From 198733316afca24ca8b80d780a93e12943385443 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Mon, 18 May 2026 02:10:14 -0400
Subject: [PATCH] add kube-prometheus-stack

Signed-off-by: gwg313

remove vals

Signed-off-by: gwg313
---
 management/platform-apps/kustomization.yaml | 1 +
 .../platform-apps/kyverno-policies.yaml | 1 +
 management/platform-apps/monitoring.yaml | 23 +++++++++++++++++++
 .../generate-ns-network-baseline.yaml | 1 +
 .../policies/require-requests-limits.yaml | 1 +
 platform/monitoring/Chart.yaml | 9 ++++++++
 platform/monitoring/templates/namespace.yaml | 8 +++++++
 platform/monitoring/values.yaml | 0
 8 files changed, 44 insertions(+)
 create mode 100644 management/platform-apps/monitoring.yaml
 create mode 100644 platform/monitoring/Chart.yaml
 create mode 100644 platform/monitoring/templates/namespace.yaml
 create mode 100644 platform/monitoring/values.yaml

diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
index af31fc0..3da3d20 100644
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
   - tetragon-policies.yaml
   - sealed-secrets.yaml
   - cert-manager.yaml
+  - monitoring.yaml
   - nfs-subdir.yaml
   - forgejo.yaml
   - navidrome.yaml
diff --git a/management/platform-apps/kyverno-policies.yaml b/management/platform-apps/kyverno-policies.yaml
index ea889cc..46be8cc 100644
--- a/management/platform-apps/kyverno-policies.yaml
+++ b/management/platform-apps/kyverno-policies.yaml
@@ -21,3 +21,4 @@ spec:
     syncOptions:
       - CreateNamespace=false
       - ServerSideApply=true
+      - Replace=true # <-- Policies have immutable fields so this helps deal with updates
diff --git a/management/platform-apps/monitoring.yaml b/management/platform-apps/monitoring.yaml
new file mode 100644
index 0000000..3c9c545
--- /dev/null
+++ b/management/platform-apps/monitoring.yaml
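Review bot: `Replace=true` on the last line of the kyverno-policies hunk applies to every resource that Application syncs, not only to the policies that actually have immutable fields, and Argo CD's documentation warns that replace/create semantics can recreate resources on every sync; scoping it with the per-resource annotation `argocd.argoproj.io/sync-options: Replace=true` on the affected policies would keep the Application-level behaviour at apply. How Replace interacts with the `ServerSideApply=true` entry directly above it should be confirmed against the Argo CD version in use, since a replace bypasses the server-side field management that the other option turns on. The trailing `# <-- ...` remark would read better as a comment on its own line above the entry, e.g. `# Policies carry immutable fields; Replace avoids apply conflicts on updates`. The syncPolicy block that holds these options starts outside the hunk.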
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-5"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/monitoring
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
diff --git a/platform/kyverno/policies/generate-ns-network-baseline.yaml b/platform/kyverno/policies/generate-ns-network-baseline.yaml
index 25c1900..0ab73a5 100644
--- a/platform/kyverno/policies/generate-ns-network-baseline.yaml
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@@ -29,6 +29,7 @@ spec:
           - cert-manager
           - sealed-secrets
           - nfs-subdir-external-provisioner
+          - monitoring
       generate:
         apiVersion: cilium.io/v2
         kind: CiliumNetworkPolicy
diff --git a/platform/kyverno/policies/require-requests-limits.yaml b/platform/kyverno/policies/require-requests-limits.yaml
index 1dd188c..63f5c11 100644
--- a/platform/kyverno/policies/require-requests-limits.yaml
+++ b/platform/kyverno/policies/require-requests-limits.yaml
@@ -33,6 +33,7 @@ spec:
           - cert-manager
           - sealed-secrets
           - nfs-subdir-external-provisioner
+          - monitoring
       validate:
         message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
         pattern:
diff --git a/platform/monitoring/Chart.yaml b/platform/monitoring/Chart.yaml
new file mode 100644
index 0000000..d4e7d34
--- /dev/null
+++ b/platform/monitoring/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: cluster-monitoring
+description: chart for cluster monitoring stack
+type: application
+version: 1.0.0
+dependencies:
+  - name: kube-prometheus-stack
+    version: "85.1.3"
+    repository: "https://prometheus-community.github.io/helm-charts"
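Review bot: `CreateNamespace=true` in the new Application's syncOptions duplicates the Namespace manifest this same commit ships at platform/monitoring/templates/namespace.yaml; when Argo CD pre-creates the namespace it does so without that template's pod-security labels, so until the templated Namespace is applied the namespace sits at whatever the cluster-wide Pod Security default is. Dropping `CreateNamespace=true` and letting the chart's Namespace resource own it keeps one source of truth, which is also what the kyverno-policies Application does with `CreateNamespace=false`. `project: default` places no restriction on source repositories or destinations; if the sibling platform apps use a dedicated AppProject this one should match, which cannot be told from the hunk.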
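Review bot: Adding `monitoring` to the namespace list in generate-ns-network-baseline.yaml, and the identical addition in the require-requests-limits.yaml hunk, takes the new namespace out of baseline network-policy generation and out of the requests/limits requirement, assuming this list is the policies' exclusion list as its neighbours (cert-manager, sealed-secrets, nfs-subdir-external-provisioner) suggest; the `match`/`exclude` block that names the list starts outside the hunk. The monitoring namespace will host Prometheus, Alertmanager and Grafana, which are exactly the workloads a baseline CiliumNetworkPolicy should cover, and kube-prometheus-stack exposes resource settings through values (for example `prometheus.prometheusSpec.resources`) rather than needing the policy waived. If the exemption exists only to get the stack bootstrapped, a comment on the added line saying so would keep it from becoming permanent, e.g. `- monitoring  # TODO: drop once chart values set requests/limits and explicit network policies exist`.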
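Review bot: The Chart.yaml dependency is pinned to `"85.1.3"`, but the accompanying platform/monitoring/values.yaml is created empty, so every kube-prometheus-stack default applies, including the chart's built-in Grafana admin credential and the lack of resource requests/limits on most components. A values.yaml that nests the subchart's values under a `kube-prometheus-stack:` key, points Grafana at an existing Secret via `grafana.admin.existingSecret` instead of the default password, and sets resources for the main components would let the Application pass the requests/limits policy without the exemption. Committing the Chart.lock that `helm dependency update` produces would also make the pinned subchart resolution reproducible; whether it is ignored here cannot be told from the diff.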
diff --git a/platform/monitoring/templates/namespace.yaml b/platform/monitoring/templates/namespace.yaml
new file mode 100644
index 0000000..a5aece4
--- /dev/null
+++ b/platform/monitoring/templates/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/platform/monitoring/values.yaml b/platform/monitoring/values.yaml
new file mode 100644
index 0000000..e69de29
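Review bot: All three Pod Security labels are set to `privileged`, which switches off every pod-security check for the whole namespace rather than only for the component that needs host access (presumably the chart's node-exporter DaemonSet, which by default uses host networking, host PID and host-path mounts — confirm against the pinned chart version). A comment recording that reason would make the choice auditable, e.g. `# enforce privileged: node-exporter needs hostNetwork/hostPID/hostPath`. Keeping `audit` and `warn` at `restricted` while `enforce` stays `privileged` costs nothing at admission and shows which workloads would fail a tighter level, which is the usual way to ratchet the namespace down later. The Application that deploys this chart also sets `CreateNamespace=true`, so Argo CD may create the namespace before these labels land; worth checking they are present after the first sync.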