diff --git a/iac/apps/fluent-bit/Chart.yaml b/iac/apps/fluent-bit/Chart.yaml
new file mode 100644
index 0000000..ad8f846
--- /dev/null
+++ b/iac/apps/fluent-bit/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: fluent-bit
+description: Fluent Bit log processor and forwarder
+type: application
+version: 1.0.0
+dependencies:
+ - name: fluent-bit
+ version: 0.43.0
+ repository: https://fluent.github.io/helm-charts
diff --git a/iac/apps/fluent-bit/values.yaml b/iac/apps/fluent-bit/values.yaml
new file mode 100644
index 0000000..45ff70b
--- /dev/null
+++ b/iac/apps/fluent-bit/values.yaml
@@ -0,0 +1,70 @@
+fluent-bit:
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "200m"
+
+ config:
+ service: |
+ [SERVICE]
+ Daemon Off
+ Flush 1
+ Log_Level info
+ Parsers_File parsers.conf
+ HTTP_Server On
+ HTTP_Listen 0.0.0.0
+ HTTP_Port 2020
+ Health_Check On
+
+ inputs: |
+ [INPUT]
+ Name tail
+ Path /var/log/containers/*.log
+ multiline.parser docker, cri
+ Tag kube.*
+ Mem_Buf_Limit 5MB
+ Skip_Long_Lines On
+
+ filters: |
+ [FILTER]
+ Name kubernetes
+ Match kube.*
+ Kube_URL https://kubernetes.default.svc:443
+ Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
+ Kube_Tag_Prefix kube.var.log.containers.
+ Merge_Log On
+ Keep_Log Off
+ K8S-Logging.Parser On
+ K8S-Logging.Exclude On
+
+ [FILTER]
+ Name nest
+ Match kube.*
+ Operation lift
+ Nested_under kubernetes
+ Add_prefix k8s_
+
+ outputs: |
+ [OUTPUT]
+ Name stdout
+ Match *
+
+ [OUTPUT]
+ Name forward
+ Match kube.*
+ Host otel-collector-opentelemetry-collector.otel-collector.svc.cluster.local
+ Port 8006
+ tls off
+
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ - operator: "Exists"
+ effect: "NoExecute"
+ - operator: "Exists"
+ effect: "NoSchedule"
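Review bot: The `forward` output in `outputs` sends every `kube.*` record to `otel-collector-opentelemetry-collector.otel-collector.svc.cluster.local:8006` with `tls off`, but the otel-collector values added in this same commit define only `otlp` and `prometheus` receivers and expose ports 4317/4318/8889, so nothing listens on 8006 and this output will retry and eventually drop its chunks. Either add a `fluentforward` receiver (`fluentforward: endpoint: 0.0.0.0:8006`) plus a matching `ports` entry on the collector side, or remove the output until that receiver exists; the hop is plaintext either way, so keep it in-cluster or move to `tls on` once the collector terminates TLS. The `stdout` output on `Match *` also writes every tailed record back into this pod's own container log under `/var/log/containers/*.log`, which the `tail` input re-reads — unless the chart templates exclude the fluent-bit pod, that is a feedback loop; add e.g. `Exclude_Path /var/log/containers/fluent-bit*` to the input or drop the stdout output outside debugging.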
diff --git a/iac/apps/kong/Chart.yaml b/iac/apps/kong/Chart.yaml
new file mode 100644
index 0000000..0ad45bd
--- /dev/null
+++ b/iac/apps/kong/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kong
+description: Kong API Gateway
+type: application
+version: 1.0.0
+dependencies:
+ - name: kong
+ version: 2.38.0
+ repository: https://charts.konghq.com
diff --git a/iac/apps/kong/values.yaml b/iac/apps/kong/values.yaml
new file mode 100644
index 0000000..a427114
--- /dev/null
+++ b/iac/apps/kong/values.yaml
@@ -0,0 +1,50 @@
+kong:
+ env:
+ database: "off"
+ nginx_worker_processes: "2"
+ proxy_access_log: /dev/stdout
+ admin_access_log: /dev/stdout
+ admin_gui_access_log: /dev/stdout
+ portal_api_access_log: /dev/stdout
+ proxy_error_log: /dev/stderr
+ admin_error_log: /dev/stderr
+ admin_gui_error_log: /dev/stderr
+ portal_api_error_log: /dev/stderr
+
+ ingressController:
+ enabled: true
+ installCRDs: false
+ env:
+ feature_gates: GatewayAlpha=true
+
+ proxy:
+ enabled: true
+ type: LoadBalancer
+ annotations: {}
+ http:
+ enabled: true
+ servicePort: 80
+ containerPort: 8000
+ tls:
+ enabled: true
+ servicePort: 443
+ containerPort: 8443
+
+ admin:
+ enabled: true
+ type: ClusterIP
+ http:
+ enabled: true
+ servicePort: 8001
+ containerPort: 8001
+
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+
+ postgresql:
+ enabled: false
diff --git a/iac/apps/labapiserver/Chart.yaml b/iac/apps/labapiserver/Chart.yaml
new file mode 100644
index 0000000..e8bc34f
--- /dev/null
+++ b/iac/apps/labapiserver/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: labapiserver
+description: Lab API Server - Go application
+type: application
+version: 1.0.0
+appVersion: "latest"
diff --git a/iac/apps/labapiserver/values.yaml b/iac/apps/labapiserver/values.yaml
new file mode 100644
index 0000000..4ba67da
--- /dev/null
+++ b/iac/apps/labapiserver/values.yaml
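Review bot: `admin.enabled: true` together with `admin.http.enabled: true` on 8001 publishes the Kong Admin API as an unauthenticated plaintext ClusterIP Service; in DB-less mode (`database: "off"`) that API still accepts `POST /config`, which replaces the whole gateway configuration, so any workload that can reach the admin Service can rewrite routes and plugins. The chart's ingress controller reaches the admin API inside the pod and, as far as I can tell from the 2.x chart layout, does not need this Service — set `admin.enabled: false`, or at minimum `admin.http.enabled: false` with the TLS listener only and a NetworkPolicy scoped to the controller; confirm against the 2.38.0 defaults. `feature_gates: GatewayAlpha=true` also presumes the Gateway API CRDs are present, and nothing in this commit installs them, so that prerequisite belongs in the chart description or a separate Application.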
@@ -0,0 +1,113 @@
+replicaCount: 2
+
+image:
+ repository: ghcr.io/mvarshney/labapiserver
+ pullPolicy: IfNotPresent
+ tag: "latest"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ create: true
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "labapiserver"
+ name: ""
+
+podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8080"
+ prometheus.io/path: "/metrics"
+
+podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ fsGroup: 1000
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+
+service:
+ type: ClusterIP
+ port: 80
+ targetPort: 8080
+ annotations: {}
+
+ingress:
+ enabled: true
+ className: "kong"
+ annotations:
+ konghq.com/strip-path: "true"
+ konghq.com/protocols: "http,https"
+ hosts:
+ - host: api.local
+ paths:
+ - path: /api
+ pathType: Prefix
+ tls: []
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 2
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 80
+
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 3
+
+env:
+ - name: PORT
+ value: "8080"
+ - name: LOG_LEVEL
+ value: "info"
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: "otel-collector-opentelemetry-collector.otel-collector.svc.cluster.local:4317"
+ - name: OTEL_SERVICE_NAME
+ value: "labapiserver"
+
+# Vault secrets - these will be injected by Vault agent
+vaultSecrets:
+ enabled: true
+ role: "labapiserver"
+ path: "secret/data/labapiserver"
+ secrets:
+ - key: "database_url"
+ envVar: "DATABASE_URL"
+ - key: "api_key"
+ envVar: "API_KEY"
+
+nodeSelector: {}
+ 
+tolerations: []
+
+affinity: {}
diff --git a/iac/apps/otel-collector/Chart.yaml b/iac/apps/otel-collector/Chart.yaml
new file mode 100644
index 0000000..bce7432
--- /dev/null
+++ b/iac/apps/otel-collector/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: otel-collector
+description: OpenTelemetry Collector deployment
+type: application
+version: 1.0.0
+dependencies:
+ - name: opentelemetry-collector
+ version: 0.80.0
+ repository: https://open-telemetry.github.io/opentelemetry-helm-charts
diff --git a/iac/apps/otel-collector/values.yaml b/iac/apps/otel-collector/values.yaml
new file mode 100644
index 0000000..8173e01
--- /dev/null
+++ b/iac/apps/otel-collector/values.yaml
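Review bot: `image.tag: "latest"` combined with `pullPolicy: IfNotPresent` means a node that already holds any `latest` image keeps running it after new pushes, and the deployment is not reproducible from git; pin an immutable tag or digest (`tag: "<release-tag>"` as a placeholder) or, if `latest` must stay, set `pullPolicy: Always`. `OTEL_EXPORTER_OTLP_ENDPOINT` is a bare host:port with no scheme; the collector in this commit serves 4317 without TLS while OTLP SDKs default to TLS when no scheme is given, so the export will likely fail the handshake — add `OTEL_EXPORTER_OTLP_INSECURE: "true"` or use `http://...:4317`, confirming against the SDK the Go service uses. The `vault.hashicorp.com/role: "labapiserver"` annotation and the `vaultSecrets` block presume a Kubernetes auth role and policy that nothing in this commit creates; I would extend the `# Vault secrets` comment to name that out-of-band step. This hunk starts on the previous physical line.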
@@ -0,0 +1,82 @@
+opentelemetry-collector:
+ mode: deployment
+
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "200m"
+
+ config:
+ receivers:
+ otlp:
+ protocols:
+ grpc:
+ endpoint: 0.0.0.0:4317
+ http:
+ endpoint: 0.0.0.0:4318
+
+ prometheus:
+ config:
+ scrape_configs:
+ - job_name: 'otel-collector'
+ scrape_interval: 10s
+ static_configs:
+ - targets: ['0.0.0.0:8888']
+
+ processors:
+ batch:
+ timeout: 10s
+ send_batch_size: 1024
+
+ memory_limiter:
+ check_interval: 1s
+ limit_mib: 400
+
+ exporters:
+ prometheus:
+ endpoint: "0.0.0.0:8889"
+
+ logging:
+ loglevel: info
+
+ otlp:
+ endpoint: "prometheus-kube-prometheus-prometheus.prometheus.svc.cluster.local:9090"
+ tls:
+ insecure: true
+
+ service:
+ pipelines:
+ traces:
+ receivers: [otlp]
+ processors: [memory_limiter, batch]
+ exporters: [logging]
+
+ metrics:
+ receivers: [otlp, prometheus]
+ processors: [memory_limiter, batch]
+ exporters: [prometheus, logging]
+
+ logs:
+ receivers: [otlp]
+ processors: [memory_limiter, batch]
+ exporters: [logging]
+
+ ports:
+ otlp:
+ enabled: true
+ containerPort: 4317
+ servicePort: 4317
+ protocol: TCP
+ otlp-http:
+ enabled: true
+ containerPort: 4318
+ servicePort: 4318
+ protocol: TCP
+ metrics:
+ enabled: true
+ containerPort: 8889
+ servicePort: 8889
+ protocol: TCP
diff --git a/iac/apps/prometheus/Chart.yaml b/iac/apps/prometheus/Chart.yaml
new file mode 100644
index 0000000..7029e1e
--- /dev/null
+++ b/iac/apps/prometheus/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: prometheus
+description: Prometheus monitoring stack
+type: application
+version: 1.0.0
+dependencies:
+ - name: kube-prometheus-stack
+ version: 55.5.0
+ repository: https://prometheus-community.github.io/helm-charts
diff --git a/iac/apps/prometheus/values.yaml b/iac/apps/prometheus/values.yaml
new file mode 100644
index 0000000..a06ac67
--- /dev/null
+++ b/iac/apps/prometheus/values.yaml
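Review bot: The `otlp` exporter under `exporters` targets `prometheus-kube-prometheus-prometheus.prometheus.svc.cluster.local:9090`, but Prometheus's OTLP ingestion (only when started with `--web.enable-otlp-receiver`) is HTTP at `/api/v1/otlp/v1/metrics`, not gRPC on 9090, so this exporter cannot deliver anything; it is also referenced by none of the `service.pipelines`, so today it is dead configuration. Remove it, or change it to `otlphttp` with that path once the Prometheus flag is set — since the `prometheus` exporter on 8889 is already in the metrics pipeline and exposed under `ports.metrics`, scraping that from kube-prometheus-stack is the simpler route. The `logging` exporter has been deprecated in favour of `debug` in recent collector releases; check the image version the 0.80.0 chart pulls before relying on it.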
@@ -0,0 +1,41 @@
+kube-prometheus-stack:
+ prometheus:
+ prometheusSpec:
+ retention: 7d
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
+
+ resources:
+ requests:
+ memory: "2Gi"
+ cpu: "500m"
+ limits:
+ memory: "4Gi"
+ cpu: "1000m"
+
+ serviceMonitorSelectorNilUsesHelmValues: false
+ podMonitorSelectorNilUsesHelmValues: false
+
+ grafana:
+ enabled: true
+ adminPassword: "admin" # Change in production!
+
+ persistence:
+ enabled: true
+ size: 5Gi
+
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "200m"
+
+ alertmanager:
+ enabled: true
diff --git a/iac/apps/vault/Chart.yaml b/iac/apps/vault/Chart.yaml
new file mode 100644
index 0000000..2453a5a
--- /dev/null
+++ b/iac/apps/vault/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: vault
+description: HashiCorp Vault deployment
+type: application
+version: 1.0.0
+dependencies:
+ - name: vault
+ version: 0.28.0
+ repository: https://helm.releases.hashicorp.com
diff --git a/iac/apps/vault/values.yaml b/iac/apps/vault/values.yaml
new file mode 100644
index 0000000..28cf835
--- /dev/null
+++ b/iac/apps/vault/values.yaml
@@ -0,0 +1,41 @@
+vault:
+ server:
+ dev:
+ enabled: true
+ devRootToken: "root" # Change in production!
+
+ ha:
+ enabled: false
+
+ dataStorage:
+ enabled: true
+ size: 10Gi
+
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+
+ ingress:
+ enabled: false
+
+ serviceAccount:
+ create: true
+ name: vault
+
+ ui:
+ enabled: true
+ serviceType: "ClusterIP"
+
+ injector:
+ enabled: true
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "50m"
+ limits:
+ memory: "256Mi"
+ cpu: "100m"
diff --git a/iac/argocd/applications/fluent-bit.yaml b/iac/argocd/applications/fluent-bit.yaml
new file mode 100644
index 0000000..c8caece
--- /dev/null
+++ b/iac/argocd/applications/fluent-bit.yaml
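Review bot: `grafana.adminPassword: "admin"` commits the Grafana admin credential to the repository, and the `# Change in production!` comment does not stop Argo CD from deploying it verbatim with `selfHeal: true` reverting any manual change. The grafana subchart supports `admin.existingSecret` with `admin.userKey`/`admin.passwordKey`; point it at a Secret created out-of-band or through the Vault injector this commit installs, and delete the literal password.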
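Review bot: `server.dev.enabled: true` with `devRootToken: "root"` runs Vault in dev mode — in-memory storage, auto-unsealed, and a well-known root token checked into git — while `dataStorage.enabled: true` requests a 10Gi PVC that a dev-mode server never writes to. If a lab is intended, at least remove `devRootToken` so Vault generates one, and note next to the `dev` block that the `labapiserver` agent-inject role and policy vanish on every restart and must be recreated; otherwise use `server.standalone` (or `ha`) with a persistent backend and an init/unseal runbook. `ui.enabled: true` on ClusterIP is fine in itself, but with a static root token anyone able to port-forward has full control of every secret.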
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: fluent-bit
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/fluent-bit
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: fluent-bit
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/iac/argocd/applications/kong.yaml b/iac/argocd/applications/kong.yaml
new file mode 100644
index 0000000..c63109e
--- /dev/null
+++ b/iac/argocd/applications/kong.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kong
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/kong
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kong
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/iac/argocd/applications/labapiserver.yaml b/iac/argocd/applications/labapiserver.yaml
new file mode 100644
index 0000000..61def47
--- /dev/null
+++ b/iac/argocd/applications/labapiserver.yaml
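Review bot: Every Application in this commit uses `project: default` together with `automated.prune: true` and `selfHeal: true`; the default AppProject permits any source repository, any destination cluster or namespace, and any cluster-scoped resource, so a push to `main` of this repository can create or prune arbitrary cluster resources. Define a dedicated AppProject whose `sourceRepos` lists only `https://github.com/mvarshney/labapiserver.git`, whose `destinations` name the namespaces used here, and whose `clusterResourceWhitelist` admits only the kinds these charts need (CRDs, ClusterRoles and bindings), then set `project: <project-name>` in each manifest. The same applies to kong.yaml on this line and to labapiserver.yaml, otel-collector.yaml, prometheus.yaml, vault.yaml and root-app.yaml on the following lines.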
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: labapiserver
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd-image-updater.argoproj.io/image-list: labapiserver=ghcr.io/REPLACE_WITH_YOUR_GITHUB_USERNAME/labapiserver
+ argocd-image-updater.argoproj.io/labapiserver.update-strategy: latest
+ argocd-image-updater.argoproj.io/write-back-method: git
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/labapiserver
+ helm:
+ valueFiles:
+ - values.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: labapiserver
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/iac/argocd/applications/otel-collector.yaml b/iac/argocd/applications/otel-collector.yaml
new file mode 100644
index 0000000..c290590
--- /dev/null
+++ b/iac/argocd/applications/otel-collector.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: otel-collector
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/otel-collector
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: otel-collector
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/iac/argocd/applications/prometheus.yaml b/iac/argocd/applications/prometheus.yaml
new file mode 100644
index 0000000..5032dd4
--- /dev/null
+++ b/iac/argocd/applications/prometheus.yaml
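Review bot: The `argocd-image-updater.argoproj.io/image-list` annotation still carries the `REPLACE_WITH_YOUR_GITHUB_USERNAME` placeholder, while `repoURL` here and `image.repository` in the chart values use `ghcr.io/mvarshney/labapiserver`, so the updater would track an image that does not match the one deployed; change it to `argocd-image-updater.argoproj.io/image-list: labapiserver=ghcr.io/mvarshney/labapiserver`. `write-back-method: git` also requires write credentials for this repository on the image-updater side, and `update-strategy: latest` with values pinned to `tag: "latest"` only does anything if the registry publishes additional, dated tags — confirm both before leaving automated sync enabled on this Application.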
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prometheus
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/prometheus
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: prometheus
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/iac/argocd/applications/vault.yaml b/iac/argocd/applications/vault.yaml
new file mode 100644
index 0000000..07511f2
--- /dev/null
+++ b/iac/argocd/applications/vault.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/apps/vault
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: vault
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/iac/argocd/root-app.yaml b/iac/argocd/root-app.yaml
new file mode 100644
index 0000000..9fa25fe
--- /dev/null
+++ b/iac/argocd/root-app.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: root-app
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/mvarshney/labapiserver.git
+ targetRevision: main
+ path: iac/argocd/applications
+ directory:
+ recurse: false
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true