feat: enabled monitors everywhere and standardize resources a bit (#1281

)

* feat: enabled monitors everywhere and standardize resources a bit

Signed-off-by: Devin Buhl <[email protected]>

* add raw tags

---------

Signed-off-by: Devin Buhl <[email protected]>

bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2

@@ -24,11 +24,14 @@ spec:
  keepHistory: false
  values:
  installCRDs: true
- extraArgs:
- - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
- - --dns01-recursive-nameservers-only
+ dns01RecursiveNameservers: 1.1.1.1:53,9.9.9.9:53
+ dns01RecursiveNameserversOnly: true
  podDnsPolicy: None
  podDnsConfig:
  nameservers:
  - "1.1.1.1"
  - "9.9.9.9"
+ prometheus:
+ enabled: true
+ podMonitor:
+ enabled: true

bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2

@@ -26,3 +26,7 @@ spec:
  {% filter indent(width=4, first=True) %}
  {% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %}
  {% endfilter %}
+ metrics:
+ enable: true
+ serviceMonitor:
+ enabled: true

bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2

@@ -28,3 +28,7 @@ spec:
  - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
  - --kubelet-use-node-status-port
  - --metric-resolution=15s
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true

bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2

@@ -26,3 +26,6 @@ spec:
  fullnameOverride: reloader
  reloader:
  readOnlyRootFileSystem: true
+ podMonitor:
+ enabled: true
+ namespace: "{% raw %}{{ .Release.Namespace }}{% endraw %}"

bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2

@@ -34,3 +34,5 @@ spec:
  service:
  registry:
  hostPort: 29999
+ serviceMonitor:
+ enabled: true

bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2

@@ -35,7 +35,7 @@ spec:
  repository: docker.io/cloudflare/cloudflared
  tag: 2024.1.5
  env:
- NO_AUTOUPDATE: "true"
+ NO_AUTOUPDATE: true
  TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
  TUNNEL_METRICS: 0.0.0.0:8080
  TUNNEL_ORIGIN_ENABLE_HTTP2: true
@@ -67,21 +67,30 @@ spec:
  readiness: *probes
  startup:
  enabled: false
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
- cpu: 5m
- memory: 128M
+ cpu: 10m
  limits:
- memory: 256M
+ memory: 256Mi
  pod:
  securityContext:
- runAsUser: 568
- runAsGroup: 568
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
  service:
  main:
  ports:
  http:
  port: *port
+ serviceMonitor:
+ main:
+ enabled: true
  persistence:
  config:
  enabled: true

bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2

@@ -48,16 +48,22 @@ spec:
  readiness: *probes
  startup:
  enabled: false
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ seccompProfile:
+ type: RuntimeDefault
  resources:
  requests:
- cpu: 5m
- memory: 10M
+ cpu: 10m
  limits:
- memory: 64M
+ memory: 64Mi
  pod:
  securityContext:
- runAsUser: 568
- runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
  service:
  main:
  ports:

bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2

@@ -41,5 +41,7 @@ spec:
  txtPrefix: k8s.
  txtOwnerId: default
  domainFilters: ["${SECRET_DOMAIN}"]
+ serviceMonitor:
+ enabled: true
  podAnnotations:
  secret.reloader.stakater.com/reload: external-dns-secret

bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2

@@ -63,6 +63,12 @@ spec:
  proxy-body-size: 0
  proxy-buffer-size: 16k
  ssl-protocols: TLSv1.3 TLSv1.2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
  extraArgs:
  {% if cloudflare.acme.production %}
  default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls"
@@ -80,8 +86,7 @@ spec:
  app.kubernetes.io/component: controller
  resources:
  requests:
- cpu: 10m
- memory: 250Mi
+ cpu: 100m
  limits:
  memory: 500Mi
  defaultBackend:

bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2

@@ -60,6 +60,12 @@ spec:
  proxy-body-size: 0
  proxy-buffer-size: 16k
  ssl-protocols: TLSv1.3 TLSv1.2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
  extraArgs:
  {% if cloudflare.acme.production %}
  default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls"
@@ -77,8 +83,7 @@ spec:
  app.kubernetes.io/component: controller
  resources:
  requests:
- cpu: 10m
- memory: 250Mi
+ cpu: 100m
  limits:
  memory: 500Mi
  defaultBackend:

bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2

@@ -48,14 +48,9 @@ spec:
  fieldPath: metadata.namespace
  pod:
  securityContext:
- runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop: ["ALL"]
+ runAsNonRoot: true
  affinity:
  nodeAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:

bootstrap/templates/partials/cilium-values-full.partial.yaml.j2

@@ -1,8 +1,6 @@
 autoDirectNodeRoutes: true
 bpf:
  masquerade: true
-bgp:
- enabled: false
 cluster:
  name: home-kubernetes
  id: 1

bootstrap/templates/partials/cilium-values-init.partial.yaml.j2

@@ -1,8 +1,6 @@
 autoDirectNodeRoutes: true
 bpf:
  masquerade: true
-bgp:
- enabled: false
 cluster:
  name: home-kubernetes
  id: 1