add further payloads

Author: soerenschneider

clusters/argo-svc.dd.soeren.cloud/apps/mosquitto/kustomization.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mosquitto
+resources:
+  - ../../../../apps/mosquitto
+  - namespace.yaml
+components:
+  - ../../../../apps/mosquitto/components/istio
+  - ../../../../apps/mosquitto/components/tls
+  - ../../../../apps/mosquitto/components/exporter
+patches:
+  - target:
+      kind: VirtualService
+      name: mosquitto
+    patch: |-
+      - op: replace
+        path: "/spec/hosts"
+        value:
+          - "mosquitto.svc.dd.soeren.cloud"
+  - target:
+      kind: Certificate
+      name: mosquitto
+    patch: |-
+      - op: replace
+        path: "/spec/commonName"
+        value: "mosquitto.svc.dd.soeren.cloud"
+      - op: replace
+        path: "/spec/dnsNames"
+        value:
+          - "mosquitto.svc.dd.soeren.cloud"

clusters/argo-svc.dd.soeren.cloud/apps/mosquitto/namespace.yaml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: mosquitto
+  labels:
+    name: mosquitto

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/blackbox-exporter/config.yaml

@@ -0,0 +1,40 @@
+---
+modules:
+  dns_soerenschneider:
+    dns:
+      query_name: router.ez.soeren.cloud
+      query_type: A
+      validate_answer_rrs:
+        fail_if_not_matches_regexp:
+          - "router.ez.soeren.cloud.\t.*\tIN\tA\t.*192\\.168\\.2\\.3"
+    prober: dns
+  http:
+    http:
+      tls_config:
+        cert_file: /certs/tls.crt
+        key_file: /certs/tls.key
+      valid_status_codes:
+        - 200
+        - 204
+        - 301
+        - 302
+        - 403
+        - 404
+    prober: http
+    timeout: 5s
+  http_2xx:
+    prober: http
+    timeout: 5s
+  icmp:
+    icmp:
+      preferred_ip_protocol: ip4
+    prober: icmp
+    timeout: 2s
+  tcp_cert:
+    prober: tcp
+    tcp:
+      tls: true
+    timeout: 2s
+  tcp_connect:
+    prober: tcp
+    timeout: 2s

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/blackbox-exporter/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../../apps/monitoring/blackbox_exporter
+components:
+  - ../../../../../apps/monitoring/blackbox_exporter/components/custom-config
+  - ../../../../../apps/monitoring/blackbox_exporter/components/reverse-proxy
+  - ../../../../../apps/monitoring/blackbox_exporter/components/tls-client-cert
+configMapGenerator:
+  - name: blackbox-exporter-config
+    files:
+      - config.yaml

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/karma/karma.yaml

@@ -0,0 +1,68 @@
+---
+alertmanager:
+  interval: 60s
+  servers:
+    - name: local
+      uri: http://router.dd.soeren.cloud:9093
+      timeout: 10s
+      proxy: true
+      readonly: false
+      headers:
+        X-Auth-Test: some-token-or-other-string
+annotations:
+  default:
+    hidden: false
+  hidden:
+    - help
+  visible: []
+custom:
+  css: /custom.css
+  js: /custom.js
+debug: false
+filters:
+  default:
+    - "@receiver!=deadman"
+    - "@state=active"
+karma:
+  name: karma-prod
+labels:
+  color:
+    static:
+      - job
+    unique:
+      - cluster
+      - instance
+      - "@receiver"
+  keep: []
+  strip: []
+listen:
+  address: "0.0.0.0"
+  port: 8000
+  cors:
+    allowedOrigins:
+      - https://example.com
+log:
+  config: false
+  level: info
+silences:
+  comments:
+    linkDetect:
+      rules:
+        - regex: "(DEVOPS-[0-9]+)"
+          uriTemplate: https://jira.example.com/browse/$1
+receivers:
+  keep: []
+  strip: []
+silenceForm:
+  strip:
+    labels:
+      - job
+  defaultAlertmanagers:
+    - local
+ui:
+  refresh: 30s
+  hideFiltersWhenIdle: true
+  colorTitlebar: false
+  minimalGroupWidth: 420
+  alertsPerGroup: 5
+  collapseGroups: collapsedOnMobile

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/karma/kustomization.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../../apps/monitoring/karma
+components:
+  - ../../../../../apps/monitoring/karma/components/reverse-proxy
+patches:
+  - target:
+      kind: Deployment
+      name: karma
+    patch: |-
+      - op: add
+        path: /spec/template/spec/priorityClassName
+        value: prod-low-prio
+configMapGenerator:
+  - name: karma-config
+    files:
+      - karma.yaml

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/karma/networkpolicy.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: karma
+spec:
+  podSelector:
+    matchLabels:
+      app: karma
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: karma
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: istio-system
+          podSelector:
+            matchLabels:
+              istio: ingressgateway
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app: prometheus
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app: prometheus
+    - to:
+        - ipBlock:
+            cidr: 10.0.0.0/8
+      ports:
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 9093
+    - to:
+        - ipBlock:
+            cidr: 192.168.0.0/16
+      ports:
+        - protocol: TCP
+          port: 9093
+        - protocol: TCP
+          port: 443
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 192.168.0.0/16

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/kube-state-metrics/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ../../../../../apps/monitoring/kube-state-metrics
+components:
+  - ../../../../../apps/monitoring/kube-state-metrics/components/rbac

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/kustomization.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - namespace.yaml
+  - blackbox-exporter
+  - karma
+  - kube-state-metrics
+  - prometheus
+  - pushgateway
+  - vmalert
+components:
+  - ../../../../apps/monitoring/components/tls-client-cert
+  - ../../../../apps/monitoring/components/reverse-proxy
+  - ../../../../apps/monitoring/components/reverse-proxy-istio
+patches:
+  - target:
+      kind: VirtualService
+      name: monitoring-reverse-proxy
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "monitoring.svc.dd.soeren.cloud"
+  - target:
+      kind: Issuer
+      name: vault-issuer
+    patch: |-
+      - op: "replace"
+        path: "/spec/vault/auth/kubernetes/mountPath"
+        value: "/v1/auth/svc.dd.soeren.cloud"

clusters/argo-svc.dd.soeren.cloud/k8s-infra/monitoring/namespace.yaml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: monitoring
+  labels:
+    name: monitoring