Compare commits


296 Commits

Author SHA1 Message Date
mrtz 75a5fb5c83 devel: Useful kubectl plugins 2026-01-20 18:17:07 +01:00
mrtz 0eb60de429 chore(ingress-nginx): Bump to latest 2026-01-20 17:16:54 +01:00
mrtz 9d034eea25 chore(ingress-nginx): Bump to latest v4.9 2026-01-20 17:03:03 +01:00
mrtz 6104114404 fix(rabbitmq): Also bump resources for prod 2026-01-20 15:45:13 +01:00
mrtz 1e7126fedb ci: sorcerer 2026-01-20 14:42:27 +00:00
mrtz 0d12907f4c ci: atlantis 2026-01-20 14:42:20 +00:00
mrtz 297e5efd88 fix(rabbitmq): Set proper memory requests 2026-01-20 15:38:30 +01:00
mrtz d09eabd2bd chore(rabbitmq): Bump to latest v13 2026-01-20 15:29:51 +01:00
mrtz 351bb41f80 chore(rabbitmq): Bump to latest v12 2026-01-20 15:15:43 +01:00
mrtz fd773bff9f fix(rabbitmq): Prepare for upgrades 2026-01-20 15:08:19 +01:00
simkir 196d3ed0eb atlantis: Remove limits in staging 2026-01-20 09:04:40 +01:00
mrtz f617f29a50 ci: atlantis 2026-01-19 19:07:24 +00:00
mrtz 0bc45748cf fix(spegel): Typo 2026-01-19 19:27:45 +01:00
mrtz fdbdb138e1 fix(spegel): Double the escape, double the fun 2026-01-19 19:26:55 +01:00
mrtz b2ed367b2a fix(spegel): Whitelist gitlab 2026-01-19 19:25:41 +01:00
stigrj 22cb7bddb6 ci: atlantis 2026-01-19 16:15:47 +00:00
simkir fe1c3db4b2 ci: codex 2026-01-19 15:08:56 +00:00
Radovan Bast 830c44644d ci: makai 2026-01-19 15:03:04 +00:00
simkir 5825a4bbc2 ci: atlantis 2026-01-19 14:50:46 +00:00
simkir a7b3310a10 codex: Remove manual production tag 2026-01-19 15:49:56 +01:00
Radovan Bast ecfa74dddd ci: makai 2026-01-19 14:35:06 +00:00
juselius 8a931d7c03 ci: codex 2026-01-19 13:43:06 +00:00
juselius c7b099cff2 ci: sorcerer 2026-01-19 13:43:00 +00:00
juselius 24276410c1 ci: atlantis 2026-01-19 13:42:53 +00:00
mrtz 5493008cb6 chore(spegel): Bump to 0.6.0 2026-01-18 18:19:45 +01:00
juselius a788539d33 ci: codex 2026-01-16 19:06:46 +00:00
juselius 3e06946d04 Merge branch 'automated/npins-update-20260116' into 'main'
chore: update npins dependencies

See merge request oceanbox/manifests!67
2026-01-16 20:03:00 +01:00
mrtz 29a51653f3 chore: update npins dependencies
Automated update of Nix dependencies via npins.

    Updated packages:
    +      "hash": "sha256-wufp5c0nWh/87f9eK7xy1eZXms5zd4yl6S4SR+LfA08="
2026-01-16 15:00:16 +00:00
mrtz 23b43c9b41 chore(forgejo): Bump to 14.0 2026-01-16 07:03:19 +01:00
mrtz 53ac321316 ci: codex 2026-01-15 17:01:05 +00:00
mrtz c5d42f2266 ci: sorcerer 2026-01-15 17:00:59 +00:00
mrtz a8bbe28137 ci: atlantis 2026-01-15 17:00:50 +00:00
Radovan Bast ed9dd67040 ci: makai 2026-01-15 11:22:39 +00:00
Radovan Bast ef13e1f980 ci: makai 2026-01-15 08:23:47 +00:00
simkir 5d3f57e518 ci: codex 2026-01-15 07:36:32 +00:00
simkir 97ed914338 Enable auto-sync for codex-staging 2026-01-15 08:33:50 +01:00
mrtz aa0ee6ad37 fix: Naming 2026-01-15 00:10:48 +01:00
mrtz 7afc34dbf8 fix(forgejo): HEll 2026-01-15 00:08:08 +01:00
mrtz c77e11f0d2 fix(forgejo): It's getting late us -> eu 2026-01-14 23:58:02 +01:00
mrtz 78892df3fc fix(forgejo): Location matters... 2026-01-14 23:54:52 +01:00
mrtz c3b1cab416 fix(forgejo): Non fully-qualified 2026-01-14 23:52:35 +01:00
mrtz 7227f07b71 fix(forgejo): Remove duplicate storage type 2026-01-14 23:51:54 +01:00
mrtz 683c7f36c3 fix(forgejo): App Path 2026-01-14 23:17:10 +01:00
mrtz 98812a6a3b fix(forgejo): Try us-east 2026-01-14 19:19:34 +01:00
mrtz 8f990cff54 fix(forgejo): Set DB type 2026-01-14 18:49:39 +01:00
mrtz a2678efd78 fix(forgejo): Remove ssl 2026-01-14 18:47:10 +01:00
mrtz cdbacbd34c fix(forgejo): Remove ssl 2026-01-14 18:39:22 +01:00
mrtz 20ca29d5ec fix(forgejo): Hetzner on :443 2026-01-14 18:35:26 +01:00
mrtz 9c42fd665d fix(forgejo): Set storagetype 2026-01-14 18:31:15 +01:00
mrtz 7468b902ce fix(forgejo): Change minio endpoint 2026-01-14 18:29:05 +01:00
simkir 62578486ce ci: sorcerer 2026-01-14 15:55:48 +00:00
simkir 6b17805a42 ci: codex 2026-01-14 15:55:41 +00:00
simkir e35b81b356 ci: atlantis 2026-01-14 15:55:33 +00:00
mrtz 10758b334b chore(forgejo): Bump to 15.1.0 2026-01-14 10:23:46 +01:00
mrtz 8f61e63f29 fix(forgejo): rm location for minio 2026-01-13 16:35:47 +01:00
mrtz 621598dee3 fix(forgejo): Move endpoint to envs 2026-01-13 16:30:46 +01:00
mrtz 0689bd47f2 fix(forgejo): Remove port 2026-01-13 16:23:13 +01:00
mrtz 006efc31c2 fix(forgejo): Use SSL 2026-01-13 16:20:13 +01:00
mrtz 9d45101ed9 fix(forgejo): Valid minio endpoint 2026-01-13 16:15:18 +01:00
mrtz d630bdebef fix(forgejo): Type minioc -> minio 2026-01-13 16:12:06 +01:00
mrtz 8182141bc1 fix(forgejo): Add s3 for packages 2026-01-13 16:08:25 +01:00
Radovan Bast dc67fa2271 ci: makai 2026-01-13 13:16:11 +00:00
simkir 37ea2ad85c ci: atlantis 2026-01-13 12:37:37 +00:00
Radovan Bast 6a5da41480 ci: makai 2026-01-13 12:23:36 +00:00
Radovan Bast cd25aa8a1a ci: makai 2026-01-13 11:56:21 +00:00
Radovan Bast 05a3a69976 ci: makai 2026-01-12 17:03:01 +00:00
simkir 0697a4da10 ci: codex 2026-01-12 16:43:47 +00:00
simkir 8d5443e126 Bump codex 0.0.1-beta.2 -> 0.0.1-beta.3 2026-01-12 17:42:25 +01:00
simkir b32e0643fb ci: codex 2026-01-12 13:48:28 +00:00
mrtz af7f4c8116 ci: codex 2026-01-12 13:44:58 +00:00
mrtz 37bb29b36a ci: atlantis 2026-01-12 13:44:49 +00:00
simkir af04b27c10 Bump codex 0.0.1-beta.1 -> 0.0.1-beta.2 2026-01-12 14:36:23 +01:00
Radovan Bast a42010546f ci: makai 2026-01-12 11:35:36 +00:00
mrtz 7034d20e39 fix(velero): Working version of kubectl 2026-01-12 10:16:32 +01:00
mrtz dbdfcb4f21 fix(velero): Bump plugin and remove legacy kubectl 2026-01-12 10:02:02 +01:00
mrtz 22148fb162 fix(velero): Bump to 11.3.2 2026-01-12 09:58:48 +01:00
mrtz 3086214bac ci: atlantis 2026-01-11 14:27:07 +00:00
mrtz e6c99a8567 chore: Bump nixpkgs 2026-01-11 14:05:38 +01:00
mrtz fa9d45fbb7 fix(forgejo): Remove LB 2026-01-09 15:53:38 +01:00
mrtz 72eb20fb5b fix(forgejo): Change realm 2026-01-09 15:20:17 +01:00
mrtz eb141a7efe fix(forgejo): Add OIDC login 2026-01-09 15:04:38 +01:00
mrtz 773550df56 fix(forgejo): Add back whitelist 2026-01-09 14:34:53 +01:00
mrtz a93173066d fix(forgejo): Remove ssh via LB for now 2026-01-09 14:33:26 +01:00
simkir b39ed6cc54 fix(codex): Set port for fga url 2026-01-09 14:32:23 +01:00
mrtz 685328685b fix(forgejo): Use secrets for DB 2026-01-09 14:28:59 +01:00
simkir 40beab6e4f fix(codex): Remove codex.oceanbox.io from ing hosts 2026-01-09 14:21:39 +01:00
mrtz 46c890c6c3 fix(forgejo): Remove comments in dragonfly 2026-01-09 14:20:53 +01:00
simkir aaa7cf4a6e fix(codex): Rm codex.oceanbox.io from ing tls hosts 2026-01-09 14:19:44 +01:00
simkir 55d385ea6a fix(codex): Set correct openfga url 2026-01-09 14:19:44 +01:00
mrtz 80ebe7c278 fix(forgejo): Limit cpu count dragonfly 2026-01-09 14:19:01 +01:00
mrtz cf5b0273c2 fix(forgejo): Increase dragonfly RAM 2026-01-09 14:13:51 +01:00
mrtz c8ec4161aa fix(forgejo): Move to sys and 2026-01-09 13:55:32 +01:00
simkir 59580b5d29 fix(nginx): Move error page to 503 2026-01-08 14:42:33 +01:00
simkir ddc8c7b253 Add simkir-maps.dev.oceanbox.io to ts dns 2026-01-08 14:32:19 +01:00
simkir 36f0f11ef6 Add codex.adm.oceanbox.io to ts dns 2026-01-08 14:32:02 +01:00
simkir ea1a0a2eb5 Add custom 404.html to nginx default backend 2026-01-08 14:25:22 +01:00
simkir ffb572e762 fix(nginx): Set default backend to custom-error-pages 2026-01-08 14:10:26 +01:00
Radovan Bast f46ca7d2be ci: makai 2026-01-08 11:29:28 +00:00
Radovan Bast 2cd14292d2 ci: makai 2026-01-08 09:48:30 +00:00
mrtz 9470c73e92 fix(forgejo): Correct s3 url 2026-01-08 08:50:33 +01:00
mrtz 922e2fd0ea feat: Add forgejo 2026-01-07 23:22:08 +01:00
Radovan Bast 8c2f6d53c9 ci: makai 2026-01-07 14:22:11 +00:00
simkir 7041b91c45 fix(codex): Add codex.adm.oceanbox.io ing. path 2026-01-07 15:02:20 +01:00
simkir a1c3f766b5 fix(codex): Rename prod ing tls secret to prod 2026-01-07 14:55:50 +01:00
simkir d5e6d86f4b Bump codex 0.0.0-alpha.1 -> 0.0.1-beta.1 2026-01-07 14:33:06 +01:00
simkir 608fae0bf1 ci: codex 2026-01-07 13:29:09 +00:00
simkir d3fd3b7c5b fix(codex): Mount correct cm 2026-01-07 14:20:54 +01:00
simkir 556756d0a0 Rename codex prod appsettings file 2026-01-07 14:18:53 +01:00
simkir d242c23ae3 Rename prod codex cilium network policy 2026-01-07 14:16:14 +01:00
simkir 3255430a3b Add prod codex 2026-01-07 14:10:49 +01:00
Radovan Bast 7594dfe93d ci: makai 2026-01-07 11:28:39 +00:00
mrtz 616a1915f2 fix(atlantis): Staging should use app instead of superuser secret 2026-01-07 11:24:26 +01:00
Radovan Bast de6963de12 ci: makai 2026-01-06 10:34:18 +00:00
juselius 5d8a4056e3 Merge branch 'main' of gitlab.com:oceanbox/manifests 2026-01-06 10:52:31 +01:00
juselius 9c9c87bf2f fix: add intern to headscale acl 2026-01-06 10:52:26 +01:00
Radovan Bast 89a54a995d ci: makai 2026-01-06 09:12:43 +00:00
juselius 707c37b9f1 fix: add faith to headscale acl 2026-01-05 15:45:47 +01:00
Radovan Bast 14ae0e358b ci: makai 2026-01-05 14:44:07 +00:00
simkir ef82ce7bc5 ci: sorcerer 2026-01-05 14:04:34 +00:00
simkir d4d9d9a3b6 ci: atlantis 2026-01-05 14:04:27 +00:00
mrtz f55fd396fc ci: sorcerer 2026-01-05 13:23:48 +00:00
mrtz 91e98e3949 ci: atlantis 2026-01-05 13:23:41 +00:00
mrtz 40eb429c17 Merge branch 'renovate/opentelemetry-collector-0.x' into 'main'
Update Helm release opentelemetry-collector to v0.142.1

See merge request oceanbox/manifests!58
2026-01-05 12:27:26 +01:00
mrtz 432a73a4ba Merge branch 'renovate/kyverno-3.x' into 'main'
Update Helm release kyverno to v3.6.1

See merge request oceanbox/manifests!40
2026-01-05 10:19:45 +01:00
mrtz de4ab27a2d Merge branch 'renovate/argocd-apps-2.x' into 'main'
Update Helm release argocd-apps to v2

See merge request oceanbox/manifests!63
2026-01-05 10:18:15 +01:00
mrtz def3f19dff fix(makai): Correct path for new container reg 2026-01-05 09:05:16 +01:00
Radovan Bast 3336c9782c ci: makai 2026-01-05 07:39:46 +00:00
Radovan Bast b943caef06 ci: makai 2026-01-04 17:56:42 +00:00
mrtz 83a3cece0b Merge branch 'renovate/registry-3.x' into 'main'
Update registry Docker tag to v3

See merge request oceanbox/manifests!66
2026-01-04 11:29:24 +01:00
mrtz 2155c4c654 Merge branch 'renovate/openfga-0.x' into 'main'
Update Helm release openfga to v0.2.50

See merge request oceanbox/manifests!54
2026-01-04 11:02:48 +01:00
mrtz 13e44a495f Merge branch 'renovate/slurm-operator-0.x' into 'main'
Update slurm-operator Docker tag to v0.4.1

See merge request oceanbox/manifests!55
2026-01-04 11:02:03 +01:00
mrtz 923f2b81b9 Merge branch 'renovate/cloudnative-pg-0.x' into 'main'
Update Helm release cloudnative-pg to v0.27.0

See merge request oceanbox/manifests!56
2026-01-04 10:58:21 +01:00
mrtz fad034ca44 Merge branch 'renovate/mariadb-operator-25.x' into 'main'
Update Helm release mariadb-operator to v25.10.3

See merge request oceanbox/manifests!57
2026-01-04 10:54:03 +01:00
Renovate Bot 31d1918b86 Update registry Docker tag to v3 2026-01-04 08:59:02 +00:00
Renovate Bot 34181f92b1 Update Helm release argocd-apps to v2 2026-01-04 08:58:55 +00:00
Renovate Bot 1d8b1bebcd Update Helm release opentelemetry-collector to v0.142.1 2026-01-04 08:58:42 +00:00
Renovate Bot 91fba971e2 Update Helm release mariadb-operator to v25.10.3 2026-01-04 08:58:39 +00:00
Renovate Bot 4bb68c68a8 Update Helm release kyverno to v3.6.1 2026-01-04 08:58:33 +00:00
Renovate Bot 4fe9cfee86 Update Helm release cloudnative-pg to v0.27.0 2026-01-04 08:58:17 +00:00
Renovate Bot c580b22ff5 Update slurm-operator Docker tag to v0.4.1 2026-01-04 08:58:10 +00:00
Renovate Bot 988ba5a4c2 Update Helm release openfga to v0.2.50 2026-01-04 08:58:07 +00:00
mrtz e9e72da86a fix(headscale): Add Ole 2026-01-02 17:02:02 +01:00
juselius a1c1022465 fix: fix ca issuer 2025-12-30 14:37:26 +01:00
mrtz 4de318d814 fix(hel1): Default cluster-ca 2025-12-30 14:14:52 +01:00
mrtz 7402bad7a4 fix(hel1): Add adm to default url 2025-12-30 13:59:48 +01:00
mrtz 113a582649 fix(hel1): Update base url 2025-12-30 13:54:55 +01:00
mrtz 73b8b11088 Merge branch 'automated/npins-update-20251230' into 'main'
chore: update npins dependencies

See merge request oceanbox/manifests!52
2025-12-30 10:40:41 +01:00
mrtz f6854b72c8 chore: update npins dependencies
Automated update of Nix dependencies via npins.

    Updated packages:
    +      "hash": "18hsj84ndffq8dz2nh7mv2xib113lxc83spkg3csgzw0agpmkris"
2025-12-30 09:39:02 +00:00
mrtz bb1078b0f2 fix: Disable old ci 2025-12-30 10:35:19 +01:00
mrtz 983fa68f6a chore: Add ci 2025-12-30 10:34:27 +01:00
mrtz 9876d5bec5 ci(nix): Add CI shell 2025-12-30 10:25:44 +01:00
mrtz b6af70c8ca fix(umami): Disable telemetry 2025-12-29 13:34:11 +01:00
mrtz 957526a6bc fix(rules/bootstrap): Format yaml 2025-12-29 13:23:04 +01:00
mrtz f81a4b2732 treewide: Format with shellcheck, jsonlint and yamllint 2025-12-29 12:41:13 +01:00
mrtz d7e4fb43cb fix(cert-manager): Bump to latest release 2025-12-29 11:10:12 +01:00
mrtz e94ed8155e fix(cert-manager): Switch to oci registry 2025-12-29 11:01:52 +01:00
juselius c8a0a98167 fix: update gatus to adm.hel1.obx 2025-12-28 14:36:33 +01:00
mrtz 9cddd9b404 ci: sorcerer 2025-12-22 12:21:24 +00:00
mrtz 3df44cd4b2 ci: atlantis 2025-12-22 12:21:18 +00:00
Radovan Bast 53ac794bd6 ci: makai 2025-12-22 08:35:04 +00:00
Radovan Bast f1a382c76c ci: makai 2025-12-19 21:01:38 +00:00
Radovan Bast 7a7459db10 ci: makai 2025-12-19 20:49:01 +00:00
Radovan Bast ed3515c752 ci: makai 2025-12-19 15:48:31 +00:00
juselius 19457af158 ci: fornix 2025-12-19 15:20:13 +00:00
Radovan Bast e455612874 ci: makai 2025-12-19 14:44:18 +00:00
Radovan Bast df757cf361 ci: makai 2025-12-19 14:27:49 +00:00
juselius eb8f6e83ca ci: fornix 2025-12-19 10:55:33 +00:00
juselius 1668c8db54 ci: fornix 2025-12-19 10:53:07 +00:00
juselius d739c3d1b1 ci: fornix 2025-12-18 14:42:21 +00:00
juselius 10393587b2 ci: fornix 2025-12-18 09:12:46 +00:00
Radovan Bast 64e5b26352 ci: makai 2025-12-18 09:00:22 +00:00
juselius 49ad715025 fix: argh!!! 2025-12-18 09:51:17 +01:00
juselius ee6f7e1d56 fix: argh... 2025-12-18 09:46:59 +01:00
juselius 468eaeed88 Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-18 09:45:42 +01:00
juselius 257a55fab7 fix: add composer.lock to persistent drupal 2025-12-18 09:43:35 +01:00
juselius 6fb44f6ba4 ci: fornix 2025-12-18 08:40:27 +00:00
juselius b456dbc0ff fix: add BASE_URL env to drupal deployment 2025-12-18 09:16:35 +01:00
Radovan Bast c415754e46 ci: makai 2025-12-18 07:46:03 +00:00
Radovan Bast 2688f381ef ci: makai 2025-12-17 14:49:42 +00:00
juselius 10c6708bd4 ci: fornix 2025-12-17 13:58:32 +00:00
juselius a07e19b22c fix: disable diagrid dashboard 2025-12-17 14:36:16 +01:00
juselius 2e9dc96ded fix: disable /data path kustomization in sorcerer 2025-12-17 14:13:18 +01:00
juselius 0348b1d46f fix: fix diagrid dashboard statestore config 2025-12-17 14:06:55 +01:00
juselius 22383f1d88 fix: update helmfile container 2025-12-17 13:52:51 +01:00
juselius e2641b18b6 Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-17 13:50:20 +01:00
juselius 86240fc085 fix: enable probes on diagrid-dashboard 2025-12-17 13:50:12 +01:00
Radovan Bast 799b6c2858 ci: makai 2025-12-17 11:46:38 +00:00
Radovan Bast daa5b60c43 ci: makai 2025-12-17 09:58:16 +00:00
juselius ca0a228660 feat: enable diagrid dashboard for staging sorcerer 2025-12-17 10:54:42 +01:00
juselius 621945dbf2 Merge remote-tracking branch 'origin/diadash' 2025-12-17 10:46:53 +01:00
Radovan Bast 847c70b547 ci: makai 2025-12-17 08:59:00 +00:00
juselius 40a04b72ae ci: fornix 2025-12-17 08:40:11 +00:00
juselius 457a260d0e ci: fornix 2025-12-17 07:51:12 +00:00
Radovan Bast 49b2992a41 ci: makai 2025-12-16 19:57:00 +00:00
juselius 605581fc40 feat: add diagrid workflow dashboard subchart sorcerer and atlantis 2025-12-16 19:55:59 +01:00
mrtz dab6716033 fix(sorcerer/plume): Update cacheDir for prod/staging 2025-12-16 17:39:36 +01:00
mrtz 23bedaa370 fix(sorcerer): Create staging cacheDir 2025-12-16 17:27:25 +01:00
Radovan Bast e578f06d36 ci: makai 2025-12-16 15:13:57 +00:00
Radovan Bast 2e6559e6ad ci: makai 2025-12-16 11:23:15 +00:00
Radovan Bast 7f21f3632d ci: makai 2025-12-16 08:42:04 +00:00
juselius 03ea94648f ci: fornix 2025-12-16 08:28:57 +00:00
juselius cfe034bad0 fix: fix fornix base and drupal urls 2025-12-16 08:50:19 +01:00
juselius 87edc012d4 fix: add values for fornix drupalUrl and baseUrl 2025-12-16 08:48:42 +01:00
Radovan Bast e64207fc08 ci: makai 2025-12-16 07:14:47 +00:00
juselius 1de43ded88 ci: fornix 2025-12-15 18:16:43 +00:00
juselius e82cfe22bd ci: fornix 2025-12-15 16:19:06 +00:00
Radovan Bast be78113f20 ci: makai 2025-12-15 15:34:01 +00:00
juselius 9c48deef78 ci: fornix 2025-12-15 15:16:12 +00:00
mrtz 590541c0e1 chore(umami): Bump to latest 2025-12-15 15:07:24 +01:00
mrtz fc63ae640c fix(kueue): Move ingress 2025-12-15 14:08:21 +01:00
mrtz 26a5fc683e fix(kueue): Value naming 2025-12-15 14:06:18 +01:00
mrtz 10fa7835ae fix(kueue): Per cluster ingress 2025-12-15 14:03:29 +01:00
mrtz d99bb6547d fix(kueue): Add ws ingress 2025-12-15 13:45:32 +01:00
mrtz 5e5ebad9ad fix(kueue): Reset allowed origins 2025-12-15 13:23:46 +01:00
mrtz 5519d67ccc fix(kueue): Add priority classes and fix ingress 2025-12-15 12:10:17 +01:00
Radovan Bast 98b34deea2 ci: makai 2025-12-15 07:57:47 +00:00
Radovan Bast 123b23d337 ci: makai 2025-12-14 14:39:58 +00:00
juselius e7e37c8adc Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-14 11:41:47 +01:00
juselius 771decaf2b fix: fix diagrid-dashboard service port 2025-12-14 11:41:34 +01:00
Radovan Bast a3609c4072 ci: makai 2025-12-14 10:14:15 +00:00
Radovan Bast f7e4b100e1 ci: makai 2025-12-13 18:02:57 +00:00
Radovan Bast 3ab4a94bb2 ci: makai 2025-12-13 17:52:57 +00:00
mrtz 083cd50d6a fix(kueue): Undo certs 2025-12-13 13:23:59 +01:00
juselius 33395c5051 wip: add rudimentary diagrid dashboard chart. needs work. 2025-12-13 12:31:07 +01:00
mrtz 0b634744da fix(kueue): Lets try again 2025-12-12 16:10:45 +01:00
mrtz 3d423a8111 fix(kueue): Disable internal 2025-12-12 16:09:06 +01:00
mrtz fb71102049 fix(kueue): Check prom 2025-12-12 16:08:14 +01:00
mrtz 07cfd8013d fix(kueue): I'm stupid 2025-12-12 16:05:47 +01:00
mrtz dbb17345b6 fix(kueue): Disable internal certs 2025-12-12 16:02:56 +01:00
mrtz dc5fbb49ca fix(hs): Use dev.x.obx 2025-12-12 15:56:15 +01:00
mrtz 3c9f2e4c4a fix(kueue): Use ca-issuer 2025-12-12 15:55:29 +01:00
mrtz 9f922a494d fix(kueue): Correct yaml 2025-12-12 15:53:35 +01:00
mrtz a4e5901c76 fix(kueue): Correct ingress 2025-12-12 15:49:19 +01:00
mrtz de19337d2c fix(headscale): Add kueue ing 2025-12-12 15:46:33 +01:00
mrtz bb3586b7c5 fix(kueue): Add ingress 2025-12-12 15:45:11 +01:00
mrtz dbf1e73f79 fix(kueue): Enable metrics 2025-12-12 15:39:39 +01:00
mrtz b22d29c4ff minor(kueue): Add localQueue for prod/staging 2025-12-12 15:32:07 +01:00
mrtz abe145e29e fix(kueue): Formatting 2025-12-12 15:26:32 +01:00
mrtz 5f935ebbb9 fix(kueue): Add a default clusterqueue and add support for batch/jobsets 2025-12-12 15:18:29 +01:00
mrtz c25f6f07a6 ci: plume 2025-12-12 14:13:46 +00:00
Radovan Bast 5ca4fd830f ci: makai 2025-12-12 14:05:51 +00:00
mrtz 75aca0ab33 fix(plume): Correct image 2025-12-12 15:02:52 +01:00
mrtz c512b6b402 ci: plume 2025-12-12 14:00:22 +00:00
juselius 95b419ce09 ci: fornix 2025-12-12 13:53:33 +00:00
mrtz 2da99db2a1 ci: plume 2025-12-12 12:57:58 +00:00
mrtz 1b0c49e17f fix(kueue): Use websockets 2025-12-12 11:22:40 +01:00
mrtz 5738b0fd0e fix(kueue): Switch to svc for backend 2025-12-12 11:21:35 +01:00
mrtz 847efcde83 fix(kueue): Correct syntax 2025-12-12 11:11:51 +01:00
mrtz ebcf791fee fix(kueue): Enable dashboard 2025-12-12 11:10:13 +01:00
Radovan Bast 74e5196c90 ci: makai 2025-12-12 09:30:40 +00:00
juselius 323aca63ac ci: fornix 2025-12-12 08:38:38 +00:00
Radovan Bast 6b9479bdcf ci: makai 2025-12-12 07:17:57 +00:00
juselius 4387d147ed fix: move drupal configs to modules rather than sites 2025-12-11 18:08:17 +01:00
juselius c72c35f905 ci: fornix 2025-12-11 16:52:54 +00:00
juselius e54a374387 fix: fix fornix domain (again) 2025-12-11 15:58:14 +01:00
juselius c3939e6359 fix: add Kueue ServerSideApply=true 2025-12-11 15:53:55 +01:00
juselius 04f41d5dc4 fix: fix fornix dev domain 2025-12-11 15:51:55 +01:00
juselius b5aca9a830 Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-11 15:49:13 +01:00
juselius 7b85e30954 fix: fix fornix certificate 2025-12-11 15:49:03 +01:00
juselius 751d371d19 ci: fornix 2025-12-11 14:44:36 +00:00
juselius ea65c4581c feat: add kueue 2025-12-11 15:26:18 +01:00
juselius 1b19734b6e ci: fornix 2025-12-11 12:38:22 +00:00
juselius d69ce7d104 Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-11 13:33:33 +01:00
juselius 8a051c10af fix: move drupal to fornix 2025-12-11 13:33:24 +01:00
Radovan Bast 351116d3a8 ci: makai 2025-12-11 11:59:21 +00:00
Radovan Bast f4f0476177 ci: makai 2025-12-11 11:41:53 +00:00
juselius 9a29c2dd5f fix: move drupal to default argo project 2025-12-11 12:28:05 +01:00
juselius e73e060e6d fix: move drupal to fornix ns 2025-12-11 12:22:26 +01:00
juselius 0467528683 fix: fix fornix image tag 2025-12-10 21:43:13 +01:00
juselius 54485c0554 ci: fornix 2025-12-10 20:26:45 +00:00
juselius 7063f68a28 ci: fornix 2025-12-10 18:53:53 +00:00
juselius a3cb3ba335 ci: fornix 2025-12-10 18:43:55 +00:00
Radovan Bast 5b8cc451c2 ci: makai 2025-12-10 15:29:47 +00:00
juselius 86240afd82 fix: update fornix 2025-12-10 16:06:30 +01:00
juselius ee4417aee2 fix: fix fornix registry 2025-12-10 15:52:20 +01:00
juselius 9269d9c026 fix: fix fornix namespace 2025-12-10 15:45:28 +01:00
juselius 6ea0811d74 Merge branch 'main' of gitlab.com:oceanbox/manifests 2025-12-10 15:42:40 +01:00
juselius 0779d405c6 feat: add fornix 2025-12-10 15:42:31 +01:00
Radovan Bast 6626654df6 ci: makai 2025-12-10 14:26:47 +00:00
Radovan Bast df231941c0 ci: makai 2025-12-10 11:23:11 +00:00
mrtz 7002dcd14d fix(mdb): Disable on hel1 2025-12-10 09:03:19 +01:00
juselius b323c48c18 fix: split and fix drupal manifests 2025-12-10 08:51:01 +01:00
mrtz c344a26f5c Run mariadb-operator on hel1 2025-12-09 13:37:06 +01:00
mrtz 5741568d02 fix: Persist hs 2025-12-09 13:03:28 +01:00
mrtz 480c44a82d ci: codex 2025-12-09 12:02:31 +00:00
Radovan Bast 13a5f16810 ci: makai 2025-12-09 11:28:39 +00:00
Radovan Bast c906bb7136 ci: makai 2025-12-09 07:32:51 +00:00
Radovan Bast e9d6315656 ci: makai 2025-12-09 07:19:18 +00:00
Radovan Bast bb7916b155 ci: makai 2025-12-08 13:52:33 +00:00
Radovan Bast 14554b6dae ci: makai 2025-12-08 13:30:26 +00:00
Radovan Bast a5364d3c16 ci: makai 2025-12-08 11:44:48 +00:00
juselius 3368517f3a ci: sorcerer 2025-12-06 10:37:41 +00:00
juselius 5eee9e90a8 ci: atlantis 2025-12-06 10:37:38 +00:00
Radovan Bast dc52b49da7 ci: makai 2025-12-05 17:21:52 +00:00
Radovan Bast ff5a4e0a2a ci: makai 2025-12-05 17:19:29 +00:00
Radovan Bast e19b240f1f ci: makai 2025-12-05 13:00:06 +00:00
188 changed files with 4925 additions and 2540 deletions
+1
@@ -1,6 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# the shebang is ignored, but nice for editors # the shebang is ignored, but nice for editors
watch_file nix/sources.json watch_file nix/sources.json
watch_file nix/checks.nix
# Load .env file if it exists # Load .env file if it exists
dotenv_if_exists dotenv_if_exists
+1
@@ -1,6 +1,7 @@
*.tgz *.tgz
_*/ _*/
.direnv/ .direnv/
.env
.pre-commit-config.yaml .pre-commit-config.yaml
_*.yaml _*.yaml
backup/ backup/
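Review bot: Ignoring `.env` is the right complement to the `dotenv_if_exists` line in `.envrc`, since that file is where local credentials end up; consider adding `.env.*` as well so per-environment variants such as `.env.local` cannot be committed by accident either.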
+50 -42
@@ -1,46 +1,54 @@
image: # yaml-language-server: $schema=https://gitlab.com/gitlab-org/gitlab/-/raw/master/app/assets/javascripts/editor/schema/ci.json
name: alpine/helm:latest default:
entrypoint: [ "/bin/bash", "-c" ] tags:
- nix
stages: include:
- release - project: oceanbox/gitlab-ci
ref: v4.5
file: template/Base.gitlab-ci.yml
# stages:
# - release
release: # image:
stage: release # name: alpine/helm:latest
rules: # entrypoint: ["/bin/bash", "-c"]
- if: '$CI_COMMIT_BRANCH =~ /^main/'
when: always
- when: never
script:
- |
cd $CI_PROJECT_DIR
for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
if [ ! -z $pack ]; then
chart=$(basename $pack)
curl --request POST \
--user gitlab-ci-token:$CI_JOB_TOKEN \
--form "chart=@${chart}" \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
fi
done
rebuild: # release:
stage: release # stage: release
rules: # rules:
- when: manual # - if: "$CI_COMMIT_BRANCH =~ /^main/"
allow_failure: true # when: always
script: # - when: never
- | # script:
cd $CI_PROJECT_DIR # - |
for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do # cd $CI_PROJECT_DIR
pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/') # for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
if [ ! -z $pack ]; then # pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
chart=$(basename $pack) # if [ ! -z $pack ]; then
curl --request POST \ # chart=$(basename $pack)
--user gitlab-ci-token:$CI_JOB_TOKEN \ # curl --request POST \
--form "chart=@${chart}" \ # --user gitlab-ci-token:$CI_JOB_TOKEN \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts" # --form "chart=@${chart}" \
fi # "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
done # fi
# done
# rebuild:
# stage: release
# rules:
# - when: manual
# allow_failure: true
# script:
# - |
# cd $CI_PROJECT_DIR
# for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
# pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
# if [ ! -z $pack ]; then
# chart=$(basename $pack)
# curl --request POST \
# --user gitlab-ci-token:$CI_JOB_TOKEN \
# --form "chart=@${chart}" \
# "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
# fi
# done
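Review bot: The old `release` and `rebuild` jobs are kept as roughly forty commented-out lines instead of being deleted; git history already preserves them, so drop the commented block and leave only the `include:` and `default:` sections. Separately, `include: project: oceanbox/gitlab-ci` with `ref: v4.5` pins a tag, and tags can be moved; because the included template runs with this project's `CI_JOB_TOKEN`, pin to a commit SHA (or make `v4.5` a protected tag in that project) so a change to the shared template cannot silently change what this pipeline executes.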
+29 -22
@@ -6,39 +6,46 @@ let
values = lib.apps.appValues { values = lib.apps.appValues {
inherit env; inherit env;
base = ../values/atlantis; base = ../values/atlantis;
extraValues = {}; extraValues = { };
}; };
kustomize = r: kustomize =
r:
if r.kind == "Deployment" then if r.kind == "Deployment" then
lib.attrsets.recursiveUpdate r { lib.attrsets.recursiveUpdate r {
spec.template.spec.containers = spec.template.spec.containers = builtins.map (
builtins.map (x: x:
x // { x
// {
livenessProbe.httpGet.path = "/healthz"; livenessProbe.httpGet.path = "/healthz";
readinessProble.httpGet.path = "/healthz"; readinessProble.httpGet.path = "/healthz";
env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ]; env = x.env ++ [
}) r.spec.template.spec.containers; {
name = "INERNAL_PORT";
value = 8000;
}
];
}
) r.spec.template.spec.containers;
} }
else if r.kind == "Service" then else if r.kind == "Service" then
{} { }
else r; else
r;
in in
{ {
options.apps.atlantis = lib.apps.appOptions { options.apps.atlantis = lib.apps.appOptions {
revision = lib.mkOption { revision = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "main"; default = "main";
description = "Revision"; description = "Revision";
}; };
hostname = lib.mkOption { hostname = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = if env == "prod" default = if env == "prod" then "maps.oceanbox.io" else "atlantis.beta.oceanbox.io";
then "maps.oceanbox.io" description = "Revision";
else "atlantis.beta.oceanbox.io"; };
description = "Revision";
};
}; };
config = lib.apps.appConfig cfg "${env}-atlantis" { config = lib.apps.appConfig cfg "${env}-atlantis" {
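Review bot: The reformat carries over two typos the formatter cannot catch: `readinessProble.httpGet.path = "/healthz";` sets a stray `readinessProble` key on the container instead of `readinessProbe`, so the readiness path is never overridden, and `name = "INERNAL_PORT";` looks like it should be `INTERNAL_PORT`. Also `value = 8000;` renders as a YAML integer, while Kubernetes `env[].value` must be a string and the API server rejects a number there; use `value = "8000";`. Minor: the `hostname` option's `description = "Revision";` is copied from the `revision` option above it.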
+23 -25
@@ -6,34 +6,32 @@ let
values = lib.apps.appValues { values = lib.apps.appValues {
inherit env; inherit env;
base = ../values/openfga; base = ../values/openfga;
extraValues = {}; extraValues = { };
}; };
kustomize = r: kustomize =
if r.kind == "Job" then r: if r.kind == "Job" then lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; } else r;
lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
else r;
in in
{ {
options.apps.openfga = lib.apps.appOptions {}; options.apps.openfga = lib.apps.appOptions { };
config = lib.apps.appConfig cfg "${env}-openfga" { config = lib.apps.appConfig cfg "${env}-openfga" {
helm.releases."${env}-openfga" = { helm.releases."${env}-openfga" = {
inherit values; inherit values;
chart = lib.helm.downloadHelmChart { chart = lib.helm.downloadHelmChart {
repo = "https://openfga.github.io/helm-charts"; repo = "https://openfga.github.io/helm-charts";
chart = "openfga"; chart = "openfga";
version = "0.2.12"; version = "0.2.12";
chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU="; chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = {};
resources = {
services.poop.spec = {
};
};
}; };
} transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = { };
resources = {
services.poop.spec = {
};
};
};
}
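Review bot: `services.poop.spec = { };` under `resources` survives the reformat; it reads as a leftover placeholder and, if `resources.services` is rendered into Service manifests, it emits a Service named `poop` with an empty spec into the `${env}-openfga` release. Delete it or give it its real name and spec. Style-wise, collapsing `kustomize` onto one line (`r: if r.kind == "Job" then lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; } else r;`) is harder to scan than the original three-line form; keep the multiline layout if the formatter allows it.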
-3
@@ -1,7 +1,4 @@
{ {
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0", "version": "0.2.0",
"configurations": [ "configurations": [
{ {
+7 -7
@@ -2,16 +2,16 @@
server="root@fs1-0" server="root@fs1-0"
path="/vol/brick0/nfs0/k1/pv-oceanbox-dex" path="/vol/brick0/nfs0/k1/pv-oceanbox-dex"
dest="$server:$path" dest="${server}:${path}"
index=$(basename dist/assets/index-*.js) index=$(basename dist/assets/index-*.js)
ssh $server -- rm $path/static/js/*.js ssh "${server}" -- rm "${path}"/static/js/*.js
scp dist/assets/*.js $dest/static/js/ scp dist/assets/*.js "${dest}"/static/js/
sed -r "s/@index@/$index/" ./dex/templates/login.html > login.html.$$ sed -r "s/@index@/${index}/" ./dex/templates/login.html > login.html.$$
scp ./dex/templates/* $dest/templates/ scp ./dex/templates/* "${dest}"/templates/
scp ./dex/static/*.* $dest/static/ scp ./dex/static/*.* "${dest}"/static/
scp login.html.$$ $dest/templates/login.html scp login.html.$$ "${dest}"/templates/login.html
rm login.html.$$ rm login.html.$$
ssh admin@k1-0.itpartner.intern -- kubectl rollout restart -n oceanbox deployment/dex ssh admin@k1-0.itpartner.intern -- kubectl rollout restart -n oceanbox deployment/dex
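Review bot: Quoting `"${path}"` in `ssh "${server}" -- rm "${path}"/static/js/*.js` only protects the local side; ssh hands the remote shell a single command string that is re-split and re-globbed there, so a `path` containing spaces would still break (fine for the current value, but worth a comment so nobody relies on the quotes). The `login.html.$$` temp file has a predictable name and is left behind in the working directory if any `scp` fails; prefer `tmp=$(mktemp)` with `trap 'rm -f "$tmp"' EXIT`. And `sed -r "s/@index@/${index}/"` would break if `index` ever contained `/` or `&`; it is safe today only because `index` is a `basename`.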
+18 -17
@@ -1,4 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# shellcheck disable=SC2034 # Unused variables left for readability
helmfile () { helmfile () {
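Review bot: A `# shellcheck disable=SC2034` placed before the first command applies to the whole file, so it also hides genuinely unused variables added later; put the directive on the line directly above each assignment that is intentionally unused, or reference those variables explicitly (`: "${var}"`), and drop the file-wide disable.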
@@ -10,30 +11,30 @@ bases:
- ../envs/environments.yaml.gotmpl - ../envs/environments.yaml.gotmpl
commonLabels: commonLabels:
tier: $tier tier: ${tier}
releases: releases:
- name: $name - name: ${name}
namespace: {{ .Environment.Name }}-$name namespace: {{ .Environment.Name }}-${name}
chart: ../charts/$name chart: ../charts/${name}
condition: $name.enabled condition: ${name}.enabled
values: values:
- ../values/$name/values/values.yaml.gotmpl - ../values/${name}/values/values.yaml.gotmpl
- ../values/$name/values/values-{{ .Environment.Name }}.yaml - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer postRenderer: ../bin/kustomizer
postRendererArgs: postRendererArgs:
- ../values/$name/kustomize/{{ .Environment.Name }} - ../values/${name}/kustomize/{{ .Environment.Name }}
missingFileHandler: Info missingFileHandler: Info
- name: manifests - name: manifests
namespace: {{ .Environment.Name }}-$name namespace: {{ .Environment.Name }}-${name}
chart: manifests chart: manifests
condition: $name.enabled condition: ${name}.enabled
missingFileHandler: Info missingFileHandler: Info
values: values:
- ../values/env.yaml - ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/$name/env.yaml.gotmpl - ../values/${name}/env.yaml.gotmpl
- ../values/$name/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks: hooks:
- events: [ prepare, cleanup ] - events: [ prepare, cleanup ]
showlogs: true showlogs: true
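Review bot: Because the heredoc is unquoted, every `${name}` in this block is expanded by bash before helmfile reads the file, and nothing in the visible lines validates `$1`; a name with spaces, quotes or `..` would produce malformed YAML or a `chart: ../charts/${name}` path outside the charts directory. Add a check such as `[[ "${name}" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` before the heredoc.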
@@ -42,7 +43,7 @@ releases:
- '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}' - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
- '{{\`{{ .Release.Chart }}\`}}' - '{{\`{{ .Release.Chart }}\`}}'
- '{{\`{{ .Environment.Name }}\`}}' - '{{\`{{ .Environment.Name }}\`}}'
- ../values/$name/manifests - ../values/${name}/manifests
- manifests - manifests
EOF EOF
} }
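Review bot: the `{{\`...\`}}` wrapping on the hook args deserves a short comment in the script: the unquoted heredoc turns `\`` into a literal backtick, and helmfile then passes the inner `{{ .Event.Name }}` / `{{ .Release.Chart }}` through as a deferred template, so anyone editing this block has to keep both layers of escaping intact. Apart from that the hunk only brace-quotes `${name}`, no behaviour change.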
@@ -59,10 +60,10 @@ done
name=$1 name=$1
tier=$2 tier=$2
if [ -n "$ns" ]; then if [[ -n "${ns}" ]]; then
namespace="namespace: {{ .Environment.Name }}-$name" namespace="namespace: {{ .Environment.Name }}-${name}"
else else
namespace="namespace: $name" namespace="namespace: ${name}"
fi fi
helmfile $1 $2 helmfile "$1" "$2"
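Review bot: `namespace` is computed in both branches of the `[[ -n "${ns}" ]]` test, but nothing in the generated helmfile expands it; the heredoc above writes `namespace: {{ .Environment.Name }}-${name}` unconditionally, so the `namespace: ${name}` branch is dead and the `ns` flag has no effect. Use `$namespace` in the template or remove the branch. Minor: `helmfile "$1" "$2"` can be `helmfile "${name}" "${tier}"` since both were just assigned.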
+13 -14
@@ -4,39 +4,38 @@ set -o pipefail
cmd=$1 cmd=$1
chart=$2 chart=$2
env=$3
manifests=${4:-manifests} manifests=${4:-manifests}
outdir=${5:-_manifests} outdir=${5:-_manifests}
build() { build() {
mkdir -p $outdir/templates mkdir -p "${outdir}"/templates
echo "Creating $outdir/templates" echo "Creating ${outdir}/templates"
echo "generating $outdir/Chart.yaml" 1>&2 echo "generating ${outdir}/Chart.yaml" 1>&2
cat <<EOF > $outdir/Chart.yaml cat <<EOF > "${outdir}"/Chart.yaml
apiVersion: v1 apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
# description: A Helm chart for Kubernetes # description: A Helm chart for Kubernetes
name: $chart name: ${chart}
version: 0.1.0 version: 0.1.0
EOF EOF
if [ -d $manifests ]; then if [[ -d "${manifests}" ]]; then
cp -r $manifests/* $outdir/templates cp -r "${manifests}"/* "${outdir}"/templates
elif [ -f $manifests ]; then elif [[ -f "${manifests}" ]]; then
cp $manifests $outdir/templates cp "${manifests}" "${outdir}"/templates
fi fi
} }
clean() { clean() {
echo "cleaning $outdir" 1>&2 echo "cleaning ${outdir}" 1>&2
rm -rf $outdir rm -rf "${outdir}"
} }
case "$cmd" in case "${cmd}" in
"build" ) build ;; "build" ) build ;;
"clean" ) clean ;; "clean" ) clean ;;
* ) echo "unsupported command: $cmd" 1>&2; exit 1 ;; * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
esac esac
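Review bot: `cp -r "${manifests}"/* "${outdir}"/templates` fails when the manifests directory exists but is empty (the unmatched glob is passed literally and `cp` errors out), which with `set -o pipefail` and a likely `set -e` aborts the build hook; `cp -r "${manifests}"/. "${outdir}"/templates` copies the directory contents without that edge case. Also, `env=$3` is removed but `$3` still occupies the slot before `manifests=${4:-manifests}`, so add a comment documenting the positional arguments (`cmd chart env manifests outdir`) rather than leaving `$3` as an unexplained placeholder.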
+5 -5
@@ -1,13 +1,13 @@
#!/usr/bin/env bash #!/usr/bin/env bash
[ $# != 1 ] && exit 1 [[ $# != 1 ]] && exit 1
dir=$1 dir=$1
base=$dir/../base base=${dir}/../base
if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
cat > $base/_manifest.yaml cat > "${base}"/_manifest.yaml
kubectl kustomize $dir kubectl kustomize "${dir}"
else else
cat cat
fi fi
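Review bot: `[[ $# != 1 ]] && exit 1` exits without a message, so a wrong `postRendererArgs` count in the helmfile shows up only as an opaque post-renderer failure; print a usage line to stderr before exiting, since stderr is what Argo CD surfaces. Replacing `[ -f a -a -f b ]` with `[[ -f a ]] && [[ -f b ]]` is the right fix; `-a` inside `[ ]` is non-portable and ambiguous.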
+13 -13
@@ -3,16 +3,16 @@ kind: ClusterRole
metadata: metadata:
name: argocd-cluster-admin name: argocd-cluster-admin
rules: rules:
- apiGroups: - apiGroups:
- '*' - "*"
resources: resources:
- '*' - "*"
verbs: verbs:
- '*' - "*"
- nonResourceURLs: - nonResourceURLs:
- '*' - "*"
verbs: verbs:
- '*' - "*"
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
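Review bot: the change is quote style only, but the role itself is worth a second look: `argocd-cluster-admin` is wildcard on all `apiGroups`, `resources`, `verbs` and `nonResourceURLs`, i.e. a copy of the built-in `cluster-admin` ClusterRole. Binding the ServiceAccount to the built-in `cluster-admin` role avoids maintaining a duplicate, and if Argo CD does not need to manage every resource type, a narrower role reduces the blast radius of a compromised repo-server or CMP sidecar.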
@@ -23,9 +23,9 @@ roleRef:
kind: ClusterRole kind: ClusterRole
name: argocd-cluster-admin name: argocd-cluster-admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: argocd-cluster-admin name: argocd-cluster-admin
namespace: kube-system namespace: kube-system
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
-2
@@ -6,5 +6,3 @@ metadata:
name: cluster-admin-token name: cluster-admin-token
namespace: kube-system namespace: kube-system
type: kubernetes.io/service-account-token type: kubernetes.io/service-account-token
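Review bot: the two removed lines are not shown in this view; since this Secret is a `kubernetes.io/service-account-token` for `cluster-admin-token` in `kube-system`, a non-expiring credential behind a wildcard ClusterRole, the commit message should state what was removed. Long-lived ServiceAccount token Secrets are the legacy mechanism; if the consumer can use a bound token or a dedicated kubeconfig, prefer that, otherwise put this token on a rotation schedule.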
-2
@@ -10,5 +10,3 @@ metadata:
name: cluster-ekman name: cluster-ekman
namespace: argocd namespace: argocd
type: Opaque type: Opaque
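Review bot: same here, the two removed lines of the `cluster-ekman` Secret in the `argocd` namespace are not visible; if this is an Argo CD cluster credential, say in the commit message which keys were dropped and confirm the cluster entry still carries the fields Argo CD expects (`name`, `server`, `config`).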
+2 -2
@@ -3,5 +3,5 @@
img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
tag=${1:-latest} tag=${1:-latest}
docker build -t $img:$tag . docker build -t "${img}":"${tag}" .
docker push $img:$tag docker push "${img}":"${tag}"
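Review bot: the quoting is correct, but `"${img}:${tag}"` reads more naturally than `"${img}":"${tag}"`. More important, the default tag is `latest`, and the repo-server Deployment pulls `helm-kustomize-cmp:latest` with `imagePullPolicy: Always`, so every repo-server restart silently picks up whatever was pushed last; tag the image with the commit SHA as well and reference that tag (or the digest) from the Deployment.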
+16 -15
@@ -1,14 +1,15 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2154
export HOME=/plugin export HOME=/plugin
env > /tmp/$ARGOCD_APP_NAME.env env > /tmp/"${ARGOCD_APP_NAME}".env
echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
CHART=$PARAM_CHART CHART=${PARAM_CHART}
elif [ -d chart ]; then elif [ -d chart ]; then
CHART=chart CHART=chart
elif [ -f chart ]; then elif [ -f chart ]; then
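Review bot: `env > /tmp/"${ARGOCD_APP_NAME}".env` writes the whole process environment, including any secret handed to the plugin as an environment variable, into `/tmp`, which the sidecar patch further down mounts from a volume shared with other containers; this is a debugging aid that should be removed or gated behind a `DEBUG` parameter before it ships. The `-a` to `&&` rewrite of the `PARAM_CHART` test is correct for `/bin/sh`.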
@@ -18,19 +19,19 @@ else
fi fi
[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml" [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml" [ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
[ -f values.yaml ] && VALUES="$VALUES -f values.yaml" [ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml" [ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
VALUES="$VALUES -f parameters.yaml" VALUES="${VALUES} -f parameters.yaml"
helm dependency update $CHART >/tmp/$ARGOCD_APP_NAME-helm-dependency-build.out helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
mkdir -p base mkdir -p base
echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml [ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
cat /tmp/$ARGOCD_APP_NAME-manifest.yaml cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
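Review bot: quoting `"${PARAM_FLAGS}"` and `"${VALUES}"` on the `helm template` line breaks the script: `VALUES` is assembled as a space-separated list (`-f chart/values.yaml -f values.yaml ...`) and relies on word splitting, so it now reaches helm as a single argument, and an empty `PARAM_FLAGS` becomes an empty positional argument. Since this is `#!/bin/sh` (no arrays), either keep those two expansions unquoted with a `# shellcheck disable=SC2086` and a comment, or rebuild them with `set --` and pass `"$@"`. The echoed debug command line above it is unchanged, so the log would not even show the real invocation.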
+1 -1
@@ -18,7 +18,7 @@ EOF
exit 0 exit 0
fi fi
yq e -o=p $VALUES | jq --slurp --raw-input ' yq e -o=p "${VALUES}" | jq --slurp --raw-input '
[{ [{
name: "helm-parameters", name: "helm-parameters",
title: "Helm Parameters", title: "Helm Parameters",
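Review bot: check that `VALUES` in this script is a single path; if it is built the way generate.sh builds it (`-f a -f b`), `yq e -o=p "${VALUES}"` now receives the whole list as one filename and fails.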
@@ -1,8 +1,9 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2154
export HOME=/plugin export HOME=/plugin
helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \ helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
https://gitlab.com/api/v4/projects/54396343/packages/helm/stable https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
helm repo add bitnami https://charts.bitnami.com/bitnami helm repo add bitnami https://charts.bitnami.com/bitnami
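Review bot: `--password "${OCEANBOX_HELM_ACCESS_TOKEN}"` puts the GitLab token on the `helm` command line, where it is readable from `/proc/<pid>/cmdline` by anything sharing the PID namespace and can end up in shell traces; `helm repo add` accepts `--password-stdin`, so pipe the token in instead: `printf '%s' "${OCEANBOX_HELM_ACCESS_TOKEN}" | helm repo add --username argocd-helm --password-stdin oceanbox <url>`.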
+3 -3
@@ -4,9 +4,9 @@ export HOME=/plugin
helm repo update oceanbox helm repo update oceanbox
if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
helm show values $PARAM_CHART > values-chart.yaml helm show values "${PARAM_CHART}" > values-chart.yaml
elif [ -f chart ]; then elif [ -f chart ]; then
CHART=$(cat chart) CHART=$(cat chart)
helm show values $CHART > values-chart.yaml helm show values "${CHART}" > values-chart.yaml
fi fi
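Review bot: this branch handles `PARAM_CHART` and a `chart` file but not a `chart` directory, whereas generate.sh checks `-d chart` first; if a local chart directory is meant to skip `helm show values`, a comment saying so would stop the next reader from "fixing" the asymmetry. Also, `helm repo update oceanbox` on every init makes manifest generation depend on gitlab.com being reachable; acceptable, but worth noting.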
+24 -25
@@ -9,7 +9,7 @@ spec:
init: init:
# Init always happens immediately before generate, but its output is not treated as manifests. # Init always happens immediately before generate, but its output is not treated as manifests.
# This is a good place to, for example, download chart dependencies. # This is a good place to, for example, download chart dependencies.
command: [ /bin/sh ] command: [/bin/sh]
args: args:
- /plugin/init.sh - /plugin/init.sh
# The generate command runs in the Application source directory each time manifests are generated. Standard output # The generate command runs in the Application source directory each time manifests are generated. Standard output
@@ -17,7 +17,7 @@ spec:
# To write log messages from the command, write them to stderr, it will always be displayed. # To write log messages from the command, write them to stderr, it will always be displayed.
# Error output will be sent to the UI, so avoid printing sensitive information (such as secrets). # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
generate: generate:
command: [ /bin/sh ] command: [/bin/sh]
args: args:
- /plugin/generate.sh - /plugin/generate.sh
@@ -27,15 +27,15 @@ spec:
# Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the
# first (in that order) is evaluated. # first (in that order) is evaluated.
# discover: # discover:
# fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
# directory. If there is a match, this plugin may be used for the Application. # directory. If there is a match, this plugin may be used for the Application.
# fileName: "./subdir/s*.yaml" # fileName: "./subdir/s*.yaml"
# find: # find:
# This does the same thing as fileName, but it supports double-start (nested directory) glob patterns. # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
# glob: "**/Chart.yaml" # glob: "**/Chart.yaml"
# The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_ # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
# produce non-empty output to standard out. # produce non-empty output to standard out.
# command: [sh, -c, find . -name env.yaml] # command: [sh, -c, find . -name env.yaml]
# The parameters config describes what parameters the UI should display for an Application. It is up to the user to # The parameters config describes what parameters the UI should display for an Application. It is up to the user to
# actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_ # actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_
# inform the "Parameters" tab in the App Details page of the UI. # inform the "Parameters" tab in the App Details page of the UI.
@@ -66,22 +66,21 @@ spec:
itemType: string itemType: string
collectionType: string collectionType: string
string: "" string: ""
# All the fields above besides "string" apply to both the array and map type parameter announcements. # All the fields above besides 'string' apply to both the array and map type parameter announcements.
# - name: array-param # - name: array-param
# # This field communicates the parameter's default value to the UI. Setting this field is optional. # # This field communicates the parameter's default value to the UI. Setting this field is optional.
# array: [default, items] # array: [default, items]
# collectionType: array # collectionType: array
# - name: map-param # - name: map-param
# # This field communicates the parameter's default value to the UI. Setting this field is optional. # # This field communicates the parameter's default value to the UI. Setting this field is optional.
# map: # map:
# some: value # some: value
# collectionType: map # collectionType: map
# dynamic: # dynamic:
# The command is run in an Application's source directory. Standard output must be JSON matching the schema of the # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
# static parameter announcements list. # static parameter announcements list.
# command: [ /bin/sh, /plugin/get-values.sh ] # command: [ /bin/sh, /plugin/get-values.sh ]
# If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository
# might have executable files. Set to true only if you trust the CMP plugin authors. # might have executable files. Set to true only if you trust the CMP plugin authors.
preserveFileMode: false preserveFileMode: false
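Review bot: the only change in this hunk is `"string"` to `'string'` inside an upstream comment, which adds diff noise against the Argo CD reference plugin.yaml; keep vendored comments verbatim. `preserveFileMode: false` is the right setting: with it the plugin is never handed executable files from the application repository.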
+1 -1
@@ -1,4 +1,4 @@
FROM ghcr.io/helmfile/helmfile:v1.0.0 FROM ghcr.io/helmfile/helmfile:v1.1.9
RUN mkdir -p /home/argocd/cmp-server/config/ RUN mkdir -p /home/argocd/cmp-server/config/
COPY plugin.yaml /home/argocd/cmp-server/config/ COPY plugin.yaml /home/argocd/cmp-server/config/
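Review bot: the bump from `helmfile:v1.0.0` to `v1.1.9` is a tag-only pin; for a base image that runs inside the repo-server, add the image digest (`FROM ghcr.io/helmfile/helmfile:v1.1.9@sha256:<digest>`, where `<digest>` is a placeholder to fill in) so the build is reproducible and a re-tagged upstream image cannot change what gets deployed.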
+417 -417
@@ -45,432 +45,432 @@ spec:
affinity: affinity:
podAntiAffinity: podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm: - podAffinityTerm:
labelSelector: labelSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: argocd-repo-server app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
weight: 100 weight: 100
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- args: - args:
- /usr/local/bin/argocd-repo-server - /usr/local/bin/argocd-repo-server
- --port=8081 - --port=8081
- --metrics-port=8084 - --metrics-port=8084
env: env:
- name: ARGOCD_REPO_SERVER_NAME - name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT - name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: timeout.reconciliation key: timeout.reconciliation
name: argocd-cm name: argocd-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT - name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.log.format key: reposerver.log.format
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL - name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.log.level key: reposerver.log.level
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.parallelism.limit key: reposerver.parallelism.limit
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.listen.address key: reposerver.listen.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.metrics.listen.address key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS - name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.disable.tls key: reposerver.disable.tls
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_MIN_VERSION - name: ARGOCD_TLS_MIN_VERSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.minversion key: reposerver.tls.minversion
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_MAX_VERSION - name: ARGOCD_TLS_MAX_VERSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.maxversion key: reposerver.tls.maxversion
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_CIPHERS - name: ARGOCD_TLS_CIPHERS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.ciphers key: reposerver.tls.ciphers
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION - name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.repo.cache.expiration key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_SERVER - name: REDIS_SERVER
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.server key: redis.server
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_COMPRESSION - name: REDIS_COMPRESSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.compression key: redis.compression
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDISDB - name: REDISDB
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.db key: redis.db
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: redis-username key: redis-username
name: argocd-redis name: argocd-redis
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: auth key: auth
name: argocd-redis name: argocd-redis
- name: REDIS_SENTINEL_USERNAME - name: REDIS_SENTINEL_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: redis-sentinel-username key: redis-sentinel-username
name: argocd-redis name: argocd-redis
optional: true optional: true
- name: REDIS_SENTINEL_PASSWORD - name: REDIS_SENTINEL_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: redis-sentinel-password key: redis-sentinel-password
name: argocd-redis name: argocd-redis
optional: true optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.default.cache.expiration key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.address key: otlp.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.insecure key: otlp.insecure
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.headers key: otlp.headers
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.plugin.tar.exclusions key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.allow.oob.symlinks key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_MODULES_ENABLED - name: ARGOCD_GIT_MODULES_ENABLED
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.enable.git.submodule key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT - name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.git.request.timeout key: reposerver.git.request.timeout
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.revision.cache.lock.timeout key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.include.hidden.directories key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: HELM_CACHE_HOME - name: HELM_CACHE_HOME
value: /helm-working-dir value: /helm-working-dir
- name: HELM_CONFIG_HOME - name: HELM_CONFIG_HOME
value: /helm-working-dir value: /helm-working-dir
- name: HELM_DATA_HOME - name: HELM_DATA_HOME
value: /helm-working-dir value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.12.3 image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
path: /healthz?full=true path: /healthz?full=true
port: metrics port: metrics
scheme: HTTP scheme: HTTP
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 10 periodSeconds: 10
successThreshold: 1 successThreshold: 1
timeoutSeconds: 1 timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server name: repo-server
protocol: TCP ports:
- containerPort: 8084 - containerPort: 8081
name: metrics name: repo-server
protocol: TCP protocol: TCP
readinessProbe: - containerPort: 8084
failureThreshold: 3 name: metrics
httpGet: protocol: TCP
path: /healthz readinessProbe:
port: metrics failureThreshold: 3
scheme: HTTP httpGet:
initialDelaySeconds: 10 path: /healthz
periodSeconds: 10 port: metrics
successThreshold: 1 scheme: HTTP
timeoutSeconds: 1 initialDelaySeconds: 10
securityContext: periodSeconds: 10
allowPrivilegeEscalation: false successThreshold: 1
capabilities: timeoutSeconds: 1
drop: securityContext:
- ALL allowPrivilegeEscalation: false
readOnlyRootFilesystem: true capabilities:
runAsNonRoot: true drop:
seccompProfile: - ALL
type: RuntimeDefault readOnlyRootFilesystem: true
terminationMessagePath: /dev/termination-log runAsNonRoot: true
terminationMessagePolicy: File seccompProfile:
volumeMounts: type: RuntimeDefault
- mountPath: /app/config/ssh terminationMessagePath: /dev/termination-log
name: ssh-known-hosts terminationMessagePolicy: File
- mountPath: /app/config/tls volumeMounts:
name: tls-certs - mountPath: /app/config/ssh
- mountPath: /app/config/gpg/source name: ssh-known-hosts
name: gpg-keys - mountPath: /app/config/tls
- mountPath: /app/config/gpg/keys name: tls-certs
name: gpg-keyring - mountPath: /app/config/gpg/source
- mountPath: /app/config/reposerver/tls name: gpg-keys
name: argocd-repo-server-tls - mountPath: /app/config/gpg/keys
- mountPath: /helm-working-dir name: gpg-keyring
name: helm-working-dir - mountPath: /app/config/reposerver/tls
- mountPath: /home/argocd/cmp-server/plugins name: argocd-repo-server-tls
name: plugins - mountPath: /helm-working-dir
- mountPath: /tmp name: helm-working-dir
name: tmp - mountPath: /home/argocd/cmp-server/plugins
- command: name: plugins
- /var/run/argocd/argocd-cmp-server - mountPath: /tmp
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest name: tmp
imagePullPolicy: Always - command:
name: kustomize-helm-with-rewrite - /var/run/argocd/argocd-cmp-server
securityContext: image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
runAsNonRoot: true imagePullPolicy: Always
runAsUser: 999 name: kustomize-helm-with-rewrite
terminationMessagePath: /dev/termination-log securityContext:
terminationMessagePolicy: File runAsNonRoot: true
volumeMounts: runAsUser: 999
- mountPath: /var/run/argocd terminationMessagePath: /dev/termination-log
name: var-files terminationMessagePolicy: File
- mountPath: /home/argocd/cmp-server/plugins volumeMounts:
name: plugins - mountPath: /var/run/argocd
- mountPath: /tmp name: var-files
name: cmp-tmp - mountPath: /home/argocd/cmp-server/plugins
- mountPath: /helm-working-dir name: plugins
name: helm-working-dir - mountPath: /tmp
- command: name: cmp-tmp
- /var/run/argocd/argocd-cmp-server - mountPath: /helm-working-dir
image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest name: helm-working-dir
imagePullPolicy: Always - command:
name: helm-kustomize-cmp - /var/run/argocd/argocd-cmp-server
securityContext: image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
runAsNonRoot: true imagePullPolicy: Always
runAsUser: 999 name: helm-kustomize-cmp
terminationMessagePath: /dev/termination-log securityContext:
terminationMessagePolicy: File runAsNonRoot: true
volumeMounts: runAsUser: 999
- mountPath: /var/run/argocd terminationMessagePath: /dev/termination-log
name: var-files terminationMessagePolicy: File
- mountPath: /home/argocd/cmp-server/plugins volumeMounts:
name: plugins - mountPath: /var/run/argocd
- mountPath: /tmp name: var-files
name: cmp-tmp - mountPath: /home/argocd/cmp-server/plugins
- mountPath: /helm-working-dir name: plugins
name: helm-working-dir - mountPath: /tmp
- command: name: cmp-tmp
- /var/run/argocd/argocd-cmp-server - mountPath: /helm-working-dir
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest name: helm-working-dir
imagePullPolicy: Always - command:
name: helmfile-cmp - /var/run/argocd/argocd-cmp-server
securityContext: image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
runAsNonRoot: true imagePullPolicy: Always
runAsUser: 999 name: helmfile-cmp
terminationMessagePath: /dev/termination-log securityContext:
terminationMessagePolicy: File runAsNonRoot: true
volumeMounts: runAsUser: 999
- mountPath: /var/run/argocd terminationMessagePath: /dev/termination-log
name: var-files terminationMessagePolicy: File
- mountPath: /home/argocd/cmp-server/plugins volumeMounts:
name: plugins - mountPath: /var/run/argocd
- mountPath: /tmp name: var-files
name: cmp-tmp - mountPath: /home/argocd/cmp-server/plugins
- mountPath: /helm-working-dir name: plugins
name: helm-working-dir - mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
initContainers: initContainers:
- command: - command:
- /bin/cp - /bin/cp
- -n - -n
- /usr/local/bin/argocd - /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server - /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.12.3 image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: copyutil name: copyutil
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /var/run/argocd - mountPath: /var/run/argocd
name: var-files name: var-files
- command: - command:
- /bin/sh - /bin/sh
- /plugin/init-helm-repos.sh - /plugin/init-helm-repos.sh
env: env:
- name: OCEANBOX_HELM_ACCESS_TOKEN - name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: token key: token
name: oceanbox-helm name: oceanbox-helm
optional: false optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always imagePullPolicy: Always
name: init-helm-repos name: init-helm-repos
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
runAsUser: 999 runAsUser: 999
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /helm-working-dir - mountPath: /helm-working-dir
name: helm-working-dir name: helm-working-dir
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
serviceAccount: argocd-repo-server serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- name: cmp-tmp - name: cmp-tmp
- name: helm-working-dir - name: helm-working-dir
- name: plugins - name: plugins
- name: var-files - name: var-files
- name: tmp - name: tmp
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-ssh-known-hosts-cm name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts name: ssh-known-hosts
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-tls-certs-cm name: argocd-tls-certs-cm
name: tls-certs name: tls-certs
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-gpg-keys-cm name: argocd-gpg-keys-cm
name: gpg-keys name: gpg-keys
- name: gpg-keyring - name: gpg-keyring
- name: argocd-repo-server-tls - name: argocd-repo-server-tls
secret: secret:
defaultMode: 420 defaultMode: 420
items: items:
- key: tls.crt - key: tls.crt
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
optional: true optional: true
secretName: argocd-repo-server-tls secretName: argocd-repo-server-tls
@@ -4,24 +4,24 @@ spec:
template: template:
spec: spec:
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
containers: containers:
- command: - command:
- /var/run/argocd/argocd-cmp-server - /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always imagePullPolicy: Always
name: helmfile-cmp name: helmfile-cmp
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsUser: 999 runAsUser: 999
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /var/run/argocd - mountPath: /var/run/argocd
name: var-files name: var-files
- mountPath: /home/argocd/cmp-server/plugins - mountPath: /home/argocd/cmp-server/plugins
name: plugins name: plugins
- mountPath: /tmp - mountPath: /tmp
name: tmp name: tmp
- mountPath: /helm-working-dir - mountPath: /helm-working-dir
name: helm-working-dir name: helm-working-dir
+2 -2
@@ -3,5 +3,5 @@
img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
tag=${1:-latest} tag=${1:-latest}
docker build -t $img:$tag . docker build -t "${img}":"${tag}" .
docker push $img:$tag docker push "${img}":"${tag}"
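Review bot: the quoting fix is right, but `tag=${1:-latest}` still defaults to building and pushing a mutable `latest` tag, which the CMP Deployment then pulls with `imagePullPolicy: Always`; a re-push silently changes what runs in the repo-server. Consider defaulting to an immutable tag, e.g. `tag=${1:-$(git rev-parse --short HEAD)}`, and pinning that tag (or the digest) in the manifest.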
+4 -3
@@ -1,4 +1,5 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2154
# NOTE: Ensure errors are part of exitcode # NOTE: Ensure errors are part of exitcode
# set -o pipefail # set -o pipefail
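Review bot: a file-wide `# shellcheck disable=SC2154` silences every "referenced but not assigned" warning, including for `ARGS` and the `ARGOCD_ENV_*` variables used below, so a typo in a variable name would no longer be caught; scope the directive to the individual lines that legitimately read externally supplied variables. The NOTE about errors being part of the exit code is also still contradicted by the commented-out `# set -o pipefail`: if that intent holds, enable `set -e` (and `pipefail` where a pipeline is used).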
@@ -10,7 +11,7 @@ export HELM_CONFIG_HOME=/tmp/helm/config
export HELMFILE_CACHE_HOME=/tmp/helmfile/cache export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
export HELMFILE_TEMPDIR=/tmp/helmfile/tmp export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds
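Review bot: `test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT` tests the literal string, not the variable, so it is always true and the export runs even when the variable is unset, which may export an empty `HELMFILE_ENVIRONMENT` / `HELMFILE_FILE_PATH` and override helmfile's defaults; it should read `test -n "${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"` (and likewise for `FILE_PATH`). Quoting `"${ARGS}"` on the last line also changes behaviour: an unset `ARGS` now passes an empty argument to helmfile, and several flags in `ARGS` become a single argument. Since this is `#!/bin/sh` (no arrays), either keep it unquoted on purpose with a line-scoped `# shellcheck disable=SC2086`, or use `${ARGS:+$ARGS}` so an empty value contributes no argument.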
+1 -1
@@ -4,7 +4,7 @@ metadata:
name: helmfile-cmp name: helmfile-cmp
spec: spec:
generate: generate:
command: [ "/bin/sh" ] command: ["/bin/sh"]
args: args:
- /plugin/generate.sh - /plugin/generate.sh
lockRepo: false lockRepo: false
@@ -44,341 +44,341 @@ spec:
affinity: affinity:
podAntiAffinity: podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm: - podAffinityTerm:
labelSelector: labelSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: argocd-repo-server app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
weight: 100 weight: 100
containers: containers:
- args: - args:
- /usr/local/bin/argocd-repo-server - /usr/local/bin/argocd-repo-server
- --port=8081 - --port=8081
- --metrics-port=8084 - --metrics-port=8084
env: env:
- name: ARGOCD_REPO_SERVER_NAME - name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT - name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: timeout.reconciliation key: timeout.reconciliation
name: argocd-cm name: argocd-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT - name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.log.format key: reposerver.log.format
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL - name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.log.level key: reposerver.log.level
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.parallelism.limit key: reposerver.parallelism.limit
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.listen.address key: reposerver.listen.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.metrics.listen.address key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS - name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.disable.tls key: reposerver.disable.tls
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_MIN_VERSION - name: ARGOCD_TLS_MIN_VERSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.minversion key: reposerver.tls.minversion
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_MAX_VERSION - name: ARGOCD_TLS_MAX_VERSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.maxversion key: reposerver.tls.maxversion
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_TLS_CIPHERS - name: ARGOCD_TLS_CIPHERS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.tls.ciphers key: reposerver.tls.ciphers
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION - name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.repo.cache.expiration key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_SERVER - name: REDIS_SERVER
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.server key: redis.server
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_COMPRESSION - name: REDIS_COMPRESSION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.compression key: redis.compression
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDISDB - name: REDISDB
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: redis.db key: redis.db
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: REDIS_USERNAME - name: REDIS_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: redis-username key: redis-username
name: argocd-redis name: argocd-redis
optional: true optional: true
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: redis-password key: redis-password
name: argocd-redis name: argocd-redis
optional: true optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.default.cache.expiration key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.address key: otlp.address
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.insecure key: otlp.insecure
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: otlp.headers key: otlp.headers
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.plugin.tar.exclusions key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.allow.oob.symlinks key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_MODULES_ENABLED - name: ARGOCD_GIT_MODULES_ENABLED
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.enable.git.submodule key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT - name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
key: reposerver.git.request.timeout key: reposerver.git.request.timeout
name: argocd-cmd-params-cm name: argocd-cmd-params-cm
optional: true optional: true
- name: HELM_CACHE_HOME - name: HELM_CACHE_HOME
value: /helm-working-dir value: /helm-working-dir
- name: HELM_CONFIG_HOME - name: HELM_CONFIG_HOME
value: /helm-working-dir value: /helm-working-dir
- name: HELM_DATA_HOME - name: HELM_DATA_HOME
value: /helm-working-dir value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.10.4 image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
path: /healthz?full=true path: /healthz?full=true
port: metrics port: metrics
scheme: HTTP scheme: HTTP
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 10 periodSeconds: 10
successThreshold: 1 successThreshold: 1
timeoutSeconds: 1 timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server name: repo-server
protocol: TCP ports:
- containerPort: 8084 - containerPort: 8081
name: metrics name: repo-server
protocol: TCP protocol: TCP
readinessProbe: - containerPort: 8084
failureThreshold: 3 name: metrics
httpGet: protocol: TCP
path: /healthz readinessProbe:
port: metrics failureThreshold: 3
scheme: HTTP httpGet:
initialDelaySeconds: 10 path: /healthz
periodSeconds: 10 port: metrics
successThreshold: 1 scheme: HTTP
timeoutSeconds: 1 initialDelaySeconds: 10
resources: {} periodSeconds: 10
securityContext: successThreshold: 1
allowPrivilegeEscalation: false timeoutSeconds: 1
capabilities: resources: {}
drop: securityContext:
- ALL allowPrivilegeEscalation: false
readOnlyRootFilesystem: true capabilities:
runAsNonRoot: true drop:
seccompProfile: - ALL
type: RuntimeDefault readOnlyRootFilesystem: true
terminationMessagePath: /dev/termination-log runAsNonRoot: true
terminationMessagePolicy: File seccompProfile:
volumeMounts: type: RuntimeDefault
- mountPath: /app/config/ssh terminationMessagePath: /dev/termination-log
name: ssh-known-hosts terminationMessagePolicy: File
- mountPath: /app/config/tls volumeMounts:
name: tls-certs - mountPath: /app/config/ssh
- mountPath: /app/config/gpg/source name: ssh-known-hosts
name: gpg-keys - mountPath: /app/config/tls
- mountPath: /app/config/gpg/keys name: tls-certs
name: gpg-keyring - mountPath: /app/config/gpg/source
- mountPath: /app/config/reposerver/tls name: gpg-keys
name: argocd-repo-server-tls - mountPath: /app/config/gpg/keys
- mountPath: /helm-working-dir name: gpg-keyring
name: helm-working-dir - mountPath: /app/config/reposerver/tls
- mountPath: /home/argocd/cmp-server/plugins name: argocd-repo-server-tls
name: plugins - mountPath: /helm-working-dir
- mountPath: /tmp name: helm-working-dir
name: tmp - mountPath: /home/argocd/cmp-server/plugins
- command: name: plugins
- /var/run/argocd/argocd-cmp-server - mountPath: /tmp
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest name: tmp
imagePullPolicy: Always - command:
name: kustomize-helm-with-rewrite - /var/run/argocd/argocd-cmp-server
resources: {} image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
securityContext: imagePullPolicy: Always
runAsNonRoot: true name: kustomize-helm-with-rewrite
runAsUser: 999 resources: {}
terminationMessagePath: /dev/termination-log securityContext:
terminationMessagePolicy: File runAsNonRoot: true
volumeMounts: runAsUser: 999
- mountPath: /var/run/argocd terminationMessagePath: /dev/termination-log
name: var-files terminationMessagePolicy: File
- mountPath: /home/argocd/cmp-server/plugins volumeMounts:
name: plugins - mountPath: /var/run/argocd
- mountPath: /tmp name: var-files
name: cmp-tmp - mountPath: /home/argocd/cmp-server/plugins
- mountPath: /helm-working-dir name: plugins
name: helm-working-dir - mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
initContainers: initContainers:
- command: - command:
- /bin/cp - /bin/cp
- -n - -n
- /usr/local/bin/argocd - /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server - /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.10.4 image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: copyutil name: copyutil
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
volumeMounts: volumeMounts:
- mountPath: /var/run/argocd - mountPath: /var/run/argocd
name: var-files name: var-files
- command: - command:
- /bin/sh - /bin/sh
- /plugin/init-helm-repos.sh - /plugin/init-helm-repos.sh
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always imagePullPolicy: Always
name: init-helm-repos name: init-helm-repos
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 999 runAsUser: 999
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File terminationMessagePolicy: File
env: env:
- name: OCEANBOX_HELM_ACCESS_TOKEN - name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: token key: token
name: oceanbox-helm name: oceanbox-helm
optional: false optional: false
volumeMounts: volumeMounts:
- mountPath: /helm-working-dir - mountPath: /helm-working-dir
name: helm-working-dir name: helm-working-dir
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext: {}
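Review bot: the `kustomize-helm-with-rewrite` sidecar keeps only `runAsNonRoot`/`runAsUser` while `repo-server`, `copyutil` and `init-helm-repos` drop all capabilities and set `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `seccompProfile: RuntimeDefault`; the sidecar is the one executing plugin code against repository contents, so it should get the same hardened context (its writable paths `/tmp`, `/helm-working-dir`, `/var/run/argocd` and the plugins dir are already separate mounts). Every container also has `resources: {}`, so a large chart render or a misbehaving plugin has no CPU or memory bound; set requests and at least a memory limit. `reposerver.allow.oob.symlinks` is wired in from `argocd-cmd-params-cm`; keep it unset (false) so repository content cannot reference files outside its checkout via symlinks.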
@@ -386,40 +386,39 @@ spec:
serviceAccountName: argocd-repo-server serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: cmp-tmp name: cmp-tmp
- emptyDir: {} - emptyDir: {}
name: helm-working-dir name: helm-working-dir
- emptyDir: {} - emptyDir: {}
name: plugins name: plugins
- emptyDir: {} - emptyDir: {}
name: var-files name: var-files
- emptyDir: {} - emptyDir: {}
name: tmp name: tmp
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-ssh-known-hosts-cm name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts name: ssh-known-hosts
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-tls-certs-cm name: argocd-tls-certs-cm
name: tls-certs name: tls-certs
- configMap: - configMap:
defaultMode: 420 defaultMode: 420
name: argocd-gpg-keys-cm name: argocd-gpg-keys-cm
name: gpg-keys name: gpg-keys
- emptyDir: {} - emptyDir: {}
name: gpg-keyring name: gpg-keyring
- name: argocd-repo-server-tls - name: argocd-repo-server-tls
secret: secret:
defaultMode: 420 defaultMode: 420
items: items:
- key: tls.crt - key: tls.crt
path: tls.crt path: tls.crt
- key: tls.key - key: tls.key
path: tls.key path: tls.key
- key: ca.crt - key: ca.crt
path: ca.crt path: ca.crt
optional: true optional: true
secretName: argocd-repo-server-tls secretName: argocd-repo-server-tls
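Review bot: `helm-working-dir` is an emptyDir shared by `init-helm-repos` (which receives `OCEANBOX_HELM_ACCESS_TOKEN` and mounts the same directory, presumably to register the Helm repository), the repo-server (`HELM_CONFIG_HOME=/helm-working-dir`) and the `kustomize-helm-with-rewrite` sidecar, so any credentials the init container persists there are readable by every container that mounts it; if only the repo-server needs them, mount the directory into the sidecar read-only or give the sidecar its own working directory. None of the emptyDirs carry a `sizeLimit`, so chart downloads and rendered output are bounded only by the node's ephemeral storage; add `sizeLimit` (e.g. `emptyDir: {sizeLimit: 1Gi}`) with matching `ephemeral-storage` requests.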
+1 -1
@@ -13,7 +13,7 @@ kubectl --context ekman apply -f cluster-admin-token.yaml
# kubectl --context oceanbox apply -f _cluster-ekman.yaml # kubectl --context oceanbox apply -f _cluster-ekman.yaml
token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d) token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
echo "configure argocd ekman-cluster..." echo "configure argocd ekman-cluster..."
cat _cluster-ekman.yaml cat _cluster-ekman.yaml
kubectl --context oceanbox apply -f _cluster-ekman.yaml kubectl --context oceanbox apply -f _cluster-ekman.yaml
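Review bot: `cat _cluster-ekman.yaml` prints the rendered file, including the cluster-admin bearer token substituted for `@token@`, to the terminal or CI log; drop the `cat` (or print it with the token masked) and make sure `_cluster-ekman.yaml` is gitignored. Extracting the token with `grep ' token:' | cut -d' ' -f4` is brittle; `kubectl --context ekman get secret -n kube-system argocd-manager-token -o jsonpath='{.data.token}' | base64 -d` is exact. The `sed` substitution will also break if the token ever contains `/` or `&`, which the quoting change does not address.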
-1
@@ -13,4 +13,3 @@ stringData:
name: staging-vcluster name: staging-vcluster
server: https://staging-vcluster.staging-vcluster server: https://staging-vcluster.staging-vcluster
type: Opaque type: Opaque
+11 -11
@@ -19,12 +19,12 @@ applications:
plugin: plugin:
name: helmfile-cmp name: helmfile-cmp
env: env:
- name: CLUSTER_NAME - name: CLUSTER_NAME
value: replaceme value: replaceme
- name: HELMFILE_ENVIRONMENT - name: HELMFILE_ENVIRONMENT
value: default value: default
- name: HELMFILE_FILE_PATH - name: HELMFILE_FILE_PATH
value: system.yaml.gotmpl value: system.yaml.gotmpl
projects: projects:
sys: sys:
namespace: argocd namespace: argocd
@@ -32,12 +32,12 @@ projects:
additionalAnnotations: {} additionalAnnotations: {}
description: sys components project description: sys components project
sourceRepos: sourceRepos:
- '*' - "*"
destinations: destinations:
- namespace: '*' - namespace: "*"
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
clusterResourceWhitelist: clusterResourceWhitelist:
- group: '*' - group: "*"
kind: '*' kind: "*"
orphanedResources: orphanedResources:
warn: false warn: false
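Review bot: beyond the quote style change, the `sys` project grants `sourceRepos: "*"`, a destination namespace of `"*"` and a cluster-resource whitelist of `group: "*"` / `kind: "*"`, i.e. any repository may deploy any cluster-scoped resource into any namespace of the in-cluster server. If this project only carries system components, restrict `sourceRepos` to the manifests repository and list the cluster-scoped kinds actually needed (CRDs, ClusterRoles, Namespaces) instead of the wildcard.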
+5
@@ -8,3 +8,8 @@ version: v1.35.2
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. # incremented each time you make changes to the application.
appVersion: v1.35.2 appVersion: v1.35.2
dependencies:
- name: diagrid-dashboard
version: "0.1.0"
repository: "file://../diagrid-dashboard"
condition: diagrid-dashboard.enabled
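Review bot: the new `file://../diagrid-dashboard` dependency should be accompanied by an updated `Chart.lock` (run `helm dependency update` in the parent chart) so renders are reproducible. The `condition: diagrid-dashboard.enabled` key matches the `enabled: false` default added to values.yaml in this change, so nothing from the subchart is deployed until it is switched on.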
+3
@@ -116,3 +116,6 @@ serviceMonitor:
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
diagrid-dashboard:
enabled: false
+23
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
+24
@@ -0,0 +1,24 @@
apiVersion: v2
name: diagrid-dashboard
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
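Review bot: the chart metadata is still the `helm create` scaffold: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` carry no information, and `appVersion` is used as the default image tag in the new deployment.yaml (`.Values.image.tag | default .Chart.AppVersion`), so a release without an explicit `image.tag` will try to pull `<repository>:1.16.0`. Set `appVersion` to the actual dashboard version and give the chart a real description.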
@@ -0,0 +1,35 @@
1. Get the application URL by running these commands:
{{- if .Values.httpRoute.enabled }}
{{- if .Values.httpRoute.hostnames }}
export APP_HOSTNAME={{ .Values.httpRoute.hostnames | first }}
{{- else }}
export APP_HOSTNAME=$(kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o jsonpath="{.spec.listeners[0].hostname}")
{{- end }}
{{- if and .Values.httpRoute.rules (first .Values.httpRoute.rules).matches (first (first .Values.httpRoute.rules).matches).path.value }}
echo "Visit http://$APP_HOSTNAME{{ (first (first .Values.httpRoute.rules).matches).path.value }} to use your application"
NOTE: Your HTTPRoute depends on the listener configuration of your gateway and your HTTPRoute rules.
The rules can be set for path, method, header and query parameters.
You can check the gateway configuration with 'kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o yaml'
{{- end }}
{{- else if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "diagrid-dashboard.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "diagrid-dashboard.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "diagrid-dashboard.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "diagrid-dashboard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "diagrid-dashboard.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "diagrid-dashboard.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "diagrid-dashboard.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "diagrid-dashboard.labels" -}}
helm.sh/chart: {{ include "diagrid-dashboard.chart" . }}
{{ include "diagrid-dashboard.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "diagrid-dashboard.selectorLabels" -}}
app.kubernetes.io/name: {{ include "diagrid-dashboard.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "diagrid-dashboard.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "diagrid-dashboard.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
@@ -0,0 +1,87 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "diagrid-dashboard.fullname" . }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "diagrid-dashboard.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "diagrid-dashboard.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: COMPONENT_FILE
value: /app/components/statestore.yaml
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- with .Values.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: statestore
mountPath: /app/components/statestore.yaml
subPath: statestore.yaml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: statestore
configMap:
name: {{ include "diagrid-dashboard.fullname" . }}-statestore
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
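Review bot: `statestore.yaml` is mounted with `subPath`, so later changes to the `-statestore` ConfigMap are not propagated into the running pod (Kubernetes only refreshes whole-volume ConfigMap mounts); either mount the ConfigMap as a directory at `/app/components` and point `COMPONENT_FILE` at the file inside it, or add a checksum annotation under `podAnnotations` (assuming the ConfigMap template is named configmap.yaml: `checksum/statestore: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`) to force a rollout on change. If the state store component carries connection credentials, it belongs in a Secret rather than a ConfigMap. `securityContext` is emitted only when `.Values.securityContext` is set, so check that values.yaml supplies a non-root, no-capabilities default rather than leaving it empty.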
@@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "diagrid-dashboard.fullname" . }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "diagrid-dashboard.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
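Review bot: both metrics use `type: Utilization`, which the HPA can only evaluate when every container declares a request for that resource; values.yaml ships `resources: {}`, so enabling `autoscaling.enabled` as-is yields `FailedGetResourceMetric` ("missing request for cpu") and no scaling at all. Either set default requests in values.yaml or document that `resources.requests` is mandatory with autoscaling. Also, when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, `metrics:` is emitted with no items and renders as null; guard the key with `{{- if or .Values.autoscaling.targetCPUUtilizationPercentage .Values.autoscaling.targetMemoryUtilizationPercentage }}`.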
@@ -0,0 +1,38 @@
{{- if .Values.httpRoute.enabled -}}
{{- $fullName := include "diagrid-dashboard.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
{{- with .Values.httpRoute.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
parentRefs:
{{- with .Values.httpRoute.parentRefs }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.httpRoute.rules }}
{{- with .matches }}
- matches:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .filters }}
filters:
{{- toYaml . | nindent 8 }}
{{- end }}
backendRefs:
- name: {{ $fullName }}
port: {{ $svcPort }}
weight: 1
{{- end }}
{{- end }}
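Review bot: `parentRefs:` is written unconditionally while its body sits inside `{{- with .Values.httpRoute.parentRefs }}`, so an empty `parentRefs` list renders `parentRefs: null` and the HTTPRoute fails admission (the field is required). Move the key inside the `with`, or use `required "httpRoute.parentRefs must be set" .Values.httpRoute.parentRefs`. The same pattern in `rules` means a rule without `matches` emits `filters:`/`backendRefs:` without the leading `- `, which is a YAML error rather than a catch-all rule.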
@@ -0,0 +1,43 @@
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "diagrid-dashboard.fullname" . }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.ingress.className }}
ingressClassName: {{ . }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- with .pathType }}
pathType: {{ . }}
{{- end }}
backend:
service:
name: {{ include "diagrid-dashboard.fullname" $ }}
port:
number: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
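Review bot: `pathType` is a required field in `networking.k8s.io/v1` Ingress, but the template only emits it inside `{{- with .pathType }}`, so a host entry that omits it in values renders an object the API server rejects. Emit `pathType: {{ .pathType | default "ImplementationSpecific" }}` (matching the chart default) instead of making it optional. `path` is also emitted unquoted while `host` is quoted; quote both.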
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "diagrid-dashboard.fullname" . }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "diagrid-dashboard.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "diagrid-dashboard.serviceAccountName" . }}
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
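Review bot: `automountServiceAccountToken` is driven by `serviceAccount.automount`, which values.yaml sets to `true`, yet nothing in this change grants the service account any RBAC and the Deployment never overrides the field, so every dashboard pod receives a projected API token it has no use for. Default `automount` to `false` for this chart, and set `automountServiceAccountToken: false` in the pod spec as well, since the pod-level field takes precedence over the ServiceAccount's.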
@@ -0,0 +1,26 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "diagrid-dashboard.fullname" . }}-statestore
data:
statestore.yaml: |
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: statestore
scopes:
- {{ .Values.statestore.scope }}
spec:
metadata:
- name: redisHost
value: {{ .Values.statestore.redis }}:6379
- name: redisUsername
value: default
- name: redisPassword
value: secret
- name: actorStateStore
value: "true"
- name: redisDB
value: "1"
type: state.redis
version: v1
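Review bot: the Dapr component embeds live credentials (`redisUsername: default`, `redisPassword: secret`) in a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and ends up in the Helm release record and in Git history. Dapr component metadata supports `secretKeyRef`, so replace the literal with `- name: redisPassword` / `secretKeyRef: {name: <redis-secret>, key: redis-password}` and take the Secret name from values (`<redis-secret>` is a placeholder). `redisHost` should be quoted like `redisDB` and `actorStateStore` are, and this is the only object in the chart without the common `labels` block.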
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "diagrid-dashboard.fullname" . }}-test-connection"
labels:
{{- include "diagrid-dashboard.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "diagrid-dashboard.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
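Review bot: `image: busybox` has no tag or digest, so the test pod pulls whatever `busybox:latest` is on Docker Hub at run time; pin a specific tag or digest so `helm test` is reproducible and an image admission policy can allow it. The pod also carries none of the chart's `securityContext` settings and runs as root, which a namespace under the restricted Pod Security Admission profile would reject.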
+160
@@ -0,0 +1,160 @@
# Default values for diagrid-dashboard.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
statestore:
scope: my-scope
redis: my-redis
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: ghcr.io/diagridio/diagrid-dashboard
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "latest"
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
# This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ClusterIP
# This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
port: 8080
# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: ca-issuer
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/ssl-redirect: "true"
oceanbox.io/expose: internal
hosts:
- host: diadash.dev.vtn.obx
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: diadash-tls
hosts:
- diadash.dev.vtn.obx
# -- Expose the service via gateway-api HTTPRoute
# Requires Gateway API resources and suitable controller installed within the cluster
# (see: https://gateway-api.sigs.k8s.io/guides/)
httpRoute:
# HTTPRoute enabled.
enabled: false
# HTTPRoute annotations.
annotations: {}
# Which Gateways this Route is attached to.
parentRefs:
- name: gateway
sectionName: http
# namespace: default
# Hostnames matching HTTP header.
hostnames:
- chart-example.local
# List of rules and filters applied.
rules:
- matches:
- path:
type: PathPrefix
value: /headers
# filters:
# - type: RequestHeaderModifier
# requestHeaderModifier:
# set:
# - name: My-Overwrite-Header
# value: this-is-the-only-value
# remove:
# - User-Agent
# - matches:
# - path:
# type: PathPrefix
# value: /echo
# headers:
# - name: version
# value: v2
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: {}
# Additional volumeMounts on the output Deployment definition.
volumeMounts: {}
nodeSelector: {}
tolerations: []
affinity: {}
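Review bot: `tag: "latest"` together with `pullPolicy: IfNotPresent` makes deployments non-reproducible: each node keeps the first `latest` it pulled, so replicas can run different builds, and a chart upgrade does not roll the pods because the image string never changes. Drop the `tag` override so `.Chart.AppVersion` applies, or pin a digest. The rest of the file is still the `helm create` scaffold: `podSecurityContext: {}` and `securityContext: {}` (the fornix chart in this same change drops all capabilities and runs non-root), `serviceAccount.automount: true`, and `maxReplicas: 100` for a dashboard. `ingress.enabled: true` with the dev host `diadash.dev.vtn.obx` and secret `diadash-tls` is also a surprising default for a chart consumed as a subchart; ship ingress disabled and enable it from the parent's values.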
+23
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
+21
@@ -0,0 +1,21 @@
apiVersion: v2
name: fornix
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: v1.6.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "v1.6.0"
+22
@@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "fornix.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "fornix.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "fornix.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fornix.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
+62
@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "fornix.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "fornix.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "fornix.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "fornix.labels" -}}
helm.sh/chart: {{ include "fornix.chart" . }}
{{ include "fornix.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "fornix.selectorLabels" -}}
app.kubernetes.io/name: {{ include "fornix.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "fornix.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "fornix.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+83
@@ -0,0 +1,83 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "fornix.fullname" . }}
labels:
{{- include "fornix.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "fornix.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "fornix.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "fornix.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
env:
- name: DRUPAL_URL
value: {{ .Values.drupalUrl }}
- name: BASE_URL
value: {{ .Values.baseUrl }}
{{- with .Values.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
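Review bot: the `env` values are interpolated unquoted (`value: {{ .Values.drupalUrl }}`), which works for `http://drupal` but renders an invalid Deployment for anything YAML parses as a non-string (`yes`, `1.6`, a value containing `: `), since `env[].value` must be a string. Use `value: {{ .Values.drupalUrl | quote }}` and `value: {{ .Values.baseUrl | quote }}`.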
+43
@@ -0,0 +1,43 @@
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "fornix.fullname" . }}
labels:
{{- include "fornix.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.ingress.className }}
ingressClassName: {{ . }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- with .pathType }}
pathType: {{ . }}
{{- end }}
backend:
service:
name: {{ include "fornix.fullname" $ }}
port:
number: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
+15
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "fornix.fullname" . }}
labels:
{{- include "fornix.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "fornix.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fornix.serviceAccountName" . }}
labels:
{{- include "fornix.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "fornix.fullname" . }}-test-connection"
labels:
{{- include "fornix.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "fornix.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
+100
@@ -0,0 +1,100 @@
# Default values for fornix.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
drupalUrl: http://drupal
baseUrl: https://oceanbox.io
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: registry.gitlab.com/oceanbox/fornix
# This sets the pull policy for images.
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: v1.6.0
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets:
- name: gitlab-pull-secret
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1000
# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
# This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ClusterIP
# This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
port: 8085
# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
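Review bot: `readOnlyRootFilesystem: false` is the one hardening flag left off while `runAsNonRoot`, `runAsUser: 1000` and `capabilities.drop: [ALL]` are set; if the application needs writable paths, mount `emptyDir` volumes for them through the `volumes`/`volumeMounts` hooks at the bottom of this file and turn the flag back on. Two smaller points: `image.tag: v1.6.0` duplicates `appVersion: "v1.6.0"` in Chart.yaml, so the `default .Chart.AppVersion` fallback never applies and both files must be bumped in lockstep (drop the tag), and `serviceAccount.automount: true` with no RBAC in the chart hands the pod an API token it does not need.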
+1 -1
@@ -3,7 +3,7 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/makai/makai repository: registry.gitlab.com/oceanbox/makai
tag: v0.1.0 tag: v0.1.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
+1
@@ -45,6 +45,7 @@ spec:
persistentVolumeClaimSpec: persistentVolumeClaimSpec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClass: {{ .Values.redis.storageClass | default "managed-nfs-storage" }}
resources: resources:
requests: requests:
storage: {{ .Values.redis.size | default "1Gi" }} storage: {{ .Values.redis.size | default "1Gi" }}
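Review bot: if `persistentVolumeClaimSpec` is a core `PersistentVolumeClaimSpec`, the field is `storageClassName`, not `storageClass`; an unknown field is rejected under strict server-side validation or, for a CRD with a structural schema, silently pruned, in which case the claim lands on the cluster's default class while the template suggests it is pinned to `managed-nfs-storage`. Verify with `helm template ... | kubectl apply --dry-run=server --validate=strict -f -` and rename the key if so.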
+1 -1
@@ -3,7 +3,7 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/plume/plume repository: registry.gitlab.com/oceanbox/plume
tag: v1.6.7 tag: v1.6.7
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
+6
@@ -0,0 +1,6 @@
dependencies:
- name: diagrid-dashboard
repository: file://../diagrid-dashboard
version: 0.1.0
digest: sha256:4fdb3148a2a6439223d7844a3083da2de324dd47e5cb3ac4a5d9c436e6e2c775
generated: "2025-12-16T19:38:21.939708629+01:00"
+5
@@ -8,3 +8,8 @@ version: v1.35.2
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. # incremented each time you make changes to the application.
appVersion: v1.35.2 appVersion: v1.35.2
dependencies:
- name: diagrid-dashboard
version: "0.1.0"
repository: "file://../diagrid-dashboard"
condition: diagrid-dashboard.enabled
+6
@@ -108,3 +108,9 @@ serviceMonitor:
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
diagrid-dashboard:
enabled: false
statestore:
scope: sorcerer
redis: sorcerer-redis
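Review bot: `enabled: false` keeps this inert for now, but once it is switched on the subchart's own defaults apply unchanged: `ingress.enabled: true` with host `diadash.dev.vtn.obx` and TLS secret `diadash-tls`, and a statestore whose Redis password is the literal `secret`. Add `diagrid-dashboard.ingress` overrides per environment here, and confirm `sorcerer-redis` is not actually running with that password before wiring the dashboard to it.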
+1 -1
@@ -5,7 +5,7 @@
replicaCount: 1 replicaCount: 1
image: image:
repository: registry repository: registry
tag: 2 tag: 3
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
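Review bot: `tag: 2` to `tag: 3` moves the registry across a major version on a floating tag, so the image will keep changing underneath the release with every 3.x push and the 2-to-3 breaking changes are not reviewed anywhere in this commit. Pin an exact 3.x tag or a digest, and check the 3.0 release notes for removed storage drivers and changed configuration keys before rolling it out.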
+1 -1
@@ -27,7 +27,7 @@ releases:
- name: argocd-apps - name: argocd-apps
namespace: argocd namespace: argocd
chart: argo/argocd-apps chart: argo/argocd-apps
version: 0.0.9 version: 2.0.3
condition: argo.apps.enabled condition: argo.apps.enabled
values: values:
- ../values/argo/values/apps.yaml.gotmpl - ../values/argo/values/apps.yaml.gotmpl
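Review bot: 0.0.9 to 2.0.3 crosses two major versions of argocd-apps; 1.0.0 turned the top-level `applications`, `projects` and `applicationsets` values from lists into maps keyed by name, so `../values/argo/values/apps.yaml.gotmpl` needs converting or the release renders no Application objects. Diff the `helmfile template` output before and after the bump to confirm the same Applications come out.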
+3 -2
@@ -3,7 +3,8 @@ bases:
repositories: repositories:
- name: cert-manager - name: cert-manager
url: 'https://charts.jetstack.io' oci: true
url: 'quay.io/jetstack/charts'
commonLabels: commonLabels:
tier: system tier: system
@@ -12,7 +13,7 @@ releases:
- name: cert-manager - name: cert-manager
namespace: cert-manager namespace: cert-manager
chart: cert-manager/cert-manager chart: cert-manager/cert-manager
version: 1.12.13 version: v1.19.2
condition: cert_manager.enabled condition: cert_manager.enabled
values: values:
- ../values/cert-manager/values/cert-manager.yaml.gotmpl - ../values/cert-manager/values/cert-manager.yaml.gotmpl
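Review bot: 1.12.13 to v1.19.2 skips six minor releases in one step; read each release's upgrade notes, and in particular note that `installCRDs` was deprecated in 1.15 in favour of `crds.enabled`/`crds.keep`, so check that `cert-manager.yaml.gotmpl` still installs (and keeps) the CRDs. The version string now carries a `v` prefix because that is how the OCI tags on quay.io/jetstack/charts are named, which is consistent with the `oci: true` repository switch in the hunk above.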
+44
@@ -0,0 +1,44 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: forgejo
oci: true
url: code.forgejo.org/forgejo-helm
commonLabels:
tier: system
releases:
- name: forgejo
namespace: forgejo
chart: forgejo/forgejo
version: 16.0.0
condition: forgejo.enabled
values:
- ../values/forgejo/values/values.yaml
- ../values/forgejo/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/forgejo/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: manifests
namespace: forgejo
chart: manifests
condition: forgejo.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/forgejo/env.yaml.gotmpl
- ../values/forgejo/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/forgejo/manifests
- manifests
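Review bot: `missingFileHandler: Info` on the forgejo release also covers the non-optional `../values/forgejo/values/values.yaml`, so a typo in that path deploys Forgejo with chart defaults and only an info-level log line. Since the handler is per release, raise it to `Warn` or `Error` and make the per-environment file exist for every environment (an empty `{}` file is enough) rather than relying on silent skipping.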
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: oceanbox
releases:
- name: fornix
namespace: fornix
chart: ../charts/fornix
condition: fornix.enabled
values:
- ../values/fornix/values/values.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/fornix/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: manifests
namespace: fornix
chart: manifests
condition: fornix.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/fornix/env.yaml.gotmpl
- ../values/fornix/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/fornix/manifests
- manifests
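Review bot: unlike the forgejo and kueue helmfiles in this change, the fornix release loads only `values/values.yaml` with no `values-{{ .Environment.Name }}.yaml`, so the chart defaults `baseUrl: https://oceanbox.io` and `drupalUrl: http://drupal` are identical in every environment. Add the per-environment values entry (kept optional by `missingFileHandler`) so staging does not advertise the production base URL.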
+1 -1
@@ -12,7 +12,7 @@ releases:
- name: ingress-nginx - name: ingress-nginx
namespace: ingress-nginx namespace: ingress-nginx
chart: ingress-nginx/ingress-nginx chart: ingress-nginx/ingress-nginx
version: 4.8.3 version: 4.14.1
condition: nginx.enabled condition: nginx.enabled
values: values:
- ../values/ingress-nginx/values/ingress-nginx.yaml.gotmpl - ../values/ingress-nginx/values/ingress-nginx.yaml.gotmpl
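Review bot: 4.8.3 to 4.14.1 spans controller 1.9 through 1.14, and 1.12 changed the default `annotations-risk-level` so that `*-snippet` and other high-risk annotations are rejected unless the controller ConfigMap raises it; audit the repo's Ingress objects for such annotations before rolling this out (the ones visible in this change, `backend-protocol` and `ssl-redirect`, are fine). `kubectl get ingress -A -o yaml | grep -i snippet` on the running cluster is a quick way to see whether anything would break.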
+40
@@ -0,0 +1,40 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: system
releases:
- name: kueue
namespace: kueue-system
chart: oci://registry.k8s.io/kueue/charts/kueue
version: 0.15.0
condition: kueue.enabled
values:
- ../values/kueue/values/values.yaml
- ../values/kueue/values/values-{{ .Environment.Name }}.yaml
- ../values/kueue/values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/kueue/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: manifests
namespace: kueue-system
chart: manifests
condition: kueue.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/kueue/env.yaml.gotmpl
- ../values/kueue/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/kueue/manifests
- manifests
+1 -1
@@ -15,7 +15,7 @@ releases:
- name: kyverno - name: kyverno
namespace: kyverno namespace: kyverno
chart: kyverno/kyverno chart: kyverno/kyverno
version: 3.5.1 version: 3.6.1
condition: kyverno.enabled condition: kyverno.enabled
values: values:
- ../values/kyverno/values/kyverno.yaml.gotmpl - ../values/kyverno/values/kyverno.yaml.gotmpl
+1 -1
@@ -12,7 +12,7 @@ releases:
- name: mariadb-operator - name: mariadb-operator
namespace: mariadb-operator namespace: mariadb-operator
chart: mariadb-operator/mariadb-operator chart: mariadb-operator/mariadb-operator
version: 25.8.4 version: 25.10.3
condition: mariadb_operator.enabled condition: mariadb_operator.enabled
values: values:
- ../values/mariadb-operator/values/mariadb-operator.yaml.gotmpl - ../values/mariadb-operator/values/mariadb-operator.yaml.gotmpl
+1 -1
@@ -16,7 +16,7 @@ releases:
namespace: {{ .Environment.Name }}-openfga namespace: {{ .Environment.Name }}-openfga
{{- end }} {{- end }}
chart: openfga/openfga chart: openfga/openfga
version: 0.2.45 version: 0.2.50
condition: openfga.enabled condition: openfga.enabled
values: values:
- ../values/openfga/values/values.yaml - ../values/openfga/values/values.yaml
@@ -12,7 +12,7 @@ releases:
- name: opentelemetry-collector - name: opentelemetry-collector
namespace: otel namespace: otel
chart: open-telemetry/opentelemetry-collector chart: open-telemetry/opentelemetry-collector
version: 0.134.1 version: 0.142.1
condition: otel.enabled condition: otel.enabled
values: values:
- ../values/opentelemetry-collector/values/values.yaml - ../values/opentelemetry-collector/values/values.yaml
+1 -1
@@ -15,7 +15,7 @@ releases:
- name: postgres-operator - name: postgres-operator
namespace: cnpg namespace: cnpg
chart: cloudnative-pg/cloudnative-pg chart: cloudnative-pg/cloudnative-pg
version: 0.26.1 version: 0.27.0
condition: postgres_operator.enabled condition: postgres_operator.enabled
values: values:
- ../values/postgres-operator/values/postgres-operator.yaml.gotmpl - ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
+1 -1
@@ -13,7 +13,7 @@ releases:
- name: {{ .Environment.Name }}-rabbitmq - name: {{ .Environment.Name }}-rabbitmq
namespace: rabbitmq namespace: rabbitmq
chart: bitnami/rabbitmq chart: bitnami/rabbitmq
version: 12.9.0 version: 13.0.3
condition: rabbitmq.enabled condition: rabbitmq.enabled
values: values:
- ../values/rabbitmq/values/values.yaml - ../values/rabbitmq/values/values.yaml
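Review bot: 12.9.0 to 13.0.3 is a major bump of the Bitnami chart and the matching values changes are not visible in this hunk; check the 13.0.0 changelog for renamed values, and confirm which image registry and repository the 13.x chart defaults pull from before the `{{ .Environment.Name }}-rabbitmq` release in prod picks it up, since an image source change on a stateful broker is not something to discover during the rollout.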
+1 -1
@@ -13,7 +13,7 @@ releases:
- name: slurm-operator - name: slurm-operator
namespace: slinky namespace: slinky
chart: slurm-operator/slurm-operator chart: slurm-operator/slurm-operator
version: 0.4.0 version: 0.4.1
condition: slurm_operator.enabled condition: slurm_operator.enabled
values: values:
- ../values/slurm-operator/values/slurm-operator.yaml.gotmpl - ../values/slurm-operator/values/slurm-operator.yaml.gotmpl
+1 -1
@@ -13,7 +13,7 @@ releases:
- name: spegel - name: spegel
namespace: spegel namespace: spegel
chart: spegel/spegel chart: spegel/spegel
version: 0.5.1 version: 0.6.0
condition: spegel.enabled condition: spegel.enabled
values: values:
- ../values/spegel/values/spegel.yaml.gotmpl - ../values/spegel/values/spegel.yaml.gotmpl
+1 -1
View File
@@ -15,7 +15,7 @@ releases:
- name: velero - name: velero
namespace: velero namespace: velero
chart: velero/velero chart: velero/velero
version: 11.1.1 version: 11.3.2
condition: velero.enabled condition: velero.enabled
values: values:
- ../values/velero/values/velero.yaml.gotmpl - ../values/velero/values/velero.yaml.gotmpl
+70
View File
@@ -0,0 +1,70 @@
let
sources = import ./default.nix;
pkgs = import sources.nixpkgs { };
pre-commit = import sources.git-hooks;
globalExcludes = [
"nix/default.nix"
"attic"
"vcluster"
".*vendor"
".*chart/.*"
".*schema.json"
];
in
pre-commit.run {
src = pkgs.nix-gitignore.gitignoreSource [ ] ../.;
# Do not run at pre-commit time
default_stages = [
"pre-push"
];
# TODO(mrtz): Remove when default
package = pkgs.prek;
# Linters From https://github.com/cachix/pre-commit-hooks.nix
hooks = {
nixfmt-rfc-style = {
enable = true;
excludes = globalExcludes;
};
trim-trailing-whitespace.enable = true;
shellcheck = {
enable = true;
excludes = [
"vcluster/"
"attic/"
];
args = [
"-x"
"-o"
"all"
];
};
yamllint = {
enable = true;
excludes = [
"attic/"
"charts/templates/"
"charts/"
"values/"
"vcluster/"
];
settings = {
strict = true;
configData = ''{ extends: default, rules: { document-start: disable, line-length: {max: 300} } }'';
};
};
check-json.enable = true;
renovate-config-validator = {
enable = true;
files = "renovate.json$";
entry = "renovate-config-validator";
};
};
}
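Review bot: The `renovate-config-validator` hook sets `entry = "renovate-config-validator"` as a bare command name, so it only works when that binary happens to be on the developer's PATH; point `entry` at a store path (renovate is packaged in nixpkgs) so the hook behaves the same on every machine and in CI. Two smaller points: in the yamllint `excludes`, `"charts/templates/"` is already covered by `"charts/"`; and since this repository holds manifests and values files, a secret-detection hook from the same hook set (for example `detect-private-keys`) would be a cheap addition next to `check-json.enable = true`.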
+127 -24
View File
@@ -9,8 +9,15 @@
*/ */
# Generated by npins. Do not modify; will be overwritten regularly # Generated by npins. Do not modify; will be overwritten regularly
let let
data = builtins.fromJSON (builtins.readFile ./sources.json); # Backwards-compatibly make something that previously didn't take any arguments take some
version = data.version; # The function must return an attrset, and will unfortunately be eagerly evaluated
# Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
mkFunctor =
fn:
let
e = builtins.tryEval (fn { });
in
(if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = range =
@@ -21,7 +28,6 @@ let
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep ""; concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -48,41 +54,87 @@ let
mkSource = mkSource =
name: spec: name: spec:
{
pkgs ? null,
}:
assert spec ? type; assert spec ? type;
let let
# Unify across builtin and pkgs fetchers.
# `fetchGit` requires a wrapper because of slight API differences.
fetchers =
if pkgs == null then
{
inherit (builtins) fetchTarball fetchurl;
# For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
fetchGit = args: (builtins.fetchGit args).outPath;
}
else
{
fetchTarball =
{
url,
sha256,
}:
pkgs.fetchzip {
inherit url sha256;
extension = "tar";
};
inherit (pkgs) fetchurl;
fetchGit =
{
url,
submodules,
rev,
name,
narHash,
}:
pkgs.fetchgit {
inherit url rev name;
fetchSubmodules = submodules;
hash = narHash;
};
};
# Dispatch to the correct code path based on the type
path = path =
if spec.type == "Git" then if spec.type == "Git" then
mkGitSource spec mkGitSource fetchers spec
else if spec.type == "GitRelease" then else if spec.type == "GitRelease" then
mkGitSource spec mkGitSource fetchers spec
else if spec.type == "PyPi" then else if spec.type == "PyPi" then
mkPyPiSource spec mkPyPiSource fetchers spec
else if spec.type == "Channel" then else if spec.type == "Channel" then
mkChannelSource spec mkChannelSource fetchers spec
else if spec.type == "Tarball" then else if spec.type == "Tarball" then
mkTarballSource spec mkTarballSource fetchers spec
else if spec.type == "Container" then
mkContainerSource pkgs spec
else else
builtins.throw "Unknown source type ${spec.type}"; builtins.throw "Unknown source type ${spec.type}";
in in
spec // { outPath = mayOverride name path; }; spec // { outPath = mayOverride name path; };
mkGitSource = mkGitSource =
{
fetchTarball,
fetchGit,
...
}:
{ {
repository, repository,
revision, revision,
url ? null, url ? null,
submodules, submodules,
hash, hash,
branch ? null,
... ...
}: }:
assert repository ? type; assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball # In the latter case, there we will always be an url to the tarball
if url != null && !submodules then if url != null && !submodules then
builtins.fetchTarball { fetchTarball {
inherit url; inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes sha256 = hash;
} }
else else
let let
@@ -93,6 +145,8 @@ let
"https://github.com/${repository.owner}/${repository.repo}.git" "https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git" "${repository.server}/${repository.repo_path}.git"
else if repository.type == "Forgejo" then
"${repository.server}/${repository.owner}/${repository.repo}.git"
else else
throw "Unrecognized repository type ${repository.type}"; throw "Unrecognized repository type ${repository.type}";
urlToName = urlToName =
@@ -107,40 +161,89 @@ let
"${if matched == null then "source" else builtins.head matched}${appendShort}"; "${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision; name = urlToName url revision;
in in
builtins.fetchGit { fetchGit {
rev = revision; rev = revision;
inherit name; narHash = hash;
# hash = hash;
inherit url submodules; inherit name submodules url;
}; };
mkPyPiSource = mkPyPiSource =
{ url, hash, ... }: { fetchurl, ... }:
builtins.fetchurl { {
url,
hash,
...
}:
fetchurl {
inherit url; inherit url;
sha256 = hash; sha256 = hash;
}; };
mkChannelSource = mkChannelSource =
{ url, hash, ... }: { fetchTarball, ... }:
builtins.fetchTarball { {
url,
hash,
...
}:
fetchTarball {
inherit url; inherit url;
sha256 = hash; sha256 = hash;
}; };
mkTarballSource = mkTarballSource =
{ fetchTarball, ... }:
{ {
url, url,
locked_url ? url, locked_url ? url,
hash, hash,
... ...
}: }:
builtins.fetchTarball { fetchTarball {
url = locked_url; url = locked_url;
sha256 = hash; sha256 = hash;
}; };
mkContainerSource =
pkgs:
{
image_name,
image_tag,
image_digest,
...
}:
if pkgs == null then
builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
else
pkgs.dockerTools.pullImage {
imageName = image_name;
imageDigest = image_digest;
finalImageTag = image_tag;
};
in in
if version == 5 then mkFunctor (
builtins.mapAttrs mkSource data.pins {
else input ? ./sources.json,
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" }:
let
data =
if builtins.isPath input then
# while `readFile` will throw an error anyways if the path doesn't exist,
# we still need to check beforehand because *our* error can be caught but not the one from the builtin
# *piegames sighs*
if builtins.pathExists input then
builtins.fromJSON (builtins.readFile input)
else
throw "Input path ${toString input} does not exist"
else if builtins.isAttrs input then
input
else
throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
version = data.version;
in
if version == 7 then
builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
)
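Review bot: The `fetchGit` call in this hunk now passes `narHash = hash;` where the old side had `# hash = hash;` commented out, so git-sourced pins are content-verified instead of relying on the commit id alone; that is the most useful change in this generated file and deserves a mention in the merge request description. Also note that `mkContainerSource` pulls by `imageDigest` and only uses `image_tag` as `finalImageTag`, so container pins are digest-pinned; keep it that way when the first container pin is added.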
+16 -3
View File
@@ -1,11 +1,24 @@
{ {
"pins": { "pins": {
"git-hooks": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "cachix",
"repo": "git-hooks.nix"
},
"branch": "master",
"submodules": false,
"revision": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
"url": "https://github.com/cachix/git-hooks.nix/archive/f0927703b7b1c8d97511c4116eb9b4ec6645a0fa.tar.gz",
"hash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE="
},
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixpkgs-unstable", "name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre903996.59b6c96beacc/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre927565.13868c071cc7/nixexprs.tar.xz",
"hash": "0b0yr9d1xyfwgpaj68bimsbjjbj7yis4whjvkrfdycfnasdf0gf0" "hash": "sha256-wufp5c0nWh/87f9eK7xy1eZXms5zd4yl6S4SR+LfA08="
} }
}, },
"version": 5 "version": 7
} }
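Review bot: The new `git-hooks` pin tracks `"branch": "master"` with a fixed `revision` and `hash`, which is reproducible as committed, but every automated `npins update` MR will move it to whatever master contains at that time; since this input provides the hooks that execute on developers' machines and in CI, those automated bumps should get a human look at the revision/hash change rather than an auto-merge. The nixpkgs channel pin also switches from a base32 hash to an SRI `sha256-...` value, consistent with the `"version": 7` format.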
+6 -6
View File
@@ -3,7 +3,7 @@
# Simple script for uploading a base64 encoded image into our database. For # Simple script for uploading a base64 encoded image into our database. For
# grafana business image panels. # grafana business image panels.
if [ $# -ne 2 ] if [[ $# -ne 2 ]]
then then
echo "Usage: $0 <image-name> <file>.png" echo "Usage: $0 <image-name> <file>.png"
exit 1 exit 1
@@ -12,9 +12,9 @@ fi
filename=$1 filename=$1
file=$2 file=$2
if [ ! -e $file ] if [[ ! -e "${file}" ]]
then then
echo "file $file does not exist" echo "file ${file} does not exist"
exit 1 exit 1
fi fi
@@ -22,9 +22,9 @@ function create_image() {
local filename=$1 local filename=$1
local data=$2 local data=$2
cat << EOF cat << EOF
INSERT INTO images VALUES('$filename', '$data'); INSERT INTO images VALUES('$(unknown)', '${data}');
EOF EOF
} }
data=$(cat $file | base64 -w0) data=$(base64 -w0 < "${file}")
create_image $filename $data create_image "$(unknown)" "${data}"
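Review bot: The heredoc in `create_image` interpolates the image name and data directly into `INSERT INTO images VALUES(...)`, so a name containing a single quote breaks the statement or alters it, and the shell quoting added in this hunk does not address that; pass the values as psql variables (`-v name="$filename"` with `:'name'` in the SQL) or escape them explicitly before building the statement. Separately, the new side renders as `'$(unknown)'` and `"$(unknown)"` where the old side had `$filename`; as displayed that is a command substitution that would fail at runtime, so confirm the committed text is actually `"${filename}"`.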
-1
View File
@@ -1,4 +1,3 @@
// -*- mode: jsonc -*-
{ {
"$schema": "https://docs.renovatebot.com/renovate-schema.json", "$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [ "extends": [
+203 -182
View File
@@ -1,183 +1,204 @@
groups: groups:
- name: etcd - name: etcd
rules: rules:
- alert: etcdMembersDown - alert: etcdMembersDown
annotations: annotations:
description: 'etcd cluster "{{ $labels.job }}": members are down ({{ $value description:
}}).' 'etcd cluster "{{ $labels.job }}": members are down ({{ $value
summary: etcd cluster members are down. }}).'
expr: |- summary: etcd cluster members are down.
max without (endpoint) ( expr: |-
sum without (instance) (up{job=~".*etcd.*"} == bool 0) max without (endpoint) (
or sum without (instance) (up{job=~".*etcd.*"} == bool 0)
count without (To) ( or
sum without (instance) (rate(etcd_network_peer_sent_failures_total{job=~".*etcd.*"}[120s])) > 0.01 count without (To) (
) sum without (instance) (rate(etcd_network_peer_sent_failures_total{job=~".*etcd.*"}[120s])) > 0.01
) )
> 0 )
for: 10m > 0
labels: for: 10m
severity: critical labels:
- alert: etcdInsufficientMembers severity: critical
annotations: - alert: etcdInsufficientMembers
description: 'etcd cluster "{{ $labels.job }}": insufficient members ({{ $value annotations:
}}).' description:
summary: etcd cluster has insufficient number of members. 'etcd cluster "{{ $labels.job }}": insufficient members ({{ $value
expr: sum(up{job=~".*etcd.*"} == bool 1) without (instance) < ((count(up{job=~".*etcd.*"}) }}).'
without (instance) + 1) / 2) summary: etcd cluster has insufficient number of members.
for: 3m expr:
labels: sum(up{job=~".*etcd.*"} == bool 1) without (instance) < ((count(up{job=~".*etcd.*"})
severity: critical without (instance) + 1) / 2)
- alert: etcdNoLeader for: 3m
annotations: labels:
description: 'etcd cluster "{{ $labels.job }}": member {{ $labels.instance }} severity: critical
has no leader.' - alert: etcdNoLeader
summary: etcd cluster has no leader. annotations:
expr: etcd_server_has_leader{job=~".*etcd.*"} == 0 description:
for: 1m 'etcd cluster "{{ $labels.job }}": member {{ $labels.instance }}
labels: has no leader.'
severity: critical summary: etcd cluster has no leader.
- alert: etcdHighNumberOfLeaderChanges expr: etcd_server_has_leader{job=~".*etcd.*"} == 0
annotations: for: 1m
description: 'etcd cluster "{{ $labels.job }}": {{ $value }} leader changes labels:
within the last 15 minutes. Frequent elections may be a sign of insufficient severity: critical
resources, high network latency, or disruptions by other components and should - alert: etcdHighNumberOfLeaderChanges
be investigated.' annotations:
summary: etcd cluster has high number of leader changes. description:
expr: increase((max without (instance) (etcd_server_leader_changes_seen_total{job=~".*etcd.*"}) 'etcd cluster "{{ $labels.job }}": {{ $value }} leader changes
or 0*absent(etcd_server_leader_changes_seen_total{job=~".*etcd.*"}))[15m:1m]) within the last 15 minutes. Frequent elections may be a sign of insufficient
>= 4 resources, high network latency, or disruptions by other components and should
for: 5m be investigated.'
labels: summary: etcd cluster has high number of leader changes.
severity: warning expr:
- alert: etcdHighNumberOfFailedGRPCRequests increase((max without (instance) (etcd_server_leader_changes_seen_total{job=~".*etcd.*"})
annotations: or 0*absent(etcd_server_leader_changes_seen_total{job=~".*etcd.*"}))[15m:1m])
description: 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for >= 4
{{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.' for: 5m
summary: etcd cluster has high number of failed grpc requests. labels:
expr: |- severity: warning
100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code) - alert: etcdHighNumberOfFailedGRPCRequests
/ annotations:
sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code) description:
> 1 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for
for: 10m {{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.'
labels: summary: etcd cluster has high number of failed grpc requests.
severity: warning expr: |-
- alert: etcdHighNumberOfFailedGRPCRequests 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code)
annotations: /
description: 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code)
{{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.' > 1
summary: etcd cluster has high number of failed grpc requests. for: 10m
expr: |- labels:
100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code) severity: warning
/ - alert: etcdHighNumberOfFailedGRPCRequests
sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code) annotations:
> 5 description:
for: 5m 'etcd cluster "{{ $labels.job }}": {{ $value }}% of requests for
labels: {{ $labels.grpc_method }} failed on etcd instance {{ $labels.instance }}.'
severity: critical summary: etcd cluster has high number of failed grpc requests.
- alert: etcdGRPCRequestsSlow expr: |-
annotations: 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}[5m])) without (grpc_type, grpc_code)
description: 'etcd cluster "{{ $labels.job }}": 99th percentile of gRPC requests /
is {{ $value }}s on etcd instance {{ $labels.instance }} for {{ $labels.grpc_method sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) without (grpc_type, grpc_code)
}} method.' > 5
summary: etcd grpc requests are slow for: 5m
expr: |- labels:
histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{job=~".*etcd.*", grpc_method!="Defragment", grpc_type="unary"}[5m])) without(grpc_type)) severity: critical
> 0.15 - alert: etcdGRPCRequestsSlow
for: 10m annotations:
labels: description:
severity: critical 'etcd cluster "{{ $labels.job }}": 99th percentile of gRPC requests
- alert: etcdMemberCommunicationSlow is {{ $value }}s on etcd instance {{ $labels.instance }} for {{ $labels.grpc_method
annotations: }} method.'
description: 'etcd cluster "{{ $labels.job }}": member communication with {{ summary: etcd grpc requests are slow
$labels.To }} is taking {{ $value }}s on etcd instance {{ $labels.instance expr: |-
}}.' histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{job=~".*etcd.*", grpc_method!="Defragment", grpc_type="unary"}[5m])) without(grpc_type))
summary: etcd cluster member communication is slow. > 0.15
expr: |- for: 10m
histogram_quantile(0.99, rate(etcd_network_peer_round_trip_time_seconds_bucket{job=~".*etcd.*"}[5m])) labels:
> 0.15 severity: critical
for: 10m - alert: etcdMemberCommunicationSlow
labels: annotations:
severity: warning description:
- alert: etcdHighNumberOfFailedProposals 'etcd cluster "{{ $labels.job }}": member communication with {{
annotations: $labels.To }} is taking {{ $value }}s on etcd instance {{ $labels.instance
description: 'etcd cluster "{{ $labels.job }}": {{ $value }} proposal failures }}.'
within the last 30 minutes on etcd instance {{ $labels.instance }}.' summary: etcd cluster member communication is slow.
summary: etcd cluster has high number of proposal failures. expr: |-
expr: rate(etcd_server_proposals_failed_total{job=~".*etcd.*"}[15m]) > 5 histogram_quantile(0.99, rate(etcd_network_peer_round_trip_time_seconds_bucket{job=~".*etcd.*"}[5m]))
for: 15m > 0.15
labels: for: 10m
severity: warning labels:
- alert: etcdHighFsyncDurations severity: warning
annotations: - alert: etcdHighNumberOfFailedProposals
description: 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations annotations:
are {{ $value }}s on etcd instance {{ $labels.instance }}.' description:
summary: etcd cluster 99th percentile fsync durations are too high. 'etcd cluster "{{ $labels.job }}": {{ $value }} proposal failures
expr: |- within the last 30 minutes on etcd instance {{ $labels.instance }}.'
histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m])) summary: etcd cluster has high number of proposal failures.
> 0.5 expr: rate(etcd_server_proposals_failed_total{job=~".*etcd.*"}[15m]) > 5
for: 10m for: 15m
labels: labels:
severity: warning severity: warning
- alert: etcdHighFsyncDurations - alert: etcdHighFsyncDurations
annotations: annotations:
description: 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations description:
are {{ $value }}s on etcd instance {{ $labels.instance }}.' 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations
summary: etcd cluster 99th percentile fsync durations are too high. are {{ $value }}s on etcd instance {{ $labels.instance }}.'
expr: |- summary: etcd cluster 99th percentile fsync durations are too high.
histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m])) expr: |-
> 1 histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m]))
for: 10m > 0.5
labels: for: 10m
severity: critical labels:
- alert: etcdHighCommitDurations severity: warning
annotations: - alert: etcdHighFsyncDurations
description: 'etcd cluster "{{ $labels.job }}": 99th percentile commit durations annotations:
{{ $value }}s on etcd instance {{ $labels.instance }}.' description:
summary: etcd cluster 99th percentile commit durations are too high. 'etcd cluster "{{ $labels.job }}": 99th percentile fsync durations
expr: |- are {{ $value }}s on etcd instance {{ $labels.instance }}.'
histogram_quantile(0.99, rate(etcd_disk_backend_commit_duration_seconds_bucket{job=~".*etcd.*"}[5m])) summary: etcd cluster 99th percentile fsync durations are too high.
> 0.25 expr: |-
for: 10m histogram_quantile(0.99, rate(etcd_disk_wal_fsync_duration_seconds_bucket{job=~".*etcd.*"}[5m]))
labels: > 1
severity: warning for: 10m
- alert: etcdDatabaseQuotaLowSpace labels:
annotations: severity: critical
description: 'etcd cluster "{{ $labels.job }}": database size exceeds the defined - alert: etcdHighCommitDurations
quota on etcd instance {{ $labels.instance }}, please defrag or increase the annotations:
quota as the writes to etcd will be disabled when it is full.' description:
summary: etcd cluster database is running full. 'etcd cluster "{{ $labels.job }}": 99th percentile commit durations
expr: (last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m]) / {{ $value }}s on etcd instance {{ $labels.instance }}.'
last_over_time(etcd_server_quota_backend_bytes{job=~".*etcd.*"}[5m]))*100 > summary: etcd cluster 99th percentile commit durations are too high.
95 expr: |-
for: 10m histogram_quantile(0.99, rate(etcd_disk_backend_commit_duration_seconds_bucket{job=~".*etcd.*"}[5m]))
labels: > 0.25
severity: critical for: 10m
- alert: etcdExcessiveDatabaseGrowth labels:
annotations: severity: warning
description: 'etcd cluster "{{ $labels.job }}": Predicting running out of disk - alert: etcdDatabaseQuotaLowSpace
space in the next four hours, based on write observations within the past annotations:
four hours on etcd instance {{ $labels.instance }}, please check as it might description:
be disruptive.' 'etcd cluster "{{ $labels.job }}": database size exceeds the defined
summary: etcd cluster database growing very fast. quota on etcd instance {{ $labels.instance }}, please defrag or increase the
expr: predict_linear(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[4h], 4*60*60) quota as the writes to etcd will be disabled when it is full.'
> etcd_server_quota_backend_bytes{job=~".*etcd.*"} summary: etcd cluster database is running full.
for: 10m expr:
labels: (last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m]) /
severity: warning last_over_time(etcd_server_quota_backend_bytes{job=~".*etcd.*"}[5m]))*100 >
- alert: etcdDatabaseHighFragmentationRatio 95
annotations: for: 10m
description: 'etcd cluster "{{ $labels.job }}": database size in use on instance labels:
{{ $labels.instance }} is {{ $value | humanizePercentage }} of the actual severity: critical
allocated disk space, please run defragmentation (e.g. etcdctl defrag) to - alert: etcdExcessiveDatabaseGrowth
retrieve the unused fragmented disk space.' annotations:
runbook_url: https://etcd.io/docs/v3.5/op-guide/maintenance/#defragmentation description:
summary: etcd database size in use is less than 50% of the actual allocated 'etcd cluster "{{ $labels.job }}": Predicting running out of disk
storage. space in the next four hours, based on write observations within the past
expr: (last_over_time(etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"}[5m]) four hours on etcd instance {{ $labels.instance }}, please check as it might
/ last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m])) < 0.5 be disruptive.'
and etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"} > 104857600 summary: etcd cluster database growing very fast.
for: 10m expr:
labels: predict_linear(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[4h], 4*60*60)
severity: warning > etcd_server_quota_backend_bytes{job=~".*etcd.*"}
for: 10m
labels:
severity: warning
- alert: etcdDatabaseHighFragmentationRatio
annotations:
description:
'etcd cluster "{{ $labels.job }}": database size in use on instance
{{ $labels.instance }} is {{ $value | humanizePercentage }} of the actual
allocated disk space, please run defragmentation (e.g. etcdctl defrag) to
retrieve the unused fragmented disk space.'
runbook_url: https://etcd.io/docs/v3.5/op-guide/maintenance/#defragmentation
summary:
etcd database size in use is less than 50% of the actual allocated
storage.
expr:
(last_over_time(etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"}[5m])
/ last_over_time(etcd_mvcc_db_total_size_in_bytes{job=~".*etcd.*"}[5m])) < 0.5
and etcd_mvcc_db_total_size_in_use_in_bytes{job=~".*etcd.*"} > 104857600
for: 10m
labels:
severity: warning
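Review bot: The rewrap of this rules file is formatting only (the `expr:` values move from inline to multi-line plain scalars, which YAML folds back to one line), but that is exactly the kind of change that silently breaks a PromQL expression when an indent is off; run `promtool check rules` on the result before merging. Unrelated to the rewrap: `etcdHighNumberOfFailedGRPCRequests` and `etcdHighFsyncDurations` each appear twice with different thresholds and severities (warning and critical), which is the intended tiering from the upstream etcd mixin, not a copy-paste duplicate.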
+46 -42
View File
@@ -1,43 +1,47 @@
groups: groups:
- name: general.rules - name: general.rules
rules: rules:
- alert: TargetDown - alert: TargetDown
annotations: annotations:
description: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service description:
}} targets in {{ $labels.namespace }} namespace are down.' '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/targetdown }} targets in {{ $labels.namespace }} namespace are down.'
summary: One or more targets are unreachable. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/targetdown
expr: 100 * (count(up == 0) BY (cluster, job, namespace, service) / count(up) summary: One or more targets are unreachable.
BY (cluster, job, namespace, service)) > 10 expr:
for: 10m 100 * (count(up == 0) BY (cluster, job, namespace, service) / count(up)
labels: BY (cluster, job, namespace, service)) > 10
severity: warning for: 10m
- alert: Watchdog labels:
annotations: severity: warning
description: | - alert: Watchdog
This is an alert meant to ensure that the entire alerting pipeline is functional. annotations:
This alert is always firing, therefore it should always be firing in Alertmanager description: |
and always fire against a receiver. There are integrations with various notification This is an alert meant to ensure that the entire alerting pipeline is functional.
mechanisms that send a notification when this alert is not firing. For example the This alert is always firing, therefore it should always be firing in Alertmanager
"DeadMansSnitch" integration in PagerDuty. and always fire against a receiver. There are integrations with various notification
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/watchdog mechanisms that send a notification when this alert is not firing. For example the
summary: An alert that should always be firing to certify that Alertmanager "DeadMansSnitch" integration in PagerDuty.
is working properly. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/watchdog
expr: vector(1) summary:
labels: An alert that should always be firing to certify that Alertmanager
severity: none is working properly.
- alert: InfoInhibitor expr: vector(1)
annotations: labels:
description: | severity: none
This is an alert that is used to inhibit info alerts. - alert: InfoInhibitor
By themselves, the info-level alerts are sometimes very noisy, but they are relevant when combined with annotations:
other alerts. description: |
This alert fires whenever there's a severity="info" alert, and stops firing when another alert with a This is an alert that is used to inhibit info alerts.
severity of 'warning' or 'critical' starts firing on the same namespace. By themselves, the info-level alerts are sometimes very noisy, but they are relevant when combined with
This alert should be routed to a null receiver and configured to inhibit alerts with severity="info". other alerts.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/infoinhibitor This alert fires whenever there's a severity="info" alert, and stops firing when another alert with a
summary: Info-level alert inhibition. severity of 'warning' or 'critical' starts firing on the same namespace.
expr: ALERTS{severity = "info"} == 1 unless on (namespace) ALERTS{alertname != This alert should be routed to a null receiver and configured to inhibit alerts with severity="info".
"InfoInhibitor", severity =~ "warning|critical", alertstate="firing"} == 1 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/general/infoinhibitor
labels: summary: Info-level alert inhibition.
severity: none expr:
ALERTS{severity = "info"} == 1 unless on (namespace) ALERTS{alertname !=
"InfoInhibitor", severity =~ "warning|critical", alertstate="firing"} == 1
labels:
severity: none
+277 -258
View File
@@ -1,262 +1,281 @@
groups: groups:
- name: kubernetes-apps - name: kubernetes-apps
rules: rules:
- alert: KubePodCrashLooping - alert: KubePodCrashLooping
annotations: annotations:
description: 'Pod {{ $labels.namespace }}/{{ $labels.pod }} ({{ $labels.container description:
}}) is in waiting state (reason: "CrashLoopBackOff").' 'Pod {{ $labels.namespace }}/{{ $labels.pod }} ({{ $labels.container
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodcrashlooping }}) is in waiting state (reason: "CrashLoopBackOff").'
summary: Pod is crash looping. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodcrashlooping
expr: max_over_time(kube_pod_container_status_waiting_reason{reason="CrashLoopBackOff", summary: Pod is crash looping.
job="kube-state-metrics", namespace=~".*"}[5m]) >= 1 expr:
for: 15m max_over_time(kube_pod_container_status_waiting_reason{reason="CrashLoopBackOff",
labels: job="kube-state-metrics", namespace=~".*"}[5m]) >= 1
severity: warning for: 15m
- alert: KubePodNotReady labels:
annotations: severity: warning
description: Pod {{ $labels.namespace }}/{{ $labels.pod }} has been in a non-ready - alert: KubePodNotReady
state for longer than 15 minutes. annotations:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodnotready description:
summary: Pod has been in a non-ready state for more than 15 minutes. Pod {{ $labels.namespace }}/{{ $labels.pod }} has been in a non-ready
expr: |- state for longer than 15 minutes.
sum by (namespace, pod, cluster) ( runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepodnotready
max by (namespace, pod, cluster) ( summary: Pod has been in a non-ready state for more than 15 minutes.
kube_pod_status_phase{job="kube-state-metrics", namespace=~".*", phase=~"Pending|Unknown|Failed"} expr: |-
) * on (namespace, pod, cluster) group_left(owner_kind) topk by (namespace, pod, cluster) ( sum by (namespace, pod, cluster) (
1, max by (namespace, pod, owner_kind, cluster) (kube_pod_owner{owner_kind!="Job"}) max by (namespace, pod, cluster) (
) kube_pod_status_phase{job="kube-state-metrics", namespace=~".*", phase=~"Pending|Unknown|Failed"}
) > 0 ) * on (namespace, pod, cluster) group_left(owner_kind) topk by (namespace, pod, cluster) (
for: 15m 1, max by (namespace, pod, owner_kind, cluster) (kube_pod_owner{owner_kind!="Job"})
labels: )
severity: warning ) > 0
- alert: KubeDeploymentGenerationMismatch for: 15m
annotations: labels:
description: Deployment generation for {{ $labels.namespace }}/{{ $labels.deployment severity: warning
}} does not match, this indicates that the Deployment has failed but has not - alert: KubeDeploymentGenerationMismatch
been rolled back. annotations:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentgenerationmismatch description:
summary: Deployment generation mismatch due to possible roll-back Deployment generation for {{ $labels.namespace }}/{{ $labels.deployment
expr: |- }} does not match, this indicates that the Deployment has failed but has not
kube_deployment_status_observed_generation{job="kube-state-metrics", namespace=~".*"} been rolled back.
!= runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentgenerationmismatch
kube_deployment_metadata_generation{job="kube-state-metrics", namespace=~".*"} summary: Deployment generation mismatch due to possible roll-back
for: 15m expr: |-
labels: kube_deployment_status_observed_generation{job="kube-state-metrics", namespace=~".*"}
severity: warning
- alert: KubeDeploymentReplicasMismatch
annotations:
description: Deployment {{ $labels.namespace }}/{{ $labels.deployment }} has
not matched the expected number of replicas for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentreplicasmismatch
summary: Deployment has not matched the expected number of replicas.
expr: |-
(
kube_deployment_spec_replicas{job="kube-state-metrics", namespace=~".*"}
>
kube_deployment_status_replicas_available{job="kube-state-metrics", namespace=~".*"}
) and (
changes(kube_deployment_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m])
==
0
)
for: 15m
labels:
severity: warning
- alert: KubeDeploymentRolloutStuck
annotations:
description: Rollout of deployment {{ $labels.namespace }}/{{ $labels.deployment
}} is not progressing for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentrolloutstuck
summary: Deployment rollout is not progressing.
expr: |-
kube_deployment_status_condition{condition="Progressing", status="false",job="kube-state-metrics", namespace=~".*"}
!= 0
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetReplicasMismatch
annotations:
description: StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} has
not matched the expected number of replicas for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetreplicasmismatch
summary: StatefulSet has not matched the expected number of replicas.
expr: |-
(
kube_statefulset_status_replicas_ready{job="kube-state-metrics", namespace=~".*"}
!=
kube_statefulset_status_replicas{job="kube-state-metrics", namespace=~".*"}
) and (
changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m])
==
0
)
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetGenerationMismatch
annotations:
description: StatefulSet generation for {{ $labels.namespace }}/{{ $labels.statefulset
}} does not match, this indicates that the StatefulSet has failed but has
not been rolled back.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetgenerationmismatch
summary: StatefulSet generation mismatch due to possible roll-back
expr: |-
kube_statefulset_status_observed_generation{job="kube-state-metrics", namespace=~".*"}
!=
kube_statefulset_metadata_generation{job="kube-state-metrics", namespace=~".*"}
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetUpdateNotRolledOut
annotations:
description: StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} update
has not been rolled out.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetupdatenotrolledout
summary: StatefulSet update has not been rolled out.
expr: |-
(
max by (namespace, statefulset) (
kube_statefulset_status_current_revision{job="kube-state-metrics", namespace=~".*"}
unless
kube_statefulset_status_update_revision{job="kube-state-metrics", namespace=~".*"}
)
*
(
kube_statefulset_replicas{job="kube-state-metrics", namespace=~".*"}
!= !=
kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"} kube_deployment_metadata_generation{job="kube-state-metrics", namespace=~".*"}
) for: 15m
) and ( labels:
changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[5m]) severity: warning
== - alert: KubeDeploymentReplicasMismatch
0 annotations:
) description:
for: 15m Deployment {{ $labels.namespace }}/{{ $labels.deployment }} has
labels: not matched the expected number of replicas for longer than 15 minutes.
severity: warning runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentreplicasmismatch
- alert: KubeDaemonSetRolloutStuck summary: Deployment has not matched the expected number of replicas.
annotations: expr: |-
description: DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} has not (
finished or progressed for at least 15 minutes. kube_deployment_spec_replicas{job="kube-state-metrics", namespace=~".*"}
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetrolloutstuck >
summary: DaemonSet rollout is stuck. kube_deployment_status_replicas_available{job="kube-state-metrics", namespace=~".*"}
expr: |- ) and (
( changes(kube_deployment_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m])
( ==
kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"} 0
!= )
for: 15m
labels:
severity: warning
- alert: KubeDeploymentRolloutStuck
annotations:
description:
Rollout of deployment {{ $labels.namespace }}/{{ $labels.deployment
}} is not progressing for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedeploymentrolloutstuck
summary: Deployment rollout is not progressing.
expr: |-
kube_deployment_status_condition{condition="Progressing", status="false",job="kube-state-metrics", namespace=~".*"}
!= 0
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetReplicasMismatch
annotations:
description:
StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} has
not matched the expected number of replicas for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetreplicasmismatch
summary: StatefulSet has not matched the expected number of replicas.
expr: |-
(
kube_statefulset_status_replicas_ready{job="kube-state-metrics", namespace=~".*"}
!=
kube_statefulset_status_replicas{job="kube-state-metrics", namespace=~".*"}
) and (
changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[10m])
==
0
)
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetGenerationMismatch
annotations:
description:
StatefulSet generation for {{ $labels.namespace }}/{{ $labels.statefulset
}} does not match, this indicates that the StatefulSet has failed but has
not been rolled back.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetgenerationmismatch
summary: StatefulSet generation mismatch due to possible roll-back
expr: |-
kube_statefulset_status_observed_generation{job="kube-state-metrics", namespace=~".*"}
!=
kube_statefulset_metadata_generation{job="kube-state-metrics", namespace=~".*"}
for: 15m
labels:
severity: warning
- alert: KubeStatefulSetUpdateNotRolledOut
annotations:
description:
StatefulSet {{ $labels.namespace }}/{{ $labels.statefulset }} update
has not been rolled out.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubestatefulsetupdatenotrolledout
summary: StatefulSet update has not been rolled out.
expr: |-
(
max by (namespace, statefulset) (
kube_statefulset_status_current_revision{job="kube-state-metrics", namespace=~".*"}
unless
kube_statefulset_status_update_revision{job="kube-state-metrics", namespace=~".*"}
)
*
(
kube_statefulset_replicas{job="kube-state-metrics", namespace=~".*"}
!=
kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}
)
) and (
changes(kube_statefulset_status_replicas_updated{job="kube-state-metrics", namespace=~".*"}[5m])
==
0
)
for: 15m
labels:
severity: warning
- alert: KubeDaemonSetRolloutStuck
annotations:
description:
DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset }} has not
finished or progressed for at least 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetrolloutstuck
summary: DaemonSet rollout is stuck.
expr: |-
(
(
kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"}
!=
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"}
) or (
kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"}
!=
0
) or (
kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"}
!=
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"}
) or (
kube_daemonset_status_number_available{job="kube-state-metrics", namespace=~".*"}
!=
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"}
)
) and (
changes(kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"}[5m])
==
0
)
for: 15m
labels:
severity: warning
- alert: KubeContainerWaiting
annotations:
description:
pod/{{ $labels.pod }} in namespace {{ $labels.namespace }} on container
{{ $labels.container}} has been in waiting state for longer than 1 hour.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecontainerwaiting
summary: Pod container waiting longer than 1 hour
expr:
sum by (namespace, pod, container, cluster) (kube_pod_container_status_waiting_reason{job="kube-state-metrics",
namespace=~".*"}) > 0
for: 1h
labels:
severity: warning
- alert: KubeDaemonSetNotScheduled
annotations:
description:
"{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset
}} are not scheduled."
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetnotscheduled
summary: DaemonSet pods are not scheduled.
expr: |-
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"}
) or ( -
kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"} > 0
for: 10m
labels:
severity: warning
- alert: KubeDaemonSetMisScheduled
annotations:
description:
"{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset
}} are running where they are not supposed to run."
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetmisscheduled
summary: DaemonSet pods are misscheduled.
expr:
kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"} kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"}
!= > 0
0 for: 15m
) or ( labels:
kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"} severity: warning
!= - alert: KubeJobNotCompleted
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} annotations:
) or ( description:
kube_daemonset_status_number_available{job="kube-state-metrics", namespace=~".*"} Job {{ $labels.namespace }}/{{ $labels.job_name }} is taking more
!= than {{ "43200" | humanizeDuration }} to complete.
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobnotcompleted
) summary: Job did not complete in time
) and ( expr: |-
changes(kube_daemonset_status_updated_number_scheduled{job="kube-state-metrics", namespace=~".*"}[5m]) time() - max by (namespace, job_name, cluster) (kube_job_status_start_time{job="kube-state-metrics", namespace=~".*"}
== and
0 kube_job_status_active{job="kube-state-metrics", namespace=~".*"} > 0) > 43200
) labels:
for: 15m severity: warning
labels: - alert: KubeJobFailed
severity: warning annotations:
- alert: KubeContainerWaiting description:
annotations: Job {{ $labels.namespace }}/{{ $labels.job_name }} failed to complete.
description: pod/{{ $labels.pod }} in namespace {{ $labels.namespace }} on container Removing failed job after investigation should clear this alert.
{{ $labels.container}} has been in waiting state for longer than 1 hour. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobfailed
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecontainerwaiting summary: Job failed to complete.
summary: Pod container waiting longer than 1 hour expr: kube_job_failed{job="kube-state-metrics", namespace=~".*"} > 0
expr: sum by (namespace, pod, container, cluster) (kube_pod_container_status_waiting_reason{job="kube-state-metrics", for: 15m
namespace=~".*"}) > 0 labels:
for: 1h severity: warning
labels: - alert: KubeHpaReplicasMismatch
severity: warning annotations:
- alert: KubeDaemonSetNotScheduled description:
annotations: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }}
description: '{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset has not matched the desired number of replicas for longer than 15 minutes.
}} are not scheduled.' runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpareplicasmismatch
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetnotscheduled summary: HPA has not matched desired number of replicas.
summary: DaemonSet pods are not scheduled. expr: |-
expr: |- (kube_horizontalpodautoscaler_status_desired_replicas{job="kube-state-metrics", namespace=~".*"}
kube_daemonset_status_desired_number_scheduled{job="kube-state-metrics", namespace=~".*"} !=
- kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"})
kube_daemonset_status_current_number_scheduled{job="kube-state-metrics", namespace=~".*"} > 0 and
for: 10m (kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
labels: >
severity: warning kube_horizontalpodautoscaler_spec_min_replicas{job="kube-state-metrics", namespace=~".*"})
- alert: KubeDaemonSetMisScheduled and
annotations: (kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
description: '{{ $value }} Pods of DaemonSet {{ $labels.namespace }}/{{ $labels.daemonset <
}} are running where they are not supposed to run.' kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"})
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubedaemonsetmisscheduled and
summary: DaemonSet pods are misscheduled. changes(kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}[15m]) == 0
expr: kube_daemonset_status_number_misscheduled{job="kube-state-metrics", namespace=~".*"} for: 15m
> 0 labels:
for: 15m severity: warning
labels: - alert: KubeHpaMaxedOut
severity: warning annotations:
- alert: KubeJobNotCompleted description:
annotations: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }}
description: Job {{ $labels.namespace }}/{{ $labels.job_name }} is taking more has been running at max replicas for longer than 15 minutes.
than {{ "43200" | humanizeDuration }} to complete. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpamaxedout
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobnotcompleted summary: HPA is running at max replicas
summary: Job did not complete in time expr: |-
expr: |- kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
time() - max by (namespace, job_name, cluster) (kube_job_status_start_time{job="kube-state-metrics", namespace=~".*"} ==
and kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"}
kube_job_status_active{job="kube-state-metrics", namespace=~".*"} > 0) > 43200 for: 15m
labels: labels:
severity: warning severity: warning
- alert: KubeJobFailed
annotations:
description: Job {{ $labels.namespace }}/{{ $labels.job_name }} failed to complete.
Removing failed job after investigation should clear this alert.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubejobfailed
summary: Job failed to complete.
expr: kube_job_failed{job="kube-state-metrics", namespace=~".*"} > 0
for: 15m
labels:
severity: warning
- alert: KubeHpaReplicasMismatch
annotations:
description: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }}
has not matched the desired number of replicas for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpareplicasmismatch
summary: HPA has not matched desired number of replicas.
expr: |-
(kube_horizontalpodautoscaler_status_desired_replicas{job="kube-state-metrics", namespace=~".*"}
!=
kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"})
and
(kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
>
kube_horizontalpodautoscaler_spec_min_replicas{job="kube-state-metrics", namespace=~".*"})
and
(kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
<
kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"})
and
changes(kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}[15m]) == 0
for: 15m
labels:
severity: warning
- alert: KubeHpaMaxedOut
annotations:
description: HPA {{ $labels.namespace }}/{{ $labels.horizontalpodautoscaler }}
has been running at max replicas for longer than 15 minutes.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubehpamaxedout
summary: HPA is running at max replicas
expr: |-
kube_horizontalpodautoscaler_status_current_replicas{job="kube-state-metrics", namespace=~".*"}
==
kube_horizontalpodautoscaler_spec_max_replicas{job="kube-state-metrics", namespace=~".*"}
for: 15m
labels:
severity: warning
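Review bot: the single-quoted `description:` scalars for KubeDaemonSetNotScheduled and KubeDaemonSetMisScheduled (`'{{ $value }} Pods of DaemonSet ...'`) become double-quoted on the right-hand side. That is harmless here because neither string contains a backslash, but double-quoted YAML scalars process `\` escape sequences while single-quoted ones do not, so anyone later pasting a regex or a path into one of these descriptions will get different behaviour than before. Everything else in this hunk is a reflow of `description:` onto an indented continuation line (YAML folds those line breaks into single spaces, so the rendered annotation text is identical), and no `expr`, `for` or `severity` visible here changes. Because a reflow around a `|-` block scalar can silently alter an `expr` if the indentation slips, please run `promtool check rules` against the rewritten file before merging rather than relying on the side-by-side view. Minor: `{{ $labels.container}}` in KubeContainerWaiting lacks the space before `}}` that every other template in this file uses.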
+122 -114
@@ -1,115 +1,123 @@
groups: groups:
- name: kubernetes-resources - name: kubernetes-resources
rules: rules:
- alert: KubeCPUOvercommit - alert: KubeCPUOvercommit
annotations: annotations:
description: Cluster {{ $labels.cluster }} has overcommitted CPU resource requests description:
for Pods by {{ $value }} CPU shares and cannot tolerate node failure. Cluster {{ $labels.cluster }} has overcommitted CPU resource requests
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuovercommit for Pods by {{ $value }} CPU shares and cannot tolerate node failure.
summary: Cluster has overcommitted CPU resource requests. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuovercommit
expr: |- summary: Cluster has overcommitted CPU resource requests.
sum(namespace_cpu:kube_pod_container_resource_requests:sum{}) by (cluster) - (sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0 expr: |-
and sum(namespace_cpu:kube_pod_container_resource_requests:sum{}) by (cluster) - (sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0
(sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0 and
for: 10m (sum(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster) - max(kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"}) by (cluster)) > 0
labels: for: 10m
severity: warning labels:
- alert: KubeMemoryOvercommit severity: warning
annotations: - alert: KubeMemoryOvercommit
description: Cluster {{ $labels.cluster }} has overcommitted memory resource annotations:
requests for Pods by {{ $value | humanize }} bytes and cannot tolerate node description:
failure. Cluster {{ $labels.cluster }} has overcommitted memory resource
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryovercommit requests for Pods by {{ $value | humanize }} bytes and cannot tolerate node
summary: Cluster has overcommitted memory resource requests. failure.
expr: |- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryovercommit
sum(namespace_memory:kube_pod_container_resource_requests:sum{}) by (cluster) - (sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0 summary: Cluster has overcommitted memory resource requests.
and expr: |-
(sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0 sum(namespace_memory:kube_pod_container_resource_requests:sum{}) by (cluster) - (sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0
for: 10m and
labels: (sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) - max(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)) > 0
severity: warning for: 10m
- alert: KubeCPUQuotaOvercommit labels:
annotations: severity: warning
description: Cluster {{ $labels.cluster }} has overcommitted CPU resource requests - alert: KubeCPUQuotaOvercommit
for Namespaces. annotations:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuquotaovercommit description:
summary: Cluster has overcommitted CPU resource requests. Cluster {{ $labels.cluster }} has overcommitted CPU resource requests
expr: |- for Namespaces.
sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(cpu|requests.cpu)"})) by (cluster) runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubecpuquotaovercommit
/ summary: Cluster has overcommitted CPU resource requests.
sum(kube_node_status_allocatable{resource="cpu", job="kube-state-metrics"}) by (cluster) expr: |-
> 1.5 sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(cpu|requests.cpu)"})) by (cluster)
for: 5m /
labels: sum(kube_node_status_allocatable{resource="cpu", job="kube-state-metrics"}) by (cluster)
severity: warning > 1.5
- alert: KubeMemoryQuotaOvercommit for: 5m
annotations: labels:
description: Cluster {{ $labels.cluster }} has overcommitted memory resource severity: warning
requests for Namespaces. - alert: KubeMemoryQuotaOvercommit
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryquotaovercommit annotations:
summary: Cluster has overcommitted memory resource requests. description:
expr: |- Cluster {{ $labels.cluster }} has overcommitted memory resource
sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(memory|requests.memory)"})) by (cluster) requests for Namespaces.
/ runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubememoryquotaovercommit
sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster) summary: Cluster has overcommitted memory resource requests.
> 1.5 expr: |-
for: 5m sum(min without(resource) (kube_resourcequota{job="kube-state-metrics", type="hard", resource=~"(memory|requests.memory)"})) by (cluster)
labels: /
severity: warning sum(kube_node_status_allocatable{resource="memory", job="kube-state-metrics"}) by (cluster)
- alert: KubeQuotaAlmostFull > 1.5
annotations: for: 5m
description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage labels:
}} of its {{ $labels.resource }} quota. severity: warning
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaalmostfull - alert: KubeQuotaAlmostFull
summary: Namespace quota is going to be full. annotations:
expr: |- description:
kube_resourcequota{job="kube-state-metrics", type="used"} Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage
/ ignoring(instance, job, type) }} of its {{ $labels.resource }} quota.
(kube_resourcequota{job="kube-state-metrics", type="hard"} > 0) runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaalmostfull
> 0.9 < 1 summary: Namespace quota is going to be full.
for: 15m expr: |-
labels: kube_resourcequota{job="kube-state-metrics", type="used"}
severity: info / ignoring(instance, job, type)
- alert: KubeQuotaFullyUsed (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
annotations: > 0.9 < 1
description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage for: 15m
}} of its {{ $labels.resource }} quota. labels:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotafullyused severity: info
summary: Namespace quota is fully used. - alert: KubeQuotaFullyUsed
expr: |- annotations:
kube_resourcequota{job="kube-state-metrics", type="used"} description:
/ ignoring(instance, job, type) Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage
(kube_resourcequota{job="kube-state-metrics", type="hard"} > 0) }} of its {{ $labels.resource }} quota.
== 1 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotafullyused
for: 15m summary: Namespace quota is fully used.
labels: expr: |-
severity: info kube_resourcequota{job="kube-state-metrics", type="used"}
- alert: KubeQuotaExceeded / ignoring(instance, job, type)
annotations: (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
description: Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage == 1
}} of its {{ $labels.resource }} quota. for: 15m
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaexceeded labels:
summary: Namespace quota has exceeded the limits. severity: info
expr: |- - alert: KubeQuotaExceeded
kube_resourcequota{job="kube-state-metrics", type="used"} annotations:
/ ignoring(instance, job, type) description:
(kube_resourcequota{job="kube-state-metrics", type="hard"} > 0) Namespace {{ $labels.namespace }} is using {{ $value | humanizePercentage
> 1 }} of its {{ $labels.resource }} quota.
for: 15m runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubequotaexceeded
labels: summary: Namespace quota has exceeded the limits.
severity: warning expr: |-
- alert: CPUThrottlingHigh kube_resourcequota{job="kube-state-metrics", type="used"}
annotations: / ignoring(instance, job, type)
description: '{{ $value | humanizePercentage }} throttling of CPU in namespace (kube_resourcequota{job="kube-state-metrics", type="hard"} > 0)
{{ $labels.namespace }} for container {{ $labels.container }} in pod {{ $labels.pod > 1
}}.' for: 15m
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/cputhrottlinghigh labels:
summary: Processes experience elevated CPU throttling. severity: warning
expr: |- - alert: CPUThrottlingHigh
sum(increase(container_cpu_cfs_throttled_periods_total{container!="", }[5m])) by (cluster, container, pod, namespace) annotations:
/ description:
sum(increase(container_cpu_cfs_periods_total{}[5m])) by (cluster, container, pod, namespace) "{{ $value | humanizePercentage }} throttling of CPU in namespace
> ( 25 / 100 ) {{ $labels.namespace }} for container {{ $labels.container }} in pod {{ $labels.pod
for: 15m }}."
labels: runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/cputhrottlinghigh
severity: info summary: Processes experience elevated CPU throttling.
expr: |-
sum(increase(container_cpu_cfs_throttled_periods_total{container!="", }[5m])) by (cluster, container, pod, namespace)
/
sum(increase(container_cpu_cfs_periods_total{}[5m])) by (cluster, container, pod, namespace)
> ( 25 / 100 )
for: 15m
labels:
severity: info
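Review bot: this hunk is formatting-only churn: every `expr`, `for` and `severity` on the left reappears unchanged on the right, and the only other difference is CPUThrottlingHigh's description switching from single to double quotes, yet it rewrites nearly the whole file (`+122 -114`). These rules match the upstream kubernetes-mixin set (all `runbook_url` values point at runbooks.prometheus-operator.dev), so if a formatter is now being applied after generation, pin that step in the job that regenerates the files; otherwise the next regeneration will flip all of these lines back and bury any real rule change in noise. To confirm the change is a semantic no-op, compare the parsed rule objects of both versions rather than the text, since a textual diff this size is not reviewable by eye.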
+113 -108
@@ -1,109 +1,114 @@
groups: groups:
- name: kubernetes-storage - name: kubernetes-storage
rules: rules:
- alert: KubePersistentVolumeFillingUp - alert: KubePersistentVolumeFillingUp
annotations: annotations:
description: The PersistentVolume claimed by {{ $labels.persistentvolumeclaim description:
}} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster The PersistentVolume claimed by {{ $labels.persistentvolumeclaim
{{ . }} {{- end }} is only {{ $value | humanizePercentage }} free. }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup {{ . }} {{- end }} is only {{ $value | humanizePercentage }} free.
summary: PersistentVolume is filling up. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup
expr: |- summary: PersistentVolume is filling up.
( expr: |-
kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} (
/ kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} /
) < 0.03 kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
and ) < 0.03
kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 and
unless on (cluster, namespace, persistentvolumeclaim) kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0
kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 unless on (cluster, namespace, persistentvolumeclaim)
unless on (cluster, namespace, persistentvolumeclaim) kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1
kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 unless on (cluster, namespace, persistentvolumeclaim)
for: 1m kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1
labels: for: 1m
severity: critical labels:
- alert: KubePersistentVolumeFillingUp severity: critical
annotations: - alert: KubePersistentVolumeFillingUp
description: Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim annotations:
}} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster description:
{{ . }} {{- end }} is expected to fill up within four days. Currently {{ $value Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim
| humanizePercentage }} is available. }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup {{ . }} {{- end }} is expected to fill up within four days. Currently {{ $value
summary: PersistentVolume is filling up. | humanizePercentage }} is available.
expr: |- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumefillingup
( summary: PersistentVolume is filling up.
kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} expr: |-
/ (
kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
) < 0.15 /
and kubelet_volume_stats_capacity_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 ) < 0.15
and and
predict_linear(kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0 kubelet_volume_stats_used_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0
unless on (cluster, namespace, persistentvolumeclaim) and
kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 predict_linear(kubelet_volume_stats_available_bytes{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0
unless on (cluster, namespace, persistentvolumeclaim) unless on (cluster, namespace, persistentvolumeclaim)
kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1
for: 1h unless on (cluster, namespace, persistentvolumeclaim)
labels: kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1
severity: warning for: 1h
- alert: KubePersistentVolumeInodesFillingUp labels:
annotations: severity: warning
description: The PersistentVolume claimed by {{ $labels.persistentvolumeclaim - alert: KubePersistentVolumeInodesFillingUp
}} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster annotations:
{{ . }} {{- end }} only has {{ $value | humanizePercentage }} free inodes. description:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup The PersistentVolume claimed by {{ $labels.persistentvolumeclaim
summary: PersistentVolumeInodes are filling up. }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster
expr: |- {{ . }} {{- end }} only has {{ $value | humanizePercentage }} free inodes.
( runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup
kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} summary: PersistentVolumeInodes are filling up.
/ expr: |-
kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} (
) < 0.03 kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}
and /
kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
unless on (cluster, namespace, persistentvolumeclaim) ) < 0.03
kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 and
unless on (cluster, namespace, persistentvolumeclaim) kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0
kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 unless on (cluster, namespace, persistentvolumeclaim)
for: 1m kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1
labels: unless on (cluster, namespace, persistentvolumeclaim)
severity: critical kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1
- alert: KubePersistentVolumeInodesFillingUp for: 1m
annotations: labels:
description: Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim severity: critical
}} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster - alert: KubePersistentVolumeInodesFillingUp
{{ . }} {{- end }} is expected to run out of inodes within four days. Currently annotations:
{{ $value | humanizePercentage }} of its inodes are free. description:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup Based on recent sampling, the PersistentVolume claimed by {{ $labels.persistentvolumeclaim
summary: PersistentVolumeInodes are filling up. }} in Namespace {{ $labels.namespace }} {{ with $labels.cluster -}} on Cluster
expr: |- {{ . }} {{- end }} is expected to run out of inodes within four days. Currently
( {{ $value | humanizePercentage }} of its inodes are free.
kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"} runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeinodesfillingup
/ summary: PersistentVolumeInodes are filling up.
kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"} expr: |-
) < 0.15 (
and kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}
kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0 /
and kubelet_volume_stats_inodes{job="kubelet", namespace=~".*", metrics_path="/metrics"}
predict_linear(kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0 ) < 0.15
unless on (cluster, namespace, persistentvolumeclaim) and
kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1 kubelet_volume_stats_inodes_used{job="kubelet", namespace=~".*", metrics_path="/metrics"} > 0
unless on (cluster, namespace, persistentvolumeclaim) and
kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1 predict_linear(kubelet_volume_stats_inodes_free{job="kubelet", namespace=~".*", metrics_path="/metrics"}[6h], 4 * 24 * 3600) < 0
for: 1h unless on (cluster, namespace, persistentvolumeclaim)
labels: kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"} == 1
severity: warning unless on (cluster, namespace, persistentvolumeclaim)
- alert: KubePersistentVolumeErrors kube_persistentvolumeclaim_labels{label_excluded_from_alerts="true"} == 1
annotations: for: 1h
description: The persistent volume {{ $labels.persistentvolume }} {{ with $labels.cluster labels:
-}} on Cluster {{ . }} {{- end }} has status {{ $labels.phase }}. severity: warning
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeerrors - alert: KubePersistentVolumeErrors
summary: PersistentVolume is having issues with provisioning. annotations:
expr: kube_persistentvolume_status_phase{phase=~"Failed|Pending",job="kube-state-metrics"} description:
> 0 The persistent volume {{ $labels.persistentvolume }} {{ with $labels.cluster
for: 5m -}} on Cluster {{ . }} {{- end }} has status {{ $labels.phase }}.
labels: runbook_url: https://runbooks.prometheus-operator.dev/runbooks/kubernetes/kubepersistentvolumeerrors
severity: critical summary: PersistentVolume is having issues with provisioning.
expr:
kube_persistentvolume_status_phase{phase=~"Failed|Pending",job="kube-state-metrics"}
> 0
for: 5m
labels:
severity: critical
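Review bot: The edits in this hunk are layout-only (the `description:` and `expr:` values of KubePersistentVolumeFillingUp, both KubePersistentVolumeInodesFillingUp rules and KubePersistentVolumeErrors move onto continuation lines), so the parsed rule set should be identical; please confirm that with `promtool check rules` or by diffing the parsed YAML before merging. One thing to watch in the KubePersistentVolumeErrors expression, which is now a three-line plain scalar ending in `> 0`: YAML folds those line breaks into single spaces, which PromQL accepts, but a `>` at the very start of the scalar would be read as a folded-block indicator, so the first line has to stay `kube_persistentvolume_status_phase{phase=~"Failed|Pending",job="kube-state-metrics"}` as it does here. Unrelated to this change but worth a follow-up: `kube_persistentvolumeclaim_access_mode{ access_mode="ReadOnlyMany"}` carries a stray space after the brace in all four selectors, and `namespace=~".*"` is a no-op matcher that could be dropped.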
+366 -339
@@ -1,340 +1,367 @@
groups: groups:
- name: node-exporter - name: node-exporter
rules: rules:
- alert: NodeFilesystemSpaceFillingUp - alert: NodeFilesystemSpaceFillingUp
annotations: annotations:
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint description:
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
space left and is filling up. }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup space left and is filling up.
summary: Filesystem is predicted to run out of space within the next 24 hours. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup
expr: |- summary: Filesystem is predicted to run out of space within the next 24 hours.
( expr: |-
node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 15 (
and node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 15
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0 and
and predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 and
) node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
for: 1h )
labels: for: 1h
severity: warning labels:
- alert: NodeFilesystemSpaceFillingUp severity: warning
annotations: - alert: NodeFilesystemSpaceFillingUp
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint annotations:
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available description:
space left and is filling up fast. Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
summary: Filesystem is predicted to run out of space within the next 4 hours. space left and is filling up fast.
expr: |- runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemspacefillingup
( summary: Filesystem is predicted to run out of space within the next 4 hours.
node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 10 expr: |-
and (
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0 node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 10
and and
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0
) and
for: 1h node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
labels: )
severity: critical for: 1h
- alert: NodeFilesystemAlmostOutOfSpace labels:
annotations: severity: critical
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint - alert: NodeFilesystemAlmostOutOfSpace
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available annotations:
space left. description:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
summary: Filesystem has less than 5% space left. }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
expr: |- space left.
( runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace
node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5 summary: Filesystem has less than 5% space left.
and expr: |-
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 (
) node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5
for: 30m and
labels: node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
severity: warning )
- alert: NodeFilesystemAlmostOutOfSpace for: 30m
annotations: labels:
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint severity: warning
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available - alert: NodeFilesystemAlmostOutOfSpace
space left. annotations:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace description:
summary: Filesystem has less than 3% space left. Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
expr: |- }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
( space left.
node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutofspace
and summary: Filesystem has less than 3% space left.
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 expr: |-
) (
for: 30m node_filesystem_avail_bytes{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3
labels: and
severity: critical node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
- alert: NodeFilesystemFilesFillingUp )
annotations: for: 30m
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint labels:
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available severity: critical
inodes left and is filling up. - alert: NodeFilesystemFilesFillingUp
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup annotations:
summary: Filesystem is predicted to run out of inodes within the next 24 hours. description:
expr: |- Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
( }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 40 inodes left and is filling up.
and runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup
predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0 summary: Filesystem is predicted to run out of inodes within the next 24 hours.
and expr: |-
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 (
) node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 40
for: 1h and
labels: predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 24*60*60) < 0
severity: warning and
- alert: NodeFilesystemFilesFillingUp node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
annotations: )
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint for: 1h
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available labels:
inodes left and is filling up fast. severity: warning
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup - alert: NodeFilesystemFilesFillingUp
summary: Filesystem is predicted to run out of inodes within the next 4 hours. annotations:
expr: |- description:
( Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 20 }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
and inodes left and is filling up fast.
predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemfilesfillingup
and summary: Filesystem is predicted to run out of inodes within the next 4 hours.
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 expr: |-
) (
for: 1h node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 20
labels: and
severity: critical predict_linear(node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""}[6h], 4*60*60) < 0
- alert: NodeFilesystemAlmostOutOfFiles and
annotations: node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint )
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available for: 1h
inodes left. labels:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles severity: critical
summary: Filesystem has less than 5% inodes left. - alert: NodeFilesystemAlmostOutOfFiles
expr: |- annotations:
( description:
node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5 Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
and }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 inodes left.
) runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles
for: 1h summary: Filesystem has less than 5% inodes left.
labels: expr: |-
severity: warning (
- alert: NodeFilesystemAlmostOutOfFiles node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 5
annotations: and
description: Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
}}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available )
inodes left. for: 1h
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles labels:
summary: Filesystem has less than 3% inodes left. severity: warning
expr: |- - alert: NodeFilesystemAlmostOutOfFiles
( annotations:
node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3 description:
and Filesystem on {{ $labels.device }}, mounted on {{ $labels.mountpoint
node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0 }}, at {{ $labels.instance }} has only {{ printf "%.2f" $value }}% available
) inodes left.
for: 1h runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefilesystemalmostoutoffiles
labels: summary: Filesystem has less than 3% inodes left.
severity: critical expr: |-
- alert: NodeNetworkReceiveErrs (
annotations: node_filesystem_files_free{job="node-exporter",fstype!="",mountpoint!=""} / node_filesystem_files{job="node-exporter",fstype!="",mountpoint!=""} * 100 < 3
description: '{{ $labels.instance }} interface {{ $labels.device }} has encountered and
{{ printf "%.0f" $value }} receive errors in the last two minutes.' node_filesystem_readonly{job="node-exporter",fstype!="",mountpoint!=""} == 0
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworkreceiveerrs )
summary: Network interface is reporting many receive errors. for: 1h
expr: rate(node_network_receive_errs_total{job="node-exporter"}[2m]) / rate(node_network_receive_packets_total{job="node-exporter"}[2m]) labels:
> 0.01 severity: critical
for: 1h - alert: NodeNetworkReceiveErrs
labels: annotations:
severity: warning description:
- alert: NodeNetworkTransmitErrs '{{ $labels.instance }} interface {{ $labels.device }} has encountered
annotations: {{ printf "%.0f" $value }} receive errors in the last two minutes.'
description: '{{ $labels.instance }} interface {{ $labels.device }} has encountered runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworkreceiveerrs
{{ printf "%.0f" $value }} transmit errors in the last two minutes.' summary: Network interface is reporting many receive errors.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworktransmiterrs expr:
summary: Network interface is reporting many transmit errors. rate(node_network_receive_errs_total{job="node-exporter"}[2m]) / rate(node_network_receive_packets_total{job="node-exporter"}[2m])
expr: rate(node_network_transmit_errs_total{job="node-exporter"}[2m]) / rate(node_network_transmit_packets_total{job="node-exporter"}[2m]) > 0.01
> 0.01 for: 1h
for: 1h labels:
labels: severity: warning
severity: warning - alert: NodeNetworkTransmitErrs
- alert: NodeHighNumberConntrackEntriesUsed annotations:
annotations: description:
description: '{{ $value | humanizePercentage }} of conntrack entries are used.' '{{ $labels.instance }} interface {{ $labels.device }} has encountered
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodehighnumberconntrackentriesused {{ printf "%.0f" $value }} transmit errors in the last two minutes.'
summary: Number of conntrack are getting close to the limit. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodenetworktransmiterrs
expr: (node_nf_conntrack_entries{job="node-exporter"} / node_nf_conntrack_entries_limit) summary: Network interface is reporting many transmit errors.
> 0.75 expr:
labels: rate(node_network_transmit_errs_total{job="node-exporter"}[2m]) / rate(node_network_transmit_packets_total{job="node-exporter"}[2m])
severity: warning > 0.01
- alert: NodeTextFileCollectorScrapeError for: 1h
annotations: labels:
description: Node Exporter text file collector on {{ $labels.instance }} failed severity: warning
to scrape. - alert: NodeHighNumberConntrackEntriesUsed
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodetextfilecollectorscrapeerror annotations:
summary: Node Exporter text file collector failed to scrape. description: "{{ $value | humanizePercentage }} of conntrack entries are used."
expr: node_textfile_scrape_error{job="node-exporter"} == 1 runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodehighnumberconntrackentriesused
labels: summary: Number of conntrack are getting close to the limit.
severity: warning expr:
- alert: NodeClockSkewDetected (node_nf_conntrack_entries{job="node-exporter"} / node_nf_conntrack_entries_limit)
annotations: > 0.75
description: Clock at {{ $labels.instance }} is out of sync by more than 0.05s. labels:
Ensure NTP is configured correctly on this host. severity: warning
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected - alert: NodeTextFileCollectorScrapeError
summary: Clock skew detected. annotations:
expr: |- description:
( Node Exporter text file collector on {{ $labels.instance }} failed
node_timex_offset_seconds{job="node-exporter"} > 0.05 to scrape.
and runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodetextfilecollectorscrapeerror
deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) >= 0 summary: Node Exporter text file collector failed to scrape.
) expr: node_textfile_scrape_error{job="node-exporter"} == 1
or labels:
( severity: warning
node_timex_offset_seconds{job="node-exporter"} < -0.05 - alert: NodeClockSkewDetected
and annotations:
deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) <= 0 description:
) Clock at {{ $labels.instance }} is out of sync by more than 0.05s.
for: 10m Ensure NTP is configured correctly on this host.
labels: runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclockskewdetected
severity: warning summary: Clock skew detected.
- alert: NodeClockNotSynchronising expr: |-
annotations: (
description: Clock at {{ $labels.instance }} is not synchronising. Ensure NTP node_timex_offset_seconds{job="node-exporter"} > 0.05
is configured on this host. and
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclocknotsynchronising deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) >= 0
summary: Clock not synchronising. )
expr: |- or
min_over_time(node_timex_sync_status{job="node-exporter"}[5m]) == 0 (
and node_timex_offset_seconds{job="node-exporter"} < -0.05
node_timex_maxerror_seconds{job="node-exporter"} >= 16 and
for: 10m deriv(node_timex_offset_seconds{job="node-exporter"}[5m]) <= 0
labels: )
severity: warning for: 10m
- alert: NodeRAIDDegraded labels:
annotations: severity: warning
description: RAID array '{{ $labels.device }}' at {{ $labels.instance }} is - alert: NodeClockNotSynchronising
in degraded state due to one or more disks failures. Number of spare drives annotations:
is insufficient to fix issue automatically. description:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddegraded Clock at {{ $labels.instance }} is not synchronising. Ensure NTP
summary: RAID Array is degraded. is configured on this host.
expr: node_md_disks_required{job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"} runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodeclocknotsynchronising
- ignoring (state) (node_md_disks{state="active",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}) summary: Clock not synchronising.
> 0 expr: |-
for: 15m min_over_time(node_timex_sync_status{job="node-exporter"}[5m]) == 0
labels: and
severity: critical node_timex_maxerror_seconds{job="node-exporter"} >= 16
- alert: NodeRAIDDiskFailure for: 10m
annotations: labels:
description: At least one device in RAID array at {{ $labels.instance }} failed. severity: warning
Array '{{ $labels.device }}' needs attention and possibly a disk swap. - alert: NodeRAIDDegraded
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddiskfailure annotations:
summary: Failed device in RAID array. description:
expr: node_md_disks{state="failed",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"} RAID array '{{ $labels.device }}' at {{ $labels.instance }} is
> 0 in degraded state due to one or more disks failures. Number of spare drives
labels: is insufficient to fix issue automatically.
severity: warning runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddegraded
- alert: NodeFileDescriptorLimit summary: RAID Array is degraded.
annotations: expr:
description: File descriptors limit at {{ $labels.instance }} is currently at node_md_disks_required{job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}
{{ printf "%.2f" $value }}%. - ignoring (state) (node_md_disks{state="active",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"})
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit > 0
summary: Kernel is predicted to exhaust file descriptors limit soon. for: 15m
expr: |- labels:
( severity: critical
node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 70 - alert: NodeRAIDDiskFailure
) annotations:
for: 15m description:
labels: At least one device in RAID array at {{ $labels.instance }} failed.
severity: warning Array '{{ $labels.device }}' needs attention and possibly a disk swap.
- alert: NodeFileDescriptorLimit runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/noderaiddiskfailure
annotations: summary: Failed device in RAID array.
description: File descriptors limit at {{ $labels.instance }} is currently at expr:
{{ printf "%.2f" $value }}%. node_md_disks{state="failed",job="node-exporter",device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit > 0
summary: Kernel is predicted to exhaust file descriptors limit soon. labels:
expr: |- severity: warning
( - alert: NodeFileDescriptorLimit
node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 90 annotations:
) description:
for: 15m File descriptors limit at {{ $labels.instance }} is currently at
labels: {{ printf "%.2f" $value }}%.
severity: critical runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit
- alert: NodeCPUHighUsage summary: Kernel is predicted to exhaust file descriptors limit soon.
annotations: expr: |-
description: | (
CPU usage at {{ $labels.instance }} has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%. node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 70
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodecpuhighusage )
summary: High CPU usage. for: 15m
expr: sum without(mode) (avg without (cpu) (rate(node_cpu_seconds_total{job="node-exporter", labels:
mode!="idle"}[2m]))) * 100 > 90 severity: warning
for: 15m - alert: NodeFileDescriptorLimit
labels: annotations:
severity: info description:
- alert: NodeSystemSaturation File descriptors limit at {{ $labels.instance }} is currently at
annotations: {{ printf "%.2f" $value }}%.
description: | runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodefiledescriptorlimit
System load per core at {{ $labels.instance }} has been above 2 for the last 15 minutes, is currently at {{ printf "%.2f" $value }}. summary: Kernel is predicted to exhaust file descriptors limit soon.
This might indicate this instance resources saturation and can cause it becoming unresponsive. expr: |-
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemsaturation (
summary: System saturated, load per core is very high. node_filefd_allocated{job="node-exporter"} * 100 / node_filefd_maximum{job="node-exporter"} > 90
expr: |- )
node_load1{job="node-exporter"} for: 15m
/ count without (cpu, mode) (node_cpu_seconds_total{job="node-exporter", mode="idle"}) > 2 labels:
for: 15m severity: critical
labels: - alert: NodeCPUHighUsage
severity: warning annotations:
- alert: NodeMemoryMajorPagesFaults description: |
annotations: CPU usage at {{ $labels.instance }} has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%.
description: | runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodecpuhighusage
Memory major pages are occurring at very high rate at {{ $labels.instance }}, 500 major page faults per second for the last 15 minutes, is currently at {{ printf "%.2f" $value }}. summary: High CPU usage.
Please check that there is enough memory available at this instance. expr:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememorymajorpagesfaults sum without(mode) (avg without (cpu) (rate(node_cpu_seconds_total{job="node-exporter",
summary: Memory major page faults are occurring at very high rate. mode!="idle"}[2m]))) * 100 > 90
expr: rate(node_vmstat_pgmajfault{job="node-exporter"}[5m]) > 500 for: 15m
for: 15m labels:
labels: severity: info
severity: warning - alert: NodeSystemSaturation
- alert: NodeMemoryHighUtilization annotations:
annotations: description: |
description: | System load per core at {{ $labels.instance }} has been above 2 for the last 15 minutes, is currently at {{ printf "%.2f" $value }}.
Memory is filling up at {{ $labels.instance }}, has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%. This might indicate this instance resources saturation and can cause it becoming unresponsive.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememoryhighutilization runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemsaturation
summary: Host is running out of memory. summary: System saturated, load per core is very high.
expr: 100 - (node_memory_MemAvailable_bytes{job="node-exporter"} / node_memory_MemTotal_bytes{job="node-exporter"} expr: |-
* 100) > 90 node_load1{job="node-exporter"}
for: 15m / count without (cpu, mode) (node_cpu_seconds_total{job="node-exporter", mode="idle"}) > 2
labels: for: 15m
severity: warning labels:
- alert: NodeDiskIOSaturation severity: warning
annotations: - alert: NodeMemoryMajorPagesFaults
description: | annotations:
Disk IO queue (aqu-sq) is high on {{ $labels.device }} at {{ $labels.instance }}, has been above 10 for the last 30 minutes, is currently at {{ printf "%.2f" $value }}. description: |
This symptom might indicate disk saturation. Memory major pages are occurring at very high rate at {{ $labels.instance }}, 500 major page faults per second for the last 15 minutes, is currently at {{ printf "%.2f" $value }}.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodediskiosaturation Please check that there is enough memory available at this instance.
summary: Disk IO queue is high. runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememorymajorpagesfaults
expr: rate(node_disk_io_time_weighted_seconds_total{job="node-exporter", device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m]) summary: Memory major page faults are occurring at very high rate.
> 10 expr: rate(node_vmstat_pgmajfault{job="node-exporter"}[5m]) > 500
for: 30m for: 15m
labels: labels:
severity: warning severity: warning
- alert: NodeSystemdServiceFailed - alert: NodeMemoryHighUtilization
annotations: annotations:
description: Systemd service {{ $labels.name }} has entered failed state at description: |
{{ $labels.instance }} Memory is filling up at {{ $labels.instance }}, has been above 90% for the last 15 minutes, is currently at {{ printf "%.2f" $value }}%.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemdservicefailed runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodememoryhighutilization
summary: Systemd service has entered failed state. summary: Host is running out of memory.
expr: node_systemd_unit_state{job="node-exporter", state="failed"} == 1 expr:
for: 5m 100 - (node_memory_MemAvailable_bytes{job="node-exporter"} / node_memory_MemTotal_bytes{job="node-exporter"}
labels: * 100) > 90
severity: warning for: 15m
- alert: NodeBondingDegraded labels:
annotations: severity: warning
description: Bonding interface {{ $labels.master }} on {{ $labels.instance }} - alert: NodeDiskIOSaturation
is in degraded state due to one or more slave failures. annotations:
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodebondingdegraded description: |
summary: Bonding interface is degraded Disk IO queue (aqu-sq) is high on {{ $labels.device }} at {{ $labels.instance }}, has been above 10 for the last 30 minutes, is currently at {{ printf "%.2f" $value }}.
expr: (node_bonding_slaves - node_bonding_active) != 0 This symptom might indicate disk saturation.
for: 5m runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodediskiosaturation
labels: summary: Disk IO queue is high.
severity: warning expr:
rate(node_disk_io_time_weighted_seconds_total{job="node-exporter", device=~"(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dm-.+|md.+|dasd.+)"}[5m])
> 10
for: 30m
labels:
severity: warning
- alert: NodeSystemdServiceFailed
annotations:
description:
Systemd service {{ $labels.name }} has entered failed state at
{{ $labels.instance }}
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodesystemdservicefailed
summary: Systemd service has entered failed state.
expr: node_systemd_unit_state{job="node-exporter", state="failed"} == 1
for: 5m
labels:
severity: warning
- alert: NodeBondingDegraded
annotations:
description:
Bonding interface {{ $labels.master }} on {{ $labels.instance }}
is in degraded state due to one or more slave failures.
runbook_url: https://runbooks.prometheus-operator.dev/runbooks/node/nodebondingdegraded
summary: Bonding interface is degraded
expr: (node_bonding_slaves - node_bonding_active) != 0
for: 5m
labels:
severity: warning
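Review bot: the scalar styles in this reflow are inconsistent: NodeSystemSaturation gets `expr: |-`, while NodeMemoryHighUtilization and NodeDiskIOSaturation get a bare `expr:` with the PromQL on the following lines, and `description:` switches between `|` and plain. Both forms parse (a literal block keeps newlines, a plain scalar folds them to spaces, and PromQL accepts either), but mixing them in one file guarantees churn on the next formatter run. Pick one style for `expr` and run `promtool check rules` on the result before merging. Every rule here still carries its runbooks.prometheus-operator.dev runbook_url, so this looks like a vendored copy of the upstream node-exporter rules; reflowing a vendored copy by hand will make the next upstream sync a noisy diff, so re-sync from upstream instead.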
+75 -69
@@ -1,70 +1,76 @@
groups: groups:
- name: node-resource-utilization.rules - name: node-resource-utilization.rules
rules: rules:
- alert: HostHighCpuLoad - alert: HostHighCpuLoad
annotations: annotations:
description: |- description: |-
CPU load is > 90% CPU load is > 90%
VALUE = {{ $value }} VALUE = {{ $value }}
LABELS = {{ $labels }} LABELS = {{ $labels }}
summary: Host high CPU load (instance {{ $labels.instance }}) summary: Host high CPU load (instance {{ $labels.instance }})
expr: (sum by (instance) (avg by (mode, instance) (rate(node_cpu_seconds_total{mode!="idle"}[2m]))) expr:
> 0.9) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"} (sum by (instance) (avg by (mode, instance) (rate(node_cpu_seconds_total{mode!="idle"}[2m])))
for: 10m > 0.9) * on(instance) group_left (nodename) node_uname_info{nodename=~".+"}
labels: for: 10m
severity: critical labels:
- alert: MemoryUtilizationHighWarning severity: critical
annotations: - alert: MemoryUtilizationHighWarning
dashboard: https://grafana.ads1.itpartner.no/explore?orgId=1&left=%7B%22datasource%22:%22Prometheus%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22instant%22:true,%22range%22:true,%22exemplar%22:false,%22expr%22:%22topk(10,%20sum(container_memory_usage_bytes%7Bcontainer!%3D%5C%22%5C%22,%20container!%3D%5C%22POD%5{ annotations:
$labels.instance }}%5C%22%7D)%20by%20(container,%20pod,%20namespace))%22%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D dashboard:
description: Node {{ $labels.instance }} has less than 10% available memory. https://grafana.ads1.itpartner.no/explore?orgId=1&left=%7B%22datasource%22:%22Prometheus%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22instant%22:true,%22range%22:true,%22exemplar%22:false,%22expr%22:%22topk(10,%20sum(container_memory_usage_bytes%7Bcontainer!%3D%5C%22%5C%22,%20container!%3D%5C%22POD%5{
summary: Node Memory utilization warning $labels.instance }}%5C%22%7D)%20by%20(container,%20pod,%20namespace))%22%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D
expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10 description: Node {{ $labels.instance }} has less than 10% available memory.
for: 5m summary: Node Memory utilization warning
labels: expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 10
severity: critical for: 5m
- alert: MemoryUtilizationHighCritical labels:
annotations: severity: critical
dashboard: https://grafana.ads1.itpartner.no/explore?orgId=1&left=%7B%22datasource%22:%22Prometheus%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22instant%22:true,%22range%22:true,%22exemplar%22:false,%22expr%22:%22topk(10,%20sum(container_memory_usage_bytes%7Bcontainer!%3D%5C%22%5C%22,%20container!%3D%5C%22POD%5{ - alert: MemoryUtilizationHighCritical
$labels.instance }}%5C%22%7D)%20by%20(container,%20pod,%20namespace))%22%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D annotations:
description: Node {{ $labels.instance }} has less than 5% available memory. dashboard:
summary: Node Memory utilization critical https://grafana.ads1.itpartner.no/explore?orgId=1&left=%7B%22datasource%22:%22Prometheus%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22instant%22:true,%22range%22:true,%22exemplar%22:false,%22expr%22:%22topk(10,%20sum(container_memory_usage_bytes%7Bcontainer!%3D%5C%22%5C%22,%20container!%3D%5C%22POD%5{
expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 5 $labels.instance }}%5C%22%7D)%20by%20(container,%20pod,%20namespace))%22%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D
for: 1m description: Node {{ $labels.instance }} has less than 5% available memory.
labels: summary: Node Memory utilization critical
severity: critical expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes * 100 < 5
- alert: NodeNotReady for: 1m
annotations: labels:
description: Node {{ $labels.node }} has CPU utilization over 90%. severity: critical
summary: Node has been in not-ready state for longer than 3 minutes - alert: NodeNotReady
expr: (sum(max_over_time(kube_node_status_condition{condition="Ready",status="true"}[3m]) annotations:
<= 0) by (node)) or (absent(kube_node_status_condition{condition="Ready",status="true"})) description: Node {{ $labels.node }} has CPU utilization over 90%.
> 0 summary: Node has been in not-ready state for longer than 3 minutes
for: 5m expr:
labels: (sum(max_over_time(kube_node_status_condition{condition="Ready",status="true"}[3m])
severity: critical <= 0) by (node)) or (absent(kube_node_status_condition{condition="Ready",status="true"}))
- alert: KubernetesNodeMemoryPressure > 0
annotations: for: 5m
description: |- labels:
Node {{ $labels.node }} has MemoryPressure condition severity: critical
VALUE = {{ $value }} - alert: KubernetesNodeMemoryPressure
LABELS = {{ $labels }} annotations:
summary: Kubernetes Node memory pressure (instance {{ $labels.instance }}) description: |-
expr: kube_node_status_condition{condition="MemoryPressure",status="true"} == Node {{ $labels.node }} has MemoryPressure condition
1 VALUE = {{ $value }}
for: 2m LABELS = {{ $labels }}
labels: summary: Kubernetes Node memory pressure (instance {{ $labels.instance }})
severity: critical expr:
- alert: KubernetesContainerOomKiller kube_node_status_condition{condition="MemoryPressure",status="true"} ==
annotations: 1
description: |- for: 2m
Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes. labels:
VALUE = {{ $value }} severity: critical
LABELS = {{ $labels }} - alert: KubernetesContainerOomKiller
summary: Kubernetes Container oom killer (instance {{ $labels.instance }}) annotations:
expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total description: |-
offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.
== 1 VALUE = {{ $value }}
for: 0m LABELS = {{ $labels }}
labels: summary: Kubernetes Container oom killer (instance {{ $labels.instance }})
severity: warning expr:
(kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total
offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m])
== 1
for: 0m
labels:
severity: warning
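Review bot: NodeNotReady's description reads "Node {{ $labels.node }} has CPU utilization over 90%." while its summary and expr are about the Ready condition; that is a copy-paste from HostHighCpuLoad and should be fixed in this hunk rather than reflowed. Two more things worth touching while here: MemoryUtilizationHighWarning is labelled `severity: critical` despite its name and summary ("warning"), and the `dashboard:` annotation is wrapped mid-template, leaving `%5{` at the end of one line and `$labels.instance }}` at the start of the next, so the folded scalar no longer contains a `{{ ... }}` action and the link will not carry the instance; put the URL on one line or use a `>-` folded scalar and check the rendered annotation in Alertmanager. Note also that MemoryUtilizationHighWarning (available < 10% for 5m) overlaps with NodeMemoryHighUtilization (used > 90% for 15m) from the node-exporter rules in the same change, so one node low on memory will page twice.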
+24 -20
@@ -1,21 +1,25 @@
groups: groups:
- name: velero - name: velero
rules: rules:
- alert: VeleroBackupPartialFailures - alert: VeleroBackupPartialFailures
annotations: annotations:
message: Velero backup {{ $labels.schedule }} has {{$value | humanizePercentage}} partialy message:
failed backups. Velero backup {{ $labels.schedule }} has {{$value | humanizePercentage}} partialy
expr: velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} failed backups.
> 0.25 expr:
for: 15m velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""}
labels: > 0.25
severity: critical for: 15m
- alert: VeleroBackupFailures labels:
annotations: severity: critical
message: Velero backup {{$labels.schedule}} has {{$value | humanizePercentage}} failed - alert: VeleroBackupFailures
backups. annotations:
expr: velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} message:
> 0.25 Velero backup {{$labels.schedule}} has {{$value | humanizePercentage}} failed
for: 15m backups.
labels: expr:
severity: critical velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""}
> 0.25
for: 15m
labels:
severity: critical
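Review bot: "partialy" in both message annotations should be "partially"; fix it while the lines are being reflowed. More substantively, both exprs divide cumulative counters (`velero_backup_partial_failure_total` / `velero_backup_attempt_total`) that only reset when the exporter restarts, so a single partial failure early in the process lifetime keeps the ratio above 0.25 until enough later successes dilute it, and an old failure can page for days. Wrapping both sides in `increase(...[24h])` (or whatever window matches the schedule cadence) makes the alert reflect recent backups. Also note that when `velero_backup_attempt_total` is 0 the ratio is NaN and the alert is silent, which is acceptable but should be stated in the message.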
+51 -45
@@ -1,46 +1,52 @@
groups: groups:
- name: x509-certificate-exporter.rules - name: x509-certificate-exporter.rules
rules: rules:
- alert: X509ExporterReadErrors - alert: X509ExporterReadErrors
annotations: annotations:
description: Over the last 15 minutes, this x509-certificate-exporter instance description:
has experienced errors reading certificate files or querying the Kubernetes Over the last 15 minutes, this x509-certificate-exporter instance
API. This could be caused by a misconfiguration if triggered when the exporter has experienced errors reading certificate files or querying the Kubernetes
starts. API. This could be caused by a misconfiguration if triggered when the exporter
summary: Increasing read errors for x509-certificate-exporter starts.
expr: delta(x509_read_errors[15m]) > 0 summary: Increasing read errors for x509-certificate-exporter
for: 5m expr: delta(x509_read_errors[15m]) > 0
labels: for: 5m
severity: warning labels:
- alert: CertificateError severity: warning
annotations: - alert: CertificateError
description: Certificate could not be decoded {{if $labels.secret_name }} in annotations:
Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at description:
location "{{ $labels.filepath }}"{{end}} Certificate could not be decoded {{if $labels.secret_name }} in
summary: Certificate cannot be decoded Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at
expr: x509_cert_error > 0 location "{{ $labels.filepath }}"{{end}}
for: 15m summary: Certificate cannot be decoded
labels: expr: x509_cert_error > 0
severity: warning for: 15m
- alert: CertificateRenewal labels:
annotations: severity: warning
description: Certificate for "{{ $labels.subject_CN }}" should be renewed {{if - alert: CertificateRenewal
$labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{ annotations:
$labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}} description:
summary: Certificate should be renewed Certificate for "{{ $labels.subject_CN }}" should be renewed {{if
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{
issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28 $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}}
for: 15m summary: Certificate should be renewed
labels: expr:
severity: warning ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="",
- alert: CertificateExpiration issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
annotations: for: 15m
description: Certificate for "{{ $labels.subject_CN }}" is about to expire {{if labels:
$labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{ severity: warning
$labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}} - alert: CertificateExpiration
summary: Certificate is about to expire annotations:
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", description:
issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14 Certificate for "{{ $labels.subject_CN }}" is about to expire {{if
for: 15m $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{
labels: $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}}
severity: critical summary: Certificate is about to expire
expr:
((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="",
issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
for: 15m
labels:
severity: critical
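Review bot: the CertificateRenewal and CertificateExpiration selectors include `issuer_O=""`, which restricts both alerts to certificates whose issuer has no Organization label; any certificate issued by a CA that sets an issuer O is silently excluded from expiry alerting, not just the two linkerd cases named by `secret_name!="linkerd-identity-issuer"` and `issuer_CN!="webhook.linkerd.cluster.local"`. If the intent is to skip automatically renewed certificates, say so in a comment and prefer a positive match on the issuers you do want to watch, so that a newly added CA does not drop out of coverage unnoticed. Also, `delta()` in X509ExporterReadErrors is meant for gauges; `x509_read_errors` looks like a counter, so `increase(x509_read_errors[15m]) > 0` is the more accurate form.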
+48 -21
@@ -6,35 +6,62 @@ let
config = { }; config = { };
overlays = [ ]; overlays = [ ];
}; };
checks = import ./nix/checks.nix;
in in
pkgs.mkShellNoCC { pkgs.mkShellNoCC {
name = "clstr"; name = "clstr";
packages = with pkgs; [ packages =
just with pkgs;
npins [
# dev tools
just
npins
# helm # helm
helmfile helmfile
kubernetes-helm kubernetes-helm
# kubectl tools # kubectl tools
kubectl-cnpg kubectl-cnpg
kubectl-neat kubectl-neat
kubelogin kubelogin
kubelogin-oidc kubelogin-oidc
kubectl-rook-ceph kubectl-rook-ceph
kubectl-graph
kubectl-klock
graphviz
# other tools # other tools activate when needed
step-cli # step-cli
linkerd # linkerd
velero # cmctl
cmctl # rclone
# velero
# renovate
# dapr # dapr
dapr-cli dapr-cli
]
++ checks.enabledPackages;
# Environment variables
ARGOCD_ENV_CLUSTER_NAME = "hel1";
HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
shellHook = builtins.concatStringsSep "\n" [
checks.shellHook
]; ];
ARGOCD_ENV_CLUSTER_NAME = "rossby"; # Alternative shells
HELM_GIT_ACCESS_TOKEN = "glpat-xxx"; passthru = pkgs.lib.mapAttrs (name: value: pkgs.mkShellNoCC (value // { inherit name; })) {
ci-shell = {
packages = [
pkgs.npins
];
shellHook = ''
export NPINS_DIRECTORY="nix"
'';
};
};
} }
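Review bot: `ARGOCD_ENV_CLUSTER_NAME` changes from "rossby" to "hel1" inside what is otherwise a package-list and checks reshuffle; that is a behavioural change for anyone using this shell and deserves its own commit and a line in the message. Second, `HELM_GIT_ACCESS_TOKEN = "glpat-xxx"` is exported into every shell as a derivation attribute, so it overrides a real token a developer has set in their environment before entering the shell, and the placeholder invites someone to paste a real `glpat-` token into a tracked file. Read it from the caller's environment in `shellHook` (for example `export HELM_GIT_ACCESS_TOKEN="''${HELM_GIT_ACCESS_TOKEN:-}"`) rather than hard-coding a value. Finally, `checks.enabledPackages` and `checks.shellHook` are consumed from `./nix/checks.nix`, which is not in this diff; confirm it is part of the same change.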
+3
@@ -88,6 +88,8 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: uptime - namespace: uptime
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: forgejo
server: https://kubernetes.default.svc
sourceRepos: sourceRepos:
- https://argoproj.github.io/argo-helm - https://argoproj.github.io/argo-helm
- https://kubernetes-sigs.github.io/metrics-server/ - https://kubernetes-sigs.github.io/metrics-server/
@@ -123,6 +125,7 @@ spec:
- ghcr.io/slinkyproject/charts/slurm-operator-crds - ghcr.io/slinkyproject/charts/slurm-operator-crds
- ghcr.io/spegel-org/helm-charts - ghcr.io/spegel-org/helm-charts
- ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
- code.forgejo.org/forgejo-helm
- https://operator.mariadb.com/mariadb-enterprise-operator - https://operator.mariadb.com/mariadb-enterprise-operator
- https://operator.mariadb.com - https://operator.mariadb.com
- https://ot-container-kit.github.io/helm-charts - https://ot-container-kit.github.io/helm-charts
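Review bot: `code.forgejo.org/forgejo-helm` is added without a scheme, matching the other OCI entries (`ghcr.io/...`), so the AppProject will only admit Applications whose `repoURL` uses that exact OCI form; an Application pointing at `https://code.forgejo.org/...` is rejected by the project allowlist. Confirm the Application that consumes this entry uses the same form, and pin its `targetRevision` to a chart version rather than a floating tag, since this allowlists a third-party registry for the project.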
@@ -73,7 +73,7 @@
"connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;", "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
"sorcerer" : "https://sorcerer.data.oceanbox.io", "sorcerer" : "https://sorcerer.data.oceanbox.io",
"allowedOrigins": [ "allowedOrigins": [
"https://maps.oceanbox.io", "https://maps.oceanbox.io"
], ],
"appName": "atlantis", "appName": "atlantis",
"appEnv": "prod", "appEnv": "prod",
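Review bot: removing the trailing comma after `"https://maps.oceanbox.io"` turns a previously invalid JSON document into a valid one, so whatever consumed this file before was either tolerant of the error or silently failing; worth a sentence in the commit message. The unchanged context also shows `"connString": "Username=postgres;Password=secret;Host=localhost;..."` in a file that sets `"appEnv": "prod"`; even if it is a dev default, an inline DB password in a prod-tagged config should come from a secret or environment variable, as the deployment patches in this same change already do for `DB_PASSWORD`.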
@@ -79,3 +79,9 @@ resources:
requests: requests:
cpu: 500m cpu: 500m
memory: 1Gi memory: 1Gi
diagrid-dashboard:
enabled: false
statestore:
scope: prod-atlantis
redis: prod-atlantis-redis
@@ -1,6 +1,6 @@
replicaCount: 1 replicaCount: 1
image: image:
tag: 369127e0-debug tag: 503ccbb2-debug
podAnnotations: podAnnotations:
dapr.io/app-id: "staging-atlantis" dapr.io/app-id: "staging-atlantis"
env: env:
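Review bot: the staging image moves from `369127e0-debug` to `503ccbb2-debug`; a `-debug` tag suggests a build variant with extra tooling or verbose logging, so make sure the promotion path to prod cannot carry the same tag forward, and consider referencing the image by digest so the tag cannot be retagged underneath this revision.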
@@ -26,12 +26,12 @@ env:
- name: DB_USER - name: DB_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: staging-atlantis-db-superuser name: staging-atlantis-db-app
key: username key: username
- name: DB_PASSWORD - name: DB_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: staging-atlantis-db-superuser name: staging-atlantis-db-app
key: password key: password
- name: DAPR_API_TOKEN - name: DAPR_API_TOKEN
valueFrom: valueFrom:
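Review bot: moving `DB_USER`/`DB_PASSWORD` from `staging-atlantis-db-superuser` to `staging-atlantis-db-app` is the right least-privilege change. One inconsistency to settle: staging reads `key: username` from the app secret, while the prod deployment patch in this same change reads `key: user` from `prod-atlantis-db-app`. Pick one key name for both environments so a future secret change does not break only one of them.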
@@ -116,9 +116,6 @@ cluster:
db: prod-atlantis-db db: prod-atlantis-db
namespace: prod-atlantis namespace: prod-atlantis
resources: resources:
limits:
cpu: 250m
memory: 1Gi
requests: requests:
cpu: 250m cpu: 250m
memory: 1Gi memory: 1Gi
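Review bot: the surrounding context has `cluster.db: prod-atlantis-db` and `namespace: prod-atlantis` in what appears to be the staging values file (the later hunk in the same file sets `statestore.scope: staging-atlantis`); confirm that staging is meant to point at the prod database and namespace, because if this is a copy-paste it means staging credentials and migrations target prod. On the change itself, dropping `limits` while keeping `requests` moves the pod to the Burstable class with no memory ceiling; removing the CPU limit is usually fine, but keep a memory limit so a leak in a staging build is killed by the cgroup instead of pressuring the node.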
@@ -133,3 +130,8 @@ redis:
resources: resources:
cpu: 150m cpu: 150m
memory: 256Mi memory: 256Mi
diagrid-dashboard:
enabled: false
statestore:
scope: staging-atlantis
redis: staging-atlantis-redis
@@ -10,3 +10,4 @@ podAnnotations:
dapr.io/sidecar-memory-request: "50Mi" dapr.io/sidecar-memory-request: "50Mi"
# dapr.io/sidecar-cpu-limit: "100m" # dapr.io/sidecar-cpu-limit: "100m"
# dapr.io/sidecar-memory-limit: "1000Mi" # dapr.io/sidecar-memory-limit: "1000Mi"
+4
@@ -1,4 +1,8 @@
codex: codex:
enabled: false enabled: false
{{- if eq .Environment.Name "prod" }}
autosync: false autosync: false
{{- else }}
autosync: true
{{- end }}
env: {{ .Environment.Name }} env: {{ .Environment.Name }}
@@ -0,0 +1,67 @@
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting": "Error"
}
},
"Debug": {
"LogLevel": {
"Default": "Debug"
}
},
"Console": {
"IncludeScopes": true,
"LogLevel": {
"Default": "Debug"
}
},
"OIDC": {
"issuer": "https://auth.oceanbox.io/realms/oceanbox",
"authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
"token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
"jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
"userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
"device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
"clientId": "atlantis",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
],
"audiences": [
"atlantis"
]
},
"SSO": {
"cookieDomain": ".oceanbox.io",
"cookieName": ".obx.prod",
"ttl": 12.0,
"signedOutRedirectUri": "https://maps.oceanbox.io/",
"realm": "atlantis",
"environment": "prod",
"keyStore": {
"kind": "azure",
"uri": "https://atlantis.blob.core.windows.net",
"key": "dataprotection-keys"
},
"keyVault": {
"kind": "azure",
"uri": "https://atlantisvault.vault.azure.net",
"key": "dataencryption-keys"
}
},
"plainAuthUsers": [
{
"username": "admin",
"password": "en-to-tre-fire",
"groups": [ "/oceanbox" ],
"roles": [ "admin" ]
}
]
}
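Review bot: `plainAuthUsers` ships a static admin account with the password `en-to-tre-fire`, groups `/oceanbox` and role `admin` in a file marked `"environment": "prod"` that the kustomization in this change loads into a ConfigMap; that is a plaintext admin credential committed to git and exposed to anyone who can read ConfigMaps in the namespace. Remove the account from the committed file (leave `plainAuthUsers: []`) and, if a break-glass local account is really needed, source it from a Secret the same way `clientSecret` is left empty here. Two smaller points: the `Debug` and `Console` sections set `LogLevel.Default` to `Debug` for prod, which will log request detail you do not want in production logs, and the OIDC `clientId`, `audiences` and SSO `realm` are all `atlantis` although this file is generated as `prod-codex-appsettings`; confirm codex is meant to share atlantis' client and realm rather than having its own.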
@@ -0,0 +1,66 @@
- op: add
path: /spec/template/spec/containers/0/envFrom
value:
- secretRef:
name: azure-keyvault
- op: add
path: /spec/template/spec/containers/0/env
value:
- name: APP_NAMESPACE
value: prod-atlantis
- name: DOTNET_ENVIRONMENT
value: Production
- name: ASPNETCORE_ENVIRONMENT
value: Production
- name: DB_HOST
valueFrom:
secretKeyRef:
name: prod-atlantis-db-app
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: prod-atlantis-db-app
key: port
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: prod-atlantis-db-app
key: dbname
- name: DB_USER
valueFrom:
secretKeyRef:
name: prod-atlantis-db-app
key: user
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: prod-atlantis-db-app
key: password
- name: FGA_URL
value: http://prod-openfga.openfga.svc.cluster.local:8080
- name: FGA_DB_HOST
valueFrom:
secretKeyRef:
name: prod-openfga-db-app
key: host
- name: FGA_DB_PORT
valueFrom:
secretKeyRef:
name: prod-openfga-db-app
key: port
- name: FGA_DB_DATABASE
valueFrom:
secretKeyRef:
name: prod-openfga-db-app
key: dbname
- name: FGA_DB_USER
valueFrom:
secretKeyRef:
name: prod-openfga-db-app
key: user
- name: FGA_DB_PASSWORD
valueFrom:
secretKeyRef:
name: prod-openfga-db-app
key: password
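Review bot: both patches use `op: add` with a full list `value` at `/spec/template/spec/containers/0/envFrom` and `/spec/template/spec/containers/0/env`; under RFC 6902, `add` on an existing member replaces it, so any `env` or `envFrom` entries already defined in `../base` are silently dropped. If the base defines either, append with `/env/-` per entry instead. Separately, the container receives `FGA_URL` for the OpenFGA API and also the full `FGA_DB_*` credentials for `prod-openfga-db-app`; direct database access to the authorization store bypasses OpenFGA's own checks, so unless this container runs FGA migrations, drop the DB credentials and keep only the API endpoint. `envFrom: secretRef: azure-keyvault` injects every key of that secret as an environment variable; prefer explicit `secretKeyRef` entries so the container sees only the values it needs.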
@@ -0,0 +1,15 @@
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: prod-codex-appsettings
files:
- appsettings.json
patches:
- target:
group: apps
version: v1
kind: Deployment
path: deployment_patch.yaml
resources:
- ../base
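Review bot: `appsettings.json` in this overlay contains credentials (`plainAuthUsers`), so it belongs in a `secretGenerator`, not a `configMapGenerator`; a ConfigMap is readable by anyone with list/get on ConfigMaps in the namespace and will show up in logs and backups unredacted. `disableNameSuffixHash: true` also means the Deployment is not rolled when the file changes, so a config fix will not take effect until something else restarts the pods; keep the hash suffix (Kustomize rewrites the reference in the Deployment for you) or add a checksum annotation to the pod template.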

Some files were not shown because too many files have changed in this diff.