From bfce08329d5915a2734a3b7eeef8bfe6c83828d0 Mon Sep 17 00:00:00 2001 From: gwg313 Date: Mon, 18 May 2026 02:10:14 -0400 Subject: [PATCH] add kube-prometheus-stack Signed-off-by: gwg313 remove vals Signed-off-by: gwg313
---
 management/platform-apps/kustomization.yaml | 1 + .../platform-apps/kyverno-policies.yaml | 1 + management/platform-apps/monitoring.yaml | 23 +++++++++++++++++++ .../generate-ns-network-baseline.yaml | 1 + .../policies/require-requests-limits.yaml | 1 + platform/monitoring/Chart.yaml | 9 ++++++++ .../templates/alertmanager-config-sealed.yaml | 18 +++++++++++++++ .../templates/grafana-secrets-sealed.yaml | 19 +++++++++++++++ platform/monitoring/templates/namespace.yaml | 11 +++++++++ platform/monitoring/values.yaml | 17 ++++++++++++++ 10 files changed, 101 insertions(+) create mode 100644 management/platform-apps/monitoring.yaml create mode 100644 platform/monitoring/Chart.yaml create mode 100644 platform/monitoring/templates/alertmanager-config-sealed.yaml create mode 100644 platform/monitoring/templates/grafana-secrets-sealed.yaml create mode 100644 platform/monitoring/templates/namespace.yaml create mode 100644 platform/monitoring/values.yaml
diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
index af31fc0..3da3d20 100644
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - tetragon-policies.yaml
 - sealed-secrets.yaml
 - cert-manager.yaml
+ - monitoring.yaml
 - nfs-subdir.yaml
 - forgejo.yaml
 - navidrome.yaml
diff --git a/management/platform-apps/kyverno-policies.yaml b/management/platform-apps/kyverno-policies.yaml
index ea889cc..46be8cc 100644
--- a/management/platform-apps/kyverno-policies.yaml
+++ b/management/platform-apps/kyverno-policies.yaml
@@ -21,3 +21,4 @@ spec:
 syncOptions:
 - CreateNamespace=false
 - ServerSideApply=true
+ - Replace=true # <-- Policies have immutable fields so this helps deal with updates
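Review bot: `Replace=true` is added to `syncOptions` for the whole kyverno-policies Application, directly after `ServerSideApply=true`; Argo CD documents Replace as taking precedence over server-side apply, so every policy in this app would now be written with replace/create semantics rather than a field-managed merge. For admission policies that is a wide scope: a full replace overwrites fields set by other controllers, and it is not evident from the hunk that a plain replace gets past immutable-field validation at all. Consider dropping the app-wide option and setting the annotation `argocd.argoproj.io/sync-options: Replace=true` on only the policies that need it. The `spec` block starts outside the hunk, so other sync settings may already interact with this.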
diff --git a/management/platform-apps/monitoring.yaml b/management/platform-apps/monitoring.yaml
new file mode 100644
index 0000000..3c9c545
--- /dev/null
+++ b/management/platform-apps/monitoring.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: monitoring
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "-5"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: platform/monitoring
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: monitoring
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/platform/kyverno/policies/generate-ns-network-baseline.yaml b/platform/kyverno/policies/generate-ns-network-baseline.yaml
index 25c1900..0ab73a5 100644
--- a/platform/kyverno/policies/generate-ns-network-baseline.yaml
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@@ -29,6 +29,7 @@ spec:
 - cert-manager
 - sealed-secrets
 - nfs-subdir-external-provisioner
+ - monitoring
 generate:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
diff --git a/platform/kyverno/policies/require-requests-limits.yaml b/platform/kyverno/policies/require-requests-limits.yaml
index 1dd188c..63f5c11 100644
--- a/platform/kyverno/policies/require-requests-limits.yaml
+++ b/platform/kyverno/policies/require-requests-limits.yaml
@@ -33,6 +33,7 @@ spec:
 - cert-manager
 - sealed-secrets
 - nfs-subdir-external-provisioner
+ - monitoring
 validate:
 message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
 pattern:
diff --git a/platform/monitoring/Chart.yaml b/platform/monitoring/Chart.yaml
new file mode 100644
index 0000000..d4e7d34
--- /dev/null
+++ b/platform/monitoring/Chart.yaml
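Review bot: The annotation key on the Application is `argoproj.io/sync-wave`, while the templates added in this same patch use `argocd.argoproj.io/sync-wave`; Argo CD reads only the latter, so wave `-5` will most likely be ignored and the app will sync in the default wave. It should read `argocd.argoproj.io/sync-wave: "-5"`. Separately, `CreateNamespace=true` overlaps with the Namespace that `platform/monitoring/templates/namespace.yaml` defines, and a namespace auto-created by Argo CD carries none of that manifest's labels until the chart's own object is applied. Using `CreateNamespace=false`, as the kyverno-policies app does, would leave the namespace with a single owner.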
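Review bot: `monitoring` is added to a namespace list that sits just above `generate:` in generate-ns-network-baseline.yaml; the key that owns the list is outside the hunk, but the neighbouring entries (cert-manager, sealed-secrets, nfs-subdir-external-provisioner) suggest it is the exclusion list, which would leave the new namespace without the generated baseline CiliumNetworkPolicy. Nothing under `platform/monitoring/templates/` in this patch adds a replacement, so as far as the commit shows Grafana, Alertmanager and Prometheus would run with no network policy of their own. If the exemption is needed for cross-namespace scraping, ship a dedicated CiliumNetworkPolicy in the monitoring chart that allows the scrape and ingress paths explicitly. A comment next to the entry should say why the baseline does not fit.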
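Review bot: The `- monitoring` entry in require-requests-limits.yaml exempts the whole namespace from the cpu/memory requests-and-limits rule, assuming the list is an exclude block (its key is outside the hunk). `platform/monitoring/values.yaml` in this patch sets no `resources` for any component, so unless the subchart defaults supply them the monitoring pods run without bounds on nodes shared with other workloads. Setting `resources` for the stack's components in the values file would let the namespace stay under the policy rather than be exempted from it.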
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: cluster-monitoring
+description: chart for cluster monitoring stack
+type: application
+version: 1.0.0
+dependencies:
+ - name: kube-prometheus-stack
+ version: "85.1.3"
+ repository: "https://prometheus-community.github.io/helm-charts"
diff --git a/platform/monitoring/templates/alertmanager-config-sealed.yaml b/platform/monitoring/templates/alertmanager-config-sealed.yaml
new file mode 100644
index 0000000..eca9849
--- /dev/null
+++ b/platform/monitoring/templates/alertmanager-config-sealed.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: alertmanager-custom-config
+ namespace: monitoring
+
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2"
+spec:
+ encryptedData:
+ alertmanager.yaml: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: alertmanager-custom-config
+ namespace: monitoring
diff --git a/platform/monitoring/templates/grafana-secrets-sealed.yaml b/platform/monitoring/templates/grafana-secrets-sealed.yaml
new file mode 100644
index 0000000..a80901c
--- /dev/null
+++ b/platform/monitoring/templates/grafana-secrets-sealed.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: kube-prometheus-stack-grafana
+ namespace: monitoring
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2"
+spec:
+ encryptedData:
+ admin-password: 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
+ admin-user: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: kube-prometheus-stack-grafana
+ namespace: monitoring
+ type: Opaque
diff --git a/platform/monitoring/templates/namespace.yaml b/platform/monitoring/templates/namespace.yaml
new file mode 100644
index 0000000..1fed658
--- /dev/null
+++ b/platform/monitoring/templates/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2"
diff --git a/platform/monitoring/values.yaml b/platform/monitoring/values.yaml
new file mode 100644
index 0000000..3651ceb
--- /dev/null
+++ b/platform/monitoring/values.yaml
@@ -0,0 +1,17 @@
+kube-prometheus-stack:
+ grafana:
+ defaultDashboardsTimezone: browser
+ grafana.ini:
+ date_formats:
+ default_timezone: browser
+ admin:
+ existingSecret: kube-prometheus-stack-grafana
+ userKey: admin-user
+ passwordKey: admin-password
+
+ alertmanager:
+ enabled: true
+
+ alertmanagerSpec:
+ useExistingSecret: true
+ configSecret: alertmanager-custom-config
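Review bot: All three Pod Security labels in namespace.yaml are set to `privileged`, so the namespace neither enforces nor reports anything; `audit` and `warn` at that level discard the signal that would show which pods actually need host access. If `enforce: privileged` is required for a host-level exporter in the stack (not visible in this patch), keep it but set `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline`, so violations from Grafana, Alertmanager or anything deployed here later are still recorded. Together with the two Kyverno exemptions this commit adds for `monitoring`, the namespace starts out with several of the cluster's guard rails switched off at once. A short comment on the labels should name the component that needs the exemption.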