diff --git a/helmfile.yaml b/helmfile.yaml new file mode 100644 index 0000000..e69de29 diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml index cdfa277..52b95e9 100644 --- a/installations/applications/helmfile.yaml +++ b/installations/applications/helmfile.yaml @@ -21,7 +21,8 @@ repositories: url: https://charts.min.io/ - name: bedag url: https://bedag.github.io/helm-charts/ - + - name: grafana + url: https://grafana.github.io/helm-charts releases: - name: authentik @@ -45,7 +46,7 @@ releases: - name: gitea chart: gitea/gitea - version: 10.3.0 + version: 10.4.0 namespace: applications inherit: - template: default-env-values @@ -133,8 +134,16 @@ releases: - name: mealie chart: softplayer-oci/mealie namespace: applications - version: 0.1.0 + version: 0.3.0 inherit: - template: default-env-values - template: default-env-secrets - template: ext-database + + - name: grafana + chart: grafana/grafana + namespace: applications + version: 8.3.6 + inherit: + - template: default-env-values + - template: default-env-secrets diff --git a/installations/development/helmfile.yaml b/installations/development/helmfile.yaml new file mode 100644 index 0000000..05596e8 --- /dev/null +++ b/installations/development/helmfile.yaml @@ -0,0 +1,12 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: argo + url: https://argoproj.github.io/argo-helm + +releases: + - name: badhouseplants + namespace: platform diff --git a/installations/monitoring/helmfile.yaml b/installations/monitoring/helmfile.yaml new file mode 100644 index 0000000..f956aa5 --- /dev/null +++ b/installations/monitoring/helmfile.yaml 
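Review bot: The `badhouseplants` release at the end of the new installations/development/helmfile.yaml has no `chart:` (nor `version:`), which helmfile rejects, and the `argo` repository declared above it is referenced by nothing, so the file reads as unfinished. Judging by the shape of the new values/badhouseplants/values.argo-badhouseplants.net (top-level `applications:`/`projects:`), the intended chart is presumably `chart: argo/argocd-apps` together with the usual `inherit:` templates, but that needs confirming. The root helmfile.yaml is also added as an empty file (blob e69de29) in the same commit; if that is not deliberate, drop it.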
@@ -0,0 +1,21 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: bedag + url: https://bedag.github.io/helm-charts/ + - name: prometheus-community + url: https://prometheus-community.github.io/helm-charts + + +releases: + - name: prometheus + chart: prometheus-community/kube-prometheus-stack + namespace: monitoring + version: 61.3.2 + inherit: + - template: default-env-values + - template: default-env-secrets + - template: crd-management-hook diff --git a/values/badhouseplants/secrets.grafana.yaml b/values/badhouseplants/secrets.grafana.yaml new file mode 100644 index 0000000..c5545a9 --- /dev/null +++ b/values/badhouseplants/secrets.grafana.yaml 
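Review bot: The Prometheus this release deploys is consumed from another namespace — values/badhouseplants/values.grafana.yaml points Grafana at `prometheus-operated.monitoring.svc.cluster.local:9090` from `applications` — and Prometheus has no authentication of its own, so it is worth checking whether port 9090 in `monitoring` is reachable from every other namespace; a NetworkPolicy admitting only the Grafana pods (or the chart's `prometheus.networkPolicy` setting, if this version exposes it) closes that. The `bedag` repository is declared but no release in this file uses it, presumably because the `crd-management-hook` template does; a one-line comment above it saying so would help. The hunk also leaves two blank lines before `releases:` where the other helmfiles use one.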
@@ -0,0 +1,23 @@ +grafana.ini: + auth.generic_oauth: + client_secret: ENC[AES256_GCM,data:HZ7FEe5zCU8wBVqCNtWZbJmJOp9QY4/z0B/FRPm76cSb1zsmbDkPS8dKxF8SYYtR+v1UWdCfe8NZp0RtqV6MQx9HQRMIHwwbHQ/b2BvEs9Q/Q+V+6/uwdIMWYu7+uFwVs9c5OUdRmA3jJgGy6mV5ZBxdiBI6NGHJk4WpT6AXn+E=,iv:o8DHlwqywfyr+FHTh8J0N67xixX2dIgxgsOYYKiLAFo=,tag:unKLJUZbI11pfOJjXgbu7w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2eFpXVi9PeWVvdlQ5cEJS + Yyt0L1F6UTQveVVpbXBnZE0xQ3hsb1Y3NG53ClRncVFtRVo1UHZjaDJyWkNoK1hZ + OStkM3ZmOU5SY3hFZ3lPOGtyakZBdlEKLS0tIFpuZVdMS1VVRmg5MDRIVzhISTJs + MUZJeDdqeUJrTVkvZ0NKZ0tvd0doaXcKZ2b/Gatfw4GlX3N1FDwziBvTrM3g+asd + 92IVTZ5BGht2MbfcKAPJFcMr0KQKo8rVejDvYunkAZB94ICNr36MVQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-25T11:05:53Z" + mac: ENC[AES256_GCM,data:m0JDoCSmvktNHIHb6DrDiB7Zecv8wwn4y4UN51IHnYQRuL5qdqHq9ntWiozDy2KQO5Xw7bSHB2Yb3XN5Byt5cUy7I3BIYYn7MiQjIzOWcjIJJvN2YzDzLeA+wieizM5anEgwCuhRsvGUkWs/OUylHOaSbX6ma2fBPtvMqieCa1s=,iv:lpKiI9y8AQfhfWc3KmSdyDEFks+i8FeZ/QedC7Ai35w=,tag:VhRsg1FIct4V1+jSxBKmKg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/values/badhouseplants/secrets.postgres.yaml b/values/badhouseplants/secrets.postgres.yaml index a3223c8..0165eff 100644 --- a/values/badhouseplants/secrets.postgres.yaml +++ b/values/badhouseplants/secrets.postgres.yaml @@ -1,7 +1,7 @@ global: postgresql: auth: - postgresPassword: ENC[AES256_GCM,data:NopZyPWiTKPPVzLcvVLN3JgMQjQ=,iv:rWVhR2wChvQSIa7eBPrvnWO2ydLZ2D8oF87INiy8NX4=,tag:Xb0qbED6QXu5QBgHY6hrOA==,type:str] + postgresPassword: ENC[AES256_GCM,data:5u1PvGD7qiNp+fKRKd0k1NZ9Cmg=,iv:QD1xBqO1v4pKoQn+PpVVn/9gfgiQcVIOC+iwykS1fU8=,tag:/sZyLhKlSXQgq9NaE9SeAA==,type:str] sops: kms: [] gcp_kms: [] 
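Review bot: `auth.generic_oauth.client_secret` is placed under `grafana.ini`, and the chart renders `grafana.ini` into a ConfigMap, so after sops decryption the OAuth client secret is readable by anyone with ConfigMap access in `applications`; values/badhouseplants/values.grafana.yaml sets `assertNoLeakedSecrets: false`, which switches off the chart guard that exists to catch exactly this. Keep the value in a Kubernetes Secret instead and inject it as the `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` environment variable, e.g. `envValueFrom: {GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: {secretKeyRef: {name: <oauth-secret-name>, key: client_secret}}}`, then restore the chart default by removing the `assertNoLeakedSecrets` override. Grafana also expands `$__file{...}` inside grafana.ini if a mounted secret file is preferred over an environment variable.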
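Review bot: `global.postgresql.auth.postgresPassword` is rotated here, but only the Helm values change; if the PostgreSQL release already initialised its data volume with the previous password, the new value is not applied to the running database, and clients that receive it through the `ext-database` template would start failing, so the password needs changing in the database alongside this (or the volume re-initialised). As a credential rotation it would also be easier to audit as its own commit rather than bundled with the Grafana work.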
@@ -11,14 +11,14 @@ sops: - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbENvMm1YQzlSV3UrSEJ4 - VTZ1RWVKTlpsUDFzQlVjMlJEZmIvaldHVXlFCm9SVzN3Z0dwTGo1Y3dnaHhvSmpi - bDIrMlJhbHhKUmRZejdkTmJiSDYvY2MKLS0tIFpRbkwySVh2MDlNWEFNZHVtY2Ns - Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3 - OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibDUrRXlidmtidDBqQlFF + eU5ibmpFR003bmtOQTZ1R1VoSi90b3hVQUZnCjEwS0pkYWtWVzBjZjVBY3h6R2xx + d1cxbldsay9UVG1zODF5VUp2NExzcVUKLS0tIC8vdDB2M0YxTWpqQnl2RjJmZUxv + U1hxODZZdzRQZFZrVElSNW1oU21GMkEKGorPMRXGZp3RD95/CPUiNqjEArUH4ZYj + 5UTYtScymvZ5zCPGsMYqmjGFPTg/HiEBAhVed03Smd7z/FmwdCchlA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-21T12:58:01Z" - mac: ENC[AES256_GCM,data:ShHWH9RIL4rJ5X0IvThOtyM28AC+1bJLr4PJJdYSLtV9T7Wcs2LbmWxtM2tpRyzMeZjYKJrsstGYgxBevr1BpfGBIeR4+JCwrbdK4AOq2VbLMpH7nMOU/huuUpxOopweRBTwZOEMRBkSkEk4qPvebLHEqUi6aNGdtxOINmHv/fA=,iv:C/iJOSshanbhSQ9Be712aSN2B8aXndPpP4655SQONeQ=,tag:BAJIzrYfh8a59OzkxDOrbw==,type:str] + lastmodified: "2024-07-25T15:16:56Z" + mac: ENC[AES256_GCM,data:uYaO2/51oCs1/ZZfWMwID+gv9XZetDZWyfG94KvCjn+2uMRNc9GgZok30CKFaDmi2D6oipoXyV3uz7BXgqHSk9rA/GTKoNzq8AEiSADXwnBneoQ8ftGZcGdr0V1R1gcsCtlu65kXsROksEK1pS0XQEMq5/zIftcL8wcOe7brnvA=,iv:UlCPOm4tEPqLW2Z5r6lcSZzF5nrRWmOdfz4z0J2mtww=,tag:o/bhbNe1/Gi+KWx1/xEg7Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.3 \ No newline at end of file + version: 3.9.0 diff --git a/values/badhouseplants/values.argo-badhouseplants.net b/values/badhouseplants/values.argo-badhouseplants.net new file mode 100644 index 0000000..c130530 --- /dev/null +++ b/values/badhouseplants/values.argo-badhouseplants.net 
@@ -0,0 +1,87 @@ +applications: {} +# guestbook: +# namespace: argocd +# additionalLabels: {} +# additionalAnnotations: {} +# finalizers: +# - resources-finalizer.argocd.argoproj.io +# project: guestbook +# source: +# repoURL: https://github.com/argoproj/argocd-example-apps.git +# targetRevision: HEAD +# path: guestbook +# directory: +# recurse: true +# # ArgoCD v2.6 or later +# sources: +# - chart: elasticsearch +# repoURL: https://helm.elastic.co +# targetRevision: 8.5.1 +# - repoURL: https://github.com/argoproj/argocd-example-apps.git +# path: guestbook +# targetRevision: HEAD +# destination: +# server: https://kubernetes.default.svc +# namespace: guestbook +# syncPolicy: +# automated: +# prune: false +# selfHeal: false +# syncOptions: +# - CreateNamespace=true +# revisionHistoryLimit: null +# ignoreDifferences: +# - group: apps +# kind: Deployment +# jsonPointers: +# - /spec/replicas +# info: +# - name: url +# value: https://argoproj.github.io/ + +# -- Deploy Argo CD Projects within this helm release +# @default -- `{}` (See [values.yaml]) +## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ +projects: {} +# guestbook: +# namespace: argocd +# additionalLabels: {} +# additionalAnnotations: {} +# permitOnlyProjectScopedClusters: false +# finalizers: +# - resources-finalizer.argocd.argoproj.io +# description: Example Project +# sourceRepos: +# - '*' +# destinations: +# - namespace: guestbook +# server: https://kubernetes.default.svc +# clusterResourceWhitelist: [] +# clusterResourceBlacklist: [] +# namespaceResourceBlacklist: +# - group: '' +# kind: ResourceQuota +# - group: '' +# kind: LimitRange +# - group: '' +# kind: NetworkPolicy +# orphanedResources: {} +# roles: [] +# namespaceResourceWhitelist: +# - group: 'apps' +# kind: Deployment +# - group: 'apps' +# kind: StatefulSet +# orphanedResources: {} +# roles: [] +# syncWindows: +# - kind: allow +# schedule: '10 1 * * *' +# duration: 1h +# applications: +# - '*-prod' +# manualSync: 
true +# signatureKeys: +# - keyID: ABCDEF1234567890 +# sourceNamespaces: +# - argocd diff --git a/values/badhouseplants/values.grafana.yaml b/values/badhouseplants/values.grafana.yaml new file mode 100644 index 0000000..4bccba8 --- /dev/null +++ b/values/badhouseplants/values.grafana.yaml @@ -0,0 +1,44 @@ +assertNoLeakedSecrets: false +ingress: + enabled: true + ingressClassName: traefik + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + path: / + pathType: Prefix + hosts: + - grafana.badhouseplants.net + tls: + - secretName: grafana.badhouseplants.net + hosts: + - grafana.badhouseplants.net +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + url: http://prometheus-operated.monitoring.svc.cluster.local:9090 + access: proxy + isDefault: true +grafana.ini: + server: + root_url: https://grafana.badhouseplants.net + auth: + signout_redirect_url: "https://authentik.badhouseplants.net/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + client_id: "grafana" + scopes: "openid profile email" + auth_url: "https://authentik.badhouseplants.net/application/o/authorize/" + token_url: "https://authentik.badhouseplants.net/application/o/token/" + api_url: "https://authentik.badhouseplants.net/application/o/userinfo/" + # Optionally map user groups to Grafana roles + role_attribute_path: contains(groups, 'Admins') && 'Admin' || contains(groups, 'DevOps') && 'Editor' || 'Viewer' diff --git a/values/badhouseplants/values.namespaces.yaml b/values/badhouseplants/values.namespaces.yaml index d1d78ed..a93d5c2 100644 --- a/values/badhouseplants/values.namespaces.yaml 
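Review bot: values/badhouseplants/values.argo-badhouseplants.net is the only values file without a `.yaml` extension, and beyond `applications: {}` and `projects: {}` it is entirely the upstream example block commented out, so it carries no configuration; either name it `values.argo-badhouseplants.net.yaml` to match its siblings and trim the commented example down to the keys actually intended, or leave it out until the release that consumes it (installations/development/helmfile.yaml, currently without a `chart:`) is finished. The `# -- Deploy Argo CD Projects ...` and `# @default -- ...` lines are helm-docs annotations copied from the chart and mean nothing in a values file.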
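Review bot: `traefik.ingress.kubernetes.io/router.entrypoints: web,websecure` attaches the router to the plain-HTTP entrypoint as well, and `kubernetes.io/ingress.allow-http: "false"` (like `kubernetes.io/ingress.global-static-ip-name: ""`) is a GKE ingress annotation that Traefik ignores, so the OAuth login flow can be served over HTTP unless Traefik redirects `web` globally; prefer `traefik.ingress.kubernetes.io/router.entrypoints: websecure` and drop the two GKE annotations. The `auth.generic_oauth` block also loses `use_pkce: true`, which the Gitea configuration removed from values/badhouseplants/values.prometheus.yaml had; add `use_pkce: true` back, authentik supports it. The removed in-stack Grafana further had `persistence.enabled: true`, the `dashboardProviders`/`dashboards` entries and the Loki datasource, none of which reappear here, so the standalone Grafana starts ephemeral and without those dashboards — presumably unintended. `kubernetes.io/ingress.class: traefik` duplicates `ingressClassName: traefik` and can go.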
+++ b/values/badhouseplants/values.namespaces.yaml @@ -1,5 +1,5 @@ namespaces: - - name: longhorn-system + - name: monitoring - name: databases - name: applications - name: development diff --git a/values/badhouseplants/values.prometheus.yaml b/values/badhouseplants/values.prometheus.yaml index 2ee10c9..6750b7f 100644 --- a/values/badhouseplants/values.prometheus.yaml +++ b/values/badhouseplants/values.prometheus.yaml @@ -3,24 +3,16 @@ # -- Istio extenstion. Just because I'm # -- not using ingress nginx # ------------------------------------------ -istio: - enabled: true - istio: - - name: grafana-https - gateway: istio-system/badhouseplants-net - kind: http - hostname: "grafana.badhouseplants.net" - service: prometheus-grafana - port: 80 - coreDns: enabled: false kubeEtcd: enabled: false kubelet: - enabled: false + enabled: true kubeApiServer: enabled: false +grafana: + enabled: false prometheus-node-exporter: prometheus: 
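Review bot: `longhorn-system` is replaced by `monitoring` rather than kept alongside it; if the release consuming this list prunes namespaces it no longer declares, applying this deletes `longhorn-system` and everything in it, which for a storage driver namespace means the volumes it manages, so confirm Longhorn is already gone or is managed elsewhere first. If it is simply no longer needed, a one-line mention of why in the commit message would save the next reader the same check.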
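Review bot: The three context lines at the top of the hunk (`# -- Istio extenstion. Just because I'm`, `# -- not using ingress nginx` and the dashed rule) describe the `istio:` block that the hunk removes, so they are now orphaned (and misspell "extension"); remove them together with the block. Switching `kubelet.enabled` to `true` and adding `grafana.enabled: false` are fine on their own; the in-stack Grafana configuration they retire is deleted in the second hunk of this file, which is where its persistence and dashboard settings disappear without being carried to the new standalone release.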
@@ -85,64 +77,3 @@ prometheus: resources: requests: storage: 12Gi - -grafana: - assertNoLeakedSecrets: false - persistence: - enabled: true - size: 2Gi - grafana.ini: - server: - root_url: https://grafana.badhouseplants.net - auth.generic_oauth: - name: Gitea - icon: signin - enabled: true - allow_sign_up: true - auto_login: false - client_id: 0ce70a7d-f267-44cc-9686-71048277e51d - scopes: openid profile email groups - empty_scopes: false - auth_url: https://git.badhouseplants.net/login/oauth/authorize - token_url: https://git.badhouseplants.net/login/oauth/access_token - api_url: https://git.badhouseplants.net/login/oauth/userinfo - tls_skip_verify_insecure: false - use_pkce: true - role_attribute_path: contains(groups, 'badhouseplants:owners') && 'Admin' || 'Viewer' - - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: false - options: - path: /var/lib/grafana/dashboards/default - - dashboards: - default: - gitea-dashboard: - gnetId: 13192 - revision: 1 - datasource: Prometheus - argo-dashboard: - gnetId: 14584 - revision: 1 - datasource: Prometheus - - datasources: - loki.yaml: - apiVersion: 1 - datasources: - - name: Loki - type: loki - access: proxy - uid: loki - editable: false - url: http://loki.monitoring-system:3100/ - jsonData: - maxLines: 1000