♻️ flux kustomizations

kubernetes/apps/monitoring/thanos/app/helmrelease.yaml

@@ -0,0 +1,123 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: thanos
+  namespace: monitoring
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: thanos
+      version: 11.6.5
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    image:
+      registry: quay.io
+      repository: thanos/thanos
+      tag: v0.29.0
+    objstoreConfig:
+      type: s3
+    query:
+      enabled: true
+      replicaCount: 2
+      podAntiAffinityPreset: hard
+      replicaLabels:
+        - replica
+      dnsDiscovery:
+        sidecarsService: kube-prometheus-stack-thanos-discovery
+        sidecarsNamespace: monitoring
+        stores:
+          - "dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery"
+          - "thanos-store.${SECRET_DOMAIN}:443"
+      ingress:
+        enabled: true
+        hostname: &host "thanos-query.${SECRET_CLUSTER_DOMAIN}"
+        annotations:
+          auth.home.arpa/enabled: "true"
+        ingressClassName: "nginx"
+        tls: true
+        extraTls:
+          - hosts:
+              - *host
+      resources:
+        requests:
+          cpu: 15m
+          memory: 64M
+        limits:
+          memory: 99M
+    queryFrontend:
+      enabled: true
+    bucketweb:
+      enabled: true
+      refresh: "10m"
+    compactor:
+      enabled: true
+      extraFlags:
+        - "--compact.concurrency"
+        - "4"
+      retentionResolutionRaw: 14d
+      retentionResolution5m: 14d
+      retentionResolution1h: 30d
+      ingress:
+        enabled: true
+        hostname: &host "thanos-compactor.${SECRET_CLUSTER_DOMAIN}"
+        ingressClassName: "nginx"
+        tls: true
+        extraTls:
+          - hosts:
+              - *host
+      persistence:
+        enabled: true
+        storageClass: "rook-ceph-block"
+        size: 15Gi
+    storegateway:
+      enabled: true
+      resources:
+        requests:
+          cpu: 23m
+          memory: 204M
+        limits:
+          memory: 226M
+      persistence:
+        enabled: true
+        storageClass: "rook-ceph-block"
+        size: 512Mi
+    ruler:
+      enabled: false
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  valuesFrom:
+    - kind: Secret
+      name: thanos
+      valuesKey: S3_BUCKET_NAME
+      targetPath: objstoreConfig.config.bucket
+    - kind: Secret
+      name: thanos
+      valuesKey: S3_BUCKET_HOST
+      targetPath: objstoreConfig.config.endpoint
+    - kind: Secret
+      name: thanos
+      valuesKey: S3_BUCKET_REGION
+      targetPath: objstoreConfig.config.region
+    - kind: Secret
+      name: thanos
+      valuesKey: S3_ACCESS_KEY
+      targetPath: objstoreConfig.config.access_key
+    - kind: Secret
+      name: thanos
+      valuesKey: S3_SECRET_KEY
+      targetPath: objstoreConfig.config.secret_key

kubernetes/apps/monitoring/thanos/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml

kubernetes/apps/monitoring/thanos/app/readme.md

@@ -0,0 +1,67 @@
+# Development
+
+## thanos
+
+### S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+    ```json
+    {
+        "version": "10",
+        "aliases": {
+            "minio": {
+                "url": "https://s3.<domain>",
+                "accessKey": "<access-key>",
+                "secretKey": "<secret-key>",
+                "api": "S3v4",
+                "path": "auto"
+            }
+        }
+    }
+    ```
+
+2. Create the thanos user and password
+
+    ```sh
+    mc admin user add minio thanos <super-secret-password>
+    ```
+
+3. Create the thanos bucket
+
+    ```sh
+    mc mb minio/thanos
+    ```
+
+4. Create `thanos-user-policy.json`
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "s3:ListBucket",
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Effect": "Allow",
+                "Resource": ["arn:aws:s3:::thanos/*", "arn:aws:s3:::thanos"],
+                "Sid": ""
+            }
+        ]
+    }
+    ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy add minio thanos-private thanos-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio thanos-private user=thanos
+    ```

kubernetes/apps/monitoring/thanos/app/secret.sops.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+    name: thanos
+    namespace: monitoring
+stringData:
+    S3_BUCKET_NAME: ENC[AES256_GCM,data:0q5tjzGN,iv:RYjlKFAJpR6NSjimSAf8JrS2t1mUGSCAjusrYhTyiuw=,tag:AAIwBbmYoflm5M1EVbHM4A==,type:str]
+    S3_BUCKET_HOST: ENC[AES256_GCM,data:/9U/cHXmbGnbDCNm37zy0PzRbt5RI2LN7g==,iv:LLCrwkc6k3mXbJVWa2FivgEsbQKa9OyJWpe47BwExB8=,tag:qji0SWdaSgp8tNANSSB9Hg==,type:str]
+    S3_BUCKET_REGION: ""
+    S3_ACCESS_KEY: ENC[AES256_GCM,data:zTvAiBiukR1RP5eACMfgBsoTbwI=,iv:IIMUgN5SO+0i9/8w8QHpRgiTzQsOELqgMZAsARvcZJQ=,tag:lIvDTJ8i5UiOkZRMLrgV7g==,type:str]
+    S3_SECRET_KEY: ENC[AES256_GCM,data:mUHk2N4tcbh3si26uZx3J/gkXWH4gqk4/vJfJ3J03mreNsD8VlNePw==,iv:+wS4yLwKrFALFF51BLxXFpP0ROlR7qdBTVpFCJ/tizM=,tag:VJr9s444GB5GPft/8897mw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHQ5b3RRYjdGd3JYQkxh
+            cnRBTlJuMm9NTU96TFRpSEg0K2UrdnJ1V1VjCkZpRmwvSmZ3ZHJNaGNNS21mUytt
+            VXRMVzhSemx4NGZYSUtCS3g3Q281dXcKLS0tIC94NCtGVWF2U055NEZJTmtpenVM
+            L3c2WElEOU4rS0hrU1NPQ1NPZitDVDgKaN3P5xK1O1i9lTSAGJU+GIxbIoTb5OMO
+            if3medB2nPLEt5BUY2datTbswXiT3E9rFyka/Maq6afZjFiixK5mFQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-22T22:26:04Z"
+    mac: ENC[AES256_GCM,data:ANDShRftczGroCYNFKa/WdF22PgZ9yA6xhxdfe7/HHs0vQU48Q8nOrOT66P+8HDRV63I5ddodOurVtztFyGc8I0YdU2Bg1P2rnEmStfJsGGidTIqNloopCArsAH2UJj/fxwUA3dxswFURvgIagpjfdWHYGT2vzma44CORrk5vpU=,iv:KiFlpjLy+hj6V2dUoZeBdr3eq22So4G2oAA2QutF3UU=,tag:fkpjbQFU0Habj3d+6mNZLQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/apps/monitoring/thanos/ks.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-thanos-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-kube-prometheus-stack-app
+  path: ./kubernetes/apps/monitoring/thanos/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: thanos
+      namespace: monitoring
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m