ITISFoundation · YuryHrytsuk · Oct 28, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -52,11 +52,6 @@ helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
 
-.PHONY: helmfile-delete
-helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
-	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
-
 .PHONY: up
 up: helmfile-apply ## Start the stack
 

@@ -133,6 +133,27 @@ extraObjects:
         - 172.16.0.0/12
         - 192.168.0.0/16
 
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: metrics-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /metrics
+
+  # a (href) links do not work properly without trailing slash
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: metrics-path-append-slash
+    namespace: {{ .Release.Namespace }}
+  spec:
+    redirectRegex:
+      regex: "^(https?://[^/]+/metrics)$"
+      replacement: "${1}/"
+
 - apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:

@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
@@ -0,0 +1,84 @@
+vmsingle:
+  # values documented here https://docs.victoriametrics.com/operator/api/#vmsingle
+  spec:
+    replicaCount: 1
+    port: "8428"  # must be string or field validation fails
+    useStrictSecurity: true
+
+    # podSecurityContext: &restrictedPodSecurityContext
+    #   enabled: true
+    #   runAsNonRoot: true
+    #   runAsUser: 1000
+    #   privileged: false
+
+    # securityContext: &restrictedSecurityContext
+    #   enabled: true
+    #   capabilities:
+    #     drop: ["ALL"]
+    #   readOnlyRootFilesystem: true
+    #   allowPrivilegeEscalation: false
+    #   seccompProfile:
+    #     type: RuntimeDefault
+
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: DoNotSchedule
+        # hardcoded due to https://github.com/VictoriaMetrics/helm-charts/issues/2219
+        labelSelector:
+          matchLabels:
+            app: server
+            app.kubernetes.io/instance: victoria-metrics
+            app.kubernetes.io/name: victoria-metrics-k8s-stack
+
+# we manage operator and crds in separate chart
+# it is easier to delete victoria metrics charts
+# separately this way
+victoria-metrics-operator:
+  enabled: false
+
+alertmanager:
+  enabled: false
+
+vmagent:
+  enabled: false
+
+vmalert:
+  enabled: false
+
+grafana:
+  enabled: false
+
+prometheus-node-exporter:
+  enabled: false
+
+kube-state-metrics:
+  enabled: false
+
+kubelet:
+  enabled: false
+
+kubeApiServer:
+  enabled: false
+
+kubeControllerManager:
+  enabled: false
+
+coreDns:
+  # -- Enabled CoreDNS metrics scraping
+  enabled: false
+
+kubeEtcd:
+  enabled: false
+
+kubeScheduler:
+  # -- Enable KubeScheduler metrics scraping
+  enabled: false
+
+defaultDashboards:
+  # -- Enable custom dashboards installation
+  enabled: false
+
+defaultRules:
+  # -- Enable custom alerting rules installation
+  create: false
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: victoria-metrics-operator
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
@@ -0,0 +1,28 @@
+operator:
+  disable_prometheus_converter: true
+
+securityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+admissionWebhooks:
+  certManager:
+    # avoid new cert generation on every helm run
+    enabled: true
+
+extraObjects:
+- apiVersion: projectcalico.org/v3
+  kind: NetworkPolicy
+  metadata:
+    name: victoria-metrics-operator-network-policy
+  spec:
+    egress:
+      - action: Allow
+        protocol: TCP
+        destination:
+          nets:
+            - 10.0.0.0/8
+            - 172.16.0.0/12
+            - 192.168.0.0/16
+          ports:
+            - 6443
@@ -0,0 +1,6 @@
+dependencies:
+- name: victoria-metrics-k8s-stack
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.62.0
+digest: sha256:1bf510e968425917526abc435f4f69961cd0a940cc0f59af3a2a4f0107e9e549
+generated: "2025-11-01T10:25:28.465780639+01:00"
@@ -0,0 +1,40 @@
+apiVersion: v2
+name: victoria-metrics-stack
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.128.0"
+
+dependencies:
+  - name: victoria-metrics-k8s-stack
+    version: 0.62.0
+    repository: "https://victoriametrics.github.io/helm-charts/"
+    condition: victoria-metrics-single.enabled
+
+#   - name: victoria-metrics-auth
+#     version: 0.19.7
+#     repository: *victoria-metrics-repo
+#     condition: victoria-metrics-auth.enabled
+
+#   - name: victoria-metrics-agent
+#     version: 0.26.2
+#     repository: *victoria-metrics-repo
+#     condition: victoria-metrics-agent.enabled
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: victoria-metrics-stack
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
@@ -0,0 +1,23 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-agent-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-agent"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-auth-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-auth"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-auth" "service" "servicePort" }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
@@ -0,0 +1,14 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vm-server-network-policy
+spec:
+  selector: >-
+    app.kubernetes.io/name == "victoria-metrics-single"
+    && app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ index .Values "victoria-metrics-single" "server" "service" "servicePort" }}
@@ -0,0 +1,17 @@
+{{ range $i, $e := until ( .Values.vmsingle.instanceCount | int ) }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMSingle
+metadata:
+  name: vmsingle-{{ $i }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vmsingle
+    app.kubernetes.io/instance: vmsingle-{{ $i }}
+    app.kubernetes.io/component: monitoring
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: {{ $.Release.Name }}
+    app.kubernetes.io/version: {{ $.Values.vmsingle.spec.image.tag }}
+    helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+spec: {{ toYaml $.Values.vmsingle.spec | nindent 2 }}
+---
+{{- end }}