merge: resolve conflicts with monitoring chart (main)

Integrates monitoring chart CI, Makefile, and gitignore changes
alongside cloudflare-tunnel additions.

Author: privsim

.github/workflows/helm-ci.yml

@@ -44,6 +44,22 @@ jobs:
             --set traffic.enabled=true \
             --set dashboard.enabled=true > /dev/null
 
+  monitoring-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+      - name: Add VictoriaMetrics Helm repo
+        run: helm repo add vm https://victoriametrics.github.io/helm-charts/ && helm repo update
+      - name: Build dependencies
+        run: helm dependency build helm/monitoring/
+      - name: Lint monitoring chart
+        run: helm lint helm/monitoring/
+      - name: Template monitoring chart
+        run: helm template monitoring helm/monitoring/ > /dev/null
+
   tunnel-lint:
     runs-on: ubuntu-latest
     steps:
@@ -95,7 +111,7 @@ jobs:
         run: pip install yamllint
       - name: Lint YAML files
         run: |
-          yamllint -d relaxed helm/disentangle/Chart.yaml helm/disentangle/values.yaml helm/disentangle/values.schema.json helm/cloudflare-tunnel/Chart.yaml helm/cloudflare-tunnel/values.yaml gitops/
+          yamllint -d relaxed helm/disentangle/Chart.yaml helm/disentangle/values.yaml helm/disentangle/values.schema.json helm/monitoring/Chart.yaml helm/monitoring/values.yaml helm/cloudflare-tunnel/Chart.yaml helm/cloudflare-tunnel/values.yaml gitops/
 
   helm-unittest:
     runs-on: ubuntu-latest

.gitignore

@@ -10,6 +10,7 @@ Thumbs.db
 
 # Helm
 helm/disentangle/charts/
+helm/monitoring/charts/
 helm/cloudflare-tunnel/charts/
 *.tgz
 .helm/

Makefile

@@ -1,6 +1,7 @@
-.PHONY: help lint test test-unit test-golden test-policy test-integration test-all clean lint-tunnel template-tunnel
+.PHONY: help lint test test-unit test-golden test-policy test-integration test-all clean lint-monitoring template-monitoring deps-monitoring lint-tunnel template-tunnel
 
 CHART_DIR := helm/disentangle
+MONITORING_CHART_DIR := helm/monitoring
 TUNNEL_CHART_DIR := helm/cloudflare-tunnel
 NAMESPACE := disentangle-test
 RELEASE := test-release
@@ -10,11 +11,20 @@ help: ## Show this help
 
 # === Linting ===
 
-lint: lint-helm lint-tunnel lint-yaml lint-shell ## Run all linters
+lint: lint-helm lint-monitoring lint-tunnel lint-yaml lint-shell ## Run all linters
 
 lint-helm: ## Lint Helm chart
 	helm lint $(CHART_DIR)
 
+lint-monitoring: ## Lint monitoring chart
+	helm lint $(MONITORING_CHART_DIR)
+
+template-monitoring: ## Render monitoring chart templates
+	helm template monitoring $(MONITORING_CHART_DIR) > /dev/null
+
+deps-monitoring: ## Build monitoring chart dependencies
+	helm dependency build $(MONITORING_CHART_DIR)
+
 lint-tunnel: ## Lint cloudflare-tunnel chart
 	helm lint $(TUNNEL_CHART_DIR)
 

helm/monitoring/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/monitoring/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: victoria-metrics-k8s-stack
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.72.4
+digest: sha256:ce97f0e91953a2f1776a9efe8db4afd0e8a12b174752d1cb7d2e937c9433a3d3
+generated: "2026-03-06T17:58:17.814692-07:00"

helm/monitoring/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: disentangle-monitoring
+description: Monitoring stack for Disentangle Network (VictoriaMetrics + Grafana)
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+license: Apache-2.0
+dependencies:
+  - name: victoria-metrics-k8s-stack
+    version: "0.72.x"
+    repository: https://victoriametrics.github.io/helm-charts/

helm/monitoring/values.yaml

@@ -0,0 +1,196 @@
+# Monitoring stack values tuned for Oracle Cloud Always Free tier
+# 2 ARM64 nodes, 4 OCPUs + 24GB RAM each, limited block volume quota
+#
+# Total monitoring resource budget (requests):
+#   CPU:  ~400m  (of 8000m available across 2 nodes)
+#   RAM:  ~576Mi (of 48Gi available across 2 nodes)
+
+victoria-metrics-k8s-stack:
+
+  # --- VMSingle (metrics storage) ---
+  vmsingle:
+    enabled: true
+    spec:
+      retentionPeriod: "7d"
+      replicaCount: 1
+      extraArgs: {}
+      # Use emptyDir instead of PVC to avoid consuming block volume quota
+      # (OCI Always Free tier: 200Gi total, 150Gi already used by protocol nodes)
+      storage: {}
+      resources:
+        requests:
+          cpu: 100m
+          memory: 256Mi
+        limits:
+          cpu: 500m
+          memory: 1Gi
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: vmsingle
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+
+  # --- VMAgent (scrape + remote write) ---
+  vmagent:
+    enabled: true
+    spec:
+      port: "8429"
+      selectAllByDefault: true
+      scrapeInterval: 30s
+      extraArgs:
+        promscrape.streamParse: "true"
+        promscrape.dropOriginalLabels: "true"
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 200m
+          memory: 256Mi
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - name: vmagent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+
+  # --- VMAlert (recording rules evaluation) ---
+  # Kept enabled for recording rules but with minimal resources
+  vmalert:
+    enabled: true
+    spec:
+      port: "8080"
+      selectAllByDefault: true
+      evaluationInterval: 30s
+      extraArgs:
+        http.pathPrefix: "/"
+        # Alertmanager is disabled; sink alert notifications to blackhole
+        notifier.blackhole: "true"
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 200m
+          memory: 256Mi
+
+  # --- Alertmanager (DISABLED - not needed for initial deployment) ---
+  alertmanager:
+    enabled: false
+
+  # --- Grafana ---
+  grafana:
+    enabled: true
+    # Use emptyDir for SQLite database (no PVC needed)
+    persistence:
+      enabled: false
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 472
+      runAsGroup: 472
+      fsGroup: 472
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: false
+      seccompProfile:
+        type: RuntimeDefault
+    sidecar:
+      dashboards:
+        enabled: true
+        label: grafana_dashboard
+        labelValue: "1"
+        folder: /var/lib/grafana/dashboards
+        defaultFolderName: default
+        provider:
+          name: default
+          orgid: 1
+      datasources:
+        enabled: true
+        label: grafana_datasource
+        labelValue: "1"
+
+  # --- Node Exporter (DaemonSet - runs on each node) ---
+  prometheus-node-exporter:
+    enabled: true
+    resources:
+      requests:
+        cpu: 50m
+        memory: 64Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+    service:
+      labels:
+        jobLabel: node-exporter
+    extraArgs:
+      - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
+      - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|erofs|sysfs|tracefs)$
+
+  # --- Kube State Metrics ---
+  kube-state-metrics:
+    enabled: true
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 200m
+        memory: 256Mi
+
+  # --- VMAuth (not needed for single-node setup) ---
+  vmauth:
+    enabled: false
+
+  # --- VMCluster (not needed - using VMSingle) ---
+  vmcluster:
+    enabled: false
+
+  # --- Operator ---
+  victoria-metrics-operator:
+    enabled: true
+    crds:
+      plain: true
+      cleanup:
+        enabled: true
+    operator:
+      disable_prometheus_converter: false
+
+  # --- Default dashboards ---
+  defaultDashboards:
+    enabled: true
+    defaultTimezone: utc
+
+  # --- Default rules (recording + alerting) ---
+  defaultRules:
+    create: true
+
+  # TODO: Add custom Grafana dashboard ConfigMaps for Disentangle-specific
+  # metrics (P2P peers, DAG height, mining rate, RPC latency) once the
+  # protocol node exposes a Prometheus /metrics endpoint.