From d79653cc64f322417d6fa0841325ede99ee81311 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 30 Jul 2025 12:38:10 +0000 Subject: [PATCH 01/39] test(pipeline): Revert of general test of OSC dependencies Only v1.1.0-edp-v11.0.3 works currently --- template/stacks/forgejo/forgejo-server/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index 3b354fe..7181f40 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -181,8 +181,7 @@ image: #tag: "8.0.3" # Adds -rootless suffix to image name # rootless: true - #fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:v1.1.0-edp-v11.0.3 - fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:osctest + fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:v1.1.0-edp-v11.0.3 forgejo: runner: From a2324a16b7220d85b6c6a170fc01058da42fae61 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 30 Jul 2025 12:39:18 +0000 Subject: [PATCH 02/39] test(pipeline): Revert of general test of OSC dependencies helm-chart-4.12.4 will require an update of argocd to version >=3 --- template/stacks/otc/ingress-nginx.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/otc/ingress-nginx.yaml b/template/stacks/otc/ingress-nginx.yaml index d240304..8414885 100644 --- a/template/stacks/otc/ingress-nginx.yaml +++ b/template/stacks/otc/ingress-nginx.yaml @@ -20,7 +20,7 @@ spec: sources: - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/ingress-nginx-helm.git path: charts/ingress-nginx - targetRevision: helm-chart-4.12.4-depends + targetRevision: helm-chart-4.12.1-depends helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/otc/ingress-nginx/values.yaml 
From 278c832cb46914c3073bd4c870531eb071337ab3 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 30 Jul 2025 13:54:04 +0000 Subject: [PATCH 03/39] chore(pipeline): Remove use for our three helm mirrors --- template/stacks/core/argocd.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index cb1e886..5c1d087 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -18,12 +18,12 @@ spec: name: in-cluster namespace: argocd sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/argocd-helm.git + - repoURL: https://github.com/argoproj/argo-helm.git path: charts/argo-cd # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.8.28-depends + targetRevision: argo-cd-7.8.28 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/values.yaml From fb03ded960591e9e1a30740fc9794fa3ba3fae09 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 30 Jul 2025 13:54:53 +0000 Subject: [PATCH 04/39] chore(pipeline): Remove use for our three helm mirrors --- template/stacks/forgejo/forgejo-server.yaml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server.yaml b/template/stacks/forgejo/forgejo-server.yaml index 249976a..21a7049 100644 --- a/template/stacks/forgejo/forgejo-server.yaml +++ b/template/stacks/forgejo/forgejo-server.yaml 
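Review bot: Switching `repoURL` to `https://github.com/argoproj/argo-helm.git` with `targetRevision: argo-cd-7.8.28` moves the chart source outside the organisation's own forge and pins it to a git tag, which is mutable and is not integrity-checked by Argo CD by default; the `-depends` mirror tag that was dropped was at least a snapshot the team controlled. If upstream is now the source of truth, pin `targetRevision` to the commit SHA behind that tag (or enable Argo CD's GPG signature verification for this project) so a force-moved tag cannot change what gets deployed. I would also keep a one-line comment next to `targetRevision` stating that the chart is fetched directly from upstream and why the mirror was dropped, since the earlier comments explaining the mirror workflow are gone.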
@@ -18,15 +18,9 @@ spec: name: in-cluster namespace: gitea sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/forgejo-helm.git + - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git path: . - # first check out the desired version (example v9.0.0): https://code.forgejo.org/forgejo-helm/forgejo-helm/src/tag/v9.0.0/Chart.yaml - # (note that the chart version is not the same as the forgejo application version, which is specified in the above Chart.yaml file) - # then use the devops pipeline and select development, forgejo and the desired version (example v9.0.0): - # https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/devops-pipelines/actions?workflow=update-helm-depends.yaml&actor=0&status=0 - # finally update the desired version here and include "-depends", it is created by the devops pipeline. - # why do we have an added "-depends" tag? it resolves rate limitings when downloading helm OCI dependencies - targetRevision: v12.0.0-depends + targetRevision: v12.0.0 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/values.yaml From 30c2ec054b09fe739a014319624e066035701490 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 30 Jul 2025 13:55:38 +0000 Subject: [PATCH 05/39] chore(pipeline): Remove use for our three helm mirrors --- template/stacks/otc/ingress-nginx.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/otc/ingress-nginx.yaml b/template/stacks/otc/ingress-nginx.yaml index 8414885..cb58d5d 100644 --- a/template/stacks/otc/ingress-nginx.yaml +++ b/template/stacks/otc/ingress-nginx.yaml 
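Review bot: The deleted comment block documented that the `-depends` tag existed specifically because the forgejo chart's OCI helm dependencies hit rate limits when pulled from their upstream registries, and the new `targetRevision: v12.0.0` against `https://code.forgejo.org/forgejo-helm/forgejo-helm.git` reintroduces exactly those pulls on every repo-server refresh. Either that rate-limit problem has since been resolved or it will come back as intermittent sync failures; the commit message says nothing about which. Please keep a short comment at the `targetRevision` line recording how the chart version is chosen and that dependencies are now resolved from upstream, e.g. `# chart pulled directly from code.forgejo.org; OCI dependencies are fetched from upstream registries (no mirror)`.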
@@ -18,9 +18,9 @@ spec: name: in-cluster namespace: ingress-nginx sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/ingress-nginx-helm.git + - repoURL: https://github.com/kubernetes/ingress-nginx.git path: charts/ingress-nginx - targetRevision: helm-chart-4.12.1-depends + targetRevision: helm-chart-4.12.1 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/otc/ingress-nginx/values.yaml From 51a55b5ed4bb60709772d5721c51ddb4cef04e6a Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Thu, 31 Jul 2025 09:31:00 +0000 Subject: [PATCH 06/39] fix(forgejo): Enable email notifications for common things like PR's --- template/stacks/forgejo/forgejo-server/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index 7181f40..55ccfe9 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -146,6 +146,7 @@ gitea: service: DISABLE_REGISTRATION: true + ENABLE_NOTIFY_MAIL: true other: SHOW_FOOTER_VERSION: false From e7d14a89cdd6b5d097a6db0d2e1f698469d5e131 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Wed, 30 Jul 2025 14:35:42 +0200 Subject: [PATCH 07/39] =?UTF-8?q?feat(manifest):=20=F0=9F=8E=89=20WIP=20Ad?= =?UTF-8?q?d=20CronJob=20and=20Secret=20for=20S3=20backups?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a new CronJob for scheduled S3 backups using rclone, along with a corresponding Secret for AWS credentials. This introduces automated backup functionality for the Forgejo server, enhancing data protection and recovery capabilities. --- .../manifests/forgejo-s3-backup-cronjob.yaml | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml 
diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml new file mode 100644 index 0000000..769cd0d --- /dev/null +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -0,0 +1,64 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: forgejo-s3-backup + namespace: gitea +spec: + schedule: "24 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: rclone + image: rclone/rclone:1.70 + imagePullPolicy: IfNotPresent + env: + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: access-key + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: secret-key + volumeMounts: + - name: rclone-config + mountPath: /etc/rclone + readOnly: true + command: + - /bin/sh + - -c + - | + sleep 7d + # rclone sync remote-source:packages remote-destination:packages --config /etc/rclone/config + restartPolicy: OnFailure + volumes: + - name: rclone-config + secret: + secretName: forgejo-s3-backup + +--- +apiVersion: v1 +kind: Secret +metadata: + name: forgejo-s3-backup + namespace: gitea +type: Opaque +stringData: + config: | + [remote-source] + type = s3 + provider = AWS + env_auth = true + endpoint = https://edp-forgejo-non-prod-observability.obs.eu-de.otc.t-systems.com + region = eu-de + + [remote-destination] + type = s3 + provider = AWS + env_auth = true + endpoint = https://edp-forgejo-backup-test-manu.obs.eu-de.otc.t-systems.com + region = eu-de From 491be80842ee8f525e7c90b4e8e0cf955ce0a3a8 Mon Sep 17 00:00:00 2001 
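Review bot: The new CronJob pod runs with the namespace default service account token mounted and no `securityContext`, although the only things the container needs are the `AWS_*` env vars and the read-only `rclone-config` mount — it has no reason to talk to the Kubernetes API. Add `automountServiceAccountToken: false` at the pod level and a non-root, no-capabilities security context for the rclone container; `readOnlyRootFilesystem` is probably fine too since the config is mounted read-only, but confirm rclone does not try to write a default config under `$HOME`. Also set `concurrencyPolicy: Forbid` so two backup runs can never overlap on the same data. The `sleep 7d` body is a placeholder, so the secret/config wiring is all that is actually exercised by this commit.

```yaml
spec:
  schedule: "24 * * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          automountServiceAccountToken: false
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: rclone
              # … unchanged: image, env, volumeMounts, command …
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
```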
From: Richard Robert Reitz Date: Thu, 31 Jul 2025 15:24:39 +0200 Subject: [PATCH 08/39] fix(s3backup): doing a local backup first and then push it to remote, which is still on the same OBS store --- .../manifests/forgejo-s3-backup-cronjob.yaml | 43 ++++++++++++++----- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 769cd0d..d7b78e6 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: forgejo-s3-backup namespace: gitea spec: - schedule: "24 * * * *" + schedule: "0 2 * * *" jobTemplate: spec: template: @@ -26,20 +26,41 @@ spec: key: secret-key volumeMounts: - name: rclone-config - mountPath: /etc/rclone + mountPath: /config/rclone readOnly: true + - name: backup-dir + mountPath: /backup_dir + readOnly: false command: - /bin/sh - -c - | - sleep 7d - # rclone sync remote-source:packages remote-destination:packages --config /etc/rclone/config + rm -Rf /backup_dir/backup || true + mkdir -p /backup_dir/backup + rclone sync remote-source:/edp-forgejo-non-prod-observability/packages /backup_dir/backup -v --ignore-checksum + rclone sync /backup_dir/backup remote-destination:/edp-forgejo-non-prod-observability/hackathon3 -v --ignore-checksum + rm -Rf /backup_dir/backup || true restartPolicy: OnFailure volumes: - name: rclone-config secret: secretName: forgejo-s3-backup - + - name: backup-dir + persistentVolumeClaim: + claimName: s3-temp-data +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: s3-temp-data + namespace: gitea +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 50Gi --- apiVersion: v1 kind: Secret 
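Review bot: The shell script in `command` runs under `/bin/sh -c` without `set -e`, so if the first `rclone sync remote-source:... /backup_dir/backup` fails (auth error, network), the second `rclone sync /backup_dir/backup remote-destination:...` still runs and, because `sync` deletes whatever is not in the source, it empties the destination prefix. Worse, the script always ends with `rm -Rf /backup_dir/backup || true`, so the Job exits 0 regardless and `restartPolicy: OnFailure` never triggers. Put `set -eu` as the first line of the script (or chain the three rclone/mkdir steps with `&&`) so a failed pull aborts before the push. `--ignore-checksum` also disables rclone's post-transfer integrity check; if it was added for speed, note why in a comment, since it weakens the guarantee that the copy matches the source.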
@@ -48,17 +69,19 @@ metadata: namespace: gitea type: Opaque stringData: - config: | + rclone.conf: | [remote-source] type = s3 - provider = AWS + provider = HuaweiOBS env_auth = true - endpoint = https://edp-forgejo-non-prod-observability.obs.eu-de.otc.t-systems.com + endpoint = obs.eu-de.otc.t-systems.com region = eu-de + acl = private [remote-destination] type = s3 - provider = AWS + provider = HuaweiOBS env_auth = true - endpoint = https://edp-forgejo-backup-test-manu.obs.eu-de.otc.t-systems.com + endpoint = obs.eu-de.otc.t-systems.com region = eu-de + acl = private From 55d9a06dc74deaa326c04bff92e99175d5eada38 Mon Sep 17 00:00:00 2001 From: "Fritz-Leo.Ochsmann" Date: Thu, 31 Jul 2025 15:59:25 +0200 Subject: [PATCH 09/39] feat(forgejo): backup s3 directly to pvc --- .../manifests/forgejo-s3-backup-cronjob.yaml | 25 +++++-------------- .../stacks/forgejo/forgejo-server/values.yaml | 1 + 2 files changed, 7 insertions(+), 19 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index d7b78e6..223188a 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: forgejo-s3-backup namespace: gitea spec: - schedule: "0 2 * * *" + schedule: "0 1 * * *" jobTemplate: spec: template: 
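Review bot: Both `[remote-source]` and `[remote-destination]` use `env_auth = true` against the same `endpoint`, so they authenticate with the same `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from `forgejo-cloud-credentials`; the commit message confirms the "backup" lands in the same OBS account. A single credential with write/delete on both sides means one leaked key, or one bad `rclone sync` (see the script), can destroy the live data and the backup together. Give the destination its own credential and bucket (ideally with object versioning or write-only permissions) by setting `env_auth = false` on `[remote-destination]` and supplying `access_key_id`/`secret_access_key` there from a separate Secret, or at least document in this Secret that the two remotes currently share one identity and are not an isolated backup.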
@@ -29,17 +29,13 @@ spec: mountPath: /config/rclone readOnly: true - name: backup-dir - mountPath: /backup_dir + mountPath: /backup readOnly: false command: - /bin/sh - -c - | - rm -Rf /backup_dir/backup || true - mkdir -p /backup_dir/backup - rclone sync remote-source:/edp-forgejo-non-prod-observability/packages /backup_dir/backup -v --ignore-checksum - rclone sync /backup_dir/backup remote-destination:/edp-forgejo-non-prod-observability/hackathon3 -v --ignore-checksum - rm -Rf /backup_dir/backup || true + rclone sync source:/${SOURCE_BUCKET}/packages /backup -v --ignore-checksum restartPolicy: OnFailure volumes: - name: rclone-config @@ -47,17 +43,16 @@ spec: secretName: forgejo-s3-backup - name: backup-dir persistentVolumeClaim: - claimName: s3-temp-data + claimName: s3-backup --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: s3-temp-data + name: s3-backup namespace: gitea spec: accessModes: - ReadWriteOnce - volumeMode: Filesystem resources: requests: storage: 50Gi @@ -70,15 +65,7 @@ metadata: type: Opaque stringData: rclone.conf: | - [remote-source] - type = s3 - provider = HuaweiOBS - env_auth = true - endpoint = obs.eu-de.otc.t-systems.com - region = eu-de - acl = private - - [remote-destination] + [source] type = s3 provider = HuaweiOBS env_auth = true diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index 55ccfe9..d777b28 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -1,3 +1,4 @@ +# This is only used for deploying older versions of infra-catalogue where the bucket name is not an output of the terragrunt modules {{{- define "BUCKET_NAME" -}}} {{{- if (getenv "FORGEJO_BUCKET_NAME") -}}} {{{ getenv "FORGEJO_BUCKET_NAME" }}} From 6af5ce71cd67e480d9db50e9318e4fff94bf48fd Mon Sep 17 00:00:00 2001 
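Review bot: `rclone sync source:/${SOURCE_BUCKET}/packages /backup` mirrors deletions, so an object removed or overwritten in the bucket is removed or overwritten in `/backup` at the next 01:00 run; the PVC therefore protects against losing the bucket, not against accidental or malicious deletion, which is the more common restore scenario. Consider `rclone sync ... --backup-dir /backup/.displaced/$(date +%F)` so displaced and deleted files are retained, plus a retention step, or switch to `rclone copy` if the PVC is meant to be append-only. Note also that `${SOURCE_BUCKET}` is referenced here but is not defined anywhere in the container's `env` as of this commit, so the path expands to `source://packages`; and with a `ReadWriteOnce` PVC the CronJob should set `concurrencyPolicy: Forbid` so an overrun job does not leave a second pod stuck Pending on the volume.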
From: evdo Date: Fri, 1 Aug 2025 10:18:38 +0200 Subject: [PATCH 10/39] feat(forgejo): updated secret ref for a bucket name --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 223188a..ba0aebd 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -14,6 +14,11 @@ spec: image: rclone/rclone:1.70 imagePullPolicy: IfNotPresent env: + - name: SOURCE_BUCKET + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: bucket-name - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: From c9d14d451f29a875c9fc1fcbb0a28305cfc4a7ae Mon Sep 17 00:00:00 2001 From: "franz.germann" Date: Tue, 5 Aug 2025 15:01:12 +0200 Subject: [PATCH 11/39] feat(grafana alerts): add notification channel (email) for grafana alerts --- .../vm-client-stack/values.yaml | 115 +++--------------- 1 file changed, 18 insertions(+), 97 deletions(-) diff --git a/template/stacks/observability-client/vm-client-stack/values.yaml b/template/stacks/observability-client/vm-client-stack/values.yaml index 33afb8d..095323e 100644 --- a/template/stacks/observability-client/vm-client-stack/values.yaml +++ b/template/stacks/observability-client/vm-client-stack/values.yaml 
@@ -537,104 +537,25 @@ alertmanager: # -- (object) Alertmanager configuration config: route: - receiver: "blackhole" - # group_by: ["alertgroup", "job"] - # group_wait: 30s - # group_interval: 5m - # repeat_interval: 12h - # routes: - # - # # Duplicate code_owner routes to teams - # # These will send alerts to team channels but continue - # # processing through the rest of the tree to handled by on-call - # - matchers: - # - code_owner_channel!="" - # - severity=~"info|warning|critical" - # group_by: ["code_owner_channel", "alertgroup", "job"] - # receiver: slack-code-owners - # - # # Standard on-call routes - # - matchers: - # - severity=~"info|warning|critical" - # receiver: slack-monitoring - # continue: true - # - # inhibit_rules: - # - target_matchers: - # - severity=~"warning|info" - # source_matchers: - # - severity=critical - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - severity=warning - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - alertname=InfoInhibitor - # equal: - # - cluster - # - namespace - + receiver: "outlook" + routes: + - matchers: + - alertname=~".*" + receiver: outlook receivers: - - name: blackhole - # - name: "slack-monitoring" - # slack_configs: - # - channel: "#channel" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . }}' - # text: '{{ template "slack.monzo.text" . 
}}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook_url }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # - name: slack-code-owners - # slack_configs: - # - channel: "#{{ .CommonLabels.code_owner_channel }}" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . }}' - # text: '{{ template "slack.monzo.text" . }}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # + - name: outlook + email_configs: + - smarthost: 'mail.mms-support.de:465' + auth_username: 'ipcei-cis-devfw@mms-support.de' + auth_password: + name: email-user-credentials + key: connection-string + from: '"IPCEI CIS DevFW" ' + to: 'ipcei-cis-devfw@mms-support.de' + headers: + subject: 'Grafana Mail Alerts' + require_tls: false + # -- Better alert templates for [slack source](https://gist.github.com/milesbxf/e2744fc90e9c41b47aa47925f8ff6512) monzoTemplate: enabled: true From ea6b18b7ea8535e173693c5f3c1acbd308c5a671 Mon Sep 17 00:00:00 2001 
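Review bot: The `from:` value `'"IPCEI CIS DevFW" '` contains only a display name and no mailbox — this may be an angle-bracketed address lost during rendering, but if the file really reads like this Alertmanager will reject the receiver config. The `routes` entry with `alertname=~".*"` pointing at `outlook` is redundant with `route.receiver: "outlook"` and can be dropped; if the intent was to keep a hook for future severity-based routing, a comment saying so is better than a catch-all matcher. Finally, every alert mail carries the fixed `subject: 'Grafana Mail Alerts'`, which makes triage in a shared mailbox hard; include the alert name, e.g. `subject: '[{{ .Status | toUpper }}] {{ .CommonLabels.alertname }}'`.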
From: Daniel Sy Date: Tue, 5 Aug 2025 15:24:37 +0200 Subject: [PATCH 12/39] =?UTF-8?q?feat(alertmanager):=20=F0=9F=8E=89=20Enab?= =?UTF-8?q?le=20managed=20configuration=20for=20alerts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the Alertmanager configuration to use managed settings, enabling streamlined alert handling. Removes outdated configurations and introduces a new email receiver for Grafana alerts. --- .../victoria-k8s-stack/values.yaml | 117 +++--------------- 1 file changed, 19 insertions(+), 98 deletions(-) diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index db459f3..5f5abe2 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml 
@@ -536,108 +536,29 @@ alertmanager: # If you're migrating existing config, please make sure that `.Values.alertmanager.config`: # - with `useManagedConfig: false` has structure described [here](https://prometheus.io/docs/alerting/latest/configuration/). # - with `useManagedConfig: true` has structure described [here](https://docs.victoriametrics.com/operator/api/#vmalertmanagerconfig). - useManagedConfig: false + useManagedConfig: true # -- (object) Alertmanager configuration config: route: - receiver: "blackhole" - # group_by: ["alertgroup", "job"] - # group_wait: 30s - # group_interval: 5m - # repeat_interval: 12h - # routes: - # - # # Duplicate code_owner routes to teams - # # These will send alerts to team channels but continue - # # processing through the rest of the tree to handled by on-call - # - matchers: - # - code_owner_channel!="" - # - severity=~"info|warning|critical" - # group_by: ["code_owner_channel", "alertgroup", "job"] - # receiver: slack-code-owners - # - # # Standard on-call routes - # - matchers: - # - severity=~"info|warning|critical" - # receiver: slack-monitoring - # continue: true - # - # inhibit_rules: - # - target_matchers: - # - severity=~"warning|info" - # source_matchers: - # - severity=critical - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - severity=warning - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - alertname=InfoInhibitor - # equal: - # - cluster - # - namespace - + receiver: "outlook" + routes: + - matchers: + - alertname=~".*" + receiver: outlook receivers: - - name: blackhole - # - name: "slack-monitoring" - # slack_configs: - # - channel: "#channel" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . 
}}' - # text: '{{ template "slack.monzo.text" . }}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook_url }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # - name: slack-code-owners - # slack_configs: - # - channel: "#{{ .CommonLabels.code_owner_channel }}" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . }}' - # text: '{{ template "slack.monzo.text" . }}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # + - name: outlook + email_configs: + - smarthost: 'mail.mms-support.de:465' + auth_username: 'ipcei-cis-devfw@mms-support.de' + auth_password: + name: email-user-credentials + key: connection-string + from: '"IPCEI CIS DevFW" ' + to: 'f9f9953a.mg.telekom.de@de.teams.ms' + headers: + subject: 'Grafana Mail Alerts' + require_tls: false + # -- Better alert templates for [slack source](https://gist.github.com/milesbxf/e2744fc90e9c41b47aa47925f8ff6512) monzoTemplate: enabled: true 
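Review bot: `smarthost: 'mail.mms-support.de:465'` combined with `require_tls: false` is a mismatch: Alertmanager's email receiver speaks plain SMTP and upgrades with STARTTLS, while port 465 is conventionally implicit TLS, so the session will either fail at the greeting or — if the server also accepts cleartext there — send `auth_username`/`auth_password` unencrypted. Use the submission port with TLS enforced, `smarthost: 'mail.mms-support.de:587'` and `require_tls: true`, unless the Alertmanager version in use supports implicit TLS on 465, in which case document that and still drop `require_tls: false`. Routing all alerts to a Teams channel mailbox (`to:`) with no grouping (`group_by`, `repeat_interval` were removed along with the old config) also means every firing alert becomes a separate mail; set at least `group_by` and `repeat_interval` on the route.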
From 643176228eab84f89ec7b4683331ff2d037e9076 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Tue, 5 Aug 2025 15:25:42 +0200 Subject: [PATCH 13/39] Revert "feat(grafana alerts): add notification channel (email) for grafana alerts" This reverts commit c9d14d451f29a875c9fc1fcbb0a28305cfc4a7ae. --- .../vm-client-stack/values.yaml | 115 +++++++++++++++--- 1 file changed, 97 insertions(+), 18 deletions(-) diff --git a/template/stacks/observability-client/vm-client-stack/values.yaml b/template/stacks/observability-client/vm-client-stack/values.yaml index 095323e..33afb8d 100644 --- a/template/stacks/observability-client/vm-client-stack/values.yaml +++ b/template/stacks/observability-client/vm-client-stack/values.yaml 
@@ -537,25 +537,104 @@ alertmanager: # -- (object) Alertmanager configuration config: route: - receiver: "outlook" - routes: - - matchers: - - alertname=~".*" - receiver: outlook - receivers: - - name: outlook - email_configs: - - smarthost: 'mail.mms-support.de:465' - auth_username: 'ipcei-cis-devfw@mms-support.de' - auth_password: - name: email-user-credentials - key: connection-string - from: '"IPCEI CIS DevFW" ' - to: 'ipcei-cis-devfw@mms-support.de' - headers: - subject: 'Grafana Mail Alerts' - require_tls: false + receiver: "blackhole" + # group_by: ["alertgroup", "job"] + # group_wait: 30s + # group_interval: 5m + # repeat_interval: 12h + # routes: + # + # # Duplicate code_owner routes to teams + # # These will send alerts to team channels but continue + # # processing through the rest of the tree to handled by on-call + # - matchers: + # - code_owner_channel!="" + # - severity=~"info|warning|critical" + # group_by: ["code_owner_channel", "alertgroup", "job"] + # receiver: slack-code-owners + # + # # Standard on-call routes + # - matchers: + # - severity=~"info|warning|critical" + # receiver: slack-monitoring + # continue: true + # + # inhibit_rules: + # - target_matchers: + # - severity=~"warning|info" + # source_matchers: + # - severity=critical + # equal: + # - cluster + # - namespace + # - alertname + # - target_matchers: + # - severity=info + # source_matchers: + # - severity=warning + # equal: + # - cluster + # - namespace + # - alertname + # - target_matchers: + # - severity=info + # source_matchers: + # - alertname=InfoInhibitor + # equal: + # - cluster + # - namespace + receivers: + - name: blackhole + # - name: "slack-monitoring" + # slack_configs: + # - channel: "#channel" + # send_resolved: true + # title: '{{ template "slack.monzo.title" . }}' + # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' + # color: '{{ template "slack.monzo.color" . }}' + # text: '{{ template "slack.monzo.text" . 
}}' + # actions: + # - type: button + # text: "Runbook :green_book:" + # url: "{{ (index .Alerts 0).Annotations.runbook_url }}" + # - type: button + # text: "Query :mag:" + # url: "{{ (index .Alerts 0).GeneratorURL }}" + # - type: button + # text: "Dashboard :grafana:" + # url: "{{ (index .Alerts 0).Annotations.dashboard }}" + # - type: button + # text: "Silence :no_bell:" + # url: '{{ template "__alert_silence_link" . }}' + # - type: button + # text: '{{ template "slack.monzo.link_button_text" . }}' + # url: "{{ .CommonAnnotations.link_url }}" + # - name: slack-code-owners + # slack_configs: + # - channel: "#{{ .CommonLabels.code_owner_channel }}" + # send_resolved: true + # title: '{{ template "slack.monzo.title" . }}' + # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' + # color: '{{ template "slack.monzo.color" . }}' + # text: '{{ template "slack.monzo.text" . }}' + # actions: + # - type: button + # text: "Runbook :green_book:" + # url: "{{ (index .Alerts 0).Annotations.runbook }}" + # - type: button + # text: "Query :mag:" + # url: "{{ (index .Alerts 0).GeneratorURL }}" + # - type: button + # text: "Dashboard :grafana:" + # url: "{{ (index .Alerts 0).Annotations.dashboard }}" + # - type: button + # text: "Silence :no_bell:" + # url: '{{ template "__alert_silence_link" . }}' + # - type: button + # text: '{{ template "slack.monzo.link_button_text" . }}' + # url: "{{ .CommonAnnotations.link_url }}" + # # -- Better alert templates for [slack source](https://gist.github.com/milesbxf/e2744fc90e9c41b47aa47925f8ff6512) monzoTemplate: enabled: true From f19b294b260744a7e897a1383484c2aeb7efdea2 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Thu, 7 Aug 2025 11:30:27 +0000 Subject: [PATCH 14/39] chore(OTC): changed obsolete disk type --- template/stacks/forgejo/forgejo-server/values.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index d777b28..b8cac1c 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -28,8 +28,10 @@ postgresql-ha: persistence: enabled: true size: 200Gi + storageClass: csi-disk annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: GPSSD test: enabled: false From 28c23b9f084dc6cb75262e56c174b7be030c486a Mon Sep 17 00:00:00 2001 From: "Fritz-Leo.Ochsmann" Date: Fri, 8 Aug 2025 15:25:25 +0200 Subject: [PATCH 15/39] chore: set default storage class to csi-disk driver --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 4 ++++ .../observability/grafana-operator/manifests/grafana.yaml | 4 ++++ .../observability/victoria-k8s-stack/manifests/vlogs.yaml | 4 +++- template/stacks/observability/victoria-k8s-stack/values.yaml | 4 +++- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index ba0aebd..e5ea7df 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -55,7 +55,11 @@ kind: PersistentVolumeClaim metadata: name: s3-backup namespace: gitea + annotations: + everest.io/disk-volume-type: SATA + everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index 87bc732..1c47357 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml 
+++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml @@ -6,7 +6,11 @@ metadata: dashboards: "grafana" spec: persistentVolumeClaim: + metadata: + annotations: + everest.io/disk-volume-type: SATA spec: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml index 4c6fbe9..c74f8d5 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml @@ -9,7 +9,9 @@ spec: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: SATA storage: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: @@ -21,4 +23,4 @@ spec: cpu: 500m limits: memory: 10Gi - cpu: 2 \ No newline at end of file + cpu: 2 diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index 5f5abe2..f3b5241 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml @@ -289,7 +289,9 @@ vmsingle: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: SATA storage: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: @@ -801,7 +803,7 @@ grafana: enabled: false # all values for grafana helm chart can be specified here persistence: - enabled: true + enabled: false type: pvc storageClassName: "default" grafana.ini: From dbda3d4ab541c4bdac51155a2613cab9b0134d3f Mon Sep 17 00:00:00 2001 
From: "franz.germann" Date: Mon, 11 Aug 2025 15:34:38 +0200 Subject: [PATCH 16/39] fix(cronjob): fix bug where only packages got backuped --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index e5ea7df..7540f87 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -40,7 +40,7 @@ spec: - /bin/sh - -c - | - rclone sync source:/${SOURCE_BUCKET}/packages /backup -v --ignore-checksum + rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum restartPolicy: OnFailure volumes: - name: rclone-config From e0f6cc77dd43f8adc073f0b1cd5e40e2ee17f92d Mon Sep 17 00:00:00 2001 From: Patrick Sy Date: Tue, 5 Aug 2025 11:32:28 +0200 Subject: [PATCH 17/39] fix(observability): Added missing encryption to grafana volume --- .../stacks/observability/grafana-operator/manifests/grafana.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index 1c47357..c5fa295 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml @@ -9,6 +9,7 @@ spec: metadata: annotations: everest.io/disk-volume-type: SATA + everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: storageClassName: csi-disk accessModes: From 975bb6b982cf0db3510900198d3276ffaa9928e0 Mon Sep 17 00:00:00 2001 
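Review bot: `rclone sync` makes `/backup` an exact mirror of the bucket, so objects deleted or overwritten in the source — by a bug, a leaked access key or a ransomware-style wipe — are removed from the backup on the next nightly run, which leaves no point-in-time copy to restore from. Keeping superseded files costs one flag, e.g. `rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum --backup-dir /backup/.history/$(date +%F) --exclude '/.history/**'`, plus a retention step so the history directory does not fill the PVC. `--ignore-checksum` also disables the only integrity check rclone performs on transfer, so a comment stating why it is needed for this S3 endpoint would stop the next reader from removing it or trusting it more than it deserves. The container spec this command belongs to starts and ends outside the hunk.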
From: Patrick Sy Date: Tue, 12 Aug 2025 14:07:38 +0200 Subject: [PATCH 18/39] feat(observability): Introduced alert for failed s3 backup jobs --- .../victoria-k8s-stack/manifests/alerts.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml index f884bd9..8accb1e 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml @@ -16,3 +16,14 @@ spec: annotations: value: "{{ $value }}" description: 'forgejo is down in cluster environment {{ $labels.cluster_environment }}' + - name: forgejo-backup + rules: + - alert: forgejo s3 backup job failed + expr: max by(cluster_environment) (kube_job_status_failed{job_name=~"forgejo-s3-backup-.*"}) != 0 + for: 30s + labels: + severity: major + job: "{{ $labels.job }}" + annotations: + value: "{{ $value }}" + description: 'forgejo s3 backup job failed in cluster environment {{ $labels.cluster_environment }}' From fb64314fb27e1db6020a1433a7fc177f41d24485 Mon Sep 17 00:00:00 2001 From: Patrick Sy Date: Tue, 12 Aug 2025 14:20:01 +0200 Subject: [PATCH 19/39] feat(observability): Introduced alert priority for notifications --- .../observability/victoria-k8s-stack/manifests/alerts.yaml | 4 ++-- template/stacks/observability/victoria-k8s-stack/values.yaml | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml index 8accb1e..9419609 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml 
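Review bot: The `job: "{{ $labels.job }}"` label on the new `forgejo s3 backup job failed` rule expands to an empty string, because `max by(cluster_environment)` keeps only `cluster_environment` and discards every other label including `job`; either add `job` to the `by` clause or drop that label. The rule also only fires for a Job that ran and failed: a CronJob that is suspended, misses its starting deadline or cannot schedule a pod never produces a `kube_job_status_failed` series and stays silent, so a staleness rule such as `expr: time() - max(kube_cronjob_status_last_successful_time{cronjob="forgejo-s3-backup"}) > 2 * 86400` (metric as exposed by recent kube-state-metrics; confirm it is scraped here and that the CronJob is named that way) closes the gap. Note too that `kube_job_status_failed` stays non-zero for as long as the failed Job object is retained, so with a failed-jobs history kept the alert will keep firing after a later successful run unless the expression is restricted to the most recent Job.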
@@ -11,7 +11,7 @@ spec: expr: sum by(cluster_environment) (up{pod=~"forgejo-server-.*"}) < 1 for: 30s labels: - severity: major + severity: critical job: "{{ $labels.job }}" annotations: value: "{{ $value }}" @@ -22,7 +22,7 @@ spec: expr: max by(cluster_environment) (kube_job_status_failed{job_name=~"forgejo-s3-backup-.*"}) != 0 for: 30s labels: - severity: major + severity: critical job: "{{ $labels.job }}" annotations: value: "{{ $value }}" diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index f3b5241..e421957 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml @@ -542,12 +542,13 @@ alertmanager: # -- (object) Alertmanager configuration config: route: - receiver: "outlook" + receiver: "blackhole" routes: - matchers: - - alertname=~".*" + - severity=~"critical|major" receiver: outlook receivers: + - name: blackhole - name: outlook email_configs: - smarthost: 'mail.mms-support.de:465' From a92ed86c4dface47306dfcfc4c3384f4c375e7ac Mon Sep 17 00:00:00 2001 From: Patrick Sy Date: Tue, 12 Aug 2025 15:06:14 +0200 Subject: [PATCH 20/39] fix(observability): Disabled scraping of kube controller manager and scheduler They are managed by OTC --- template/stacks/observability/victoria-k8s-stack/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index e421957..c08a281 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml 
@@ -1020,7 +1020,7 @@ kubeApiServer: # Component scraping the kube controller manager kubeControllerManager: # -- Enable kube controller manager metrics scraping - enabled: true + enabled: false # -- If your kube controller manager is not deployed as a pod, specify IPs it can be found on endpoints: [] @@ -1153,7 +1153,7 @@ kubeEtcd: # Component scraping kube scheduler kubeScheduler: # -- Enable KubeScheduler metrics scraping - enabled: true + enabled: false # -- If your kube scheduler is not deployed as a pod, specify IPs it can be found on endpoints: [] From 3277d6d8544df1f9eccd9267bf0affcd96709632 Mon Sep 17 00:00:00 2001 From: Manuel Ganter Date: Tue, 12 Aug 2025 16:16:55 +0200 Subject: [PATCH 21/39] introduced control parameter for cronjob --- .../manifests/forgejo-s3-backup-cronjob.yaml | 84 ++++++++++--------- 1 file changed, 46 insertions(+), 38 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 7540f87..ea7aaee 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml 
@@ -5,50 +5,58 @@ metadata: namespace: gitea spec: schedule: "0 1 * * *" + concurrencyPolicy: "Forbid" + successfulJobsHistoryLimit: 5 + failedJobsHistoryLimit: 5 + startingDeadlineSeconds: 600 # 10 minutes jobTemplate: spec: + # 60 min until backup - 10 min start - (backoffLimit * activeDeadlineSeconds) - some time sync buffer + activeDeadlineSeconds: 1350 + backoffLimit: 2 + ttlSecondsAfterFinished: 259200 # template: spec: containers: - - name: rclone - image: rclone/rclone:1.70 - imagePullPolicy: IfNotPresent - env: - - name: SOURCE_BUCKET - valueFrom: - secretKeyRef: - name: forgejo-cloud-credentials - key: bucket-name - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: forgejo-cloud-credentials - key: access-key - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: forgejo-cloud-credentials - key: secret-key - volumeMounts: - - name: rclone-config - mountPath: /config/rclone - readOnly: true - - name: backup-dir - mountPath: /backup - readOnly: false - command: - - /bin/sh - - -c - - | - rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum + - name: rclone + image: rclone/rclone:1.70 + imagePullPolicy: IfNotPresent + env: + - name: SOURCE_BUCKET + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: bucket-name + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: access-key + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: secret-key + volumeMounts: + - name: rclone-config + mountPath: /config/rclone + readOnly: true + - name: backup-dir + mountPath: /backup + readOnly: false + command: + - /bin/sh + - -c + - | + rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum restartPolicy: OnFailure volumes: - - name: rclone-config - secret: - secretName: forgejo-s3-backup - - name: backup-dir - persistentVolumeClaim: - claimName: s3-backup + - name: rclone-config + secret: + secretName: forgejo-s3-backup 
+ - name: backup-dir + persistentVolumeClaim: + claimName: s3-backup --- apiVersion: v1 kind: PersistentVolumeClaim @@ -57,7 +65,7 @@ metadata: namespace: gitea annotations: everest.io/disk-volume-type: SATA - everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/crypt-key-id: { { { .Env.PVC_KMS_KEY_ID } } } spec: storageClassName: csi-disk accessModes: From b3582b9929847b314ba9a4ea8f5799f44205f0b4 Mon Sep 17 00:00:00 2001 From: richardrobertreitz Date: Wed, 13 Aug 2025 08:00:52 +0000 Subject: [PATCH 22/39] fix(backup): Fixed syntax problem related to forgejo s3 backups --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index ea7aaee..3a3f48d 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -65,7 +65,7 @@ metadata: namespace: gitea annotations: everest.io/disk-volume-type: SATA - everest.io/crypt-key-id: { { { .Env.PVC_KMS_KEY_ID } } } + everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: storageClassName: csi-disk accessModes: From 3a666e718f7cea14858cd6dd69374319ff65b849 Mon Sep 17 00:00:00 2001 From: evdo Date: Wed, 13 Aug 2025 10:55:15 +0200 Subject: [PATCH 23/39] feat(edp): changed disck-volume-type from SATA to GPSSD --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 2 +- .../observability/grafana-operator/manifests/grafana.yaml | 2 +- .../observability/victoria-k8s-stack/manifests/vlogs.yaml | 2 +- template/stacks/observability/victoria-k8s-stack/values.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
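Review bot: The comment above `activeDeadlineSeconds: 1350` reads as if the deadline is charged per retry (`backoffLimit * activeDeadlineSeconds`), but `activeDeadlineSeconds` bounds the whole Job including all retries, so the Job is terminated 1350 s after it starts regardless of `backoffLimit: 2`; the comment should say that, and `ttlSecondsAfterFinished: 259200 #` has a dangling `#` that should become `ttlSecondsAfterFinished: 259200  # 3 days`. The re-indented rclone container still has no `securityContext` and no `resources`, and its image is pinned by tag only (`rclone/rclone:1.70`), so a pod holding the S3 access key and secret key runs with whatever user and capabilities the image defaults to and can be swapped out by a re-pushed tag. A minimal hardening block is below; the CronJob's `metadata.name` sits above the hunk.
```yaml
        spec:
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000  # makes /backup writable for the non-root user; verify against the csi-disk volume
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: rclone
              image: rclone/rclone:1.70  # prefer rclone/rclone@sha256:<digest> once the digest is recorded
              imagePullPolicy: IfNotPresent
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true  # rclone only writes to /backup here; add an emptyDir on /tmp if it needs scratch space
                capabilities:
                  drop: ["ALL"]
              resources:
                requests:
                  cpu: 100m
                  memory: 256Mi
                limits:
                  memory: 1Gi
              # … unchanged: env, volumeMounts, command …
```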
diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 3a3f48d..993b25c 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -64,7 +64,7 @@ metadata: name: s3-backup namespace: gitea annotations: - everest.io/disk-volume-type: SATA + everest.io/disk-volume-type: GPSSD everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: storageClassName: csi-disk diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index c5fa295..4b9abe2 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml @@ -8,7 +8,7 @@ spec: persistentVolumeClaim: metadata: annotations: - everest.io/disk-volume-type: SATA + everest.io/disk-volume-type: GPSSD everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: storageClassName: csi-disk diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml index c74f8d5..2fec1ef 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml @@ -9,7 +9,7 @@ spec: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} - everest.io/disk-volume-type: SATA + everest.io/disk-volume-type: GPSSD storage: storageClassName: csi-disk accessModes: diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index c08a281..2da0eda 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml 
+++ b/template/stacks/observability/victoria-k8s-stack/values.yaml @@ -289,7 +289,7 @@ vmsingle: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} - everest.io/disk-volume-type: SATA + everest.io/disk-volume-type: GPSSD storage: storageClassName: csi-disk accessModes: From 67c513d1a5451a4a72f889171720525769baae15 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Wed, 13 Aug 2025 13:38:31 +0200 Subject: [PATCH 24/39] =?UTF-8?q?feat(alerts):=20=F0=9F=8E=89=20Add=20disk?= =?UTF-8?q?=20consumption=20high=20alert=20rule?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduce a new alert rule for monitoring high disk consumption in Kubernetes. This enhances observability by providing alerts when disk usage exceeds 60%, helping to maintain storage health in the cluster environment. Refs: DevFW/infra-deploy#109 --- .../victoria-k8s-stack/manifests/alerts.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml index 9419609..110ee7e 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml @@ -27,3 +27,14 @@ spec: annotations: value: "{{ $value }}" description: 'forgejo s3 backup job failed in cluster environment {{ $labels.cluster_environment }}' + - name: disk-consumption-high + rules: + - alert: disk consumption high + expr: 1-(kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes) > 0.6 + for: 30s + labels: + severity: major + job: "{{ $labels.job }}" + annotations: + value: "{{ $value }}" + description: 'disk consumption of pvc {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is high in cluster environment {{ $labels.cluster_environment }}' 
From d677b4b0e7bea18fa391018838550f00a0b230f6 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 14 Aug 2025 15:55:03 +0200 Subject: [PATCH 25/39] feat(sso): added dex and added template parameters for grafana and dex --- template/stacks/core/dex.yaml | 29 +++++++ template/stacks/core/dex/values.yaml | 76 +++++++++++++++++++ .../grafana-operator/manifests/grafana.yaml | 4 +- 3 files changed, 107 insertions(+), 2 deletions(-) create mode 100644 template/stacks/core/dex.yaml create mode 100644 template/stacks/core/dex/values.yaml diff --git a/template/stacks/core/dex.yaml b/template/stacks/core/dex.yaml new file mode 100644 index 0000000..d41c0bf --- /dev/null +++ b/template/stacks/core/dex.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dex + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: dex + sources: + - repoURL: https://charts.dexidp.io + chart: dex + targetRevision: 0.23.0 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/dex/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values diff --git a/template/stacks/core/dex/values.yaml b/template/stacks/core/dex/values.yaml new file mode 100644 index 0000000..116cbdd --- /dev/null +++ b/template/stacks/core/dex/values.yaml 
@@ -0,0 +1,76 @@ +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: main + hosts: + - host: {{{ .Env.DOMAIN_DEX }}} + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - {{{ .Env.DOMAIN_DEX }}} + secretName: dex-cert + +envVars: + - name: FORGEJO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-forgejo-client + key: clientSecret + - name: FORGEJO_CLIENT_ID + valueFrom: + secretKeyRef: + name: dex-forgejo-client + key: clientID + - name: OIDC_DEX_GRAFANA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-grafana-client + key: clientSecret + - name: OIDC_DEX_ARGO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-argo-client + key: clientSecret + - name: LOG_LEVEL + value: debug + +config: + # Set it to a valid URL + issuer: https://{{{ .Env.DOMAIN_DEX }}} + + # See https://dexidp.io/docs/storage/ for more options + storage: + type: memory + + oauth2: + skipApprovalScreen: true + alwaysShowLoginScreen: false + + connectors: + - type: gitea + id: gitea + name: Forgejo + config: + clientID: "$FORGEJO_CLIENT_ID" + clientSecret: "$FORGEJO_CLIENT_SECRET" + redirectURI: https://{{{ .Env.DOMAIN_DEX }}}/callback + baseURL: https://edp.buildth.ing + # loadAllGroups: true + orgs: + - name: DevFW + enablePasswordDB: false + + staticClients: + - id: controller-argocd-dex + name: ArgoCD Client + redirectURIs: + - "http://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback" + secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}" + - id: grafana + redirectURIs: + - "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth" + name: "Grafana" + secret: "thisisasecret" diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index 4b9abe2..5dd36e8 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml 
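Review bot: `secret: "thisisasecret"` on the `grafana` static client is a live OAuth client secret committed to git, while `OIDC_DEX_GRAFANA_CLIENT_SECRET` is already loaded from the `dex-grafana-client` Secret in `envVars` and never used, so the intended line is `secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET"` (PATCH 26 in this series makes that change), and the Argo CD client's `http://` redirect URI should be `https://` (PATCH 29). Beyond what later patches fix, `LOG_LEVEL: debug` is a verbose setting for an identity provider that handles tokens, `storage.type: memory` drops every session and refresh token on each pod restart and rules out more than one replica, and `baseURL: https://edp.buildth.ing` hard-codes the Forgejo host while every other host in the file is templated from `.Env`. I would set `LOG_LEVEL` to `info`, template the connector's `baseURL` (for instance from `.Env.DOMAIN_GITEA`, if that is the Forgejo host — confirm), and leave a comment that memory storage is acceptable only for the single-replica dev profile.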
@@ -25,7 +25,7 @@ spec: spec: ingressClassName: nginx rules: - - host: grafana.{{{ .Env.DOMAIN }}} + - host: {{{ .Env.DOMAIN_GRAFANA }}} http: paths: - backend: @@ -37,5 +37,5 @@ spec: pathType: Prefix tls: - hosts: - - grafana.{{{ .Env.DOMAIN }}} + - {{{ .Env.DOMAIN_GRAFANA }}} secretName: grafana-net-tls From b3f77644e9576171f9f7ee7d901934de702baca2 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 14 Aug 2025 16:22:11 +0200 Subject: [PATCH 26/39] feat(sso): using secret references in dex to not put secrets in git --- template/stacks/core/dex/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/stacks/core/dex/values.yaml b/template/stacks/core/dex/values.yaml index 116cbdd..04106e3 100644 --- a/template/stacks/core/dex/values.yaml +++ b/template/stacks/core/dex/values.yaml @@ -68,9 +68,9 @@ config: name: ArgoCD Client redirectURIs: - "http://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback" - secret: "{{`{{ .Env.OIDC_DEX_ARGO_CLIENT_SECRET }}`}}" + secretEnv: "OIDC_DEX_ARGO_CLIENT_SECRET" - id: grafana redirectURIs: - "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth" name: "Grafana" - secret: "thisisasecret" + secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET" From c8d5195dc7e68ddb2f10917ddf0b5c8254ad2921 Mon Sep 17 00:00:00 2001 From: evdo Date: Fri, 15 Aug 2025 10:01:04 +0200 Subject: [PATCH 27/39] feat(sso): introduced grafana OAUTH config --- .../grafana-operator/manifests/grafana.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index 5dd36e8..41f32db 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml 
@@ -17,6 +17,40 @@ spec: resources: requests: storage: 10Gi + deployment: + spec: + template: + spec: + containers: + - name: grafana + env: + - name: OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: clientSecret + name: dex-grafana-client + config: + log.console: + level: debug + server: + root_url: "https://{{{ .Env.DOMAIN_GRAFANA }}}" + auth: + disable_login: "true" + disable_login_form: "true" + auth.generic_oauth: + enabled: "true" + name: Forgejo + allow_sign_up: "true" + use_refresh_token: "true" + client_id: grafana + client_secret: $__env{OAUTH_CLIENT_SECRET} + scopes: openid email profile offline_access groups + auth_url: https://{{{ .Env.DOMAIN_DEX }}}/auth + token_url: https://{{{ .Env.DOMAIN_DEX }}}/token + api_url: https://{{{ .Env.DOMAIN_DEX }}}/userinfo + redirect_uri: https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth + role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'" + allow_assign_grafana_admin: "true" ingress: metadata: annotations: From 699b6cedcb0bf325f8aa9b52c6193bc18dc4a44e Mon Sep 17 00:00:00 2001 From: Patrick Sy Date: Fri, 15 Aug 2025 10:56:36 +0200 Subject: [PATCH 28/39] fix(backup): Increased s3 backup volume size to 100GB Refs: DevFW/infra-deploy#116 --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 993b25c..3d77021 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -72,7 +72,7 @@ spec: - ReadWriteOnce resources: requests: - storage: 50Gi + storage: 100Gi --- apiVersion: v1 kind: Secret From 2eab9bd80b78e3f775553795742cded6ef68cd2c Mon Sep 17 00:00:00 2001 
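Review bot: With `disable_login: "true"` and `disable_login_form: "true"` and generic OAuth as the only provider, Grafana has no break-glass path: an outage of Dex or Forgejo, or a mistake in the client configuration, locks every admin out, so either keep the local admin reachable (drop `disable_login`, keep `disable_login_form`, and document the basic-auth login URL) or document the recovery procedure next to these lines. `role_attribute_path` maps everyone outside the `DevFW` group to `'None'` but `role_attribute_strict` is not set, so if the `groups` claim is missing or the expression yields a value Grafana does not recognise the user falls back to the default org role instead of being rejected; add `role_attribute_strict: "true"`. `log.console.level: debug` is a lot of output for a production config and OAuth debug logging can include token material, so `info` is the safer default. Whether the Dex gitea connector emits the org name `DevFW` as a bare group value (rather than an `org:team` form) is not visible here and decides whether `contains(groups[*], 'DevFW')` ever matches; worth confirming against a real login. The `Grafana` spec continues above and below the hunk.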
From: "franz.germann" Date: Fri, 15 Aug 2025 15:10:55 +0200 Subject: [PATCH 29/39] feat(sso): configure sso for ArgoCD --- template/stacks/core/argocd/values.yaml | 13 +++++++++++-- template/stacks/core/dex/values.yaml | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index dfb7f96..d197745 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,6 +5,16 @@ configs: params: server.insecure: true cm: + oidc.config: | + name: FORGEJO + issuer: https://{{{ .Env.DOMAIN_DEX }}} + clientID: controller-argocd-dex + clientSecret: $dex-argo-client:clientSecret + requestedScopes: + - openid + - profile + - email + - groups application.resourceTrackingMethod: annotation timeout.reconciliation: 60s resource.exclusions: | @@ -18,10 +28,9 @@ configs: - CiliumIdentity clusters: - "*" - accounts.provider-argocd: apiKey url: https://{{{ .Env.DOMAIN_ARGOCD }}} rbac: - policy.csv: 'g, provider-argocd, role:admin' + policy.csv: 'g, DevFW, role:admin' tls: certificates: diff --git a/template/stacks/core/dex/values.yaml b/template/stacks/core/dex/values.yaml index 04106e3..c6f8b1c 100644 --- a/template/stacks/core/dex/values.yaml +++ b/template/stacks/core/dex/values.yaml @@ -67,7 +67,7 @@ config: - id: controller-argocd-dex name: ArgoCD Client redirectURIs: - - "http://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback" + - "https://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback" secretEnv: "OIDC_DEX_ARGO_CLIENT_SECRET" - id: grafana redirectURIs: From 47c16eeafd004c0ab3d384b92ac1855f898735cf Mon Sep 17 00:00:00 2001 
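Review bot: `clientSecret: $dex-argo-client:clientSecret` relies on Argo CD's external-secret reference syntax, which only resolves Secrets in the argocd namespace that carry the label `app.kubernetes.io/part-of: argocd`; the `dex-argo-client` Secret is created outside this repo (Dex reads it through `envVars` too), so a comment such as `# dex-argo-client must carry app.kubernetes.io/part-of: argocd, otherwise the $secret:key reference stays unresolved` prevents a silent login failure. The same hunk deletes `accounts.provider-argocd: apiKey` and its `role:admin` binding while switching to SSO; anything still authenticating with that account's API key loses access, which the commit message does not mention, so that removal deserves its own commit or at least an explicit note. `policy.csv: 'g, DevFW, role:admin'` grants admin to the `DevFW` group claim; that is safe only if `policy.default` is unset (deny) elsewhere in this values file, which is not visible in the hunk.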
From: "franz.germann" Date: Mon, 18 Aug 2025 10:38:08 +0200 Subject: [PATCH 30/39] feat(vmuser): use secret instead of hardcoded value for authentication --- .../vm-client-stack/manifests/simple-user-secret.yaml | 9 --------- .../victoria-k8s-stack/manifests/vmauth.yaml | 6 ++++-- 2 files changed, 4 insertions(+), 11 deletions(-) delete mode 100644 template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml diff --git a/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml b/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml deleted file mode 100644 index f13b0b6..0000000 --- a/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: simple-user-secret - namespace: observability -type: Opaque -stringData: - username: simple-user - password: simple-password diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml index 2ea5d76..5759093 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml @@ -5,11 +5,13 @@ metadata: namespace: observability spec: username: simple-user - password: simple-password + passwordRef: + key: password + name: simple-user-secret targetRefs: - static: url: http://vmsingle-o12y:8429 paths: ["/api/v1/write"] - static: url: http://vlogs-victorialogs:9428 - paths: ["/insert/elasticsearch/.*"] + paths: ["/insert/elasticsearch/.*"] \ No newline at end of file From 4d1621b7837694f1b646178caa178c0a1418f1c7 Mon Sep 17 00:00:00 2001 
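Review bot: `passwordRef` now points at `simple-user-secret`, but the same commit deletes `simple-user-secret.yaml`, the only manifest in view that created that Secret in `observability`, so unless it is now provisioned out of band (an external-secrets resource, the bootstrap tooling) the VMUser cannot resolve its password and the client stack's remote-write stops; the commit message should state where the Secret comes from now, e.g. `# simple-user-secret is provisioned by <tool>; it is no longer in this repo`. The username `simple-user` stays a literal next to the templated password, which is fine but worth a comment since the pair is what the client stack must match. The hunk also drops the file's trailing newline (`\ No newline at end of file`).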
From: richardrobertreitz Date: Tue, 21 Oct 2025 08:47:29 +0000 Subject: [PATCH 31/39] chore(alerts): disabled bogus alerts related to kubecontrollermanager and kubescheduler --- .../stacks/observability/victoria-k8s-stack/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index 2da0eda..dd1996b 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml @@ -201,13 +201,13 @@ defaultRules: create: true rules: {} kubernetesSystemControllerManager: - create: true + create: false rules: {} kubeScheduler: - create: true + create: false rules: {} kubernetesSystemScheduler: - create: true + create: false rules: {} kubeStateMetrics: create: true From 115e8f27f6e2e290e8a14fc64d7975ebe3037337 Mon Sep 17 00:00:00 2001 From: Manuel Ganter Date: Thu, 27 Nov 2025 16:28:22 +0100 Subject: [PATCH 32/39] added coder stack --- template/registry/coder.yaml | 24 ++++++++ template/stacks/coder/coder.yaml | 32 ++++++++++ .../coder/coder/manifests/postgres.yaml | 38 ++++++++++++ template/stacks/coder/coder/values.yaml | 61 +++++++++++++++++++ template/stacks/core/cloudnative-pg.yaml | 29 +++++++++ .../stacks/core/cloudnative-pg/values.yaml | 0 6 files changed, 184 insertions(+) create mode 100644 template/registry/coder.yaml create mode 100644 template/stacks/coder/coder.yaml create mode 100644 template/stacks/coder/coder/manifests/postgres.yaml create mode 100644 template/stacks/coder/coder/values.yaml create mode 100644 template/stacks/core/cloudnative-pg.yaml create mode 100644 template/stacks/core/cloudnative-pg/values.yaml diff --git a/template/registry/coder.yaml b/template/registry/coder.yaml new file mode 100644 index 0000000..e9711eb --- /dev/null +++ b/template/registry/coder.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: coder + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + name: in-cluster + namespace: argocd + source: + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder" + repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}" + targetRevision: HEAD + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/template/stacks/coder/coder.yaml b/template/stacks/coder/coder.yaml new file mode 100644 index 0000000..a0eaa9c --- /dev/null +++ b/template/stacks/coder/coder.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: coder + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: coder + sources: + - repoURL: https://helm.coder.com/v2 + chart: coder + targetRevision: 2.28.3 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder/coder/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder/coder/manifests" diff --git a/template/stacks/coder/coder/manifests/postgres.yaml b/template/stacks/coder/coder/manifests/postgres.yaml new file mode 100644 index 0000000..cae4b97 --- /dev/null +++ b/template/stacks/coder/coder/manifests/postgres.yaml 
@@ -0,0 +1,38 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: coder-db + namespace: coder +spec: + instances: 1 + primaryUpdateStrategy: unsupervised + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "1Gi" + cpu: "1" + managed: + roles: + - name: coder + createdb: true + login: true + passwordSecret: + name: coder-db-user + storage: + size: 10Gi + storageClass: csi-disk +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: coder + namespace: coder +spec: + cluster: + name: coder-db + name: coder + owner: coder +--- diff --git a/template/stacks/coder/coder/values.yaml b/template/stacks/coder/coder/values.yaml new file mode 100644 index 0000000..df4334e --- /dev/null +++ b/template/stacks/coder/coder/values.yaml 
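Review bot: The CNPG cluster's `storage` block sets `storageClass: csi-disk` but carries no `everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}}` annotation, which every other PVC in this repo sets to obtain a KMS-encrypted volume, so the Coder database — which will hold session tokens and workspace secrets — would land on an unencrypted disk; CNPG propagates `spec.inheritedMetadata.annotations` to the objects it creates, which is where that annotation (and `everest.io/disk-volume-type`) should go, verifying afterwards that the generated PVC actually carries it. With `instances: 1` and no `backup` section there is neither a replica nor a base backup for this database, which is acceptable for a dev profile only if stated in a comment. `passwordSecret: coder-db-user` must be a `kubernetes.io/basic-auth` Secret with `username` and `password` keys for a managed role, and the coder values read a `url` key from the same Secret, so the out-of-band Secret has to carry all three keys consistently.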
@@ -0,0 +1,61 @@
+coder:
+ # You can specify any environment variables you'd like to pass to Coder
+ # here. Coder consumes environment variables listed in
+ # `coder server --help`, and these environment variables are also passed
+ # to the workspace provisioner (so you can consume them in your Terraform
+ # templates for auth keys etc.).
+ #
+ # Please keep in mind that you should not set `CODER_HTTP_ADDRESS`,
+ # `CODER_TLS_ENABLE`, `CODER_TLS_CERT_FILE` or `CODER_TLS_KEY_FILE` as
+ # they are already set by the Helm chart and will cause conflicts.
+ env:
+ - name: CODER_ACCESS_URL
+ value: https://coder.{{{ .Env.DOMAIN_GITEA }}}
+ - name: CODER_PG_CONNECTION_URL
+ valueFrom:
+ secretKeyRef:
+ # You'll need to create a secret called coder-db-url with your
+ # Postgres connection URL like:
+ # postgres://coder:password@postgres:5432/coder?sslmode=disable
+ name: coder-db-user
+ key: url
+ # For production deployments, we recommend configuring your own GitHub
+ # OAuth2 provider and disabling the default one.
+ - name: CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE
+ value: "false"
+ - name: EDGE_CONNECT_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: edge-credential
+ key: endpoint
+ - name: EDGE_CONNECT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: edge-credential
+ key: username
+ - name: EDGE_CONNECT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: edge-credential
+ key: password
+
+ # (Optional) For production deployments the access URL should be set.
+ # If you're just trying Coder, access the dashboard via the service IP.
+ # - name: CODER_ACCESS_URL
+ # value: "https://coder.example.com"
+
+ #tls:
+ # secretNames:
+ # - my-tls-secret-name
+ service:
+ type: ClusterIP
+
+ ingress:
+ enable: true
+ className: nginx
+ host: coder.{{{ .Env.DOMAIN_GITEA }}}
+ annotations:
+ cert-manager.io/cluster-issuer: main
+ tls:
+ enable: true
+ secretName: coder-tls-secret
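Review bot: The comment above `CODER_PG_CONNECTION_URL` is stale in two ways: it tells the reader to create a Secret called `coder-db-url` while the reference below is `name: coder-db-user`, and its sample URL ends in `?sslmode=disable`, which, copied verbatim, would send the database password in clear text to a CNPG cluster that, as far as I know, serves TLS by default. Reword it to `# Secret coder-db-user, key url: postgres://coder:<password>@coder-db-rw.coder:5432/coder?sslmode=require (host and password are placeholders)`. The trailing "(Optional) For production deployments the access URL should be set" block is dead text now that `CODER_ACCESS_URL` is set at the top of `env`; drop it, or reduce it to a reminder that the value is templated from `DOMAIN_GITEA`. `#tls:` lacks the space after `#` that the rest of the file uses.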
diff --git a/template/stacks/core/cloudnative-pg.yaml b/template/stacks/core/cloudnative-pg.yaml
new file mode 100644
index 0000000..861c693
--- /dev/null
+++ b/template/stacks/core/cloudnative-pg.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudnative-pg
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: cloudnative-pg
+ sources:
+ - repoURL: https://cloudnative-pg.github.io/charts
+ chart: cloudnative-pg
+ targetRevision: 0.26.1
+ helm:
+ valueFiles:
+ - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/cloudnative-pg/values.yaml
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ ref: values
diff --git a/template/stacks/core/cloudnative-pg/values.yaml b/template/stacks/core/cloudnative-pg/values.yaml
new file mode 100644
index 0000000..e69de29
From 94c51a4d77399913073554f61ef732b7d34f046f Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Fri, 28 Nov 2025 10:36:34 +0100
Subject: [PATCH 33/39] added terralist
---
template/registry/coder.yaml | 2 +-
template/registry/terralist.yaml | 24 +++++++
template/stacks/terralist/terralist.yaml | 30 ++++++++
.../stacks/terralist/terralist/values.yaml | 69 +++++++++++++++++++
4 files changed, 124 insertions(+), 1 deletion(-)
create mode 100644 template/registry/terralist.yaml
create mode 100644 template/stacks/terralist/terralist.yaml
create mode 100644 template/stacks/terralist/terralist/values.yaml
diff --git a/template/registry/coder.yaml b/template/registry/coder.yaml
index e9711eb..40cfffb 100644
--- a/template/registry/coder.yaml
+++ b/template/registry/coder.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: coder
+ name: coder-reg
 namespace: argocd
 labels:
 env: dev
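Review bot: The `helm.valueFiles` entry points at `stacks/core/cloudnative-pg/values.yaml`, but that file is added empty in the same change (`index 0000000..e69de29`, no hunk follows its header), so the operator is installed with pure chart defaults and the second `ref: values` source exists only to serve an empty file. Either drop the `valueFiles` entry and the `ref: values` source until there is something to override, or give the file a single line such as `# intentionally empty: cloudnative-pg runs with chart defaults` so nobody mistakes it for a lost file. The operator is cluster-scoped infrastructure that every CNPG `Cluster` in the tenant depends on; `retry.limit: -1` on it is reasonable, but a comment saying why would help.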
diff --git a/template/registry/terralist.yaml b/template/registry/terralist.yaml
new file mode 100644
index 0000000..167345d
--- /dev/null
+++ b/template/registry/terralist.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: terralist-reg
+ namespace: argocd
+ labels:
+ env: dev
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: in-cluster
+ namespace: argocd
+ source:
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/terralist"
+ repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}"
+ targetRevision: HEAD
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/template/stacks/terralist/terralist.yaml b/template/stacks/terralist/terralist.yaml
new file mode 100644
index 0000000..77126f8
--- /dev/null
+++ b/template/stacks/terralist/terralist.yaml
@@ -0,0 +1,30 @@
+# helm upgrade --install --create-namespace --namespace terralist terralist oci://ghcr.io/terralist/helm-charts/terralist -f terralist-values.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: terralist
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: terralist
+ sources:
+ - repoURL: https://github.com/terralist/helm-charts
+ path: charts/terralist
+ targetRevision: terralist-0.8.1
+ helm:
+ valueFiles:
+ - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/terralist/terralist/values.yaml
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ ref: values
diff --git a/template/stacks/terralist/terralist/values.yaml b/template/stacks/terralist/terralist/values.yaml
new file mode 100644
index 0000000..3aa2996
--- /dev/null
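Review bot: The first line of template/stacks/terralist/terralist.yaml, `# helm upgrade --install ... oci://ghcr.io/terralist/helm-charts/terralist -f terralist-values.yaml`, documents a manual OCI install that this Application does not perform — it syncs `charts/terralist` from the GitHub repository at tag `terralist-0.8.1` with values from `$values/...`, so the comment will send the next maintainer to the wrong artifact; replace it with `# Chart: charts/terralist from github.com/terralist/helm-charts at tag terralist-0.8.1; values in stacks/terralist/terralist/values.yaml`. From a supply-chain standpoint `targetRevision: terralist-0.8.1` is a movable git tag on a third-party repository, unlike the immutable chart versions used for coder and cloudnative-pg; if the deployed chart must be reproducible, pin the tag's commit SHA (keeping the tag in a comment) or serve the chart from an internal mirror. The registry Application in the first hunk follows the existing pattern and needs no change.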
+++ b/template/stacks/terralist/terralist/values.yaml
@@ -0,0 +1,69 @@
+controllers:
+ main:
+ strategy: Recreate
+ containers:
+ app:
+ env:
+ - name: TERRALIST_OAUTH_PROVIDER
+ value: github
+ - name: TERRALIST_GH_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: github-app-credentials
+ key: client-id
+ - name: TERRALIST_GH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: github-app-credentials
+ key: client-secret
+ - name: TERRALIST_TOKEN_SIGNING_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: terralist-secret
+ key: token-signing-secret
+ - name: TERRALIST_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: terralist-secret
+ key: cookie-secret
+ - name: TERRALIST_GH_ORGANIZATION
+ value: think-ahead-technologies
+ - name: TERRALIST_URL
+ value: https://terralist.{{{ .Env.DOMAIN_GITEA }}}
+ - name: TERRALIST_SQLITE_PATH
+ value: /data/db.sqlite
+ - name: TERRALIST_LOCAL_STORE
+ value: /data/modules
+ - name: TERRALIST_PROVIDERS_ANONYMOUS_READ
+ value: "true"
+
+ingress:
+ main:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: main
+ hosts:
+ - host: terralist.{{{ .Env.DOMAIN_GITEA }}}
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ identifier: main
+ port: http
+ tls:
+ - hosts:
+ - terralist.{{{ .Env.DOMAIN_GITEA }}}
+ secretName: terralist-tls-secret
+
+persistence:
+ data:
+ enabled: true
+ accessMode: ReadWriteOnce
+ size: 10Gi
+ retain: false
+ storageClass: "csi-disk"
+ annotations:
+ everest.io/disk-volume-type: GPSSD
+ globalMounts:
+ - path: /data
From 45da6fc210d13b8b9b649101c2c07ec0b2ef10be Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Fri, 28 Nov 2025 11:27:50 +0100
Subject: [PATCH 34/39] added FORGEJO_IMAGE_TAG env var
---
template/stacks/forgejo/forgejo-server/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml
index b8cac1c..00dba3d 100644
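Review bot: `TERRALIST_PROVIDERS_ANONYMOUS_READ: "true"` appears to open the provider registry to unauthenticated readers while the rest of the service sits behind `TERRALIST_OAUTH_PROVIDER: github`; if that is intended (for example so a plain `terraform init` can fetch providers), record it next to the variable, e.g. `# providers are readable without login by design; modules still require GitHub auth`, otherwise remove it. `persistence.data.retain: false` together with `TERRALIST_SQLITE_PATH: /data/db.sqlite` and `TERRALIST_LOCAL_STORE: /data/modules` means uninstalling the release deletes both the registry database and every published module — for a registry `retain: true` is the safer default, or at least document the decision. `TERRALIST_GH_ORGANIZATION: think-ahead-technologies`, which presumably scopes who may log in, is the only organisation-specific literal in an otherwise `{{{ .Env.… }}}`-templated file; templating it keeps the template reusable for other tenants.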
--- a/template/stacks/forgejo/forgejo-server/values.yaml
+++ b/template/stacks/forgejo/forgejo-server/values.yaml
@@ -9,7 +9,7 @@ edp-forgejo-{{{ getenv "CLUSTER_ENVIRONMENT" }}}
-# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant.
+# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant.
 strategy:
 type: Recreate
@@ -177,7 +177,7 @@ service:
 nodePort: 32222
 externalTrafficPolicy: Cluster
 annotations:
- kubernetes.io/elb.id: {{{ .Env.LOADBALANCER_ID }}}
+ kubernetes.io/elb.id: {{{ .Env.LOADBALANCER_ID }}}
 image:
 pullPolicy: "IfNotPresent"
@@ -185,7 +185,7 @@ image:
 #tag: "8.0.3"
 # Adds -rootless suffix to image name
 # rootless: true
- fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:v1.1.0-edp-v11.0.3
+ fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:{{{ .Env.FORGEJO_IMAGE_TAG }}}
 forgejo:
 runner:
From 44fecf67c2cfa32a366ad53cf41f8f2ff24ddc1a Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Mon, 1 Dec 2025 15:03:31 +0100
Subject: [PATCH 35/39] added oidc env vars for terralist
---
.../stacks/terralist/terralist/values.yaml | 32 +++++++++++++++----
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/template/stacks/terralist/terralist/values.yaml b/template/stacks/terralist/terralist/values.yaml
index 3aa2996..096db37 100644
--- a/template/stacks/terralist/terralist/values.yaml
+++ b/template/stacks/terralist/terralist/values.yaml
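Review bot: `fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:{{{ .Env.FORGEJO_IMAGE_TAG }}}` renders the invalid reference `edp-forgejo:` if `FORGEJO_IMAGE_TAG` is unset, and the value is an unquoted templated scalar; the rendering step should fail fast on a missing variable (or the value should be quoted and validated where the environment is produced) so a bad render cannot reach the cluster. Replacing the in-repo pin `v1.1.0-edp-v11.0.3` with a free-form tag also moves the pin out of version control for the component that hosts all source code; resolving the tag to a digest where the variable is set (`edp-forgejo@sha256:<digest-placeholder>`) keeps a re-pushed tag from silently changing what is deployed, and a comment here should name the expected format, e.g. `# FORGEJO_IMAGE_TAG: image tag or sha256 digest, set by the environment; no default`. The first two hunks of this patch change only trailing whitespace and could be dropped from it. The enclosing `image:` mapping starts outside the hunk.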
@@ -5,17 +5,37 @@ controllers:
 app:
 env:
 - name: TERRALIST_OAUTH_PROVIDER
- value: github
- - name: TERRALIST_GH_CLIENT_ID
+ value: oidc
+ - name: TERRALIST_OI_CLIENT_ID
 valueFrom:
 secretKeyRef:
- name: github-app-credentials
+ name: oidc-credentials
 key: client-id
- - name: TERRALIST_GH_CLIENT_SECRET
+ - name: TERRALIST_OI_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
- name: github-app-credentials
+ name: oidc-credentials
 key: client-secret
+ - name: TERRALIST_OI_AUTHORIZE_URL
+ valueFrom:
+ secretKeyRef:
+ name: oidc-credentials
+ key: authorize-url
+ - name: TERRALIST_OI_TOKEN_URL
+ valueFrom:
+ secretKeyRef:
+ name: oidc-credentials
+ key: token-url
+ - name: TERRALIST_OI_USERINFO_URL
+ valueFrom:
+ secretKeyRef:
+ name: oidc-credentials
+ key: userinfo-url
+ - name: TERRALIST_OI_SCOPE
+ valueFrom:
+ secretKeyRef:
+ name: oidc-credentials
+ key: scope
 - name: TERRALIST_TOKEN_SIGNING_SECRET
 valueFrom:
 secretKeyRef:
@@ -26,8 +46,6 @@ controllers:
 secretKeyRef:
 name: terralist-secret
 key: cookie-secret
- - name: TERRALIST_GH_ORGANIZATION
- value: think-ahead-technologies
 - name: TERRALIST_URL
 value: https://terralist.{{{ .Env.DOMAIN_GITEA }}}
 - name: TERRALIST_SQLITE_PATH
From 97709eff30e1e9bb9516cc8426ead3d62ca02a32 Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Tue, 2 Dec 2025 13:56:47 +0100
Subject: [PATCH 36/39] added garm to stacks
---
template/registry/garm.yaml | 24 ++++++++++++++++++++++
template/stacks/garm/garm.yaml | 29 +++++++++++++++++++++++++++
template/stacks/garm/garm/values.yaml | 23 +++++++++++++++++++++
3 files changed, 76 insertions(+)
create mode 100644 template/registry/garm.yaml
create mode 100644 template/stacks/garm/garm.yaml
create mode 100644 template/stacks/garm/garm/values.yaml
diff --git a/template/registry/garm.yaml b/template/registry/garm.yaml
new file mode 100644
index 0000000..3b9a08c
--- /dev/null
+++ b/template/registry/garm.yaml
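Review bot: `TERRALIST_OI_AUTHORIZE_URL`, `TERRALIST_OI_TOKEN_URL`, `TERRALIST_OI_USERINFO_URL` and `TERRALIST_OI_SCOPE` are IdP wiring, not credentials, yet they are pulled from the `oidc-credentials` Secret through `secretKeyRef`; moving them to a ConfigMap (`configMapKeyRef`) keeps the authentication endpoints reviewable in git and leaves the Secret holding only `client-id` and `client-secret`. The second hunk of this patch removes `TERRALIST_GH_ORGANIZATION`, which presumably limited login to members of one organisation; after the switch to `value: oidc` nothing in these values restricts who may authenticate, so that policy now lives entirely in the IdP's client configuration and deserves a comment here, e.g. `# authorization: who may log in is enforced by the IdP client behind oidc-credentials; terralist accepts any subject the IdP issues`. The `oidc-credentials` Secret is created nowhere in this series; state where it is provisioned. The `env` list starts outside the hunk.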
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: garm-reg
+ namespace: argocd
+ labels:
+ env: dev
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: in-cluster
+ namespace: argocd
+ source:
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm"
+ repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}"
+ targetRevision: HEAD
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/template/stacks/garm/garm.yaml b/template/stacks/garm/garm.yaml
new file mode 100644
index 0000000..7b16fd5
--- /dev/null
+++ b/template/stacks/garm/garm.yaml
@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: garm
+ namespace: argocd
+ labels:
+ env: dev
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ destination:
+ name: in-cluster
+ namespace: garm
+ sources:
+ - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
+ path: charts/garm
+ targetRevision: v0.0.2
+ helm:
+ valueFiles:
+ - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml
+ - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+ targetRevision: HEAD
+ ref: values
diff --git a/template/stacks/garm/garm/values.yaml b/template/stacks/garm/garm/values.yaml
new file mode 100644
index 0000000..ff18d15
--- /dev/null
+++ b/template/stacks/garm/garm/values.yaml
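Review bot: `repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm` in template/stacks/garm/garm.yaml hard-codes one forge host, whereas the neighbouring source in the same file and every other stack in this series reach the client forge through `{{{ .Env.CLIENT_REPO_DOMAIN }}}`; a template rendered for another environment will still fetch this chart from that fixed host, which is both a portability bug and an unreviewed trust dependency. Either template it, `repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/garm-helm`, or add a comment stating why the chart must come from a fixed location. `targetRevision: v0.0.2` is a movable git tag; pin the commit SHA if the deployed chart needs to be reproducible. The registry Application in the first hunk follows the established pattern and needs no change.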
@@ -0,0 +1,23 @@
+ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: main
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ hosts:
+ - host: garm.{{{ .Env.DOMAIN_GITEA }}}
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: garm-net-tls
+ hosts:
+ - garm.{{{ .Env.DOMAIN_GITEA }}}
+
+# Credentials and Secrets
+credentials:
+ edgeConnect:
+ existingSecretName: "edge-credential"
+ gitea:
+ url: "https://{{{ .Env.DOMAIN_GITEA }}}" # Required
From 89f92fdabc966e14d014b17ce052e93f6b8fe197 Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Tue, 2 Dec 2025 14:57:37 +0100
Subject: [PATCH 37/39] bumped garm version
---
template/stacks/garm/garm.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/garm/garm.yaml b/template/stacks/garm/garm.yaml
index 7b16fd5..508b0b5 100644
--- a/template/stacks/garm/garm.yaml
+++ b/template/stacks/garm/garm.yaml
@@ -20,7 +20,7 @@ spec:
 sources:
 - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
 path: charts/garm
- targetRevision: v0.0.2
+ targetRevision: v0.0.3
 helm:
 valueFiles:
 - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml
From 5b438097bbd027f0025d6198c34c22f856392a03 Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Tue, 2 Dec 2025 15:37:45 +0100
Subject: [PATCH 38/39] bumped argo to argo-cd-9.1.5
---
template/stacks/core/argocd.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml
index 5c1d087..f54bb04 100644
--- a/template/stacks/core/argocd.yaml
+++ b/template/stacks/core/argocd.yaml
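Review bot: `credentials.edgeConnect.existingSecretName: "edge-credential"` names the same Secret that the Coder values feed into `EDGE_CONNECT_ENDPOINT`/`EDGE_CONNECT_USERNAME`/`EDGE_CONNECT_PASSWORD`, so the two services appear to share one upstream credential, copied into both the `coder` and the `garm` namespace; if so, a compromise of either workload exposes the other's access and rotation has to be coordinated across both. Prefer a credential per consumer (for example `garm-edge-credential`) and extend the `# Credentials and Secrets` comment with where the Secret is provisioned, since nothing in this series creates it. `gitea.url` is flagged `# Required` but no Gitea token or credential reference appears in the file — presumably the chart reads it from elsewhere; a comment confirming that would save the next reader a chart lookup.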
@@ -23,7 +23,7 @@ spec:
 # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged
 # As logout make problems, it is suggested to switch from path based routing to an own argocd domain,
 # similar to the CNOE amazon reference implementation and in our case, Forgejo
- targetRevision: argo-cd-7.8.28
+ targetRevision: argo-cd-9.1.5
 helm:
 valueFiles:
 - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/values.yaml
@@ -32,4 +32,4 @@ spec:
 ref: values
 - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
 targetRevision: HEAD
- path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests"
\ No newline at end of file
+ path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests"
From ce8865007cefe3aaec3184fcbf7df955b95a8ef3 Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Mon, 8 Dec 2025 11:06:51 +0100
Subject: [PATCH 39/39] bumped garm to v0.0.4
---
template/stacks/garm/garm.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/stacks/garm/garm.yaml b/template/stacks/garm/garm.yaml
index 508b0b5..555c998 100644
--- a/template/stacks/garm/garm.yaml
+++ b/template/stacks/garm/garm.yaml
@@ -20,7 +20,7 @@ spec:
 sources:
 - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm
 path: charts/garm
- targetRevision: v0.0.3
+ targetRevision: v0.0.4
 helm:
 valueFiles:
 - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml