diff --git a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml index 414ed4921..d90eeac58 100644 --- a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml @@ -98,6 +98,7 @@ data: bazarr IN CNAME traefik-cl01tl ceph IN CNAME traefik-cl01tl dawarich IN CNAME traefik-cl01tl + dependency-track IN CNAME traefik-cl01tl directus IN CNAME traefik-cl01tl excalidraw IN CNAME traefik-cl01tl feishin IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml index e56360276..85ad4abb3 100644 --- a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - checksum/configMaps: 6309421b11a654946509b84a07e9f18c48c9538078368817f4c0cd78c62af3b1 + checksum/configMaps: bae0b7c9ab38c6cf83951e9181b8030a7dfd5f8cf191a722b89b654110f1d6b0 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: blocky diff --git a/clusters/cl01tl/manifests/dependency-track/Cluster-dependency-track-postgresql-18-cluster.yaml b/clusters/cl01tl/manifests/dependency-track/Cluster-dependency-track-postgresql-18-cluster.yaml new file mode 100644 index 000000000..c19f74ff7 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/Cluster-dependency-track-postgresql-18-cluster.yaml 
@@ -0,0 +1,59 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: dependency-track-postgresql-18-cluster + namespace: dependency-track + labels: + app.kubernetes.io/name: dependency-track-postgresql-18-cluster + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm +spec: + instances: 3 + imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie" + imagePullPolicy: IfNotPresent + postgresUID: 26 + postgresGID: 26 + storage: + size: 10Gi + storageClass: local-path + walStorage: + size: 2Gi + storageClass: local-path + resources: + limits: + hugepages-2Mi: 256Mi + requests: + cpu: 20m + memory: 80Mi + affinity: + enablePodAntiAffinity: true + topologyKey: kubernetes.io/hostname + primaryUpdateMethod: switchover + primaryUpdateStrategy: unsupervised + logLevel: info + enableSuperuserAccess: false + enablePDB: true + postgresql: + parameters: + hot_standby_feedback: "on" + max_slot_wal_keep_size: 2000MB + shared_buffers: 128MB + monitoring: + enablePodMonitor: true + disableDefaultQueries: false + plugins: + - name: barman-cloud.cloudnative-pg.io + enabled: true + isWALArchiver: true + parameters: + barmanObjectName: "dependency-track-postgresql-18-backup-garage-local" + serverName: "dependency-track-postgresql-18-backup-1" + bootstrap: + initdb: + database: app + postInitSQL: + - ALTER DATABASE app SET READ_COMMITTED_SNAPSHOT ON; + owner: app diff --git a/clusters/cl01tl/manifests/dependency-track/Deployment-dependency-track-frontend.yaml b/clusters/cl01tl/manifests/dependency-track/Deployment-dependency-track-frontend.yaml new file mode 100644 index 000000000..d1bc998cf --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/Deployment-dependency-track-frontend.yaml 
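Review bot: The `postInitSQL` entry `ALTER DATABASE app SET READ_COMMITTED_SNAPSHOT ON;` is a Microsoft SQL Server database option, not a PostgreSQL parameter; PostgreSQL rejects `ALTER DATABASE ... SET` for a parameter name it does not recognise, so as far as I can tell this statement fails and takes the initdb bootstrap with it. Dependency-Track documents that statement only for its SQL Server setup, and PostgreSQL's default READ COMMITTED isolation already gives statement-level snapshot reads, so dropping the `postInitSQL` list is the simplest fix. Separately, the StatefulSet that consumes this cluster's `-app` secret (its hunk is cut off at the end of this diff) lists `ALPINE_DATABASE_MODE` twice, once as `external` and once as `org.postgresql.Driver`; the second entry looks like it should be `ALPINE_DATABASE_DRIVER`, since with a duplicated env name the later value is likely to win and the mode ends up set to a driver class name.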
@@ -0,0 +1,83 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dependency-track-frontend + namespace: dependency-track + labels: + helm.sh/chart: dependency-track-0.44.0 + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/name: dependency-track-frontend + app.kubernetes.io/component: frontend + app.kubernetes.io/version: 4.14.1 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/name: dependency-track-frontend + app.kubernetes.io/component: frontend + template: + metadata: + labels: + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/name: dependency-track-frontend + app.kubernetes.io/component: frontend + spec: + enableServiceLinks: true + initContainers: + serviceAccountName: dependency-track + securityContext: + fsGroup: 1000 + containers: + - name: dependency-track-frontend + image: docker.io/dependencytrack/frontend:4.14.1@sha256:8217737050b26ea69a6ddd6fe2cb419531a0bae0b903a87a04077a2415fc9f35 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + resources: + limits: {} + requests: + cpu: 10m + memory: 60Mi + env: + - name: API_BASE_URL + value: "dependency-track.alexlebens.net" + ports: + - name: web + containerPort: 8080 + protocol: TCP + volumeMounts: + - name: tmp + mountPath: /tmp + livenessProbe: + httpGet: + scheme: HTTP + port: web + path: / + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + scheme: HTTP + port: web + path: / + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + volumes: + - name: tmp + emptyDir: {} 
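Review bot: `API_BASE_URL` is set to `"dependency-track.alexlebens.net"` with no scheme; the frontend uses this value as the absolute base for its API requests, so a bare host is likely to be treated by the browser as a relative path rather than an origin. Given that the HTTPRoute sends `/api` on the same hostname to the api-server, the value should be `https://dependency-track.alexlebens.net` (or the variable left unset so the frontend falls back to the page origin); verify which form this frontend version expects. The frontend container also runs with `readOnlyRootFilesystem: false` while the api-server sets it to `true`; if the image only writes under `/tmp`, which is already an emptyDir, flipping it to `true` would bring the two workloads in line. `initContainers:` with no value parses as null, which is harmless but reads like a leftover template key.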
diff --git a/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-key-secret.yaml b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-key-secret.yaml
new file mode 100644
index 000000000..aa079b20c
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-key-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: dependency-track-key-secret
+ namespace: dependency-track
+ labels:
+ app.kubernetes.io/name: dependency-track-key-secret
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/part-of: dependency-track
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: secret.key
+ remoteRef:
+ key: /cl01tl/dependency-track/key
+ property: key
diff --git a/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-oidc-secret.yaml b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-oidc-secret.yaml
new file mode 100644
index 000000000..0665844c5
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-oidc-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: dependency-track-oidc-secret
+ namespace: dependency-track
+ labels:
+ app.kubernetes.io/name: dependency-track-oidc-secret
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/part-of: dependency-track
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: client
+ remoteRef:
+ key: /authentik/oidc/dependency-track
+ property: client
+ - secretKey: secret
+ remoteRef:
+ key: /authentik/oidc/dependency-track
+ property: secret
diff --git a/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-backup-garage-local-secret.yaml b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-backup-garage-local-secret.yaml new file mode 100644 index 000000000..38b176640 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-backup-garage-local-secret.yaml @@ -0,0 +1,38 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: dependency-track-postgresql-18-backup-garage-local-secret + namespace: dependency-track + labels: + app.kubernetes.io/name: dependency-track-postgresql-18-backup-garage-local-secret + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ACCESS_REGION + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-recovery-secret.yaml b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-recovery-secret.yaml new file mode 100644 index 000000000..700d92488 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/ExternalSecret-dependency-track-postgresql-18-recovery-secret.yaml 
@@ -0,0 +1,38 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: dependency-track-postgresql-18-recovery-secret + namespace: dependency-track + labels: + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dependency-track-postgresql-18-recovery-secret +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ACCESS_REGION + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_REGION + - secretKey: ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_KEY_ID + - secretKey: ACCESS_SECRET_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/postgres-backups + metadataPolicy: None + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/dependency-track/HTTPRoute-dependency-track.yaml b/clusters/cl01tl/manifests/dependency-track/HTTPRoute-dependency-track.yaml new file mode 100644 index 000000000..a52d0c180 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/HTTPRoute-dependency-track.yaml 
@@ -0,0 +1,35 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: dependency-track
+ namespace: dependency-track
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ hostnames:
+ - "dependency-track.alexlebens.net"
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /api
+ backendRefs:
+ - name: dependency-track-api-server
+ port: 8080
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /health
+ backendRefs:
+ - name: dependency-track-api-server
+ port: 8080
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: dependency-track-frontend
+ port: 8080
diff --git a/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-backup-garage-local.yaml b/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-backup-garage-local.yaml
new file mode 100644
index 000000000..0737edf2e
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-backup-garage-local.yaml
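Review bot: The second rule publishes the api-server's `/health` prefix on the public hostname next to `/api`; the kubelet probes reach the pod directly, so unless an external uptime check depends on it, that rule can be dropped rather than advertising backend and database health to unauthenticated clients. The remaining split (`/api` to `dependency-track-api-server`, everything else to `dependency-track-frontend`) matches the two Services, and `/metrics` is not routed, so the ServiceMonitor scrape stays in-cluster. If `/health` is kept for an external monitor, it is worth noting that in a comment on the rule so it is not removed as unused later.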
@@ -0,0 +1,33 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: dependency-track-postgresql-18-backup-garage-local + namespace: dependency-track + labels: + app.kubernetes.io/name: dependency-track-postgresql-18-backup-garage-local + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm +spec: + retentionPolicy: 7d + instanceSidecarConfiguration: + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + configuration: + destinationPath: s3://postgres-backups/cl01tl/dependency-track/dependency-track-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + s3Credentials: + accessKeyId: + name: dependency-track-postgresql-18-backup-garage-local-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: dependency-track-postgresql-18-backup-garage-local-secret + key: ACCESS_SECRET_KEY + region: + name: dependency-track-postgresql-18-backup-garage-local-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-recovery.yaml b/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-recovery.yaml new file mode 100644 index 000000000..e46675999 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/ObjectStore-dependency-track-postgresql-18-recovery.yaml 
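Review bot: `endpointURL` is plain `http://garage-main.garage:3900`, so base backups and WAL segments of the Dependency-Track database travel unencrypted across the cluster network; SigV4 signing protects the access key, not the payload. If the Garage endpoint can serve TLS, switch this to `https://` here and in the recovery ObjectStore in the next hunk (`ObjectStore-dependency-track-postgresql-18-recovery.yaml`), which points at the same endpoint. This store also sets no `wal`/`data` compression while the recovery store sets `snappy` for both; as far as I know restores pick the compression up from the object names so the asymmetry is harmless, but it means the `7d` retention window holds uncompressed objects, and adding the same `wal.compression: snappy` / `data.compression: snappy` block under `configuration` here would make the two stores consistent.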
@@ -0,0 +1,32 @@ +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: "dependency-track-postgresql-18-recovery" + namespace: dependency-track + labels: + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "dependency-track-postgresql-18-recovery" +spec: + configuration: + destinationPath: s3://postgres-backups/cl01tl/dependency-track/dependency-track-postgresql-18-cluster + endpointURL: http://garage-main.garage:3900 + wal: + compression: snappy + maxParallel: 1 + data: + compression: snappy + jobs: 1 + s3Credentials: + accessKeyId: + name: dependency-track-postgresql-18-recovery-secret + key: ACCESS_KEY_ID + secretAccessKey: + name: dependency-track-postgresql-18-recovery-secret + key: ACCESS_SECRET_KEY + region: + name: dependency-track-postgresql-18-recovery-secret + key: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/dependency-track/PrometheusRule-dependency-track-postgresql-18-alert-rules.yaml b/clusters/cl01tl/manifests/dependency-track/PrometheusRule-dependency-track-postgresql-18-alert-rules.yaml new file mode 100644 index 000000000..9ddc6e548 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/PrometheusRule-dependency-track-postgresql-18-alert-rules.yaml 
@@ -0,0 +1,270 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: dependency-track-postgresql-18-alert-rules + namespace: dependency-track + labels: + app.kubernetes.io/name: dependency-track-postgresql-18-alert-rules + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm +spec: + groups: + - name: cloudnative-pg/dependency-track-postgresql-18 + rules: + - alert: CNPGClusterBackendsWaitingWarning + annotations: + summary: CNPG Cluster a backend is waiting for longer than 5 minutes. + description: |- + Pod {{ $labels.pod }} + has been waiting for longer than 5 minutes + expr: | + cnpg_backends_waiting_total{namespace="dependency-track"} > 300 + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterDatabaseDeadlockConflictsWarning + annotations: + summary: CNPG Cluster has over 10 deadlock conflicts. + description: |- + There are over 10 deadlock conflicts in + {{ $labels.pod }} + expr: | + cnpg_pg_stat_database_deadlocks{namespace="dependency-track"} > 10 + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterHACritical + annotations: + summary: CNPG Cluster has no standby replicas! + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe + risk of data loss and downtime if the primary instance fails. + + The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint + will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main. 
+ + This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less + instances. The replaced instance may need some time to catch-up with the cluster primary instance. + + This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this + case you may want to silence it. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="dependency-track"} - cnpg_pg_replication_is_wal_receiver_up{namespace="dependency-track"}) < 1 + for: 5m + labels: + severity: critical + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterHAWarning + annotations: + summary: CNPG Cluster less than 2 standby replicas. + description: |- + CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting + your cluster at risk if another instance fails. The cluster is still able to operate normally, although + the `-ro` and `-r` endpoints operate at reduced capacity. + + This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may + need some time to catch-up with the cluster primary instance. + + This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances. + In this case you may want to silence it. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md + expr: | + max by (job) (cnpg_pg_replication_streaming_replicas{namespace="dependency-track"} - cnpg_pg_replication_is_wal_receiver_up{namespace="dependency-track"}) < 2 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsCritical + annotations: + summary: CNPG Instance maximum number of connections critical! + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95 + for: 5m + labels: + severity: critical + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterHighConnectionsWarning + annotations: + summary: CNPG Instance is approaching the maximum number of connections. + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of + the maximum number of connections. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md + expr: | + sum by (pod) (cnpg_backends_total{namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterHighReplicationLag + annotations: + summary: CNPG Cluster high replication lag + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" is experiencing a high replication lag of + {{`{{`}} $value {{`}}`}}ms. + + High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md + expr: | + max(cnpg_pg_replication_lag{namespace="dependency-track",pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterInstancesOnSameNode + annotations: + summary: CNPG Cluster instances are located on the same node. + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}} + instances on the same node {{`{{`}} $labels.node {{`}}`}}. + + A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md + expr: | + count by (node) (kube_pod_info{namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterLongRunningTransactionWarning + annotations: + summary: CNPG Cluster query is taking longer than 5 minutes. + description: |- + CloudNativePG Cluster Pod {{ $labels.pod }} + is taking more than 5 minutes (300 seconds) for a query. + expr: |- + cnpg_backends_max_tx_duration_seconds{namespace="dependency-track"} > 300 + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceCritical + annotations: + summary: CNPG Instance is running out of disk space! + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs! 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.9 + for: 5m + labels: + severity: critical + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterLowDiskSpaceWarning + annotations: + summary: CNPG Instance is running out of disk space. + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" is running low on disk space. Check attached PVCs. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md + expr: | + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR + max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR + max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + / + sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="dependency-track", persistentvolumeclaim=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"}) + * + on(namespace, persistentvolumeclaim) group_left(volume) + kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} + ) > 0.7 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterOffline + annotations: + summary: CNPG Cluster has no running instances! + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" has no ready instances. + + Having an offline cluster means your applications will not be able to access the database, leading to + potential service disruption and/or data loss. 
+ runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md + expr: | + (count(cnpg_collector_up{namespace="dependency-track",pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0 + for: 5m + labels: + severity: critical + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterPGDatabaseXidAgeWarning + annotations: + summary: CNPG Cluster has a number of transactions from the frozen XID to the current one. + description: |- + Over 300,000,000 transactions from frozen xid + on pod {{ $labels.pod }} + expr: | + cnpg_pg_database_xid_age{namespace="dependency-track"} > 300000000 + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterPGReplicationWarning + annotations: + summary: CNPG Cluster standby is lagging behind the primary. + description: |- + Standby is lagging behind by over 300 seconds (5 minutes) + expr: | + cnpg_pg_replication_lag{namespace="dependency-track"} > 300 + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterReplicaFailingReplicationWarning + annotations: + summary: CNPG Cluster has a replica is failing to replicate. + description: |- + Replica {{ $labels.pod }} + is failing to replicate + expr: | + cnpg_pg_replication_in_recovery{namespace="dependency-track"} > cnpg_pg_replication_is_wal_receiver_up{namespace="dependency-track"} + for: 1m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster + - alert: CNPGClusterZoneSpreadWarning + annotations: + summary: CNPG Cluster instances in the same zone. + description: |- + CloudNativePG Cluster "dependency-track/dependency-track-postgresql-18-cluster" has instances in the same availability zone. 
+ + A disaster in one availability zone will lead to a potential service disruption and/or data loss. + runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md + expr: | + 3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3 + for: 5m + labels: + severity: warning + namespace: dependency-track + cnpg_cluster: dependency-track-postgresql-18-cluster diff --git a/clusters/cl01tl/manifests/dependency-track/ScheduledBackup-dependency-track-postgresql-18-scheduled-backup-live-backup.yaml b/clusters/cl01tl/manifests/dependency-track/ScheduledBackup-dependency-track-postgresql-18-scheduled-backup-live-backup.yaml new file mode 100644 index 000000000..b07aada0d --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/ScheduledBackup-dependency-track-postgresql-18-scheduled-backup-live-backup.yaml @@ -0,0 +1,24 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: "dependency-track-postgresql-18-scheduled-backup-live-backup" + namespace: dependency-track + labels: + app.kubernetes.io/name: "dependency-track-postgresql-18-scheduled-backup-live-backup" + helm.sh/chart: postgres-18-cluster-7.11.2 + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/version: "7.11.2" + app.kubernetes.io/managed-by: Helm +spec: + immediate: true + suspend: false + schedule: "0 10 14 * * *" + backupOwnerReference: self + cluster: + name: dependency-track-postgresql-18-cluster + method: plugin + pluginConfiguration: + name: barman-cloud.cloudnative-pg.io + parameters: + barmanObjectName: "dependency-track-postgresql-18-backup-garage-local" 
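Review bot: Six rules in this group select only on `namespace="dependency-track"` — CNPGClusterBackendsWaitingWarning, CNPGClusterDatabaseDeadlockConflictsWarning, CNPGClusterLongRunningTransactionWarning, CNPGClusterPGDatabaseXidAgeWarning, CNPGClusterPGReplicationWarning and CNPGClusterReplicaFailingReplicationWarning — while the others also pin `pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"`. With a single cluster in the namespace that works, but the static `cnpg_cluster` label these rules attach would mis-attribute alerts from any second CNPG cluster later deployed into `dependency-track`; adding the same selector to those six expressions, e.g. `cnpg_backends_waiting_total{namespace="dependency-track", pod=~"dependency-track-postgresql-18-cluster-([1-9][0-9]*)$"} > 300`, closes that gap. Also, CNPGClusterZoneSpreadWarning will fire continuously if the nodes do not carry distinct `topology.kubernetes.io/zone` labels, which the upstream description already anticipates; if this is a single-zone cluster, silencing or dropping that rule is probably intended.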
diff --git a/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-api-server.yaml b/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-api-server.yaml new file mode 100644 index 000000000..9f2b15ac4 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-api-server.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: dependency-track-api-server + namespace: dependency-track + labels: + helm.sh/chart: dependency-track-0.44.0 + app.kubernetes.io/part-of: dependency-track + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/name: dependency-track-api-server + app.kubernetes.io/component: api-server + app.kubernetes.io/version: 4.14.1 +spec: + type: "ClusterIP" + ports: + - name: web + port: 8080 + targetPort: web + selector: + app.kubernetes.io/instance: dependency-track + app.kubernetes.io/name: dependency-track-api-server + app.kubernetes.io/component: api-server diff --git a/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-frontend.yaml b/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-frontend.yaml new file mode 100644 index 000000000..d0e643901 --- /dev/null +++ b/clusters/cl01tl/manifests/dependency-track/Service-dependency-track-frontend.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dependency-track-frontend
+ namespace: dependency-track
+ labels:
+ helm.sh/chart: dependency-track-0.44.0
+ app.kubernetes.io/part-of: dependency-track
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-frontend
+ app.kubernetes.io/component: frontend
+ app.kubernetes.io/version: 4.14.1
+spec:
+ type: "ClusterIP"
+ ports:
+ - name: web
+ port: 8080
+ targetPort: web
+ selector:
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-frontend
+ app.kubernetes.io/component: frontend
diff --git a/clusters/cl01tl/manifests/dependency-track/ServiceAccount-dependency-track.yaml b/clusters/cl01tl/manifests/dependency-track/ServiceAccount-dependency-track.yaml
new file mode 100644
index 000000000..a486f0c8f
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/ServiceAccount-dependency-track.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dependency-track
+ namespace: dependency-track
+ labels:
+ helm.sh/chart: dependency-track-0.44.0
+ app.kubernetes.io/part-of: dependency-track
+ app.kubernetes.io/managed-by: Helm
+ annotations: {}
+automountServiceAccountToken: false
diff --git a/clusters/cl01tl/manifests/dependency-track/ServiceMonitor-dependency-track-api-server.yaml b/clusters/cl01tl/manifests/dependency-track/ServiceMonitor-dependency-track-api-server.yaml
new file mode 100644
index 000000000..57fbe8b66
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/ServiceMonitor-dependency-track-api-server.yaml
@@ -0,0 +1,28 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: dependency-track-api-server
+ namespace: dependency-track
+ labels:
+ helm.sh/chart: dependency-track-0.44.0
+ app.kubernetes.io/part-of: dependency-track
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-api-server
+ app.kubernetes.io/component: api-server
+ app.kubernetes.io/version: 4.14.1
+spec:
+ namespaceSelector:
+ matchNames:
+ - dependency-track
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-api-server
+ app.kubernetes.io/component: api-server
+ jobLabel: dependency-track-api-server
+ endpoints:
+ - port: web
+ path: /metrics
+ interval: 60s
+ scrapeTimeout: 30s
diff --git a/clusters/cl01tl/manifests/dependency-track/StatefulSet-dependency-track-api-server.yaml b/clusters/cl01tl/manifests/dependency-track/StatefulSet-dependency-track-api-server.yaml
new file mode 100644
index 000000000..218dd737f
--- /dev/null
+++ b/clusters/cl01tl/manifests/dependency-track/StatefulSet-dependency-track-api-server.yaml
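Review bot: The `endpoints` entry scrapes `/metrics` on the api-server's `web` port with no `basicAuth`, so the commit relies on that endpoint being reachable unauthenticated by anything in the cluster that can reach the Service. Dependency-Track can, as far as I recall, put HTTP basic auth in front of its metrics endpoint (`ALPINE_METRICS_AUTH_USERNAME` / `ALPINE_METRICS_AUTH_PASSWORD`); if that is ever enabled on the api-server, this ServiceMonitor needs a matching `basicAuth:` block referencing a Secret or the scrape fails. Either way a one-line comment above `endpoints:`, `# /metrics is served without auth; only in-cluster scrapers can reach the ClusterIP`, records the decision. The StatefulSet in this commit also sets `prometheus.io/scrape: "true"` pod annotations, which duplicates this ServiceMonitor; one discovery mechanism is enough.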
@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: dependency-track-api-server
+ namespace: dependency-track
+ labels:
+ helm.sh/chart: dependency-track-0.44.0
+ app.kubernetes.io/part-of: dependency-track
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-api-server
+ app.kubernetes.io/component: api-server
+ app.kubernetes.io/version: 4.14.1
+spec:
+ serviceName: dependency-track-api-server
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-api-server
+ app.kubernetes.io/component: api-server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: dependency-track
+ app.kubernetes.io/name: dependency-track-api-server
+ app.kubernetes.io/component: api-server
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: /metrics
+ spec:
+ enableServiceLinks: true
+ initContainers:
+ serviceAccount: dependency-track
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: dependency-track-api-server
+ image: docker.io/dependencytrack/apiserver:4.14.1@sha256:2d8813e1ba4ada4aa23087d908c1b5a3ffce39261ead5555c397a1d67c7cbe9d
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ resources:
+ limits: {}
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ env:
+ - name: ALPINE_METRICS_ENABLED
+ value: "true"
+ - name: ALPINE_SECRET_KEY_PATH
+ value: "/var/run/secrets/secret.key"
+ - name: ALPINE_DATABASE_MODE
+ value: external
+ - name: ALPINE_DATABASE_MODE
+ value: org.postgresql.Driver
+ - name: ALPINE_DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ key: jdbc-uri
+ name: dependency-track-postgresql-18-cluster-app
+ - name: ALPINE_DATABASE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: dependency-track-postgresql-18-cluster-app
+ - name: ALPINE_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: dependency-track-postgresql-18-cluster-app
+ - name: ALPINE_OIDC_ENABLED
+ value: "true"
+ - name: ALPINE_OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: client
+ name: dependency-track-oidc-secret
+ - name: ALPINE_OIDC_ISSUER
+ value: https://authentik.alexlebens.net/application/o/dependency-track/
+ - name: ALPINE_OIDC_USERNAME_CLAIM
+ value: preferred_username
+ - name: ALPINE_OIDC_TEAMS_CLAIM
+ value: groups
+ - name: ALPINE_OIDC_USER_PROVISIONING
+ value: "true"
+ - name: ALPINE_OIDC_TEAM_SYNCHRONIZATION
+ value: "true"
+ - name: ALPINE_CORS_ENABLED
+ value: "true"
+ - name: ALPINE_CORS_ALLOW_ORIGIN
+ value: dependency-track.alexlebens.net, dependency-track.dependency-track
+ ports:
+ - name: web
+ containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: tmp
+ mountPath: /tmp
+ - name: secret-key
+ subPath: secret.key
+ mountPath: /var/run/secrets/secret.key
+ readOnly: true
+ startupProbe:
+ httpGet:
+ scheme: HTTP
+ port: web
+ path: /health/started
+ failureThreshold: 30
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ port: web
+ path: /health/live
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ scheme: HTTP
+ port: web
+ path: /health/ready
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: secret-key
+ secret:
+ secretName: dependency-track-key-secret
+ volumeClaimTemplates:
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: data
+ spec:
+ storageClassName: ceph-block
+ resources:
+ requests:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
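Review bot: The container's `env` list declares `ALPINE_DATABASE_MODE` twice, first as `external` and then as `org.postgresql.Driver`; Kubernetes does not reject duplicate env names and in practice the last entry wins, so the api-server starts with the mode set to a driver class name and no driver setting at all. The second entry is clearly meant to be `- name: ALPINE_DATABASE_DRIVER`. `ALPINE_CORS_ALLOW_ORIGIN` is set to `dependency-track.alexlebens.net, dependency-track.dependency-track`, a comma-separated pair of bare hostnames; a browser's `Origin` header carries a scheme and `Access-Control-Allow-Origin` takes a single origin or `*`, so unless Dependency-Track does its own list matching this value will not match the UI's origin — worth verifying against a real request from the frontend before relying on it. `initContainers:` with no value parses as null; drop the key or write `initContainers: []` so yamllint's `empty-values` check stays quiet.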
diff --git a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml
index 63f2c54a3..b4738279f 100644
--- a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml
+++ b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml
@@ -258,6 +258,15 @@ data:
 interval: 30s
 name: komodo
 url: https://komodo.alexlebens.net
+ - alerts:
+ - type: ntfy
+ conditions:
+ - '[STATUS] == 200'
+ - '[CERTIFICATE_EXPIRATION] > 240h'
+ group: core
+ interval: 30s
+ name: dependency-track
+ url: https://dependency-track.alexlebens.net
 - alerts:
 - type: ntfy
 conditions:
diff --git a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml
index 71e0bc8c0..8302783b5 100644
--- a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml
+++ b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml
@@ -26,7 +26,7 @@ spec:
 app.kubernetes.io/name: gatus
 app.kubernetes.io/instance: gatus
 annotations:
- checksum/config: 2045c35bfe77e066a567e99d66cb332dbc1aa9d4e4f6e281f601c552fc4ff610
+ checksum/config: 667f13a53f34681b73f9a8569420de0df4eac58383afa7ac49c2ebc375cd0e75
 spec:
 serviceAccountName: default
 automountServiceAccountToken: false
diff --git a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml
index 4b0aef8f6..579fec0de 100644
--- a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml
+++ b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml
@@ -305,6 +305,12 @@ data:
 secret: {{HOMEPAGE_VAR_KOMODO_API_SECRET}}
 showStacks: true
 fields: ["running", "down", "unhealthy", "unknown"]
+ - Vulnerability Scanning:
+ icon: https://avatars.githubusercontent.com/u/40258585
+ description: Dependency Track
+ href: https://dependency-track.alexlebens.net
+ siteMonitor: http://dependency-track.dependency-track:8080
+ statusStyle: dot
 - Uptime:
 icon: sh-gatus.webp
 description: Gatus
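Review bot: `siteMonitor: http://dependency-track.dependency-track:8080` in the homepage ConfigMap hunk addresses a Service named `dependency-track`, but the Services this commit adds are `dependency-track-api-server` and `dependency-track-frontend`; unless a Service with the bare name is defined in a part of the change I cannot see, the status dot will report the app as unreachable. The same `dependency-track.dependency-track` host is listed in the api-server's `ALPINE_CORS_ALLOW_ORIGIN`, so the two should be checked together. If the frontend is the intended target, `siteMonitor: http://dependency-track-frontend.dependency-track:8080` matches the Service defined earlier in this diff.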
diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml
index a8b704160..ed24d7020 100644
--- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml
+++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml
@@ -24,7 +24,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/configMaps: 999305e7f650087ece5d8de0c833358d7d79df46281ad88535b3b48e2ca3784e
+ checksum/configMaps: de293f4303496054a6fe30f28e03d5aa7112db7f0804945a0bebf6df226b029e
 checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378
 labels:
 app.kubernetes.io/controller: main