diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index a8c6cb4..4ee2bb0 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -7,4 +7,5 @@ resources:
 - ./download
 - ./management
 - ./tools
-- ./irc
\ No newline at end of file
+- ./irc
+- ./monitoring
\ No newline at end of file
diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
new file mode 100644
index 0000000..639c538
--- /dev/null
+++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
@@ -0,0 +1,79 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kube-prometheus-stack
+ namespace: monitoring
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: kube-prometheus-stack
+ version: 45.10.x
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community-charts
+ namespace: flux-system
+
+ values:
+
+ # Temporarily disable
+ alertmanager:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ hosts:
+ - host: &alertmanager-host alertmanager.${SECRET_NEW_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ number: 9093
+ tls:
+ - hosts:
+ - *alertmanager-host
+ secretName: wildcard-main-tls
+
+ grafana:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ hosts:
+ - host: &grafana-host grafana.${SECRET_NEW_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ name: http-web
+ tls:
+ - hosts:
+ - *grafana-host
+ secretName: wildcard-main-tls
+
+ # Enable this when the cluster expands to have more than a single node
+ kubeEtcd:
+ enabled: false
+
+ prometheus:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ hosts:
+ - host: &prometheus-host metrics.${SECRET_NEW_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ port: 9090
+ tls:
+ - hosts:
+ - *prometheus-host
+ secretName: wildcard-main-tls
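Review bot: The `# Temporarily disable` comment at the top of `values:` contradicts the `alertmanager:` stanza directly under it, which sets `ingress.enabled: true` and publishes the Alertmanager UI (where silences can be created and notifications muted) at `alertmanager.${SECRET_NEW_DOMAIN}`; either the comment is stale and should be removed, or the ingress should be `enabled: false` until exposure behind the authentik middleware is actually intended. All three ingresses also pair `cert-manager.io/cluster-issuer: letsencrypt-production` with the same `secretName: wildcard-main-tls`; if that secret is an existing wildcard certificate, ingress-shim will try to issue a per-host certificate into it and the three Ingresses will overwrite one another's Secret, so drop the annotation or give each host its own `secretName`. The three `service:` stanzas use three different keys (`number`, `name`, `port`), which reads like raw networking.k8s.io Ingress syntax rather than the chart's `ingress.hosts`/`ingress.paths` values; confirm the rendered Ingress objects carry the expected host rules before relying on them for exposure. `version: 45.10.x` lets Flux roll to any new patch release of the chart at each 5m reconcile without a review step; pinning an exact version keeps chart upgrades visible in commit history.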
diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-repository.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-repository.yaml
new file mode 100644
index 0000000..a705018
--- /dev/null
+++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: prometheus-community-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://prometheus-community.github.io/helm-charts
\ No newline at end of file
diff --git a/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml b/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml
new file mode 100644
index 0000000..14a2c31
--- /dev/null
+++ b/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-repository.yaml
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/monitoring/kustomization.yaml b/cluster/apps/monitoring/kustomization.yaml
new file mode 100644
index 0000000..4e710c0
--- /dev/null
+++ b/cluster/apps/monitoring/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./network_policy.yaml
+- ./kube-prometheus-stack
\ No newline at end of file
diff --git a/cluster/apps/monitoring/namespace.yaml b/cluster/apps/monitoring/namespace.yaml
new file mode 100644
index 0000000..ecd0387
--- /dev/null
+++ b/cluster/apps/monitoring/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+ labels:
+ name: monitoring
\ No newline at end of file
diff --git a/cluster/apps/monitoring/network_policy.yaml b/cluster/apps/monitoring/network_policy.yaml
new file mode 100644
index 0000000..393e732
--- /dev/null
+++ b/cluster/apps/monitoring/network_policy.yaml
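Review bot: The HelmRepository is created in `namespace: flux-system` while the HelmRelease that consumes it lives in `monitoring`, so the release depends on a cross-namespace `sourceRef`; Flux can be run with cross-namespace references disabled for tenant isolation, and this release would then stop reconciling. Creating the repository as `namespace: monitoring` beside the release avoids that and keeps the chart source inside the same trust boundary as the workload it feeds. A plain HTTPS HelmRepository offers no signature verification, so the chart version pinned in the HelmRelease is the only supply-chain control here; a one-line comment such as `# no chart signature verification; pin an exact chart version in the HelmRelease` would make that explicit for the next maintainer.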
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-most-allow-some
+ namespace: monitoring
+spec:
+ # Apply to all pods in this namespace
+ podSelector: {}
+ ingress:
+ - from:
+ # Allow all pods in this namespace
+ - namespaceSelector:
+ matchLabels:
+ name: "monitoring"
+# - podSelector: {}
+
+ # Allow traefik pods
+ - namespaceSelector:
+ matchLabels:
+ name: "traefik"
+
+ # Allow all pods with this label
+ - podSelector:
+ matchLabels:
+ needsMonitoring: "yes"
\ No newline at end of file
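Review bot: The third peer, `podSelector: matchLabels: needsMonitoring: "yes"`, does not do what its comment says: a `podSelector` with no `namespaceSelector` in the same `from` element only matches pods in the policy's own namespace (`monitoring`), which the first peer already admits, so the rule is redundant and a labelled pod in any other namespace is still denied. If cross-namespace pods are meant to reach the monitoring workloads, put both selectors in one element, e.g. `- namespaceSelector: {}` followed by `  podSelector: {matchLabels: {needsMonitoring: "yes"}}`. The two namespace peers key on the custom `name:` label rather than the immutable `kubernetes.io/metadata.name` label, so anyone able to label a namespace `name: traefik` is admitted, and traffic from the real traefik namespace is silently blocked until that namespace carries the label, which this commit does not show. Egress is left unrestricted, which is presumably intended since Prometheus scrapes cluster-wide, but stating that in the header comment would save the next reader from assuming it was an oversight.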