add kube-prometheus-stack

Signed-off-by: gwg313 <gwg313@pm.me> remove vals Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-05 21:01:02 +00:00 · 2026-05-18 02:10:14 -04:00 · 2026-05-18 02:10:14 -04:00 · 198733316a
commit 198733316a
parent 231e6b3319
8 changed files with 44 additions and 0 deletions
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@ -8,6 +8,7 @@ resources:
  - tetragon-policies.yaml
  - sealed-secrets.yaml
  - cert-manager.yaml
+  - monitoring.yaml
  - nfs-subdir.yaml
  - forgejo.yaml
  - navidrome.yaml
--- a/management/platform-apps/kyverno-policies.yaml
+++ b/management/platform-apps/kyverno-policies.yaml
@ -21,3 +21,4 @@ spec:
    syncOptions:
      - CreateNamespace=false
      - ServerSideApply=true
+      - Replace=true # <-- Policies have immutable fields so this helps deal with updates
--- a/management/platform-apps/monitoring.yaml
+++ b/management/platform-apps/monitoring.yaml
@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-5"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/monitoring
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
--- a/platform/kyverno/policies/generate-ns-network-baseline.yaml
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@ -29,6 +29,7 @@ spec:
                - cert-manager
                - sealed-secrets
                - nfs-subdir-external-provisioner
+                - monitoring
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
--- a/platform/kyverno/policies/require-requests-limits.yaml
+++ b/platform/kyverno/policies/require-requests-limits.yaml
@ -33,6 +33,7 @@ spec:
                - cert-manager
                - sealed-secrets
                - nfs-subdir-external-provisioner
+                - monitoring
      validate:
        message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
        pattern:
--- a/platform/monitoring/Chart.yaml
+++ b/platform/monitoring/Chart.yaml
@ -0,0 +1,9 @@
+apiVersion: v2
+name: cluster-monitoring
+description: chart for cluster monitoring stack
+type: application
+version: 1.0.0
+dependencies:
+  - name: kube-prometheus-stack
+    version: "85.1.3"
+    repository: "https://prometheus-community.github.io/helm-charts"
--- a/platform/monitoring/templates/namespace.yaml
+++ b/platform/monitoring/templates/namespace.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
--- a/platform/monitoring/values.yaml
+++ b/platform/monitoring/values.yaml