From 49ad416dfc6c50ab0897f38e9df4547f7a1d0aca Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Mon, 1 May 2023 21:04:54 -0400
Subject: [PATCH] Attempt to fix minio ldap auth
---
 cluster/apps/database/minio/minio.sops.yaml | 8 +-
 .../apps/monitoring/mimir/helm-release.yaml | 188 ++++++++++++++++++
 .../apps/monitoring/mimir/kustomization.yaml | 5 +
 cluster/apps/monitoring/mimir/mimir.sops.yaml | 61 ++++++
 .../apps/monitoring/varken/helm-release.yaml | 45 +++++
 .../apps/monitoring/varken/kustomization.yaml | 4 +
 cluster/core/helm-repositories.yaml | 9 +
 7 files changed, 316 insertions(+), 4 deletions(-)
 create mode 100644 cluster/apps/monitoring/mimir/helm-release.yaml
 create mode 100644 cluster/apps/monitoring/mimir/kustomization.yaml
 create mode 100644 cluster/apps/monitoring/mimir/mimir.sops.yaml
 create mode 100644 cluster/apps/monitoring/varken/helm-release.yaml
 create mode 100644 cluster/apps/monitoring/varken/kustomization.yaml
diff --git a/cluster/apps/database/minio/minio.sops.yaml b/cluster/apps/database/minio/minio.sops.yaml
index 6584a8a..8bad4a9 100644
--- a/cluster/apps/database/minio/minio.sops.yaml
+++ b/cluster/apps/database/minio/minio.sops.yaml
@@ -11,8 +11,8 @@ stringData:
 MINIO_IDENTITY_LDAP_SERVER_INSECURE: ENC[AES256_GCM,data:1rM=,iv:SKhuvzcjXy7FJqZeMTtO3alvWa2E1YYRAkM4T1YnDc0=,tag:znUtC3Q0okedbOv7zVOUgQ==,type:str]
 MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN: ENC[AES256_GCM,data:33aRyIxdLvW0+I2YDwh8VifqoYoWrIL84ORiQHqqFlFvZaiimTWBNg46BhI8IC4e,iv:qeo9vFoqidUoPI19CQwP4SDqTWuNEWFvTKmipoKZwPs=,tag:7GIwLOBq4ni9ELGLdsYgNw==,type:str]
 MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD: ENC[AES256_GCM,data:pIuhgM5tnwYEUTH9D6lHoDhovoGNLV/hCKhWyPmk7hCAyT2UY1I8jGIXdErpF9YZkLcs74pMuQrJZyjg,iv:fP6UzgfOxRmmoGzDmeqO02liSzxbc3LXDkWffUY5rFU=,tag:gAPlBlSmk3sRaoFoA6uytA==,type:str]
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN: ENC[AES256_GCM,data:DWnv61mf/MxeiT7qxv3Qs0XN03662En/pV0=,iv:38NWSoL8moO3W/Hja1M5WMdzfWmsZ4UDQKGJhQhR7CQ=,tag:lRAFgi7Fv6cSZScdIlPKZA==,type:str]
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: ENC[AES256_GCM,data:+F8SwQ8NnYkegYOJWAjAbeytMQ==,iv:KRBpb/ss3dYJA9CeARi4BHrUIwq8jsmXQ0N5sT/fA0M=,tag:SmBeODb3/2qV/hQTINflMA==,type:str]
+ MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN: ENC[AES256_GCM,data:02OYrQjYtrGR6wEZJsQbx09MdnulkfqekarDs8h/5QPZvvk=,iv:as6fwRCKLoDRtAsE3LhAR2WQ8M+fa3oxKrsXmbUDg9M=,tag:eb5yN3brZehHH82aHkXYhQ==,type:str]
+ MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: ENC[AES256_GCM,data:gb8mewlGeToPCKWzqi2K+1Dr4D9BaQejcJhAbtTJXi6dPxBm1wM/pw==,iv:Iey3fRyFa+pHhTfPz6+KEhQgoCH9QaElgCEab0Uw11I=,tag:HLcARuBJqLXZMK4nVk2jKw==,type:str]
 MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN: ENC[AES256_GCM,data:/NShkg0AAnNNvADI0M3p47GjTrbUYAsyKB65bP21e2WFoF8f,iv:G7qgm3JD7lD7qc0fUVraUf5SFCgLndjnwRbbQH4KGVQ=,tag:xmpu0Y+23MMIBjER4PKXYg==,type:str]
 MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER: ENC[AES256_GCM,data:ua2lxGZOEosUk5h71qlMVsxHOTua/nUEiXPkrGqXX69SDOlR6CofDg==,iv:Lzr/kDtpJ0QU/eIlB16L0Wsym48m20a7sAbI4xsaXKs=,tag:LaognVNlPVCOXPkRWyz3Zg==,type:str]
 sops:
@@ -21,8 +21,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-04-26T02:24:15Z"
- mac: ENC[AES256_GCM,data:gXmUc+E90HtcgNA/JJWyHSeb3CsSNRTlKdR3bEnE5PI23AiXCx0ZAXJi1c1JiOKxIOQNiHh2BtTwHdP7BHjAYERah1N3iWlVBvGMPt/sPO+SC1kSsaauqW0B/XFoEguULviLqP01Mt/V4f+JqsdWQJaraTkwHVlwEz646/XJrbA=,iv:9lCXv8SNXWSJAW7gA+wguY+Zf81YwlG3INereKTRUUs=,tag:AguuU1vSIGt49BhMYItrMA==,type:str]
+ lastmodified: "2023-05-02T01:04:37Z"
+ mac: ENC[AES256_GCM,data:gDdMq2TKdDFcB62nOeUImdE5+iUKTdg1Yy58NgaENnGytCven1zjHEEAB1gRFAMHrzpgEkYpMKmeamVduetDGFriZD0CCJzfm6FyTtzZ9h7l1KrXowJJtSrycI7PJSylx2cwdqCBBw0JJzrcVUWr1UcLMvOuKtnWNcajmQCqiCc=,iv:vXXPDmATomJ5gLESj+gJ5NCTWcNJxd0HFixN2oQrIXw=,tag:AHVUyQginmTkTS/+cnZ6YQ==,type:str]
 pgp:
 - created_at: "2023-04-07T01:57:22Z"
 enc: |
diff --git a/cluster/apps/monitoring/mimir/helm-release.yaml b/cluster/apps/monitoring/mimir/helm-release.yaml
new file mode 100644
index 0000000..afdbf51
--- /dev/null
+++ b/cluster/apps/monitoring/mimir/helm-release.yaml
@@ -0,0 +1,188 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: mimir
+ namespace: monitoring
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: mimir-distributed
+ version: 2.8.x
+ sourceRef:
+ kind: HelmRepository
+ name: grafana-charts
+ namespace: flux-system
+
+ values:
+ global:
+ extraEnvFrom:
+ - secretRef:
+ name: mimir-secret
+
+ mimir:
+ structuredConfig:
+ common:
+ storage:
+ backend: s3
+ s3:
+ endpoint: minio.database:9000
+ access_key_id: $${S3_ACCESS_KEY}
+ secret_access_key: $${S3_SECRET_KEY}
+ insecure: true
+ bucket_name: mimir
+
+ compactor:
+ persistentVolume:
+ size: 20Gi
+ resources:
+ limits:
+ memory: 2.1Gi
+ requests:
+ cpu: 1
+ memory: 1.5Gi
+
+ distributor:
+ replicas: 2
+ resources:
+ limits:
+ memory: 5.7Gi
+ requests:
+ cpu: 2
+ memory: 4Gi
+
+ ingester:
+ persistentVolume:
+ size: 50Gi
+ replicas: 3
+ resources:
+ limits:
+ memory: 12Gi
+ requests:
+ cpu: 3.5
+ memory: 8Gi
+ topologySpreadConstraints: {}
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: target # support for enterprise.legacyLabels
+ operator: In
+ values:
+ - ingester
+ topologyKey: 'kubernetes.io/hostname'
+
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - ingester
+ topologyKey: 'kubernetes.io/hostname'
+
+ zoneAwareReplication:
+ topologyKey: 'kubernetes.io/hostname'
+
+ admin-cache:
+ enabled: true
+ replicas: 2
+
+ chunks-cache:
+ enabled: true
+ replicas: 2
+
+ index-cache:
+ enabled: true
+ replicas: 3
+
+ metadata-cache:
+ enabled: true
+
+ results-cache:
+ enabled: true
+ replicas: 2
+
+ minio:
+ enabled: false
+
+ # Deployed by kube-prometheus-stack
+ alertmanager:
+ enabled: false
+
+ overrides_exporter:
+ replicas: 1
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ querier:
+ replicas: 1
+ resources:
+ limits:
+ memory: 5.6Gi
+ requests:
+ cpu: 2
+ memory: 4Gi
+
+ query_frontend:
+ replicas: 1
+ resources:
+ limits:
+ memory: 2.8Gi
+ requests:
+ cpu: 2
+ memory: 2Gi
+
+ ruler:
+ replicas: 1
+ resources:
+ limits:
+ memory: 2.8Gi
+ requests:
+ cpu: 1
+ memory: 2Gi
+
+ store_gateway:
+ persistentVolume:
+ size: 10Gi
+ replicas: 3
+ resources:
+ limits:
+ memory: 2.1Gi
+ requests:
+ cpu: 1
+ memory: 1.5Gi
+ topologySpreadConstraints: {}
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: target # support for enterprise.legacyLabels
+ operator: In
+ values:
+ - store-gateway
+ topologyKey: 'kubernetes.io/hostname'
+
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - store-gateway
+ topologyKey: 'kubernetes.io/hostname'
+ zoneAwareReplication:
+ topologyKey: 'kubernetes.io/hostname'
+
+ nginx:
+ replicas: 1
+ resources:
+ limits:
+ memory: 731Mi
+ requests:
+ cpu: 1
+ memory: 512Mi
\ No newline at end of file
diff --git a/cluster/apps/monitoring/mimir/kustomization.yaml b/cluster/apps/monitoring/mimir/kustomization.yaml
new file mode 100644
index 0000000..67f50b9
--- /dev/null
+++ b/cluster/apps/monitoring/mimir/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./mimir.sops.yaml
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/monitoring/mimir/mimir.sops.yaml b/cluster/apps/monitoring/mimir/mimir.sops.yaml
new file mode 100644
index 0000000..6428203
--- /dev/null
+++ b/cluster/apps/monitoring/mimir/mimir.sops.yaml
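Review bot: In `mimir/helm-release.yaml`, `insecure: true` under `common.storage.s3` makes Mimir reach `minio.database:9000` over plain HTTP, so signed requests and all block and rule data cross the cluster network unencrypted. Either serve TLS on MinIO and drop the flag, or record the decision next to it with a comment such as `# plain HTTP to in-cluster MinIO; remove once MinIO serves TLS`. `global.extraEnvFrom` also appears to place `mimir-secret` in the environment of every component, including ones that likely never talk to object storage (nginx, overrides_exporter), so scoping the secret to the components that need it would narrow exposure; confirm which per-component keys this chart version offers. The `$${S3_ACCESS_KEY}` references resolve only if Mimir expands environment variables in its config, which is worth verifying for the pinned chart version.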
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mimir-secret
+ namespace: monitoring
+stringData:
+ S3_ACCESS_KEY: ENC[AES256_GCM,data:jfnHq3DE,iv:Ft3d/tbvCKuTDHmCXZJgYl5xVBOwIj0Zkc9+JgILDAI=,tag:5bcZBsODsA9Pi2vf5OGsHg==,type:str]
+ S3_SECRET_KEY: ENC[AES256_GCM,data:3WpNKx1d,iv:M5xewbvJm+U8td7kIpkPImd2gDIFfVTGVIR5BJtfoB8=,tag:X78jSBvcHbSIu6S8W8yZNA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-05-01T22:12:24Z"
+ mac: ENC[AES256_GCM,data:SywFZE0Kj1lx1X1f5chgW7qycPwQvHkRz/35F/hKBLjr0UXI1T9D3IIQeNZlTrxJwSiCvm/+FxMxbF4hJBfZ61Z2jfgwDINghPkoNJothgV0dlPtFTfApgK2BfNqWffhPc3Qj4cmuQZV6kG0h05CbKL4PN89DQ/aEDPPbKI01lo=,iv:x1ZGglUJM/PT5gZgvxRR411pSFmlDkEADrd3arCqFdY=,tag:0xlalnODXYns3CpuDxt9vQ==,type:str]
+ pgp:
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+ KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+ /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+ PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+ cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+ W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+ FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+ N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+ rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+ 9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+ JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+ aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+ o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+ pjU1GRaK5AlT
+ =mItp
+ -----END PGP MESSAGE-----
+ fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+ TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+ Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+ /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+ JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+ AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+ E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+ /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+ RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+ hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+ roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+ aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+ 9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+ fux0T5xDbgq5
+ =eiXM
+ -----END PGP MESSAGE-----
+ fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/monitoring/varken/helm-release.yaml b/cluster/apps/monitoring/varken/helm-release.yaml
new file mode 100644
index 0000000..c85aa8c
--- /dev/null
+++ b/cluster/apps/monitoring/varken/helm-release.yaml
@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: varken
+ namespace: monitoring
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.3.x
+ sourceRef:
+ kind: HelmRepository
+ name: bjws-charts
+ namespace: flux-system
+
+ values:
+ image:
+ repository: ghcr.io/boerderij/varken:nightly
+ tag: develop
+
+ probes:
+ liveness:
+ enabled: false
+
+ serviceMonitor:
+ main:
+ enabled: true
+
+ labels:
+ release: kube-prometheus-stack
+
+ endpoints:
+ - port: http
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+
+# resources:
+# requests:
+# cpu: 1m
+# memory: 140Mi
+# limits:
+# memory: 300Mi
\ No newline at end of file
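Review bot: In `mimir.sops.yaml`, the `data:` fields of `S3_ACCESS_KEY` and `S3_SECRET_KEY` are eight base64 characters each, which is six bytes. SOPS's AES-GCM ciphertext is as long as its plaintext, so both credentials appear to be six characters. That is short for the key pair guarding the metrics bucket and, as far as I know, below MinIO's eight-character minimum for a secret key, so these look like placeholders or a weak pair. Replace them with a long random secret for a dedicated MinIO user limited to the `mimir` bucket and re-encrypt the file; with a high-entropy value the visible length stops mattering.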
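Review bot: In `varken/helm-release.yaml`, `repository: ghcr.io/boerderij/varken:nightly` already carries a tag and is paired with `tag: develop`; if the chart joins the two as `repository:tag` the image reference is malformed, and in either reading the image is a floating tag that can change under the cluster without any commit. Keep the tag out of the repository field and pin what runs, for example `repository: ghcr.io/boerderij/varken` with `tag: develop@sha256:<digest>` (placeholder digest; check that the chart accepts a digest in `tag`). The liveness probe is disabled and the `resources` block is commented out, so a hung or leaking container is neither restarted nor bounded; a one-line comment explaining why would help the next reader.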
diff --git a/cluster/apps/monitoring/varken/kustomization.yaml b/cluster/apps/monitoring/varken/kustomization.yaml
new file mode 100644
index 0000000..ea3145d
--- /dev/null
+++ b/cluster/apps/monitoring/varken/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/cluster/core/helm-repositories.yaml b/cluster/core/helm-repositories.yaml
index 403bd1f..a65e683 100644
--- a/cluster/core/helm-repositories.yaml
+++ b/cluster/core/helm-repositories.yaml
@@ -15,3 +15,12 @@ metadata:
 spec:
 interval: 1m
 url: https://bjw-s.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: grafana-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://grafana.github.io/helm-charts
\ No newline at end of file