ITISFoundation · YuryHrytsuk · Oct 28, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -52,11 +52,6 @@ helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
 
-.PHONY: helmfile-delete
-helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
-	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	$(HELMFILE) -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
-
 .PHONY: up
 up: helmfile-apply ## Start the stack
 

@@ -0,0 +1,3 @@
+enable-flow-logs:
+	kubectl apply -f flowlogs.yaml
+	kubectl port-forward -n calico-system service/whisker 8081:8081
@@ -0,0 +1,9 @@
+apiVersion: operator.tigera.io/v1
+kind: Goldmane
+metadata:
+  name: default
+---
+apiVersion: operator.tigera.io/v1
+kind: Whisker
+metadata:
+  name: default
@@ -133,6 +133,27 @@ extraObjects:
         - 172.16.0.0/12
         - 192.168.0.0/16
 
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: metrics-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /metrics
+
+  # a (href) links do not work properly without trailing slash
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: metrics-path-append-slash
+    namespace: {{ .Release.Namespace }}
+  spec:
+    redirectRegex:
+      regex: "^(https?://[^/]+/metrics)$"
+      replacement: "${1}/"
+
 - apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:

@@ -0,0 +1,6 @@
+dependencies:
+- name: victoria-metrics-distributed
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.23.0
+digest: sha256:2b22bbcbd30a4ba7f9eefdba1b470f9da0592713c273129fd45d4433f212abb9
+generated: "2025-11-09T12:23:19.944728797+01:00"
@@ -0,0 +1,42 @@
+apiVersion: v2
+name: victoria-metrics-distributed
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: &vmDistributedChartVersion 0.23.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.128.0"
+
+dependencies:
+  - name: victoria-metrics-distributed
+    version: *vmDistributedChartVersion
+    # avoid '-' for simplicite (see link below)
+    # https://stackoverflow.com/questions/63853679/helm-templating-doesnt-let-me-use-dash-in-names
+    alias: vmdistributed
+    repository: "https://victoriametrics.github.io/helm-charts/"
+
+#   - name: victoria-metrics-auth
+#     version: 0.19.7
+#     repository: *victoria-metrics-repo
+#     condition: victoria-metrics-auth.enabled
+
+#   - name: victoria-metrics-agent
+#     version: 0.26.2
+#     repository: *victoria-metrics-repo
+#     condition: victoria-metrics-agent.enabled
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: victoria-metrics-distributed
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
@@ -0,0 +1,23 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vmagent-network-policy
+spec:
+  selector: app == "vmagent" && part-of == "{{ .Release.Name }}"
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.vmdistributed.common.vmauth.spec.port }}
+          - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
+          - {{ .Values.vmdistributed.common.vmagent.spec.port }}
@@ -0,0 +1,28 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vmauth-network-policy
+spec:
+  selector: app == "vmauth" && part-of == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.vmdistributed.common.vmauth.spec.port }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        nets:
+          - 10.0.0.0/8
+          - 172.16.0.0/12
+          - 192.168.0.0/16
+        ports:
+          - 6443
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.vmdistributed.common.vmagent.spec.port }}
+          - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
@@ -0,0 +1,12 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: vmsingle-network-policy
+spec:
+  selector: app == "vmsingle" && part-of == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.vmdistributed.common.vmsingle.spec.port }}
@@ -0,0 +1,128 @@
+global:
+  vmSinglePort: "8428"
+
+vmdistributed:
+  fullnameOverride: "vm-distributed"
+
+  common:
+    vmauth:
+      spec:
+        port: "8427"
+        podMetadata:
+          labels:
+            app: vmauth
+            part-of: {{ .Release.Name }}
+    vmagent:
+      spec:
+        port: &vmAgentPort "8429"
+        podMetadata:
+          labels: &vmAgentCommonLabels
+            app: vmagent
+            part-of: {{ .Release.Name }}
+    vmsingle:
+      spec:
+        port: "8428"
+        podMetadata:
+          labels:
+            app: vmsingle
+            part-of: {{ .Release.Name }}
+
+  zoneTpl:
+    common:
+      spec:
+        nodeSelector:
+          ops: "true"
+        useStrictSecurity: true
+    vmcluster:
+      enabled: false
+    vmsingle:
+      enabled: true
+
+  availabilityZones:
+    - name: default
+
+  extra:
+    # it scrapes metrics and write to global write LB
+    # which is an entry point for vm distributed cluster
+    vmagent:
+      enabled: true
+      name: vmagent-scraper
+      spec:
+        useStrictSecurity: true
+        port: *vmAgentPort
+        podMetadata:
+          labels: *vmAgentCommonLabels
+
+  write:
+    global:
+      vmauth:
+        spec:
+          useStrictSecurity: true
+
+  read:
+    global:
+      vmauth:
+        spec:
+          useStrictSecurity: true
+          ingress:
+            host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+            annotations:
+              namespace: {{ .Release.Namespace }}
+              traefik.ingress.kubernetes.io/router.tls: "true"
+              traefik.ingress.kubernetes.io/router.entrypoints: websecure
+
+
+  victoria-metrics-k8s-stack:
+    enabled: true
+
+    victoria-metrics-operator:
+      enabled: false
+
+    vmagent:
+      enabled: false
+
+    vmsingle:
+      enabled: false
+
+    vmcluster:
+      enabled: false
+
+    alertmanager:
+      enabled: false
+
+    vmalert:
+      enabled: false
+
+    grafana:
+      enabled: false
+
+    prometheus-node-exporter:
+      enabled: false
+
+    kube-state-metrics:
+      enabled: false
+
+    kubelet:
+      enabled: false
+
+    kubeApiServer:
+      enabled: false
+
+    kubeControllerManager:
+      enabled: false
+
+    coreDns:
+      enabled: false
+
+    kubeEtcd:
+      enabled: false
+
+    kubeScheduler:
+      enabled: false
+
+    defaultDashboards:
+      # -- Enable custom dashboards installation
+      enabled: false
+
+    defaultRules:
+      create: false
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: victoria-metrics
+  labels:
+    pod-security.kubernetes.io/enforce: restricted