diff --git a/charts/Makefile b/charts/Makefile index 391e44f3..6b63312e 100644 --- a/charts/Makefile +++ b/charts/Makefile @@ -52,11 +52,6 @@ helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences @set -a; source $(REPO_CONFIG_LOCATION); set +a; \ $(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff -.PHONY: helmfile-delete -helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration - @set -a; source $(REPO_CONFIG_LOCATION); set +a; \ - $(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete - .PHONY: up up: helmfile-apply ## Start the stack diff --git a/charts/traefik/values.common.yaml.gotmpl b/charts/traefik/values.common.yaml.gotmpl index 330d49bf..936ffb86 100644 --- a/charts/traefik/values.common.yaml.gotmpl +++ b/charts/traefik/values.common.yaml.gotmpl @@ -133,6 +133,27 @@ extraObjects: - 172.16.0.0/12 - 192.168.0.0/16 +- apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: metrics-strip-prefix + namespace: {{.Release.Namespace}} + spec: + stripPrefix: + prefixes: + - /metrics + + # a (href) links do not work properly without trailing slash +- apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: metrics-path-append-slash + namespace: {{ .Release.Namespace }} + spec: + redirectRegex: + regex: "^(https?://[^/]+/metrics)$" + replacement: "${1}/" + - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: diff --git a/charts/victoria-metrics-k8s-stack/namespace.yaml b/charts/victoria-metrics-k8s-stack/namespace.yaml new file mode 100644 index 00000000..1534f210 --- /dev/null +++ b/charts/victoria-metrics-k8s-stack/namespace.yaml 
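Review bot: The comment `# a (href) links do not work properly without trailing slash` is indented inside the first Middleware's list item, so it reads as part of `metrics-strip-prefix` rather than the `metrics-path-append-slash` object it explains; move it to column 0 directly above the second `- apiVersion: traefik.io/v1alpha1`. The two objects also spell the namespace differently, `{{.Release.Namespace}}` versus `{{ .Release.Namespace }}`; use the spaced form in both. Since `redirectRegex` is the kind of rule a reviewer checks for open-redirect behaviour, a one-line comment such as `# anchored on the request's own scheme+host, so the redirect never leaves the site` next to `regex: "^(https?://[^/]+/metrics)$"` would save the next reader that check.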
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n events` to see errors (e.g.)
+# Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+# container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
diff --git a/charts/victoria-metrics-k8s-stack/values.yaml.gotmpl b/charts/victoria-metrics-k8s-stack/values.yaml.gotmpl
new file mode 100644
index 00000000..2b63245a
--- /dev/null
+++ b/charts/victoria-metrics-k8s-stack/values.yaml.gotmpl
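Review bot: The comment line `# execute `kubectl -n events` to see errors (e.g.)` is not a runnable command (no verb, no namespace), and the same comment block is repeated verbatim in charts/victoria-metrics-operator/namespace.yaml and charts/victoria-metrics-stack/namespace.yaml in this commit; suggest `# execute `kubectl -n <namespace> get events` to see the rejection, e.g.` in all three. Because only `pod-security.kubernetes.io/enforce: restricted` is set, a violating pod is, as the comment says, dropped silently by its controller; adding `pod-security.kubernetes.io/warn: restricted` (and `audit`) alongside surfaces the violation on apply and in the audit log without changing what is enforced. Pinning `pod-security.kubernetes.io/enforce-version` is also worth considering so a control-plane upgrade cannot silently tighten the profile.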
@@ -0,0 +1,84 @@
+vmsingle:
+ # values documented here https://docs.victoriametrics.com/operator/api/#vmsingle
+ spec:
+ replicaCount: 1
+ port: "8428" # must be string or field validation fails
+ useStrictSecurity: true
+
+ # podSecurityContext: &restrictedPodSecurityContext
+ # enabled: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # privileged: false
+
+ # securityContext: &restrictedSecurityContext
+ # enabled: true
+ # capabilities:
+ # drop: ["ALL"]
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ # seccompProfile:
+ # type: RuntimeDefault
+
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: DoNotSchedule
+ # hardcoded due to https://github.com/VictoriaMetrics/helm-charts/issues/2219
+ labelSelector:
+ matchLabels:
+ app: server
+ app.kubernetes.io/instance: victoria-metrics
+ app.kubernetes.io/name: victoria-metrics-k8s-stack
+
+# we manage operator and crds in separate chart
+# it is easier to delete victoria metrics charts
+# separately this way
+victoria-metrics-operator:
+ enabled: false
+
+alertmanager:
+ enabled: false
+
+vmagent:
+ enabled: false
+
+vmalert:
+ enabled: false
+
+grafana:
+ enabled: false
+
+prometheus-node-exporter:
+ enabled: false
+
+kube-state-metrics:
+ enabled: false
+
+kubelet:
+ enabled: false
+
+kubeApiServer:
+ enabled: false
+
+kubeControllerManager:
+ enabled: false
+
+coreDns:
+ # -- Enabled CoreDNS metrics scraping
+ enabled: false
+
+kubeEtcd:
+ enabled: false
+
+kubeScheduler:
+ # -- Enable KubeScheduler metrics scraping
+ enabled: false
+
+defaultDashboards:
+ # -- Enable custom dashboards installation
+ enabled: false
+
+defaultRules:
+ # -- Enable custom alerting rules installation
+ create: false
diff --git a/charts/victoria-metrics-operator/namespace.yaml b/charts/victoria-metrics-operator/namespace.yaml
new file mode 100644
index 00000000..ec72ccbc
--- /dev/null
+++ b/charts/victoria-metrics-operator/namespace.yaml
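Review bot: `vmsingle.spec` carries two commented-out blocks (`# podSecurityContext: &restrictedPodSecurityContext …` and `# securityContext: &restrictedSecurityContext …`) with no note on why they are disabled, which leaves a reader unsure whether the resulting pods satisfy the `restricted` profile enforced on the `monitoring` namespace created in the same commit. Presumably `useStrictSecurity: true` is what makes the operator apply an equivalent context; if so, replace the dead blocks with one line such as `# security contexts are applied by the operator via useStrictSecurity (see the VMSingle API docs above)`, otherwise re-enable them. `# -- Enabled CoreDNS metrics scraping` under `coreDns` should read `# -- Enable CoreDNS metrics scraping` like its neighbours; the same typo is in charts/victoria-metrics-stack/values.yaml.gotmpl from this commit. That file also repeats most of this one, so a comment stating which of the two is authoritative would help.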
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n events` to see errors (e.g.)
+# Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+# container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: victoria-metrics-operator
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
diff --git a/charts/victoria-metrics-operator/values.yaml.gotmpl b/charts/victoria-metrics-operator/values.yaml.gotmpl
new file mode 100644
index 00000000..46900c4c
--- /dev/null
+++ b/charts/victoria-metrics-operator/values.yaml.gotmpl
@@ -0,0 +1,28 @@
+operator:
+ disable_prometheus_converter: true
+
+securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+
+admissionWebhooks:
+ certManager:
+ # avoid new cert generation on every helm run
+ enabled: true
+
+extraObjects:
+- apiVersion: projectcalico.org/v3
+ kind: NetworkPolicy
+ metadata:
+ name: victoria-metrics-operator-network-policy
+ spec:
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ nets:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - 6443
diff --git a/charts/victoria-metrics-stack/Chart.lock b/charts/victoria-metrics-stack/Chart.lock
new file mode 100644
index 00000000..a1f2915e
--- /dev/null
+++ b/charts/victoria-metrics-stack/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: victoria-metrics-k8s-stack
+ repository: https://victoriametrics.github.io/helm-charts/
+ version: 0.62.0
+digest: sha256:1bf510e968425917526abc435f4f69961cd0a940cc0f59af3a2a4f0107e9e549
+generated: "2025-11-01T10:25:28.465780639+01:00"
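Review bot: The Calico `NetworkPolicy` under `extraObjects` has no `spec.selector`, so it applies to every pod in the release namespace rather than only the operator; the sibling policies in charts/victoria-metrics-stack/networkpolicies/ from this commit all set one, e.g. `selector: app.kubernetes.io/name == "victoria-metrics-operator"` (confirm against the label the operator chart actually sets). With only an `egress` section Calico infers `types: [Egress]`, so everything except TCP/6443 to the listed RFC 1918 ranges is denied outbound, DNS on 53 included; that is fine only if the operator reaches the API server by IP, and either a comment stating that assumption or an explicit `types:` list would make the intent reviewable. Ingress to the operator (its admission webhook) is left unrestricted by this policy, which is probably intended but also worth a one-line comment.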
diff --git a/charts/victoria-metrics-stack/Chart.yaml b/charts/victoria-metrics-stack/Chart.yaml
new file mode 100644
index 00000000..be3af0d5
--- /dev/null
+++ b/charts/victoria-metrics-stack/Chart.yaml
@@ -0,0 +1,40 @@
+apiVersion: v2
+name: victoria-metrics-stack
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.128.0"
+
+dependencies:
+ - name: victoria-metrics-k8s-stack
+ version: 0.62.0
+ repository: "https://victoriametrics.github.io/helm-charts/"
+ condition: victoria-metrics-single.enabled
+
+# - name: victoria-metrics-auth
+# version: 0.19.7
+# repository: *victoria-metrics-repo
+# condition: victoria-metrics-auth.enabled
+
+# - name: victoria-metrics-agent
+# version: 0.26.2
+# repository: *victoria-metrics-repo
+# condition: victoria-metrics-agent.enabled
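Review bot: The dependency's `condition: victoria-metrics-single.enabled` does not match any key in charts/victoria-metrics-stack/values.yaml.gotmpl from this commit, which configures the subchart under `victoria-metrics-k8s-stack:`; Helm ignores a condition whose path is absent from values, so unless a values.yaml outside this diff defines that key the dependency is always enabled and cannot be switched off. Suggest `condition: victoria-metrics-k8s-stack.enabled` with a matching `enabled:` key in the values file. The commented-out dependencies reference `*victoria-metrics-repo`, an anchor defined nowhere in the file, and `description: A Helm chart for Kubernetes` is the scaffold default; either complete or drop those comments and give the chart a real description.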
diff --git a/charts/victoria-metrics-stack/namespace.yaml b/charts/victoria-metrics-stack/namespace.yaml
new file mode 100644
index 00000000..86c84def
--- /dev/null
+++ b/charts/victoria-metrics-stack/namespace.yaml
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n events` to see errors (e.g.)
+# Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+# container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: victoria-metrics-stack
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
diff --git a/charts/victoria-metrics-stack/networkpolicies/vm-agent.yaml b/charts/victoria-metrics-stack/networkpolicies/vm-agent.yaml
new file mode 100644
index 00000000..a27788af
--- /dev/null
+++ b/charts/victoria-metrics-stack/networkpolicies/vm-agent.yaml
@@ -0,0 +1,23 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vm-agent-network-policy
+spec:
+ selector: >-
+ app.kubernetes.io/name == "victoria-metrics-agent"
+ && app.kubernetes.io/instance == "{{ .Release.Name }}"
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ nets:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - 6443
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
diff --git a/charts/victoria-metrics-stack/networkpolicies/vm-auth.yaml b/charts/victoria-metrics-stack/networkpolicies/vm-auth.yaml
new file mode 100644
index 00000000..efee32cf
--- /dev/null
+++ b/charts/victoria-metrics-stack/networkpolicies/vm-auth.yaml
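Review bot: `vm-agent-network-policy` allows egress only to TCP/6443 on the private ranges and to the server port, and because it declares egress rules only, Calico infers `types: [Egress]` and denies all other outbound traffic, DNS on port 53 included; the agent then cannot resolve the `vm-server-*.vm-server.….svc.cluster.local` remote-write URLs from values.old.yaml.gotmpl unless another policy in the namespace opens DNS. The same applies to `vm-auth-network-policy` in the next hunk, whose `url_prefix` targets are DNS names as well. If relying on another policy is intended, say so in a comment naming it; otherwise add an explicit egress rule for DNS (UDP and TCP 53 to the cluster DNS pods). These files sit under networkpolicies/ rather than templates/, so it is unclear how the `{{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}` expression gets rendered; note that this values path exists only in values.old.yaml.gotmpl, while the new values.yaml.gotmpl uses `vmsingle.spec.port`.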
@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vm-auth-network-policy
+spec:
+ selector: >-
+ app.kubernetes.io/name == "victoria-metrics-auth"
+ && app.kubernetes.io/instance == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ index .Values "victoria-metrics-auth" "service" "servicePort" }}
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
diff --git a/charts/victoria-metrics-stack/networkpolicies/vm-server.yaml b/charts/victoria-metrics-stack/networkpolicies/vm-server.yaml
new file mode 100644
index 00000000..3a2758d6
--- /dev/null
+++ b/charts/victoria-metrics-stack/networkpolicies/vm-server.yaml
@@ -0,0 +1,14 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vm-server-network-policy
+spec:
+ selector: >-
+ app.kubernetes.io/name == "victoria-metrics-single"
+ && app.kubernetes.io/instance == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
diff --git a/charts/victoria-metrics-stack/templates/vmsingle.yaml b/charts/victoria-metrics-stack/templates/vmsingle.yaml
new file mode 100644
index 00000000..de69f81a
--- /dev/null
+++ b/charts/victoria-metrics-stack/templates/vmsingle.yaml
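Review bot: `vm-server-network-policy` selects `app.kubernetes.io/name == "victoria-metrics-single"`, but the VMSingle objects rendered by templates/vmsingle.yaml in this commit label their pods `app.kubernetes.io/name: vmsingle` (via `podMetadata.labels` in values.yaml.gotmpl), so the policy would match no operator-managed pod and the server would run without the intended ingress restriction — assuming the operator propagates `podMetadata` labels unchanged. Either align the selector, e.g. `app.kubernetes.io/name == "vmsingle" && app.kubernetes.io/part-of == "{{ .Release.Name }}"`, or add a comment stating that this policy only covers the values.old.yaml.gotmpl layout. The port expression `{{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}` likewise resolves only against the old values file.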
@@ -0,0 +1,17 @@
+{{ range $i, $e := until ( .Values.vmsingle.instanceCount | int ) }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMSingle
+metadata:
+ name: vmsingle-{{ $i }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vmsingle
+ app.kubernetes.io/instance: vmsingle-{{ $i }}
+ app.kubernetes.io/component: monitoring
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: {{ $.Release.Name }}
+ app.kubernetes.io/version: {{ $.Values.vmsingle.spec.image.tag }}
+ helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+spec: {{ toYaml $.Values.vmsingle.spec | nindent 2 }}
+---
+{{- end }}
diff --git a/charts/victoria-metrics-stack/values.old.yaml.gotmpl b/charts/victoria-metrics-stack/values.old.yaml.gotmpl
new file mode 100644
index 00000000..fcf4b955
--- /dev/null
+++ b/charts/victoria-metrics-stack/values.old.yaml.gotmpl
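Review bot: `app.kubernetes.io/version: {{ $.Values.vmsingle.spec.image.tag }}` is emitted unquoted, so a tag that YAML parses as a number (a bare `2025`, say) is rejected because label values must be strings; use `{{ $.Values.vmsingle.spec.image.tag | quote }}`, and quote `{{ $.Release.Name }}` in `part-of` for the same reason. `app.kubernetes.io/managed-by: Helm` is hard-coded where `{{ $.Release.Service }}` is the conventional source. The `---` after every document leaves an empty trailing document, which Helm tolerates, so that is cosmetic. A short header such as `{{/* one independent VMSingle per .Values.vmsingle.instanceCount; spec is shared, only name and labels differ */}}` would tell the next reader what the loop is for.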
@@ -0,0 +1,96 @@
+victoria-metrics-single:
+ enabled: false
+
+ server:
+ replicaCount: 2
+
+ service:
+ servicePort: 8428
+
+ mode: statefulSet
+
+ # avoid name to long (>63 char) error
+ fullnameOverride: vm-server
+
+ podSecurityContext: &restrictedPodSecurityContext
+ enabled: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ privileged: false
+
+ securityContext: &restrictedSecurityContext
+ enabled: true
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+
+victoria-metrics-agent:
+ enabled: false
+ fullnameOverride: vm-agent
+
+ config:
+ global:
+ scrape_interval: 20s
+
+ service:
+ enabled: true
+ servicePort: 8429
+
+ remoteWrite:
+ - url: "http://vm-server-0.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/api/v1/write"
+ - url: "http://vm-server-1.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/api/v1/write"
+
+ podSecurityContext: *restrictedPodSecurityContext
+ securityContext: *restrictedSecurityContext
+
+ resources:
+ limits:
+ cpu: 2
+ memory: 1Gi
+ requests:
+ cpu: 0.5
+ memory: 256Mi
+
+victoria-metrics-auth:
+ enabled: false
+ fullnameOverride: vm-auth
+
+ service:
+ servicePort: 8427
+
+ ingress:
+ enabled: true
+ annotations:
+ namespace: {{ .Release.Namespace }}
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/router.middlewares: >-
+ traefik-metrics-path-append-slash@kubernetescrd,
+ traefik-metrics-strip-prefix@kubernetescrd,
+ traefik-traefik-basic-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - name: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+ path:
+ - /metrics
+ port: http
+
+ podSecurityContext: *restrictedPodSecurityContext
+ securityContext: *restrictedSecurityContext
+
+ resources:
+ limits:
+ cpu: 0.5
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ config:
+ unauthorized_user:
+ url_prefix:
+ - "http://vm-server-0.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/"
+ - "http://vm-server-1.vm-server.{{ .Release.Namespace }}.svc.cluster.local:8428/"
+ load_balancing_policy: first_available
diff --git a/charts/victoria-metrics-stack/values.yaml.gotmpl b/charts/victoria-metrics-stack/values.yaml.gotmpl
new file mode 100644
index 00000000..528da2e1
--- /dev/null
+++ b/charts/victoria-metrics-stack/values.yaml.gotmpl
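Review bot: values.old.yaml.gotmpl is added with every subchart at `enabled: false`, so it is dead configuration from its first commit, and nothing on the page says why it is kept beside values.yaml.gotmpl even though the networkpolicies/*.yaml files in this commit still read its `victoria-metrics-single.server.service.servicePort` path. Either drop it or open it with a comment such as `# legacy layout (victoria-metrics-single/agent/auth subcharts), superseded by values.yaml.gotmpl; kept because networkpolicies/ still references it` so the dependency is explicit. If it stays, presumably `{{ requiredEnv "K8S_MONITORING_FQDN" }}` still aborts rendering when that variable is unset, even though nothing in the file is enabled; worth a note next to it.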
@@ -0,0 +1,78 @@
+vmsingle:
+ instanceCount: 2 # number of separate / independent vmsingle servers`
+ spec: # values documented here https://docs.victoriametrics.com/operator/api/#vmsingle
+ image:
+ tag: v1.128.0
+ port: "8428" # must be string or field validation fails
+ useStrictSecurity: true
+ podMetadata:
+ labels:
+ app.kubernetes.io/name: vmsingle
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+
+ # does not work in 1-node clusters
+ # https://github.com/kubernetes/kubernetes/issues/105072
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: vmsingle
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+
+victoria-metrics-k8s-stack:
+ vmsingle:
+ enabled: false
+
+ # we manage operator and crds in separate chart
+ # it is easier to delete victoria metrics charts
+ # separately this way
+ victoria-metrics-operator:
+ enabled: false
+
+ alertmanager:
+ enabled: false
+
+ vmagent:
+ enabled: false
+
+ vmalert:
+ enabled: false
+
+ grafana:
+ enabled: false
+
+ prometheus-node-exporter:
+ enabled: false
+
+ kube-state-metrics:
+ enabled: false
+
+ kubelet:
+ enabled: false
+
+ kubeApiServer:
+ enabled: false
+
+ kubeControllerManager:
+ enabled: false
+
+ coreDns:
+ # -- Enabled CoreDNS metrics scraping
+ enabled: false
+
+ kubeEtcd:
+ enabled: false
+
+ kubeScheduler:
+ # -- Enable KubeScheduler metrics scraping
+ enabled: false
+
+ defaultDashboards:
+ # -- Enable custom dashboards installation
+ enabled: false
+
+ defaultRules:
+ # -- Enable custom alerting rules installation
+ create: false
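Review bot: The comment on `instanceCount: 2` ends with a stray backtick (`# number of separate / independent vmsingle servers``); drop it. `topologySpreadConstraints` uses `whenUnsatisfiable: DoNotSchedule` while the comment above it says `# does not work in 1-node clusters`, so on such a cluster the second VMSingle stays Pending; if single-node use is supported, say so in the comment and either lower `instanceCount` there or use `ScheduleAnyway`. `vmsingle.spec` sets no `resources` and no storage or retention settings; if those are deliberately left to operator defaults, a one-line comment saying so would make the omission reviewable. The `image.tag: v1.128.0` duplicates `appVersion: "1.128.0"` in Chart.yaml, which is worth a comment on which one drives the `app.kubernetes.io/version` label.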