gitops: add kube-prometheus

gitops/home-kubernetes/flux-system/extra-kustomizations.yaml

@@ -27,6 +27,19 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: kube-prometheus
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./gitops/home-kubernetes/kube-prometheus
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: ingress-nginx
   namespace: flux-system

gitops/home-kubernetes/kube-prometheus/helmrelease.yaml

@@ -0,0 +1,81 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: kube-prometheus-stack
+  namespace: monitoring
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community
+        namespace: flux-system
+  install:
+    createNamespace: true
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  values:
+    prometheus:
+      prometheusSpec:
+        retention: 60d
+        storageSpec:
+          volumeClaimTemplate:
+            spec:
+              accessModes: ["ReadWriteOnce"]
+              resources:
+                requests:
+                  storage: 20Gi
+        resources:
+          requests:
+            memory: 0.5Gi
+            cpu: 500m
+          limits:
+            memory: 4Gi
+            cpu: 2
+        serviceMonitorSelectorNilUsesHelmValues: false
+        podMonitorSelectorNilUsesHelmValues: false
+        ruleSelectorNilUsesHelmValues: false
+
+    alertmanager:
+      alertmanagerSpec:
+        storage:
+          volumeClaimTemplate:
+            spec:
+              accessModes: ["ReadWriteOnce"]
+              resources:
+                requests:
+                  storage: 3Gi
+
+    grafana:
+      persistence:
+        enabled: true
+        size: 10Gi
+      adminPassword: admin
+      ingress:
+        enabled: true
+        ingressClassName: nginx  # adjust if using traefik/contour/etc
+        hosts:
+          - grafana.lab.home.hrajfrisbee.cz
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email,Authorization
+          nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.lab.home.hrajfrisbee.cz
+            /oauth2/start?rd=$scheme://$host$escaped_request_uri
+          nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.lab.home.hrajfrisbee.cz
+            /oauth2/auth          
+        tls:
+          - secretName: grafana-tls
+            hosts:
+              - grafana.lab.home.hrajfrisbee.cz      
+
+    prometheusOperator:
+      admissionWebhooks:
+        certManager:
+          enabled: false

gitops/home-kubernetes/kube-prometheus/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: prometheus-community
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://prometheus-community.github.io/helm-charts

gitops/home-kubernetes/kube-prometheus/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring

gitops/home-kubernetes/oauth-proxy/helmrelease.yaml

@@ -31,6 +31,7 @@ spec:
         pass_access_token = true
         skip_provider_button = true
         upstreams = ["static://202"]
+        skip_auth_routes = ["PUT=^/uploads/.*", "POST=^/uploads/.*"]
 
     extraArgs:
       - --reverse-proxy=true
@@ -38,6 +39,8 @@ spec:
     ingress:
       enabled: true
       className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
       hosts:
         - oauth2-proxy.lab.home.hrajfrisbee.cz
       tls:

gitops/home-kubernetes/oauth-proxy/readme.md

@@ -0,0 +1,8 @@
+```bash
+
+annotations:
+  nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth"
+  nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"
+  nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"
+
+```

gitops/home-kubernetes/oauth-proxy/secret.yaml

@@ -8,4 +8,4 @@ metadata:
 stringData:
   client-id: oauth2-proxy
   client-secret: <REPLACE_WITH_KANIDM_SECRET>
-  cookie-secret: <REPLACE_WITH_OPENSSL_RAND_BASE64_32>
+  cookie-secret: a1f522c2394696c76e88eea54769d9e1

gitops/home-kubernetes/plane/helmrelease.yaml

@@ -34,6 +34,13 @@ spec:
       ingressClass: nginx
       ingress_annotations:
         cert-manager.io/cluster-issuer: letsencrypt-production
+        nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz /oauth2/auth"
+        nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz /oauth2/start?rd=$scheme://$host$escaped_request_uri"
+        nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          if ($request_uri ~* "^/uploads/") {
+            set $auth_request_uri "";
+          }        
       #   nginx.ingress.kubernetes.io/proxy-body-size: "10m"
 
     # PostgreSQL - local stateful or external