From ff2bc13ca05dc7d37e20bb920bce9ab9ed3cb3f4 Mon Sep 17 00:00:00 2001 
From: igonzalezcl <69816993+igonzalezcl@users.noreply.github.com> Date: Mon, 3 Nov 2025 16:03:12 -0300 Subject: [PATCH 1/2] (merken) install base software --- fleet/lib/alloy/fleet.yaml | 10 + fleet/lib/alloy/overlays/merken/values.yaml | 349 ++++++++++++++++++ fleet/lib/kube-prometheus-stack/fleet.yaml | 12 + .../overlays/merken/values.yaml | 295 +++++++++++++++ fleet/lib/loki/fleet.yaml | 10 + fleet/lib/loki/overlays/cp/values.yaml | 23 ++ fleet/lib/metallb-conf/fleet.yaml | 10 + .../merken/ipaddresspool-ingress.yaml | 21 ++ .../merken/ipaddresspool-reserved.yaml | 21 ++ fleet/lib/mimir/fleet.yaml | 9 + .../overlays/merken/kustomization.yaml | 8 + .../merken/obc-mimir-alertmanager.yaml | 7 + .../overlays/merken/obc-mimir-blocks.yaml | 7 + .../overlays/merken/obc-mimir-ruler.yaml | 7 + .../kustomize/overlays/merken/obc-mimir.yaml | 7 + fleet/lib/rook-ceph-cluster/fleet.yaml | 10 + .../overlays/merken/values.yaml | 70 ++++ fleet/lib/rook-ceph-conf/Chart.yaml | 2 + .../rook-ceph-conf/charts/merken/.helmignore | 23 ++ .../rook-ceph-conf/charts/merken/Chart.yaml | 6 + .../templates/cephobjectstore-o11y.yaml | 218 +++++++++++ .../charts/merken/templates/cm-cephcli.yaml | 16 + fleet/lib/rook-ceph-conf/fleet.yaml | 12 + fleet/lib/rook-ceph-conf/values.yaml | 2 + fleet/s/cp/c/merken/alloy | 1 + fleet/s/cp/c/merken/blackbox-exporter | 1 + fleet/s/cp/c/merken/cert-manager | 1 + fleet/s/cp/c/merken/cert-manager-conf | 1 + fleet/s/cp/c/merken/cert-manager-crds | 1 + fleet/s/cp/c/merken/external-secrets | 1 + fleet/s/cp/c/merken/external-secrets-conf | 1 + fleet/s/cp/c/merken/gnocpush | 1 + fleet/s/cp/c/merken/grafana-dashboards | 1 + fleet/s/cp/c/merken/ingress-nginx | 1 + fleet/s/cp/c/merken/kube-prometheus-stack | 1 + fleet/s/cp/c/merken/kube-prometheus-stack-pre | 1 + fleet/s/cp/c/merken/kyverno | 1 + fleet/s/cp/c/merken/kyverno-conf | 1 + fleet/s/cp/c/merken/loki | 1 + fleet/s/cp/c/merken/metallb | 1 + fleet/s/cp/c/merken/metallb-conf | 1 + fleet/s/cp/c/merken/mimir | 1 + 
fleet/s/cp/c/merken/prometheus-alerts | 1 + fleet/s/cp/c/merken/prometheus-operator-crds | 1 + fleet/s/cp/c/merken/rook-ceph | 1 + fleet/s/cp/c/merken/rook-ceph-cluster | 1 + fleet/s/cp/c/merken/rook-ceph-conf | 1 + fleet/s/cp/c/merken/rook-ceph-demo | 1 + fleet/s/cp/c/merken/snmp-exporter | 1 + fleet/s/cp/c/merken/snmp-exporter-pre | 1 + fleet/s/cp/c/merken/strimzi-kafka-dashboards | 1 + rke2/merken/external-secrets/.gitignore | 2 + rke2/merken/external-secrets/README.md | 1 + .../external-secrets/external-secrets.sh | 1 + .../external-secrets/fetch-credentials.sh | 1 + rke2/merken/external-secrets/onepass_item.sh | 2 + rke2/merken/external-secrets/~ | 2 + 57 files changed, 1191 insertions(+) create mode 100644 fleet/lib/alloy/overlays/merken/values.yaml create mode 100644 fleet/lib/kube-prometheus-stack/overlays/merken/values.yaml create mode 100644 fleet/lib/loki/overlays/cp/values.yaml create mode 100644 fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml create mode 100644 fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml create mode 100644 fleet/lib/mimir/kustomize/overlays/merken/kustomization.yaml create mode 100644 fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-alertmanager.yaml create mode 100644 fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-blocks.yaml create mode 100644 fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-ruler.yaml create mode 100644 fleet/lib/mimir/kustomize/overlays/merken/obc-mimir.yaml create mode 100644 fleet/lib/rook-ceph-cluster/overlays/merken/values.yaml create mode 100644 fleet/lib/rook-ceph-conf/charts/merken/.helmignore create mode 100644 fleet/lib/rook-ceph-conf/charts/merken/Chart.yaml create mode 100644 fleet/lib/rook-ceph-conf/charts/merken/templates/cephobjectstore-o11y.yaml create mode 100644 fleet/lib/rook-ceph-conf/charts/merken/templates/cm-cephcli.yaml create mode 120000 fleet/s/cp/c/merken/alloy create mode 120000 fleet/s/cp/c/merken/blackbox-exporter create mode 120000 
fleet/s/cp/c/merken/cert-manager create mode 120000 fleet/s/cp/c/merken/cert-manager-conf create mode 120000 fleet/s/cp/c/merken/cert-manager-crds create mode 120000 fleet/s/cp/c/merken/external-secrets create mode 120000 fleet/s/cp/c/merken/external-secrets-conf create mode 120000 fleet/s/cp/c/merken/gnocpush create mode 120000 fleet/s/cp/c/merken/grafana-dashboards create mode 120000 fleet/s/cp/c/merken/ingress-nginx create mode 120000 fleet/s/cp/c/merken/kube-prometheus-stack create mode 120000 fleet/s/cp/c/merken/kube-prometheus-stack-pre create mode 120000 fleet/s/cp/c/merken/kyverno create mode 120000 fleet/s/cp/c/merken/kyverno-conf create mode 120000 fleet/s/cp/c/merken/loki create mode 120000 fleet/s/cp/c/merken/metallb create mode 120000 fleet/s/cp/c/merken/metallb-conf create mode 120000 fleet/s/cp/c/merken/mimir create mode 120000 fleet/s/cp/c/merken/prometheus-alerts create mode 120000 fleet/s/cp/c/merken/prometheus-operator-crds create mode 120000 fleet/s/cp/c/merken/rook-ceph create mode 120000 fleet/s/cp/c/merken/rook-ceph-cluster create mode 120000 fleet/s/cp/c/merken/rook-ceph-conf create mode 120000 fleet/s/cp/c/merken/rook-ceph-demo create mode 120000 fleet/s/cp/c/merken/snmp-exporter create mode 120000 fleet/s/cp/c/merken/snmp-exporter-pre create mode 120000 fleet/s/cp/c/merken/strimzi-kafka-dashboards create mode 100644 rke2/merken/external-secrets/.gitignore create mode 120000 rke2/merken/external-secrets/README.md create mode 120000 rke2/merken/external-secrets/external-secrets.sh create mode 120000 rke2/merken/external-secrets/fetch-credentials.sh create mode 100644 rke2/merken/external-secrets/onepass_item.sh create mode 100644 rke2/merken/external-secrets/~ diff --git a/fleet/lib/alloy/fleet.yaml b/fleet/lib/alloy/fleet.yaml index 4c7ce6586..0fec01ffe 100644 --- a/fleet/lib/alloy/fleet.yaml +++ b/fleet/lib/alloy/fleet.yaml 
@@ -44,3 +44,13 @@ targetCustomizations:
 helm:
 valuesFiles:
 - overlays/antu/values.yaml
+ - name: merken
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - merken
+ helm:
+ valuesFiles:
+ - overlays/merken/values.yaml
diff --git a/fleet/lib/alloy/overlays/merken/values.yaml b/fleet/lib/alloy/overlays/merken/values.yaml
new file mode 100644
index 000000000..53b12d583
--- /dev/null
+++ b/fleet/lib/alloy/overlays/merken/values.yaml
@@ -0,0 +1,349 @@ +service: + enabled: true + type: LoadBalancer + annotations: + metallb.universe.tf/loadBalancerIPs: 139.229.161.80 + +controller: + type: deployment + replicaCount: 2 + +alloy: + mounts: + varlog: false + extraPorts: + - name: syslog-tcp + port: 1514 + targetPort: 1514 + protocol: TCP + - name: pfsense-udp + port: 5141 + targetPort: 5141 + protocol: UDP + - name: network-udp + port: 5142 + targetPort: 5142 + protocol: UDP + - name: openvpn-udp + port: 5143 + targetPort: 5143 + protocol: UDP + - name: rsyslog-udp + port: 5514 + targetPort: 5514 + protocol: UDP + - name: otelhttp + port: 4318 + targetPort: 4318 + protocol: TCP + configMap: + content: | + logging { + level = "{{ default "info" (get (default (dict) .ClusterLabels) "log_level") }}" + format = "logfmt" + } + + local.file_match "node_logs" { + path_targets = [{ + __path__ = "/var/log/*.log", + job = "node/syslog", + node_name = sys.env("HOSTNAME"), + cluster = "${ get .ClusterLabels "management.cattle.io/cluster-display-name" }", + }] + } + + loki.source.file "node_logs" { + targets = local.file_match.node_logs.targets + forward_to = [loki.write.send.receiver] + } + + discovery.kubernetes "pod" { + role = "pod" + } + + discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets + + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } + + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } + + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } + + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "job" + separator = "/" + replacement = "$1" + } + + rule { + source_labels = 
["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "${ get .ClusterLabels "management.cattle.io/cluster-display-name" }", + job = "k8s/logs", + } + } + + stage.json { + expressions = { level = "level" } + } + + stage.template { + source = "level" + template = "{{`{{ lower .Value }}`}}" + } + + stage.labels { + values = { + severity = "level", + } + } + + forward_to = [loki.write.send.receiver] + } + + loki.source.kubernetes_events "cluster_events" { + job_name = "k8s/events" + log_format = "logfmt" + forward_to = [ + loki.process.cluster_events.receiver, + ] + } + + loki.process "cluster_events" { + forward_to = [loki.write.send.receiver] + stage.static_labels { + values = { + cluster = "${ get .ClusterLabels "management.cattle.io/cluster-display-name" }", + } + } + stage.regex { + expression = ".*name=(?P[^ ]+).*kind=(?P[^ ]+).*objectAPIversion=(?P[^ ]+).*type=(?P[^ ]+).*" + } + stage.labels { + values = { + name = "name", + kind = "kind", + apiVersion = "apiVersion", + type = "type", + } + } + } + + discovery.relabel "syslog" { + targets = [] + rule { + source_labels = ["__syslog_message_hostname"] + target_label = "host" + } + rule { + source_labels = ["__syslog_message_app_name"] + target_label = "app_name" + } + rule { + source_labels = ["__syslog_message_severity"] + target_label = "severity" + } + } + + loki.source.syslog "tcp" { + listener { + address = ":1514" + protocol = "tcp" + labels = { + component = "loki.source.syslog", + 
protocol = "tcp", + } + } + forward_to = [loki.relabel.relabel.receiver] + } + + loki.source.syslog "pfsense" { + listener { + address = ":5141" + protocol = "udp" + labels = { job = "pfsense" } + } + relabel_rules = discovery.relabel.syslog.rules + forward_to = [loki.process.pfsense.receiver] + } + + loki.source.syslog "network" { + listener { + address = ":5142" + protocol = "udp" + syslog_format = "rfc3164" + use_incoming_timestamp = true + rfc3164_default_to_current_year = true + labels = { job = "network" } + } + relabel_rules = discovery.relabel.syslog.rules + forward_to = [loki.write.send.receiver] + } + + loki.process "pfsense" { + stage.regex { + expression = "^(?P\\d+),(?P[^,]*),(?P[^,]*),(?P[^,]*),(?P[^,]*),(?P[^,]*),(?P[^,]*),(?P[^,]*),(?P\\d),(?P[^,]*),(?P[^,]*),(?P\\d+),(?P\\d+),(?P\\d+),(?P[^,]*),(?P\\d+),(?P[^,]*),(?P\\d+),(?P[^,]*),(?P[^,]*)(?:,(?P\\d+),(?P\\d+),(?P\\d+)(?:,(?P[^,]*),(?P\\d*),(?P\\d*),(?P\\d*)(?:,(?P[^,]*)(?:,(?P[^,]*))?)?)?)?$" + } + + stage.labels { + values = { + action = "", + direction = "", + proto = "", + iface = "iface", + rule = "", + dst_port = "dst_port", + dst_ip = "", + } + } + + stage.structured_metadata { + values = { + src_ip = "", + dst_ip = "", + src_port = "", + tcp_flags = "", + tracker = "", + } + } + + forward_to = [loki.write.send.receiver] + } + + otelcol.receiver.otlp "ingest" { + http { endpoint = ":4318" } + output { logs = [otelcol.exporter.loki.to_loki.input] } + } + + otelcol.exporter.loki "to_loki" { + forward_to = [loki.write.send.receiver] + } + + loki.relabel "relabel" { + rule { + source_labels = ["__syslog_message_hostname"] + target_label = "host" + } + forward_to = [loki.write.send.receiver] + } + + loki.process "openvpn" { + + stage.regex { + expression = "AUTH (?PSUCCESS|FAILURE)" + } + + stage.regex { + expression = "\\[stdout#(?P\\w+)\\]" + } + + stage.regex { + expression = "'status':\\s*(?P\\d+)" + } + + stage.regex { + expression = "'user':\\s*'(?P[^']+)'" + } + + stage.regex { + 
expression = "'reason':\\s*'(?P[^']+)'" + } + + stage.regex { + expression = "'session_id':\\s*'(?P[^']+)'" + } + + stage.regex { + expression = "'common_name':\\s*'(?P[^']+)'" + } + + stage.regex { + expression = "'auth method':\\s*'(?P[^']+)'" + } + + stage.labels { + values = { + auth_status = "", + stdout_level = "", + status = "", + user = "", + common_name = "", + auth_method = "", + } + } + + forward_to = [loki.write.send.receiver] + } + + loki.source.syslog "openvpn" { + listener { + address = ":5143" + protocol = "udp" + syslog_format = "rfc3164" + use_incoming_timestamp = false + labels = { job = "openvpn" } + } + relabel_rules = discovery.relabel.syslog.rules + forward_to = [loki.process.openvpn.receiver] + } + + loki.source.syslog "rsyslog" { + listener { + address = ":5514" + syslog_format = "rfc3164" + use_incoming_timestamp = false + protocol = "udp" + labels = { job = "node/rsyslog" } + } + relabel_rules = discovery.relabel.syslog.rules + forward_to = [loki.write.send.receiver] + } + + loki.write "send" { + endpoint { + url = "http://loki-gateway.loki.svc.cluster.local/loki/api/v1/push" + } + } diff --git a/fleet/lib/kube-prometheus-stack/fleet.yaml b/fleet/lib/kube-prometheus-stack/fleet.yaml index 966280aac..37a019bbe 100644 --- a/fleet/lib/kube-prometheus-stack/fleet.yaml +++ b/fleet/lib/kube-prometheus-stack/fleet.yaml @@ -75,6 +75,18 @@ targetCustomizations: - pvc/values.yaml - aggregator/values.yaml - overlays/antu/values.yaml + - name: merken + clusterSelector: + matchExpressions: + - key: management.cattle.io/cluster-display-name + operator: In + values: + - merken + helm: + valuesFiles: + - pvc/values.yaml + - aggregator/values.yaml + - overlays/merken/values.yaml - name: cl-nopvc clusterSelector: matchExpressions: diff --git a/fleet/lib/kube-prometheus-stack/overlays/merken/values.yaml b/fleet/lib/kube-prometheus-stack/overlays/merken/values.yaml new file mode 100644 index 000000000..c40e1755c --- /dev/null 
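Review bot: In fleet/lib/alloy/overlays/merken/values.yaml the `loki.source.syslog` listeners on `:1514`, `:5141`, `:5142`, `:5143` and `:5514` and the OTLP receiver on `:4318` are published through a `LoadBalancer` Service on 139.229.161.80 with no TLS or sender restriction visible in this file, so any host that can reach that address can submit log lines. Those lines then drive stream labels: `loki.process "openvpn"` promotes `user`, `common_name` and `status`, and `loki.process "pfsense"` promotes `dst_ip` and `dst_port`, so a sender controls label cardinality in Loki. I would keep only bounded fields such as `action`, `direction` and `auth_status` in `stage.labels`, move the rest into `stage.structured_metadata` as the pfsense block already does for `src_ip`, and limit who can reach the Service with a NetworkPolicy or an upstream firewall rule. Separately, `mounts.varlog: false` together with `controller.type: deployment` means `local.file_match "node_logs"` only sees `/var/log/*.log` inside the Alloy container; confirm that is intended.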
+++ b/fleet/lib/kube-prometheus-stack/overlays/merken/values.yaml 
@@ -0,0 +1,295 @@ +--- +prometheus: + prometheusSpec: + scrapeInterval: 10s + scrapeTimeout: 7s + configMaps: + - sd-snmp-network + - sd-snmp-power + - sd-snmp-raritan-pdu + secrets: + - puppetdb + additionalScrapeConfigs: + - job_name: blackbox-icmp-puppetdb + metrics_path: /probe + params: + module: [icmp] + puppetdb_sd_configs: + - &blackbox-icmp-puppetdb + url: https://puppetdb.dev.lsst.org:8443 + basic_auth: + username: svc_prometheus + password_file: /etc/prometheus/secrets/puppetdb/password + query: resources { type = "Class" and title = "Prometheus::Node_exporter" } + refresh_interval: 30s + follow_redirects: true + include_parameters: true + enable_http2: true + - <<: *blackbox-icmp-puppetdb + url: https://puppetdb.ls.lsst.org:8443 + - <<: *blackbox-icmp-puppetdb + url: https://puppetdb.cp.lsst.org:8443 + relabel_configs: + - source_labels: [__meta_puppetdb_certname] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: prometheus-blackbox-exporter.blackbox-exporter:9115 + - job_name: node-puppetdb + puppetdb_sd_configs: + - &node-puppetdb + url: https://puppetdb.dev.lsst.org:8443 + basic_auth: + username: svc_prometheus + password_file: /etc/prometheus/secrets/puppetdb/password + query: | + resources { + type = "Class" and title = "Profile::Core::Node_info" and + certname in resources[certname] { + type = "Class" and title = "Prometheus::Node_exporter" + } + } + refresh_interval: 30s + follow_redirects: true + include_parameters: true + enable_http2: true + port: 9100 + - <<: *node-puppetdb + url: https://puppetdb.ls.lsst.org:8443 + - <<: *node-puppetdb + url: https://puppetdb.cp.lsst.org:8443 + relabel_configs: + - source_labels: [__meta_puppetdb_certname] + target_label: instance + - source_labels: [__meta_puppetdb_environment] + target_label: environment + - source_labels: [__meta_puppetdb_parameter_site] + target_label: site + - source_labels: 
[__meta_puppetdb_parameter_role] + target_label: role + - source_labels: [__meta_puppetdb_parameter_cluster] + target_label: cluster + - job_name: blackbox-icmp-snmp + metrics_path: /probe + params: + module: [icmp] + file_sd_configs: + - files: + - /etc/prometheus/configmaps/sd-snmp-network/snmp-network.json + - /etc/prometheus/configmaps/sd-snmp-power/snmp-power.json + - /etc/prometheus/configmaps/sd-snmp-raritan-pdu/snmp-raritan-pdu.json + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__meta_hostname] + target_label: instance + - source_labels: [__meta_network_function] + target_label: network_function + - target_label: __address__ + replacement: prometheus-blackbox-exporter.blackbox-exporter:9115 + - job_name: blackbox-snmp-raritan-pdu + metrics_path: /snmp + scrape_interval: 1m + scrape_timeout: 55s + params: + module: [raritan] + auth: [rubin_v2] + file_sd_configs: + - files: + - /etc/prometheus/configmaps/sd-snmp-raritan-pdu/snmp-raritan-pdu.json + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__meta_hostname] + target_label: instance + - target_label: __address__ + replacement: prometheus-snmp-exporter.snmp-exporter:9116 + - job_name: blackbox-snmp-power + metrics_path: /snmp + file_sd_configs: + - files: + - /etc/prometheus/configmaps/sd-snmp-power/snmp-power.json + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__meta_hostname] + target_label: instance + - source_labels: [__meta_auth] + target_label: __param_auth + - source_labels: [__meta_module] + target_label: __param_module + - target_label: __address__ + replacement: prometheus-snmp-exporter.snmp-exporter:9116 + - job_name: blackbox-snmp-network + metrics_path: /snmp + scrape_interval: 30s + scrape_timeout: 25s + params: + module: [if_mib] + auth: [rubin_v2] + file_sd_configs: + - files: + - 
/etc/prometheus/configmaps/sd-snmp-network/snmp-network.json + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__meta_hostname] + target_label: instance + - source_labels: [__meta_network_function] + target_label: network_function + - target_label: __address__ + replacement: prometheus-snmp-exporter.snmp-exporter:9116 + - job_name: blackbox-snmp-arista-tunnel + metrics_path: /snmp + params: + module: [arista_tunnel] + auth: [rubin_v2] + file_sd_configs: + - files: + - /etc/prometheus/configmaps/sd-snmp-network/snmp-network.json + relabel_configs: + - source_labels: [__meta_hostname] + regex: .*ipsec.* + action: keep + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__meta_hostname] + target_label: instance + - source_labels: [__meta_network_function] + target_label: network_function + - target_label: __address__ + replacement: prometheus-snmp-exporter.snmp-exporter:9116 + - job_name: deliverator-ls + scrape_interval: 100ms + puppetdb_sd_configs: + - url: https://puppetdb.ls.lsst.org:8443 + basic_auth: + username: svc_prometheus + password_file: /etc/prometheus/secrets/puppetdb/password + query: resources { type = "S3nd::Instance" } + refresh_interval: 30s + follow_redirects: true + include_parameters: true + enable_http2: true + relabel_configs: + - source_labels: [__meta_puppetdb_certname, __meta_puppetdb_parameter_port] + separator: ':' + target_label: __address__ + - source_labels: [__meta_puppetdb_certname] + target_label: instance + - source_labels: [__meta_puppetdb_parameter_port] + target_label: port + - source_labels: [__meta_puppetdb_title] + target_label: service + - target_label: site + replacement: ls + - job_name: deliverator-cp + scrape_interval: 100ms + puppetdb_sd_configs: + - url: https://puppetdb.cp.lsst.org:8443 + basic_auth: + username: svc_prometheus + password_file: /etc/prometheus/secrets/puppetdb/password + query: resources { type = "S3nd::Instance" } + 
refresh_interval: 30s + follow_redirects: true + include_parameters: true + enable_http2: true + relabel_configs: + - source_labels: [__meta_puppetdb_certname, __meta_puppetdb_parameter_port] + separator: ':' + target_label: __address__ + - source_labels: [__meta_puppetdb_certname] + target_label: instance + - source_labels: [__meta_puppetdb_parameter_port] + target_label: port + - source_labels: [__meta_puppetdb_title] + target_label: service + - target_label: site + replacement: cp +grafana: + grafana.ini: + server: + domain: &hostname grafana.${ .ClusterLabels.site }.lsst.org + root_url: https://grafana.${ .ClusterLabels.site }.lsst.org + ingress: + hosts: + - *hostname + tls: + - secretName: grafana-ingress-tls + hosts: + - *hostname + resources: + limits: + cpu: 4 + memory: 4Gi + requests: + cpu: 4 + memory: 4Gi + defaultDashboardsEnabled: false + +alertmanager: + config: + global: + resolve_timeout: 5m + route: + group_by: + - alertname + - namespace + - site + group_wait: 30s + group_interval: 5m + repeat_interval: 120h + receiver: blackhole + routes: + - receiver: blackhole + matchers: + - alertname = "InfoInhibitor" + - receiver: blackhole + matchers: + - alertname = "Watchdog" + - receiver: squadcast-alertmanager + matchers: + - prod = "true" + continue: true + - receiver: squadcast-alertmanager-oncall + matchers: + - oncall = "true" + continue: true + - receiver: gnocpush + continue: true + repeat_interval: 30s + group_interval: 30s + group_wait: 30s + group_by: + - gnoc + matchers: + - gnoc = "true" + receivers: + - name: blackhole + - name: gnocpush + webhook_configs: + - url: http://gnocpush.gnocpush:8080/alerts + - name: squadcast-alertmanager + webhook_configs: + - url_file: /etc/alertmanager/secrets/alertmanager-webhooks/squadcast-alertmanager + - name: squadcast-alertmanager-oncall + webhook_configs: + - url_file: /etc/alertmanager/secrets/alertmanager-webhooks/squadcast-alertmanager-oncall + inhibit_rules: + - source_matchers: + - alertname = 
"InfoInhibitor" + target_matchers: + - severity = "info" + equal: [namespace] + - source_matchers: + - severity = "critical" + target_matchers: + - severity =~ "info|warning" + equal: [alertname] + - source_matchers: + - severity = "warning" + target_matchers: + - severity = "info" + equal: [alertname] diff --git a/fleet/lib/loki/fleet.yaml b/fleet/lib/loki/fleet.yaml index 00fec7357..f693688e0 100644 --- a/fleet/lib/loki/fleet.yaml +++ b/fleet/lib/loki/fleet.yaml @@ -27,3 +27,13 @@ targetCustomizations: helm: valuesFiles: - overlays/dev/values.yaml + - name: cp + clusterSelector: + matchExpressions: + - key: site + operator: In + values: + - cp + helm: + valuesFiles: + - overlays/cp/values.yaml diff --git a/fleet/lib/loki/overlays/cp/values.yaml b/fleet/lib/loki/overlays/cp/values.yaml new file mode 100644 index 000000000..9ab9427d4 --- /dev/null +++ b/fleet/lib/loki/overlays/cp/values.yaml @@ -0,0 +1,23 @@ +gateway: + enabled: true + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt + nginx.ingress.kubernetes.io/backend-protocol: HTTP + nginx.ingress.kubernetes.io/proxy-read-timeout: "60" + nginx.ingress.kubernetes.io/proxy-send-timeout: "60" + nginx.ingress.kubernetes.io/client-body-buffer-size: 10m + hosts: + - host: loki.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org + paths: + - path: / + pathType: Prefix + tls: + - secretName: tls-loki-ingress + hosts: + - loki.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org +loki: + limits_config: + retention_period: 10d diff --git a/fleet/lib/metallb-conf/fleet.yaml b/fleet/lib/metallb-conf/fleet.yaml index 75647ece2..4d5dd33ab 100644 --- a/fleet/lib/metallb-conf/fleet.yaml +++ b/fleet/lib/metallb-conf/fleet.yaml 
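Review bot: In fleet/lib/kube-prometheus-stack/overlays/merken/values.yaml the `&blackbox-icmp-puppetdb` and `&node-puppetdb` anchors carry one `basic_auth` block (`svc_prometheus` with `/etc/prometheus/secrets/puppetdb/password`) into the entries for `puppetdb.dev.lsst.org`, `puppetdb.ls.lsst.org` and `puppetdb.cp.lsst.org`, so the same password is presented to the dev instance and to both site instances. If these are separate PuppetDB deployments, a per-instance secret keeps a leak in one from exposing the others, for example overriding `basic_auth` in each `<<:` entry with `password_file: /etc/prometheus/secrets/<per-instance-secret>/password` (placeholder path). `follow_redirects: true` is set on every credentialed entry; `follow_redirects: false` is the safer value unless these endpoints are known to redirect. The `deliverator-ls` and `deliverator-cp` jobs repeat the same credentials inline.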
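Review bot: In fleet/lib/loki/overlays/cp/values.yaml, `gateway.ingress` publishes the Loki gateway at `loki.<cluster>.<site>.lsst.org` with only cert-manager and proxy annotations, and nothing in this overlay enables authentication. Unless the base values turn on `gateway.basicAuth` or an `nginx.ingress.kubernetes.io/auth-*` annotation is added elsewhere, the push and query APIs are open to anyone who can reach the ingress. Alloy in this same commit writes to `http://loki-gateway.loki.svc.cluster.local` inside the cluster, so a comment naming the external consumers and where their authentication is configured would justify the exposure, e.g. `# external access for <consumer>; auth configured in <file>`. The new `cp` target selects on the `site` label, so this applies to every cluster labelled `site: cp`, not only merken.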
@@ -219,3 +219,13 @@ targetCustomizations:
 yaml:
 overlays:
 - rancher.cp
+ - name: merken
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - merken
+ yaml:
+ overlays:
+ - merken
diff --git a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml
new file mode 100644
index 000000000..8aac73926
--- /dev/null
+++ b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: ingress
+ namespace: metallb-system
+spec:
+ addresses:
+ - 139.229.161.70/32
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: ingress
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - ingress
+ interfaces:
+ - br1131
diff --git a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml
new file mode 100644
index 000000000..28288ca1c
--- /dev/null
+++ b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: reserved
+ namespace: metallb-system
+spec:
+ addresses:
+ - 139.229.161.80-139.229.161.100
+ autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: reserved
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - reserved
+ interfaces:
+ - br1130
diff --git a/fleet/lib/mimir/fleet.yaml b/fleet/lib/mimir/fleet.yaml
index 509b4d401..047efc253 100644
--- a/fleet/lib/mimir/fleet.yaml
+++ b/fleet/lib/mimir/fleet.yaml
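Review bot: Neither `IPAddressPool` in fleet/lib/metallb-conf/overlays/merken (`ingress` in ipaddresspool-ingress.yaml, `reserved` in ipaddresspool-reserved.yaml) sets `spec.serviceAllocation`, so `autoAssign: false` only stops automatic assignment. A LoadBalancer Service in any namespace can still request 139.229.161.70 or an address in 139.229.161.80-139.229.161.100 through the `metallb.universe.tf/loadBalancerIPs` annotation. If only specific namespaces should own these addresses, pin them on the pool, e.g. `serviceAllocation:` with `namespaces: [ingress-nginx]` for `ingress` (namespace name assumed from the bundle name; confirm). A one-line comment on why `ingress` is advertised on `br1131` and `reserved` on `br1130` would also help the next reader.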
@@ -74,3 +74,12 @@ targetCustomizations:
 - overlays/pillan/values.yaml
 kustomize:
 dir: kustomize/overlays/pillan
+ - name: merken
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - merken
+ kustomize:
+ dir: kustomize/overlays/merken
diff --git a/fleet/lib/mimir/kustomize/overlays/merken/kustomization.yaml b/fleet/lib/mimir/kustomize/overlays/merken/kustomization.yaml
new file mode 100644
index 000000000..c37796827
--- /dev/null
+++ b/fleet/lib/mimir/kustomize/overlays/merken/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+resources:
+ - ../../base
+patches:
+ - path: obc-mimir-alertmanager.yaml
+ - path: obc-mimir-blocks.yaml
+ - path: obc-mimir-ruler.yaml
+ - path: obc-mimir.yaml
diff --git a/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-alertmanager.yaml b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-alertmanager.yaml
new file mode 100644
index 000000000..94ce4aee9
--- /dev/null
+++ b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-alertmanager.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: mimir-alertmanager
+spec:
+ bucketName: merken-mimir-alertmanager
diff --git a/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-blocks.yaml b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-blocks.yaml
new file mode 100644
index 000000000..a421dc350
--- /dev/null
+++ b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-blocks.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: mimir-blocks
+spec:
+ bucketName: merken-mimir-blocks
diff --git a/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-ruler.yaml b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-ruler.yaml
new file mode 100644
index 000000000..07a23c1a2
--- /dev/null
+++ b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir-ruler.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: mimir-ruler
+spec:
+ bucketName: merken-mimir-ruler
diff --git a/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir.yaml b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir.yaml
new file mode 100644
index 000000000..823b2d459
--- /dev/null
+++ b/fleet/lib/mimir/kustomize/overlays/merken/obc-mimir.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: mimir
+spec:
+ bucketName: merken-mimir
diff --git a/fleet/lib/rook-ceph-cluster/fleet.yaml b/fleet/lib/rook-ceph-cluster/fleet.yaml
index cce85fc3b..9df938880 100644
--- a/fleet/lib/rook-ceph-cluster/fleet.yaml
+++ b/fleet/lib/rook-ceph-cluster/fleet.yaml
@@ -194,3 +194,13 @@ targetCustomizations:
 helm:
 valuesFiles:
 - overlays/kona/values.yaml
+ - name: merken
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - merken
+ helm:
+ valuesFiles:
+ - overlays/merken/values.yaml
diff --git a/fleet/lib/rook-ceph-cluster/overlays/merken/values.yaml b/fleet/lib/rook-ceph-cluster/overlays/merken/values.yaml
new file mode 100644
index 000000000..5eaaf3eac
--- /dev/null
+++ b/fleet/lib/rook-ceph-cluster/overlays/merken/values.yaml
@@ -0,0 +1,70 @@
+---
+cephClusterSpec:
+ mon:
+ count: 3
+ cephConfig:
+ global:
+ osd_pool_default_pg_autoscale_mode: warn
+ rgw_override_bucket_index_max_shards: "401"
+ rgw_enable_usage_log: "false"
+ mgr:
+ mgr/balancer/upmap_max_deviation: "1"
+ osd:
+ osd_max_pg_per_osd_hard_ratio: "10"
+ osd_op_queue: wpq
+ osd_scrub_auto_repair: "true"
+ storage:
+ useAllNodes: false
+ useAllDevices: false
+ config:
+ osdsPerDevice: "1"
+ encryptedDevice: "true"
+ nodes:
+ - name: merken01
+ devices:
+ - name: /dev/disk/by-id/nvme-Micron_9400_MTFDKCC30T7TGH_2409477E4278
+ - name: merken02
+ devices:
+ - name: /dev/disk/by-id/nvme-Micron_9400_MTFDKCC30T7TGH_2409477E41FC
+ - name: merken03
+ devices:
+ - name: /dev/disk/by-id/nvme-Micron_9400_MTFDKCC30T7TGH_2409477E4237
+ - name: merken04
+ devices:
+ - name: /dev/disk/by-id/nvme-Micron_9400_MTFDKCC30T7TGH_2409477E42F4
+
+cephBlockPools:
+ - name: replicapool
+ spec:
+ failureDomain: host
+ replicated:
+ size: 3
+ requireSafeReplicaSize: true
+ quotas:
+ maxSize: 2Ti
+ enableRBDStats: true
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "32"
+ storageClass:
+ name: rook-ceph-block
+ enabled: true
+ isDefault: true
+ reclaimPolicy: Delete
+ allowVolumeExpansion: true
+ mountOptions:
+ - discard
+ parameters:
+ clusterID: rook-ceph
+ pool: replicapool
+ imageFormat: "2"
+ imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock
+ csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+ csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+ csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+ csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+ csi.storage.k8s.io/fstype: ext4
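Review bot: `encryptedDevice: "true"` under `storage.config` is set with no `security.kms` settings in this overlay. When no KMS is configured, Rook keeps each OSD's LUKS key in a Kubernetes Secret in the cluster namespace, so the encryption covers a removed NVMe drive but not anyone who can read Secrets in `rook-ceph` or the etcd datastore. If the base values do not already configure a KMS, either add one under `cephClusterSpec.security.kms` or confirm that secrets encryption at rest is enabled on the RKE2 servers. Record the decision next to the setting, e.g. `# OSD keys stored as k8s Secrets; relies on etcd secrets encryption`.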
diff --git a/fleet/lib/rook-ceph-conf/Chart.yaml b/fleet/lib/rook-ceph-conf/Chart.yaml
index a98bd19c2..886567013 100644
--- a/fleet/lib/rook-ceph-conf/Chart.yaml
+++ b/fleet/lib/rook-ceph-conf/Chart.yaml
@@ -34,3 +34,5 @@ dependencies:
 condition: subchart.elqui.enabled
 - name: kona
 condition: subchart.kona.enabled
+ - name: merken
+ condition: subchart.merken.enabled
diff --git a/fleet/lib/rook-ceph-conf/charts/merken/.helmignore b/fleet/lib/rook-ceph-conf/charts/merken/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/fleet/lib/rook-ceph-conf/charts/merken/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/fleet/lib/rook-ceph-conf/charts/merken/Chart.yaml b/fleet/lib/rook-ceph-conf/charts/merken/Chart.yaml
new file mode 100644
index 000000000..dc96bad07
--- /dev/null
+++ b/fleet/lib/rook-ceph-conf/charts/merken/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: merken
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.0
+appVersion: 0.0.0
diff --git a/fleet/lib/rook-ceph-conf/charts/merken/templates/cephobjectstore-o11y.yaml b/fleet/lib/rook-ceph-conf/charts/merken/templates/cephobjectstore-o11y.yaml
new file mode 100644
index 000000000..716bf0fa3
--- /dev/null
+++ b/fleet/lib/rook-ceph-conf/charts/merken/templates/cephobjectstore-o11y.yaml
@@ -0,0 +1,218 @@
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectRealm
+metadata:
+ name: o11y
+ namespace: rook-ceph
+spec:
+ defaultRealm: true
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectZoneGroup
+metadata:
+ name: o11y
+ namespace: rook-ceph
+spec:
+ realm: o11y
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectZone
+metadata:
+ name: o11y
+ namespace: rook-ceph
+spec:
+ zoneGroup: o11y
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStore
+metadata:
+ name: o11y
+ namespace: rook-ceph
+spec:
+ allowUsersInNamespaces:
+ - loki
+ - mimir
+ preservePoolsOnDelete: false
+ gateway:
+ sslCertificateRef:
+ port: 80
+ # securePort: 443
+ instances: 3
+ resources:
+ limits:
+ cpu: "4"
+ memory: 4Gi
+ requests:
+ cpu: "4"
+ memory: 4Gi
+ zone:
+ name: o11y
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: rook-ceph-rgw-ingress-o11y
+ namespace: rook-ceph
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - &host s3.o11y.merken.cp.lsst.org
+ secretName: rook-ceph-rgw-ingress-tls-o11y
+ rules:
+ - host: *host
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rook-ceph-rgw-o11y
+ port:
+ number: 80
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: rgw.root
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ name: .rgw.root
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "8"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.control
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "8"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.meta
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "8"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.log
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "8"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.buckets.index
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "32"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.buckets.non-ec
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "8"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.otp
+ namespace: rook-ceph
+spec:
+ application: rgw
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ pg_num: "1"
+ replicated:
+ size: 3
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: o11y.rgw.buckets.data
+ namespace: rook-ceph
+spec:
+ application: rgw
+ erasureCoded:
+ dataChunks: 2
+ codingChunks: 1
+ failureDomain: host
+ parameters:
+ nodelete: "true"
+ nosizechange: "true"
+ pg_autoscale_mode: "off"
+ bulk: "true"
+ pg_num: "64"
+ quotas:
+ maxSize: 40Ti
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: o11y
+provisioner: rook-ceph.ceph.rook.io/bucket
+parameters:
+ objectStoreName: o11y
+ objectStoreNamespace: rook-ceph
+reclaimPolicy: Retain
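Review bot: The `gateway` block of the `CephObjectStore` leaves `sslCertificateRef:` as a bare key (parsed as null) with `port: 80` and `securePort` commented out, so RGW listens in plaintext only and TLS ends at the nginx Ingress, which forwards to `rook-ceph-rgw-o11y` on port 80. S3 traffic from the namespaces in `allowUsersInNamespaces` (loki, mimir) that uses the in-cluster service would therefore carry bucket data and request signatures unencrypted across the pod network. Either drop the empty key and state the intent, e.g. `# TLS terminates at the ingress; RGW is HTTP-only inside the cluster`, or point `sslCertificateRef` at a certificate secret and enable `securePort: 443`. The Ingress also has no source-range restriction annotation; whether `s3.o11y.merken.cp.lsst.org` is reachable from outside the site network cannot be told from this hunk and is worth confirming.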
diff --git a/fleet/lib/rook-ceph-conf/charts/merken/templates/cm-cephcli.yaml b/fleet/lib/rook-ceph-conf/charts/merken/templates/cm-cephcli.yaml new file mode 100644 index 000000000..c3856854a --- /dev/null +++ b/fleet/lib/rook-ceph-conf/charts/merken/templates/cm-cephcli.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cephcli + namespace: rook-ceph +data: + script: | + ceph mgr module enable nfs + ceph orch set backend "" + ceph mgr module disable rook + + ceph mgr module enable rook + ceph orch set backend rook + ceph device monitoring on + ceph config set global device_failure_prediction_mode local diff --git a/fleet/lib/rook-ceph-conf/fleet.yaml b/fleet/lib/rook-ceph-conf/fleet.yaml index 800892d12..f752a6a92 100644 --- a/fleet/lib/rook-ceph-conf/fleet.yaml +++ b/fleet/lib/rook-ceph-conf/fleet.yaml @@ -194,3 +194,15 @@ targetCustomizations: subchart: kona: enabled: true + - name: merken + clusterSelector: + matchExpressions: + - key: management.cattle.io/cluster-display-name + operator: In + values: + - merken + helm: + values: + subchart: + merken: + enabled: true diff --git a/fleet/lib/rook-ceph-conf/values.yaml b/fleet/lib/rook-ceph-conf/values.yaml index da24cf5ea..c0ca3ca74 100644 --- a/fleet/lib/rook-ceph-conf/values.yaml +++ b/fleet/lib/rook-ceph-conf/values.yaml @@ -28,3 +28,5 @@ subchart: enabled: false kona: enabled: false + merken: + enabled: false diff --git a/fleet/s/cp/c/merken/alloy b/fleet/s/cp/c/merken/alloy new file mode 120000 index 000000000..fe854e075 --- /dev/null +++ b/fleet/s/cp/c/merken/alloy @@ -0,0 +1 @@ +../../../../lib/alloy \ No newline at end of file diff --git a/fleet/s/cp/c/merken/blackbox-exporter b/fleet/s/cp/c/merken/blackbox-exporter new file mode 120000 index 000000000..d5df566b8 --- /dev/null +++ b/fleet/s/cp/c/merken/blackbox-exporter @@ -0,0 +1 @@ +../../../../lib/blackbox-exporter \ No newline at end of file 
diff --git a/fleet/s/cp/c/merken/cert-manager b/fleet/s/cp/c/merken/cert-manager
new file mode 120000
index 000000000..dee4f0685
--- /dev/null
+++ b/fleet/s/cp/c/merken/cert-manager
@@ -0,0 +1 @@
+../../../../lib/cert-manager
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/cert-manager-conf b/fleet/s/cp/c/merken/cert-manager-conf
new file mode 120000
index 000000000..82184f197
--- /dev/null
+++ b/fleet/s/cp/c/merken/cert-manager-conf
@@ -0,0 +1 @@
+../../../../lib/cert-manager-conf
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/cert-manager-crds b/fleet/s/cp/c/merken/cert-manager-crds
new file mode 120000
index 000000000..16a9a09c7
--- /dev/null
+++ b/fleet/s/cp/c/merken/cert-manager-crds
@@ -0,0 +1 @@
+../../../../lib/cert-manager-crds
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/external-secrets b/fleet/s/cp/c/merken/external-secrets
new file mode 120000
index 000000000..5269933cf
--- /dev/null
+++ b/fleet/s/cp/c/merken/external-secrets
@@ -0,0 +1 @@
+../../../../lib/external-secrets
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/external-secrets-conf b/fleet/s/cp/c/merken/external-secrets-conf
new file mode 120000
index 000000000..067f5bd9e
--- /dev/null
+++ b/fleet/s/cp/c/merken/external-secrets-conf
@@ -0,0 +1 @@
+../../../../lib/external-secrets-conf
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/gnocpush b/fleet/s/cp/c/merken/gnocpush
new file mode 120000
index 000000000..a2297d4d6
--- /dev/null
+++ b/fleet/s/cp/c/merken/gnocpush
@@ -0,0 +1 @@
+../../../../lib/gnocpush
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/grafana-dashboards b/fleet/s/cp/c/merken/grafana-dashboards
new file mode 120000
index 000000000..ccccd3421
--- /dev/null
+++ b/fleet/s/cp/c/merken/grafana-dashboards
@@ -0,0 +1 @@
+../../../../lib/grafana-dashboards
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/ingress-nginx b/fleet/s/cp/c/merken/ingress-nginx
new file mode 120000
index 000000000..4f1441ab0
--- /dev/null
+++ b/fleet/s/cp/c/merken/ingress-nginx
@@ -0,0 +1 @@
+../../../../lib/ingress-nginx
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/kube-prometheus-stack b/fleet/s/cp/c/merken/kube-prometheus-stack
new file mode 120000
index 000000000..dac2ada60
--- /dev/null
+++ b/fleet/s/cp/c/merken/kube-prometheus-stack
@@ -0,0 +1 @@
+../../../../lib/kube-prometheus-stack
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/kube-prometheus-stack-pre b/fleet/s/cp/c/merken/kube-prometheus-stack-pre
new file mode 120000
index 000000000..82dccb02e
--- /dev/null
+++ b/fleet/s/cp/c/merken/kube-prometheus-stack-pre
@@ -0,0 +1 @@
+../../../../lib/kube-prometheus-stack-pre
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/kyverno b/fleet/s/cp/c/merken/kyverno
new file mode 120000
index 000000000..46e4e285c
--- /dev/null
+++ b/fleet/s/cp/c/merken/kyverno
@@ -0,0 +1 @@
+../../../../lib/kyverno
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/kyverno-conf b/fleet/s/cp/c/merken/kyverno-conf
new file mode 120000
index 000000000..a428116f8
--- /dev/null
+++ b/fleet/s/cp/c/merken/kyverno-conf
@@ -0,0 +1 @@
+../../../../lib/kyverno-conf
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/loki b/fleet/s/cp/c/merken/loki
new file mode 120000
index 000000000..874625b54
--- /dev/null
+++ b/fleet/s/cp/c/merken/loki
@@ -0,0 +1 @@
+../../../../lib/loki
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/metallb b/fleet/s/cp/c/merken/metallb
new file mode 120000
index 000000000..ef5fb1fb0
--- /dev/null
+++ b/fleet/s/cp/c/merken/metallb
@@ -0,0 +1 @@
+../../../../lib/metallb
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/metallb-conf b/fleet/s/cp/c/merken/metallb-conf
new file mode 120000
index 000000000..727384406
--- /dev/null
+++ b/fleet/s/cp/c/merken/metallb-conf
@@ -0,0 +1 @@
+../../../../lib/metallb-conf
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/mimir b/fleet/s/cp/c/merken/mimir
new file mode 120000
index 000000000..30cd3d61a
--- /dev/null
+++ b/fleet/s/cp/c/merken/mimir
@@ -0,0 +1 @@
+../../../../lib/mimir
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/prometheus-alerts b/fleet/s/cp/c/merken/prometheus-alerts
new file mode 120000
index 000000000..c18cc8faf
--- /dev/null
+++ b/fleet/s/cp/c/merken/prometheus-alerts
@@ -0,0 +1 @@
+../../../../lib/prometheus-alerts
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/prometheus-operator-crds b/fleet/s/cp/c/merken/prometheus-operator-crds
new file mode 120000
index 000000000..f760b55a0
--- /dev/null
+++ b/fleet/s/cp/c/merken/prometheus-operator-crds
@@ -0,0 +1 @@
+../../../../lib/prometheus-operator-crds
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/rook-ceph b/fleet/s/cp/c/merken/rook-ceph
new file mode 120000
index 000000000..c302c77d3
--- /dev/null
+++ b/fleet/s/cp/c/merken/rook-ceph
@@ -0,0 +1 @@
+../../../../lib/rook-ceph
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/rook-ceph-cluster b/fleet/s/cp/c/merken/rook-ceph-cluster
new file mode 120000
index 000000000..3d5a0aff2
--- /dev/null
+++ b/fleet/s/cp/c/merken/rook-ceph-cluster
@@ -0,0 +1 @@
+../../../../lib/rook-ceph-cluster
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/rook-ceph-conf b/fleet/s/cp/c/merken/rook-ceph-conf
new file mode 120000
index 000000000..5ab5c4ee1
--- /dev/null
+++ b/fleet/s/cp/c/merken/rook-ceph-conf
@@ -0,0 +1 @@
+../../../../lib/rook-ceph-conf
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/rook-ceph-demo b/fleet/s/cp/c/merken/rook-ceph-demo
new file mode 120000
index 000000000..4dc248bfb
--- /dev/null
+++ b/fleet/s/cp/c/merken/rook-ceph-demo
@@ -0,0 +1 @@
+../../../../lib/rook-ceph-demo
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/snmp-exporter b/fleet/s/cp/c/merken/snmp-exporter
new file mode 120000
index 000000000..c8cec9a88
--- /dev/null
+++ b/fleet/s/cp/c/merken/snmp-exporter
@@ -0,0 +1 @@
+../../../../lib/snmp-exporter
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/snmp-exporter-pre b/fleet/s/cp/c/merken/snmp-exporter-pre
new file mode 120000
index 000000000..5adb32f58
--- /dev/null
+++ b/fleet/s/cp/c/merken/snmp-exporter-pre
@@ -0,0 +1 @@
+../../../../lib/snmp-exporter-pre
\ No newline at end of file
diff --git a/fleet/s/cp/c/merken/strimzi-kafka-dashboards b/fleet/s/cp/c/merken/strimzi-kafka-dashboards
new file mode 120000
index 000000000..6d48c9996
--- /dev/null
+++ b/fleet/s/cp/c/merken/strimzi-kafka-dashboards
@@ -0,0 +1 @@
+../../../../lib/strimzi-kafka-dashboards
\ No newline at end of file
diff --git a/rke2/merken/external-secrets/.gitignore b/rke2/merken/external-secrets/.gitignore
new file mode 100644
index 000000000..7564f8b83
--- /dev/null
+++ b/rke2/merken/external-secrets/.gitignore
@@ -0,0 +1,2 @@
+secret-onepassword-connect-token.yaml
+secret-onepassword-token.yaml
diff --git a/rke2/merken/external-secrets/README.md b/rke2/merken/external-secrets/README.md
new file mode 120000
index 000000000..da3703d40
--- /dev/null
+++ b/rke2/merken/external-secrets/README.md
@@ -0,0 +1 @@
+../../../template/external-secrets/README.md
\ No newline at end of file
diff --git a/rke2/merken/external-secrets/external-secrets.sh b/rke2/merken/external-secrets/external-secrets.sh
new file mode 120000
index 000000000..8449c7f89
--- /dev/null
+++ b/rke2/merken/external-secrets/external-secrets.sh
@@ -0,0 +1 @@
+../../../template/external-secrets/external-secrets.sh
\ No newline at end of file
diff --git a/rke2/merken/external-secrets/fetch-credentials.sh b/rke2/merken/external-secrets/fetch-credentials.sh
new file mode 120000
index 000000000..b72b7d149
--- /dev/null
+++ b/rke2/merken/external-secrets/fetch-credentials.sh
@@ -0,0 +1 @@ +../../../template/external-secrets/fetch-credentials.sh \ No newline at end of file diff --git a/rke2/merken/external-secrets/onepass_item.sh b/rke2/merken/external-secrets/onepass_item.sh new file mode 100644 index 000000000..ffe364ebb --- /dev/null +++ b/rke2/merken/external-secrets/onepass_item.sh @@ -0,0 +1,2 @@ +# shellcheck shell=sh +export ONEPASS_ITEM="connect.cp.lsst.org Access Token: merken.cp.lsst.org" diff --git a/rke2/merken/external-secrets/~ b/rke2/merken/external-secrets/~ new file mode 100644 index 000000000..ffe364ebb --- /dev/null +++ b/rke2/merken/external-secrets/~ @@ -0,0 +1,2 @@ +# shellcheck shell=sh +export ONEPASS_ITEM="connect.cp.lsst.org Access Token: merken.cp.lsst.org" From c438d3826cd14276910b4a1966929f874288954d Mon Sep 17 00:00:00 2001 From: Cristian Silva Date: Mon, 10 Nov 2025 11:20:44 -0300 Subject: [PATCH 2/2] (merken) fix metallb --- fleet/lib/alloy/overlays/merken/values.yaml | 2 +- .../overlays/merken/ipaddresspool-alloy.yaml | 21 +++++++++++++++++++ .../merken/ipaddresspool-ingress.yaml | 2 +- .../merken/ipaddresspool-reserved.yaml | 2 +- 4 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 fleet/lib/metallb-conf/overlays/merken/ipaddresspool-alloy.yaml diff --git a/fleet/lib/alloy/overlays/merken/values.yaml b/fleet/lib/alloy/overlays/merken/values.yaml index 53b12d583..c7247a6ac 100644 --- a/fleet/lib/alloy/overlays/merken/values.yaml +++ b/fleet/lib/alloy/overlays/merken/values.yaml @@ -2,7 +2,7 @@ service: enabled: true type: LoadBalancer annotations: - metallb.universe.tf/loadBalancerIPs: 139.229.161.80 + metallb.universe.tf/address-pool: alloy controller: type: deployment diff --git a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-alloy.yaml b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-alloy.yaml new file mode 100644 index 000000000..299740df0 --- /dev/null +++ b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-alloy.yaml 
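Review bot: The new file `rke2/merken/external-secrets/~` looks like an editor backup committed by accident: it has the same two lines and the same blob id (`ffe364ebb`) as `onepass_item.sh`, which is added just before it. The `.gitignore` added for this directory lists only the two `secret-onepassword-*.yaml` files, so stray copies like this are not caught in a directory that handles 1Password tokens. I would drop `~` from the commit; nothing visible in this diff refers to it by that name.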
@@ -0,0 +1,21 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: alloy + namespace: metallb-system +spec: + addresses: + - 139.229.161.107/32 + autoAssign: false +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: alloy + namespace: metallb-system +spec: + ipAddressPools: + - alloy + interfaces: + - br1131 diff --git a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml index 8aac73926..25a2ec7b7 100644 --- a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml +++ b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-ingress.yaml @@ -6,7 +6,7 @@ metadata: namespace: metallb-system spec: addresses: - - 139.229.161.70/32 + - 139.229.161.106/32 autoAssign: false --- apiVersion: metallb.io/v1beta1 diff --git a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml index 28288ca1c..fd060493d 100644 --- a/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml +++ b/fleet/lib/metallb-conf/overlays/merken/ipaddresspool-reserved.yaml @@ -6,7 +6,7 @@ metadata: namespace: metallb-system spec: addresses: - - 139.229.161.80-139.229.161.100 + - 139.229.161.65-139.229.161.80 autoAssign: false --- apiVersion: metallb.io/v1beta1