Attempt to fix minio ldap auth

cluster/apps/database/minio/minio.sops.yaml

@@ -11,8 +11,8 @@ stringData:
     MINIO_IDENTITY_LDAP_SERVER_INSECURE: ENC[AES256_GCM,data:1rM=,iv:SKhuvzcjXy7FJqZeMTtO3alvWa2E1YYRAkM4T1YnDc0=,tag:znUtC3Q0okedbOv7zVOUgQ==,type:str]
     MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN: ENC[AES256_GCM,data:33aRyIxdLvW0+I2YDwh8VifqoYoWrIL84ORiQHqqFlFvZaiimTWBNg46BhI8IC4e,iv:qeo9vFoqidUoPI19CQwP4SDqTWuNEWFvTKmipoKZwPs=,tag:7GIwLOBq4ni9ELGLdsYgNw==,type:str]
     MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD: ENC[AES256_GCM,data:pIuhgM5tnwYEUTH9D6lHoDhovoGNLV/hCKhWyPmk7hCAyT2UY1I8jGIXdErpF9YZkLcs74pMuQrJZyjg,iv:fP6UzgfOxRmmoGzDmeqO02liSzxbc3LXDkWffUY5rFU=,tag:gAPlBlSmk3sRaoFoA6uytA==,type:str]
-    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN: ENC[AES256_GCM,data:DWnv61mf/MxeiT7qxv3Qs0XN03662En/pV0=,iv:38NWSoL8moO3W/Hja1M5WMdzfWmsZ4UDQKGJhQhR7CQ=,tag:lRAFgi7Fv6cSZScdIlPKZA==,type:str]
+    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN: ENC[AES256_GCM,data:02OYrQjYtrGR6wEZJsQbx09MdnulkfqekarDs8h/5QPZvvk=,iv:as6fwRCKLoDRtAsE3LhAR2WQ8M+fa3oxKrsXmbUDg9M=,tag:eb5yN3brZehHH82aHkXYhQ==,type:str]
-    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: ENC[AES256_GCM,data:+F8SwQ8NnYkegYOJWAjAbeytMQ==,iv:KRBpb/ss3dYJA9CeARi4BHrUIwq8jsmXQ0N5sT/fA0M=,tag:SmBeODb3/2qV/hQTINflMA==,type:str]
+    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: ENC[AES256_GCM,data:gb8mewlGeToPCKWzqi2K+1Dr4D9BaQejcJhAbtTJXi6dPxBm1wM/pw==,iv:Iey3fRyFa+pHhTfPz6+KEhQgoCH9QaElgCEab0Uw11I=,tag:HLcARuBJqLXZMK4nVk2jKw==,type:str]
     MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN: ENC[AES256_GCM,data:/NShkg0AAnNNvADI0M3p47GjTrbUYAsyKB65bP21e2WFoF8f,iv:G7qgm3JD7lD7qc0fUVraUf5SFCgLndjnwRbbQH4KGVQ=,tag:xmpu0Y+23MMIBjER4PKXYg==,type:str]
     MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER: ENC[AES256_GCM,data:ua2lxGZOEosUk5h71qlMVsxHOTua/nUEiXPkrGqXX69SDOlR6CofDg==,iv:Lzr/kDtpJ0QU/eIlB16L0Wsym48m20a7sAbI4xsaXKs=,tag:LaognVNlPVCOXPkRWyz3Zg==,type:str]
 sops:
@@ -21,8 +21,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-04-26T02:24:15Z"
+    lastmodified: "2023-05-02T01:04:37Z"
-    mac: ENC[AES256_GCM,data:gXmUc+E90HtcgNA/JJWyHSeb3CsSNRTlKdR3bEnE5PI23AiXCx0ZAXJi1c1JiOKxIOQNiHh2BtTwHdP7BHjAYERah1N3iWlVBvGMPt/sPO+SC1kSsaauqW0B/XFoEguULviLqP01Mt/V4f+JqsdWQJaraTkwHVlwEz646/XJrbA=,iv:9lCXv8SNXWSJAW7gA+wguY+Zf81YwlG3INereKTRUUs=,tag:AguuU1vSIGt49BhMYItrMA==,type:str]
+    mac: ENC[AES256_GCM,data:gDdMq2TKdDFcB62nOeUImdE5+iUKTdg1Yy58NgaENnGytCven1zjHEEAB1gRFAMHrzpgEkYpMKmeamVduetDGFriZD0CCJzfm6FyTtzZ9h7l1KrXowJJtSrycI7PJSylx2cwdqCBBw0JJzrcVUWr1UcLMvOuKtnWNcajmQCqiCc=,iv:vXXPDmATomJ5gLESj+gJ5NCTWcNJxd0HFixN2oQrIXw=,tag:AHVUyQginmTkTS/+cnZ6YQ==,type:str]
     pgp:
         - created_at: "2023-04-07T01:57:22Z"
           enc: |

cluster/apps/monitoring/mimir/helm-release.yaml

@@ -0,0 +1,188 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: mimir
+  namespace: monitoring
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: mimir-distributed
+      version: 2.8.x
+      sourceRef:
+        kind: HelmRepository
+        name: grafana-charts
+        namespace: flux-system
+
+  values:
+    global:
+      extraEnvFrom:
+      - secretRef:
+        name: mimir-secret
+
+    mimir:
+      structuredConfig:
+        common:
+          storage:
+            backend: s3
+            s3:
+              endpoint: minio.database:9000
+              access_key_id: $${S3_ACCESS_KEY}
+              secret_access_key: $${S3_SECRET_KEY}
+              insecure: true
+              bucket_name: mimir
+
+    compactor:
+      persistentVolume:
+        size: 20Gi
+      resources:
+        limits:
+          memory: 2.1Gi
+        requests:
+          cpu: 1
+          memory: 1.5Gi
+
+    distributor:
+      replicas: 2
+      resources:
+        limits:
+          memory: 5.7Gi
+        requests:
+          cpu: 2
+          memory: 4Gi
+
+    ingester:
+      persistentVolume:
+        size: 50Gi
+      replicas: 3
+      resources:
+        limits:
+          memory: 12Gi
+        requests:
+          cpu: 3.5
+          memory: 8Gi
+      topologySpreadConstraints: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: target # support for enterprise.legacyLabels
+                    operator: In
+                    values:
+                      - ingester
+              topologyKey: 'kubernetes.io/hostname'
+
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/component
+                    operator: In
+                    values:
+                      - ingester
+              topologyKey: 'kubernetes.io/hostname'
+
+      zoneAwareReplication:
+        topologyKey: 'kubernetes.io/hostname'
+
+    admin-cache:
+      enabled: true
+      replicas: 2
+
+    chunks-cache:
+      enabled: true
+      replicas: 2
+
+    index-cache:
+      enabled: true
+      replicas: 3
+
+    metadata-cache:
+      enabled: true
+
+    results-cache:
+      enabled: true
+      replicas: 2
+
+    minio:
+      enabled: false
+
+    # Deployed by kube-prometheus-stack
+    alertmanager:
+      enabled: false
+
+    overrides_exporter:
+      replicas: 1
+      resources:
+        limits:
+          memory: 128Mi
+        requests:
+          cpu: 100m
+          memory: 128Mi
+
+    querier:
+      replicas: 1
+      resources:
+        limits:
+          memory: 5.6Gi
+        requests:
+          cpu: 2
+          memory: 4Gi
+
+    query_frontend:
+      replicas: 1
+      resources:
+        limits:
+          memory: 2.8Gi
+        requests:
+          cpu: 2
+          memory: 2Gi
+
+    ruler:
+      replicas: 1
+      resources:
+        limits:
+          memory: 2.8Gi
+        requests:
+          cpu: 1
+          memory: 2Gi
+
+    store_gateway:
+      persistentVolume:
+        size: 10Gi
+      replicas: 3
+      resources:
+        limits:
+          memory: 2.1Gi
+        requests:
+          cpu: 1
+          memory: 1.5Gi
+      topologySpreadConstraints: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: target # support for enterprise.legacyLabels
+                    operator: In
+                    values:
+                      - store-gateway
+              topologyKey: 'kubernetes.io/hostname'
+
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/component
+                    operator: In
+                    values:
+                      - store-gateway
+              topologyKey: 'kubernetes.io/hostname'
+      zoneAwareReplication:
+        topologyKey: 'kubernetes.io/hostname'
+
+    nginx:
+      replicas: 1
+      resources:
+        limits:
+          memory: 731Mi
+        requests:
+          cpu: 1
+          memory: 512Mi

cluster/apps/monitoring/mimir/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./mimir.sops.yaml
+- ./helm-release.yaml

cluster/apps/monitoring/mimir/mimir.sops.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: mimir-secret
+    namespace: monitoring
+stringData:
+    S3_ACCESS_KEY: ENC[AES256_GCM,data:jfnHq3DE,iv:Ft3d/tbvCKuTDHmCXZJgYl5xVBOwIj0Zkc9+JgILDAI=,tag:5bcZBsODsA9Pi2vf5OGsHg==,type:str]
+    S3_SECRET_KEY: ENC[AES256_GCM,data:3WpNKx1d,iv:M5xewbvJm+U8td7kIpkPImd2gDIFfVTGVIR5BJtfoB8=,tag:X78jSBvcHbSIu6S8W8yZNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-05-01T22:12:24Z"
+    mac: ENC[AES256_GCM,data:SywFZE0Kj1lx1X1f5chgW7qycPwQvHkRz/35F/hKBLjr0UXI1T9D3IIQeNZlTrxJwSiCvm/+FxMxbF4hJBfZ61Z2jfgwDINghPkoNJothgV0dlPtFTfApgK2BfNqWffhPc3Qj4cmuQZV6kG0h05CbKL4PN89DQ/aEDPPbKI01lo=,iv:x1ZGglUJM/PT5gZgvxRR411pSFmlDkEADrd3arCqFdY=,tag:0xlalnODXYns3CpuDxt9vQ==,type:str]
+    pgp:
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+            KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+            /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+            PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+            cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+            W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+            FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+            N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+            rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+            9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+            JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+            aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+            o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+            pjU1GRaK5AlT
+            =mItp
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+            TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+            Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+            /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+            JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+            AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+            E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+            /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+            RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+            hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+            roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+            aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+            9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+            fux0T5xDbgq5
+            =eiXM
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/monitoring/varken/helm-release.yaml

@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: varken
+  namespace: monitoring
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/boerderij/varken:nightly
+      tag: develop
+
+    probes:
+      liveness:
+        enabled: false
+
+    serviceMonitor:
+      main:
+        enabled: true
+
+        labels:
+          release: kube-prometheus-stack
+
+        endpoints:
+        - port: http
+          scheme: http
+          path: /metrics
+          interval: 1m
+          scrapeTimeout: 10s
+
+#    resources:
+#      requests:
+#        cpu: 1m
+#        memory: 140Mi
+#      limits:
+#        memory: 300Mi

cluster/apps/monitoring/varken/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml

cluster/core/helm-repositories.yaml

@@ -15,3 +15,12 @@ metadata:
 spec:
   interval: 1m
   url: https://bjw-s.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: grafana-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://grafana.github.io/helm-charts