feat: Add VictoriaMetrics monitoring stack

Adds victoria-metrics-single, grafana, kube-state-metrics, and
node-exporter to the cluster. Enables metrics endpoints on traefik,
argocd, and cert-manager for scraping. Grafana available at
grafana.tr1ceracop.de with VictoriaMetrics as default datasource.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

envs/production/_apps/grafana/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

envs/production/_apps/kube-state-metrics/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

envs/production/_apps/node-exporter/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

envs/production/_apps/victoria-metrics-single/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

envs/production/env-data.ytt.yaml

@@ -7,3 +7,7 @@ environment:
     - proto: traefik
     - proto: cert-manager
     - proto: forgejo
+    - proto: victoria-metrics-single
+    - proto: grafana
+    - proto: kube-state-metrics
+    - proto: node-exporter

prototypes/argocd/helm/argo-cd.yaml

@@ -15,11 +15,28 @@ configs:
         - kube-controller-manager
       jsonPointers:
         - /status
+    resource.customizations.ignoreDifferences.apps_StatefulSet: |
+      jqPathExpressions:
+        - .spec.volumeClaimTemplates
+
+controller:
+  metrics:
+    enabled: true
 
 server:
+  metrics:
+    enabled: true
   ingress:
     enabled: true
     ingressClassName: traefik
     tls: true
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt
+
+repoServer:
+  metrics:
+    enabled: true
+
+applicationSet:
+  metrics:
+    enabled: true

prototypes/cert-manager/helm/cert-manager.yaml

@@ -6,3 +6,6 @@ crds:
 global:
   leaderElection:
     namespace: cert-manager
+
+prometheus:
+  enabled: true

prototypes/grafana/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

prototypes/grafana/helm/grafana.yaml

@@ -0,0 +1,58 @@
+---
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    memory: 256Mi
+
+persistence:
+  enabled: true
+  size: 2Gi
+  storageClassName: local-path
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  hosts:
+    - grafana.tr1ceracop.de
+  tls:
+    - secretName: grafana-tls
+      hosts:
+        - grafana.tr1ceracop.de
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+      - name: VictoriaMetrics
+        type: prometheus
+        url: http://victoria-metrics-single-server.monitoring.svc:8428
+        access: proxy
+        isDefault: true
+
+dashboardProviders:
+  dashboardproviders.yaml:
+    apiVersion: 1
+    providers:
+      - name: default
+        orgId: 1
+        folder: ""
+        type: file
+        disableDeletion: false
+        editable: true
+        options:
+          path: /var/lib/grafana/dashboards/default
+
+dashboards:
+  default:
+    node-exporter:
+      gnetId: 1860
+      revision: 37
+      datasource: VictoriaMetrics
+    kubernetes-cluster:
+      gnetId: 15757
+      revision: 37
+      datasource: VictoriaMetrics

prototypes/grafana/vendir/base.ytt.yaml

@@ -0,0 +1,16 @@
+#@ load("@ytt:data", "data")
+
+#@ app = data.values.application
+---
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+  - path: #@ "charts/" + app.name
+    contents:
+      - path: .
+        helmChart:
+          name: #@ app.name
+          version: #@ app.version
+          repository:
+            url: #@ app.url
+        lazy: true

prototypes/grafana/vendir/vendir-data.ytt.yaml

@@ -0,0 +1,8 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  #! renovate: datasource=helm
+  name: grafana
+  url: https://grafana.github.io/helm-charts
+  version: 10.5.15

prototypes/grafana/ytt/ns.ytt.yaml

@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@ ns = data.values.application.namespace
+
+#@overlay/match by=overlay.all, expects="1+"
+---
+metadata:
+  #@overlay/match missing_ok=True
+  namespace: #@ ns

prototypes/kube-state-metrics/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

prototypes/kube-state-metrics/helm/kube-state-metrics.yaml

@@ -0,0 +1,7 @@
+---
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    memory: 128Mi

prototypes/kube-state-metrics/vendir/base.ytt.yaml

@@ -0,0 +1,16 @@
+#@ load("@ytt:data", "data")
+
+#@ app = data.values.application
+---
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+  - path: #@ "charts/" + app.name
+    contents:
+      - path: .
+        helmChart:
+          name: #@ app.name
+          version: #@ app.version
+          repository:
+            url: #@ app.url
+        lazy: true

prototypes/kube-state-metrics/vendir/vendir-data.ytt.yaml

@@ -0,0 +1,8 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  #! renovate: datasource=helm
+  name: kube-state-metrics
+  url: https://prometheus-community.github.io/helm-charts
+  version: 7.2.2

prototypes/kube-state-metrics/ytt/ns.ytt.yaml

@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@ ns = data.values.application.namespace
+
+#@overlay/match by=overlay.all, expects="1+"
+---
+metadata:
+  #@overlay/match missing_ok=True
+  namespace: #@ ns

prototypes/node-exporter/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

prototypes/node-exporter/helm/prometheus-node-exporter.yaml

@@ -0,0 +1,12 @@
+---
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    memory: 64Mi
+
+tolerations:
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule

prototypes/node-exporter/vendir/base.ytt.yaml

@@ -0,0 +1,16 @@
+#@ load("@ytt:data", "data")
+
+#@ app = data.values.application
+---
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+  - path: #@ "charts/" + app.name
+    contents:
+      - path: .
+        helmChart:
+          name: #@ app.name
+          version: #@ app.version
+          repository:
+            url: #@ app.url
+        lazy: true

prototypes/node-exporter/vendir/vendir-data.ytt.yaml

@@ -0,0 +1,8 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  #! renovate: datasource=helm
+  name: prometheus-node-exporter
+  url: https://prometheus-community.github.io/helm-charts
+  version: 4.52.2

prototypes/node-exporter/ytt/ns.ytt.yaml

@@ -0,0 +1,10 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@ ns = data.values.application.namespace
+
+#@overlay/match by=overlay.all, expects="1+"
+---
+metadata:
+  #@overlay/match missing_ok=True
+  namespace: #@ ns

prototypes/traefik/helm/traefik.yaml

@@ -13,6 +13,9 @@ ports:
     hostPort: 80
   websecure:
     hostPort: 443
+  metrics:
+    expose:
+      default: true
 
 persistence:
   enabled: false

prototypes/victoria-metrics-single/app-data.ytt.yaml

@@ -0,0 +1,5 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  namespace: monitoring

prototypes/victoria-metrics-single/helm/victoria-metrics-single.yaml

@@ -0,0 +1,57 @@
+---
+server:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      memory: 512Mi
+  persistentVolume:
+    enabled: true
+    size: 10Gi
+    storageClassName: local-path
+  scrape:
+    enabled: true
+    config:
+      global:
+        scrape_interval: 30s
+        scrape_timeout: 10s
+      scrape_configs:
+        - job_name: victoriametrics
+          static_configs:
+            - targets: ["localhost:8428"]
+        - job_name: node-exporter
+          kubernetes_sd_configs:
+            - role: endpoints
+          relabel_configs:
+            - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+              action: keep
+              regex: monitoring;prometheus-node-exporter;metrics
+        - job_name: kube-state-metrics
+          kubernetes_sd_configs:
+            - role: endpoints
+          relabel_configs:
+            - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+              action: keep
+              regex: monitoring;kube-state-metrics;http
+        - job_name: traefik
+          kubernetes_sd_configs:
+            - role: endpoints
+          relabel_configs:
+            - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+              action: keep
+              regex: traefik;traefik;metrics
+        - job_name: argocd
+          kubernetes_sd_configs:
+            - role: endpoints
+          relabel_configs:
+            - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_endpoint_port_name]
+              action: keep
+              regex: argocd;http-metrics
+        - job_name: cert-manager
+          kubernetes_sd_configs:
+            - role: endpoints
+          relabel_configs:
+            - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+              action: keep
+              regex: cert-manager;cert-manager;tcp-prometheus-servicemonitor

prototypes/victoria-metrics-single/vendir/base.ytt.yaml

@@ -0,0 +1,16 @@
+#@ load("@ytt:data", "data")
+
+#@ app = data.values.application
+---
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+directories:
+  - path: #@ "charts/" + app.name
+    contents:
+      - path: .
+        helmChart:
+          name: #@ app.name
+          version: #@ app.version
+          repository:
+            url: #@ app.url
+        lazy: true

prototypes/victoria-metrics-single/vendir/vendir-data.ytt.yaml

@@ -0,0 +1,8 @@
+#@data/values-schema
+---
+#@overlay/match-child-defaults missing_ok=True
+application:
+  #! renovate: datasource=helm
+  name: victoria-metrics-single
+  url: https://victoriametrics.github.io/helm-charts
+  version: 0.33.0

prototypes/victoria-metrics-single/ytt/ns.ytt.yaml

@@ -0,0 +1,18 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:overlay", "overlay")
+
+#@ ns = data.values.application.namespace
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: #@ ns
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+
+#@overlay/match by=overlay.all, expects="1+"
+---
+metadata:
+  #@overlay/match missing_ok=True
+  namespace: #@ ns

rendered/argocd/production/app-grafana.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    myks.dev/environment: production
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  name: app-production-grafana
+  namespace: argocd
+spec:
+  destination:
+    namespace: grafana
+    server: https://kubernetes.default.svc
+  project: env-production
+  source:
+    path: rendered/envs/production/grafana
+    repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

rendered/argocd/production/app-kube-state-metrics.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    myks.dev/environment: production
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  name: app-production-kube-state-metrics
+  namespace: argocd
+spec:
+  destination:
+    namespace: kube-state-metrics
+    server: https://kubernetes.default.svc
+  project: env-production
+  source:
+    path: rendered/envs/production/kube-state-metrics
+    repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

rendered/argocd/production/app-node-exporter.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    myks.dev/environment: production
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  name: app-production-node-exporter
+  namespace: argocd
+spec:
+  destination:
+    namespace: node-exporter
+    server: https://kubernetes.default.svc
+  project: env-production
+  source:
+    path: rendered/envs/production/node-exporter
+    repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

rendered/argocd/production/app-victoria-metrics-single.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    myks.dev/environment: production
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  name: app-production-victoria-metrics-single
+  namespace: argocd
+spec:
+  destination:
+    namespace: victoria-metrics-single
+    server: https://kubernetes.default.svc
+  project: env-production
+  source:
+    path: rendered/envs/production/victoria-metrics-single
+    repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

rendered/envs/production/argocd/configmap-argocd-cm.yaml

@@ -9,6 +9,9 @@ data:
       - kube-controller-manager
     jsonPointers:
       - /status
+  resource.customizations.ignoreDifferences.apps_StatefulSet: |
+    jqPathExpressions:
+      - .spec.volumeClaimTemplates
   server.rbac.log.enforce.enable: "false"
   statusbadge.enabled: "false"
   timeout.hard.reconciliation: 0s

rendered/envs/production/argocd/deployment-argo-cd-argocd-repo-server.yaml

@@ -23,7 +23,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/cm: 3583210793db8d1abf108262c051079800349bbfb09cb52450b6dd436e4523f1
+        checksum/cm: 1a6402f45d0f0bbb7e237471101104aa332424c905bd8050b98a04c60e87a399
         checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
       labels:
         app.kubernetes.io/component: repo-server

rendered/envs/production/argocd/deployment-argo-cd-argocd-server.yaml

@@ -23,7 +23,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/cm: 3583210793db8d1abf108262c051079800349bbfb09cb52450b6dd436e4523f1
+        checksum/cm: 1a6402f45d0f0bbb7e237471101104aa332424c905bd8050b98a04c60e87a399
         checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
       labels:
         app.kubernetes.io/component: server

rendered/envs/production/argocd/service-argo-cd-argocd-application-controller-metrics.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: application-controller
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-metrics
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.14.10
+    helm.sh/chart: argo-cd-7.8.26
+  name: argo-cd-argocd-application-controller-metrics
+  namespace: argocd
+spec:
+  ports:
+    - name: http-metrics
+      port: 8082
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/name: argocd-application-controller
+  type: ClusterIP

rendered/envs/production/argocd/service-argo-cd-argocd-applicationset-controller-metrics.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: applicationset-controller
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-metrics
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.14.10
+    helm.sh/chart: argo-cd-7.8.26
+  name: argo-cd-argocd-applicationset-controller-metrics
+  namespace: argocd
+spec:
+  ports:
+    - name: http-metrics
+      port: 8080
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/name: argocd-applicationset-controller
+  type: ClusterIP

rendered/envs/production/argocd/service-argo-cd-argocd-repo-server-metrics.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server-metrics
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.14.10
+    helm.sh/chart: argo-cd-7.8.26
+  name: argo-cd-argocd-repo-server-metrics
+  namespace: argocd
+spec:
+  ports:
+    - name: http-metrics
+      port: 8084
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/name: argocd-repo-server
+  type: ClusterIP

rendered/envs/production/argocd/service-argo-cd-argocd-server-metrics.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.14.10
+    helm.sh/chart: argo-cd-7.8.26
+  name: argo-cd-argocd-server-metrics
+  namespace: argocd
+spec:
+  ports:
+    - name: http-metrics
+      port: 8083
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/instance: argo-cd
+    app.kubernetes.io/name: argocd-server
+  type: ClusterIP

rendered/envs/production/argocd/statefulset-argo-cd-argocd-application-controller.yaml

@@ -24,7 +24,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/cm: 3583210793db8d1abf108262c051079800349bbfb09cb52450b6dd436e4523f1
+        checksum/cm: 1a6402f45d0f0bbb7e237471101104aa332424c905bd8050b98a04c60e87a399
         checksum/cmd-params: f46fb4747491e33ef19e957952ce838b6507690ddf03e01967ec0b131af9b595
       labels:
         app.kubernetes.io/component: application-controller

rendered/envs/production/grafana/clusterrole-grafana-clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana-clusterrole
+  namespace: monitoring
+rules: []

rendered/envs/production/grafana/clusterrolebinding-grafana-clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana-clusterrolebinding
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: grafana-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: grafana
+    namespace: grafana

rendered/envs/production/grafana/configmap-grafana-dashboards-default.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+data: {}
+kind: ConfigMap
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    dashboard-provider: default
+    helm.sh/chart: grafana-10.5.15
+  name: grafana-dashboards-default
+  namespace: monitoring

rendered/envs/production/grafana/configmap-grafana.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+data:
+  dashboardproviders.yaml: |
+    apiVersion: 1
+    providers:
+    - disableDeletion: false
+      editable: true
+      folder: ""
+      name: default
+      options:
+        path: /var/lib/grafana/dashboards/default
+      orgId: 1
+      type: file
+  datasources.yaml: |
+    apiVersion: 1
+    datasources:
+    - access: proxy
+      isDefault: true
+      name: VictoriaMetrics
+      type: prometheus
+      url: http://victoria-metrics-single-server.monitoring.svc:8428
+  download_dashboards.sh: "#!/usr/bin/env sh\nset -euf\nmkdir -p /var/lib/grafana/dashboards/default\n\ncurl -skf \\\n--connect-timeout 60 \\\n--max-time 60 \\\n-H \"Accept: application/json\" \\\n-H \"Content-Type: application/json;charset=UTF-8\" \\\n  \"https://grafana.com/api/dashboards/15757/revisions/37/download\" \\\n  | sed '/-- .* --/! s/\"datasource\":.*,/\"datasource\": \"VictoriaMetrics\",/g' \\\n> \"/var/lib/grafana/dashboards/default/kubernetes-cluster.json\"\n  \ncurl -skf \\\n--connect-timeout 60 \\\n--max-time 60 \\\n-H \"Accept: application/json\" \\\n-H \"Content-Type: application/json;charset=UTF-8\" \\\n  \"https://grafana.com/api/dashboards/1860/revisions/37/download\" \\\n  | sed '/-- .* --/! s/\"datasource\":.*,/\"datasource\": \"VictoriaMetrics\",/g' \\\n> \"/var/lib/grafana/dashboards/default/node-exporter.json\"\n"
+  grafana.ini: |
+    [analytics]
+    check_for_updates = true
+    [log]
+    mode = console
+    [paths]
+    data = /var/lib/grafana/
+    logs = /var/log/grafana
+    plugins = /var/lib/grafana/plugins
+    provisioning = /etc/grafana/provisioning
+    [server]
+    domain = grafana.tr1ceracop.de
+    [unified_storage]
+    index_path = /var/lib/grafana-search/bleve
+kind: ConfigMap
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring

rendered/envs/production/grafana/deployment-grafana.yaml

@@ -0,0 +1,187 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: grafana
+      app.kubernetes.io/name: grafana
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/config: de8d6f16e9721409f5848bcc101e6aa9815e6455bd4fb9b59306159e705ac1cb
+        checksum/dashboards-json-config: 63ff5f7bd5ab0b6c241c689c0aa4d78be9bef984e63c1089dc988905fbb61f74
+        checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
+        checksum/secret: 2d69544e089b6217799ec53d023d438ff572a49e7e20d15ec4b75a77fbcd6d30
+        kubectl.kubernetes.io/default-container: grafana
+      labels:
+        app.kubernetes.io/instance: grafana
+        app.kubernetes.io/name: grafana
+        app.kubernetes.io/version: 12.3.1
+        helm.sh/chart: grafana-10.5.15
+    spec:
+      automountServiceAccountToken: true
+      containers:
+        - env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: GF_SECURITY_ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  key: admin-user
+                  name: grafana
+            - name: GF_SECURITY_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: admin-password
+                  name: grafana
+            - name: GF_PATHS_DATA
+              value: /var/lib/grafana/
+            - name: GF_PATHS_LOGS
+              value: /var/log/grafana
+            - name: GF_PATHS_PLUGINS
+              value: /var/lib/grafana/plugins
+            - name: GF_PATHS_PROVISIONING
+              value: /etc/grafana/provisioning
+            - name: GF_UNIFIED_STORAGE_INDEX_PATH
+              value: /var/lib/grafana-search/bleve
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  divisor: "1"
+                  resource: limits.memory
+          image: docker.io/grafana/grafana:12.3.1
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 10
+            httpGet:
+              path: /api/health
+              port: grafana
+            initialDelaySeconds: 60
+            timeoutSeconds: 30
+          name: grafana
+          ports:
+            - containerPort: 3000
+              name: grafana
+              protocol: TCP
+            - containerPort: 9094
+              name: gossip-tcp
+              protocol: TCP
+            - containerPort: 9094
+              name: gossip-udp
+              protocol: UDP
+            - containerPort: 6060
+              name: profiling
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /api/health
+              port: grafana
+          resources:
+            limits:
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /etc/grafana/grafana.ini
+              name: config
+              subPath: grafana.ini
+            - mountPath: /var/lib/grafana
+              name: storage
+            - mountPath: /var/lib/grafana-search
+              name: search
+            - mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
+              name: config
+              subPath: datasources.yaml
+            - mountPath: /etc/grafana/provisioning/dashboards/dashboardproviders.yaml
+              name: config
+              subPath: dashboardproviders.yaml
+      enableServiceLinks: true
+      initContainers:
+        - command:
+            - chown
+            - -R
+            - 472:472
+            - /var/lib/grafana
+          image: docker.io/library/busybox:1.31.1
+          imagePullPolicy: IfNotPresent
+          name: init-chown-data
+          securityContext:
+            capabilities:
+              add:
+                - CHOWN
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
+            runAsNonRoot: false
+            runAsUser: 0
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /var/lib/grafana
+              name: storage
+        - args:
+            - -c
+            - mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh
+          command:
+            - /bin/sh
+          env: null
+          image: docker.io/curlimages/curl:8.9.1
+          imagePullPolicy: IfNotPresent
+          name: download-dashboards
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /etc/grafana/download_dashboards.sh
+              name: config
+              subPath: download_dashboards.sh
+            - mountPath: /var/lib/grafana
+              name: storage
+      securityContext:
+        fsGroup: 472
+        runAsGroup: 472
+        runAsNonRoot: true
+        runAsUser: 472
+      serviceAccountName: grafana
+      shareProcessNamespace: false
+      volumes:
+        - configMap:
+            name: grafana
+          name: config
+        - configMap:
+            name: grafana-dashboards-default
+          name: dashboards-default
+        - name: storage
+          persistentVolumeClaim:
+            claimName: grafana
+        - emptyDir: {}
+          name: search

rendered/envs/production/grafana/ingress-grafana.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    cert-manager.io/cluster-issuer: letsencrypt
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: grafana.tr1ceracop.de
+      http:
+        paths:
+          - backend:
+              service:
+                name: grafana
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - grafana.tr1ceracop.de
+      secretName: grafana-tls

rendered/envs/production/grafana/persistentvolumeclaim-grafana.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  finalizers:
+    - kubernetes.io/pvc-protection
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

rendered/envs/production/grafana/role-grafana.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+rules: []

rendered/envs/production/grafana/rolebinding-grafana.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: grafana
+subjects:
+  - kind: ServiceAccount
+    name: grafana
+    namespace: grafana

rendered/envs/production/grafana/secret-grafana.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+data:
+  admin-password: WEh6bjRwYTlGOVM2a3dRT0RncndrNDZocXlrc0Q4Mjlxdll6ZXFHUw==
+  admin-user: YWRtaW4=
+  ldap-toml: ""
+kind: Secret
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: admin-secret
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+type: Opaque

rendered/envs/production/grafana/service-grafana.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring
+spec:
+  ports:
+    - name: service
+      port: 80
+      protocol: TCP
+      targetPort: grafana
+  selector:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+  type: ClusterIP

rendered/envs/production/grafana/serviceaccount-grafana.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/instance: grafana
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/version: 12.3.1
+    helm.sh/chart: grafana-10.5.15
+  name: grafana
+  namespace: monitoring

rendered/envs/production/kube-state-metrics/clusterrole-kube-state-metrics.yaml

@@ -0,0 +1,212 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/version: 2.18.0
+    helm.sh/chart: kube-state-metrics-7.2.2
+  name: kube-state-metrics
+  namespace: monitoring
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - limitranges
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - replicationcontrollers
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - resourcequotas
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - volumeattachments
+    verbs:
+      - list
+      - watch

rendered/envs/production/kube-state-metrics/clusterrolebinding-kube-state-metrics.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/version: 2.18.0
+    helm.sh/chart: kube-state-metrics-7.2.2
+  name: kube-state-metrics
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+  - kind: ServiceAccount
+    name: kube-state-metrics
+    namespace: kube-state-metrics

rendered/envs/production/kube-state-metrics/deployment-kube-state-metrics.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/version: 2.18.0
+    helm.sh/chart: kube-state-metrics-7.2.2
+  name: kube-state-metrics
+  namespace: monitoring
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: kube-state-metrics
+      app.kubernetes.io/name: kube-state-metrics
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: metrics
+        app.kubernetes.io/instance: kube-state-metrics
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: kube-state-metrics
+        app.kubernetes.io/part-of: kube-state-metrics
+        app.kubernetes.io/version: 2.18.0
+        helm.sh/chart: kube-state-metrics-7.2.2
+    spec:
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - --port=8080
+            - --resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpointslices,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments
+          image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.18.0
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders: null
+              path: /livez
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: kube-state-metrics
+          ports:
+            - containerPort: 8080
+              name: http
+            - containerPort: 8081
+              name: metrics
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders: null
+              path: /readyz
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources:
+            limits:
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      dnsPolicy: ClusterFirst
+      hostNetwork: false
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kube-state-metrics

rendered/envs/production/kube-state-metrics/service-kube-state-metrics.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    prometheus.io/scrape: "true"
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/version: 2.18.0
+    helm.sh/chart: kube-state-metrics-7.2.2
+  name: kube-state-metrics
+  namespace: monitoring
+spec:
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+  type: ClusterIP

rendered/envs/production/kube-state-metrics/serviceaccount-kube-state-metrics.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: kube-state-metrics
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/version: 2.18.0
+    helm.sh/chart: kube-state-metrics-7.2.2
+  name: kube-state-metrics
+  namespace: monitoring

rendered/envs/production/node-exporter/daemonset-prometheus-node-exporter.yaml

@@ -0,0 +1,135 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: prometheus-node-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: prometheus-node-exporter
+    app.kubernetes.io/part-of: prometheus-node-exporter
+    app.kubernetes.io/version: 1.10.2
+    helm.sh/chart: prometheus-node-exporter-4.52.2
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: prometheus-node-exporter
+      app.kubernetes.io/name: prometheus-node-exporter
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+      labels:
+        app.kubernetes.io/component: metrics
+        app.kubernetes.io/instance: prometheus-node-exporter
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: prometheus-node-exporter
+        app.kubernetes.io/part-of: prometheus-node-exporter
+        app.kubernetes.io/version: 1.10.2
+        helm.sh/chart: prometheus-node-exporter-4.52.2
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: eks.amazonaws.com/compute-type
+                    operator: NotIn
+                    values:
+                      - fargate
+                  - key: type
+                    operator: NotIn
+                    values:
+                      - virtual-kubelet
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - --path.procfs=/host/proc
+            - --path.sysfs=/host/sys
+            - --path.rootfs=/host/root
+            - --path.udev.data=/host/root/run/udev/data
+            - --web.listen-address=[$(HOST_IP)]:9100
+          env:
+            - name: HOST_IP
+              value: 0.0.0.0
+          image: quay.io/prometheus/node-exporter:v1.10.2
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders: null
+              path: /
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: node-exporter
+          ports:
+            - containerPort: 9100
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders: null
+              path: /
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            limits:
+              memory: 64Mi
+            requests:
+              cpu: 10m
+              memory: 32Mi
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /host/proc
+              name: proc
+              readOnly: true
+            - mountPath: /host/sys
+              name: sys
+              readOnly: true
+            - mountPath: /host/root
+              mountPropagation: HostToContainer
+              name: root
+              readOnly: true
+      hostIPC: false
+      hostNetwork: true
+      hostPID: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: prometheus-node-exporter
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+      volumes:
+        - hostPath:
+            path: /proc
+          name: proc
+        - hostPath:
+            path: /sys
+          name: sys
+        - hostPath:
+            path: /
+          name: root
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate

rendered/envs/production/node-exporter/service-prometheus-node-exporter.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+    prometheus.io/scrape: "true"
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: prometheus-node-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: prometheus-node-exporter
+    app.kubernetes.io/part-of: prometheus-node-exporter
+    app.kubernetes.io/version: 1.10.2
+    helm.sh/chart: prometheus-node-exporter-4.52.2
+  name: prometheus-node-exporter
+  namespace: monitoring
+spec:
+  ports:
+    - name: metrics
+      port: 9100
+      protocol: TCP
+      targetPort: 9100
+  selector:
+    app.kubernetes.io/instance: prometheus-node-exporter
+    app.kubernetes.io/name: prometheus-node-exporter
+  type: ClusterIP

rendered/envs/production/node-exporter/serviceaccount-prometheus-node-exporter.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/instance: prometheus-node-exporter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: prometheus-node-exporter
+    app.kubernetes.io/part-of: prometheus-node-exporter
+    app.kubernetes.io/version: 1.10.2
+    helm.sh/chart: prometheus-node-exporter-4.52.2
+  name: prometheus-node-exporter
+  namespace: monitoring

rendered/envs/production/traefik/service-traefik.yaml

@@ -12,6 +12,10 @@ metadata:
   namespace: traefik
 spec:
   ports:
+    - name: metrics
+      port: 9100
+      protocol: TCP
+      targetPort: metrics
     - name: web
       port: 80
       protocol: TCP

rendered/envs/production/victoria-metrics-single/clusterrole-victoria-metrics-single-server.yaml

@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server
+  namespace: monitoring
+rules:
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/metrics
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get

rendered/envs/production/victoria-metrics-single/clusterrolebinding-victoria-metrics-single-server.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: victoria-metrics-single-server
+subjects:
+  - kind: ServiceAccount
+    name: victoria-metrics-single-server
+    namespace: victoria-metrics-single

rendered/envs/production/victoria-metrics-single/configmap-victoria-metrics-single-server-scrapeconfig.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+data:
+  scrape.yml: |
+    global:
+      scrape_interval: 30s
+      scrape_timeout: 10s
+    scrape_configs:
+    - job_name: victoriametrics
+      static_configs:
+      - targets:
+        - localhost:8428
+    - job_name: node-exporter
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: monitoring;prometheus-node-exporter;metrics
+        source_labels:
+        - __meta_kubernetes_namespace
+        - __meta_kubernetes_service_name
+        - __meta_kubernetes_endpoint_port_name
+    - job_name: kube-state-metrics
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: monitoring;kube-state-metrics;http
+        source_labels:
+        - __meta_kubernetes_namespace
+        - __meta_kubernetes_service_name
+        - __meta_kubernetes_endpoint_port_name
+    - job_name: traefik
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: traefik;traefik;metrics
+        source_labels:
+        - __meta_kubernetes_namespace
+        - __meta_kubernetes_service_name
+        - __meta_kubernetes_endpoint_port_name
+    - job_name: argocd
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: argocd;http-metrics
+        source_labels:
+        - __meta_kubernetes_namespace
+        - __meta_kubernetes_endpoint_port_name
+    - job_name: cert-manager
+      kubernetes_sd_configs:
+      - role: endpoints
+      relabel_configs:
+      - action: keep
+        regex: cert-manager;cert-manager;tcp-prometheus-servicemonitor
+        source_labels:
+        - __meta_kubernetes_namespace
+        - __meta_kubernetes_service_name
+        - __meta_kubernetes_endpoint_port_name
+kind: ConfigMap
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app: server
+    app.kubernetes.io/instance: victoria-metrics-single
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: victoria-metrics-single
+    app.kubernetes.io/version: v1.138.0
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server-scrapeconfig
+  namespace: monitoring

rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+  name: monitoring
+  namespace: monitoring

rendered/envs/production/victoria-metrics-single/service-victoria-metrics-single-server.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app: server
+    app.kubernetes.io/instance: victoria-metrics-single
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: victoria-metrics-single
+    app.kubernetes.io/version: v1.138.0
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server
+  namespace: monitoring
+spec:
+  clusterIP: None
+  ports:
+    - name: http
+      port: 8428
+      protocol: TCP
+      targetPort: http
+  selector:
+    app: server
+    app.kubernetes.io/instance: victoria-metrics-single
+    app.kubernetes.io/name: victoria-metrics-single
+  type: ClusterIP

rendered/envs/production/victoria-metrics-single/serviceaccount-victoria-metrics-single-server.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server
+  namespace: monitoring

rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  annotations:
+    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+  labels:
+    app: server
+    app.kubernetes.io/instance: victoria-metrics-single
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: victoria-metrics-single
+    app.kubernetes.io/version: v1.138.0
+    helm.sh/chart: victoria-metrics-single-0.33.0
+  name: victoria-metrics-single-server
+  namespace: monitoring
+spec:
+  podManagementPolicy: OrderedReady
+  replicas: 1
+  selector:
+    matchLabels:
+      app: server
+      app.kubernetes.io/instance: victoria-metrics-single
+      app.kubernetes.io/name: victoria-metrics-single
+  serviceName: victoria-metrics-single-server
+  template:
+    metadata:
+      labels:
+        app: server
+        app.kubernetes.io/instance: victoria-metrics-single
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: victoria-metrics-single
+        app.kubernetes.io/version: v1.138.0
+        helm.sh/chart: victoria-metrics-single-0.33.0
+    spec:
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - --envflag.enable
+            - --envflag.prefix=VM_
+            - --httpListenAddr=:8428
+            - --loggerFormat=json
+            - --promscrape.config=/scrapeconfig/scrape.yml
+            - --retentionPeriod=1
+            - --storageDataPath=/storage
+          image: victoriametrics/victoria-metrics:v1.138.0
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 10
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            tcpSocket:
+              port: http
+            timeoutSeconds: 5
+          name: vmsingle
+          ports:
+            - containerPort: 8428
+              name: http
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 15
+            timeoutSeconds: 5
+          resources:
+            limits:
+              memory: 512Mi
+            requests:
+              cpu: 100m
+              memory: 256Mi
+          securityContext: {}
+          volumeMounts:
+            - mountPath: /storage
+              name: server-volume
+            - mountPath: /scrapeconfig
+              name: scrapeconfig
+      securityContext: {}
+      serviceAccountName: victoria-metrics-single-server
+      terminationGracePeriodSeconds: 60
+      volumes:
+        - configMap:
+            name: victoria-metrics-single-server-scrapeconfig
+          name: scrapeconfig
+  updateStrategy: {}
+  volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: server-volume
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: local-path