1 | {
2 | "annotations": {
3 | "list": [
4 | {
5 | "builtIn": 1,
6 | "datasource": {
7 | "type": "datasource",
8 | "uid": "grafana"
9 | },
10 | "enable": true,
11 | "hide": true,
12 | "iconColor": "rgba(0, 211, 255, 1)",
13 | "name": "Annotations & Alerts",
14 | "target": {
15 | "limit": 100,
16 | "matchAny": false,
17 | "tags": [],
18 | "type": "dashboard"
19 | },
20 | "type": "dashboard"
21 | }
22 | ]
23 | },
24 | "description": "Helm stats",
25 | "editable": true,
26 | "fiscalYearStartMonth": 0,
27 | "gnetId": 9367,
28 | "graphTooltip": 0,
29 | "links": [],
30 | "liveNow": false,
31 | "panels": [
32 | {
33 | "datasource": {},
34 | "fieldConfig": {
35 | "defaults": {
36 | "color": {
37 | "mode": "thresholds"
38 | },
39 | "custom": {
40 | "align": "auto",
41 | "cellOptions": {
42 | "type": "auto"
43 | },
44 | "inspect": false
45 | },
46 | "decimals": 2,
47 | "displayName": "",
48 | "mappings": [
49 | {
50 | "options": {
51 | "0": {
52 | "index": 1,
53 | "text": "UNKNOWN"
54 | },
55 | "1": {
56 | "index": 0,
57 | "text": "DEPLOYED"
58 | },
59 | "2": {
60 | "index": 3,
61 | "text": "DELETED"
62 | },
63 | "3": {
64 | "index": 4,
65 | "text": "SUPERSEDED"
66 | },
67 | "5": {
68 | "index": 5,
69 | "text": "DELETING"
70 | },
71 | "6": {
72 | "index": 6,
73 | "text": "PENDING_INSTALL"
74 | },
75 | "7": {
76 | "index": 7,
77 | "text": "PENDING_UPGRADE"
78 | },
79 | "8": {
80 | "index": 8,
81 | "text": "PENDING_ROLLBACK"
82 | },
83 | "-1": {
84 | "index": 2,
85 | "text": "FAILED"
86 | }
87 | },
88 | "type": "value"
89 | }
90 | ],
91 | "thresholds": {
92 | "mode": "absolute",
93 | "steps": [
94 | {
95 | "color": "green",
96 | "value": null
97 | },
98 | {
99 | "color": "red",
100 | "value": 80
101 | }
102 | ]
103 | },
104 | "unit": "short"
105 | },
106 | "overrides": [
107 | {
108 | "matcher": {
109 | "id": "byName",
110 | "options": "Value"
111 | },
112 | "properties": [
113 | {
114 | "id": "unit",
115 | "value": "short"
116 | },
117 | {
118 | "id": "decimals",
119 | "value": 2
120 | },
121 | {
122 | "id": "custom.cellOptions",
123 | "value": {
124 | "type": "color-background"
125 | }
126 | },
127 | {
128 | "id": "custom.align"
129 | },
130 | {
131 | "id": "thresholds",
132 | "value": {
133 | "mode": "absolute",
134 | "steps": [
135 | {
136 | "color": "rgba(245, 54, 54, 0.9)",
137 | "value": null
138 | },
139 | {
140 | "color": "#629e51",
141 | "value": 0
142 | },
143 | {
144 | "color": "#1f78c1",
145 | "value": 2
146 | }
147 | ]
148 | }
149 | }
150 | ]
151 | }
152 | ]
153 | },
154 | "gridPos": {
155 | "h": 21,
156 | "w": 24,
157 | "x": 0,
158 | "y": 0
159 | },
160 | "id": 2,
161 | "links": [],
162 | "options": {
163 | "cellHeight": "sm",
164 | "footer": {
165 | "countRows": false,
166 | "fields": "",
167 | "reducer": [
168 | "sum"
169 | ],
170 | "show": false
171 | },
172 | "showHeader": true
173 | },
174 | "pluginVersion": "10.1.2",
175 | "targets": [
176 | {
177 | "datasource": {
178 | "type": "prometheus",
179 | "uid": "prometheus"
180 | },
181 | "editorMode": "code",
182 | "exemplar": false,
183 | "expr": "min(helm_chart_info{chart=~\"$chart\", namespace=~\"$namespace\", release=~\"$release\"}) by (chart, release, namespace, version, latestVersion) != 2",
184 | "format": "table",
185 | "instant": true,
186 | "intervalFactor": 1,
187 | "legendFormat": "",
188 | "range": false,
189 | "refId": "A"
190 | }
191 | ],
192 | "title": "Helm Releases",
193 | "transformations": [
194 | {
195 | "id": "filterFieldsByName",
196 | "options": {}
197 | },
198 | {
199 | "id": "organize",
200 | "options": {
201 | "excludeByName": {
202 | "Time": true
203 | },
204 | "indexByName": {
205 | "Time": 0,
206 | "Value": 6,
207 | "chart": 1,
208 | "latestVersion": 5,
209 | "namespace": 2,
210 | "release": 3,
211 | "version": 4
212 | },
213 | "renameByName": {
214 | "Value": "Status",
215 | "chart": "Chart Name",
216 | "latestVersion": "Latest Version",
217 | "namespace": "Namespace",
218 | "release": "Release Name",
219 | "version": "Installed Version"
220 | }
221 | }
222 | }
223 | ],
224 | "type": "table"
225 | }
226 | ],
227 | "refresh": "",
228 | "schemaVersion": 38,
229 | "style": "dark",
230 | "tags": [
231 | "helm",
232 | "helm-chart-info"
233 | ],
234 | "templating": {
235 | "list": [
236 | {
237 | "allValue": ".*",
238 | "current": {
239 | "selected": true,
240 | "text": "All",
241 | "value": "$__all"
242 | },
243 | "datasource": {
244 | "type": "prometheus",
245 | "uid": "P4169E866C3094E38"
246 | },
247 | "definition": "",
248 | "hide": 0,
249 | "includeAll": true,
250 | "multi": false,
251 | "name": "chart",
252 | "options": [],
253 | "query": {
254 | "query": "label_values(helm_chart_info, chart)",
255 | "refId": "Prometheus-chart-Variable-Query"
256 | },
257 | "refresh": 1,
258 | "regex": "",
259 | "skipUrlSync": false,
260 | "sort": 0,
261 | "tagValuesQuery": "",
262 | "tagsQuery": "",
263 | "type": "query",
264 | "useTags": false
265 | },
266 | {
267 | "allValue": ".*",
268 | "current": {
269 | "selected": false,
270 | "text": "All",
271 | "value": "$__all"
272 | },
273 | "definition": "",
274 | "hide": 0,
275 | "includeAll": true,
276 | "multi": false,
277 | "name": "release",
278 | "options": [],
279 | "query": {
280 | "query": "label_values(helm_chart_info, release)",
281 | "refId": "Prometheus-release-Variable-Query"
282 | },
283 | "refresh": 1,
284 | "regex": "",
285 | "skipUrlSync": false,
286 | "sort": 0,
287 | "tagValuesQuery": "",
288 | "tagsQuery": "",
289 | "type": "query",
290 | "useTags": false
291 | },
292 | {
293 | "allValue": ".*",
294 | "current": {
295 | "selected": false,
296 | "text": "All",
297 | "value": "$__all"
298 | },
299 | "definition": "",
300 | "hide": 0,
301 | "includeAll": true,
302 | "multi": false,
303 | "name": "namespace",
304 | "options": [],
305 | "query": {
306 | "query": "label_values(helm_chart_info, namespace)",
307 | "refId": "Prometheus-namespace-Variable-Query"
308 | },
309 | "refresh": 1,
310 | "regex": "",
311 | "skipUrlSync": false,
312 | "sort": 0,
313 | "tagValuesQuery": "",
314 | "tagsQuery": "",
315 | "type": "query",
316 | "useTags": false
317 | }
318 | ]
319 | },
320 | "time": {
321 | "from": "now-5m",
322 | "to": "now"
323 | },
324 | "timepicker": {
325 | "refresh_intervals": [
326 | "5s",
327 | "10s",
328 | "30s",
329 | "1m",
330 | "5m",
331 | "15m",
332 | "30m",
333 | "1h",
334 | "2h",
335 | "1d"
336 | ],
337 | "time_options": [
338 | "5m",
339 | "15m",
340 | "1h",
341 | "6h",
342 | "12h",
343 | "24h",
344 | "2d",
345 | "7d",
346 | "30d"
347 | ]
348 | },
349 | "timezone": "",
350 | "title": "Helm Exporter",
351 | "uid": "Gqncyvfmz",
352 | "version": 2,
353 | "weekStart": ""
354 | }
--------------------------------------------------------------------------------
/apps/base/helm-exporter/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: helm-exporter
5 | namespace: helm-exporter
6 | spec:
7 | releaseName: helm-exporter
8 | chart:
9 | spec:
10 | chart: helm-exporter
11 | sourceRef:
12 | kind: HelmRepository
13 | name: sstarcher
14 | namespace: helm-exporter
15 | interval: 15m
16 | timeout: 5m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Defaults: https://github.com/sstarcher/helm-exporter/blob/master/helm/values.yaml
24 | values:
25 | intervalDuration: 300s
26 | serviceMonitor:
27 | interval: 300s
28 | create: true
29 | podSecurityContext:
30 | fsGroup: 2000
31 | securityContext: # NOTE(review): runAsUser and runAsNonRoot are commented out below, so nothing here prevents the container from running as root unless the image itself sets a non-root USER — confirm, and prefer restoring `runAsNonRoot: true` (readOnlyRootFilesystem is also absent, unlike the external-dns release in this tree).
32 | #runAsUser: 1000
33 | runAsGroup: 2000
34 | allowPrivilegeEscalation: false
35 | capabilities:
36 | drop:
37 | - ALL
38 | #runAsNonRoot: true
39 | config:
40 | helmRegistries: # Explicit registry→chart map the exporter uses to look up latest chart versions (feeds the latestVersion label on helm_chart_info).
41 | override:
42 | - registry:
43 | url: "https://shanestarcher.com/helm-charts/"
44 | charts:
45 | - helm-exporter
46 | - registry:
47 | url: "https://kubernetes.github.io/autoscaler/"
48 | charts:
49 | - cluster-autoscaler
50 | - registry:
51 | url: "https://aws.github.io/eks-charts"
52 | charts:
53 | - aws-load-balancer-controller
54 | - registry:
55 | url: "https://charts.jetstack.io"
56 | charts:
57 | - cert-manager
58 | - registry:
59 | url: "https://kubernetes-sigs.github.io/external-dns/"
60 | charts:
61 | - external-dns
62 | - registry:
63 | url: "https://istio-release.storage.googleapis.com/charts"
64 | charts:
65 | - base
66 | - istiod
67 | - gateway
68 | - registry:
69 | url: "https://victoriametrics.github.io/helm-charts/"
70 | charts:
71 | - victoria-metrics-k8s-stack
72 | - victoria-logs-single
73 | - registry:
74 | url: "https://kubernetes-sigs.github.io/metrics-server/"
75 | charts:
76 | - metrics-server
77 | - registry:
78 | url: "https://fluent.github.io/helm-charts"
79 | charts:
80 | - fluent-bit
81 | - registry:
82 | url: "https://kkirara.github.io/KubeLinks"
83 | charts:
84 | - kubelinks
85 | - registry:
86 | url: https://emberstack.github.io/helm-charts
87 | charts:
88 | - reflector
89 | - registry:
90 | url: https://charts.external-secrets.io
91 | charts:
92 | - external-secrets
93 | - registry:
94 | url: https://charts.deliveryhero.io
95 | charts:
96 | - k8s-event-logger
97 | - registry:
98 | url: https://kedacore.github.io/charts
99 | charts:
100 | - keda
101 | - registry:
102 | url: https://prometheus-community.github.io/helm-charts
103 | charts:
104 | - prometheus-blackbox-exporter
105 | - prometheus-operator-crds
106 | - registry:
107 | url: https://kubernetes-sigs.github.io/aws-efs-csi-driver
108 | charts:
109 | - aws-efs-csi-driver
110 | - registry:
111 | url: https://argoproj.github.io/argo-helm
112 | charts:
113 | - argo-cd
114 | - registry:
115 | url: https://app.getambassador.io
116 | charts:
117 | - telepresence
118 | - registry:
119 | url: https://cloudnative-pg.github.io/charts
120 | charts:
121 | - cloudnative-pg
122 | - registry:
123 | url: https://charts.jenkins.io
124 | charts:
125 | - jenkins
126 | - registry:
127 | url: https://strimzi.io/charts
128 | charts:
129 | - strimzi-kafka-operator
130 | - registry:
131 | url: https://helm.runix.net
132 | charts:
133 | - pgadmin4
134 | - registry:
135 | url: https://airflow.apache.org
136 | charts:
137 | - airflow
138 | - registry:
139 | url: https://operator.min.io
140 | charts:
141 | - operator
142 | - tenant
143 | - registry:
144 | url: https://grafana.github.io/helm-charts
145 | charts:
146 | - loki
147 | - alloy
148 | - registry:
149 | url: https://helm.elastic.co
150 | charts:
151 | - eck-operator-crds
152 | - eck-operator
153 | - registry:
154 | url: https://charts.enix.io
155 | charts:
156 | - x509-certificate-exporter
157 | - registry:
158 | url: https://stakater.github.io/stakater-charts
159 | charts:
160 | - reloader
161 | - registry:
162 | url: https://seaweedfs.github.io/seaweedfs/helm
163 | charts:
164 | - seaweedfs
165 | - registry:
166 | url: https://docs.altinity.com/clickhouse-operator/
167 | charts:
168 | - altinity-clickhouse-operator
169 | - registry:
170 | url: https://kyverno.github.io/kyverno/
171 | charts:
172 | - kyverno
173 |
--------------------------------------------------------------------------------
/apps/base/helm-exporter/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: sstarcher
5 | namespace: helm-exporter
6 | spec:
7 | interval: 120m
8 | url: https://shanestarcher.com/helm-charts/
9 |
--------------------------------------------------------------------------------
/apps/base/helm-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | configMapGenerator:
8 | - name: grafana-helm-exporter
9 | namespace: helm-exporter
10 | files:
11 | - dashboards/grafana-helm-exporter.json
12 | options:
13 | labels:
14 | grafana_dashboard: "1"
15 | app.kubernetes.io/part-of: helm-exporter
16 | app.kubernetes.io/component: monitoring
--------------------------------------------------------------------------------
/apps/base/helm-exporter/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: helm-exporter
--------------------------------------------------------------------------------
/apps/base/httpbin/gateway.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.istio.io/v1
2 | kind: Gateway
3 | metadata:
4 | name: httpbin-gateway
5 | namespace: httpbin
6 | spec:
7 | selector:
8 | istio: ingress-private
9 | servers:
10 | - hosts:
11 | - httpbin.${cluster_subdomain}
12 | port:
13 | name: http
14 | number: 80
15 | protocol: HTTP
16 | tls:
17 | httpsRedirect: true
18 | - hosts:
19 | - httpbin.${cluster_subdomain}
20 | port:
21 | name: https
22 | number: 443
23 | protocol: HTTPS
24 | tls:
25 | credentialName: localhost-direct
26 | mode: SIMPLE
27 |
--------------------------------------------------------------------------------
/apps/base/httpbin/httpbin.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | name: httpbin
5 | namespace: httpbin
6 | ---
7 | apiVersion: v1
8 | kind: Service
9 | metadata:
10 | name: httpbin
11 | namespace: httpbin
12 | labels:
13 | app: httpbin
14 | service: httpbin
15 | spec:
16 | ports:
17 | - name: http
18 | port: 8000
19 | targetPort: 8080
20 | selector:
21 | app: httpbin
22 | ---
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | namespace: httpbin
28 | spec:
29 | replicas: 1
30 | selector:
31 | matchLabels:
32 | app: httpbin
33 | version: v1
34 | template:
35 | metadata:
36 | labels:
37 | app: httpbin
38 | version: v1
39 | spec:
40 | serviceAccountName: httpbin
41 | containers:
42 | - image: docker.io/mccutchen/go-httpbin:2.18.1 # NOTE(review): image is tag-pinned (good), but the container has no securityContext (runAsNonRoot, drop ALL capabilities, readOnlyRootFilesystem, allowPrivilegeEscalation: false) and no resource limits, unlike the external-dns release in this tree; a test echo service exposed through the mesh should still get the same baseline hardening.
43 | imagePullPolicy: IfNotPresent
44 | name: httpbin
45 | ports:
46 | - containerPort: 8080
47 |
--------------------------------------------------------------------------------
/apps/base/httpbin/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - httpbin.yaml
6 | - virtual-service.yaml
7 | #- gateway.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/httpbin/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: httpbin
5 |
--------------------------------------------------------------------------------
/apps/base/httpbin/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: httpbin-virtualservice
6 | namespace: httpbin
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - httpbin.${cluster_subdomain}
12 | http:
13 | - route:
14 | - destination:
15 | host: httpbin.httpbin.svc.cluster.local
16 | port:
17 | number: 8000
18 |
--------------------------------------------------------------------------------
/apps/base/istio/helm-istio-gw-private.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2
3 | kind: HelmRelease
4 | metadata:
5 | name: istio-ingress-private
6 | namespace: istio-ingress
7 | spec:
8 | releaseName: istio-ingress-private
9 | chart:
10 | spec:
11 | chart: gateway
12 | sourceRef:
13 | kind: HelmRepository
14 | name: istio
15 | namespace: istio-system
16 | interval: 5m
17 | install:
18 | crds: Skip
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | crds: Skip
23 | # Default values: https://github.com/istio/istio/blob/master/manifests/charts/gateway/values.yaml
24 | values:
25 | autoscaling:
26 | minReplicas: 1
27 | maxReplicas: 4
28 |
--------------------------------------------------------------------------------
/apps/base/istio/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: istiod
5 | namespace: istio-system
6 | spec:
7 | releaseName: istiod
8 | chart:
9 | spec:
10 | chart: istiod
11 | sourceRef:
12 | kind: HelmRepository
13 | name: istio
14 | namespace: istio-system
15 | interval: 5m
16 | install:
17 | crds: Skip
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | crds: Skip
22 | # Default values
23 | values:
24 | pilot:
25 | autoscaleMin: 1
26 | meshConfig:
27 | ingressClass: istio
28 | ingressService: istio-ingress-public
29 | ingressSelector: ingress-public
30 |
--------------------------------------------------------------------------------
/apps/base/istio/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: istio
5 | namespace: istio-system
6 | spec:
7 | interval: 120m
8 | url: https://istio-release.storage.googleapis.com/charts
9 |
--------------------------------------------------------------------------------
/apps/base/istio/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | #- namespace.yaml
5 | #- helm-repo.yaml
6 | - helm-release.yaml
7 | - helm-istio-gw-private.yaml
8 | #- helm-istio-gw-public.yaml
9 | - telemetry.yaml
10 | #- monitors.yaml
11 | #- prometheusrule.yaml
12 |
--------------------------------------------------------------------------------
/apps/base/istio/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: istio-system
6 | ---
7 | apiVersion: v1
8 | kind: Namespace
9 | metadata:
10 | name: istio-ingress
11 | labels:
12 | istio-injection: enabled
--------------------------------------------------------------------------------
/apps/base/istio/telemetry.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: telemetry.istio.io/v1alpha1
2 | kind: Telemetry
3 | metadata:
4 | name: mesh-default
5 | namespace: istio-ingress
6 | spec:
7 | accessLogging:
8 | - providers:
9 | - name: envoy
--------------------------------------------------------------------------------
/apps/base/jenkins-server/gateway.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.istio.io/v1beta1
2 | kind: Gateway
3 | metadata:
4 | name: istio-gateway-jenkins
5 | namespace: jenkins
6 | annotations:
7 | istio: ingress-private
8 | spec:
9 | selector:
10 | istio: ingress-private
11 | servers:
12 | - hosts:
13 | - jenkins.${cluster_subdomain}
14 | port:
15 | name: http
16 | number: 80
17 | protocol: HTTP2
18 | tls:
19 | httpsRedirect: true
20 | - hosts:
21 | - jenkins.${cluster_subdomain}
22 | port:
23 | name: https-tls
24 | number: 443
25 | protocol: HTTPS
26 | tls:
27 | mode: SIMPLE
28 | credentialName: localhost-direct
29 |
--------------------------------------------------------------------------------
/apps/base/jenkins-server/helm-release.yaml:
--------------------------------------------------------------------------------
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jenkins
  namespace: jenkins
spec:
  releaseName: jenkins
  chart:
    spec:
      chart: jenkins
      # No `version:` constraint: each reconcile may roll to the newest chart
      # without review. Pin a version (or a bounded semver range) so upgrades
      # of the CI controller are deliberate.
      sourceRef:
        kind: HelmRepository
        name: jenkins
        namespace: jenkins
  interval: 5m
  timeout: 30m0s
  install:
    remediation:
      retries: 3
  # Defaults: https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml
  values:
    controller:
      jenkinsUrl: jenkins.${cluster_subdomain}
      jenkinsUrlProtocol: "https"
      # Plugins are listed without versions, so the chart resolves whatever is
      # latest at install time — non-reproducible and unreviewed supply chain
      # for code that runs inside the controller. The chart accepts
      # `name:version` entries; pin them.
      additionalPlugins:
        - azure-ad
        - ssh-agent
        - credentials-binding
        - timestamper
        - ws-cleanup
        - aws-credentials
        - pipeline-aws
        - jobConfigHistory
        - envinject
    agent:
      # SECURITY: the "multitool" template below runs its container with
      # `privileged: true` and the jenkins-agent ServiceAccount mounted. Any
      # pipeline step scheduled on this template is therefore root-equivalent
      # on the node and holds a cluster identity, so a compromised job or
      # dependency can escape to the host and pivot. Prefer a rootless builder
      # (kaniko/buildkit-rootless) and drop `privileged`; if privilege is
      # unavoidable, confine this template to a dedicated node pool, limit which
      # jobs may request the "multitool" label, and alert on its use.
      # The image is also pulled by floating tag (no tag or digest) — pin by
      # digest so a retagged upstream image cannot silently change the agent.
      # (Comments cannot go inside the block scalar: it is a literal string the
      # Jenkins kubernetes plugin parses, so its content is left untouched.)
      podTemplates:
        multitool: |
          - name: multitool
            label: multitool
            serviceAccount: jenkins-agent
            containers:
              - name: docker-awscli-kubectl
                image: guitarrapc/docker-awscli-kubectl
                command: "/bin/sh -c"
                args: "cat"
                ttyEnabled: true
                privileged: true
    # The agent ServiceAccount is created by the chart; review the RBAC bound
    # to it, since it is exposed to every job using the template above.
    serviceAccountAgent:
      create: true
--------------------------------------------------------------------------------
/apps/base/jenkins-server/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: jenkins
5 | namespace: jenkins
6 | spec:
7 | interval: 120m
8 | url: https://charts.jenkins.io
9 |
--------------------------------------------------------------------------------
/apps/base/jenkins-server/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | - virtual-service.yaml
8 | #- gateway.yaml
9 |
--------------------------------------------------------------------------------
/apps/base/jenkins-server/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: jenkins
5 |
--------------------------------------------------------------------------------
/apps/base/jenkins-server/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1alpha3
3 | kind: VirtualService
4 | metadata:
5 | name: jenkins
6 | namespace: jenkins
7 | spec:
8 | hosts:
9 | - "jenkins.${cluster_subdomain}"
10 | gateways:
11 | - istio-ingress/wildcard-gateway
12 | http:
13 | - match: []
14 | route:
15 | - destination:
16 | host: jenkins
17 | port:
18 | number: 8080
19 |
--------------------------------------------------------------------------------
/apps/base/k8s-event-logger/helm-release.yaml:
--------------------------------------------------------------------------------
# Ships Kubernetes Events to stdout so they land in the log pipeline — useful
# detection telemetry (image pulls, failed mounts, evictions, RBAC-related
# warnings) that is otherwise lost after the event TTL.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: k8s-event-logger
  namespace: k8s-event-logger
spec:
  interval: 15m
  timeout: 15m
  chart:
    spec:
      chart: k8s-event-logger
      # No `version:` constraint — the newest chart is taken on each reconcile.
      sourceRef:
        kind: HelmRepository
        name: deliveryhero
        # Cross-namespace source reference (release in k8s-event-logger, source
        # in flux-system). This only resolves while helm-controller runs without
        # --no-cross-namespace-refs; the other releases in this repo keep the
        # HelmRepository in the release's own namespace. TODO confirm this is
        # intentional.
        namespace: flux-system
      interval: 5m
  releaseName: k8s-event-logger
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
  # Default values: https://github.com/deliveryhero/helm-charts/blob/master/stable/k8s-event-logger/values.yaml
  #values:
--------------------------------------------------------------------------------
/apps/base/k8s-event-logger/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: deliveryhero
5 | namespace: flux-system
6 | spec:
7 | interval: 120m
8 | url: https://charts.deliveryhero.io
9 |
--------------------------------------------------------------------------------
/apps/base/k8s-event-logger/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/k8s-event-logger/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: k8s-event-logger
5 |
--------------------------------------------------------------------------------
/apps/base/keda/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: keda
5 | namespace: keda
6 | spec:
7 | interval: 15m
8 | timeout: 15m
9 | chart:
10 | spec:
11 | chart: keda
12 | sourceRef:
13 | kind: HelmRepository
14 | name: kedacore
15 | interval: 5m
16 | releaseName: keda
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/kedacore/charts/blob/main/keda/values.yaml
24 | values:
25 | clusterName: ${cluster_name}
26 | # resources:
27 | # # -- Manage [resource request & limits] of KEDA operator pod
28 | # operator:
29 | # limits:
30 | # cpu: null
31 | # memory: 200Mi
32 | # requests:
33 | # cpu: 10m
34 | # memory: 200Mi
35 | # # -- Manage [resource request & limits] of KEDA metrics apiserver pod
36 | # metricServer:
37 | # limits:
38 | # cpu: null
39 | # memory: 100Mi
40 | # requests:
41 | # cpu: 10m
42 | # memory: 100Mi
43 | # # -- Manage [resource request & limits] of KEDA admission webhooks pod
44 | # webhooks:
45 | # limits:
46 | # cpu: null
47 | # memory: 100Mi
48 | # requests:
49 | # cpu: 10m
50 | # memory: 100Mi
51 | prometheus:
52 | metricServer:
53 | enabled: true
54 | serviceMonitor:
55 | enabled: true
56 | operator:
57 | enabled: true
58 | serviceMonitor:
59 | enabled: true
60 | prometheusRules:
61 | enabled: true
62 | alerts:
63 | - alert: KedaScalerErrors
64 | annotations:
65 | description: Keda scaledObject {{ $labels.scaledObject }} is experiencing errors with {{ $labels.scaler }} scaler
66 | summary: Keda Scaler {{ $labels.scaler }} Errors
67 | expr: sum by ( scaledObject , scaler) (rate(keda_metrics_adapter_scaler_errors[2m])) > 0
68 | for: 2m
69 | webhooks:
70 | enabled: true
71 | serviceMonitor:
72 | enabled: true
73 |
--------------------------------------------------------------------------------
/apps/base/keda/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: kedacore
5 | namespace: keda
6 | spec:
7 | interval: 120m
8 | url: https://kedacore.github.io/charts
9 |
--------------------------------------------------------------------------------
/apps/base/keda/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/keda/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: keda
5 |
--------------------------------------------------------------------------------
/apps/base/kro/README.md:
--------------------------------------------------------------------------------
1 | # kro
2 | Kube Resource Orchestrator
3 |
4 | documentation: https://kro.run/
5 |
--------------------------------------------------------------------------------
/apps/base/kro/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: kro
5 | namespace: kro
6 | spec:
7 | releaseName: kro
8 | chartRef:
9 | kind: OCIRepository
10 | name: kro
11 | namespace: kro
12 | interval: 15m
13 | timeout: 5m
14 | install:
15 | remediation:
16 | retries: 3
17 | upgrade:
18 | remediation:
19 | retries: 3
20 | # Defaults: https://github.com/kro-run/kro/blob/main/helm/values.yaml
21 | values:
22 | metrics:
23 | service:
24 | create: true
25 |
--------------------------------------------------------------------------------
/apps/base/kro/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - oci-repo.yaml
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/kro/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: kro
5 |
--------------------------------------------------------------------------------
/apps/base/kro/oci-repo.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kro
  namespace: kro
spec:
  interval: 120m
  url: oci://ghcr.io/kro-run/kro/kro
  ref:
    # Open-ended range: every future release, including a new major with
    # breaking or unexpected changes, is pulled and deployed automatically
    # (kro installs cluster-scoped CRDs and a controller). No artifact
    # signature check (Flux `spec.verify`) is configured either, so the trust
    # boundary is the registry account alone. Consider an upper bound
    # (e.g. ">=0.2.0 <1.0.0") plus cosign verification of the chart.
    semver: ">=0.2.0"
--------------------------------------------------------------------------------
/apps/base/kubelinks/gateway.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.istio.io/v1beta1
2 | kind: Gateway
3 | metadata:
4 | name: kubelinks-gateway
5 | namespace: kubelinks
6 | spec:
7 | selector:
8 | istio: ingress-private
9 | servers:
10 | - hosts:
11 | - links.${cluster_subdomain}
12 | port:
13 | name: http
14 | number: 80
15 | protocol: HTTP
16 | tls:
17 | httpsRedirect: true
18 | - hosts:
19 | - links.${cluster_subdomain}
20 | port:
21 | name: https
22 | number: 443
23 | protocol: HTTPS
24 | tls:
25 | credentialName: localhost-direct
26 | mode: SIMPLE
27 |
--------------------------------------------------------------------------------
/apps/base/kubelinks/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: kubelinks
5 | namespace: kubelinks
6 | spec:
7 | releaseName: kubelinks
8 | chart:
9 | spec:
10 | chart: kubelinks
11 | sourceRef:
12 | kind: HelmRepository
13 | name: kkirara
14 | namespace: kubelinks
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/kkirara/KubeLinks/blob/master/charts/kubelinks/values.yaml
24 | #values:
25 |
--------------------------------------------------------------------------------
/apps/base/kubelinks/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: kkirara
5 | namespace: kubelinks
6 | spec:
7 | interval: 120m
8 | url: https://kkirara.github.io/KubeLinks
9 |
--------------------------------------------------------------------------------
/apps/base/kubelinks/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 | #- gateway.yaml
8 | - virtual-service.yaml
9 |
--------------------------------------------------------------------------------
/apps/base/kubelinks/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: kubelinks
5 |
--------------------------------------------------------------------------------
/apps/base/kubelinks/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: kubelinks-virtualservice
6 | namespace: kubelinks
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - links.${cluster_subdomain}
12 | http:
13 | - route:
14 | - destination:
15 | host: kubelinks.kubelinks.svc.cluster.local
16 | port:
17 | number: 80
18 |
--------------------------------------------------------------------------------
/apps/base/kyverno/README.md:
--------------------------------------------------------------------------------
1 | # Kyverno
2 |
3 | Kyverno is a policy engine designed for cloud native platform engineering teams.
4 |
5 | * [Documentation](https://kyverno.io/docs/)
6 | * [Helm Chart Source](https://github.com/kyverno/kyverno/tree/main/charts/kyverno)
7 |
--------------------------------------------------------------------------------
/apps/base/kyverno/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: kyverno
5 | namespace: kyverno
6 | spec:
7 | releaseName: kyverno
8 | chart:
9 | spec:
10 | chart: kyverno
11 | sourceRef:
12 | kind: HelmRepository
13 | name: kyverno
14 | namespace: kyverno
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/kyverno/kyverno/blob/main/charts/kyverno/values.yaml
24 | values:
25 | grafana:
26 | enabled: true
27 | admissionController:
28 | serviceMonitor:
29 | enabled: true
30 | backgroundController:
31 | serviceMonitor:
32 | enabled: true
33 | cleanupController:
34 | serviceMonitor:
35 | enabled: true
36 | reportsController:
37 | serviceMonitor:
38 | enabled: true
39 |
--------------------------------------------------------------------------------
/apps/base/kyverno/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: kyverno
5 | namespace: kyverno
6 | spec:
7 | interval: 120m
8 | url: https://kyverno.github.io/kyverno/
9 |
--------------------------------------------------------------------------------
/apps/base/kyverno/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/kyverno/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: kyverno
5 |
--------------------------------------------------------------------------------
/apps/base/loki/datasource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: loki-datasource
5 | namespace: loki
6 | labels:
7 | grafana_datasource: "1"
8 | data:
9 | loki-datasource.yaml: |-
10 | apiVersion: 1
11 | datasources:
12 | - name: Loki
13 | type: loki
14 | access: proxy
15 | url: http://loki-gateway.loki
16 | version: 1
17 | isDefault: false
18 | editable: false
19 | orgId: 1
20 | uid: loki
21 | jsonData:
22 | maxLines: 100
23 | timeout: 600
24 |
--------------------------------------------------------------------------------
/apps/base/loki/helm-release-loki.yaml:
--------------------------------------------------------------------------------
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: loki
  namespace: loki
spec:
  releaseName: loki
  chart:
    spec:
      chart: loki
      sourceRef:
        kind: HelmRepository
        name: grafana
        namespace: loki
  interval: 15m
  timeout: 15m
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
  # Object-store credentials come from a Secret rather than being committed
  # here; keep it that way (the Secret's values are merged over `values:`).
  valuesFrom:
    - kind: Secret
      name: minio-loki-env-configuration
      valuesKey: helm-release-loki-values
  # Default values: https://github.com/grafana/loki/blob/main/production/helm/loki/values.yaml
  values:
    lokiCanary:
      enabled: false
    test:
      enabled: false
    loki:
      # SECURITY: multi-tenancy/auth is off, so the gateway accepts
      # unauthenticated push and query for the whole log store. Anything that
      # can reach loki-gateway.loki in-cluster can read every log line (often
      # containing tokens/PII) or inject fabricated entries to mislead
      # investigations. Restrict reach with NetworkPolicy / Istio
      # AuthorizationPolicy to the collectors and Grafana, and never bind the
      # gateway to a public Istio gateway. The chart's gateway basic-auth
      # option is not set here either.
      auth_enabled: false
      commonConfig:
        replication_factor: 1
      schemaConfig:
        configs:
          - from: "2024-04-15"
            object_store: s3
            store: tsdb
            schema: v13
            index:
              prefix: index_
              period: 24h
      storage:
        bucketNames:
          admin: admin
          chunks: chunks
          ruler: ruler
        type: s3
      ingester:
        chunk_encoding: snappy
      pattern_ingester:
        enabled: true
      server:
        http_server_write_timeout: 5m
        http_server_read_timeout: 5m
        # 100 MiB gRPC message limits in both directions.
        grpc_server_max_recv_msg_size: 104857600
        grpc_server_max_send_msg_size: 104857600
      limits_config:
        max_global_streams_per_user: 10000
        max_line_size_truncate: true
        volume_enabled: true
      querier:
        max_concurrent: 4
      frontend:
        compress_responses: true
        log_queries_longer_than: 30s
        query_stats_enabled: true
      rulerConfig:
        external_url: https://grafana.${cluster_subdomain}
        storage:
          type: local
          local:
            directory: /rules
        rule_path: /rules/fake
        # Plain HTTP to the in-cluster alertmanager; acceptable only if the
        # path is inside the mesh / trusted network.
        alertmanager_url: http://vmalertmanager-victoria-metrics-k8s-stack.monitoring.svc:9093
        # Ruler API is writable; with auth_enabled false anyone reaching it can
        # create or delete alerting rules.
        enable_api: true
        ring:
          kvstore:
            store: inmemory
        enable_alertmanager_v2: true
    memcachedExporter:
      resources:
        requests:
          cpu: 10m
          memory: 100Mi
        limits:
          memory: 100Mi
    sidecar:
      rules:
        # Rules are collected from ConfigMaps in EVERY namespace: whoever can
        # create a matching ConfigMap in any namespace can add ruler rules that
        # page on-call or hide signal. Narrow searchNamespace to the namespaces
        # owned by the platform team if tenants share this cluster.
        searchNamespace: ALL
        folder: /rules/fake
      resources:
        requests:
          cpu: 10m
          memory: 100Mi
        limits:
          memory: 100Mi
    backend:
      replicas: 1
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          memory: 256Mi
    read:
      replicas: 1
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          memory: 512Mi
    write:
      replicas: 1
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          memory: 256Mi
    gateway:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          memory: 256Mi
    chunksCache:
      allocatedMemory: 1024
    monitoring:
      dashboards:
        enabled: true
      serviceMonitor:
        enabled: true
    deploymentMode: SimpleScalable

    # Zero out replica counts of other deployment modes
    singleBinary:
      replicas: 0
    ingester:
      replicas: 0
    querier:
      replicas: 0
    queryFrontend:
      replicas: 0
    queryScheduler:
      replicas: 0
    distributor:
      replicas: 0
    compactor:
      replicas: 0
    indexGateway:
      replicas: 0
    bloomCompactor:
      replicas: 0
    bloomGateway:
      replicas: 0
--------------------------------------------------------------------------------
/apps/base/loki/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: grafana
5 | namespace: loki
6 | spec:
7 | interval: 120m
8 | url: https://grafana.github.io/helm-charts
9 |
--------------------------------------------------------------------------------
/apps/base/loki/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release-loki.yaml
7 | - datasource.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/loki/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: loki
5 |
--------------------------------------------------------------------------------
/apps/base/metrics-server/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: metrics-server
5 | namespace: metrics-server
6 | spec:
7 | releaseName: metrics-server
8 | chart:
9 | spec:
10 | chart: metrics-server
11 | sourceRef:
12 | kind: HelmRepository
13 | name: metrics-server
14 | namespace: metrics-server
15 | interval: 15m
16 | install:
17 | remediation:
18 | retries: 3
19 | upgrade:
20 | remediation:
21 | retries: 3
22 | # Default values: https://github.com/kubernetes-sigs/metrics-server/blob/master/charts/metrics-server/values.yaml
23 | #values:
24 |
--------------------------------------------------------------------------------
/apps/base/metrics-server/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: metrics-server
5 | namespace: metrics-server
6 | spec:
7 | interval: 120m
8 | url: https://kubernetes-sigs.github.io/metrics-server/
9 |
--------------------------------------------------------------------------------
/apps/base/metrics-server/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
--------------------------------------------------------------------------------
/apps/base/metrics-server/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: metrics-server
5 |
--------------------------------------------------------------------------------
/apps/base/minio-operator/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: operator
5 | namespace: minio-operator
6 | spec:
7 | releaseName: operator
8 | chart:
9 | spec:
10 | chart: operator
11 | sourceRef:
12 | kind: HelmRepository
13 | name: minio-operator
14 | namespace: minio-operator
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/minio/operator/blob/master/helm/operator/values.yaml
24 | #values:
25 |
--------------------------------------------------------------------------------
/apps/base/minio-operator/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: minio-operator
5 | namespace: minio-operator
6 | spec:
7 | interval: 120m
8 | url: https://operator.min.io
9 |
--------------------------------------------------------------------------------
/apps/base/minio-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/minio-operator/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: minio-operator
5 |
--------------------------------------------------------------------------------
/apps/base/ollama/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: open-webui
5 | namespace: ollama
6 | spec:
7 | releaseName: open-webui
8 | chart:
9 | spec:
10 | chart: open-webui
11 | sourceRef:
12 | kind: HelmRepository
13 | name: open-webui
14 | namespace: ollama
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default webui values: https://github.com/open-webui/helm-charts/blob/main/charts/open-webui/values.yaml
24 | # ollama sub-values: https://github.com/otwld/ollama-helm/blob/main/values.yaml
25 | values:
26 | ollama:
27 | ollama:
28 | gpu:
29 | enabled: true
30 | type: "nvidia"
31 | number: 1
32 | models:
33 | - llama3
34 | persistentVolume:
35 | enabled: true
36 |
--------------------------------------------------------------------------------
/apps/base/ollama/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: open-webui
5 | namespace: ollama
6 | spec:
7 | interval: 120m
8 | url: https://helm.openwebui.com/
9 |
--------------------------------------------------------------------------------
/apps/base/ollama/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - helm-repo.yaml
5 | - helm-release.yaml
6 | - namespace.yaml
7 | - virtual-service.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/ollama/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: ollama
5 |
--------------------------------------------------------------------------------
/apps/base/ollama/virtual-service.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: ollama-virtualservice
6 | namespace: ollama
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - ollama-web.${cluster_subdomain}
12 | http:
13 | - route:
14 | - destination:
15 | host: open-webui.ollama.svc.cluster.local
16 | port:
17 | number: 80
18 |
--------------------------------------------------------------------------------
/apps/base/oomkill-exporter/daemonset.yaml:
--------------------------------------------------------------------------------
# Node-level exporter that turns kernel OOM-kill messages into Prometheus
# metrics (scraped by podscrape.yaml, alerted on by vm-rule.yaml).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: oomkill-exporter
  namespace: oomkill-exporter
  labels:
    app: oomkill-exporter
spec:
  selector:
    matchLabels:
      app: oomkill-exporter
  template:
    metadata:
      labels:
        app: oomkill-exporter
    spec:
      containers:
        - name: oomkill-exporter
          # Pinned by tag only; pin by digest so a retagged image cannot change
          # what runs privileged on every node.
          image: sapcc/kubernetes-oomkill-exporter:0.5.1
          imagePullPolicy: IfNotPresent
          args:
            - -logtostderr
            # Verbose logging; may echo node details into the log pipeline.
            - -v=5
          # SECURITY: privileged, combined with the read-write containerd socket
          # mounted below and `tolerations: Exists` (so it lands on control-plane
          # nodes too), makes this pod root-equivalent on every node. Treat the
          # oomkill-exporter namespace as a privileged tier: nothing else
          # scheduled here, an explicit, documented admission-policy exemption
          # (Kyverno is deployed in this repo) rather than a blanket one, and
          # alerting on any pod/spec change in this namespace.
          securityContext:
            privileged: true
          resources:
            limits:
              memory: 100Mi
            requests:
              cpu: 20m
              memory: 100Mi
          volumeMounts:
            - name: kmsg
              mountPath: /dev/kmsg
              readOnly: true
            # Presumably used to resolve container IDs from kernel messages to
            # pods — verify against the exporter's docs. The socket is also a
            # full container-runtime control channel, which is why the
            # namespace must stay locked down.
            - name: containerd
              mountPath: /run/containerd/containerd.sock
          ports:
            - name: metrics
              containerPort: 9102
      tolerations:
        - operator: Exists
      volumes:
        - name: kmsg
          hostPath:
            path: /dev/kmsg
        - name: containerd
          hostPath:
            path: /run/containerd/containerd.sock
--------------------------------------------------------------------------------
/apps/base/oomkill-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - daemonset.yaml
6 | - podscrape.yaml
7 | - vm-rule.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/oomkill-exporter/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: oomkill-exporter
5 |
--------------------------------------------------------------------------------
/apps/base/oomkill-exporter/podscrape.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMPodScrape
3 | metadata:
4 | name: oomkill-exporter
5 | namespace: oomkill-exporter
6 | spec:
7 | podMetricsEndpoints:
8 | - port: metrics
9 | scheme: http
10 | selector:
11 | matchLabels:
12 | app: oomkill-exporter
13 |
--------------------------------------------------------------------------------
/apps/base/oomkill-exporter/vm-rule.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operator.victoriametrics.com/v1beta1
2 | kind: VMRule
3 | metadata:
4 | name: oomkill-exporter
5 | namespace: oomkill-exporter
6 | spec:
7 | groups:
8 | - name: OOMKILL
9 | rules:
10 | - alert: OOMKillDetected
11 | expr: sum by(namespace, pod_name) (changes(klog_pod_oomkill[5m])) >= 1
12 | for: 0m
13 | labels:
14 | severity: warning
15 | annotations:
16 | summary: "OOM Kill is detected for {{ $labels.pod_name }} in {{ $labels.namespace }}"
17 |
--------------------------------------------------------------------------------
/apps/base/pgadmin/helm-release.yaml:
--------------------------------------------------------------------------------
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: pgadmin4
  namespace: pgadmin
spec:
  releaseName: pgadmin4
  chart:
    spec:
      chart: pgadmin4
      # No `version:` constraint — newest chart on every reconcile.
      sourceRef:
        kind: HelmRepository
        name: runix
        namespace: pgadmin
  interval: 5m
  install:
    remediation:
      retries: 3
  # Defaults: https://github.com/rowanruseler/helm-charts/blob/main/charts/pgadmin4/values.yaml
  # NOTE(review): with `values:` commented out, whatever initial admin login
  # the linked values.yaml ships with is what gets deployed, and
  # virtual-service.yaml publishes the UI on pgadmin.${cluster_subdomain}
  # through the wildcard gateway. Before exposing it, supply the initial
  # credentials from a Secret (the chart's existing-secret option, if present
  # in the chart version in use) and treat pgadmin as a privileged database
  # console in access reviews — it stores saved server passwords.
  # values:
--------------------------------------------------------------------------------
/apps/base/pgadmin/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: runix
5 | namespace: pgadmin
6 | spec:
7 | interval: 120m
8 | url: https://helm.runix.net
9 |
--------------------------------------------------------------------------------
/apps/base/pgadmin/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | - virtual-service.yaml
8 |
--------------------------------------------------------------------------------
/apps/base/pgadmin/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: pgadmin
5 |
--------------------------------------------------------------------------------
/apps/base/pgadmin/virtual-service.yaml:
--------------------------------------------------------------------------------
# Istio route: pgadmin.<cluster_subdomain> -> pgadmin4 Service (plain HTTP, port 80) via the shared wildcard gateway.
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: pgadmin-virtualservice
6 | namespace: pgadmin
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway  # gateway lives in istio-ingress; TLS termination and any auth policy are defined there, not here
10 | hosts:
11 | - pgadmin.${cluster_subdomain}  # ${cluster_subdomain} is substituted by Flux at apply time
12 | http:
13 | - route:
14 | - destination:
15 | host: pgadmin4.pgadmin.svc.cluster.local
16 | port:
17 | number: 80  # the chart's Service port; the pgAdmin login form itself is the only access control visible in this directory
18 |
--------------------------------------------------------------------------------
/apps/base/reflector/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for emberstack reflector, which mirrors annotated Secrets/ConfigMaps into other
# namespaces (see the commented reflector.* annotations in ../seaweedfs/s3-secret.yaml). Chart values are defaults.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: reflector
5 | namespace: reflector
6 | spec:
7 | releaseName: reflector
8 | chart:
9 | spec:
10 | chart: reflector
11 | sourceRef:
12 | kind: HelmRepository
13 | name: emberstack  # declared in helm-repo.yaml
14 | namespace: reflector
15 | interval: 5m
16 | install:
17 | remediation:
18 | retries: 3
19 | # Defaults: https://github.com/emberstack/kubernetes-reflector/blob/main/src/helm/reflector/values.yaml
20 | # values:
# NOTE(review): a controller that copies Secrets across namespaces needs cluster-wide read/write on
# Secrets; the rm-reflector-*.yaml delete patches next to this file exist to remove it from overlays that do not need it.
21 |
--------------------------------------------------------------------------------
/apps/base/reflector/helm-repo.yaml:
--------------------------------------------------------------------------------
# Helm chart index for reflector; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: emberstack
5 | namespace: reflector
6 | spec:
7 | interval: 120m
8 | url: https://emberstack.github.io/helm-charts
9 |
--------------------------------------------------------------------------------
/apps/base/reflector/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize entry point for reflector. The rm-reflector-*.yaml delete patches in this directory are
# intentionally not listed; an overlay applies them as patches to drop reflector.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/reflector/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the reflector release.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: reflector
5 |
--------------------------------------------------------------------------------
/apps/base/reflector/rm-reflector-ns.yaml:
--------------------------------------------------------------------------------
# Kustomize delete patch: removes the reflector Namespace (and everything in it) when an overlay references this file.
1 | $patch: delete
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: reflector  # must match namespace.yaml exactly for the delete to apply
6 |
--------------------------------------------------------------------------------
/apps/base/reflector/rm-reflector-release.yaml:
--------------------------------------------------------------------------------
# Kustomize delete patch: removes the reflector HelmRelease when an overlay references this file.
1 | $patch: delete
2 | apiVersion: helm.toolkit.fluxcd.io/v2
3 | kind: HelmRelease
4 | metadata:
5 | name: reflector  # matches helm-release.yaml
6 | namespace: reflector
7 |
--------------------------------------------------------------------------------
/apps/base/reflector/rm-reflector-repo.yaml:
--------------------------------------------------------------------------------
# Kustomize delete patch: removes the emberstack HelmRepository when an overlay references this file.
1 | $patch: delete
2 | apiVersion: source.toolkit.fluxcd.io/v1
3 | kind: HelmRepository
4 | metadata:
5 | name: emberstack  # matches helm-repo.yaml
6 | namespace: reflector
7 |
--------------------------------------------------------------------------------
/apps/base/reloader/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for stakater Reloader (restarts workloads when their ConfigMaps/Secrets change). Chart values are defaults.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: reloader
5 | namespace: reloader
6 | spec:
7 | releaseName: reloader
8 | chart:
9 | spec:
10 | chart: reloader
11 | sourceRef:
12 | kind: HelmRepository
13 | name: stakater  # declared in helm-repo.yaml
14 | namespace: reloader
15 | interval: 5m
16 | install:
17 | remediation:
18 | retries: 3
19 | # Defaults: https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/values.yaml
20 | # values:
# NOTE(review): with defaults the controller watches every namespace; restrict it via the chart's
# namespace options in the overlay if cluster-wide watch/patch rights on workloads are not wanted — confirm against values.yaml.
21 |
--------------------------------------------------------------------------------
/apps/base/reloader/helm-repo.yaml:
--------------------------------------------------------------------------------
# Helm chart index for Reloader; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: stakater
5 | namespace: reloader
6 | spec:
7 | interval: 120m
8 | url: https://stakater.github.io/stakater-charts
9 |
--------------------------------------------------------------------------------
/apps/base/reloader/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize entry point for Reloader: namespace, chart source, release.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/reloader/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the Reloader release.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: reloader
5 |
--------------------------------------------------------------------------------
/apps/base/seaweedfs/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for SeaweedFS with the filer's S3 gateway enabled and authenticated.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: seaweedfs
5 | namespace: seaweedfs
6 | spec:
7 | releaseName: seaweedfs
8 | chart:
9 | spec:
10 | chart: seaweedfs
11 | sourceRef:
12 | kind: HelmRepository
13 | name: seaweedfs  # declared in helm-repo.yaml
14 | namespace: seaweedfs
15 | interval: 5m
16 | install:
17 | remediation:
18 | retries: 3
19 | # Defaults: https://github.com/seaweedfs/seaweedfs/blob/master/k8s/charts/seaweedfs/values.yaml
20 | values:
21 | filer:
22 | s3:
23 | enabled: true
24 | enableAuth: true  # S3 requests must present a known access/secret key pair
25 | existingConfigSecret: s3-secret  # identity list rendered by s3-secret.yaml (ExternalSecret target name); kustomization.yaml lists that file before this one
26 |
--------------------------------------------------------------------------------
/apps/base/seaweedfs/helm-repo.yaml:
--------------------------------------------------------------------------------
# Helm chart index for SeaweedFS; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: seaweedfs
5 | namespace: seaweedfs
6 | spec:
7 | interval: 120m
8 | url: https://seaweedfs.github.io/seaweedfs/helm
9 |
--------------------------------------------------------------------------------
/apps/base/seaweedfs/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize entry point for SeaweedFS. The S3 credential Secret is declared before the release that mounts it.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - s3-secret.yaml  # Password generator + ExternalSecret producing Secret "s3-secret"
6 | - helm-repo.yaml
7 | - helm-release.yaml  # consumes s3-secret via filer.s3.existingConfigSecret
8 |
--------------------------------------------------------------------------------
/apps/base/seaweedfs/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the SeaweedFS release and its S3 credential Secret.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: seaweedfs
5 |
--------------------------------------------------------------------------------
/apps/base/seaweedfs/s3-secret.yaml:
--------------------------------------------------------------------------------
# Builds the SeaweedFS S3 identity config (Secret "s3-secret") consumed by helm-release.yaml.
# The secret key is generated in-cluster by External Secrets; nothing secret is committed here.
1 | apiVersion: generators.external-secrets.io/v1alpha1
2 | kind: Password  # External Secrets generator: produces the random value used as secretKey below
3 | metadata:
4 | name: s3-secret
5 | namespace: seaweedfs
6 | spec:
7 | length: 24  # 24 characters
8 | symbols: 0  # alphanumeric only, so the value embeds safely inside the JSON template below
9 | ---
10 | apiVersion: external-secrets.io/v1
11 | kind: ExternalSecret
12 | metadata:
13 | name: s3-secret
14 | namespace: seaweedfs
15 | spec:
16 | refreshInterval: 0s  # no scheduled re-generation ...
17 | refreshPolicy: CreatedOnce  # ... and rendered only once: rotating the key means deleting the target Secret so it is re-created
18 | target:
19 | name: s3-secret  # Kubernetes Secret name referenced by filer.s3.existingConfigSecret
20 | template:
21 | engineVersion: v2
22 | # metadata:
23 | # annotations:
24 | # reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
25 | # reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
26 | # reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "loki"
# The reflector annotations above are disabled; enabling them would copy this Admin-level credential into the "loki" namespace.
27 | data:
28 | seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"qJ+Ok8tkhlq8PQ==","secretKey":"{{ .password }}"}],"actions":["Admin","Read","Write"]}]}'  # one identity with Admin/Read/Write; the accessKey is a fixed value kept in git, only the secretKey is generated
29 | dataFrom:
30 | - sourceRef:
31 | generatorRef:
32 | apiVersion: generators.external-secrets.io/v1alpha1
33 | kind: Password
34 | name: s3-secret  # the generator above; its output is exposed to the template as .password
35 |
--------------------------------------------------------------------------------
/apps/base/strimzi/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for the Strimzi Kafka operator. CRDs are skipped on install and upgrade, so they must be delivered by another source.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: strimzi-kafka-operator
5 | namespace: strimzi
6 | spec:
7 | releaseName: strimzi-kafka-operator
8 | chart:
9 | spec:
10 | chart: strimzi-kafka-operator
11 | sourceRef:
12 | kind: HelmRepository
13 | name: strimzi  # declared in helm-repo.yaml
14 | namespace: strimzi
15 | interval: 15m
16 | timeout: 15m0s  # operator rollout can be slow; give Helm actions up to 15 minutes
17 | install:
18 | crds: Skip  # CRDs managed outside this release — presumably the same separate CRD repo the VM stack uses; confirm
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | crds: Skip
23 | # Defaults: https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/values.yaml
24 | values:
25 | watchAnyNamespace: true  # operator reconciles Kafka resources in every namespace, which requires cluster-scoped RBAC rather than namespace-scoped
26 |
--------------------------------------------------------------------------------
/apps/base/strimzi/helm-repo.yaml:
--------------------------------------------------------------------------------
# Helm chart index for Strimzi; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: strimzi
5 | namespace: strimzi
6 | spec:
7 | interval: 120m
8 | url: https://strimzi.io/charts/
9 |
--------------------------------------------------------------------------------
/apps/base/strimzi/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize entry point for Strimzi plus a generated ConfigMap of upstream Grafana dashboards.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | namespace: strimzi  # applied to every resource below, including the PodMonitors that omit metadata.namespace
4 | resources:
5 | - namespace.yaml
6 | - helm-repo.yaml
7 | - helm-release.yaml
8 | - strimzi-pod-monitor.yaml
9 | configMapGenerator:
10 | - name: strimzi-dashboards
11 | namespace: strimzi
12 | files:
# NOTE(review): these dashboards are pulled from the mutable `main` branch, so their content can change
# without any commit in this repo; pinning to a release tag or commit SHA keeps the build reproducible
# and reviewable (other apps in this tree vendor dashboards as local JSON files instead).
13 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-cruise-control.json
14 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka-bridge.json
15 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka-connect.json
16 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka-exporter.json
17 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka-mirror-maker-2.json
18 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka-oauth.json
19 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kafka.json
20 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-kraft.json
21 | - https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/examples/metrics/grafana-dashboards/strimzi-operators.json
22 | options:
23 | labels:
24 | grafana_dashboard: "1"  # picked up by the Grafana dashboard sidecar
25 | kustomize.toolkit.fluxcd.io/substitute: disabled  # stop Flux from treating ${...} inside the dashboard JSON as variables
26 |
--------------------------------------------------------------------------------
/apps/base/strimzi/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the Strimzi operator release and its PodMonitors.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: strimzi
5 |
--------------------------------------------------------------------------------
/apps/base/strimzi/strimzi-pod-monitor.yaml:
--------------------------------------------------------------------------------
# Four PodMonitors for Strimzi metrics. None sets metadata.namespace; kustomization.yaml places them in "strimzi".
# NOTE(review): no namespaceSelector is given, so each monitor only selects pods in its own namespace —
# Kafka clusters created elsewhere (the operator has watchAnyNamespace: true) would not be scraped by these.
1 | apiVersion: monitoring.coreos.com/v1
2 | kind: PodMonitor
3 | metadata:
4 | name: cluster-operator-metrics  # the operator itself
5 | labels:
6 | app: strimzi
7 | spec:
8 | selector:
9 | matchLabels:
10 | strimzi.io/kind: cluster-operator
11 | podMetricsEndpoints:
12 | - path: /metrics
13 | port: http
14 | ---
15 | apiVersion: monitoring.coreos.com/v1
16 | kind: PodMonitor
17 | metadata:
18 | name: entity-operator-metrics  # topic/user operator pod
19 | labels:
20 | app: strimzi
21 | spec:
22 | selector:
23 | matchLabels:
24 | app.kubernetes.io/name: entity-operator
25 | podMetricsEndpoints:
26 | - path: /metrics
27 | port: healthcheck
28 | ---
29 | apiVersion: monitoring.coreos.com/v1
30 | kind: PodMonitor
31 | metadata:
32 | name: bridge-metrics  # KafkaBridge pods
33 | labels:
34 | app: strimzi
35 | spec:
36 | selector:
37 | matchLabels:
38 | strimzi.io/kind: KafkaBridge
39 | podMetricsEndpoints:
40 | - path: /metrics
41 | port: rest-api
42 | ---
43 | apiVersion: monitoring.coreos.com/v1
44 | kind: PodMonitor
45 | metadata:
46 | name: kafka-resources-metrics  # brokers, Connect and MirrorMaker2 pods
47 | labels:
48 | app: strimzi
49 | spec:
50 | selector:
51 | matchExpressions:
52 | - key: "strimzi.io/kind"
53 | operator: In
54 | values: ["Kafka", "KafkaConnect", "KafkaMirrorMaker2"]
55 | podMetricsEndpoints:
56 | - path: /metrics
57 | port: tcp-prometheus
58 | relabelings:
# Copy every strimzi.io/* pod label onto the series (as strimzi_io_*), then expose namespace, pod, node name and node IP as stable labels.
59 | - separator: ;
60 | regex: __meta_kubernetes_pod_label_(strimzi_io_.+)
61 | replacement: $1
62 | action: labelmap
63 | - sourceLabels: [__meta_kubernetes_namespace]
64 | separator: ;
65 | regex: (.*)
66 | targetLabel: namespace
67 | replacement: $1
68 | action: replace
69 | - sourceLabels: [__meta_kubernetes_pod_name]
70 | separator: ;
71 | regex: (.*)
72 | targetLabel: kubernetes_pod_name
73 | replacement: $1
74 | action: replace
75 | - sourceLabels: [__meta_kubernetes_pod_node_name]
76 | separator: ;
77 | regex: (.*)
78 | targetLabel: node_name
79 | replacement: $1
80 | action: replace
81 | - sourceLabels: [__meta_kubernetes_pod_host_ip]
82 | separator: ;
83 | regex: (.*)
84 | targetLabel: node_ip
85 | replacement: $1
86 | action: replace
87 |
--------------------------------------------------------------------------------
/apps/base/valkey-operator/README.md:
--------------------------------------------------------------------------------
1 | # Valkey Operator
2 |
3 | The **Valkey Operator** is a Kubernetes operator designed to provision Valkey (Redis) clusters.
4 |
5 |
6 | For detailed usage examples, refer to the [documentation](https://github.com/hyperspike/valkey-operator).
7 |
--------------------------------------------------------------------------------
/apps/base/valkey-operator/kustomization.yaml:
--------------------------------------------------------------------------------
# Installs the upstream valkey-operator manifest straight from its GitHub release.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
# NOTE(review): pinned to a release tag, but tags are mutable and no checksum is recorded; vendoring the
# manifest into this repo (or pinning to a commit SHA) would make what gets applied reviewable in git.
4 | - https://github.com/hyperspike/valkey-operator/releases/download/v0.0.59/install.yaml
5 | namespace: valkey-operator-system  # overrides the namespace on everything in install.yaml
6 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/README.md:
--------------------------------------------------------------------------------
1 | # Victoria Logs Single - Base Installation
2 |
3 | VictoriaLogs is an open-source, user-friendly log database from VictoriaMetrics.
4 |
5 | * [Documentation](https://docs.victoriametrics.com/victorialogs/)
6 | * [Helm Chart Information](https://github.com/VictoriaMetrics/helm-charts/tree/master/charts/victoria-logs-single)
7 | * [Datasource Information](https://docs.victoriametrics.com/victorialogs/victorialogs-datasource/)
8 | * Grafana configuration is managed as part of the [Victoria Metrics K8s Stack](https://github.com/brainfair/awesome-flux-infra/tree/main/apps/base/victoria-metrics-k8s-stack)
9 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/datasource.yaml:
--------------------------------------------------------------------------------
# Grafana datasource provisioning file for VictoriaLogs, delivered as a labelled ConfigMap.
# The datasource points at the in-cluster service over plain HTTP on port 9428 and is locked (editable: false).
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: vls-datasource
5 | namespace: victoria-logs  # found by the Grafana sidecar because the k8s-stack release sets sidecar.datasources.searchNamespace: ALL
6 | labels:
7 | grafana_datasource: "1"  # sidecar selector label
8 | data:
9 | vls-datasource.yaml: |-
10 | apiVersion: 1
11 | datasources:
12 | - name: VictoriaLogs
13 | type: victoriametrics-logs-datasource
14 | access: proxy
15 | url: http://vls-victoria-logs-single-server.victoria-logs:9428
16 | isDefault: false
17 | editable: false
18 | orgId: 1
19 | uid: vls
20 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for single-node VictoriaLogs with persistence, self-scraping, the bundled vector log shipper and dashboards.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: vls
5 | namespace: victoria-logs
6 | spec:
7 | releaseName: vls  # Service name becomes vls-victoria-logs-single-server (see datasource.yaml / virtual-service.yaml)
8 | chart:
9 | spec:
10 | chart: victoria-logs-single
11 | sourceRef:
12 | kind: HelmRepository
13 | name: vm  # declared in helm-repo.yaml (this namespace's copy, distinct from the one in monitoring)
14 | namespace: victoria-logs
15 | interval: 15m
16 | timeout: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Defaults: https://github.com/VictoriaMetrics/helm-charts/blob/master/charts/victoria-logs-single/values.yaml
24 | values:
25 | server:
26 | persistentVolume:
27 | enabled: true
28 | size: 10Gi  # no retention setting visible here; confirm the chart default fits 10Gi
29 | vmServiceScrape:
30 | enabled: true  # scraped by the VM operator in the monitoring namespace
31 | vector:
32 | enabled: true  # chart-managed vector agent ships node/container logs into this instance
33 | dashboards:
34 | enabled: true
35 | labels:
36 | grafana_dashboard: "1"  # picked up by the Grafana dashboard sidecar
37 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/helm-repo.yaml:
--------------------------------------------------------------------------------
# VictoriaMetrics chart index for this namespace; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: vm
5 | namespace: victoria-logs
6 | spec:
7 | interval: 120m
8 | url: https://victoriametrics.github.io/helm-charts/
9 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize entry point for VictoriaLogs: namespace, chart source, release, Istio route and the Grafana datasource ConfigMap.
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 | - virtual-service.yaml  # publishes the VictoriaLogs HTTP API on the shared wildcard gateway
8 | - datasource.yaml
9 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the VictoriaLogs release.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: victoria-logs
5 |
--------------------------------------------------------------------------------
/apps/base/victoria-logs/virtual-service.yaml:
--------------------------------------------------------------------------------
# Istio route: vls.<cluster_subdomain> -> VictoriaLogs server (port 9428) via the shared wildcard gateway.
# NOTE(review): 9428 is the full HTTP API (query and ingestion) and this manifest adds no authentication;
# confirm an AuthorizationPolicy or an auth proxy sits on the gateway path before relying on it.
1 | ---
2 | apiVersion: networking.istio.io/v1beta1
3 | kind: VirtualService
4 | metadata:
5 | name: vls-virtualservice
6 | namespace: victoria-logs
7 | spec:
8 | gateways:
9 | - istio-ingress/wildcard-gateway
10 | hosts:
11 | - vls.${cluster_subdomain}  # substituted by Flux
12 | http:
13 | - route:
14 | - destination:
15 | host: vls-victoria-logs-single-server.victoria-logs.svc.cluster.local  # same Service the Grafana datasource uses
16 | port:
17 | number: 9428
18 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/gateway-grafana.yaml:
--------------------------------------------------------------------------------
# Dedicated Istio Gateway for Grafana on the private ingress: HTTP redirects to HTTPS, HTTPS terminates TLS here.
1 | apiVersion: networking.istio.io/v1beta1
2 | kind: Gateway
3 | metadata:
4 | name: grafana-gateway
5 | namespace: monitoring
6 | spec:
7 | selector:
8 | istio: ingress-private  # bound to the private ingress deployment, not the public one
9 | servers:
10 | - hosts:
11 | - grafana.${cluster_subdomain}
12 | port:
13 | name: http
14 | number: 80
15 | protocol: HTTP
16 | tls:
17 | httpsRedirect: true  # port 80 only answers with a 301 to https
18 | - hosts:
19 | - grafana.${cluster_subdomain}
20 | port:
21 | name: https
22 | number: 443
23 | protocol: HTTPS
24 | tls:
25 | credentialName: localhost-direct  # TLS Secret; Istio resolves it in the ingress gateway's namespace, not "monitoring" — the name suggests a local/dev cert, confirm what the overlay provides
26 | mode: SIMPLE  # server-side TLS only; clients are not asked for certificates
27 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/gateway-vm.yaml:
--------------------------------------------------------------------------------
# Istio Gateway on the private ingress for the VictoriaMetrics component UIs (vmagent, vmalert, alertmanager, vmsingle).
# Same shape as gateway-grafana.yaml: HTTP -> HTTPS redirect, TLS terminated at the gateway.
1 | apiVersion: networking.istio.io/v1beta1
2 | kind: Gateway
3 | metadata:
4 | name: vm-gateway
5 | namespace: monitoring
6 | spec:
7 | selector:
8 | istio: ingress-private
9 | servers:
10 | - hosts:
11 | - vmagent.${cluster_subdomain}
12 | - vmalert.${cluster_subdomain}
13 | - vmalertmanager.${cluster_subdomain}
14 | - vmsingle.${cluster_subdomain}
15 | port:
16 | name: http
17 | number: 80
18 | protocol: HTTP
19 | tls:
20 | httpsRedirect: true
21 | - hosts:
# NOTE(review): these hosts expose component APIs that carry no authentication of their own (vmsingle can
# be queried and written to); this Gateway only provides TLS, so access control must come from the private ingress path.
22 | - vmagent.${cluster_subdomain}
23 | - vmalert.${cluster_subdomain}
24 | - vmalertmanager.${cluster_subdomain}
25 | - vmsingle.${cluster_subdomain}
26 | port:
27 | name: https
28 | number: 443
29 | protocol: HTTPS
30 | tls:
31 | credentialName: localhost-direct  # same TLS Secret as the Grafana gateway
32 | mode: SIMPLE
33 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/helm-release.yaml:
--------------------------------------------------------------------------------
# Flux HelmRelease for the VictoriaMetrics k8s stack: operator, vmsingle, vmagent, vmalert, alertmanager,
# Grafana, kube-state-metrics and node-exporter. CRDs are not managed by this release.
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: victoria-metrics-k8s-stack
5 | namespace: monitoring
6 | spec:
7 | interval: 15m
8 | timeout: 15m
9 | chart:
10 | spec:
11 | chart: victoria-metrics-k8s-stack
12 | sourceRef:
13 | kind: HelmRepository
14 | name: vm  # declared in helm-repo.yaml (monitoring namespace)
15 | interval: 5m
16 | releaseName: victoria-metrics-k8s-stack
17 | install:
18 | crds: Skip  # see the crds comment under values
19 | remediation:
20 | retries: 3
21 | upgrade:
22 | crds: Skip
23 | remediation:
24 | retries: 3
25 | # additional values file with KSM values
26 | valuesFrom:
27 | - kind: ConfigMap
28 | name: kube-state-metrics-config  # built from kube-state-metrics-config.yaml in this directory; merged under the values below
29 | valuesKey: kube-state-metrics-config.yaml
30 | # Default values: https://github.com/VictoriaMetrics/helm-charts/blob/master/charts/victoria-metrics-k8s-stack/values.yaml
31 | values:
32 | ## disable vm operator crds, managed separately by gitops-crds repo
33 | crds:
34 | enabled: false
35 | victoria-metrics-operator:
36 | admissionWebhooks:
37 | enable: false  # no validating webhook for VM CRs: malformed VMRule/VMAlertmanagerConfig objects are only rejected at reconcile time, not at apply time
38 | crd:
39 | create: false
40 | cleanup:
41 | enabled: true
42 | operator:
43 | disable_prometheus_converter: false  # keep converting ServiceMonitor/PodMonitor/PrometheusRule (e.g. ../strimzi) into VM equivalents
44 | enable_converter_ownership: true  # converted objects are owned by (and deleted with) their Prometheus-operator originals
45 | # resources:
46 | # limits:
47 | # memory: 100Mi
48 | # requests:
49 | # cpu: 14m
50 | # memory: 100Mi
51 | kube-state-metrics:
52 | prometheusScrape: false  # no prometheus.io/* annotations; scraped via the vmServiceScrape below instead
53 | selfMonitor:
54 | enabled: true
55 | # resources:
56 | # limits:
57 | # memory: 500Mi
58 | # requests:
59 | # cpu: 10m
60 | # memory: 350Mi
61 | # affinity:
62 | # podAffinity:
63 | # requiredDuringSchedulingIgnoredDuringExecution:
64 | # - labelSelector:
65 | # matchExpressions:
66 | # - key: app.kubernetes.io/name
67 | # operator: In
68 | # values:
69 | # - vmsingle
70 | # topologyKey: failure-domain.beta.kubernetes.io/zone
71 | vmServiceScrape:
72 | spec:
73 | endpoints:
74 | - port: http
75 | honorLabels: true  # keep KSM's own labels over scrape-target labels on conflict
76 | metricRelabelConfigs:
77 | - action: labeldrop
78 | regex: (uid|container_id|image_id)  # high-cardinality, per-instance identifiers dropped to keep series count down
79 | - port: metrics
80 | honorLabels: true
81 | metricRelabelConfigs:
82 | - action: labeldrop
83 | regex: (uid|container_id|image_id)
84 | jobLabel: app.kubernetes.io/name
85 | grafana:
86 | assertNoLeakedSecrets: false  # disables the chart's guard that refuses to render credentials inside grafana.ini; nothing secret is placed in grafana.ini below, so keep it that way or re-enable
87 | # resources:
88 | # limits:
89 | # memory: 200Mi
90 | # requests:
91 | # cpu: 19m
92 | # memory: 200Mi
93 | sidecar:
94 | datasources:
95 | searchNamespace: ALL  # any namespace may inject a datasource via a grafana_datasource: "1" ConfigMap (e.g. ../victoria-logs/datasource.yaml)
96 | dashboards:
97 | searchNamespace: ALL  # same for grafana_dashboard: "1" ConfigMaps
98 | # resources:
99 | # limits:
100 | # memory: 150Mi
101 | # requests:
102 | # cpu: 10m
103 | # memory: 150Mi
104 | plugins:
# NOTE(review): the first plugin is downloaded from a "-latest" URL with no version or checksum, so the
# code Grafana loads can change at every pod start; pin to a released version (the catalog form used for
# the second entry supports "name <version>") and review upgrades in git.
105 | - https://storage.googleapis.com/integration-artifacts/grafana-lokiexplore-app/grafana-lokiexplore-app-latest.zip;grafana-lokiexplore-app
106 | - victoriametrics-logs-datasource
107 | grafana.ini:
108 | server:
109 | root_url: https://grafana.${cluster_subdomain}
110 | users:
111 | auto_assign_org_role: "Editor"  # every newly logged-in user can edit dashboards and datasources
112 | auth.anonymous:
113 | enabled: true  # unauthenticated visitors get read access to every dashboard and datasource, including VictoriaLogs log content; acceptable only because the gateway is the private ingress
114 | org_name: "Main Org."
115 | org_role: "Viewer"
116 | hide_version: true  # do not reveal the Grafana version to anonymous users
117 | ingress:
118 | hosts:
119 | - grafana.${cluster_subdomain}
120 | # dashboards:
121 | # default:
122 | # istio-mesh-dashboard:
123 | # gnetId: 7639
124 | # revision: 194
125 | # datasource: VictoriaMetrics
126 | # istio-service-dashboard:
127 | # gnetId: 7636
128 | # revision: 194
129 | # datasource: VictoriaMetrics
130 | # istio-workload-dashboard:
131 | # gnetId: 7630
132 | # revision: 194
133 | # datasource: VictoriaMetrics
134 | # istio-performance-dashboard:
135 | # gnetId: 11829
136 | # revision: 194
137 | # datasource: VictoriaMetrics
138 | # istio-control-plane-dashboard:
139 | # gnetId: 7645
140 | # revision: 194
141 | # datasource: VictoriaMetrics
142 | # istio-wasm-dashboard:
143 | # gnetId: 13277
144 | # revision: 151
145 | # datasource: VictoriaMetrics
146 | prometheus-node-exporter:
147 | enabled: true
148 | kubeProxy:
149 | enabled: true
150 | vmScrape:
151 | spec:
152 | jobLabel: jobLabel
153 | namespaceSelector:
154 | matchNames: [kube-system]
155 | endpoints:
# NOTE(review): this sends vmagent's ServiceAccount token as a bearer header over plain HTTP; kube-proxy's
# metrics port does not normally require a token, so the bearerTokenFile line looks unnecessary — drop it
# unless the scrape fails without it, so the token is not put on the wire in clear.
156 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
157 | port: http-metrics
158 | scheme: http
159 | kubeScheduler:
160 | enabled: false  # control-plane components not reachable on managed clusters; scrape targets disabled
161 | kubeEtcd:
162 | enabled: false
163 | kubeControllerManager:
164 | enabled: false
165 | defaultRules:
166 | rules:
167 | TooManyScrapeErrors:
168 | create: false
169 | TooHighChurnRate24h:
170 | create: false
171 | KubeHpaMaxedOut:
172 | create: false
173 | KubeMemoryOvercommit:
174 | create: false
175 | groups:
176 | etcd:
177 | create: false  # matches kubeEtcd.enabled: false above
178 | vmcluster:
179 | create: false  # single-node deployment, no vmcluster rules
180 | vmsingle:
181 | spec:
182 | retentionPeriod: "7d"
183 | extraArgs:
184 | maxLabelsPerTimeseries: "40"
185 | search.maxUniqueTimeseries: "500000"  # upper bound on series a single query may touch
186 | # resources:
187 | # limits:
188 | # memory: "300Mi"
189 | # requests:
190 | # cpu: 300m
191 | # memory: "300Mi"
192 | # storage:
193 | # resources:
194 | # requests:
195 | # storage: 10Gi
196 | vmagent:
197 | spec:
198 | # affinity:
199 | # podAffinity:
200 | # requiredDuringSchedulingIgnoredDuringExecution:
201 | # - labelSelector:
202 | # matchExpressions:
203 | # - key: app.kubernetes.io/name
204 | # operator: In
205 | # values:
206 | # - vmsingle
207 | # topologyKey: failure-domain.beta.kubernetes.io/zone
208 | externalLabels:
209 | cluster: ${cluster_name}  # substituted by Flux; distinguishes clusters if metrics are ever federated
210 | extraArgs:
211 | promscrape.maxScrapeSize: "33554432"  # 32 MiB per scrape response
212 | # resources:
213 | # limits:
214 | # memory: "500Mi"
215 | # requests:
216 | # cpu: 87m
217 | # memory: "500Mi"
218 | ## istio hack for scraping pods from within the istio mesh with strict mtls
# How it works: the sidecar writes vmagent's own workload certificate to /etc/istio-certs (OUTPUT_CERTS), outbound
# traffic is left un-intercepted (empty includeOutboundIPRanges), and vmagent presents that cert itself when
# scraping mTLS-only pods. Consequence: the vmagent container has direct access to the mesh identity key material.
219 | podMetadata:
220 | annotations:
221 | proxy.istio.io/config: |-
222 | proxyMetadata:
223 | OUTPUT_CERTS: /etc/istio-certs/
224 | sidecar.istio.io/inject: "true"
225 | sidecar.istio.io/rewriteAppHTTPProbers: "true"
226 | sidecar.istio.io/userVolume: '[{"name": "istio-certs", "emptyDir": {"medium": "Memory"}}]'  # tmpfs, never hits disk
227 | sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-certs/"}]'
228 | traffic.sidecar.istio.io/includeOutboundIPRanges: ""  # sidecar captures no outbound traffic, so scrapes bypass the proxy
229 | volumeMounts:
230 | - mountPath: /etc/istio-certs/
231 | name: istio-certs
232 | readOnly: true  # the app side only reads the certs the proxy wrote
233 | volumes:
234 | - emptyDir:
235 | medium: Memory
236 | name: istio-certs
237 | vmalert:
238 | spec:
239 | # affinity:
240 | # podAffinity:
241 | # requiredDuringSchedulingIgnoredDuringExecution:
242 | # - labelSelector:
243 | # matchExpressions:
244 | # - key: app.kubernetes.io/name
245 | # operator: In
246 | # values:
247 | # - vmsingle
248 | # topologyKey: failure-domain.beta.kubernetes.io/zone
249 | extraArgs:
250 | external.url: "https://grafana.${cluster_subdomain}"  # link base used in alert annotations
251 | # resources:
252 | # limits:
253 | # memory: "250Mi"
254 | # requests:
255 | # cpu: 35m
256 | # memory: "250Mi"
257 | alertmanager:
258 | spec:
259 | disableNamespaceMatcher: true  # VMAlertmanagerConfig routes are not restricted to alerts from their own namespace; any namespace's config can match cluster-wide alerts
260 | externalURL: "https://vmalertmanager.${cluster_subdomain}"
261 | # resources:
262 | # limits:
263 | # memory: "200Mi"
264 | # requests:
265 | # cpu: 10m
266 | # memory: "200Mi"
267 | config:
268 | global:
269 | resolve_timeout: 5m
270 | route:
271 | group_by: ["alertgroup", "job"]
272 | group_wait: 30s
273 | group_interval: 6m
274 | repeat_interval: 12h
275 | receiver: "null"  # NOTE(review): the only receiver defined is "null", so nothing here delivers alerts anywhere; overlays must add a real receiver for alerting to be effective
276 | routes:
277 | - receiver: "null"
278 | matchers:
279 | - alertname = "Watchdog"  # heartbeat alert, intentionally dropped
280 | - receiver: "null"
281 | matchers:
282 | - alertname = "InfoInhibitor"  # synthetic alert used only by the inhibit rule below
283 | inhibit_rules:
284 | - target_matchers:
285 | - severity=~"warning|info"
286 | source_matchers:
287 | - severity=critical  # a critical alert silences warning/info alerts with the same cluster/namespace/alertname
288 | equal:
289 | - cluster
290 | - namespace
291 | - alertname
292 | - target_matchers:
293 | - severity=info
294 | source_matchers:
295 | - severity=warning  # likewise warning silences info
296 | equal:
297 | - cluster
298 | - namespace
299 | - alertname
300 | - target_matchers:
301 | - severity=info
302 | source_matchers:
303 | - alertname=InfoInhibitor  # info alerts are muted while the namespace's InfoInhibitor alert is firing
304 | equal:
305 | - cluster
306 | - namespace
307 | receivers:
308 | - name: "null"
309 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/helm-repo.yaml:
--------------------------------------------------------------------------------
# VictoriaMetrics chart index for the monitoring namespace; fetched over HTTPS and re-indexed every 2h.
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: vm
5 | namespace: monitoring
6 | spec:
7 | interval: 120m
8 | url: https://victoriametrics.github.io/helm-charts/
9 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/kube-state-metrics-config.yaml:
--------------------------------------------------------------------------------
1 | kube-state-metrics:
2 | rbac:
3 | extraRules:
4 | - apiGroups:
5 | - source.toolkit.fluxcd.io
6 | - kustomize.toolkit.fluxcd.io
7 | - helm.toolkit.fluxcd.io
8 | - notification.toolkit.fluxcd.io
9 | - image.toolkit.fluxcd.io
10 | resources:
11 | - gitrepositories
12 | - buckets
13 | - helmrepositories
14 | - helmcharts
15 | - ocirepositories
16 | - kustomizations
17 | - helmreleases
18 | - alerts
19 | - providers
20 | - receivers
21 | - imagerepositories
22 | - imagepolicies
23 | - imageupdateautomations
24 | verbs: ["list", "watch"]
25 | customResourceState:
26 | enabled: true
27 | config:
28 | spec:
29 | resources:
30 | - groupVersionKind:
31 | group: kustomize.toolkit.fluxcd.io
32 | version: v1
33 | kind: Kustomization
34 | metricNamePrefix: gotk
35 | metrics:
36 | - name: "resource_info"
37 | help: "The current state of a GitOps Toolkit resource."
38 | each:
39 | type: Info
40 | info:
41 | labelsFromPath:
42 | name: [metadata, name]
43 | labelsFromPath:
44 | exported_namespace: [metadata, namespace]
45 | ready: [status, conditions, "[type=Ready]", status]
46 | suspended: [spec, suspend]
47 | revision: [status, lastAppliedRevision]
48 | source_name: [spec, sourceRef, name]
49 | - groupVersionKind:
50 | group: helm.toolkit.fluxcd.io
51 | version: v2beta2
52 | kind: HelmRelease
53 | metricNamePrefix: gotk
54 | metrics:
55 | - name: "resource_info"
56 | help: "The current state of a GitOps Toolkit resource."
57 | each:
58 | type: Info
59 | info:
60 | labelsFromPath:
61 | name: [metadata, name]
62 | labelsFromPath:
63 | exported_namespace: [metadata, namespace]
64 | ready: [status, conditions, "[type=Ready]", status]
65 | suspended: [spec, suspend]
66 | revision: [status, lastAppliedRevision]
67 | chart_name: [spec, chart, spec, chart]
68 | chart_source_name: [spec, chart, spec, sourceRef, name]
69 | - groupVersionKind:
70 | group: source.toolkit.fluxcd.io
71 | version: v1
72 | kind: GitRepository
73 | metricNamePrefix: gotk
74 | metrics:
75 | - name: "resource_info"
76 | help: "The current state of a GitOps Toolkit resource."
77 | each:
78 | type: Info
79 | info:
80 | labelsFromPath:
81 | name: [metadata, name]
82 | labelsFromPath:
83 | exported_namespace: [metadata, namespace]
84 | ready: [status, conditions, "[type=Ready]", status]
85 | suspended: [spec, suspend]
86 | revision: [status, artifact, revision]
87 | url: [spec, url]
88 | - groupVersionKind:
89 | group: source.toolkit.fluxcd.io
90 | version: v1beta2
91 | kind: Bucket
92 | metricNamePrefix: gotk
93 | metrics:
94 | - name: "resource_info"
95 | help: "The current state of a GitOps Toolkit resource."
96 | each:
97 | type: Info
98 | info:
99 | labelsFromPath:
100 | name: [metadata, name]
101 | labelsFromPath:
102 | exported_namespace: [metadata, namespace]
103 | ready: [status, conditions, "[type=Ready]", status]
104 | suspended: [spec, suspend]
105 | revision: [status, artifact, revision]
106 | endpoint: [spec, endpoint]
107 | bucket_name: [spec, bucketName]
108 | - groupVersionKind:
109 | group: source.toolkit.fluxcd.io
110 | version: v1beta2
111 | kind: HelmRepository
112 | metricNamePrefix: gotk
113 | metrics:
114 | - name: "resource_info"
115 | help: "The current state of a GitOps Toolkit resource."
116 | each:
117 | type: Info
118 | info:
119 | labelsFromPath:
120 | name: [metadata, name]
121 | labelsFromPath:
122 | exported_namespace: [metadata, namespace]
123 | ready: [status, conditions, "[type=Ready]", status]
124 | suspended: [spec, suspend]
125 | revision: [status, artifact, revision]
126 | url: [spec, url]
127 | - groupVersionKind:
128 | group: source.toolkit.fluxcd.io
129 | version: v1beta2
130 | kind: HelmChart
131 | metricNamePrefix: gotk
132 | metrics:
133 | - name: "resource_info"
134 | help: "The current state of a GitOps Toolkit resource."
135 | each:
136 | type: Info
137 | info:
138 | labelsFromPath:
139 | name: [metadata, name]
140 | labelsFromPath:
141 | exported_namespace: [metadata, namespace]
142 | ready: [status, conditions, "[type=Ready]", status]
143 | suspended: [spec, suspend]
144 | revision: [status, artifact, revision]
145 | chart_name: [spec, chart]
146 | chart_version: [spec, version]
147 | - groupVersionKind:
148 | group: source.toolkit.fluxcd.io
149 | version: v1beta2
150 | kind: OCIRepository
151 | metricNamePrefix: gotk
152 | metrics:
153 | - name: "resource_info"
154 | help: "The current state of a GitOps Toolkit resource."
155 | each:
156 | type: Info
157 | info:
158 | labelsFromPath:
159 | name: [metadata, name]
160 | labelsFromPath:
161 | exported_namespace: [metadata, namespace]
162 | ready: [status, conditions, "[type=Ready]", status]
163 | suspended: [spec, suspend]
164 | revision: [status, artifact, revision]
165 | url: [spec, url]
166 | - groupVersionKind:
167 | group: notification.toolkit.fluxcd.io
168 | version: v1beta3
169 | kind: Alert
170 | metricNamePrefix: gotk
171 | metrics:
172 | - name: "resource_info"
173 | help: "The current state of a GitOps Toolkit resource."
174 | each:
175 | type: Info
176 | info:
177 | labelsFromPath:
178 | name: [metadata, name]
179 | labelsFromPath:
180 | exported_namespace: [metadata, namespace]
181 | suspended: [spec, suspend]
182 | - groupVersionKind:
183 | group: notification.toolkit.fluxcd.io
184 | version: v1beta3
185 | kind: Provider
186 | metricNamePrefix: gotk
187 | metrics:
188 | - name: "resource_info"
189 | help: "The current state of a GitOps Toolkit resource."
190 | each:
191 | type: Info
192 | info:
193 | labelsFromPath:
194 | name: [metadata, name]
195 | labelsFromPath:
196 | exported_namespace: [metadata, namespace]
197 | suspended: [spec, suspend]
    # Flux notification Receiver: inbound webhooks that trigger reconciliation.
    # NOTE(review): `webhook_path` copies status.webhookPath into a metric label.
    # For Flux receivers that path is derived from the receiver's token and is
    # what keeps outsiders from hitting the endpoint (confirm for the receiver
    # types in use). Publishing it as a label makes it readable to anyone who can
    # scrape kube-state-metrics or query the metrics store / Grafana. Consider
    # dropping this label, or relabelling it away at scrape time, unless a
    # dashboard actually needs it.
    - groupVersionKind:
        group: notification.toolkit.fluxcd.io
        version: v1
        kind: Receiver
      metricNamePrefix: gotk
      metrics:
        - name: "resource_info"
          help: "The current state of a GitOps Toolkit resource."
          each:
            type: Info
            info:
              labelsFromPath:
                name: [metadata, name]
          labelsFromPath:
            exported_namespace: [metadata, namespace]
            ready: [status, conditions, "[type=Ready]", status]
            suspended: [spec, suspend]
            webhook_path: [status, webhookPath]
216 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomization for the VictoriaMetrics k8s stack (VM operator, Grafana, KSM).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  ## Base
  - namespace.yaml
  - helm-repo.yaml
  - helm-release.yaml
  ## Extra rules (currently disabled; vm-rule.yaml is not applied)
  #- vm-rule.yaml
  ## Istio Objects
  #- gateway-vm.yaml
  #- gateway-grafana.yaml
  - virtual-service-vm.yaml
  - virtual-service-grafana.yaml
  ## Mixin Dashboards
  ## synced from https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/grafana-dashboardDefinitions.yaml
  ## grafana_dashboard: "1" labels added to the useful dashboards
  - grafana-dashboardDefinitions.yaml
# generate configmap with additional KSM values
configMapGenerator:
  - name: kube-state-metrics-config
    namespace: monitoring
    files:
      - kube-state-metrics-config.yaml
    options:
      labels:
        app.kubernetes.io/part-of: flux
        app.kubernetes.io/component: monitoring
        # Opt this ConfigMap out of Flux post-build variable substitution so the
        # KSM config is delivered verbatim. The generated (hash-suffixed) name is
        # propagated into the HelmRelease's valuesFrom by kustomizeconfig.yaml.
        kustomize.toolkit.fluxcd.io/substitute: disabled
configurations:
  - kustomizeconfig.yaml
32 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
1 | nameReference:
2 | - kind: ConfigMap
3 | version: v1
4 | fieldSpecs:
5 | - path: spec/valuesFrom/name
6 | kind: HelmRelease
7 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: monitoring
5 | labels:
6 | istio-injection: enabled
7 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/virtual-service-grafana.yaml:
--------------------------------------------------------------------------------
---
# Istio route exposing Grafana through the shared ingress gateway; the hostname
# is filled in by Flux post-build substitution.
# NOTE(review): Grafana enforces its own login, so unlike the raw VictoriaMetrics
# endpoints this route is not anonymous by default — but confirm the chart
# values neither enable anonymous access nor leave a default admin password.
# The hop to the Grafana Service is plain HTTP on port 80; with
# `istio-injection: enabled` on the monitoring namespace it is presumably
# wrapped in mesh mTLS — verify the PeerAuthentication mode.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: grafana-virtualservice
  namespace: monitoring
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - grafana.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: victoria-metrics-k8s-stack-grafana.monitoring.svc.cluster.local
            port:
              number: 80
18 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/virtual-service-vm.yaml:
--------------------------------------------------------------------------------
---
# Istio routes exposing the VictoriaMetrics components through the shared
# ingress gateway (hostnames are filled in by Flux post-build substitution).
#
# SECURITY (review): vmagent, vmalert, vmalertmanager and vmsingle have no
# built-in authentication by default, and none of these routes adds any.
# Anyone who can reach `istio-ingress/wildcard-gateway` can therefore read all
# metrics and alerts, silence alerts in Alertmanager and — depending on the
# component flags — write or delete series on vmsingle / vmagent over the HTTP
# API. The bundles deploy a gateway release named `istio-ingress-private`, so
# this is presumably an internal-only entry point; confirm that, and otherwise
# front these hosts with an Istio RequestAuthentication / AuthorizationPolicy
# or an authenticating proxy.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vmagent-virtualservice
  namespace: monitoring
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - vmagent.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: vmagent-victoria-metrics-k8s-stack.monitoring.svc.cluster.local
            port:
              number: 8429
---
# vmalert UI/API (rule evaluation state). Read access reveals alert definitions.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vmalert-virtualservice
  namespace: monitoring
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - vmalert.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: vmalert-victoria-metrics-k8s-stack.monitoring.svc.cluster.local
            port:
              number: 8080
---
# Alertmanager: unauthenticated access allows creating silences.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vmalertmanager-virtualservice
  namespace: monitoring
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - vmalertmanager.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: vmalertmanager-victoria-metrics-k8s-stack.monitoring.svc.cluster.local
            port:
              number: 9093
---
# vmsingle: the metrics store itself (query, import and admin endpoints).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vmsingle-virtualservice
  namespace: monitoring
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - vmsingle.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: vmsingle-victoria-metrics-k8s-stack.monitoring.svc.cluster.local
            port:
              number: 8429
69 |
--------------------------------------------------------------------------------
/apps/base/victoria-metrics-k8s-stack/vm-rule.yaml:
--------------------------------------------------------------------------------
# Extra VictoriaMetrics health alert. Not currently applied: the `vm-rule.yaml`
# entry in kustomization.yaml is commented out.
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMRule
metadata:
  name: victoria-metrics-k8s-stack-vm-health-extra
  namespace: monitoring
spec:
  groups:
    - name: vm-health-extra
      rules:
        # Fires when the 10-minute minimum of anonymous RSS stays above 90% of
        # the memory the VM process reports as available, for a further 5m.
        - alert: TooHighMemoryUsage90
          annotations:
            description: Too high memory usage may result into multiple issues such as OOMs or degraded performance. Consider to either increase available memory or decrease the load on the process.
            summary: It is more than 90% of memory used by "{{ $labels.job }}"("{{ $labels.instance }}")
          expr: (min_over_time(process_resident_memory_anon_bytes[10m]) / vm_available_memory_bytes) > 0.9
          for: 5m
          labels:
            severity: critical
--------------------------------------------------------------------------------
/apps/base/x509-certificate-exporter/helm-release.yaml:
--------------------------------------------------------------------------------
# x509-certificate-exporter: Prometheus metrics on certificate expiry for the
# control-plane PKI, read from node files by a hostPath DaemonSet.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: x509-certificate-exporter
  namespace: x509-certificate-exporter
spec:
  releaseName: x509-certificate-exporter
  chart:
    spec:
      chart: x509-certificate-exporter
      # No `version` here on purpose: the bundle overlays pin it (docker-flex
      # and docker-stable patch in "3.18.1"). Deploying this base on its own
      # would float to the newest chart in the repository index.
      sourceRef:
        kind: HelmRepository
        name: enix
        namespace: x509-certificate-exporter
  interval: 15m
  timeout: 15m
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
  # Defaults: https://github.com/enix/x509-certificate-exporter/blob/main/deploy/charts/x509-certificate-exporter/values.yaml
  values:
    grafana:
      createDashboard: true
    # SECURITY (review): the DaemonSet below mounts control-plane PKI from the
    # host. kubeadm-style kubeconfigs (admin.conf etc.) normally embed the
    # client private key next to the certificate, so a pod that can read them
    # effectively holds cluster-admin credentials. Keep RBAC in this namespace
    # tight (no pods/exec, pods/ephemeralcontainers or DaemonSet edit rights for
    # anyone who is not already cluster-admin) and mount read-only where the
    # chart allows. The paths assume a kubeadm layout; on managed or
    # docker-based clusters some of these files will simply not exist.
    hostPathsExporter:
      daemonSets:
        nodes:
          watchFiles:
            - /var/lib/kubelet/pki/kubelet-client-current.pem
            - /etc/kubernetes/pki/apiserver.crt
            - /etc/kubernetes/pki/apiserver-etcd-client.crt
            - /etc/kubernetes/pki/apiserver-kubelet-client.crt
            - /etc/kubernetes/pki/ca.crt
            - /etc/kubernetes/pki/front-proxy-ca.crt
            - /etc/kubernetes/pki/front-proxy-client.crt
            - /etc/kubernetes/pki/etcd/ca.crt
            - /etc/kubernetes/pki/etcd/healthcheck-client.crt
            - /etc/kubernetes/pki/etcd/peer.crt
            - /etc/kubernetes/pki/etcd/server.crt
          watchKubeconfFiles:
            - /etc/kubernetes/admin.conf
            - /etc/kubernetes/controller-manager.conf
            - /etc/kubernetes/scheduler.conf
46 |
--------------------------------------------------------------------------------
/apps/base/x509-certificate-exporter/helm-repo.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: HelmRepository
3 | metadata:
4 | name: enix
5 | namespace: x509-certificate-exporter
6 | spec:
7 | interval: 120m
8 | url: https://charts.enix.io
9 |
--------------------------------------------------------------------------------
/apps/base/x509-certificate-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - helm-repo.yaml
6 | - helm-release.yaml
7 |
--------------------------------------------------------------------------------
/apps/base/x509-certificate-exporter/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: x509-certificate-exporter
5 |
--------------------------------------------------------------------------------
/apps/bundles/docker-flex/docker-flex.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2
3 | kind: HelmRelease
4 | metadata:
5 | name: victoria-metrics-k8s-stack
6 | namespace: monitoring
7 | spec:
8 | chart:
9 | spec:
10 | version: "0.50.0"
11 | chart: victoria-metrics-k8s-stack
12 | sourceRef:
13 | kind: HelmRepository
14 | name: vm
15 | values:
16 | prometheus-node-exporter:
17 | hostRootFsMount:
18 | enabled: false
19 | ---
20 | apiVersion: helm.toolkit.fluxcd.io/v2
21 | kind: HelmRelease
22 | metadata:
23 | name: kubelinks
24 | namespace: kubelinks
25 | spec:
26 | chart:
27 | spec:
28 | version: "0.4.10"
29 | chart: kubelinks
30 | sourceRef:
31 | kind: HelmRepository
32 | name: kkirara
33 | namespace: kubelinks
34 | ---
35 | apiVersion: helm.toolkit.fluxcd.io/v2
36 | kind: HelmRelease
37 | metadata:
38 | name: k8s-event-logger
39 | namespace: k8s-event-logger
40 | spec:
41 | chart:
42 | spec:
43 | version: "1.1.8"
44 | chart: k8s-event-logger
45 | sourceRef:
46 | kind: HelmRepository
47 | name: deliveryhero
48 | namespace: flux-system
49 | ---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
  namespace: metrics-server
spec:
  chart:
    spec:
      version: "3.12.2"
      chart: metrics-server
      sourceRef:
        kind: HelmRepository
        name: metrics-server
        namespace: metrics-server
  values:
    args:
      # SECURITY (review): disables verification of each kubelet's serving
      # certificate, so metrics-server trusts whatever answers on the kubelet
      # port; an on-path attacker on the node network could feed fabricated
      # resource metrics and steer HPA scaling. Typically required on kind /
      # Docker Desktop style clusters whose kubelet certs lack IP SANs (which
      # this "docker-*" bundle suggests). Drop it wherever kubelet
      # serving-certificate rotation is enabled, or point metrics-server at the
      # kubelet CA with --kubelet-certificate-authority instead.
      - --kubelet-insecure-tls
67 | ---
68 | apiVersion: helm.toolkit.fluxcd.io/v2
69 | kind: HelmRelease
70 | metadata:
71 | name: blackbox-exporter
72 | namespace: blackbox-exporter
73 | spec:
74 | chart:
75 | spec:
76 | version: "9.4.0"
77 | chart: prometheus-blackbox-exporter
78 | sourceRef:
79 | kind: HelmRepository
80 | name: prometheus-community
81 | namespace: flux-system
82 | ---
83 | apiVersion: helm.toolkit.fluxcd.io/v2
84 | kind: HelmRelease
85 | metadata:
86 | name: keda
87 | namespace: keda
88 | spec:
89 | chart:
90 | spec:
91 | version: "2.17.1"
92 | chart: keda
93 | sourceRef:
94 | kind: HelmRepository
95 | name: kedacore
96 | ---
97 | apiVersion: helm.toolkit.fluxcd.io/v2
98 | kind: HelmRelease
99 | metadata:
100 | name: istiod
101 | namespace: istio-system
102 | spec:
103 | chart:
104 | spec:
105 | version: "1.26.1"
106 | chart: istiod
107 | sourceRef:
108 | kind: HelmRepository
109 | name: istio
110 | namespace: istio-system
111 | ---
112 | apiVersion: helm.toolkit.fluxcd.io/v2
113 | kind: HelmRelease
114 | metadata:
115 | name: istio-ingress-private
116 | namespace: istio-ingress
117 | spec:
118 | chart:
119 | spec:
120 | version: "1.26.1"
121 | chart: gateway
122 | sourceRef:
123 | kind: HelmRepository
124 | name: istio
125 | namespace: istio-system
126 | ---
127 | apiVersion: helm.toolkit.fluxcd.io/v2
128 | kind: HelmRelease
129 | metadata:
130 | name: helm-exporter
131 | namespace: helm-exporter
132 | spec:
133 | chart:
134 | spec:
135 | version: "1.2.16+77ad21d"
136 | chart: helm-exporter
137 | sourceRef:
138 | kind: HelmRepository
139 | name: sstarcher
140 | namespace: helm-exporter
141 | ---
142 | apiVersion: helm.toolkit.fluxcd.io/v2
143 | kind: HelmRelease
144 | metadata:
145 | name: cnpg
146 | namespace: cnpg-system
147 | spec:
148 | chart:
149 | spec:
150 | version: "0.24.0"
151 | chart: cloudnative-pg
152 | sourceRef:
153 | kind: HelmRepository
154 | name: cnpg
155 | namespace: cnpg-system
156 | ---
157 | apiVersion: helm.toolkit.fluxcd.io/v2
158 | kind: HelmRelease
159 | metadata:
160 | name: cert-manager
161 | namespace: cert-manager
162 | spec:
163 | chart:
164 | spec:
165 | version: "v1.17.2"
166 | chart: cert-manager
167 | sourceRef:
168 | kind: HelmRepository
169 | name: jetstack
170 | namespace: cert-manager
171 | ---
172 | apiVersion: helm.toolkit.fluxcd.io/v2
173 | kind: HelmRelease
174 | metadata:
175 | name: reflector
176 | namespace: reflector
177 | spec:
178 | chart:
179 | spec:
180 | version: "9.1.7"
181 | chart: reflector
182 | sourceRef:
183 | kind: HelmRepository
184 | name: emberstack
185 | namespace: reflector
186 | ---
187 | apiVersion: helm.toolkit.fluxcd.io/v2
188 | kind: HelmRelease
189 | metadata:
190 | name: external-secrets
191 | namespace: external-secrets
192 | spec:
193 | chart:
194 | spec:
195 | version: "0.17.0"
196 | chart: external-secrets
197 | sourceRef:
198 | kind: HelmRepository
199 | name: external-secrets
200 | namespace: external-secrets
201 | ---
202 | apiVersion: helm.toolkit.fluxcd.io/v2
203 | kind: HelmRelease
204 | metadata:
205 | name: jenkins
206 | namespace: jenkins
207 | spec:
208 | chart:
209 | spec:
210 | version: "5.8.55"
211 | chart: jenkins
212 | sourceRef:
213 | kind: HelmRepository
214 | name: jenkins
215 | namespace: jenkins
216 | ---
217 | apiVersion: helm.toolkit.fluxcd.io/v2
218 | kind: HelmRelease
219 | metadata:
220 | name: argocd
221 | namespace: argocd
222 | spec:
223 | chart:
224 | spec:
225 | version: "8.0.14"
226 | chart: argo-cd
227 | sourceRef:
228 | kind: HelmRepository
229 | name: argo
230 | namespace: argocd
231 | ---
232 | apiVersion: helm.toolkit.fluxcd.io/v2
233 | kind: HelmRelease
234 | metadata:
235 | name: strimzi-kafka-operator
236 | namespace: strimzi
237 | spec:
238 | chart:
239 | spec:
240 | version: "0.46.0"
241 | chart: strimzi-kafka-operator
242 | sourceRef:
243 | kind: HelmRepository
244 | name: strimzi
245 | namespace: strimzi
246 | ---
247 | apiVersion: helm.toolkit.fluxcd.io/v2
248 | kind: HelmRelease
249 | metadata:
250 | name: pgadmin4
251 | namespace: pgadmin
252 | spec:
253 | chart:
254 | spec:
255 | version: "1.45.1"
256 | chart: pgadmin4
257 | sourceRef:
258 | kind: HelmRepository
259 | name: runix
260 | namespace: pgadmin
261 | ---
262 | apiVersion: helm.toolkit.fluxcd.io/v2
263 | kind: HelmRelease
264 | metadata:
265 | name: airflow
266 | namespace: airflow
267 | spec:
268 | chart:
269 | spec:
270 | version: "1.16.0"
271 | chart: airflow
272 | sourceRef:
273 | kind: HelmRepository
274 | name: apache-airflow
275 | namespace: airflow
276 | ---
277 | apiVersion: helm.toolkit.fluxcd.io/v2
278 | kind: HelmRelease
279 | metadata:
280 | name: operator
281 | namespace: minio-operator
282 | spec:
283 | chart:
284 | spec:
285 | version: "7.1.1"
286 | chart: operator
287 | sourceRef:
288 | kind: HelmRepository
289 | name: minio-operator
290 | namespace: minio-operator
291 | ---
292 | apiVersion: helm.toolkit.fluxcd.io/v2
293 | kind: HelmRelease
294 | metadata:
295 | name: loki
296 | namespace: loki
297 | spec:
298 | chart:
299 | spec:
300 | version: "6.30.1"
301 | chart: loki
302 | sourceRef:
303 | kind: HelmRepository
304 | name: grafana
305 | namespace: loki
306 | values:
307 | gateway:
308 | affinity:
309 | podAntiAffinity:
310 | requiredDuringSchedulingIgnoredDuringExecution:
311 | - labelSelector:
312 | matchLabels:
313 | app.kubernetes.io/component: placeholder-flux-bug-label
314 | topologyKey: kubernetes.io/hostname
315 | ---
316 | apiVersion: helm.toolkit.fluxcd.io/v2
317 | kind: HelmRelease
318 | metadata:
319 | name: alloy
320 | namespace: alloy
321 | spec:
322 | chart:
323 | spec:
324 | version: "1.0.3"
325 | chart: alloy
326 | sourceRef:
327 | kind: HelmRepository
328 | name: grafana
329 | namespace: loki
330 | ---
331 | apiVersion: helm.toolkit.fluxcd.io/v2
332 | kind: HelmRelease
333 | metadata:
334 | name: elastic-operator
335 | namespace: elastic-system
336 | spec:
337 | chart:
338 | spec:
339 | version: "3.0.0"
340 | chart: eck-operator
341 | sourceRef:
342 | kind: HelmRepository
343 | name: elastic
344 | namespace: elastic-system
345 | ---
346 | apiVersion: helm.toolkit.fluxcd.io/v2
347 | kind: HelmRelease
348 | metadata:
349 | name: x509-certificate-exporter
350 | namespace: x509-certificate-exporter
351 | spec:
352 | chart:
353 | spec:
354 | version: "3.18.1"
355 | chart: x509-certificate-exporter
356 | sourceRef:
357 | kind: HelmRepository
358 | name: enix
359 | namespace: x509-certificate-exporter
360 | ---
361 | apiVersion: helm.toolkit.fluxcd.io/v2
362 | kind: HelmRelease
363 | metadata:
364 | name: reloader
365 | namespace: reloader
366 | spec:
367 | chart:
368 | spec:
369 | version: "2.1.3"
370 | chart: reloader
371 | sourceRef:
372 | kind: HelmRepository
373 | name: stakater
374 | namespace: reloader
375 | ---
376 | apiVersion: helm.toolkit.fluxcd.io/v2
377 | kind: HelmRelease
378 | metadata:
379 | name: seaweedfs
380 | namespace: seaweedfs
381 | spec:
382 | chart:
383 | spec:
384 | version: "4.0.388"
385 | chart: seaweedfs
386 | sourceRef:
387 | kind: HelmRepository
388 | name: seaweedfs
389 | namespace: seaweedfs
390 | ---
391 | apiVersion: helm.toolkit.fluxcd.io/v2
392 | kind: HelmRelease
393 | metadata:
394 | name: clickhouse-operator
395 | namespace: clickhouse-operator
396 | spec:
397 | chart:
398 | spec:
399 | version: "0.25.0"
400 | chart: altinity-clickhouse-operator
401 | sourceRef:
402 | kind: HelmRepository
403 | name: clickhouse-operator
404 | ---
405 | apiVersion: helm.toolkit.fluxcd.io/v2
406 | kind: HelmRelease
407 | metadata:
408 | name: vls
409 | namespace: victoria-logs
410 | spec:
411 | chart:
412 | spec:
413 | version: "0.11.1"
414 | chart: victoria-logs-single
415 | sourceRef:
416 | kind: HelmRepository
417 | name: vm
418 | namespace: victoria-logs
419 | ---
420 | apiVersion: helm.toolkit.fluxcd.io/v2
421 | kind: HelmRelease
422 | metadata:
423 | name: kyverno
424 | namespace: kyverno
425 | spec:
426 | chart:
427 | spec:
428 | version: "3.4.1"
429 | chart: kyverno
430 | sourceRef:
431 | kind: HelmRepository
432 | name: kyverno
433 | namespace: kyverno
434 |
--------------------------------------------------------------------------------
/apps/bundles/docker-flex/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - ../../base/victoria-metrics-k8s-stack
5 | - ../../base/flux-monitoring
6 | - ../../base/kubelinks
7 | - ../../base/k8s-event-logger
8 | - ../../base/metrics-server
9 | - ../../base/blackbox-exporter
10 | - ../../base/keda
11 | - ../../base/istio
12 | - ../../base/helm-exporter
13 | - ../../base/cloudnative-pg
14 | - ../../base/cert-manager
15 | - ../../base/reflector
16 | - ../../base/external-secrets
17 | - ../../base/jenkins-server
18 | - ../../base/argocd
19 | - ../../base/strimzi
20 | - ../../base/pgadmin
21 | - ../../base/airflow
22 | - ../../base/capacitor
23 | - ../../base/minio-operator
24 | - ../../base/loki
25 | - ../../base/eck-operator
26 | - ../../base/oomkill-exporter
27 | - ../../base/x509-certificate-exporter
28 | - ../../base/reloader
29 | - ../../base/alloy
30 | - ../../base/dragonfly-operator
31 | - ../../base/seaweedfs
32 | - ../../base/clickhouse-operator
33 | - ../../base/httpbin
34 | - ../../base/kro
35 | - ../../base/victoria-logs
36 | - ../../base/kyverno
37 | - ../../base/valkey-operator
38 | patches:
39 | - path: docker-flex.yaml
40 |
--------------------------------------------------------------------------------
/apps/bundles/docker-stable/docker-stable.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2
3 | kind: HelmRelease
4 | metadata:
5 | name: victoria-metrics-k8s-stack
6 | namespace: monitoring
7 | spec:
8 | chart:
9 | spec:
10 | version: "0.49.0"
11 | values:
12 | prometheus-node-exporter:
13 | hostRootFsMount:
14 | enabled: false
15 | ---
16 | apiVersion: helm.toolkit.fluxcd.io/v2
17 | kind: HelmRelease
18 | metadata:
19 | name: kubelinks
20 | namespace: kubelinks
21 | spec:
22 | chart:
23 | spec:
24 | version: "0.4.10"
25 | ---
26 | apiVersion: helm.toolkit.fluxcd.io/v2
27 | kind: HelmRelease
28 | metadata:
29 | name: k8s-event-logger
30 | namespace: k8s-event-logger
31 | spec:
32 | chart:
33 | spec:
34 | version: "1.1.8"
35 | ---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
  namespace: metrics-server
spec:
  chart:
    spec:
      version: "3.12.2"
  values:
    args:
      # SECURITY (review): disables verification of each kubelet's serving
      # certificate, so metrics-server trusts whatever answers on the kubelet
      # port; an on-path attacker on the node network could feed fabricated
      # resource metrics and steer HPA scaling. Typically required on kind /
      # Docker Desktop style clusters whose kubelet certs lack IP SANs (which
      # this "docker-*" bundle suggests). Drop it wherever kubelet
      # serving-certificate rotation is enabled, or point metrics-server at the
      # kubelet CA with --kubelet-certificate-authority instead.
      - --kubelet-insecure-tls
48 | ---
49 | apiVersion: helm.toolkit.fluxcd.io/v2
50 | kind: HelmRelease
51 | metadata:
52 | name: blackbox-exporter
53 | namespace: blackbox-exporter
54 | spec:
55 | chart:
56 | spec:
57 | version: "9.4.0"
58 | ---
59 | apiVersion: helm.toolkit.fluxcd.io/v2
60 | kind: HelmRelease
61 | metadata:
62 | name: keda
63 | namespace: keda
64 | spec:
65 | chart:
66 | spec:
67 | version: "2.17.1"
68 | ---
69 | apiVersion: helm.toolkit.fluxcd.io/v2
70 | kind: HelmRelease
71 | metadata:
72 | name: istiod
73 | namespace: istio-system
74 | spec:
75 | chart:
76 | spec:
77 | version: "1.26.1"
78 | ---
79 | apiVersion: helm.toolkit.fluxcd.io/v2
80 | kind: HelmRelease
81 | metadata:
82 | name: istio-ingress-private
83 | namespace: istio-ingress
84 | spec:
85 | chart:
86 | spec:
87 | version: "1.26.1"
88 | ---
89 | apiVersion: helm.toolkit.fluxcd.io/v2
90 | kind: HelmRelease
91 | metadata:
92 | name: helm-exporter
93 | namespace: helm-exporter
94 | spec:
95 | chart:
96 | spec:
97 | version: "1.2.16+77ad21d"
98 | ---
99 | apiVersion: helm.toolkit.fluxcd.io/v2
100 | kind: HelmRelease
101 | metadata:
102 | name: cnpg
103 | namespace: cnpg-system
104 | spec:
105 | chart:
106 | spec:
107 | version: "0.24.0"
108 | ---
109 | apiVersion: helm.toolkit.fluxcd.io/v2
110 | kind: HelmRelease
111 | metadata:
112 | name: cert-manager
113 | namespace: cert-manager
114 | spec:
115 | chart:
116 | spec:
117 | version: "v1.17.2"
118 | ---
119 | apiVersion: helm.toolkit.fluxcd.io/v2
120 | kind: HelmRelease
121 | metadata:
122 | name: reflector
123 | namespace: reflector
124 | spec:
125 | chart:
126 | spec:
127 | version: "9.1.7"
128 | ---
129 | apiVersion: helm.toolkit.fluxcd.io/v2
130 | kind: HelmRelease
131 | metadata:
132 | name: external-secrets
133 | namespace: external-secrets
134 | spec:
135 | chart:
136 | spec:
137 | version: "0.17.0"
138 | ---
139 | apiVersion: helm.toolkit.fluxcd.io/v2
140 | kind: HelmRelease
141 | metadata:
142 | name: jenkins
143 | namespace: jenkins
144 | spec:
145 | chart:
146 | spec:
147 | version: "5.8.53"
148 | ---
149 | apiVersion: helm.toolkit.fluxcd.io/v2
150 | kind: HelmRelease
151 | metadata:
152 | name: argocd
153 | namespace: argocd
154 | spec:
155 | chart:
156 | spec:
157 | version: "8.0.13"
158 | ---
159 | apiVersion: helm.toolkit.fluxcd.io/v2
160 | kind: HelmRelease
161 | metadata:
162 | name: strimzi-kafka-operator
163 | namespace: strimzi
164 | spec:
165 | chart:
166 | spec:
167 | version: "0.46.0"
168 | ---
169 | apiVersion: helm.toolkit.fluxcd.io/v2
170 | kind: HelmRelease
171 | metadata:
172 | name: pgadmin4
173 | namespace: pgadmin
174 | spec:
175 | chart:
176 | spec:
177 | version: "1.45.1"
178 | ---
179 | apiVersion: helm.toolkit.fluxcd.io/v2
180 | kind: HelmRelease
181 | metadata:
182 | name: airflow
183 | namespace: airflow
184 | spec:
185 | chart:
186 | spec:
187 | version: "1.16.0"
188 | ---
189 | apiVersion: helm.toolkit.fluxcd.io/v2
190 | kind: HelmRelease
191 | metadata:
192 | name: operator
193 | namespace: minio-operator
194 | spec:
195 | chart:
196 | spec:
197 | version: "7.1.1"
198 | ---
199 | apiVersion: helm.toolkit.fluxcd.io/v2
200 | kind: HelmRelease
201 | metadata:
202 | name: loki
203 | namespace: loki
204 | spec:
205 | chart:
206 | spec:
207 | version: "6.30.0"
208 | values:
209 | gateway:
210 | affinity:
211 | podAntiAffinity:
212 | requiredDuringSchedulingIgnoredDuringExecution:
213 | - labelSelector:
214 | matchLabels:
215 | app.kubernetes.io/component: placeholder-flux-bug-label
216 | topologyKey: kubernetes.io/hostname
217 | ---
218 | apiVersion: helm.toolkit.fluxcd.io/v2
219 | kind: HelmRelease
220 | metadata:
221 | name: alloy
222 | namespace: alloy
223 | spec:
224 | chart:
225 | spec:
226 | version: "1.0.3"
227 | ---
228 | apiVersion: helm.toolkit.fluxcd.io/v2
229 | kind: HelmRelease
230 | metadata:
231 | name: elastic-operator
232 | namespace: elastic-system
233 | spec:
234 | chart:
235 | spec:
236 | version: "3.0.0"
237 | ---
238 | apiVersion: helm.toolkit.fluxcd.io/v2
239 | kind: HelmRelease
240 | metadata:
241 | name: x509-certificate-exporter
242 | namespace: x509-certificate-exporter
243 | spec:
244 | chart:
245 | spec:
246 | version: "3.18.1"
247 | ---
248 | apiVersion: helm.toolkit.fluxcd.io/v2
249 | kind: HelmRelease
250 | metadata:
251 | name: reloader
252 | namespace: reloader
253 | spec:
254 | chart:
255 | spec:
256 | version: "2.1.3"
257 | ---
258 | apiVersion: helm.toolkit.fluxcd.io/v2
259 | kind: HelmRelease
260 | metadata:
261 | name: seaweedfs
262 | namespace: seaweedfs
263 | spec:
264 | chart:
265 | spec:
266 | version: "4.0.388"
267 | ---
268 | apiVersion: helm.toolkit.fluxcd.io/v2
269 | kind: HelmRelease
270 | metadata:
271 | name: clickhouse-operator
272 | namespace: clickhouse-operator
273 | spec:
274 | chart:
275 | spec:
276 | version: "0.25.0"
277 | ---
278 | apiVersion: helm.toolkit.fluxcd.io/v2
279 | kind: HelmRelease
280 | metadata:
281 | name: vls
282 | namespace: victoria-logs
283 | spec:
284 | chart:
285 | spec:
286 | version: "0.11.1"
287 | ---
288 | apiVersion: helm.toolkit.fluxcd.io/v2
289 | kind: HelmRelease
290 | metadata:
291 | name: kyverno
292 | namespace: kyverno
293 | spec:
294 | chart:
295 | spec:
296 | version: "3.4.1"
297 |
--------------------------------------------------------------------------------
/apps/bundles/docker-stable/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - ../../base/victoria-metrics-k8s-stack
5 | - ../../base/flux-monitoring
6 | - ../../base/kubelinks
7 | - ../../base/k8s-event-logger
8 | - ../../base/metrics-server
9 | - ../../base/blackbox-exporter
10 | - ../../base/keda
11 | - ../../base/istio
12 | - ../../base/helm-exporter
13 | - ../../base/cloudnative-pg
14 | - ../../base/cert-manager
15 | - ../../base/reflector
16 | - ../../base/external-secrets
17 | - ../../base/jenkins-server
18 | - ../../base/argocd
19 | - ../../base/strimzi
20 | - ../../base/pgadmin
21 | - ../../base/airflow
22 | - ../../base/minio-operator
23 | - ../../base/loki
24 | - ../../base/eck-operator
25 | - ../../base/oomkill-exporter
26 | - ../../base/x509-certificate-exporter
27 | - ../../base/reloader
28 | - ../../base/alloy
29 | - ../../base/seaweedfs
30 | - ../../base/clickhouse-operator
31 | - ../../base/httpbin
32 | - ../../base/victoria-logs
33 | - ../../base/kyverno
34 | patches:
35 | - path: docker-stable.yaml
36 |
--------------------------------------------------------------------------------
/clusters/dummy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | ## Base bundle
5 | - ../../apps/bundles/docker-stable
6 |
--------------------------------------------------------------------------------
/clusters/homelab/RECOVER.md:
--------------------------------------------------------------------------------
1 | # Recovery or Initialization Guide for Homelab Cluster
2 |
3 | ### Steps:
4 |
0. **Disable Custom Resources in Kustomize**
Temporarily comment out the custom-resource manifests in the relevant Kustomizations — objects whose CRDs are only installed by an operator that is itself deployed from this repo (for example the `ClickHouseInstallation` under `clusters/homelab/clickhouse`). Applying them before their CRDs exist makes the first reconciliation fail; that is the "dependency conflict" this step avoids.
7 |
1. **Regenerate GitHub Token for Access**
Generate a new GitHub token for Flux's access to this repository. Prefer a fine-grained token scoped to this single repository with only the permissions the bootstrap command documents, and give it an expiry: it is a standing credential to the cluster's source of truth, so anyone holding it can change what gets deployed.
10 |
11 | 2. **Bootstrap FluxCD**
12 | Use the [FluxCD bootstrap example](https://github.com/brainfair/awesome-flux-head?tab=readme-ov-file#bootstrap-fluxcd-example) to set up FluxCD. Follow the instructions carefully to ensure proper bootstrapping.
13 |
14 | 3. **Regenerate GitHub Token for Promotion Workflow**
Create a Kubernetes secret with the new token. Use a separate token from the bootstrap one, scoped only to what the promotion workflow needs (sending the GitHub dispatch events that the Flux `github-dispatch` Alert triggers — confirm against the workflow). Note that `--from-literal` puts the token on the command line, where it can be recorded in shell history and seen by other local users in the process list; reading it from a file or stdin (e.g. `--from-file=token=/dev/stdin`) avoids that:
16 | ```bash
17 | kubectl -n flux-system create secret generic github-token \
18 | --from-literal=token=${GITHUB_TOKEN}
19 | ```
20 |
21 | 4. **Generate or Reuse a Wildcard TLS Certificate**
If needed, generate a wildcard TLS certificate using [this guide](https://gist.github.com/brainfair/d43c52c635f8a84a176b9a047fec1349). Alternatively, reuse previous certificate files. Keep `domain.key` out of this repository and remove local copies once the secret exists; the secret name (`localhost-direct`) has to match the `credentialName` the ingress Gateway references — confirm against the gateway manifest before creating it. Then, create the secret:
23 | ```bash
24 | kubectl -n istio-ingress create secret tls localhost-direct \
25 | --key=domain.key --cert=domain.crt
26 | ```
27 |
28 | 5. **Re-enable Custom Resources**
29 | After resolving dependencies and ensuring proper setup, re-enable custom resources in Kustomize.
30 |
--------------------------------------------------------------------------------
/clusters/homelab/clickhouse/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | namespace: clickhouse
4 | resources:
5 | - namespace.yaml
6 | - simple-01.yaml
7 |
--------------------------------------------------------------------------------
/clusters/homelab/clickhouse/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: clickhouse
5 |
--------------------------------------------------------------------------------
/clusters/homelab/clickhouse/simple-01.yaml:
--------------------------------------------------------------------------------
# Sample ClickHouse installation for the Altinity clickhouse-operator.
# Not enabled by default: the homelab kustomization lists `clickhouse`
# commented out.
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "simple-01"
  namespace: clickhouse
spec:
  configuration:
    users:
      # printf 'test_password' | sha256sum
      # The plaintext is spelled out in the line above and the hash is
      # committed, so this is a published sample credential, not a secret;
      # replace it (e.g. source it from a Secret) before storing real data.
      test_user/password_sha256_hex: 10a6e6cc8311a3e2bcc09bf6c199adecd5dd59408c343e926b129c4914f3cb01
      # to allow access outside from kubernetes
      # 0.0.0.0/0 lets test_user log in from any source address; narrow it to
      # the client networks that actually need access.
      test_user/networks/ip:
        - 0.0.0.0/0
    clusters:
      - name: "simple"
16 |
--------------------------------------------------------------------------------
/clusters/homelab/flux-promotion/gh-dispatch.yaml:
--------------------------------------------------------------------------------
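# Fires a GitHub dispatch (through the "github" Provider) whenever a
# HelmRelease in one of the listed namespaces reports a successful upgrade;
# the kustomization describes this as the PR promotion dispatcher hook, so
# the receiving workflow presumably opens the promotion PR.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: github-dispatch
  namespace: flux-system
spec:
  providerRef:
    name: github
  summary: "Trigger promotion"
  # Forwarded with every event; ${cluster_name} is presumably filled in by
  # Flux post-build variable substitution.
  eventMetadata:
    env: staging
    type: docker
    cluster: ${cluster_name}
  eventSeverity: info
  # One wildcard entry per namespace that carries a HelmRelease. Keep the
  # list free of duplicates (strimzi was listed twice).
  eventSources:
    - kind: HelmRelease
      name: "*"
      namespace: argocd
    - kind: HelmRelease
      name: "*"
      namespace: blackbox-exporter
    - kind: HelmRelease
      name: "*"
      namespace: flux-system
    - kind: HelmRelease
      name: "*"
      namespace: kube-system
    - kind: HelmRelease
      name: "*"
      namespace: keda
    - kind: HelmRelease
      name: "*"
      namespace: monitoring
    - kind: HelmRelease
      name: "*"
      namespace: k8s-event-logger
    - kind: HelmRelease
      name: "*"
      namespace: kubelinks
    - kind: HelmRelease
      name: "*"
      namespace: metrics-server
    - kind: HelmRelease
      name: "*"
      namespace: helm-exporter
    - kind: HelmRelease
      name: "*"
      namespace: strimzi
    - kind: HelmRelease
      name: "*"
      namespace: external-secrets
    - kind: HelmRelease
      name: "*"
      namespace: external-dns
    - kind: HelmRelease
      name: "*"
      namespace: cert-manager
    - kind: HelmRelease
      name: "*"
      namespace: cnpg-system
    - kind: HelmRelease
      name: "*"
      namespace: istio-ingress
    - kind: HelmRelease
      name: "*"
      namespace: istio-system
    - kind: HelmRelease
      name: "*"
      namespace: jenkins
    - kind: HelmRelease
      name: "*"
      namespace: reflector
    - kind: HelmRelease
      name: "*"
      namespace: pgadmin
    - kind: HelmRelease
      name: "*"
      namespace: airflow
    - kind: HelmRelease
      name: "*"
      namespace: minio-operator
    - kind: HelmRelease
      name: "*"
      namespace: loki
    - kind: HelmRelease
      name: "*"
      namespace: elastic-system
    - kind: HelmRelease
      name: "*"
      namespace: x509-certificate-exporter
    - kind: HelmRelease
      name: "*"
      namespace: reloader
    - kind: HelmRelease
      name: "*"
      namespace: alloy
    - kind: HelmRelease
      name: "*"
      namespace: dragonfly-operator-system
    - kind: HelmRelease
      name: "*"
      namespace: seaweedfs
    - kind: HelmRelease
      name: "*"
      namespace: clickhouse-operator
    - kind: HelmRelease
      name: "*"
      namespace: victoria-logs
    - kind: HelmRelease
      name: "*"
      namespace: kyverno
  # Only "upgrade … succeeded" messages trigger a dispatch ...
  inclusionList:
    - ".*.upgrade.*succeeded.*"
  # ... except those for the victoria-metrics-crds release, which is
  # deliberately excluded.
  exclusionList:
    - "^Helm upgrade succeeded for release .*victoria-metrics-crds.*"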
119 |
--------------------------------------------------------------------------------
/clusters/homelab/flux-promotion/gh-provider.yaml:
--------------------------------------------------------------------------------
# GitHub dispatch target used by the github-dispatch Alert.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: github
  namespace: flux-system
spec:
  type: githubdispatch
  address: https://github.com/brainfair/awesome-flux-infra
  # The token Secret is created by hand (RECOVER.md, step 3) and is not
  # managed by this repository, so it has to be recreated on a rebuild.
  secretRef:
    name: github-token
11 |
--------------------------------------------------------------------------------
/clusters/homelab/flux-promotion/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | # PR promotion dispatcher hook
5 | - gh-dispatch.yaml
6 | - gh-provider.yaml
7 |
--------------------------------------------------------------------------------
/clusters/homelab/istio/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - wildcard-gateway.yaml
5 |
--------------------------------------------------------------------------------
/clusters/homelab/istio/wildcard-gateway.yaml:
--------------------------------------------------------------------------------
# Shared ingress gateway for every UI published under ${cluster_subdomain}.
# A hostname has to appear in both server blocks below before a
# VirtualService can route it through this gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: wildcard-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingress-private
  servers:
    # Plain-HTTP listener: exists only to redirect clients to HTTPS.
    - hosts:
        - links.${cluster_subdomain}
        - grafana.${cluster_subdomain}
        - vmagent.${cluster_subdomain}
        - vmalert.${cluster_subdomain}
        - vmalertmanager.${cluster_subdomain}
        - vmsingle.${cluster_subdomain}
        - jenkins.${cluster_subdomain}
        - argocd.${cluster_subdomain}
        - pgadmin.${cluster_subdomain}
        - airflow.${cluster_subdomain}
        - capacitor.${cluster_subdomain}
        - minio-loki.${cluster_subdomain}
        - httpbin.${cluster_subdomain}
        - vls.${cluster_subdomain}
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - links.${cluster_subdomain}
        - grafana.${cluster_subdomain}
        - vmagent.${cluster_subdomain}
        - vmalert.${cluster_subdomain}
        - vmalertmanager.${cluster_subdomain}
        - vmsingle.${cluster_subdomain}
        - jenkins.${cluster_subdomain}
        - argocd.${cluster_subdomain}
        - pgadmin.${cluster_subdomain}
        - airflow.${cluster_subdomain}
        - capacitor.${cluster_subdomain}
        - minio-loki.${cluster_subdomain}
        - httpbin.${cluster_subdomain}
        - vls.${cluster_subdomain}
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        # certificate provided by https://get.localhost.direct/
        # The TLS Secret "localhost-direct" is created by hand in this
        # namespace (RECOVER.md, step 4); until it exists the HTTPS listener
        # presumably has nothing to serve.
        credentialName: localhost-direct
        mode: SIMPLE
54 |
--------------------------------------------------------------------------------
/clusters/homelab/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | ## Base bundle
5 | - ../../apps/bundles/docker-flex
6 | ## Customs
7 | - flux-promotion
8 | - istio
9 | - pg-airflow
10 | - minio-loki
11 | #- redis
12 | #- clickhouse
13 | - valkey-sample
14 | patches:
15 | - path: victoria-metrics-k8s-stack/helm-release.yaml
16 | # Example of removing a resource (reflector). PS: separate files because kinda bug https://github.com/kubernetes-sigs/kustomize/issues/5471
17 | #- path: ../../apps/base/reflector/rm-reflector-ns.yaml
18 | #- path: ../../apps/base/reflector/rm-reflector-release.yaml
19 | #- path: ../../apps/base/reflector/rm-reflector-repo.yaml
20 |
--------------------------------------------------------------------------------
/clusters/homelab/minio-loki/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: minio-loki
5 | namespace: minio-loki
6 | spec:
7 | releaseName: minio-loki
8 | chart:
9 | spec:
10 | chart: tenant
11 | version: 7.1.1
12 | sourceRef:
13 | kind: HelmRepository
14 | name: minio-operator
15 | namespace: minio-operator
16 | interval: 15m
17 | install:
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | remediation:
22 | retries: 3
23 | # Default values: https://github.com/minio/operator/blob/master/helm/tenant/values.yaml
24 | values:
25 | secrets: ~
26 | tenant:
27 | name: minio-loki
28 | configSecret:
29 | name: minio-loki-env-configuration
30 | existingSecret: true
31 | pools:
32 | - servers: 1
33 | name: pool-0
34 | volumesPerServer: 1
35 | size: 10Gi
36 | securityContext:
37 | runAsUser: 1000
38 | runAsGroup: 1000
39 | fsGroup: 1000
40 | fsGroupChangePolicy: "OnRootMismatch"
41 | runAsNonRoot: true
42 | containerSecurityContext:
43 | runAsUser: 1000
44 | runAsGroup: 1000
45 | runAsNonRoot: true
46 | allowPrivilegeEscalation: false
47 | capabilities:
48 | drop:
49 | - ALL
50 | seccompProfile:
51 | type: RuntimeDefault
52 | buckets:
53 | - name: chunks
54 | - name: ruler
55 | - name: admin
56 |
--------------------------------------------------------------------------------
/clusters/homelab/minio-loki/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - namespace.yaml
5 | - minio-loki-user-secret.yaml
6 | - helm-release.yaml
7 | - virtual-service.yaml
8 |
--------------------------------------------------------------------------------
/clusters/homelab/minio-loki/minio-loki-user-secret.yaml:
--------------------------------------------------------------------------------
# Generates the MinIO root password once and renders it both into the
# tenant's env configuration and into a Loki values snippet.
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: minio-loki-user-secret
  namespace: minio-loki
spec:
  length: 24
  # No symbols: the value is interpolated unquoted into the YAML snippet and
  # into a shell `export` line below, so keeping it alphanumeric avoids
  # quoting surprises.
  symbols: 0
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: minio-loki-user-secret
  namespace: minio-loki
spec:
  # Generated once and not refreshed; a rotated value would have to reach
  # both the tenant config and the Loki copy at the same time.
  refreshInterval: 0s
  refreshPolicy: CreatedOnce
  target:
    # Consumed by the tenant HelmRelease via configSecret/existingSecret.
    name: minio-loki-env-configuration
    template:
      engineVersion: v2
      metadata:
        annotations:
          # Reflector presumably copies this Secret into the "loki" namespace,
          # so the MinIO *root* credential becomes readable by anything with
          # Secret access there; a dedicated bucket-scoped MinIO user would
          # limit the blast radius.
          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
          reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "loki"
      data:
        # Shell-style env file read by the MinIO tenant.
        config.env: |
          export MINIO_ROOT_USER="minio"
          export MINIO_ROOT_PASSWORD="{{ .password }}"
        # Loki storage settings pointing at the in-cluster tenant. Certificate
        # verification is switched off (insecure / insecure_skip_verify),
        # presumably because the endpoint uses a self-signed certificate;
        # traffic stays in-cluster, but a spoofed endpoint would go unnoticed.
        helm-release-loki-values: |
          loki:
            storage:
              s3:
                endpoint: https://minio.minio-loki.svc.cluster.local
                secretAccessKey: {{ .password }}
                accessKeyId: minio
                s3ForcePathStyle: true
                insecure: true
                http_config:
                  insecure_skip_verify: true
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: minio-loki-user-secret
48 |
--------------------------------------------------------------------------------
/clusters/homelab/minio-loki/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: minio-loki
5 |
--------------------------------------------------------------------------------
/clusters/homelab/minio-loki/virtual-service.yaml:
--------------------------------------------------------------------------------
---
# Publishes the MinIO console through the shared wildcard gateway.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: minio-loki-virtualservice
  namespace: minio-loki
spec:
  gateways:
    - istio-ingress/wildcard-gateway
  hosts:
    - minio-loki.${cluster_subdomain}
  http:
    - route:
        - destination:
            host: minio-loki-console.minio-loki.svc.cluster.local
            port:
              number: 9443
---
# The console presumably serves TLS itself on 9443, so TLS is originated
# towards it (mode SIMPLE).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: minio-loki-console
  namespace: minio-loki
spec:
  host: minio-loki-console
  trafficPolicy:
    tls:
      mode: SIMPLE
      # The console's certificate is not verified (presumably self-signed).
      # Pinning the issuing CA via caCertificates instead would let the
      # gateway detect a spoofed backend.
      insecureSkipVerify: true
30 |
--------------------------------------------------------------------------------
/clusters/homelab/pg-airflow/cluster.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: postgresql.cnpg.io/v1
3 | kind: Cluster
4 | metadata:
5 | name: pg-airflow
6 | namespace: pg-airflow
7 | spec:
8 | instances: 1
9 | imageName: ghcr.io/cloudnative-pg/postgis:14
10 | bootstrap:
11 | initdb:
12 | database: airflow
13 | owner: airflow
14 | secret:
15 | name: pg-airflow-user-secret
16 | storage:
17 | size: 10Gi
18 | monitoring:
19 | enablePodMonitor: true
20 |
--------------------------------------------------------------------------------
/clusters/homelab/pg-airflow/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | namespace: pg-airflow
4 | resources:
5 | - namespace.yaml
6 | - pg-airflow-user-secret.yaml
7 | - cluster.yaml
8 |
--------------------------------------------------------------------------------
/clusters/homelab/pg-airflow/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: pg-airflow
5 |
--------------------------------------------------------------------------------
/clusters/homelab/pg-airflow/pg-airflow-user-secret.yaml:
--------------------------------------------------------------------------------
# Generates the airflow database password once and publishes it as a
# basic-auth Secret together with a ready-made connection URL.
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: pg-airflow-user-secret
  namespace: pg-airflow
spec:
  length: 24
  # Alphanumeric only: the value is embedded raw in the postgresql:// URL
  # below, where reserved characters would need percent-encoding.
  symbols: 0
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: pg-airflow-user-secret
  namespace: pg-airflow
spec:
  # Generated once and not refreshed. NOTE(review): a refresh would change
  # the Secret without changing the database role's password — confirm
  # before enabling rotation.
  refreshInterval: 0s
  refreshPolicy: CreatedOnce
  target:
    # Referenced by bootstrap.initdb.secret in cluster.yaml.
    name: pg-airflow-user-secret
    template:
      engineVersion: v2
      type: kubernetes.io/basic-auth
      metadata:
        annotations:
          # Reflector presumably copies this Secret into the "airflow"
          # namespace so the Airflow release can read the connection string;
          # the database owner credential is then readable by anything with
          # Secret access there.
          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
          reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "airflow"
      data:
        username: airflow
        password: "{{ .password }}"
        # pg-airflow-rw is presumably the CNPG read-write service of the
        # pg-airflow cluster.
        connection: postgresql://airflow:{{ .password }}@pg-airflow-rw.pg-airflow:5432/airflow
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: Password
          name: pg-airflow-user-secret
38 |
--------------------------------------------------------------------------------
/clusters/homelab/redis/cluster.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: dragonflydb.io/v1alpha1
3 | kind: Dragonfly
4 | metadata:
5 | name: dragonfly
6 | namespace: redis
7 | spec:
8 | args:
9 | - "--default_lua_flags=allow-undeclared-keys,disable-atomicity"
10 | replicas: 1
11 | # resources:
12 | # requests:
13 | # cpu: 500m
14 | # memory: 500Mi
15 | # limits:
16 | # cpu: 600m
17 | # memory: 750Mi
18 | snapshot:
19 | cron: "0 2 * * *"
20 | persistentVolumeClaimSpec:
21 | accessModes:
22 | - ReadWriteOnce
23 | resources:
24 | requests:
25 | storage: 2Gi
26 |
--------------------------------------------------------------------------------
/clusters/homelab/redis/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | namespace: redis
4 | resources:
5 | - namespace.yaml
6 | - cluster.yaml
7 |
--------------------------------------------------------------------------------
/clusters/homelab/redis/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: redis
5 |
--------------------------------------------------------------------------------
/clusters/homelab/valkey-sample/README.md:
--------------------------------------------------------------------------------
1 | # Valkey Sample Example
2 |
3 | This directory contains a sample Valkey instance managed by the Valkey Operator.
4 |
5 | ## Overview
6 |
7 | The `valkey-sample` example demonstrates how to define and manage a Valkey instance using the Valkey Operator. For more details about the schema and available fields, refer to the [Valkey Operator CRD documentation](https://doc.crds.dev/github.com/hyperspike/valkey-operator).
8 |
9 |
10 | ## Reference
11 |
12 | For more information about the Valkey Operator and its schema, visit the [official documentation](https://github.com/hyperspike/valkey-operator).
13 |
--------------------------------------------------------------------------------
/clusters/homelab/valkey-sample/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | namespace: valkey-sample
4 | resources:
5 | - namespace.yaml
6 | - sample.yaml
7 |
--------------------------------------------------------------------------------
/clusters/homelab/valkey-sample/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | name: valkey-sample
5 |
--------------------------------------------------------------------------------
/clusters/homelab/valkey-sample/sample.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: hyperspike.io/v1
2 | kind: Valkey
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: valkey-operator
6 | app.kubernetes.io/managed-by: kustomize
7 | name: valkey-sample
8 | namespace: valkey-sample
9 | spec:
10 | volumePermissions: true
11 |
--------------------------------------------------------------------------------
/clusters/homelab/victoria-metrics-k8s-stack/helm-release.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: helm.toolkit.fluxcd.io/v2
2 | kind: HelmRelease
3 | metadata:
4 | name: victoria-metrics-k8s-stack
5 | namespace: monitoring
6 | spec:
7 | values:
8 | defaultRules:
9 | disabled:
10 | TooManyScrapeErrors: true
11 |
--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 | "extends": [
4 | "config:recommended"
5 | ],
6 | "kubernetes": {
7 | "managerFilePatterns": [
8 | "/\\.yaml$/"
9 | ]
10 | },
11 | "flux": {
12 | "managerFilePatterns": [
13 | "/apps/base/.+\\.yaml$/",
14 | "/apps/bundles/.+-flex/.+\\.yaml$/",
15 | "/clusters/.+\\.yaml$/"
16 | ]
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/scripts/diff.sh:
--------------------------------------------------------------------------------
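#!/usr/bin/env bash
#
# Render every cluster overlay under ./clusters with kustomize, once for the
# checked-out revision and once for the base branch, and report the clusters
# whose rendered manifests differ. Inside a GitHub pull-request workflow the
# diff of each changed cluster is posted as a PR comment.
#
# Environment:
#   GITHUB_SHA, GITHUB_REF  set by GitHub Actions; a PR run is detected from a
#                           GITHUB_REF of the form refs/pull/<number>/...
#   GITHUB_BASE_REF         branch to compare against (defaults to "main")
#   GITHUB_TOKEN            required to post the comment in a PR run
#   GITHUB_REPOSITORY       "owner/repo", required to post the comment
#
# Exit status: 0 when every build succeeded (a diff is not a failure);
# non-zero when a prerequisite is missing, the working tree is dirty, a git
# operation fails, or any kustomize build fails.

set -o errexit
set -o nounset
set -o pipefail

readonly CLUSTERS_DIR="./clusters"
readonly BASE_BRANCH="${GITHUB_BASE_REF:-main}"

# Globals shared with cleanup(); assigned in main().
work_dir=""      # scratch directory holding the rendered manifests
current_ref=""   # branch name (or commit id when detached) to return to
restore_ref=""   # non-empty only while the base branch is checked out
build_failed=0   # set to 1 when any kustomize build fails
IS_GITHUB_PR=false
PR_NUMBER=""

die() { printf 'ERROR - %s\n' "$*" >&2; exit 1; }

#######################################
# EXIT handler: return to the original ref if we left it, drop scratch files.
# Globals:   restore_ref, work_dir (read)
#######################################
cleanup() {
  if [[ -n "$restore_ref" ]]; then
    git checkout -q -f "$restore_ref" \
      || printf 'ERROR - could not return to %s\n' "$restore_ref" >&2
  fi
  if [[ -n "$work_dir" ]]; then
    rm -rf -- "$work_dir"
  fi
}

#######################################
# Detect a GitHub pull-request run and extract the PR number.
# Globals:   GITHUB_SHA, GITHUB_REF (read); IS_GITHUB_PR, PR_NUMBER (written)
#######################################
detect_pr() {
  # Only digits are accepted, so PR_NUMBER is safe to embed in the API URL
  # (the old sed expression passed the whole ref through when it did not
  # end in /merge).
  if [[ -n "${GITHUB_SHA:-}" && "${GITHUB_REF:-}" =~ ^refs/pull/([0-9]+)/ ]]; then
    PR_NUMBER=${BASH_REMATCH[1]}
    IS_GITHUB_PR=true
    echo "Running in a GitHub PR Action. PR Number: $PR_NUMBER"
  else
    IS_GITHUB_PR=false
    echo "Not running in a GitHub PR Action."
  fi
}

#######################################
# Render every cluster overlay into "$work_dir/<cluster>-<label>.yaml".
# Arguments: $1 - label for the output files ("new" or "base")
# Globals:   CLUSTERS_DIR, work_dir (read); build_failed (written)
#######################################
build_clusters() {
  local label=$1 cluster_path cluster_name
  for cluster_path in "$CLUSTERS_DIR"/*/; do
    cluster_name=$(basename "$cluster_path")
    echo "Processing cluster: $cluster_name $label"
    # A failed build must not leave an empty file that later reads as
    # "everything changed"; record it and keep going so one run reports
    # every cluster.
    if ! kustomize build "$cluster_path" --load-restrictor LoadRestrictionsNone \
        > "$work_dir/${cluster_name}-${label}.yaml"; then
      printf 'ERROR - kustomize build failed for %s (%s)\n' "$cluster_name" "$label" >&2
      build_failed=1
    fi
  done
}

#######################################
# Post a cluster's diff as a comment on the current pull request.
# Arguments: $1 - cluster name; $2 - file holding the unified diff
# Globals:   GITHUB_TOKEN, GITHUB_REPOSITORY, PR_NUMBER (read)
# Returns:   curl's status; a rejected request fails the script via errexit
#######################################
post_pr_comment() {
  local cluster_name=$1 diff_file=$2 comment_body
  : "${GITHUB_TOKEN:?GITHUB_TOKEN is required to post a PR comment}"
  : "${GITHUB_REPOSITORY:?GITHUB_REPOSITORY is required to post a PR comment}"
  comment_body=$(jq -n \
    --arg cluster "$cluster_name" \
    --arg diff "$(<"$diff_file")" \
    '{ body: "### Diff detected for cluster \($cluster):\n\n```diff\n\($diff)\n```" }')
  # The token reaches curl through a header file on a pipe and the body on
  # stdin, so neither shows up in the process list or in `set -x` traces.
  curl -sS --fail -X POST \
    -H @<(printf 'Authorization: Bearer %s\n' "$GITHUB_TOKEN") \
    -H "Content-Type: application/json" \
    --data @- \
    "https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
    <<<"$comment_body"
}

main() {
  local tool cluster_path cluster_name rc
  for tool in git kustomize diff jq; do
    command -v "$tool" > /dev/null || die "required tool not found: $tool"
  done
  [[ -d "$CLUSTERS_DIR" ]] || die "Directory $CLUSTERS_DIR does not exist."

  # `git checkout -f` below discards local modifications; refuse to run on a
  # dirty tree rather than silently destroying someone's work.
  if ! git diff --quiet || ! git diff --cached --quiet; then
    die "working tree has uncommitted changes; commit or stash them first"
  fi

  # Branch name when on one, otherwise the commit id: a pull_request workflow
  # checks out a detached HEAD, where `rev-parse --abbrev-ref HEAD` yields the
  # literal "HEAD" and `git checkout -f HEAD` would never leave the base branch.
  current_ref=$(git symbolic-ref -q --short HEAD || git rev-parse HEAD)

  detect_pr
  if [[ "$IS_GITHUB_PR" == true ]]; then
    command -v curl > /dev/null || die "required tool not found: curl"
  fi

  # Private scratch directory instead of predictable /tmp/<cluster>-*.yaml
  # names that another local user could pre-create or symlink.
  work_dir=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  build_clusters new

  git fetch --all
  restore_ref=$current_ref
  git checkout -q -f "$BASE_BRANCH"
  build_clusters base
  git checkout -q -f "$current_ref"
  restore_ref=""

  for cluster_path in "$CLUSTERS_DIR"/*/; do
    cluster_name=$(basename "$cluster_path")
    # A cluster that does not exist on the base branch diffs against an
    # empty document instead of making diff fail.
    [[ -e "$work_dir/${cluster_name}-base.yaml" ]] || : > "$work_dir/${cluster_name}-base.yaml"
    rc=0
    # Base first, new second, so additions show as "+" lines. diff exits 1
    # when the files differ and 2 on trouble; only the latter is an error.
    diff -u "$work_dir/${cluster_name}-base.yaml" "$work_dir/${cluster_name}-new.yaml" \
      > "$work_dir/${cluster_name}.diff" || rc=$?
    case $rc in
      0) ;;
      1)
        echo "diff found in ${cluster_name}"
        if [[ "$IS_GITHUB_PR" == true ]]; then
          post_pr_comment "$cluster_name" "$work_dir/${cluster_name}.diff"
        fi
        ;;
      *) die "diff failed for ${cluster_name} (exit $rc)" ;;
    esac
  done

  if (( build_failed )); then
    die "one or more kustomize builds failed; see messages above"
  fi
}

main "$@"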
86 |
--------------------------------------------------------------------------------
/scripts/validate.sh:
--------------------------------------------------------------------------------
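#!/usr/bin/env bash

# This script downloads the Flux OpenAPI schemas, then it validates the
# Flux custom resources and the kustomize overlays using kubeconform.
# This script is meant to be run locally and in CI before the changes
# are merged on the main branch that's synced by Flux.

# Copyright 2023 The Flux authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License..

# Prerequisites
# - yq v4.34
# - kustomize v5.0
# - kubeconform v0.6

set -o errexit
set -o nounset
set -o pipefail

# Schemas are unpacked into a private temporary directory instead of a fixed
# path under /tmp, so nobody else on the host can pre-create that path and
# seed it with schemas that validation would then trust.
schema_dir=$(mktemp -d)
trap 'rm -rf -- "${schema_dir:?}"' EXIT

# mirror kustomize-controller build options
kustomize_flags=("--load-restrictor=LoadRestrictionsNone")
kustomize_config="kustomization.yaml"

# skip Kubernetes Secrets due to SOPS fields failing validation
kubeconform_flags=("-skip=Secret")
# -ignore-missing-schemas keeps the run green for CRDs without a schema, at
# the price of not catching typos in those resources.
kubeconform_config=("-strict" "-ignore-missing-schemas" "-schema-location" "default" "-schema-location" "$schema_dir" "-verbose")

echo "INFO - Downloading Flux OpenAPI schemas"
mkdir -p "$schema_dir/master-standalone-strict"
# --fail turns an HTTP error into a curl failure instead of feeding the error
# page to tar; together with pipefail that aborts the run with a clear message.
curl -sSfL https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz \
  | tar zxf - -C "$schema_dir/master-standalone-strict"

# Every YAML file in the repository must at least parse.
find . -type f -name '*.yaml' -print0 | while IFS= read -r -d '' file; do
  echo "INFO - Validating $file"
  yq e 'true' "$file" > /dev/null
done

# Each loop body below runs in the pipeline's subshell: `exit 1` there fails
# the pipeline, and errexit then stops the script.
echo "INFO - Validating clusters"
find ./clusters -maxdepth 2 -type f -name '*.yaml' -print0 | while IFS= read -r -d '' file; do
  kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}" "${file}" || exit 1
done

echo "INFO - Validating kustomize overlays"
find . -type f -name "$kustomize_config" -print0 | while IFS= read -r -d '' file; do
  echo "INFO - Validating kustomization ${file/%$kustomize_config}"
  # pipefail makes this fail if either the build or the validation fails.
  kustomize build "${file/%$kustomize_config}" "${kustomize_flags[@]}" \
    | kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}" || exit 1
done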
67 |
--------------------------------------------------------------------------------