traefik updateStrategy and externalTrafficPolicy

Add rate limiting to traefik
reduce cpu request for cpeh
2025-03-15 19:03:41 -06:00 · 2025-03-15 19:03:26 -06:00 · 2025-03-15 15:10:34 -06:00 · 2025-03-15 15:10:17 -06:00 · 2025-03-15 15:08:12 -06:00 · 2025-03-14 22:55:07 -06:00
19 changed files with 331 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,5 @@ talos/secrets.yaml
 kgnot/config.production.json
 53ll/config.production.json

+*.key
+*.pub
--- a/gitea/ssh_ingress.yaml
+++ b/gitea/ssh_ingress.yaml
--- a/gitea/values.yaml
+++ b/gitea/values.yaml
@ -0,0 +1,59 @@
+gitea:
+  config:
+    server:
+      ROOT_URL: https://git.incngrnt.ca/
+      MINIMUM_KEY_SIZE_CHECK: false
+    service:
+      DISABLE_REGISTRATION: true
+    database:
+      DB_TYPE: postgres
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+    cron:
+      enabled: true
+    repository:
+      DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
+  additionalConfigFromEnvs:
+    - name: GITEA__DATABASE__HOST
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: host 
+    - name: GITEA__DATABASE__NAME
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: dbname  
+    - name: GITEA__DATABASE__USER
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: user
+    - name: GITEA__DATABASE__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: password
+
+strategy:
+  type: Recreate
+ingress:
+  enabled: true
+  hosts:
+    - host: git.incngrnt.ca
+      paths:
+        - path: "/"
+          pathType: Prefix
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+
+  
+redis:
+  enabled: true
+redis-cluster:
+  enabled: false
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
--- a/grafana/alloy_values.yaml
+++ b/grafana/alloy_values.yaml
@ -0,0 +1,23 @@
+alloy:
+  configMap:
+    content: |-
+      logging {
+      	level  = "info"
+      	format = "logfmt"
+      }
+      
+      discovery.kubernetes "pods" {
+        role = "pod"
+      }
+      
+      loki.source.kubernetes "pods" {
+        targets    = discovery.kubernetes.pods.targets
+        forward_to = [loki.write.loki.receiver]
+
+      }
+      
+      loki.write "loki" {
+         endpoint {
+           url = "http://loki.grafana.svc.cluster.local:3100/loki/api/v1/push"
+         }
+       }
--- a/grafana/grafana_values.yaml
+++ b/grafana/grafana_values.yaml
@ -0,0 +1,9 @@
+ingress:
+  enabled: true
+  hosts:
+    - watcher.incngrnt.ca
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+
+persistence:
+  enabled: true    
--- a/grafana/loki_values.yaml
+++ b/grafana/loki_values.yaml
@ -0,0 +1,70 @@
+loki:
+  commonConfig:
+    replication_factor: 1
+  schemaConfig:
+    configs:
+      - from: "2024-04-01"
+        store: tsdb
+        object_store: s3
+        schema: v13
+        index:
+          prefix: loki_index_
+          period: 24h
+  pattern_ingester:
+      enabled: true
+  limits_config:
+    allow_structured_metadata: true
+    volume_enabled: true
+  ruler:
+    enable_api: true
+  auth_enabled: false
+
+resultsCache:
+  resources:
+    request:
+      cpu: 100ms
+      memory: 500Mi
+    limits:
+      memory: 500Mi
+chunksCache:
+  resources:
+    request:
+      cpu: 100ms
+      memory: 500Mi
+    limits:
+      memory: 500Mi
+minio:
+  enabled: true
+
+      
+deploymentMode: SingleBinary
+
+singleBinary:
+  replicas: 1
+
+# Zero out replica counts of other deployment modes
+backend:
+  replicas: 0
+read:
+  replicas: 0
+write:
+  replicas: 0
+
+ingester:
+  replicas: 0
+querier:
+  replicas: 0
+queryFrontend:
+  replicas: 0
+queryScheduler:
+  replicas: 0
+distributor:
+  replicas: 0
+compactor:
+  replicas: 0
+indexGateway:
+  replicas: 0
+bloomCompactor:
+  replicas: 0
+bloomGateway:
+  replicas: 0
--- a/grafana/prometheus_values.yaml
+++ b/grafana/prometheus_values.yaml
@ -0,0 +1,3 @@
+rometheus-node-exporter:
+  rbac:
+    pspEnabled: true
--- a/helmfile.lock
+++ b/helmfile.lock
@ -1,17 +1,26 @@
 version: 0.170.1
 dependencies:
+- name: alloy
+  repository: https://grafana.github.io/helm-charts
+  version: 0.12.5
 - name: ghost
  repository: https://charts.bitnami.com/bitnami
-  version: 22.1.19
+  version: 22.2.0
 - name: ghost
  repository: https://charts.bitnami.com/bitnami
-  version: 22.1.19
+  version: 22.2.0
 - name: gitea
  repository: https://dl.gitea.io/charts
  version: 11.0.0
+- name: grafana
+  repository: https://grafana.github.io/helm-charts
+  version: 8.10.3
 - name: k8up
  repository: https://k8up-io.github.io/k8up
  version: 4.8.4
+- name: loki
+  repository: https://grafana.github.io/helm-charts
+  version: 6.28.0
 - name: mariadb
  repository: https://charts.bitnami.com/bitnami
  version: 20.4.1
@ -24,6 +33,9 @@ dependencies:
 - name: postgrescluster
  repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
  version: 5.7.2
+- name: prometheus
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 27.5.1
 - name: rook-ceph
  repository: https://charts.rook.io/release
  version: v1.16.5
@ -36,5 +48,5 @@ dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
  version: 34.4.1
-digest: sha256:14c9bc504c5060f8bbce5ec9a8df737a19a7216428a31c1cb34ef5c6648e45c5
-generated: "2025-03-12T21:27:22.529913117-06:00"
+digest: sha256:b28767f0ec4d8549e0b1de7446f3468555a2a67bf88d2b554e9a12c2de723d2d
+generated: "2025-03-15T14:34:49.001292746-06:00"
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -19,6 +19,10 @@ repositories:
    url: https://pkgs.tailscale.com/helmcharts
  - name: gitea
    url: https://dl.gitea.io/charts
+  - name: grafana
+    url: https://grafana.github.io/helm-charts
+  - name: prometheus-community
+    url: https://prometheus-community.github.io/helm-charts
 releases:
  # networking
  - name: metallb
@ -52,6 +56,8 @@ releases:
    namespace: rook-ceph
    createNamespace: true
    chart: rook-release/rook-ceph
+    values:
+      - ./rook-ceph/values.yaml
  - name: rook-ceph-cluster
    namespace: rook-ceph
    createNamespace: true
@ -83,6 +89,36 @@ releases:
    setString:
      - name: auth.rootPassword
        value: {{ requiredEnv "MARIADB_ROOT_PASSWORD" }}
+
+# monitoring
+  - name: grafana
+    namespace: grafana
+    createNamespace: true
+    chart: grafana/grafana
+    values:
+      - grafana/grafana_values.yaml
+    setString:
+      - name: adminPassword
+        value: VYHEKk0Q9KfqQ3UpTx8oc4InrXlUQivUuEeGU8LJ
+  - name: prometheus
+    namespace: grafana
+    createNamespace: true
+    chart: prometheus-community/prometheus
+    values:
+      - grafana/prometheus_values.yaml
+  - name: loki
+    namespace: grafana
+    createNamespace: true
+    chart: grafana/loki
+    values:
+      - grafana/loki_values.yaml
+  - name: alloy
+    namespace: grafana
+    createNamespace: true
+    chart: grafana/alloy
+    values:
+      - grafana/alloy_values.yaml
+      
  # goatchat matrix
  - name: goatchat
    namespace: goatchat
@ -172,3 +208,17 @@ releases:
      - name: repoPassword
        value:  {{ requiredEnv "k8UP_REPO_PASSWORD" }}
 
+  - name: gitea-backup
+    namespace: gitea
+    chart: ./k8up-backup
+    createNamespace: true    
+    values:
+      - ./k8up-backup/values_override.yaml
+    setString:
+      - name: credentials.id
+        value:  {{ requiredEnv "HETZNER_S3_ACCESS_KEY" }}
+      - name: credentials.key
+        value:  {{ requiredEnv "HETZNER_S3_ACCESS_SECRET" }}
+      - name: repoPassword
+        value:  {{ requiredEnv "k8UP_REPO_PASSWORD" }}
+ 
--- a/15
+++ b/15
@ -0,0 +1,15 @@
+update:
+    bws run 'helmfile deps'
+
+deploy:
+    bws run 'helmfile apply'
+
+sdiff:
+    bws run 'helmfile diff --output simple'
+
+ddiff:
+    bws run 'helmfile diff --output dyff'
+
+cleanuppods:
+    kubectl get pods --no-headers | grep -v Running  | awk '{print $1}' | xargs kubectl delete pod
+    
--- a/k8up-backup/Chart.yaml
+++ b/k8up-backup/Chart.yaml
@ -0,0 +1,6 @@
+apiVersion: v2
+name: k8up-backup
+description: A Helm chart for a k8up backup
+
+type: application
+version: 0.0.3
--- a/k8up-backup/templates/backup.yaml
+++ b/k8up-backup/templates/backup.yaml
@ -0,0 +1,20 @@
+apiVersion: k8up.io/v1
+kind: Backup
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  failedJobsHistoryLimit: 2
+  successfulJobsHistoryLimit: 2
+  backend:
+    repoPasswordSecretRef:
+      name: "{{ .Release.Name }}-repopassword"
+      key: password
+    s3:
+      endpoint: "{{ .Values.endpoint }}"
+      bucket: "{{ .Values.bucket }}"
+      accessKeyIDSecretRef:
+         name: "{{ .Release.Name }}-credentials"
+         key: id
+      secretAccessKeySecretRef:
+         name: "{{ .Release.Name }}-credentials"
+         key: key    
--- a/k8up-backup/templates/secrets.yaml
+++ b/k8up-backup/templates/secrets.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Release.Name }}-credentials"
+data:
+  id: "{{ .Values.credentials.id | b64enc}}"
+  key: "{{ .Values.credentials.key | b64enc}}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ .Release.Name }}-repopassword"
+data:
+  password: "{{ .Values.repoPassword | b64enc}}"
--- a/k8up-backup/values.yaml
+++ b/k8up-backup/values.yaml
@ -0,0 +1,7 @@
+# endpoint: 
+# bucket
+# repoPassword:
+# credentials:
+#   id:
+#   key:
+  
--- a/k8up-backup/values_override.yaml
+++ b/k8up-backup/values_override.yaml
@ -0,0 +1,3 @@
+endpoint: hel1.your-objectstorage.com
+bucket: fog
+
--- a/k8up/values.yaml
+++ b/k8up/values.yaml
--- a/rook-ceph-cluster/values.yaml
+++ b/rook-ceph-cluster/values.yaml
@ -9,19 +9,19 @@ cephClusterSpec:
  resources:
    mgr:
      requests:
-        cpu: 150m
+        cpu: 100m
        memory: 256Mi
      limits:
        cpu: "1"
    mon:
      requests:
-        cpu: 150m
+        cpu: 100m
        memory: 256Mi
      limits:
        cpu: "1"        
    osd:
      requests:
-        cpu: 150m
+        cpu: 100m
        memory: 256Mi
      limits:
        cpu: "1"
@ -43,7 +43,7 @@ cephFileSystems:
        activeStandby: true
        resources:
          requests:
-            cpu: 250m
+            cpu: 100m
            memory: 256Mi
          limit:
            cpu: "1"
--- a/rook-ceph/values.yaml
+++ b/rook-ceph/values.yaml
@ -0,0 +1,4 @@
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@ -7,6 +7,9 @@ deployment:
        - name: data
          mountPath: /data

+updateStrategy:
+  type: Recreate
+    
 env:
 - name: HETZNER_API_KEY
   valueFrom:
@ -20,6 +23,16 @@ additionalArguments:
 persistence:
  enabled: true
    
+logs:
+  format: json    
+  access:
+    enabled: true
+    format: json    
+
+service:
+  spec:
+    externalTrafficPolicy: Local
+    
 ingressRoute:
  dashboard:
    enabled: true
@ -30,6 +43,11 @@ ingressRoute:
    tls:
      certResolver: letsencrypt

+ports:
+  websecure:
+    middlewares:
+      - traefik-rate-limit@kubernetescrd
+
 extraObjects:
  - apiVersion: v1
    kind: Secret
@ -47,6 +65,14 @@ extraObjects:
    spec:
      basicAuth:
        secret: traefik-dashboard-auth-secret
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: rate-limit
+    spec:
+      rateLimit:
+        average: 50
+        burst: 100

 certificatesResolvers:
  letsencrypt:
Author	SHA1	Message	Date
Grant	60b99e2130	traefik updateStrategy and externalTrafficPolicy	2025-03-15 19:03:41 -06:00
Grant	73e4e3d773	Add rate limiting to traefik	2025-03-15 19:03:26 -06:00
Grant	1ecc287a67	reduce cpu request for cpeh	2025-03-15 15:10:34 -06:00
Grant	34b1e9e077	Add monitoring stack	2025-03-15 15:10:17 -06:00
Grant	f2c9ab770f	Add just to simply helm commands	2025-03-15 15:08:12 -06:00
Grant	f7c8a0e8bc	Add missing values	2025-03-14 22:55:07 -06:00