From 9db6a4cbeb53756d52643c111a9cf4801d8d84c9 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Sun, 20 Apr 2025 17:50:19 +0200 Subject: [PATCH 01/13] Adds EFK to core --- contexts/local/blueprint.yaml | 9 ++++ contexts/local/terraform/cluster/talos.tfvars | 50 ++++++++++++++++++- .../logs/efk/elasticsearch/helm-release.yaml | 32 ++++++++++++ .../logs/efk/elasticsearch/kustomization.yaml | 4 ++ kustomize/logs/efk/filebeat/helm-release.yaml | 23 +++++++++ .../logs/efk/filebeat/kustomization.yaml | 4 ++ kustomize/logs/efk/kibana/helm-release.yaml | 23 +++++++++ kustomize/logs/efk/kibana/kustomization.yaml | 4 ++ kustomize/logs/efk/kustomization.yaml | 1 + kustomize/logs/helm-repository.yaml | 8 +++ kustomize/logs/kustomization.yaml | 3 ++ kustomize/logs/namespace.yaml | 6 +++ windsor.yaml | 4 +- 13 files changed, 168 insertions(+), 3 deletions(-) create mode 100644 kustomize/logs/efk/elasticsearch/helm-release.yaml create mode 100644 kustomize/logs/efk/elasticsearch/kustomization.yaml create mode 100644 kustomize/logs/efk/filebeat/helm-release.yaml create mode 100644 kustomize/logs/efk/filebeat/kustomization.yaml create mode 100644 kustomize/logs/efk/kibana/helm-release.yaml create mode 100644 kustomize/logs/efk/kibana/kustomization.yaml create mode 100644 kustomize/logs/efk/kustomization.yaml create mode 100644 kustomize/logs/helm-repository.yaml create mode 100644 kustomize/logs/kustomization.yaml create mode 100644 kustomize/logs/namespace.yaml diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml index ba820922d..090427d18 100644 --- a/contexts/local/blueprint.yaml +++ b/contexts/local/blueprint.yaml @@ -98,3 +98,12 @@ kustomize: force: true components: - ingress +- name: logs + path: logs + dependsOn: + - csi + force: true + components: + - efk/elasticsearch + - efk/filebeat + - efk/kibana diff --git a/contexts/local/terraform/cluster/talos.tfvars b/contexts/local/terraform/cluster/talos.tfvars index f81ee3d0a..62cee285c 100644 
--- a/contexts/local/terraform/cluster/talos.tfvars +++ b/contexts/local/terraform/cluster/talos.tfvars 
@@ -8,7 +8,51 @@ cluster_endpoint = "https://127.0.0.1:6443" cluster_name = "talos" // A YAML string of common config patches to apply -common_config_patches = "\"cluster\":\n \"apiServer\":\n \"certSANs\":\n - \"localhost\"\n - \"127.0.0.1\"\n \"extraManifests\":\n - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n \"certSANs\":\n - \"localhost\"\n - \"127.0.0.1\"\n \"features\":\n \"hostDNS\":\n \"forwardKubeDNSToHost\": true\n \"kubelet\":\n \"extraArgs\":\n \"rotate-server-certificates\": \"true\"\n \"network\":\n \"interfaces\":\n - \"ignore\": true\n \"interface\": \"eth0\"\n \"registries\":\n \"mirrors\":\n \"docker.io\":\n \"endpoints\":\n - \"http://registry-1.docker.test:5000\"\n \"gcr.io\":\n \"endpoints\":\n - \"http://gcr.test:5000\"\n \"ghcr.io\":\n \"endpoints\":\n - \"http://ghcr.test:5000\"\n \"quay.io\":\n \"endpoints\":\n - \"http://quay.test:5000\"\n \"registry.k8s.io\":\n \"endpoints\":\n - \"http://registry.k8s.test:5000\"\n \"registry.test\":\n \"endpoints\":\n - \"http://registry.test:5000\"" +common_config_patches = < Date: Sun, 20 Apr 2025 19:17:33 +0200 Subject: [PATCH 02/13] moving into separate subsystems --- contexts/local/blueprint.yaml | 27 ++++++++++++++----- kustomize/logs/efk/kustomization.yaml | 1 - kustomize/logs/kustomization.yaml | 3 --- kustomize/logs/namespace.yaml | 6 ----- .../elasticsearch/helm-release.yaml | 6 ++--- .../elasticsearch/helm-repository.yaml | 8 ++++++ .../elasticsearch}/kustomization.yaml | 1 + .../kibana/helm-release.yaml | 6 ++--- .../kibana}/helm-repository.yaml | 4 +-- .../kibana}/kustomization.yaml | 1 + .../base}/filebeat/helm-release.yaml | 6 ++--- .../base/filebeat/helm-repository.yaml | 8 ++++++ .../base}/filebeat/kustomization.yaml | 1 + 13 files changed, 51 insertions(+), 27 deletions(-) delete mode 100644 kustomize/logs/efk/kustomization.yaml delete mode 100644 kustomize/logs/kustomization.yaml delete mode 100644 
kustomize/logs/namespace.yaml rename kustomize/{logs/efk => observability}/elasticsearch/helm-release.yaml (84%) create mode 100644 kustomize/observability/elasticsearch/helm-repository.yaml rename kustomize/{logs/efk/kibana => observability/elasticsearch}/kustomization.yaml (80%) rename kustomize/{logs/efk => observability}/kibana/helm-release.yaml (77%) rename kustomize/{logs => observability/kibana}/helm-repository.yaml (69%) rename kustomize/{logs/efk/elasticsearch => observability/kibana}/kustomization.yaml (80%) rename kustomize/{logs/efk => telemetry/base}/filebeat/helm-release.yaml (78%) create mode 100644 kustomize/telemetry/base/filebeat/helm-repository.yaml rename kustomize/{logs/efk => telemetry/base}/filebeat/kustomization.yaml (80%) diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml index 090427d18..0fcb2dc65 100644 --- a/contexts/local/blueprint.yaml +++ b/contexts/local/blueprint.yaml @@ -98,12 +98,27 @@ kustomize: force: true components: - ingress -- name: logs - path: logs +- name: elasticsearch + path: observability + source: core + dependsOn: + - pki-base + force: true + components: + - elasticsearch +- name: filebeat + path: telemetry + source: core + dependsOn: + - elasticsearch + force: true + components: + - filebeat +- name: kibana + path: observability + source: core dependsOn: - - csi + - elasticsearch force: true components: - - efk/elasticsearch - - efk/filebeat - - efk/kibana + - kibana \ No newline at end of file diff --git a/kustomize/logs/efk/kustomization.yaml b/kustomize/logs/efk/kustomization.yaml deleted file mode 100644 index e584213cf..000000000 --- a/kustomize/logs/efk/kustomization.yaml +++ /dev/null @@ -1 +0,0 @@ -resources: [] diff --git a/kustomize/logs/kustomization.yaml b/kustomize/logs/kustomization.yaml deleted file mode 100644 index 25ebdb307..000000000 --- a/kustomize/logs/kustomization.yaml +++ /dev/null @@ -1,3 +0,0 @@ -resources: - - namespace.yaml - - helm-repository.yaml 
diff --git a/kustomize/logs/namespace.yaml b/kustomize/logs/namespace.yaml deleted file mode 100644 index 445995850..000000000 --- a/kustomize/logs/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: system-logs - labels: - pod-security.kubernetes.io/enforce: privileged diff --git a/kustomize/logs/efk/elasticsearch/helm-release.yaml b/kustomize/observability/elasticsearch/helm-release.yaml similarity index 84% rename from kustomize/logs/efk/elasticsearch/helm-release.yaml rename to kustomize/observability/elasticsearch/helm-release.yaml index d561f0376..a65898cff 100644 --- a/kustomize/logs/efk/elasticsearch/helm-release.yaml +++ b/kustomize/observability/elasticsearch/helm-release.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: elasticsearch - namespace: system-logs + namespace: system-observability spec: interval: 15m chart: @@ -11,8 +11,8 @@ spec: version: "8.5.1" sourceRef: kind: HelmRepository - name: elastic - namespace: system-logs + name: elastic-elasticsearch + namespace: system-observability values: antiAffinity: "soft" replicas: 1 diff --git a/kustomize/observability/elasticsearch/helm-repository.yaml b/kustomize/observability/elasticsearch/helm-repository.yaml new file mode 100644 index 000000000..4ff074ccc --- /dev/null +++ b/kustomize/observability/elasticsearch/helm-repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: elastic-elasticsearch + namespace: system-observability +spec: + interval: 1h + url: https://helm.elastic.co diff --git a/kustomize/logs/efk/kibana/kustomization.yaml b/kustomize/observability/elasticsearch/kustomization.yaml similarity index 80% rename from kustomize/logs/efk/kibana/kustomization.yaml rename to kustomize/observability/elasticsearch/kustomization.yaml index 293e4a04f..84f402f63 100644 --- a/kustomize/logs/efk/kibana/kustomization.yaml 
+++ b/kustomize/observability/elasticsearch/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - helm-release.yaml +- helm-repository.yaml diff --git a/kustomize/logs/efk/kibana/helm-release.yaml b/kustomize/observability/kibana/helm-release.yaml similarity index 77% rename from kustomize/logs/efk/kibana/helm-release.yaml rename to kustomize/observability/kibana/helm-release.yaml index a00403e9f..587fcd909 100644 --- a/kustomize/logs/efk/kibana/helm-release.yaml +++ b/kustomize/observability/kibana/helm-release.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: kibana - namespace: system-logs + namespace: system-observability spec: interval: 5m chart: @@ -11,8 +11,8 @@ spec: version: "8.5.1" sourceRef: kind: HelmRepository - name: elastic - namespace: system-logs + name: elastic-kibana + namespace: system-observability values: resources: requests: diff --git a/kustomize/logs/helm-repository.yaml b/kustomize/observability/kibana/helm-repository.yaml similarity index 69% rename from kustomize/logs/helm-repository.yaml rename to kustomize/observability/kibana/helm-repository.yaml index d25c402dc..c1ecd24e0 100644 --- a/kustomize/logs/helm-repository.yaml +++ b/kustomize/observability/kibana/helm-repository.yaml @@ -1,8 +1,8 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: elastic - namespace: system-logs + name: elastic-kibana + namespace: system-observability spec: interval: 1h url: https://helm.elastic.co diff --git a/kustomize/logs/efk/elasticsearch/kustomization.yaml b/kustomize/observability/kibana/kustomization.yaml similarity index 80% rename from kustomize/logs/efk/elasticsearch/kustomization.yaml rename to kustomize/observability/kibana/kustomization.yaml index 293e4a04f..84f402f63 100644 --- a/kustomize/logs/efk/elasticsearch/kustomization.yaml +++ b/kustomize/observability/kibana/kustomization.yaml 
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - helm-release.yaml +- helm-repository.yaml diff --git a/kustomize/logs/efk/filebeat/helm-release.yaml b/kustomize/telemetry/base/filebeat/helm-release.yaml similarity index 78% rename from kustomize/logs/efk/filebeat/helm-release.yaml rename to kustomize/telemetry/base/filebeat/helm-release.yaml index 7628d2222..9fbf19dab 100644 --- a/kustomize/logs/efk/filebeat/helm-release.yaml +++ b/kustomize/telemetry/base/filebeat/helm-release.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: filebeat - namespace: system-logs + namespace: system-telemetry spec: interval: 5m chart: @@ -11,8 +11,8 @@ spec: version: "8.5.1" sourceRef: kind: HelmRepository - name: elastic - namespace: system-logs + name: elastic-filebeat + namespace: system-telemetry values: resources: requests: diff --git a/kustomize/telemetry/base/filebeat/helm-repository.yaml b/kustomize/telemetry/base/filebeat/helm-repository.yaml new file mode 100644 index 000000000..aecb37d46 --- /dev/null +++ b/kustomize/telemetry/base/filebeat/helm-repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: elastic-filebeat + namespace: system-observability +spec: + interval: 1h + url: https://helm.elastic.co diff --git a/kustomize/logs/efk/filebeat/kustomization.yaml b/kustomize/telemetry/base/filebeat/kustomization.yaml similarity index 80% rename from kustomize/logs/efk/filebeat/kustomization.yaml rename to kustomize/telemetry/base/filebeat/kustomization.yaml index 293e4a04f..84f402f63 100644 --- a/kustomize/logs/efk/filebeat/kustomization.yaml +++ b/kustomize/telemetry/base/filebeat/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - helm-release.yaml +- helm-repository.yaml From 8b7533f240ded4890131dc3251631eb9f371c571 Mon Sep 17 00:00:00 2001 
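Review bot: Moving filebeat into `system-telemetry` leaves no Namespace manifest in this series carrying the `pod-security.kubernetes.io/enforce: privileged` label that the deleted `kustomize/logs/namespace.yaml` had, and neither `system-telemetry` nor `system-observability` is defined anywhere in this diff. The filebeat chart's DaemonSet is typically deployed with host log directories mounted via hostPath (not visible here), which a namespace under the `baseline` or `restricted` Pod Security level rejects, so presumably the namespaces are created elsewhere — confirm that only `system-telemetry` gets the relaxed level and that `system-observability` keeps the stricter default. A one-line comment above `namespace: system-telemetry` naming where that Namespace is defined would make the coupling visible.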
From: Hernan Dominguez
Date: Sun, 20 Apr 2025 21:09:31 +0200
Subject: [PATCH 03/13] fixes
--- contexts/local/blueprint.yaml | 5 +---- kustomize/observability/elasticsearch/helm-release.yaml | 2 ++ kustomize/telemetry/base/filebeat/helm-repository.yaml | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml
index 0fcb2dc65..ed698e93a 100644
--- a/contexts/local/blueprint.yaml
+++ b/contexts/local/blueprint.yaml
@@ -100,15 +100,13 @@ kustomize:
 - ingress
 - name: elasticsearch
 path: observability
- source: core
 dependsOn:
 - pki-base
 force: true
 components:
 - elasticsearch
 - name: filebeat
- path: telemetry
- source: core
+ path: telemetry/base
 dependsOn:
 - elasticsearch
 force: true
@@ -116,7 +114,6 @@ kustomize:
 - filebeat
 - name: kibana
 path: observability
- source: core
 dependsOn:
 - elasticsearch
 force: true
diff --git a/kustomize/observability/elasticsearch/helm-release.yaml b/kustomize/observability/elasticsearch/helm-release.yaml
index a65898cff..4d67d9a21 100644
--- a/kustomize/observability/elasticsearch/helm-release.yaml
+++ b/kustomize/observability/elasticsearch/helm-release.yaml
@@ -16,6 +16,8 @@ spec:
 values:
 antiAffinity: "soft"
 replicas: 1
+ sysctlInitContainer:
+ enabled: false
 esJavaOpts: "-Xmx512m -Xms512m"
 resources:
 requests:
diff --git a/kustomize/telemetry/base/filebeat/helm-repository.yaml b/kustomize/telemetry/base/filebeat/helm-repository.yaml
index aecb37d46..5a34c9df7 100644
--- a/kustomize/telemetry/base/filebeat/helm-repository.yaml
+++ b/kustomize/telemetry/base/filebeat/helm-repository.yaml
@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
 name: elastic-filebeat
- namespace: system-observability
+ namespace: system-telemetry
 spec:
 interval: 1h
 url: https://helm.elastic.co
From f4c7b0fdb5ac71d44b704ef358bc71b6312a4194 Mon Sep 17 00:00:00 2001
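Review bot: `sysctlInitContainer.enabled: false` removes the chart's privileged init container, which is the right least-privilege call, but it also removes the only thing in this release that raised `vm.max_map_count`, and Elasticsearch's bootstrap check fails on nodes still at the kernel default. That value now has to come from the node; the Talos config patch earlier in this series is the natural place for it, but its body is not legible on this page, so I cannot confirm it sets the sysctl. A comment above the new lines such as `# vm.max_map_count is set in the Talos machine config, so the chart's privileged init container is not needed` would keep the coupling visible to the next reader.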
From: Hernan Dominguez
Date: Wed, 23 Apr 2025 14:34:49 +0200
Subject: [PATCH 04/13] WIP EFK to core
--- contexts/local/blueprint.yaml | 4 +- .../elasticsearch/certificates.yaml | 26 ++++++++++ .../elasticsearch/helm-release.yaml | 6 +++ .../elasticsearch/kustomization.yaml | 1 + .../telemetry/base/filebeat/certificates.yaml | 14 +++++ .../telemetry/base/filebeat/helm-release.yaml | 20 ++++++++ .../base/filebeat/kustomization.yaml | 2 + .../telemetry/base/filebeat/secret-mgr.yaml | 51 +++++++++++++++++++ windsor.yaml | 2 + 9 files changed, 124 insertions(+), 2 deletions(-)
create mode 100644 kustomize/observability/elasticsearch/certificates.yaml
create mode 100644 kustomize/telemetry/base/filebeat/certificates.yaml
create mode 100644 kustomize/telemetry/base/filebeat/secret-mgr.yaml
diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml
index ed698e93a..7df27a1f5 100644
--- a/contexts/local/blueprint.yaml
+++ b/contexts/local/blueprint.yaml
@@ -108,7 +108,7 @@ kustomize:
 - name: filebeat
 path: telemetry/base
 dependsOn:
- - elasticsearch
+ - elasticsearch
 force: true
 components:
 - filebeat
@@ -118,4 +118,4 @@ kustomize:
 - elasticsearch
 force: true
 components:
- - kibana
\ No newline at end of file
+ - kibana
diff --git a/kustomize/observability/elasticsearch/certificates.yaml b/kustomize/observability/elasticsearch/certificates.yaml
new file mode 100644
index 000000000..ea2b44e4a
--- /dev/null
+++ b/kustomize/observability/elasticsearch/certificates.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: elasticsearch
+ namespace: system-observability
+spec:
+ secretName: elasticsearch-master-certs
+ issuerRef:
+ name: private
+ kind: ClusterIssuer
+ commonName: elasticsearch
+ dnsNames:
+ - "elasticsearch-master"
+ - "elasticsearch-master.system-observability"
+ - "elasticsearch-master.system-observability.svc"
+ - "elasticsearch-master.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+ - "*.elasticsearch-master.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+ - "elasticsearch-master-headless"
+ - "elasticsearch-master-headless.system-observability"
+ - "elasticsearch-master-headless.system-observability.svc"
+ - "elasticsearch-master-headless.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+ - "*.elasticsearch-master-headless.system-observability.svc.${CLUSTER_DOMAIN:-cluster.local}"
+ usages:
+ - server auth
+ - client auth
diff --git a/kustomize/observability/elasticsearch/helm-release.yaml b/kustomize/observability/elasticsearch/helm-release.yaml
index 4d67d9a21..bc605a8f0 100644
--- a/kustomize/observability/elasticsearch/helm-release.yaml
+++ b/kustomize/observability/elasticsearch/helm-release.yaml
@@ -14,6 +14,12 @@ spec:
 name: elastic-elasticsearch
 namespace: system-observability
 values:
+ createCert: false
+ secretMounts:
+ - name: elastic-certificates
+ secretName: elasticsearch-master-certs
+ path: /usr/share/elasticsearch/config/certificates
+ defaultMode: 0755
 antiAffinity: "soft"
 replicas: 1
 sysctlInitContainer:
diff --git a/kustomize/observability/elasticsearch/kustomization.yaml b/kustomize/observability/elasticsearch/kustomization.yaml
index 84f402f63..23960542f 100644
--- a/kustomize/observability/elasticsearch/kustomization.yaml
+++ b/kustomize/observability/elasticsearch/kustomization.yaml
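Review bot: `defaultMode: 0755` on the `elasticsearch-master-certs` mount makes `tls.key` readable by every uid in the pod, which is wider than a private key needs; the Elasticsearch process runs as a single non-root user, so `defaultMode: 0440` (or decimal `288`, which sidesteps the YAML 1.1/1.2 octal ambiguity) is sufficient provided the pod's `fsGroup` matches. The execute bit serves no purpose on a flat secret volume. Worth a comment above `createCert: false` that the chart no longer generates any certificate, so the `ca.crt`/`tls.crt`/`tls.key` keys of that secret come entirely from the cert-manager Certificate added in this commit.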
@@ -3,3 +3,4 @@ kind: Component
 resources:
 - helm-release.yaml
 - helm-repository.yaml
+- certificates.yaml
\ No newline at end of file
diff --git a/kustomize/telemetry/base/filebeat/certificates.yaml b/kustomize/telemetry/base/filebeat/certificates.yaml
new file mode 100644
index 000000000..be57b6053
--- /dev/null
+++ b/kustomize/telemetry/base/filebeat/certificates.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: filebeat
+ namespace: system-telemetry
+spec:
+ secretName: filebeat-tls
+ issuerRef:
+ name: private
+ kind: ClusterIssuer
+ commonName: filebeat
+ usages:
+ - client auth
\ No newline at end of file
diff --git a/kustomize/telemetry/base/filebeat/helm-release.yaml b/kustomize/telemetry/base/filebeat/helm-release.yaml
index 9fbf19dab..8b5803e30 100644
--- a/kustomize/telemetry/base/filebeat/helm-release.yaml
+++ b/kustomize/telemetry/base/filebeat/helm-release.yaml
@@ -14,6 +14,26 @@ spec:
 name: elastic-filebeat
 namespace: system-telemetry
 values:
+ daemonset:
+ secretMounts:
+ - name: filebeat-tls
+ secretName: filebeat-tls
+ path: /usr/share/filebeat/certs/
+ extraEnvs:
+ - name: ELASTICSEARCH_HOSTS
+ value: "elasticsearch-master.system-observability.svc.cluster.local"
+ - name: "ELASTICSEARCH_USERNAME"
+ valueFrom:
+ secretKeyRef:
+ name: elasticsearch-master-credentials
+ key: username
+ - name: "ELASTICSEARCH_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: elasticsearch-master-credentials
+ key: password
+ - name: "ssl.certificate_authorities"
+ value: "/usr/share/filebeat/certs/ca.crt"
 resources:
 requests:
 cpu: "100m"
diff --git a/kustomize/telemetry/base/filebeat/kustomization.yaml b/kustomize/telemetry/base/filebeat/kustomization.yaml
index 84f402f63..aa1e7f270 100644
--- a/kustomize/telemetry/base/filebeat/kustomization.yaml
+++ b/kustomize/telemetry/base/filebeat/kustomization.yaml
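Review bot: The `ssl.certificate_authorities` entry in `extraEnvs` does not configure Filebeat — Beats take settings from `filebeat.yml` (with `${VAR}` expansion) and `-E` flags, not from arbitrarily named environment variables, so this CA path only takes effect if the chart's default `filebeat.yml` already references `/usr/share/filebeat/certs/ca.crt`. Set it under `filebeatConfig` as `output.elasticsearch.ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]` instead. The `filebeat-tls` client certificate mounted in `daemonset.secretMounts` is not referenced by any `ssl.certificate`/`ssl.key` setting in this hunk, so it is issued and mounted but never presented; either wire it in through `filebeatConfig` or drop the Certificate. Separately, `elasticsearch-master-credentials` is, by this chart's convention, the generated superuser account, and a log shipper only needs write access to its own indices, so a dedicated user or API key with a reduced role would limit what a compromised filebeat pod can do.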
@@ -1,5 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
+- secret-mgr.yaml
 - helm-release.yaml
 - helm-repository.yaml
+- certificates.yaml
\ No newline at end of file
diff --git a/kustomize/telemetry/base/filebeat/secret-mgr.yaml b/kustomize/telemetry/base/filebeat/secret-mgr.yaml
new file mode 100644
index 000000000..f19f6876b
--- /dev/null
+++ b/kustomize/telemetry/base/filebeat/secret-mgr.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secret-manager
+ namespace: system-telemetry
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secret-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: secret-manager
+ namespace: system-telemetry
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: secret-manager-init-job
+ namespace: system-telemetry
+spec:
+ backoffLimit: 10
+ template:
+ spec:
+ containers:
+ - name: copy-k8s-secret
+ image: bitnami/kubectl:1.31.2
+ command: ["/bin/sh", "-c", "--"]
+ args:
+ - |
+ kubectl get secret elasticsearch-master-credentials -n system-observability -o yaml \
+ | yq eval 'del(.metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp, .metadata.managedFields) | .metadata.namespace = "system-telemetry"' - \
+ | kubectl apply -n system-telemetry -f -
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ restartPolicy: Never
+ volumes:
+ - name: temp-volume
+ emptyDir: {}
+ serviceAccountName: secret-manager
+
diff --git a/windsor.yaml b/windsor.yaml
index 1c03a2933..fd3aab1b1 100644
--- a/windsor.yaml
+++ b/windsor.yaml
@@ -2,6 +2,8 @@ version: v1alpha1
 contexts:
 local:
 blueprint: full
+ environment:
+ FLUX_SYSTEM_NAMESPACE: system-gitops
 docker:
 enabled: true
 registries:
From 0715720804f50053bb1887ee2f0cb8453a9c231c Mon Sep 17 00:00:00 2001
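Review bot: The `ClusterRoleBinding` in `secret-mgr.yaml` grants the `secret-manager` ServiceAccount `cluster-admin` so a one-shot Job can read a single Secret in `system-observability` and write it into `system-telemetry`; the token mounted into that pod therefore carries full cluster control for as long as the binding exists, far beyond what the copy needs. Two namespaced Roles — `get` on the one named secret in the source namespace, and `get`/`create`/`patch` on secrets in the target (what `kubectl apply` performs) — cover the Job's actual needs, as sketched below. The Job also declares a `temp-volume` emptyDir that nothing mounts, and because it runs once, a later rotation of `elasticsearch-master-credentials` leaves the copy stale (a Flux-native or reflector-style sync, or running filebeat in the same namespace as the secret, avoids the copy altogether). I cannot confirm from the hunk that `bitnami/kubectl:1.31.2` ships `yq`; if it does not, the pipeline fails on every one of the ten retries.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-manager-read
  namespace: system-observability
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["elasticsearch-master-credentials"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-manager-write
  namespace: system-telemetry
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-manager-read
  namespace: system-observability
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-manager-read
subjects:
  - kind: ServiceAccount
    name: secret-manager
    namespace: system-telemetry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-manager-write
  namespace: system-telemetry
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-manager-write
subjects:
  - kind: ServiceAccount
    name: secret-manager
    namespace: system-telemetry
# … unchanged: ServiceAccount and Job (ClusterRoleBinding removed) …
```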
From: Hernan Dominguez
Date: Wed, 23 Apr 2025 14:56:52 +0200
Subject: [PATCH 05/13] Kibana ssl config
--- kustomize/observability/kibana/helm-release.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/kustomize/observability/kibana/helm-release.yaml b/kustomize/observability/kibana/helm-release.yaml
index 587fcd909..0d367fa99 100644
--- a/kustomize/observability/kibana/helm-release.yaml
+++ b/kustomize/observability/kibana/helm-release.yaml
@@ -14,6 +14,11 @@ spec:
 name: elastic-kibana
 namespace: system-observability
 values:
+ kibanaConfig:
+ kibana.yml: |
+ elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
+ elasticsearch.ssl.certificate: "/usr/share/kibana/config/certs/tls.crt"
+ elasticsearch.ssl.key: "/usr/share/kibana/config/certs/tls.key"
 resources:
 requests:
 cpu: "1000m"
From 9768cde409564044629a7fc520ddedb1d455d002 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 24 Apr 2025 00:33:02 +0200
Subject: [PATCH 06/13] Fixes certs issues
--- .../elasticsearch/helm-release.yaml | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/kustomize/observability/elasticsearch/helm-release.yaml b/kustomize/observability/elasticsearch/helm-release.yaml
index bc605a8f0..ff199779d 100644
--- a/kustomize/observability/elasticsearch/helm-release.yaml
+++ b/kustomize/observability/elasticsearch/helm-release.yaml
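Review bot: `elasticsearch.ssl.certificate`/`elasticsearch.ssl.key` make Kibana present a client certificate from `/usr/share/kibana/config/certs`, but the hunk does not show which Secret is mounted there; if it is the chart's default (`elasticsearch-master-certs`, the same secret Elasticsearch serves with), Kibana authenticates to Elasticsearch with Elasticsearch's own private key, and only the `client auth` usage on that Certificate makes it work. A separate cert-manager Certificate for Kibana with `usages: [client auth]`, mirroring what this series does for filebeat, gives each component its own identity and lets the keys be rotated or revoked independently. `elasticsearch.ssl.verificationMode` is left at its default of `full`, which is correct given the SANs on the Elasticsearch certificate — a comment saying so would stop someone relaxing it the first time a hostname mismatch appears.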
@@ -16,10 +16,31 @@ spec:
 values:
 createCert: false
 secretMounts:
- - name: elastic-certificates
+ - name: elasticsearch-certificates
 secretName: elasticsearch-master-certs
 path: /usr/share/elasticsearch/config/certificates
 defaultMode: 0755
+ extraEnvs:
+ - name: xpack.security.enabled
+ value: "true"
+ - name: xpack.security.transport.ssl.enabled
+ value: "true"
+ - name: xpack.security.http.ssl.enabled
+ value: "true"
+ - name: xpack.security.transport.ssl.verification_mode
+ value: "certificate"
+ - name: xpack.security.transport.ssl.key
+ value: "/usr/share/elasticsearch/config/certificates/tls.key"
+ - name: xpack.security.transport.ssl.certificate
+ value: "/usr/share/elasticsearch/config/certificates/tls.crt"
+ - name: xpack.security.transport.ssl.certificate_authorities
+ value: "/usr/share/elasticsearch/config/certificates/ca.crt"
+ - name: xpack.security.http.ssl.key
+ value: "/usr/share/elasticsearch/config/certificates/tls.key"
+ - name: xpack.security.http.ssl.certificate
+ value: "/usr/share/elasticsearch/config/certificates/tls.crt"
+ - name: xpack.security.http.ssl.certificate_authorities
+ value: "/usr/share/elasticsearch/config/certificates/ca.crt"
 antiAffinity: "soft"
 replicas: 1
 sysctlInitContainer:
From ef941578c56f67448d0825fb678d5b0d4a99abef Mon Sep 17 00:00:00 2001
From: Ryan VanGundy
Date: Thu, 24 Apr 2025 07:54:28 -0400
Subject: [PATCH 07/13] Add ingress
--- contexts/local/blueprint.yaml | 45 +++++--------- .../observability/kibana/ingress/ingress.yaml | 20 +++++++ .../kibana/ingress/kustomization.yaml | 4 ++ terraform/cluster/talos/.terraform.lock.hcl | 59 +++++++++---------- terraform/gitops/flux/.terraform.lock.hcl | 32 +++++----- 5 files changed, 85 insertions(+), 75 deletions(-)
create mode 100644 kustomize/observability/kibana/ingress/ingress.yaml
create mode 100644 kustomize/observability/kibana/ingress/kustomization.yaml
diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml
index 7df27a1f5..c5a886edc 100644
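Review bot: `xpack.security.transport.ssl.certificate_authorities` trusts the `ca.crt` of the `private` ClusterIssuer, which is the same issuer that signs the filebeat client certificate in this series (and is named on the Kibana Ingress in the next commit); with transport client authentication at its default of required, any workload holding a certificate from that issuer completes the TLS handshake on the node-to-node transport port, and `verification_mode: "certificate"` does not narrow that, since it only governs hostname checks on outgoing connections. Issue transport certificates from a dedicated CA/ClusterIssuer and point `xpack.security.transport.ssl.certificate_authorities` only at it, keeping `private` for the HTTP layer — or at minimum restrict the transport port to the Elasticsearch pods with a NetworkPolicy. These settings are delivered as pod environment variables rather than through `esConfig`, so a reader has to know that the image entrypoint translates dotted env names into `elasticsearch.yml` settings; a comment to that effect above `extraEnvs:` would help. The enclosing `values:` mapping continues outside the hunk.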
--- a/contexts/local/blueprint.yaml +++ b/contexts/local/blueprint.yaml @@ -14,24 +14,19 @@ sources: ref: branch: main terraform: -- source: core - path: cluster/talos -- source: core - path: gitops/flux +- path: cluster/talos +- path: gitops/flux kustomize: - name: policy-base path: policy/base - source: core components: - kyverno - name: policy-resources path: policy/resources - source: core dependsOn: - policy-base - name: csi path: csi - source: core dependsOn: - policy-resources force: true @@ -40,7 +35,6 @@ kustomize: - openebs/dynamic-localpv - name: ingress-base path: ingress/base - source: core dependsOn: - pki-resources force: true @@ -52,7 +46,6 @@ kustomize: - nginx/web - name: pki-base path: pki/base - source: core dependsOn: - policy-resources force: true @@ -61,7 +54,6 @@ kustomize: - trust-manager - name: pki-resources path: pki/resources - source: core dependsOn: - pki-base force: true @@ -70,7 +62,6 @@ kustomize: - public-issuer/selfsigned - name: dns path: dns - source: core dependsOn: - ingress-base - pki-base @@ -84,38 +75,34 @@ kustomize: - external-dns/ingress - name: gitops path: gitops/flux - source: core dependsOn: - ingress-base force: true components: - webhook -- name: demo - path: demo/bookinfo - source: core - dependsOn: - - ingress-base - force: true - components: - - ingress -- name: elasticsearch - path: observability +- name: telemetry-base + path: telemetry/base dependsOn: - pki-base force: true components: - - elasticsearch -- name: filebeat - path: telemetry/base + - prometheus + - filebeat +- name: telemetry-resources + path: telemetry/resources dependsOn: - - elasticsearch + - telemetry-base force: true components: - - filebeat -- name: kibana + - metrics-server + - prometheus +- name: observability path: observability dependsOn: - - elasticsearch + - pki-base force: true components: + - elasticsearch - kibana + - kibana/ingress + - grafana 
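Review bot: filebeat's explicit `dependsOn: elasticsearch` is gone — it now sits under `telemetry-base`, which depends only on `pki-base`, while `observability` (where `elasticsearch` is reconciled) has no ordering relation to it. The `secret-manager-init-job` in `kustomize/telemetry/base/filebeat/secret-mgr.yaml` copies `elasticsearch-master-credentials` out of `system-observability`, so on a fresh cluster that Job can now start before the Secret exists and exhaust its `backoffLimit: 10`. Add `observability` to `telemetry-base`'s `dependsOn` (no cycle results, since `observability` only depends on `pki-base`), or move filebeat to a Kustomization that depends on it. The `prometheus`, `metrics-server` and `grafana` components referenced here are not added by this series; presumably they already exist, but that cannot be confirmed from this diff.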
diff --git a/kustomize/observability/kibana/ingress/ingress.yaml b/kustomize/observability/kibana/ingress/ingress.yaml
new file mode 100644
index 000000000..915aba199
--- /dev/null
+++ b/kustomize/observability/kibana/ingress/ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kibana
+ namespace: system-observability
+ annotations:
+ cert-manager.io/cluster-issuer: private
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+ rules:
+ - host: kibana.${DOMAIN}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kibana-kibana
+ port:
+ number: 5601
diff --git a/kustomize/observability/kibana/ingress/kustomization.yaml b/kustomize/observability/kibana/ingress/kustomization.yaml
new file mode 100644
index 000000000..fb7103238
--- /dev/null
+++ b/kustomize/observability/kibana/ingress/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - ingress.yaml
diff --git a/terraform/cluster/talos/.terraform.lock.hcl b/terraform/cluster/talos/.terraform.lock.hcl
index 11bd751e9..1d450b506 100644
--- a/terraform/cluster/talos/.terraform.lock.hcl
+++ b/terraform/cluster/talos/.terraform.lock.hcl
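Review bot: The Ingress carries `cert-manager.io/cluster-issuer: private` but has no `spec.tls` block, and cert-manager's ingress-shim only issues a certificate for hosts listed under `spec.tls`; as written, `kibana.${DOMAIN}` gets no cert-manager certificate at all (the controller serves it plain or with its default certificate, depending on its configuration), while `backend-protocol: "HTTPS"` only covers the hop from the controller to Kibana. Adding the `tls` entry below makes the host terminate TLS with a certificate from `private`. Setting `spec.ingressClassName` explicitly rather than relying on the cluster default would also make the manifest self-describing.
```yaml
spec:
  tls:
    - hosts:
        - kibana.${DOMAIN}
      secretName: kibana-tls  # secret name is a suggestion
  # … unchanged: rules …
```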
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.93.0" + version = "5.95.0" hashes = [ - "h1:SbzGotY1leY5nnLo/PJOcwIlNTHdZpAErxJSrfr2tTg=", - "zh:00e1b15e6f02cdc788fe855232b63ccce6652930080eac3ba4b8a2e35db02b23", - "zh:3a77ee12e4f5ab2e7b320a0f507389c9171ab82c50d39ae7caa5a1fb2bd95cb3", - "zh:3e32d58e139d098d867eef37914fef01fffb08504d828e0f384c2ffc18d71f80", - "zh:41cf69a525f0fbe0fdb71d26be7ff5e20bb90ccdf5af32c83ed53f0ca2f071b5", - "zh:43055bdd0786855cf7242638a74b579f74f4f1a8e7c7e5e0e50230c8f6b908cb", - "zh:4ac4c29aa0de842ad91145c5a5fba21338531ffca13a510927d445e007a24938", - "zh:57e510498b3aeb6d6155c10fa195e1d5502e763899251057e59e73f653d1e262", - "zh:8f749645b27dba1a07d06aaf9d5596fc4213123f12f3808d68539e78ab16996e", + "h1:PUug/LLWa4GM08rXqnmCVUXj8ibCTvQxgvawhat3bMo=", + "zh:20aac8c95edd444e659f235d19fa6af9b259c5a70fce19d400539ee88687e7d4", + "zh:29c55846fadd19dde0c5108f74d507c296d6c37cabdd466a96d3721a7c261743", + "zh:325fa5cb42d58c9203c279450863c49e534672f7101c067af465f9d7f4be3be5", + "zh:4f18c643584f7ba554399c0db3dd1c81629dfc2508a8777890f9f3b80b5213b7", + "zh:561e38e9cc6f0be5470c187ea8d51047c4133d9cb74cc1c364a9ebe41f40a06b", + "zh:6ec2cceed96ca5e47591ef11686614c663b05e112a814d24246a2739066577b6", + "zh:710a227c02b8a50f75a82a7f063d2416e85783e02ed91bb22cc12e7a8e11a3cf", + "zh:97a2f5e9bf4cf9a38274eddb7967e1cb4e5b04960c7da3603d9b1c15e18b8626", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:aaca5934ac6273d48922ad7685c5fc2aa7ef5275346a9e70366b7a180a788d41", - "zh:b7585b720a97467302f2e29f0688a5a746778f7b73c30eb085c25831decba1e1", - "zh:c16ae0a46d796858c49a89dd90e5ca92f793e646474fadeafaf701def4a4aa83", - "zh:d66bdc9cd5108452d9dba44082e504ff5e3a3001c8f853bbcaff850cb2127a21", - "zh:ee1aec6c44b117a6c8b7159ee7dc82f1ddac6ba434b4e6c493717738326f0a99", - "zh:f0da48692e00ecacea72d7104714d9721f6be40ba094490c442bb3e68d2e2604", + 
"zh:bf6bfb01fff8226d86c1b219d67cd96f37bb9312b17d00340e6ff00dda2dbe82", + "zh:cba74d606149cbaaa8dfb69f369f2496b851643a879adc24b11515fcece42b66", + "zh:d5a2c36739cab677a48f4856958c96be6f018ff0da50d233ca93a3a21aaceca1", + "zh:df5d1466144852fe5da4af0628db6f02b5186c59f683e5085705d9b90cacfbc0", + "zh:f82d96b45983b3c73b78dced9e344512b7a9adb06e8c1e3e4f422605efbb756d", + "zh:fb523f787077270059a8f3ab52c0fc56257c0b3a06f0219be247c8b15ff0ca2a", ] } 
@@ -44,22 +44,21 @@ provider "registry.terraform.io/hashicorp/local" { } provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" + version = "3.2.4" hashes = [ - "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", - "h1:obXguGZUWtNAO09f1f9Cb7hsPCOGXuGdN8bn/ohKRBQ=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "h1:L5V05xwp/Gto1leRryuesxjMfgZwjb7oool4WS1UEFQ=", + "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", + "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", + "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", + "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", + "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", + "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", + "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", + "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", + "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", + 
"zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", ] } diff --git a/terraform/gitops/flux/.terraform.lock.hcl b/terraform/gitops/flux/.terraform.lock.hcl index d9cd36325..5410a561f 100644 --- a/terraform/gitops/flux/.terraform.lock.hcl +++ b/terraform/gitops/flux/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.93.0" + version = "5.95.0" hashes = [ - "h1:SbzGotY1leY5nnLo/PJOcwIlNTHdZpAErxJSrfr2tTg=", - "zh:00e1b15e6f02cdc788fe855232b63ccce6652930080eac3ba4b8a2e35db02b23", - "zh:3a77ee12e4f5ab2e7b320a0f507389c9171ab82c50d39ae7caa5a1fb2bd95cb3", - "zh:3e32d58e139d098d867eef37914fef01fffb08504d828e0f384c2ffc18d71f80", - "zh:41cf69a525f0fbe0fdb71d26be7ff5e20bb90ccdf5af32c83ed53f0ca2f071b5", - "zh:43055bdd0786855cf7242638a74b579f74f4f1a8e7c7e5e0e50230c8f6b908cb", - "zh:4ac4c29aa0de842ad91145c5a5fba21338531ffca13a510927d445e007a24938", - "zh:57e510498b3aeb6d6155c10fa195e1d5502e763899251057e59e73f653d1e262", - "zh:8f749645b27dba1a07d06aaf9d5596fc4213123f12f3808d68539e78ab16996e", + "h1:PUug/LLWa4GM08rXqnmCVUXj8ibCTvQxgvawhat3bMo=", + "zh:20aac8c95edd444e659f235d19fa6af9b259c5a70fce19d400539ee88687e7d4", + "zh:29c55846fadd19dde0c5108f74d507c296d6c37cabdd466a96d3721a7c261743", + "zh:325fa5cb42d58c9203c279450863c49e534672f7101c067af465f9d7f4be3be5", + "zh:4f18c643584f7ba554399c0db3dd1c81629dfc2508a8777890f9f3b80b5213b7", + "zh:561e38e9cc6f0be5470c187ea8d51047c4133d9cb74cc1c364a9ebe41f40a06b", + "zh:6ec2cceed96ca5e47591ef11686614c663b05e112a814d24246a2739066577b6", + "zh:710a227c02b8a50f75a82a7f063d2416e85783e02ed91bb22cc12e7a8e11a3cf", + "zh:97a2f5e9bf4cf9a38274eddb7967e1cb4e5b04960c7da3603d9b1c15e18b8626", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:aaca5934ac6273d48922ad7685c5fc2aa7ef5275346a9e70366b7a180a788d41", - "zh:b7585b720a97467302f2e29f0688a5a746778f7b73c30eb085c25831decba1e1", - "zh:c16ae0a46d796858c49a89dd90e5ca92f793e646474fadeafaf701def4a4aa83", - "zh:d66bdc9cd5108452d9dba44082e504ff5e3a3001c8f853bbcaff850cb2127a21", - "zh:ee1aec6c44b117a6c8b7159ee7dc82f1ddac6ba434b4e6c493717738326f0a99", - "zh:f0da48692e00ecacea72d7104714d9721f6be40ba094490c442bb3e68d2e2604", + 
"zh:bf6bfb01fff8226d86c1b219d67cd96f37bb9312b17d00340e6ff00dda2dbe82", + "zh:cba74d606149cbaaa8dfb69f369f2496b851643a879adc24b11515fcece42b66", + "zh:d5a2c36739cab677a48f4856958c96be6f018ff0da50d233ca93a3a21aaceca1", + "zh:df5d1466144852fe5da4af0628db6f02b5186c59f683e5085705d9b90cacfbc0", + "zh:f82d96b45983b3c73b78dced9e344512b7a9adb06e8c1e3e4f422605efbb756d", + "zh:fb523f787077270059a8f3ab52c0fc56257c0b3a06f0219be247c8b15ff0ca2a", ] } From 8e4683ab372cd6baed110994945a086ba3a8764e Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 24 Apr 2025 15:25:37 +0200 Subject: [PATCH 08/13] Fix kibana ingress --- .../observability/kibana/ingress/ingress.yaml | 2 +- terraform/cluster/talos/.terraform.lock.hcl | 22 ------------------- terraform/gitops/flux/.terraform.lock.hcl | 22 ------------------- windsor.yaml | 4 +++- 4 files changed, 4 insertions(+), 46 deletions(-) diff --git a/kustomize/observability/kibana/ingress/ingress.yaml b/kustomize/observability/kibana/ingress/ingress.yaml index 915aba199..b9f5065c7 100644 --- a/kustomize/observability/kibana/ingress/ingress.yaml +++ b/kustomize/observability/kibana/ingress/ingress.yaml @@ -5,8 +5,8 @@ metadata: namespace: system-observability annotations: cert-manager.io/cluster-issuer: private - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" spec: + ingressClassName: nginx rules: - host: kibana.${DOMAIN} http: diff --git a/terraform/cluster/talos/.terraform.lock.hcl b/terraform/cluster/talos/.terraform.lock.hcl index 1d450b506..796e04a99 100644 --- a/terraform/cluster/talos/.terraform.lock.hcl +++ b/terraform/cluster/talos/.terraform.lock.hcl 
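Review bot: Dropping the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation means ingress-nginx now proxies plain HTTP to the Kibana service, and the hunk does not say whether Kibana's own TLS listener was switched off to match. If the chart still serves HTTPS the backend calls fail with a protocol error; if it was switched to HTTP, the ingress-to-pod hop inside the cluster is now cleartext, which deserves a line next to `ingressClassName: nginx` such as `# Kibana serves plain HTTP; TLS terminates at the ingress (cluster-issuer: private)`. The `spec.tls` block and the remainder of the rule lie outside the hunk, so I cannot confirm that the inbound side still carries the cert-manager certificate.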
@@ -1,28 +1,6 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/aws" { - version = "5.95.0" - hashes = [ - "h1:PUug/LLWa4GM08rXqnmCVUXj8ibCTvQxgvawhat3bMo=", - "zh:20aac8c95edd444e659f235d19fa6af9b259c5a70fce19d400539ee88687e7d4", - "zh:29c55846fadd19dde0c5108f74d507c296d6c37cabdd466a96d3721a7c261743", - "zh:325fa5cb42d58c9203c279450863c49e534672f7101c067af465f9d7f4be3be5", - "zh:4f18c643584f7ba554399c0db3dd1c81629dfc2508a8777890f9f3b80b5213b7", - "zh:561e38e9cc6f0be5470c187ea8d51047c4133d9cb74cc1c364a9ebe41f40a06b", - "zh:6ec2cceed96ca5e47591ef11686614c663b05e112a814d24246a2739066577b6", - "zh:710a227c02b8a50f75a82a7f063d2416e85783e02ed91bb22cc12e7a8e11a3cf", - "zh:97a2f5e9bf4cf9a38274eddb7967e1cb4e5b04960c7da3603d9b1c15e18b8626", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:bf6bfb01fff8226d86c1b219d67cd96f37bb9312b17d00340e6ff00dda2dbe82", - "zh:cba74d606149cbaaa8dfb69f369f2496b851643a879adc24b11515fcece42b66", - "zh:d5a2c36739cab677a48f4856958c96be6f018ff0da50d233ca93a3a21aaceca1", - "zh:df5d1466144852fe5da4af0628db6f02b5186c59f683e5085705d9b90cacfbc0", - "zh:f82d96b45983b3c73b78dced9e344512b7a9adb06e8c1e3e4f422605efbb756d", - "zh:fb523f787077270059a8f3ab52c0fc56257c0b3a06f0219be247c8b15ff0ca2a", - ] -} - provider "registry.terraform.io/hashicorp/local" { version = "2.5.2" hashes = [ diff --git a/terraform/gitops/flux/.terraform.lock.hcl b/terraform/gitops/flux/.terraform.lock.hcl index 5410a561f..acc3198db 100644 --- a/terraform/gitops/flux/.terraform.lock.hcl +++ b/terraform/gitops/flux/.terraform.lock.hcl 
@@ -1,28 +1,6 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/aws" { - version = "5.95.0" - hashes = [ - "h1:PUug/LLWa4GM08rXqnmCVUXj8ibCTvQxgvawhat3bMo=", - "zh:20aac8c95edd444e659f235d19fa6af9b259c5a70fce19d400539ee88687e7d4", - "zh:29c55846fadd19dde0c5108f74d507c296d6c37cabdd466a96d3721a7c261743", - "zh:325fa5cb42d58c9203c279450863c49e534672f7101c067af465f9d7f4be3be5", - "zh:4f18c643584f7ba554399c0db3dd1c81629dfc2508a8777890f9f3b80b5213b7", - "zh:561e38e9cc6f0be5470c187ea8d51047c4133d9cb74cc1c364a9ebe41f40a06b", - "zh:6ec2cceed96ca5e47591ef11686614c663b05e112a814d24246a2739066577b6", - "zh:710a227c02b8a50f75a82a7f063d2416e85783e02ed91bb22cc12e7a8e11a3cf", - "zh:97a2f5e9bf4cf9a38274eddb7967e1cb4e5b04960c7da3603d9b1c15e18b8626", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:bf6bfb01fff8226d86c1b219d67cd96f37bb9312b17d00340e6ff00dda2dbe82", - "zh:cba74d606149cbaaa8dfb69f369f2496b851643a879adc24b11515fcece42b66", - "zh:d5a2c36739cab677a48f4856958c96be6f018ff0da50d233ca93a3a21aaceca1", - "zh:df5d1466144852fe5da4af0628db6f02b5186c59f683e5085705d9b90cacfbc0", - "zh:f82d96b45983b3c73b78dced9e344512b7a9adb06e8c1e3e4f422605efbb756d", - "zh:fb523f787077270059a8f3ab52c0fc56257c0b3a06f0219be247c8b15ff0ca2a", - ] -} - provider "registry.terraform.io/hashicorp/helm" { version = "2.17.0" hashes = [ diff --git a/windsor.yaml b/windsor.yaml index fd3aab1b1..1d76c1387 100644 --- a/windsor.yaml +++ b/windsor.yaml @@ -57,5 +57,7 @@ contexts: network: cidr_block: 10.5.0.0/16 dns: - enabled: false + enabled: true domain: test + forward: + - 10.5.0.1:8053 From c943de5d33b1da5fc371934b817d2f85a09a50b3 Mon Sep 17 00:00:00 2001 
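Review bot: `dns.enabled` is flipped to `true` and a `forward` target `10.5.0.1:8053` is added here, but patch 09 sets `enabled: false` again and patch 10 removes the `forward` block entirely, so the three windsor.yaml hunks cancel out and would read better squashed into one. Nothing in the hunk says what answers on `10.5.0.1:8053`; if the forwarder is kept, a one-line comment above `forward:` naming that resolver would spare the next reader a guess. `dns` is the last key visible, so I cannot see whether anything else in the `network` block depends on it.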
From: Hernan Dominguez
Date: Thu, 24 Apr 2025 16:39:33 +0200
Subject: [PATCH 09/13] Adds renovate config
---
 kustomize/observability/elasticsearch/helm-release.yaml | 1 +
 kustomize/observability/kibana/helm-release.yaml | 1 +
 kustomize/telemetry/base/filebeat/helm-release.yaml | 1 +
 windsor.yaml | 2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/kustomize/observability/elasticsearch/helm-release.yaml b/kustomize/observability/elasticsearch/helm-release.yaml
index ff199779d..2fd4df0e9 100644
--- a/kustomize/observability/elasticsearch/helm-release.yaml
+++ b/kustomize/observability/elasticsearch/helm-release.yaml
@@ -8,6 +8,7 @@ spec:
 chart:
 spec:
 chart: elasticsearch
+ # renovate: datasource=helm depName=elasticsearch package=elasticsearch helmRepo=https://helm.elastic.co
 version: "8.5.1"
 sourceRef:
 kind: HelmRepository
diff --git a/kustomize/observability/kibana/helm-release.yaml b/kustomize/observability/kibana/helm-release.yaml
index 0d367fa99..436783fff 100644
--- a/kustomize/observability/kibana/helm-release.yaml
+++ b/kustomize/observability/kibana/helm-release.yaml
@@ -8,6 +8,7 @@ spec:
 chart:
 spec:
 chart: kibana
+ # renovate: datasource=helm depName=kibana package=kibana helmRepo=https://helm.elastic.co
 version: "8.5.1"
 sourceRef:
 kind: HelmRepository
diff --git a/kustomize/telemetry/base/filebeat/helm-release.yaml b/kustomize/telemetry/base/filebeat/helm-release.yaml
index 8b5803e30..f059d4841 100644
--- a/kustomize/telemetry/base/filebeat/helm-release.yaml
+++ b/kustomize/telemetry/base/filebeat/helm-release.yaml
@@ -8,6 +8,7 @@ spec:
 chart:
 spec:
 chart: filebeat
+ # renovate: datasource=helm depName=filebeat package=filebeat helmRepo=https://helm.elastic.co
 version: "8.5.1"
 sourceRef:
 kind: HelmRepository
diff --git a/windsor.yaml b/windsor.yaml
index 1d76c1387..9d858fddc 100644
--- a/windsor.yaml
+++ b/windsor.yaml
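Review bot: The renovate markers added above `version: "8.5.1"` in all three helm-release.yaml files (elasticsearch, kibana, filebeat) point at `https://helm.elastic.co`, where, as far as I know, 8.5.1 is the final release of the deprecated elastic/helm-charts line, so Renovate will never propose a newer chart and the marker gives a false sense of the dependency being tracked. If that is right, the Elasticsearch, Kibana and Filebeat images inside these releases stay on 8.5.x unless an `image.tag` override is tracked separately, which matters more for security patches than the chart version does. A comment such as `# elastic/helm-charts is archived; 8.5.1 is its last release — track image tags separately / plan ECK migration` beside the marker would record that. The HelmRelease values continue outside the hunks, so I cannot see whether such overrides exist.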
@@ -57,7 +57,7 @@ contexts:
 network:
 cidr_block: 10.5.0.0/16
 dns:
- enabled: true
+ enabled: false
 domain: test
 forward:
 - 10.5.0.1:8053
From c7ef4c92d0448b5114ae092a60423c8c27f27fe3 Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 24 Apr 2025 16:51:48 +0200
Subject: [PATCH 10/13] Revert blueprint.yaml and windsor.yaml changes
---
 contexts/local/blueprint.yaml | 42 ++++++++++++++--------------------
 windsor.yaml | 8 +------
 2 files changed, 18 insertions(+), 32 deletions(-)
diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml
index c5a886edc..ba820922d 100644
--- a/contexts/local/blueprint.yaml
+++ b/contexts/local/blueprint.yaml
@@ -14,19 +14,24 @@ sources:
 ref:
 branch: main
 terraform:
-- path: cluster/talos
-- path: gitops/flux
+- source: core
+ path: cluster/talos
+- source: core
+ path: gitops/flux
 kustomize:
 - name: policy-base
 path: policy/base
+ source: core
 components:
 - kyverno
 - name: policy-resources
 path: policy/resources
+ source: core
 dependsOn:
 - policy-base
 - name: csi
 path: csi
+ source: core
 dependsOn:
 - policy-resources
 force: true
@@ -35,6 +40,7 @@ kustomize:
 - openebs/dynamic-localpv
 - name: ingress-base
 path: ingress/base
+ source: core
 dependsOn:
 - pki-resources
 force: true
@@ -46,6 +52,7 @@ kustomize:
 - nginx/web
 - name: pki-base
 path: pki/base
+ source: core
 dependsOn:
 - policy-resources
 force: true
@@ -54,6 +61,7 @@ kustomize:
 - trust-manager
 - name: pki-resources
 path: pki/resources
+ source: core
 dependsOn:
 - pki-base
 force: true
@@ -62,6 +70,7 @@ kustomize:
 - public-issuer/selfsigned
 - name: dns
 path: dns
+ source: core
 dependsOn:
 - ingress-base
 - pki-base
@@ -75,34 +84,17 @@ kustomize:
 - external-dns/ingress
 - name: gitops
 path: gitops/flux
+ source: core
 dependsOn:
 - ingress-base
 force: true
 components:
 - webhook
-- name: telemetry-base
- path: telemetry/base
- dependsOn:
- - pki-base
- force: true
- components:
- - prometheus
- - filebeat
-- name: telemetry-resources
- path: telemetry/resources
+- name: demo
+ path: demo/bookinfo
+ source: core
 dependsOn:
- - telemetry-base
- force: true
- components:
- - metrics-server
- - prometheus
-- name: observability
- path: observability
- dependsOn:
- - pki-base
+ - ingress-base
 force: true
 components:
- - elasticsearch
- - kibana
- - kibana/ingress
- - grafana
+ - ingress
diff --git a/windsor.yaml b/windsor.yaml
index 9d858fddc..c189add80 100644
--- a/windsor.yaml
+++ b/windsor.yaml
@@ -1,9 +1,6 @@
 version: v1alpha1
 contexts:
 local:
- blueprint: full
- environment:
- FLUX_SYSTEM_NAMESPACE: system-gitops
 docker:
 enabled: true
 registries:
@@ -37,7 +34,6 @@ contexts:
 driver: docker-desktop
 cluster:
 enabled: true
- platform: local
 driver: talos
 controlplanes:
 count: 1
@@ -58,6 +54,4 @@ contexts:
 cidr_block: 10.5.0.0/16
 dns:
 enabled: false
- domain: test
- forward:
- - 10.5.0.1:8053
+ domain: test
\ No newline at end of file
From 9fd02c5dff83ed7b269f5eea18e323117b9a1fef Mon Sep 17 00:00:00 2001
From: Hernan Dominguez
Date: Thu, 24 Apr 2025 17:02:18 +0200
Subject: [PATCH 11/13] Adds README and reverts talos.tfvars
---
 contexts/local/terraform/cluster/talos.tfvars | 50 +------------------
 .../observability/elasticsearch/README.md | 9 ++++
 2 files changed, 11 insertions(+), 48 deletions(-)
 create mode 100644 kustomize/observability/elasticsearch/README.md
diff --git a/contexts/local/terraform/cluster/talos.tfvars b/contexts/local/terraform/cluster/talos.tfvars
index 62cee285c..f81ee3d0a 100644
--- a/contexts/local/terraform/cluster/talos.tfvars
+++ b/contexts/local/terraform/cluster/talos.tfvars
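Review bot: The new side of the `@@ -75,34 +84,17 @@` hunk drops the `telemetry-base`, `telemetry-resources` and `observability` entries from contexts/local/blueprint.yaml, so the elasticsearch, kibana, kibana/ingress and filebeat kustomizations that earlier patches in this series add and fix are no longer referenced by the local context unless the `source: core` entries pull them in from a blueprint I cannot see here. The commit title says revert, yet the result keeps `demo/bookinfo` and the `source: core` keys, so it is a replacement rather than a plain revert; a sentence in the commit message saying where the EFK components are now wired in would make the series easier to follow. The `kustomize:` list begins before the hunk.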
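Review bot: The `@@ -58,6 +54,4 @@` hunk in windsor.yaml replaces `domain: test` with an identical line that lacks the trailing newline (`\ No newline at end of file`), which is the same defect patches 12 and 13 fix in other files but leave in place here. Keeping the original line with its newline makes the hunk a pure deletion of the `forward` block: the `- domain: test` / `+ domain: test` pair should collapse to the single context line ` domain: test`.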
@@ -8,51 +8,7 @@ cluster_endpoint = "https://127.0.0.1:6443" cluster_name = "talos" // A YAML string of common config patches to apply -common_config_patches = < Date: Thu, 24 Apr 2025 17:36:05 +0200 Subject: [PATCH 12/13] EOF --- kustomize/observability/elasticsearch/kustomization.yaml | 2 +- kustomize/telemetry/base/filebeat/certificates.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kustomize/observability/elasticsearch/kustomization.yaml b/kustomize/observability/elasticsearch/kustomization.yaml index 23960542f..58f470dfe 100644 --- a/kustomize/observability/elasticsearch/kustomization.yaml +++ b/kustomize/observability/elasticsearch/kustomization.yaml @@ -3,4 +3,4 @@ kind: Component resources: - helm-release.yaml - helm-repository.yaml -- certificates.yaml \ No newline at end of file +- certificates.yaml diff --git a/kustomize/telemetry/base/filebeat/certificates.yaml b/kustomize/telemetry/base/filebeat/certificates.yaml index be57b6053..1491af822 100644 --- a/kustomize/telemetry/base/filebeat/certificates.yaml +++ b/kustomize/telemetry/base/filebeat/certificates.yaml @@ -11,4 +11,4 @@ spec: kind: ClusterIssuer commonName: filebeat usages: - - client auth \ No newline at end of file + - client auth From 9ad48d9de72db25c11ab8da5cc3287586ac934d1 Mon Sep 17 00:00:00 2001 From: Hernan Dominguez Date: Thu, 24 Apr 2025 17:37:23 +0200 Subject: [PATCH 13/13] EOF --- kustomize/telemetry/base/filebeat/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kustomize/telemetry/base/filebeat/kustomization.yaml b/kustomize/telemetry/base/filebeat/kustomization.yaml index aa1e7f270..58200249a 100644 --- a/kustomize/telemetry/base/filebeat/kustomization.yaml +++ b/kustomize/telemetry/base/filebeat/kustomization.yaml @@ -4,4 +4,4 @@ resources: - secret-mgr.yaml - helm-release.yaml - helm-repository.yaml -- certificates.yaml \ No newline at end of file +- certificates.yaml