feat: Migrate sys applications to helmfile

Move most of helmfiles into temp to test only velero. File structure: ```bash / ├── helmfile.d/ # Helmfiles, *.yaml.gotmpl ├── charts/ # Our own charts, e.g `Atlantis` ├── values # Values for helmfiles │ ├── <chart> │ │ ├── values.yaml.gotmpl # Values to be templated in `values/` │ │ ├── kustomize # Kustomizations per environment │ │ ├── manifests # Raw manifests │ │ │ ├── <chart>.yaml # Argo App for bootstrap │ │ │ ├── dashboards # Grafana dashboards │ │ │ │ └── <chart>-metrics.yaml │ │ │ └── policies # Cilium and Kyverno policies │ │ │ ├── CiliumNetworkPolicy-allow-api-server.yaml │ │ │ └── KyvernoPolicy-regred-secret.yaml │ │ └── values # Values for each environment │ │ ├── <chart>-staging.yaml.gotmpl # Values for staging environment │ │ ├── <chart>-prod.yaml.gotmpl # Values for prod environment │ │ └── <chart>.yaml.gotmpl # Standard values for all environments │ │ │ ├── values.yaml # Standard values for all cluster │ ├── values-oceanbox.yaml # Values overrides for oceanbox │ ├── values-ekman.yaml # Values overrides for ekman ```
2025-06-04 13:18:18 +02:00
parent a0a0f8586d
commit 1bb720840d
102 changed files with 9862 additions and 106 deletions
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alerting
+  namespace: prometheus
+spec:
+  description: Allow alerting
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: prom-alertmanager
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alertmanager-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-metrics
+  namespace: prometheus
+spec:
+  description: Allow DNS metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "9153"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-etcd-metrics
+  namespace: prometheus
+spec:
+  description: Allow ETCD metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "2379"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-ingress
+  namespace: prometheus
+spec:
+  description: Allow Grafana ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: prometheus
+spec:
+  description: Allow Grafana OIDC login
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: api.github.com
+        - matchName: github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-plugins
+  namespace: prometheus
+spec:
+  description: Allow Grafana Plugins
+  egress:
+    - toFQDNs:
+        - matchName: grafana.com
+        - matchName: storage.googleapis.com
+        - matchName: raw.githubusercontent.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-secure-gravatar
+  namespace: prometheus
+spec:
+  description: Allow Grafana Secure Gravatar
+  egress:
+    - toFQDNs:
+        - matchName: secure.grafana.com
+        - matchName: secure.gravatar.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: prometheus
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-nginx-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-opencost-scrape
+  namespace: prometheus
+spec:
+  description: Allow OpenCost scrape
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: opencost
+            io.kubernetes.pod.namespace: opencost
+    - toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-metrics-server
+  namespace: prometheus
+spec:
+  description: Allow Remote Metrics Server
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metrics-server
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-webhook
+  namespace: prometheus
+spec:
+  description: Allow Remote Web Hook
+  endpointSelector:
+    matchLabels:
+      app: kube-prometheus-stack-operator
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-robusta-ingress
+  namespace: prometheus
+spec:
+  description: Allow Robusta ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prom-prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: robusta
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: prometheus
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,32 @@
+{{- if and (.Values.kyverno.enabled) (.Values.prometheus.enabled) }}
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: prometheus-stack-default-dashboard-folder
+  namespace: prometheus
+spec:
+  admission: true
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          selector:
+            matchLabels:
+              app.kubernetes.io/part-of: kube-prometheus-stack
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            grafana_folder: Prometheus-stack
+      targets:
+      - apiVersion: v1
+        kind: ConfigMap        
+        name: "{{`{{ request.object.metadata.name }}`}}"
+    name: generate-dashboard-folder-annotation
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+{{- end }}
@@ -11,7 +11,7 @@ spec:
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
-    path: helmfiles/cilium
+    path: helmfiles/prometheus
    plugin:
      name: helmfile
      env:
@@ -19,6 +19,9 @@ spec:
          value: {{ .Values.clusterConfig.cluster }}
  project: sys
  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
    syncOptions:
    - ServerSideApply=true
    {{- if .Values.prometheus.autosync }}
@@ -1,32 +1,35 @@
-cilium:
-  enabled: false
+prometheus:
+  enabled: true
  autosync: true
-  spire:
+  # Helm chart version, and app version is different. CRD version MUST be equals to chart's APP version
+  crd_version: 14.0.0
+  certRenewCronEnabled: true
+  snitchUrl: ""
+  oncallUrl: ""
+  pagerdutyRoutingKey: ""
+  fullname: ""
+  # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml#L47
+  defaultRules: {}
+  additionalScrapeConfigs: []
+  additionalDataSources: []
+  enableFeatures: []
+  storage:
+    size: 50Gi
+  grafana:
+    defaultDashboardsEnabled: true
+    persistence: false
+    disable_login_form: true
+    plugins: []
+  coredns:
+    targetPort: ""
+  etcd:
+    targetPort: ""
+  scheduler:
+    targetPort: ""
+  kubelet:
    enabled: false
-  envoy:
+    https: false
+  thanos:
    enabled: false
-  hubble:
-    ui: true
-    enabled: false
-  encryption:
-    enabled: true
-    type: wireguard
-  kubeProxyReplacement: true
-  l2announcement:
-    enabled: false
-  nodePort:
-    enabled: false
-  gatewayAPI:
-    enabled: false
-  ingressController:
-    enabled: false
-    defaultClass: false
-    loadbalancerMode: shared
-  policyAuditMode: false
-  upgradeCompatability: 1.15
-  k8sServiceHost: localhost
-  k8sServicePort: 7445
-  loadbalancerPool:
-    enabled: false
-    cidr: []
-
+    datasource:
+      enabled: false