diff --git a/otc/edp.buildth.ing/stacks/core/dex.yaml b/otc/edp.buildth.ing/stacks/core/dex.yaml
new file mode 100644
index 0000000..1013ce3
--- /dev/null
+++ b/otc/edp.buildth.ing/stacks/core/dex.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dex
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: dex
+ sources:
+ - repoURL: https://charts.dexidp.io
+ chart: dex
+ targetRevision: 0.23.0
+ helm:
+ valueFiles:
+ - $values/otc/edp.buildth.ing/stacks/core/dex/values.yaml
+ - repoURL: https://observability.buildth.ing/DevFW-CICD/stacks-instances
+ targetRevision: HEAD
+ ref: values
diff --git a/otc/edp.buildth.ing/stacks/core/dex/values.yaml b/otc/edp.buildth.ing/stacks/core/dex/values.yaml
new file mode 100644
index 0000000..48667d7
--- /dev/null
+++ b/otc/edp.buildth.ing/stacks/core/dex/values.yaml
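Review bot: The values source under `sources` tracks `targetRevision: HEAD`, so the Dex configuration that gets deployed is whatever the repository's default branch holds at sync time, while the chart itself is pinned to `0.23.0`. Combined with `selfHeal: true` and `retry.limit: -1`, a bad push to that branch is applied automatically and retried without bound, and there is nothing in this file to roll back to. Pinning the values repository to a branch or tag, e.g. `targetRevision: <branch-or-tag>`, makes the deployed identity-provider configuration reviewable from this manifest alone.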
@@ -0,0 +1,76 @@
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: main
+ hosts:
+ - host: dex.edp.buildth.ing
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - dex.edp.buildth.ing
+ secretName: dex-cert
+
+envVars:
+ - name: FORGEJO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-forgejo-client
+ key: clientSecret
+ - name: FORGEJO_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: dex-forgejo-client
+ key: clientID
+ - name: OIDC_DEX_GRAFANA_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-grafana-client
+ key: clientSecret
+ - name: OIDC_DEX_ARGO_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: dex-argo-client
+ key: clientSecret
+ - name: LOG_LEVEL
+ value: debug
+
+config:
+ # Set it to a valid URL
+ issuer: https://dex.edp.buildth.ing
+
+ # See https://dexidp.io/docs/storage/ for more options
+ storage:
+ type: memory
+
+ oauth2:
+ skipApprovalScreen: true
+ alwaysShowLoginScreen: false
+
+ connectors:
+ - type: gitea
+ id: gitea
+ name: Forgejo
+ config:
+ clientID: "$FORGEJO_CLIENT_ID"
+ clientSecret: "$FORGEJO_CLIENT_SECRET"
+ redirectURI: https://dex.edp.buildth.ing/callback
+ baseURL: https://edp.buildth.ing
+ # loadAllGroups: true
+ orgs:
+ - name: DevFW
+ enablePasswordDB: false
+
+ staticClients:
+ - id: controller-argocd-dex
+ name: ArgoCD Client
+ redirectURIs:
+ - "http://argocd.edp.buildth.ing/auth/callback"
+ secretEnv: "OIDC_DEX_ARGO_CLIENT_SECRET"
+ - id: grafana
+ redirectURIs:
+ - "https://grafana.edp.buildth.ing/login/generic_oauth"
+ name: "Grafana"
+ secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET"
diff --git a/otc/edp.buildth.ing/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/otc/edp.buildth.ing/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
index 37eede2..cc153d1 100644
--- a/otc/edp.buildth.ing/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
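Review bot: The ArgoCD entry in `staticClients` registers `http://argocd.edp.buildth.ing/auth/callback` as its redirect URI while the ingress, the `issuer` and the Grafana client are all `https://`; Dex will redirect the browser with the authorization code to that plaintext URL, and because Dex matches the registered URI exactly, the login fails outright if ArgoCD is actually served over TLS. Unless ArgoCD is deliberately exposed over plain HTTP, change it to `- "https://argocd.edp.buildth.ing/auth/callback"`. Two smaller points for a stack labelled `env: dev`: `LOG_LEVEL: debug` on an identity provider is verbose for anything beyond bring-up, and `storage.type: memory` means every Dex restart drops issued refresh tokens and sessions, which deserves a comment next to the `# See https://dexidp.io/docs/storage/` line so nobody is surprised when clients configured with refresh tokens are forced to re-login.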
+++ b/otc/edp.buildth.ing/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
@@ -64,7 +64,7 @@ metadata:
 name: s3-backup
 namespace: gitea
 annotations:
- everest.io/disk-volume-type: SATA
+ everest.io/disk-volume-type: GPSSD
 everest.io/crypt-key-id: 7032bf53-33aa-4bfa-bca2-052df19f6225
 spec:
 storageClassName: csi-disk
@@ -72,7 +72,7 @@ spec:
 - ReadWriteOnce
 resources:
 requests:
- storage: 50Gi
+ storage: 100Gi
 ---
 apiVersion: v1
 kind: Secret
diff --git a/otc/edp.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml b/otc/edp.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
index 90febf9..7b75977 100644
--- a/otc/edp.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
+++ b/otc/edp.buildth.ing/stacks/observability/grafana-operator/manifests/grafana.yaml
@@ -8,7 +8,7 @@ spec:
 persistentVolumeClaim:
 metadata:
 annotations:
- everest.io/disk-volume-type: SATA
+ everest.io/disk-volume-type: GPSSD
 everest.io/crypt-key-id: 7032bf53-33aa-4bfa-bca2-052df19f6225
 spec:
 storageClassName: csi-disk
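Review bot: Changing `everest.io/disk-volume-type` from `SATA` to `GPSSD` on the `s3-backup` claim (and the same edit on the PVCs in grafana.yaml, vlogs.yaml and victoria-k8s-stack/values.yaml) only affects provisioning; if these claims already exist in the cluster, the annotation is updated in place and the disk behind it presumably stays on its original type, so the switch needs a recreate of the claim or a volume migration that this commit does not show. The `storage: 50Gi` to `100Gi` bump in the second hunk applies in place only if the `csi-disk` storage class allows volume expansion; otherwise the claim stays out of sync. A comment above the annotation would save the next reader the investigation: `# disk type is fixed when the volume is provisioned; changing it on an existing claim does not migrate the disk`. The PVC definition starts above the first hunk, outside the visible lines.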
@@ -17,6 +17,40 @@ spec:
 resources:
 requests:
 storage: 10Gi
+ deployment:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: grafana
+ env:
+ - name: OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: clientSecret
+ name: dex-grafana-client
+ config:
+ log.console:
+ level: debug
+ server:
+ root_url: "https://grafana.edp.buildth.ing"
+ auth:
+ disable_login: "true"
+ disable_login_form: "true"
+ auth.generic_oauth:
+ enabled: "true"
+ name: Forgejo
+ allow_sign_up: "true"
+ use_refresh_token: "true"
+ client_id: grafana
+ client_secret: $__env{OAUTH_CLIENT_SECRET}
+ scopes: openid email profile offline_access groups
+ auth_url: https://dex.edp.buildth.ing/auth
+ token_url: https://dex.edp.buildth.ing/token
+ api_url: https://dex.edp.buildth.ing/userinfo
+ redirect_uri: https://grafana.edp.buildth.ing/login/generic_oauth
+ role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'"
+ allow_assign_grafana_admin: "true"
 ingress:
 metadata:
 annotations:
diff --git a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml
index 9419609..110ee7e 100644
--- a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml
+++ b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml
@@ -27,3 +27,14 @@ spec:
 annotations:
 value: "{{ $value }}"
 description: 'forgejo s3 backup job failed in cluster environment {{ $labels.cluster_environment }}'
+ - name: disk-consumption-high
+ rules:
+ - alert: disk consumption high
+ expr: 1-(kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes) > 0.6
+ for: 30s
+ labels:
+ severity: major
+ job: "{{ $labels.job }}"
+ annotations:
+ value: "{{ $value }}"
+ description: 'disk consumption of pvc {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is high in cluster environment {{ $labels.cluster_environment }}'
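Review bot: `role_attribute_path` hands `GrafanaAdmin` to anyone whose `groups` claim contains `DevFW`, and `allow_assign_grafana_admin: "true"` makes that server-level admin, yet `role_attribute_strict` is not set, so a user whose claim does not evaluate to a role Grafana recognises still logs in with the default org role instead of being rejected (the `'None'` fallback only counts as a valid role on Grafana versions that have the None basic role). Adding `role_attribute_strict: "true"` under `auth.generic_oauth` turns a failed mapping into a denied login, which is the safer default when the mapping gates admin. Worth confirming before relying on it: the Dex gitea connector in dex/values.yaml keeps `# loadAllGroups: true` commented out and filters on `orgs: DevFW`, so the exact strings Dex places in the `groups` claim should be checked against `contains(groups[*], 'DevFW')` rather than assumed, and `allow_sign_up: "true"` means every identity Dex accepts gets an account, bounded only by that org filter. `log.console.level: debug` looks like a bring-up setting that should not follow this manifest into a non-dev environment.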
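Review bot: `for: 30s` on the `disk consumption high` rule is effectively immediate for a PVC usage gauge that changes slowly, so the rule pages with `severity: major` on the first scrape above 60%; a longer window such as `for: 5m` filters a transient spike, and a lower-severity tier below the major threshold gives operators time to act before the volume fills, which is presumably what motivated the storage bumps elsewhere in this commit. The `job: "{{ $labels.job }}"` label is redundant because, as in Prometheus, the firing alert already carries the labels of the series that produced it, so `job` is inherited without being re-templated. A short comment above the rule stating the intended response, e.g. `# 60% of a PVC used: expand the claim or prune data before it fills`, would make the threshold choice reviewable.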
diff --git a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
index b0a2bed..dde11aa 100644
--- a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
+++ b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml
@@ -9,7 +9,7 @@ spec:
 storageMetadata:
 annotations:
 everest.io/crypt-key-id: 7032bf53-33aa-4bfa-bca2-052df19f6225
- everest.io/disk-volume-type: SATA
+ everest.io/disk-volume-type: GPSSD
 storage:
 storageClassName: csi-disk
 accessModes:
diff --git a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/values.yaml b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/values.yaml
index 7f462dc..7eefbdb 100644
--- a/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/values.yaml
+++ b/otc/edp.buildth.ing/stacks/observability/victoria-k8s-stack/values.yaml
@@ -289,7 +289,7 @@ vmsingle:
 storageMetadata:
 annotations:
 everest.io/crypt-key-id: 7032bf53-33aa-4bfa-bca2-052df19f6225
- everest.io/disk-volume-type: SATA
+ everest.io/disk-volume-type: GPSSD
 storage:
 storageClassName: csi-disk
 accessModes: