diff --git a/charts/Makefile b/charts/Makefile
index 391e44f3..6b63312e 100644
--- a/charts/Makefile
+++ b/charts/Makefile
@@ -52,11 +52,6 @@ helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences
 @set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 $(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
-.PHONY: helmfile-delete
-helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
- @set -a; source $(REPO_CONFIG_LOCATION); set +a; \
- $(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
-
 .PHONY: up
 up: helmfile-apply ## Start the stack
diff --git a/charts/calico-configuration/Makefile b/charts/calico-configuration/Makefile
new file mode 100644
index 00000000..14f6d725
--- /dev/null
+++ b/charts/calico-configuration/Makefile
@@ -0,0 +1,9 @@
+# to be executed on kubernetes control nodes
+REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
+
+include ${REPO_BASE_DIR}/scripts/common.Makefile
+
+enable-flow-logs:
+ @$(call confirm_action,Are you using calico 3.30+?,yes)
+ kubectl apply -f flowlogs.yaml
+ kubectl port-forward -n calico-system service/whisker 8081:8081
diff --git a/charts/calico-configuration/flowlogs.yaml b/charts/calico-configuration/flowlogs.yaml
new file mode 100644
index 00000000..36c9318b
--- /dev/null
+++ b/charts/calico-configuration/flowlogs.yaml
@@ -0,0 +1,9 @@
+apiVersion: operator.tigera.io/v1
+kind: Goldmane
+metadata:
+ name: default
+---
+apiVersion: operator.tigera.io/v1
+kind: Whisker
+metadata:
+ name: default
diff --git a/charts/local-k8s.Makefile b/charts/local-k8s.Makefile
index dd83b852..74b27faf 100644
--- a/charts/local-k8s.Makefile
+++ b/charts/local-k8s.Makefile
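Review bot: `enable-flow-logs` is not declared `.PHONY`, and its recipe chains a one-shot `kubectl apply` with a blocking `kubectl port-forward`, so the target never completes and the Goldmane/Whisker objects cannot be applied without also opening the forward. I would split it into `enable-flow-logs` (the apply) and a separate `whisker-ui` target for the forward, declare both `.PHONY`, and pass `--address 127.0.0.1` explicitly so the Whisker UI — which, as far as I can tell, has no authentication of its own — stays bound to loopback even if someone later adds `--address`. The "to be executed on kubernetes control nodes" header is misleading since the recipe only needs a kubeconfig with access to `calico-system`; a comment like `# requires kubectl access to the calico-system namespace (Calico >= 3.30 for Goldmane/Whisker)` would be more accurate.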
@@ -26,3 +26,5 @@ configure-local-hosts: $(REPO_CONFIG_LOCATION) ## Adds local hosts entries for t
 grep -q "127.0.0.1 $$K8S_MONITORING_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_MONITORING_FQDN" | sudo tee -a /etc/hosts
 @set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 grep -q "127.0.0.1 $$K8S_PRIVATE_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_PRIVATE_FQDN" | sudo tee -a /etc/hosts
+ @set -a; source $(REPO_CONFIG_LOCATION); set +a; \
+ grep -q "127.0.0.1 $$K8S_METRICS_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_METRICS_FQDN" | sudo tee -a /etc/hosts
diff --git a/charts/victoria-metrics-distributed/Chart.lock b/charts/victoria-metrics-distributed/Chart.lock
new file mode 100644
index 00000000..c345dc2c
--- /dev/null
+++ b/charts/victoria-metrics-distributed/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: victoria-metrics-distributed
+ repository: https://victoriametrics.github.io/helm-charts/
+ version: 0.23.0
+digest: sha256:2b22bbcbd30a4ba7f9eefdba1b470f9da0592713c273129fd45d4433f212abb9
+generated: "2025-11-09T12:23:19.944728797+01:00"
diff --git a/charts/victoria-metrics-distributed/Chart.yaml b/charts/victoria-metrics-distributed/Chart.yaml
new file mode 100644
index 00000000..92f19df3
--- /dev/null
+++ b/charts/victoria-metrics-distributed/Chart.yaml
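Review bot: The new `/etc/hosts` line (like the two it mirrors) writes `127.0.0.1 ` with an empty host name through `sudo tee` if `K8S_METRICS_FQDN` is unset in `$(REPO_CONFIG_LOCATION)`, and the `grep -q` pattern is a regex substring match, so `metrics.example` already "exists" when `metrics.example.org` does and the dots match any character. Guard the variable and use a fixed-string whole-line match before touching a root-owned file: `test -n "$$K8S_METRICS_FQDN" && { grep -qxF "127.0.0.1 $$K8S_METRICS_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_METRICS_FQDN" | sudo tee -a /etc/hosts; }`. The `configure-local-hosts` target starts outside the hunk, so the same fix presumably applies to the sibling lines.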
@@ -0,0 +1,42 @@ +apiVersion: v2 +name: victoria-metrics-distributed +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: &vmDistributedChartVersion 0.23.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.128.0" + +dependencies: + - name: victoria-metrics-distributed + version: *vmDistributedChartVersion + # avoid '-' for simplicite (see link below) + # https://stackoverflow.com/questions/63853679/helm-templating-doesnt-let-me-use-dash-in-names + alias: vmdistributed + repository: "https://victoriametrics.github.io/helm-charts/" + +# - name: victoria-metrics-auth +# version: 0.19.7 +# repository: *victoria-metrics-repo +# condition: victoria-metrics-auth.enabled + +# - name: victoria-metrics-agent +# version: 0.26.2 +# repository: *victoria-metrics-repo +# condition: victoria-metrics-agent.enabled diff --git a/charts/victoria-metrics-distributed/namespace.yaml b/charts/victoria-metrics-distributed/namespace.yaml new file mode 100644 index 00000000..d8ca9ec1 
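Review bot: The commented-out `victoria-metrics-auth` and `victoria-metrics-agent` dependencies reference a `*victoria-metrics-repo` alias that is defined nowhere in this file (the only anchor is `&vmDistributedChartVersion`), so un-commenting them as-is fails to parse; either define it on the live dependency, `repository: &victoria-metrics-repo "https://victoriametrics.github.io/helm-charts/"`, or drop the dead block. Tying the wrapper's own `version` to the upstream dependency version through the same anchor also means a change to `templates/networkpolicies/*` cannot be released without pretending the upstream chart moved; a comment explaining that trade-off, or an independent wrapper version, would help. `description: A Helm chart for Kubernetes` is the scaffold placeholder and should state what the wrapper adds (Calico network policies, PSS-labelled namespaces).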
--- /dev/null
+++ b/charts/victoria-metrics-distributed/namespace.yaml
@@ -0,0 +1,24 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n events` to see errors (e.g.)
+# Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+# container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: victoria-metrics-distributed
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
+
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: victoria-metrics-distributed-privileged
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vm-config-reload b/charts/victoria-metrics-distributed/templates/networkpolicies/vm-config-reload
new file mode 100644
index 00000000..585fe8e5
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vm-config-reload
@@ -0,0 +1,18 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ # allow config reload for all workloads in the release
+ # config reload needs to access the k8s api server
+ name: vm-config-reload
+spec:
+ selector: part-of == "{{ .Release.Name }}"
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ nets:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - 6443
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-scraper.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-scraper.yaml
new file mode 100644
index 00000000..b62c4b52
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-scraper.yaml
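Review bot: Both `pod-security.kubernetes.io/enforce` labels are set without a matching `pod-security.kubernetes.io/enforce-version`, so they default to `latest` and the enforced profile silently tightens on every cluster upgrade — exactly the unattended pod-creation failure the header comment warns about. Pin it to the version the cluster runs, e.g. `pod-security.kubernetes.io/enforce-version: v1.31`, and consider `pod-security.kubernetes.io/warn: restricted` on the `-privileged` namespace so node-exporter's exemptions remain visible in `kubectl` output rather than silently accepted. The troubleshooting hint `kubectl -n events` is not a valid invocation; it should read `kubectl get events -n <namespace>`.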
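Review bot: The egress rule grants every `part-of` workload TCP 6443 to all of RFC 1918 rather than to the API server, which both over-permits (any private host listening on 6443, e.g. another cluster's control plane, is reachable) and under-permits (a control-plane endpoint outside those ranges, as with some managed clusters, silently breaks config reload). Calico egress rules can target the API server's service directly, replacing the `nets:`/`ports:` pair: `- action: Allow` / `destination:` / `services: {name: kubernetes, namespace: default}`; whichever form stays, a comment stating the control-plane address assumption belongs here. The file also lacks the `.yaml` suffix its siblings carry — Helm still renders it, but the inconsistency looks accidental.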
@@ -0,0 +1,13 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmagent-scraper-network-policy
+spec:
+ selector: app == "vmagent-scraper" && part-of == "{{ .Release.Name }}"
+ egress:
+ - action: Allow
+ destination:
+ nets:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-zone.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-zone.yaml
new file mode 100644
index 00000000..95ab2e8d
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmagent-zone.yaml
@@ -0,0 +1,18 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmagent-zone-network-policy
+spec:
+ selector: app == "vmagent-zone" && part-of == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmagent.spec.port }}
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-read.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-read.yaml
new file mode 100644
index 00000000..0aa563fb
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-read.yaml
@@ -0,0 +1,18 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmauth-global-read-network-policy
+spec:
+ selector: app == "vmauth-global-read" && part-of == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmauth.spec.port }}
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmauth.spec.port }}
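Review bot: The scraper's single egress rule allows any protocol to any port on every RFC 1918 address, so a compromised or mis-configured vmagent (scrape configs are a classic SSRF surface) can reach anything private on the network, not just its scrape targets and the write LB. At minimum add `protocol: TCP`; preferably enumerate the destinations this scraper actually needs — kubelet and node-exporter on node IPs, kube-state-metrics, vmauth-global-write on `{{ .Values.vmdistributed.common.vmauth.spec.port }}`, and the API server — as separate commented rules, confirming the list against the generated scrape config since it is not visible here. Because only egress rules are present, Calico infers `types: [Egress]` and this policy leaves ingress to the scraper untouched; if that is intentional, say so in a comment.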
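Review bot: Neither rule carries a `source`/`destination` selector, so the ingress rule admits any endpoint that can route to the pod on `vmagent.spec.port`, and the egress rule allows TCP to `vmsingle.spec.port` on any address at all. The labels this chart already sets make tightening cheap: `source: {selector: app == "vmauth-global-write" && part-of == "{{ .Release.Name }}"}` on ingress and `destination: {selector: app == "vmsingle" && part-of == "{{ .Release.Name }}"}` on egress. Note also that nothing in this change allows DNS egress (port 53 to kube-dns); once an egress-typed policy selects these pods Calico denies whatever is not explicitly allowed, so unless a cluster-wide policy handles DNS the vmagent cannot resolve the vmsingle service name — worth a comment either way.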
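Review bot: The ingress rule on `vmauth.spec.port` has no `source`, so any pod in the cluster can query the global read endpoint directly and bypass the Traefik `traefik-basic-auth` middleware that values.yaml.gotmpl attaches to its Ingress; the basic auth then protects only the external path. Restrict the source to the ingress controller, e.g. `source: {namespaceSelector: kubernetes.io/metadata.name == "traefik", selector: app.kubernetes.io/name == "traefik"}` (adjust to the controller's real labels), plus any in-cluster consumer such as Grafana that is meant to read without going through Traefik. If vmauth itself enforces credentials for in-cluster readers, a comment stating that would justify leaving the source open.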
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-write.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-write.yaml
new file mode 100644
index 00000000..0b24097d
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-global-write.yaml
@@ -0,0 +1,18 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmauth-global-write-network-policy
+spec:
+ selector: app == "vmauth-global-write" && part-of == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmauth.spec.port }}
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmagent.spec.port }}
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-zone.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-zone.yaml
new file mode 100644
index 00000000..638dfbf4
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmauth-zone.yaml
@@ -0,0 +1,18 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmauth-zone-network-policy
+spec:
+ selector: app == "vmauth-zone" && part-of == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmauth.spec.port }}
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
diff --git a/charts/victoria-metrics-distributed/templates/networkpolicies/vmsingle.yaml b/charts/victoria-metrics-distributed/templates/networkpolicies/vmsingle.yaml
new file mode 100644
index 00000000..09c06bad
--- /dev/null
+++ b/charts/victoria-metrics-distributed/templates/networkpolicies/vmsingle.yaml
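Review bot: Ingress on `vmauth.spec.port` is open to any source, so every pod in the cluster can push series into the global write path; the only writer visible in this change is the extra scraper, which values.yaml.gotmpl labels `app: "vmagent-scraper"`. Unless other writers exist, pin it: `source: {selector: app == "vmagent-scraper" && part-of == "{{ .Release.Name }}"}`, and add `destination: {selector: app == "vmagent-zone" && part-of == "{{ .Release.Name }}"}` on the egress rule so the port-only allow cannot reach arbitrary hosts. If writers from other clusters are planned, a comment saying so is better than an implicitly open rule.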
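Review bot: This is the fourth copy of the same two-rule skeleton (ingress on one port, egress on another, no peer selectors) after `vmagent-zone`, `vmauth-global-read` and `vmauth-global-write`; only the app label and two port values differ. A named template in `templates/_networkpolicy.tpl` taking the app label, the two ports and, ideally, the expected peers, with `{{ include }}` in each file, would keep the policies from drifting when one is tightened. Failing that, each file should carry a one-line comment naming the intended peers — here `# in: vmauth-global-read, out: vmsingle`.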
@@ -0,0 +1,12 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+ name: vmsingle-network-policy
+spec:
+ selector: app == "vmsingle" && part-of == "{{ .Release.Name }}"
+ ingress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
diff --git a/charts/victoria-metrics-distributed/values.ebs-pv.yaml.gotmpl b/charts/victoria-metrics-distributed/values.ebs-pv.yaml.gotmpl
new file mode 100644
index 00000000..ca738ba4
--- /dev/null
+++ b/charts/victoria-metrics-distributed/values.ebs-pv.yaml.gotmpl
@@ -0,0 +1,6 @@
+vmdistributed:
+ common:
+ vmsingle:
+ spec:
+ storage:
+ storageClassName: "{{ .Values.ebsStorageClassName }}"
diff --git a/charts/victoria-metrics-distributed/values.ha.yaml.gotmpl b/charts/victoria-metrics-distributed/values.ha.yaml.gotmpl
new file mode 100644
index 00000000..d9b02358
--- /dev/null
+++ b/charts/victoria-metrics-distributed/values.ha.yaml.gotmpl
@@ -0,0 +1,10 @@
+vmdistributed:
+ availabilityZones:
+ - name: {{ requiredEnv "CLUSTER_ZONE_1" }}
+ - name: {{ requiredEnv "CLUSTER_ZONE_2" }}
+
+ zoneTpl:
+ common:
+ spec:
+ nodeSelector:
+ topology.kubernetes.io/zone: '{{`{{ .zone.name }}`}}'
diff --git a/charts/victoria-metrics-distributed/values.topolvm-pv.yaml.gotmpl b/charts/victoria-metrics-distributed/values.topolvm-pv.yaml.gotmpl
new file mode 100644
index 00000000..35ff6ae8
--- /dev/null
+++ b/charts/victoria-metrics-distributed/values.topolvm-pv.yaml.gotmpl
@@ -0,0 +1,6 @@
+vmdistributed:
+ common:
+ vmsingle:
+ spec:
+ storage:
+ storageClassName: "{{ .Values.topolvmStorageClassName }}"
diff --git a/charts/victoria-metrics-distributed/values.yaml.gotmpl b/charts/victoria-metrics-distributed/values.yaml.gotmpl
new file mode 100644
index 00000000..a86ff879
--- /dev/null
+++ b/charts/victoria-metrics-distributed/values.yaml.gotmpl
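Review bot: vmsingle is the storage backend, yet its only rule accepts TCP on `vmsingle.spec.port` from any source, so any pod that can route to it can read and write series — and hit whatever admin endpoints vmsingle exposes — without passing through vmauth. The peers are already labelled by this chart, so the fix is one line: `source: {selector: app in {"vmauth-zone", "vmagent-zone"} && part-of == "{{ .Release.Name }}"}`. Whether vmsingle's delete/snapshot APIs are enabled is not visible here; a comment describing the trust boundary this policy is meant to establish would help the next reader.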
@@ -0,0 +1,230 @@ +vmdistributed: + fullnameOverride: "vm-distributed" + + common: + vmauth: + spec: + port: "8427" + resources: + # rounded defaults from Operator + requests: + memory: "100Mi" + cpu: "0.1" + limits: + memory: "300Mi" + cpu: "0.5" + podMetadata: + labels: + # common label for all components of the release (except vmagent extra) + # we use these labels in network policies. We do not use official convention + # "app.kubernetes.io/part-of" as VM Operator does not support override of some of + # official labels (e.g. app.kubernetes.io/name). So we use a shorter version. + # See https://github.com/VictoriaMetrics/helm-charts/issues/2545#issuecomment-3496376407 + part-of: {{ .Release.Name }} + vmagent: + # https://docs.victoriametrics.com/operator/api/#vmagentspec + spec: + port: &vmAgentPort "8429" + resources: &vmAgentResources + # rounded defaults from Operator + requests: + memory: "256Mi" + cpu: "0.1" + limits: + memory: "512Mi" + cpu: "0.5" + podMetadata: + labels: + part-of: {{ .Release.Name }} + vmsingle: + # https://docs.victoriametrics.com/operator/api/#vmsinglespec + spec: + port: "8428" + removePvcAfterDelete: false + storage: + resources: + requests: + storage: 50Gi + resources: + # rounded defaults from Operator + requests: + memory: "500Mi" + cpu: "0.1" + limits: + memory: "1.5Gi" + cpu: "1.5" + podMetadata: + labels: + app: vmsingle + part-of: {{ .Release.Name }} + + zoneTpl: + common: + spec: + nodeSelector: + ops: "true" + useStrictSecurity: true + vmcluster: + enabled: false + vmsingle: + enabled: true + spec: + # Ideally it should be defined in common spec. But in original chart + # values it is defined in zoneTpl. So, common spec is overriden. 
+ retentionPeriod: "180d" # ~3 months + read: + vmauth: + spec: + podMetadata: + labels: + app: vmauth-zone + vmagent: + spec: + # TODO: configure buffering https://github.com/VictoriaMetrics/helm-charts/issues/2565 + podMetadata: + labels: + app: vmagent-zone + + availabilityZones: + - name: default + + extra: + # it scrapes metrics and write to global write LB + # which is an entry point for vm distributed cluster + # it is considered to be outside of "stack". So, common + # settings are not applied to it. + vmagent: + enabled: true + name: vmagent-scraper + spec: + useStrictSecurity: true + port: *vmAgentPort + resources: *vmAgentResources + podMetadata: + labels: + app: "vmagent-scraper" + part-of: {{ .Release.Name }} + + write: + global: + vmauth: + spec: + useStrictSecurity: true + podMetadata: + labels: + app: vmauth-global-write + + read: + global: + vmauth: + spec: + useStrictSecurity: true + podMetadata: + labels: + app: vmauth-global-read + # Use standard path approach with monitoring FQDN this is possbile. + # See https://github.com/VictoriaMetrics/operator/issues/1617 + ingress: + host: {{ requiredEnv "K8S_METRICS_FQDN" }} + annotations: + namespace: {{ .Release.Namespace }} + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.middlewares: traefik-traefik-basic-auth@kubernetescrd + + victoria-metrics-k8s-stack: + enabled: true + + victoria-metrics-operator: + enabled: false + + vmagent: + enabled: false + + vmsingle: + enabled: false + + vmcluster: + enabled: false + + alertmanager: + enabled: false + + vmalert: + enabled: false + + grafana: + enabled: false + + # Exporter for machine metrics + prometheus-node-exporter: + enabled: true + namespaceOverride: "{{ .Release.Namespace }}-privileged" + resources: + # draft values. 
adjust if needed + limits: + cpu: 0.2 + memory: 128Mi + requests: + cpu: 0.1 + memory: 64Mi + vmScrape: + spec: + # chart templates do not set it properly when namespace is overriden + namespaceSelector: + matchNames: ["{{ .Release.Namespace }}-privileged"] + + # cluster metrics about the state of the objects (pods, deploymentsets, ...) + kube-state-metrics: + enabled: true + resources: + # draft values. adjust if needed + limits: + cpu: 0.5 + memory: 512Mi + requests: + cpu: 0.1 + memory: 128Mi + networkPolicy: + enabled: true + flavor: kubernetes # calico understand kubernetes network policy + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/8 + - ipBlock: + cidr: 172.16.0.0/12 + - ipBlock: + cidr: 192.168.0.0/16 + ports: + - protocol: TCP + port: 6443 + podLabels: + app: kube-state-metrics + part-of: {{ .Release.Name }} + + # container metrics (cpu / memory) + kubelet: + enabled: true + + kubeApiServer: + enabled: false + + kubeControllerManager: + enabled: false + + coreDns: + enabled: false + + kubeEtcd: + enabled: false + + kubeScheduler: + enabled: false + + defaultDashboards: + # -- Enable custom dashboards installation + enabled: false + + defaultRules: + create: false diff --git a/charts/victoria-metrics-operator/namespace.yaml b/charts/victoria-metrics-operator/namespace.yaml new file mode 100644 index 00000000..ec72ccbc --- /dev/null +++ b/charts/victoria-metrics-operator/namespace.yaml 
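Review bot: `retentionPeriod: "180d" # ~3 months` contradicts itself — 180 days is roughly six months — and since retention, the 50Gi `storage` request and `removePvcAfterDelete: false` are sized together, a reader cannot tell which value is intended; change the comment to `# ~6 months` or the value to `"90d"`. The `namespace: {{ .Release.Namespace }}` entry under the read Ingress `annotations` looks like a misplaced field rather than an annotation (Kubernetes will store it literally as an annotation named `namespace`); if it is part of the operator workaround linked just above, a comment saying so will stop someone "fixing" it. The hunk also sets `useStrictSecurity: true` per component but the `restricted` PSS enforced by namespace.yaml is the real gate — a comment noting that the two must be kept in step would save a silent pod-creation failure.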
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n events` to see errors (e.g.)
+# Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+# container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: victoria-metrics-operator
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
diff --git a/charts/victoria-metrics-operator/values.yaml.gotmpl b/charts/victoria-metrics-operator/values.yaml.gotmpl
new file mode 100644
index 00000000..53d2f23b
--- /dev/null
+++ b/charts/victoria-metrics-operator/values.yaml.gotmpl
@@ -0,0 +1,32 @@
+operator:
+ # converts prometheus-operator objects into victoria-metrics-operator ones
+ disable_prometheus_converter: false
+ # Enables ownership reference for converted prometheus-operator objects, it will
+ # remove corresponding victoria-metrics objects in case of deletion prometheus one.
+ enable_converter_ownership: true
+
+securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+
+admissionWebhooks:
+ certManager:
+ # avoid new cert generation on every helm run
+ enabled: true
+
+extraObjects:
+- apiVersion: projectcalico.org/v3
+ kind: NetworkPolicy
+ metadata:
+ name: victoria-metrics-operator-network-policy
+ spec:
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ nets:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ ports:
+ - 6443
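Review bot: The `extraObjects` Calico NetworkPolicy has no `selector`, and a Calico `NetworkPolicy` without one applies to every endpoint in its namespace, so this egress-only policy puts all pods in the operator namespace — not just the operator — under default-deny egress except TCP 6443 to RFC 1918. Add an explicit selector for the operator pods (the chart's label is not visible here, so confirm it), e.g. `selector: app.kubernetes.io/name == "victoria-metrics-operator"`, and consider `destination: services: {name: kubernetes, namespace: default}` instead of the private-range/6443 pair, which misses control planes outside RFC 1918. `securityContext.seccompProfile` alone does not satisfy the `restricted` profile enforced on this namespace (`runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are also required); presumably the chart defaults cover them, but a comment saying so would spare the next person a silent pod-creation failure.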