diff --git a/monitoring/.sops.yaml b/monitoring/.sops.yaml
new file mode 100644
index 0000000..9fa527f
--- /dev/null
+++ b/monitoring/.sops.yaml
@@ -0,0 +1,11 @@
+creation_rules:
+ # encrypt all values from file
+ - path_regex: \.private\.dec\.yaml$
+ encrypted_regex: '^(.*)$'
+ age:
+ - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+ # encrypt secrets files
+ - path_regex: .*.yaml
+ encrypted_regex: ^(data|stringData)$
+ age:
+ - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
\ No newline at end of file
diff --git a/monitoring/README.md b/monitoring/README.md
index a91b471..47cf963 100644
--- a/monitoring/README.md
+++ b/monitoring/README.md
@@ -8,15 +8,16 @@ kubectl create namespace monitoring
 ## promtail
-### setup
+## Setup
+
+Using flux for reconciliation.
 ``` bash
-# add repo
-helm repo add grafana https://grafana.github.io/helm-charts
-# Install & Upgrade
-helm upgrade --install promtail grafana/promtail --namespace monitoring \
---values=./promtail/values.yaml \
---values=./promtail//values.local.yaml
+./ops-scripts/apply-flux.sh
 ```
-## Continuous Deploy
+**Encrypt secrets:**
+
+``` bash
+sops -e deploy/promtail/helm-values.private.dec.yaml > deploy/promtail/helm-values.private.yaml
 ```
diff --git a/monitoring/cicd-rbac.yaml b/monitoring/cicd-rbac.yaml
deleted file mode 100644
index aed31cd..0000000
--- a/monitoring/cicd-rbac.yaml
+++ /dev/null
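Review bot: The second creation rule's `path_regex: .*.yaml` leaves the dot unescaped and the end unanchored, so it matches any path that merely contains `yaml` (for example `foo.yamlbak`) rather than only `.yaml` files; `path_regex: \.yaml$` says what is meant. The first rule is keyed on the `.private.dec.yaml` plaintext that the README's `sops -e … > helm-values.private.yaml` step reads, but nothing in this commit ignores that plaintext file — the only ignore pattern touched is the `**.local.**` entry being deleted from monitoring/promtail/.gitignore — so the decrypted values can be committed by accident; a `*.private.dec.yaml` entry in a .gitignore next to this file would close that gap. As a point of style, the two `encrypted_regex` values are quoted differently (`'^(.*)$'` versus `^(data|stringData)$`); pick one form for the file.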
@@ -1,97 +0,0 @@
-
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: monitoring
- name: ci-cd
-rules:
-- apiGroups: [""]
- resources: ["pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "endpoints", "serviceaccounts"]
- verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-- apiGroups: ["apps"]
- resources: ["deployments", "statefulsets","daemonsets"]
- verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-- apiGroups: ["networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-- apiGroups: ["traefik.io"]
- resources: ["ingressroutes"]
- verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
-
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles", "clusterrolebindings"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
-
-
-# telegraf
-- apiGroups: ["monitoring.coreos.com"]
- resources: ["servicemonitors", "podmonitors", "prometheuses", "alertmanagers"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: ci-cd
- namespace: monitoring
-subjects:
-- kind: ServiceAccount
- name: casa-ci-cd
- namespace: home-assistant
-roleRef:
- kind: Role
- name: ci-cd
- apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: ci-cd-cluster
-rules:
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles", "clusterrolebindings"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ci-cd-clusterbinding
-subjects:
-- kind: ServiceAccount
- name: casa-ci-cd
- namespace: home-assistant
-roleRef:
- kind: ClusterRole
- name: ci-cd-cluster
- apiGroup: rbac.authorization.k8s.io
-
----
-# telegraf
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: kube-system
- name: ci-cd-kube-system
-rules:
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: ci-cd-kube-system
- namespace: kube-system
-subjects:
-- kind: ServiceAccount
- name: casa-ci-cd
- namespace: home-assistant
-roleRef:
- kind: Role
- name: ci-cd-kube-system
- apiGroup: rbac.authorization.k8s.io
diff --git a/monitoring/deploy/flux/.env.d/.gitignore b/monitoring/deploy/flux/.env.d/.gitignore
new file mode 100644
index 0000000..d29675e
--- /dev/null
+++ b/monitoring/deploy/flux/.env.d/.gitignore
@@ -0,0 +1,2 @@
+**
+!.gitignore
\ No newline at end of file
diff --git a/monitoring/deploy/flux/kustomization.yaml b/monitoring/deploy/flux/kustomization.yaml
new file mode 100644
index 0000000..81319e8
--- /dev/null
+++ b/monitoring/deploy/flux/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - promtail-app-sync.yaml
+secretGenerator:
+ - name: flux-sops-age
+ files:
+ - "age.agekey=./.env.d/age.agekey"
+generatorOptions:
+ disableNameSuffixHash: true
\ No newline at end of file
diff --git a/monitoring/deploy/flux/promtail-app-sync.yaml b/monitoring/deploy/flux/promtail-app-sync.yaml
new file mode 100644
index 0000000..89692d7
--- /dev/null
+++ b/monitoring/deploy/flux/promtail-app-sync.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: promtail
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: casa
+ namespace: casa-limbosolutions-com
+ path: services/monitoring/promtail
+ prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops-age
diff --git a/monitoring/deploy/promtail/helm-release.yaml b/monitoring/deploy/promtail/helm-release.yaml
new file mode 100644
index 0000000..5c7b792
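Review bot: The `flux-sops-age` secretGenerator turns the age private key in `./.env.d/age.agekey` into an ordinary Kubernetes Secret in the `monitoring` namespace, and that key decrypts every file encrypted for the recipient in `.sops.yaml`; anyone with `get`/`list` on Secrets in `monitoring` therefore holds the whole secret set. That is inherent to Flux sops decryption, but the generator entry should say so, e.g. `# age private key for Flux sops decryption — readable by anyone with access to Secrets in this namespace; keep namespace RBAC tight`, so the blast radius is visible to whoever next edits RBAC here (the broad `secrets` grants in the deleted cicd-rbac.yaml show how easily that happens). The `.env.d/.gitignore` hunk keeps the key file itself out of git, which is correct; `disableNameSuffixHash: true` is required because promtail-app-sync.yaml references the fixed name `flux-sops-age`, and a one-line comment noting that dependency would prevent it being "tidied" away.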
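Review bot: `path: services/monitoring/promtail` does not correspond to where this commit places the manifests (`monitoring/deploy/promtail`); if the `casa` GitRepository points at the root of this repository the Kustomization will fail on a missing path, so either the path or the repository layout should be confirmed — the GitRepository definition is not visible from here. The `sourceRef` also reaches from `monitoring` into `casa-limbosolutions-com`, which Flux allows only while kustomize-controller runs without `--no-cross-namespace-refs`; a comment such as `# cross-namespace source: relies on cross-namespace refs being enabled on kustomize-controller` records that assumption. Since the `decryption.secretRef` is resolved in the Kustomization's own namespace, the `namespace: monitoring` set by the kustomize wrapper is what makes the `flux-sops-age` lookup succeed; worth a comment for the same reason.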
--- /dev/null
+++ b/monitoring/deploy/promtail/helm-release.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: monitoring
+spec:
+ releaseName: promtail
+ interval: 40h
+ chart:
+ spec:
+ chart: promtail
+ version: 6.x.x
+ sourceRef:
+ kind: HelmRepository
+ name: https://grafana.github.io/helm-charts
+ interval: 40h
+ valuesFrom:
+ - kind: Secret
+ name: promtail-helm-values
+ valuesKey: values.yaml
+ - kind: Secret
+ name: promtail-helm-values
+ valuesKey: values.private.yaml
\ No newline at end of file
diff --git a/monitoring/deploy/promtail/helm-repo.yaml b/monitoring/deploy/promtail/helm-repo.yaml
new file mode 100644
index 0000000..b39d1a8
--- /dev/null
+++ b/monitoring/deploy/promtail/helm-repo.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: grafana
+spec:
+ interval: 40h
+ url: https://grafana.github.io/helm-charts
\ No newline at end of file
diff --git a/monitoring/deploy/promtail/helm-values.private.yaml b/monitoring/deploy/promtail/helm-values.private.yaml
new file mode 100644
index 0000000..02328ed
--- /dev/null
+++ b/monitoring/deploy/promtail/helm-values.private.yaml
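Review bot: `sourceRef.name: https://grafana.github.io/helm-charts` is the repository URL, not the name of a HelmRepository object; the object created in helm-repo.yaml is named `grafana`, and a URL is not a valid Kubernetes object name, so this HelmRelease cannot resolve its chart source. The fix is `name: grafana`. Two smaller points: `metadata.name: monitoring` next to `releaseName: promtail` reads oddly beside a HelmRepository and a Secret that are both named for promtail, so `name: promtail` would be clearer; and `version: 6.x.x` with a 40h source interval will pick up every new 6.y.z chart as upstream publishes it, which is a deliberate change-control choice that deserves a comment (`# floating minor: upgrades land without review`) or a tighter pin.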
@@ -0,0 +1,18 @@
+config:
+ clients:
+ - url: ENC[AES256_GCM,data:AarLpmfJTu63kYzATeKf4m+60h93G5unSf2e8BplmCws7iVRzeFYGdvp14caaFZiZwWXe5rsdrMBQRc=,iv:Se74MvPyIP5xDcjrKBv3/X4G3G+Q9AYmdK/5t4yDuZc=,tag:A64ERrlrlCgf7PiQMT9WuQ==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWjJxcitwdjR3QzQrSGVn
+ OVRFeTVrUGZMWlcycUREeWJWenpnVDVSbVJRClphakRuL2h2dEsvYWQ3VXJ4aHZL
+ YzQrU0FiRWttRUpmQkd5eVJFVVZBdVkKLS0tIDB3Y1FwQU5ndVlOQzNkZHA3V1Vl
+ bVpyTmhtUUhVTk9xZUFibHFyMVdqOEEKgoIrI9rJ1Q93AOZrP8r4rOggIGpSDv2H
+ uLp0yj1VqyyvtB/RHu4/Gyef2P5IwjTBnYYhZHbfX3AnYYWN58Riog==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+ encrypted_regex: ^(.*)$
+ lastmodified: "2026-06-07T21:04:02Z"
+ mac: ENC[AES256_GCM,data:Ieh41SbHtPqOIT2ynSEnz+qwaCsEDo9cZOk63AyuiMqsT0vR8TR94gimOKrMgQhjLpJPREYg0hXALgq7x6BxMfzts8n+eRuDsVxah8e17Ad4Gk9Vq9RtHYL06RO4EhevhzuzX32W8N1jt2wJTSDA4Ztjh1QIAAd7YyNnvYOATBo=,iv:eNzc4ObZ7lplIDPjF8Ub4Rfq3AiWLyOGwAdMLY7ojvo=,tag:87y5KNeAYASA/wDs4ETWmw==,type:str]
+ version: 3.13.1
diff --git a/monitoring/promtail/values.yaml b/monitoring/deploy/promtail/helm-values.yaml
similarity index 100%
rename from monitoring/promtail/values.yaml
rename to monitoring/deploy/promtail/helm-values.yaml
diff --git a/monitoring/deploy/promtail/kustomization.yaml b/monitoring/deploy/promtail/kustomization.yaml
new file mode 100644
index 0000000..22d6203
--- /dev/null
+++ b/monitoring/deploy/promtail/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: monitoring
+resources:
+ - helm-repo.yaml
+ - helm-release.yaml
+secretGenerator:
+ - name: promtail-helm-values
+ files:
+ - values.yaml=helm-values.yaml
+ - values.private.yaml=helm-values.private.yaml
+generatorOptions:
+ disableNameSuffixHash: true
\ No newline at end of file
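Review bot: The `promtail-helm-values` generator feeds the sops-encrypted `helm-values.private.yaml` straight into a Secret, which only works because the `promtail` Flux Kustomization in promtail-app-sync.yaml carries a `decryption` block and kustomize-controller decrypts sops-annotated generator inputs before building; nothing in this file states that dependency, so a comment on the second `files` entry such as `# sops-encrypted; decrypted by kustomize-controller via the Kustomization's decryption.secretRef` would save the next reader from assuming the ciphertext is handed to Helm. `disableNameSuffixHash: true` is likewise load-bearing, since helm-release.yaml's `valuesFrom` references the fixed name `promtail-helm-values`, and merits a one-line note (`# fixed name: referenced by valuesFrom in helm-release.yaml`). The rename of values.yaml to helm-values.yaml is fine as is.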
diff --git a/monitoring/ops-scripts/apply-flux.sh b/monitoring/ops-scripts/apply-flux.sh
new file mode 100755
index 0000000..e4f8708
--- /dev/null
+++ b/monitoring/ops-scripts/apply-flux.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl kustomize deploy/flux | kubectl apply -f -
\ No newline at end of file
diff --git a/monitoring/promtail/.gitignore b/monitoring/promtail/.gitignore
deleted file mode 100644
index e615a4d..0000000
--- a/monitoring/promtail/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-**.local.**
\ No newline at end of file
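Review bot: `kubectl kustomize deploy/flux` is resolved against the caller's working directory, so the script only works when launched from `monitoring/` as the README shows; `cd "$(dirname "$0")/.."` as the first command makes it location-independent. With `set -e` alone the pipeline's exit status is that of `kubectl apply`, so a failing `kubectl kustomize` is only caught indirectly through an empty stream; `set -euo pipefail` is the safer header. Because the rendered stream carries the age private key from the `flux-sops-age` generator, client-side `kubectl apply` also writes the full Secret into its `kubectl.kubernetes.io/last-applied-configuration` annotation, leaving a second copy of the key on the object; `kubectl kustomize deploy/flux | kubectl apply --server-side -f -` avoids that duplicate.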