From 3b8c2868425f0bfb3d6d725aeddcb3e87c9ddf7d Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 23 Jun 2025 10:56:57 +0200
Subject: [PATCH] feat: add plausible helmfile setup
---
helmfile.d/plausible.yaml.gotmpl | 31 ++++++++++++++
values/plausible/cnpg.yaml | 13 ++++++
values/plausible/env-oceanbox.yaml.gotmpl | 3 ++
values/plausible/env.yaml.gotmpl | 4 ++
.../CiliumNetworkPolicy-allow-ext.yaml | 14 +++++++
.../CiliumNetworkPolicy-allow-gravatar.yaml | 15 +++++++
values/plausible/manifests/plausible.yaml | 41 +++++++++++++++++++
values/plausible/values/values.yaml | 26 ++++++++++++
8 files changed, 147 insertions(+)
create mode 100644 helmfile.d/plausible.yaml.gotmpl
create mode 100644 values/plausible/cnpg.yaml
create mode 100644 values/plausible/env-oceanbox.yaml.gotmpl
create mode 100644 values/plausible/env.yaml.gotmpl
create mode 100644 values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml
create mode 100644 values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml
create mode 100644 values/plausible/manifests/plausible.yaml
create mode 100644 values/plausible/values/values.yaml
diff --git a/helmfile.d/plausible.yaml.gotmpl b/helmfile.d/plausible.yaml.gotmpl
new file mode 100644
index 00000000..ac0f9813
--- /dev/null
+++ b/helmfile.d/plausible.yaml.gotmpl
@@ -0,0 +1,31 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: plausible
+ url: https://imio.github.io/helm-charts
+
+commonLabels:
+ tier: system
+
+releases:
+- name: manifests
+ namespace: plausible
+ chart: manifests
+ condition: nginx.enabled
+ missingFileHandler: Info
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/plausible/env.yaml.gotmpl
+ - ../values/plausible/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/plausible/manifests
+ - manifests
diff --git a/values/plausible/cnpg.yaml b/values/plausible/cnpg.yaml
new file mode 100644
index 00000000..ebbe63c2
--- /dev/null
+++ b/values/plausible/cnpg.yaml
@@ -0,0 +1,13 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: plausible-db
+ namespace: plausible
+spec:
+ imageName: ghcr.io/cloudnative-pg/postgresql:16.3
+ primaryUpdateStrategy: unsupervised
+ instances: 1
+ monitoring:
+ enablePodMonitor: true
+ storage:
+ size: 10Gi
diff --git a/values/plausible/env-oceanbox.yaml.gotmpl b/values/plausible/env-oceanbox.yaml.gotmpl
new file mode 100644
index 00000000..5de54224
--- /dev/null
+++ b/values/plausible/env-oceanbox.yaml.gotmpl
@@ -0,0 +1,3 @@
+plausible:
+ enabled: true
+
diff --git a/values/plausible/env.yaml.gotmpl b/values/plausible/env.yaml.gotmpl
new file mode 100644
index 00000000..ce287d8a
--- /dev/null
+++ b/values/plausible/env.yaml.gotmpl
@@ -0,0 +1,4 @@
+plausible:
+ enabled: false
+ autosync: false
+
diff --git a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml
new file mode 100644
index 00000000..806e00dd
--- /dev/null
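Review bot: In `helmfile.d/plausible.yaml.gotmpl` the `manifests` release is gated on `condition: nginx.enabled`, yet the env files added by this same patch define `plausible.enabled` (false by default, true for oceanbox), so that toggle is never consulted and the release follows the nginx flag instead. If this is a copy-paste leftover, change the line to `condition: plausible.enabled`. The `repositories` entry named `plausible` also appears unused here, since the only release uses the local `manifests` chart and the Argo CD Application fetches the chart itself; either drop it or add a comment saying why it is kept.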
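Review bot: The Cluster manifest is placed at `values/plausible/cnpg.yaml`, while the helmify hook in the helmfile is pointed at `../values/plausible/manifests`, so it looks like the `plausible-db` cluster that `databaseURL` depends on (`plausible-db-rw`) is not rendered by this release; confirm it is applied some other way or move the file under `manifests/`. The spec also sets `instances: 1` and has no `backup` section, which leaves the analytics data without a replica or a recovery path. If that is intended for now, record it in the file, e.g. `# single instance, no backups: acceptable until <condition>`.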
+++ b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-ext.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-plausible-secure-external
+ namespace: plausible
+spec:
+ description: Allow Plausible External
+ egress:
+ - toFQDNs:
+ - matchName: data.iana.org
+ - matchName: raw.githubusercontent.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: plausible-analytics
\ No newline at end of file
diff --git a/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml
new file mode 100644
index 00000000..645da60f
--- /dev/null
+++ b/values/plausible/manifests/network/CiliumNetworkPolicy-allow-gravatar.yaml
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-plausible-secure-gravatar
+ namespace: plausible
+spec:
+ description: Allow Plausible Gravatar
+ egress:
+ - toFQDNs:
+ - matchName: secure.gravatar.com
+ - matchName: gravatar.com
+ - matchName: www.gravatar.com
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: plausible-analytics
\ No newline at end of file
diff --git a/values/plausible/manifests/plausible.yaml b/values/plausible/manifests/plausible.yaml
new file mode 100644
index 00000000..af65fd4f
--- /dev/null
+++ b/values/plausible/manifests/plausible.yaml
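Review bot: The `toFQDNs` egress rule in `CiliumNetworkPolicy-allow-ext.yaml` carries no `toPorts`, so the selected pods may reach `data.iana.org` and `raw.githubusercontent.com` on any port and protocol; limiting the rule to 443/TCP, as in the block below, keeps it to the HTTPS fetches it is presumably meant for. The gravatar policy in `CiliumNetworkPolicy-allow-gravatar.yaml` has the same gap. Two things to confirm outside this patch: `toFQDNs` only takes effect when a DNS rule (egress to the cluster DNS with `rules: dns`) applies to the same endpoints, and once an egress policy selects these pods, connections to `plausible-db-rw` and ClickHouse need their own allow rule or they will be dropped. Note also that `raw.githubusercontent.com` serves content from any repository, so that allowance is wider than the single hostname suggests.

```yaml
  - toFQDNs:
    # … unchanged: matchName entries …
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```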
@@ -0,0 +1,41 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: plausible-analytics
+ namespace: argocd
+spec:
+ destination:
+ namespace: plausible
+ server: 'https://kubernetes.default.svc'
+ sources:
+ - repoURL: 'https://imio.github.io/helm-charts'
+ targetRevision: 0.4.0
+ chart: plausible-analytics
+ helm:
+ valueFiles:
+ - $values/values/plausible/values/values.yaml
+ - repoURL: {{ .Values.clusterConfig.manifests }}
+ targetRevision: main
+ ref: values
+ project: aux
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ {{- if .Values.plausible.autosync }}
+ automated:
+ prune: true
+ selfHeal: true
+ {{- end }}
+ ignoreDifferences:
+ - kind: Secret
+ name: plausible-analytics
+ jqPathExpressions:
+ - '.data'
+ - '.metadata.labels'
+ - '.metadata.annotations'
+{{- end }}
diff --git a/values/plausible/values/values.yaml b/values/plausible/values/values.yaml
new file mode 100644
index 00000000..70005d57
--- /dev/null
+++ b/values/plausible/values/values.yaml
@@ -0,0 +1,26 @@
+baseURL: https://plausible.adm.oceanbox.io
+databaseURL: postgres://app:password@plausible-db-rw:5432/app
+clickhouse:
+ resources:
+ requests:
+ cpu: 500m
+ ephemeral-storage: 50Mi
+ memory: 512Mi
+postgresql:
+ enabled: false
+ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ oceanbox.io/expose: internal
+ hosts:
+ - plausible.adm.oceanbox.io
+ paths:
+ - /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: plausible-tls
+ hosts:
+ - plausible.adm.oceanbox.io
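Review bot: In `values/plausible/manifests/plausible.yaml`, `ignoreDifferences` on the `plausible-analytics` Secret only changes how Argo CD reports drift; a sync still applies the rendered Secret over whatever was placed in `.data` unless the sync option is set, so add `- RespectIgnoreDifferences=true` under `syncOptions` if the intent is to preserve secret values supplied out of band. Separately, `repoURL: {{ .Values.clusterConfig.manifests }}` is an unquoted template expansion; writing it as `repoURL: {{ .Values.clusterConfig.manifests | quote }}` prevents an empty or unusual value from changing the YAML structure.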
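Review bot: `databaseURL: postgres://app:password@plausible-db-rw:5432/app` in `values/plausible/values/values.yaml` commits a database credential in plaintext. Since CloudNativePG by default generates the `app` user's password itself, the literal `password` is presumably either a placeholder that will not authenticate or a sign that a weak password is set elsewhere. Take the connection string from the operator-generated Secret for `plausible-db` (or another secret store) instead of this values file; whether the chart accepts an existing Secret is not visible here, so check its values schema. If the line has to stay for now, mark it, e.g. `# placeholder only; the real DSN is supplied via a Secret, never commit credentials here`.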