new talos cluster

This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions


@@ -0,0 +1,122 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: thanos
namespace: monitoring
spec:
interval: 15m
chart:
spec:
chart: thanos
version: 11.6.1
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
registry: quay.io
repository: thanos/thanos
tag: v0.29.0
objstoreConfig:
type: s3
query:
enabled: true
replicaCount: 2
podAntiAffinityPreset: hard
replicaLabels:
- replica
dnsDiscovery:
sidecarsService: kube-prometheus-stack-thanos-discovery
sidecarsNamespace: monitoring
stores:
- "dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery"
- "thanos-store.${SECRET_DOMAIN}:443"
ingress:
enabled: true
hostname: &host "thanos-query.${SECRET_CLUSTER_DOMAIN}"
annotations:
auth.home.arpa/enabled: "true"
ingressClassName: "nginx"
tls: true
extraTls:
- hosts:
- *host
resources:
requests:
cpu: 15m
memory: 64M
limits:
memory: 99M
queryFrontend:
enabled: true
bucketweb:
enabled: true
refresh: "10m"
compactor:
enabled: true
extraFlags:
- "--compact.concurrency"
- "4"
retentionResolutionRaw: 14d
retentionResolution5m: 14d
retentionResolution1h: 30d
ingress:
enabled: true
hostname: &host "thanos-compactor.${SECRET_CLUSTER_DOMAIN}"
ingressClassName: "nginx"
tls: true
extraTls:
- hosts:
- *host
persistence:
enabled: true
storageClass: "rook-ceph-block"
size: 15Gi
storegateway:
enabled: true
resources:
requests:
cpu: 23m
memory: 204M
limits:
memory: 226M
persistence:
enabled: true
storageClass: "rook-ceph-block"
size: 512Mi
ruler:
enabled: false
metrics:
enabled: true
serviceMonitor:
enabled: true
valuesFrom:
- kind: Secret
name: thanos
valuesKey: S3_BUCKET_NAME
targetPath: objstoreConfig.config.bucket
- kind: Secret
name: thanos
valuesKey: S3_BUCKET_HOST
targetPath: objstoreConfig.config.endpoint
- kind: Secret
name: thanos
valuesKey: S3_BUCKET_REGION
targetPath: objstoreConfig.config.region
- kind: Secret
name: thanos
valuesKey: S3_ACCESS_KEY
targetPath: objstoreConfig.config.access_key
- kind: Secret
name: thanos
valuesKey: S3_SECRET_KEY
targetPath: objstoreConfig.config.secret_key
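Review bot: The compactor ingress (hostname `thanos-compactor.${SECRET_CLUSTER_DOMAIN}`) is published without the `auth.home.arpa/enabled: "true"` annotation that the query ingress carries, so the compactor's HTTP endpoint, which at least lists bucket block metadata, is reachable through nginx without the auth gate the query UI gets. Unless the omission is deliberate, add `annotations:` followed by `auth.home.arpa/enabled: "true"` under `compactor.ingress`, mirroring the query block. Separately, the anchor `&host` is defined twice in this file (query ingress and compactor ingress); YAML binds each `*host` to the most recent definition, so it works today, but distinct names such as `&query_host` and `&compactor_host` would avoid a silent mis-reference if the blocks are ever reordered.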


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml


@@ -0,0 +1,68 @@
# Development
## thanos
### S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the thanos user and password
```sh
mc admin user add minio thanos <super-secret-password>
```
3. Create the thanos bucket
```sh
mc mb minio/thanos
```
4. Create `thanos-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::thanos/*", "arn:aws:s3:::thanos"],
"Sid": ""
}
]
}
```
5. Apply the bucket policies
```sh
mc admin policy add minio thanos-private thanos-user-policy.json
```
6. Associate private policy with the user
```sh
mc admin policy set minio thanos-private user=thanos
```


@@ -0,0 +1,32 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: thanos
namespace: monitoring
stringData:
S3_BUCKET_NAME: ENC[AES256_GCM,data:0q5tjzGN,iv:RYjlKFAJpR6NSjimSAf8JrS2t1mUGSCAjusrYhTyiuw=,tag:AAIwBbmYoflm5M1EVbHM4A==,type:str]
S3_BUCKET_HOST: ENC[AES256_GCM,data:1foL7G96e5Tl76fLQ2tAl27achvc9nvB,iv:wwW3T28eKx478OFMP4a3otf4ao/pKjp2DwXMsYl1TKA=,tag:stskcPwQ7ojSIjYSWwru+A==,type:str]
S3_BUCKET_REGION: ""
S3_ACCESS_KEY: ENC[AES256_GCM,data:zTvAiBiukR1RP5eACMfgBsoTbwI=,iv:IIMUgN5SO+0i9/8w8QHpRgiTzQsOELqgMZAsARvcZJQ=,tag:lIvDTJ8i5UiOkZRMLrgV7g==,type:str]
S3_SECRET_KEY: ENC[AES256_GCM,data:mUHk2N4tcbh3si26uZx3J/gkXWH4gqk4/vJfJ3J03mreNsD8VlNePw==,iv:+wS4yLwKrFALFF51BLxXFpP0ROlR7qdBTVpFCJ/tizM=,tag:VJr9s444GB5GPft/8897mw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHQ5b3RRYjdGd3JYQkxh
cnRBTlJuMm9NTU96TFRpSEg0K2UrdnJ1V1VjCkZpRmwvSmZ3ZHJNaGNNS21mUytt
VXRMVzhSemx4NGZYSUtCS3g3Q281dXcKLS0tIC94NCtGVWF2U055NEZJTmtpenVM
L3c2WElEOU4rS0hrU1NPQ1NPZitDVDgKaN3P5xK1O1i9lTSAGJU+GIxbIoTb5OMO
if3medB2nPLEt5BUY2datTbswXiT3E9rFyka/Maq6afZjFiixK5mFQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-11T23:17:47Z"
mac: ENC[AES256_GCM,data:rZvSwE5R8AIFdbLVP0+MfN9vdUJpOZGuxnmtAQE8EJnE6qv5lesM8atA/6o8AsyuX/2quydQBz3j/pw9tk7bSB9E29Nv/dvnp5JIcq3Im+s2gGercuN1cTABMZ67Sa/ZN6lHCU7xY0u+3Wlv1tXOYgXuGnssQ+y7qdNSaAJpbwA=,iv:56AoYRPby+ZV9SdjXMwJWk8XpdDhIzrw6FMtBBCQLsU=,tag:zzCWi+tUhUEjuGgHENU0hQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3