Kubernetes: add monitoring (victoria metrics)

Author: YuryHrytsuk

charts/calico-configuration/templates/globalpolicy.yaml

@@ -8,7 +8,7 @@ spec:
   # "calico-system", "calico-apiserver", "tigera-operator" -- calico namespaces (when installed via scripts [local deployment])
   # TODO: other namespaces are to be removed from this list (once appropriate network policies are created)
   namespaceSelector:
-    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn"}
+    kubernetes.io/metadata.name not in {"kube-public", "kube-system", "kube-node-lease", "calico-system", "calico-apiserver", "tigera-operator", "reflector", "traefik", "victoria-logs", "csi-s3", "portainer", "topolvm", "local-path-storage", "longhorn", "victoria-metrics-operator"}
   types:
     - Ingress
     - Egress

charts/victoria-metrics-k8s-stack/namespace.yaml

@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    pod-security.kubernetes.io/enforce: restricted

charts/victoria-metrics-k8s-stack/values.yaml.gotmpl

@@ -0,0 +1,83 @@
+vmsingle:
+  # values documented here https://docs.victoriametrics.com/operator/api/#vmsingle
+  spec:
+    replicaCount: 2
+    port: "8428"  # must be string or field validation fails
+    useStrictSecurity: true
+
+    # podSecurityContext: &restrictedPodSecurityContext
+    #   enabled: true
+    #   runAsNonRoot: true
+    #   runAsUser: 1000
+    #   privileged: false
+
+    securityContext: &restrictedSecurityContext
+      enabled: true
+      capabilities:
+        drop: ["ALL"]
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      seccompProfile:
+        type: RuntimeDefault
+
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: DoNotSchedule
+        # hardcoded due to https://github.com/VictoriaMetrics/helm-charts/issues/2219
+        labelSelector:
+          matchLabels:
+            app: server
+            app.kubernetes.io/instance: victoria-metrics
+            app.kubernetes.io/name: victoria-metrics-k8s-stack
+# we manage operator and crds in separate chart
+# it is easier to delete victoria metrics charts
+# separately this way
+victoria-metrics-operator:
+  enabled: false
+
+alertmanager:
+  enabled: false
+
+vmagent:
+  enabled: false
+
+vmalert:
+  enabled: false
+
+grafana:
+  enabled: false
+
+prometheus-node-exporter:
+  enabled: false
+
+kube-state-metrics:
+  enabled: false
+
+kubelet:
+  enabled: false
+
+kubeApiServer:
+  enabled: false
+
+kubeControllerManager:
+  enabled: false
+
+coreDns:
+  # -- Enabled CoreDNS metrics scraping
+  enabled: false
+
+kubeEtcd:
+  enabled: false
+
+kubeScheduler:
+  # -- Enable KubeScheduler metrics scraping
+  enabled: false
+
+defaultDashboards:
+  # -- Enable custom dashboards installation
+  enabled: false
+
+defaultRules:
+  # -- Enable custom alerting rules installation
+  create: false

charts/victoria-metrics-operator/namespace.yaml

@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: victoria-metrics-operator
+  labels:
+    pod-security.kubernetes.io/enforce: restricted

charts/victoria-metrics-operator/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+securityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+admissionWebhooks:
+  certManager:
+    # avoid new cert generation on every helm run
+    enabled: true

charts/victoria-metrics-stack/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: victoria-metrics-single
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.25.2
+- name: victoria-metrics-agent
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.26.2
+digest: sha256:e9a8c4ed4495ecfcf9962a6aa7fc9f6a6e8813e69a20daa9bb38b2d9a018c50e
+generated: "2025-10-26T12:42:21.158234622+01:00"

charts/victoria-metrics-stack/Chart.yaml

@@ -0,0 +1,39 @@
+apiVersion: v2
+name: victoria-metrics-stack
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.128.0"
+
+dependencies:
+  - name: victoria-metrics-single
+    version: 0.25.2
+    repository: &victoria-metrics-repo "https://victoriametrics.github.io/helm-charts/"
+    condition: victoria-metrics-single.enabled
+
+  # - name: victoria-metrics-auth
+  #   version: 0.19.7
+  #   repository: *victoria-metrics-repo
+
+  - name: victoria-metrics-agent
+    version: 0.26.2
+    repository: *victoria-metrics-repo
+    condition: victoria-metrics-agent.enabled

charts/victoria-metrics-stack/namespace.yaml

@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    pod-security.kubernetes.io/enforce: restricted

charts/victoria-metrics-stack/templates/networkpolicies.yaml

@@ -0,0 +1,40 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-server-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-single"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
+
+---
+
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-agent-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-agent"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}

charts/victoria-metrics-stack/values.yaml.gotmpl

@@ -0,0 +1,50 @@
+victoria-metrics-single:
+  enabled: true
+
+  server:
+    replicaCount: 2
+
+    service:
+      servicePort: 8428
+
+    mode: statefulSet
+
+    # avoid name to long (>63 char) error
+    fullnameOverride: vm-server
+
+    podSecurityContext: &restrictedPodSecurityContext
+      enabled: true
+      runAsNonRoot: true
+      runAsUser: 1000
+      privileged: false
+
+    securityContext: &restrictedSecurityContext
+      enabled: true
+      capabilities:
+        drop: ["ALL"]
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      seccompProfile:
+        type: RuntimeDefault
+
+victoria-metrics-agent:
+  enabled: true
+  fullnameOverride: vm-agent
+
+  config:
+    global:
+      scrape_interval: 20s
+
+  service:
+    enabled: true
+    servicePort: 8429
+
+  remoteWrite:
+    - url: "http://vm-server-0.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/api/v1/write"
+    - url: "http://vm-server-1.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/api/v1/write"
+
+  podSecurityContext: *restrictedPodSecurityContext
+  securityContext: *restrictedSecurityContext
+
+
+victoria-metrics-auth: