diff --git a/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-cm.yaml b/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-cm.yaml index 2e86620ed..8a2fe7c23 100644 --- a/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-cm.yaml +++ b/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-cm.yaml @@ -127,6 +127,6 @@ data: statusbadge.enabled: "true" statusbadge.url: https://argocd.alexlebens.net/ timeout.hard.reconciliation: 0s - timeout.reconciliation: 100s + timeout.reconciliation: 120s timeout.reconciliation.jitter: 60s url: https://argocd.alexlebens.net diff --git a/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-notifications-cm.yaml b/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-notifications-cm.yaml index 34f769504..b51d9ca74 100644 --- a/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-notifications-cm.yaml +++ b/clusters/cl01tl/manifests/argocd/ConfigMap-argocd-notifications-cm.yaml @@ -13,7 +13,6 @@ metadata: app.kubernetes.io/version: "v3.3.4" data: context: | - argocdUrl: https://argocd.example.com argocdUrl: https://argocd.alexlebens.net service.webhook.ntfy: | url: http://ntfy.ntfy/ diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-applicationset-controller.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-applicationset-controller.yaml index ea479634d..ceff90d06 100644 --- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-applicationset-controller.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-applicationset-controller.yaml 
@@ -223,20 +223,23 @@ spec: livenessProbe: tcpSocket: port: probe - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 readinessProbe: tcpSocket: port: probe - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-dex-server.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-dex-server.yaml index 10a5c639c..c77fd3f01 100644 --- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-dex-server.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-dex-server.yaml @@ -22,7 +22,7 @@ spec: metadata: annotations: checksum/cmd-params: 362141fbaf5ddcad145ee51a3a6db083fab8509f6c73479f1359ffe75d7589be - checksum/cm: 44a2e45c2c3dbd82942defeed934270a6ee4d9850869d9b7ba268e4c873a8847 + checksum/cm: 7e934038471270914ddb1112d29a81a9239f0edb8dece4e96029b7edee00e3a2 labels: helm.sh/chart: argo-cd-9.4.15 app.kubernetes.io/name: argocd-dex-server @@ -98,7 +98,10 @@ spec: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -130,7 +133,10 @@ spec: name: static-files - mountPath: /tmp name: dexconfig - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-notifications-controller.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-notifications-controller.yaml index 0d07fb7d5..35cd062ba 100644 
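Review bot: The new `resources` block for the applicationset controller sets `requests` only, so the container still has no memory ceiling and a runaway process can grow until the node itself comes under memory pressure. Adding a `limits.memory` value sized from observed usage next to `requests` would bound that. The same applies to the other `resources:` hunks in this commit (dex-server, notifications-controller, redis-ha-haproxy, repo-server, server, application-controller, redis-ha-server). Separately, `initialDelaySeconds: 60` on the readiness probe keeps every new pod out of service for a full minute on each rollout, whereas a `startupProbe` would absorb slow starts without delaying readiness once the process is up. The container spec starts and ends outside the hunk.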
--- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-notifications-controller.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-notifications-controller.yaml @@ -103,7 +103,10 @@ spec: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-redis-ha-haproxy.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-redis-ha-haproxy.yaml index 09f466ff8..fc96c0426 100644 --- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-redis-ha-haproxy.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-redis-ha-haproxy.yaml @@ -28,9 +28,6 @@ spec: component: haproxy app.kubernetes.io/name: argocd-redis-ha-haproxy annotations: - prometheus.io/port: "9101" - prometheus.io/scrape: "true" - prometheus.io/path: "/metrics" checksum/config: 41729c8b600983b574147eb778eb317992f0a620e163e58b070b159548c3f8e6 spec: serviceAccountName: argocd-redis-ha-haproxy @@ -52,7 +49,7 @@ spec: topologyKey: kubernetes.io/hostname initContainers: - name: config-init - image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine + image: haproxy:3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e imagePullPolicy: IfNotPresent resources: {} command: @@ -76,7 +73,7 @@ spec: mountPath: /data containers: - name: haproxy - image: ecr-public.aws.com/docker/library/haproxy:3.0.8-alpine + image: haproxy:3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -106,7 +103,10 @@ spec: containerPort: 6379 - name: metrics-port containerPort: 9101 - resources: {} + resources: + requests: + cpu: 10m + memory: 128Mi volumeMounts: - name: data mountPath: /usr/local/etc/haproxy 
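Review bot: The `config-init` image in Deployment-argocd-redis-ha-haproxy.yaml changes from a fully qualified `ecr-public.aws.com/...` reference to the short name `haproxy:3.3.6-alpine@sha256:...`, so the registry that serves it now depends on each node's container-runtime short-name resolution. The digest pin keeps the content fixed, but spelling out the registry, e.g. `image: docker.io/library/haproxy:3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e`, removes that dependency and lets registry allow-list or mirror policies match on the host. The same short-name form is used in the `haproxy` container hunk below and for the `redis:8.6.1-alpine@sha256:...` images in Pod-argocd-redis-ha-service-test.yaml and StatefulSet-argocd-redis-ha-server.yaml. The `config-init` container also keeps `resources: {}` while the main container gains requests.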
diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-repo-server.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-repo-server.yaml index d8249ef1c..99ad02af8 100644 --- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-repo-server.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-repo-server.yaml @@ -22,7 +22,7 @@ spec: metadata: annotations: checksum/cmd-params: 362141fbaf5ddcad145ee51a3a6db083fab8509f6c73479f1359ffe75d7589be - checksum/cm: 44a2e45c2c3dbd82942defeed934270a6ee4d9850869d9b7ba268e4c873a8847 + checksum/cm: 7e934038471270914ddb1112d29a81a9239f0edb8dece4e96029b7edee00e3a2 labels: helm.sh/chart: argo-cd-9.4.15 app.kubernetes.io/name: argocd-repo-server @@ -332,21 +332,24 @@ spec: httpGet: path: /healthz?full=true port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 readinessProbe: httpGet: path: /healthz port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -365,7 +368,10 @@ spec: image: quay.io/argoproj/argocd:v3.3.4 imagePullPolicy: IfNotPresent name: copyutil - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/argocd/Deployment-argocd-server.yaml b/clusters/cl01tl/manifests/argocd/Deployment-argocd-server.yaml index 6a028ffed..0a1fdb61f 100644 --- a/clusters/cl01tl/manifests/argocd/Deployment-argocd-server.yaml +++ b/clusters/cl01tl/manifests/argocd/Deployment-argocd-server.yaml 
@@ -22,7 +22,7 @@ spec: metadata: annotations: checksum/cmd-params: 362141fbaf5ddcad145ee51a3a6db083fab8509f6c73479f1359ffe75d7589be - checksum/cm: 44a2e45c2c3dbd82942defeed934270a6ee4d9850869d9b7ba268e4c873a8847 + checksum/cm: 7e934038471270914ddb1112d29a81a9239f0edb8dece4e96029b7edee00e3a2 labels: helm.sh/chart: argo-cd-9.4.15 app.kubernetes.io/name: argocd-server @@ -394,7 +394,10 @@ spec: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 10m + memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-gitea-repo-infrastructure-secret.yaml b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-gitea-repo-infrastructure-secret.yaml index bf9ac7044..732fc9e4f 100644 --- a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-gitea-repo-infrastructure-secret.yaml +++ b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-gitea-repo-infrastructure-secret.yaml @@ -14,22 +14,13 @@ spec: data: - secretKey: type remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/argocd/credentials/repo/infrastructure - metadataPolicy: None property: type - secretKey: url remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/argocd/credentials/repo/infrastructure - metadataPolicy: None property: url - secretKey: sshPrivateKey remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/argocd/credentials/repo/infrastructure - metadataPolicy: None property: sshPrivateKey diff --git a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-notifications-secret.yaml b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-notifications-secret.yaml index 7f0f694fe..b6fea328b 100644 --- a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-notifications-secret.yaml +++ b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-notifications-secret.yaml 
@@ -14,8 +14,5 @@ spec: data: - secretKey: ntfy-token remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /ntfy/user/cl01tl - metadataPolicy: None property: token diff --git a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-oidc-secret.yaml b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-oidc-secret.yaml index e46cecdf2..abde54eae 100644 --- a/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/argocd/ExternalSecret-argocd-oidc-secret.yaml @@ -14,15 +14,9 @@ spec: data: - secretKey: secret remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/argocd - metadataPolicy: None property: secret - secretKey: client remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/argocd - metadataPolicy: None property: client diff --git a/clusters/cl01tl/manifests/argocd/Pod-argocd-redis-ha-service-test.yaml b/clusters/cl01tl/manifests/argocd/Pod-argocd-redis-ha-service-test.yaml index 064c96a49..f377b5b43 100644 --- a/clusters/cl01tl/manifests/argocd/Pod-argocd-redis-ha-service-test.yaml +++ b/clusters/cl01tl/manifests/argocd/Pod-argocd-redis-ha-service-test.yaml @@ -15,7 +15,7 @@ spec: tolerations: [] containers: - name: "argocd-service-test" - image: ecr-public.aws.com/docker/library/redis:8.2.3-alpine + image: redis:8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 command: - sh - -c diff --git a/clusters/cl01tl/manifests/argocd/PrometheusRule-argocd-redis-ha.yaml b/clusters/cl01tl/manifests/argocd/PrometheusRule-argocd-redis-ha.yaml new file mode 100644 index 000000000..e045617a6 --- /dev/null +++ b/clusters/cl01tl/manifests/argocd/PrometheusRule-argocd-redis-ha.yaml 
@@ -0,0 +1,18 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: argocd-redis-ha +spec: + groups: + - name: argocd-redis-ha + interval: 30s + rules: + - alert: RedisPodDown + annotations: + description: Redis pod {{ $labels.pod }} is down + summary: Redis pod {{ $labels.pod }} is down + expr: | + redis_up{job="argocd-redis-ha"} == 0 + for: 5m + labels: + severity: critical diff --git a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-0.yaml b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-0.yaml index b0be908aa..45775519d 100644 --- a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-0.yaml +++ b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-0.yaml @@ -21,6 +21,10 @@ spec: port: 26379 protocol: TCP targetPort: sentinel + - name: http-exporter + port: 9121 + protocol: TCP + targetPort: exporter-port selector: release: argocd app: redis-ha diff --git a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-1.yaml b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-1.yaml index 67db19cf4..158856ecf 100644 --- a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-1.yaml +++ b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-1.yaml @@ -21,6 +21,10 @@ spec: port: 26379 protocol: TCP targetPort: sentinel + - name: http-exporter + port: 9121 + protocol: TCP + targetPort: exporter-port selector: release: argocd app: redis-ha diff --git a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-2.yaml b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-2.yaml index cbc2611b6..a9217e6e8 100644 --- a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-2.yaml +++ b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha-announce-2.yaml 
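Review bot: The `RedisPodDown` expression `redis_up{job="argocd-redis-ha"} == 0` only evaluates while the exporter is still being scraped, so the alert stays silent when the exporter sidecar or the whole pod is gone and the series simply disappears. A companion rule on `up{job="argocd-redis-ha"} == 0` or `absent(redis_up{job="argocd-redis-ha"})` would cover that case. The `job` value and the `pod` label used in the annotations come from a scrape configuration that is not part of this commit, so it is worth confirming they match what Prometheus actually attaches. `summary` and `description` are identical; the description could say what the condition means (exporter cannot reach Redis for 5 minutes).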
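Review bot: The added `http-exporter` port in Service-argocd-redis-ha-announce-0.yaml publishes the exporter's 9121 endpoint with no visible restriction on who may scrape it, so any workload that can reach the ClusterIP can read the Redis metrics. If the namespace has no NetworkPolicy covering this (none is part of this commit), consider one that admits only the Prometheus pods to port 9121. The same port is added in the announce-1, announce-2 and `argocd-redis-ha` Service hunks; the last of these names it `http-exporter-port` rather than `http-exporter`, so a ServiceMonitor that selects by port name has to match each spelling.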
@@ -21,6 +21,10 @@ spec: port: 26379 protocol: TCP targetPort: sentinel + - name: http-exporter + port: 9121 + protocol: TCP + targetPort: exporter-port selector: release: argocd app: redis-ha diff --git a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha.yaml b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha.yaml index 382657bfc..ee5d62622 100644 --- a/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha.yaml +++ b/clusters/cl01tl/manifests/argocd/Service-argocd-redis-ha.yaml @@ -8,6 +8,7 @@ metadata: heritage: "Helm" release: "argocd" chart: redis-ha-4.34.11 + exporter: enabled annotations: spec: type: ClusterIP @@ -21,6 +22,10 @@ spec: port: 26379 protocol: TCP targetPort: sentinel + - name: http-exporter-port + port: 9121 + protocol: TCP + targetPort: exporter-port selector: release: argocd app: redis-ha diff --git a/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-application-controller.yaml b/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-application-controller.yaml index 7f80ea5c8..c766fff9e 100644 --- a/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-application-controller.yaml +++ b/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-application-controller.yaml @@ -23,7 +23,7 @@ spec: metadata: annotations: checksum/cmd-params: 362141fbaf5ddcad145ee51a3a6db083fab8509f6c73479f1359ffe75d7589be - checksum/cm: 44a2e45c2c3dbd82942defeed934270a6ee4d9850869d9b7ba268e4c873a8847 + checksum/cm: 7e934038471270914ddb1112d29a81a9239f0edb8dece4e96029b7edee00e3a2 labels: helm.sh/chart: argo-cd-9.4.15 app.kubernetes.io/name: argocd-application-controller @@ -334,12 +334,15 @@ spec: httpGet: path: /healthz port: metrics - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 - resources: {} + resources: + requests: + cpu: 15m + memory: 1Gi securityContext: allowPrivilegeEscalation: false capabilities: 
diff --git a/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-redis-ha-server.yaml b/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-redis-ha-server.yaml index 57bf06b2a..8bff71370 100644 --- a/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-redis-ha-server.yaml +++ b/clusters/cl01tl/manifests/argocd/StatefulSet-argocd-redis-ha-server.yaml @@ -47,7 +47,7 @@ spec: automountServiceAccountToken: false initContainers: - name: config-init - image: ecr-public.aws.com/docker/library/redis:8.2.3-alpine + image: redis:8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 imagePullPolicy: IfNotPresent resources: {} command: @@ -79,7 +79,7 @@ spec: mountPath: /data containers: - name: redis - image: ecr-public.aws.com/docker/library/redis:8.2.3-alpine + image: redis:8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 imagePullPolicy: IfNotPresent command: - redis-server @@ -128,7 +128,10 @@ spec: - sh - -c - /health/redis_readiness.sh - resources: {} + resources: + requests: + cpu: 1000m + memory: 64Mi ports: - name: redis containerPort: 6379 @@ -147,7 +150,7 @@ spec: - /bin/sh - /readonly-config/trigger-failover-if-master.sh - name: sentinel - image: ecr-public.aws.com/docker/library/redis:8.2.3-alpine + image: redis:8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 imagePullPolicy: IfNotPresent command: - redis-sentinel @@ -207,7 +210,7 @@ spec: name: health lifecycle: {} - name: split-brain-fix - image: ecr-public.aws.com/docker/library/redis:8.2.3-alpine + image: redis:8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0 imagePullPolicy: IfNotPresent command: - sh 
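Review bot: In the `@@ -128,7 +131,10 @@` hunk, `cpu: 1000m` with `memory: 64Mi` on the `redis` container looks inverted relative to the other requests in this commit (10m–15m CPU). It reserves a full core per replica for scheduling while requesting very little memory for an in-memory store that also has no limit. If the values came from a recommender, confirm them against observed usage. Otherwise a smaller CPU request, plus a memory request and `limits.memory` aligned with the configured Redis `maxmemory` (not visible here), would make eviction and OOM behaviour predictable.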
@@ -237,6 +240,43 @@ spec: readOnly: true - mountPath: /data name: data + - name: redis-exporter + image: "ghcr.io/oliver006/redis_exporter:v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03" + imagePullPolicy: IfNotPresent + args: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + env: + - name: REDIS_ADDR + value: redis://localhost:6379 + livenessProbe: + httpGet: + path: /metrics + port: 9121 + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /metrics + port: 9121 + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 2 + timeoutSeconds: 3 + resources: {} + ports: + - name: exporter-port + containerPort: 9121 + volumeMounts: volumes: - name: config configMap: @@ -245,5 +285,16 @@ spec: configMap: name: argocd-redis-ha-health-configmap defaultMode: 0755 - - name: data - emptyDir: {} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + annotations: + labels: {} + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "10Gi"
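Review bot: The new `redis-exporter` container is given only `REDIS_ADDR`, with no credential. If this Redis instance requires authentication (not visible in this hunk), the exporter needs `REDIS_PASSWORD` sourced from the existing Secret through `valueFrom.secretKeyRef`; without it `redis_up` would report 0 and the new RedisPodDown alert would fire permanently. Both probes hit `/metrics`, which makes the exporter query Redis on every probe interval, so a lighter endpoint would be preferable if the exporter version provides one. `args:` and `volumeMounts:` render as bare null keys and `resources: {}` is left empty while every other container in this commit gains requests; use `args: []`, `volumeMounts: []` and a small `requests` block, or drop the empty keys.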
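Review bot: Replacing the `data` `emptyDir` with a `volumeClaimTemplates` entry means the Argo CD Redis cache now outlives the pod and is stored on whatever the cluster's default StorageClass provides, because no `storageClassName` is set. That cache can contain rendered manifests and application state, so confirm the backing storage is encrypted at rest and covered by the same access and retention controls as other sensitive volumes, or set `storageClassName` explicitly. `volumeClaimTemplates` cannot be changed on an existing StatefulSet, so this change will likely need the StatefulSet recreated rather than synced in place. `annotations:` under the claim's metadata renders as null and could be written `annotations: {}` or omitted.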