diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..5140c35
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,3 @@
+TODO:
+* Set location provisioner path permissions
+* Limit postgres connections in reconciler
\ No newline at end of file
diff --git a/charts/monitoring/Chart.yaml b/charts/monitoring/Chart.yaml
new file mode 100644
index 0000000..9683fee
--- /dev/null
+++ b/charts/monitoring/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: monitoring
diff --git a/charts/monitoring/templates/falco.yaml b/charts/monitoring/templates/falco.yaml
new file mode 100644
index 0000000..0175dd8
--- /dev/null
+++ b/charts/monitoring/templates/falco.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: '{{ .Release.Name }}-falco'
+spec:
+ interval: 1h
+ url: https://falcosecurity.github.io/charts
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: '{{ .Release.Name }}-falco'
+spec:
+ chart:
+ spec:
+ chart: falco
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: HelmRepository
+ name: '{{ .Release.Name }}-falco'
+ namespace: '{{ .Release.Namespace }}'
+ interval: 1h
+ values: {}
diff --git a/charts/monitoring/templates/kube-prometheus-stack.yaml b/charts/monitoring/templates/kube-prometheus-stack.yaml
new file mode 100644
index 0000000..9c6267d
--- /dev/null
+++ b/charts/monitoring/templates/kube-prometheus-stack.yaml
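Review bot: None of the HelmRelease objects pins a chart version: `reconcileStrategy: ChartVersion` is set under `chart.spec` but there is no `version` field, so Flux resolves the newest chart in the upstream repository on every 1h interval and a new (or compromised) upstream release rolls into the cluster without review. The same applies to the kube-prometheus-stack, kyverno, loki and trivy-operator releases in the following hunks. Pin each one with a semver constraint such as `version: '<pinned-chart-version>'` (placeholder) next to `chart: falco`, and bump it deliberately. `values: {}` also means falco runs entirely on chart defaults, which should be a stated decision rather than an omission.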
@@ -0,0 +1,51 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: '{{ .Release.Name }}-prometheus-community'
+spec:
+ interval: 1h
+ url: https://prometheus-community.github.io/helm-charts/
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: '{{ .Release.Name }}-prometheus-community'
+spec:
+ chart:
+ spec:
+ chart: kube-prometheus-stack
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: HelmRepository
+ name: '{{ .Release.Name }}-prometheus-community'
+ namespace: '{{ .Release.Namespace }}'
+ interval: 1h
+ values: {}
+
+---
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+ name: '{{ .Release.Name }}-prometheus-community'
+spec:
+ environment: '{{ .Values.globals.environment }}'
+ subdomain: '{{ .Values.graphana.subdomain }}'
+ destination:
+ host: '{{ .Release.Name }}-prometheus-community-grafana.{{ .Release.Namespace }}.svc.cluster.local'
+ port:
+ number: 80
+
+---
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+ name: '{{ .Release.Name }}-prometheus-community-alertmanager'
+spec:
+ environment: '{{ .Values.globals.environment }}'
+ subdomain: '{{ .Values.graphana.subdomain }}'
+ destination:
+ host: '{{ .Release.Name }}-prometheus-community-alertmanager.{{ .Release.Namespace }}.svc.cluster.local'
+ port:
+ number: 9093
diff --git a/charts/monitoring/templates/kyverno.yaml b/charts/monitoring/templates/kyverno.yaml
new file mode 100644
index 0000000..8845eb5
--- /dev/null
+++ b/charts/monitoring/templates/kyverno.yaml
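Review bot: The second HttpService reuses `subdomain: '{{ .Values.graphana.subdomain }}'`, so Grafana and Alertmanager both claim the same subdomain and whichever object the HttpService controller applies last wins; Alertmanager needs its own key, e.g. `subdomain: '{{ .Values.alertmanager.subdomain }}'` with a matching entry in values.yaml. Exposing Alertmanager at all deserves a second look: it has no authentication of its own, so unless HttpService places an auth layer in front, anyone who can reach that subdomain can read alerts and create silences. Grafana is likewise deployed with `values: {}`, which leaves the chart's default `grafana.adminPassword` in place on an externally reachable UI — set it from a secret before this is applied to `prod`. The `graphana` values key is also misspelled; renaming it to `grafana` now is cheaper than later.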
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: '{{ .Release.Name }}-kyverno'
+spec:
+ interval: 1h
+ url: https://kyverno.github.io/kyverno/
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: '{{ .Release.Name }}-kyverno'
+spec:
+ chart:
+ spec:
+ chart: kyverno
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: HelmRepository
+ name: '{{ .Release.Name }}-kyverno'
+ namespace: '{{ .Release.Namespace }}'
+ interval: 1h
+ values: {}
diff --git a/charts/monitoring/templates/loki.yaml b/charts/monitoring/templates/loki.yaml
new file mode 100644
index 0000000..dca4f82
--- /dev/null
+++ b/charts/monitoring/templates/loki.yaml
@@ -0,0 +1,121 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: '{{ .Release.Name }}-loki'
+spec:
+ interval: 1h
+ url: https://grafana.github.io/helm-charts
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: '{{ .Release.Name }}-loki'
+spec:
+ chart:
+ spec:
+ chart: loki
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: HelmRepository
+ name: '{{ .Release.Name }}-loki'
+ namespace: '{{ .Release.Namespace }}'
+ interval: 1h
+ values:
+ deploymentMode: SingleBinary
+ loki:
+ auth_enabled: false
+ server:
+ http_listen_port: 3100
+
+ memberlist:
+ join_members:
+ - loki-memberlist
+
+ schemaConfig:
+ configs:
+ - from: 2020-05-15
+ store: tsdb
+ object_store: filesystem
+ schema: v13
+ index:
+ prefix: index_
+ period: 24h
+
+ storage:
+ type: filesystem
+
+ storage_config:
+ filesystem:
+ directory: /loki/chunks
+
+ limits_config:
+ reject_old_samples: true
+ reject_old_samples_max_age: 168h
+ max_cache_freshness_per_query: 10m
+ split_queries_by_interval: 15m
+ volume_enabled: true
+
+ common:
+ path_prefix: /loki
+ storage:
+ filesystem:
+ chunks_directory: /loki/chunks
+ rules_directory: /loki/rules
+ replication_factor: 1
+ ring:
+ instance_addr: 127.0.0.1
+ kvstore:
+ store: inmemory
+
+ # Enable persistent storage
+ singleBinary:
+ persistence:
+ enabled: true
+ size: 10Gi
+ storageClass: '{{ .Values.globals.environment }}' # Uses default storage class
+ extraVolumeMounts:
+ - name: storage
+ mountPath: /loki
+
+ backend:
+ replicas: 0
+ read:
+ replicas: 0
+ write:
+ replicas: 0
+
+ ingester:
+ replicas: 0
+ querier:
+ replicas: 0
+ queryFrontend:
+ replicas: 0
+ queryScheduler:
+ replicas: 0
+ distributor:
+ replicas: 0
+ compactor:
+ replicas: 0
+ indexGateway:
+ replicas: 0
+ bloomCompactor:
+ replicas: 0
+ bloomGateway:
+ replicas: 0
+ promtail:
+ enabled: true
+ config:
+ snippets:
+ extraScrapeConfigs: |
+ - job_name: kubernetes-pods
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: ["__meta_kubernetes_pod_container_name"]
+ target_label: "container"
+ - source_labels: ["__meta_kubernetes_pod_name"]
+ target_label: "pod"
+ - source_labels: ["__meta_kubernetes_pod_namespace"]
+ target_label: "namespace"
diff --git a/charts/monitoring/templates/trivy.yaml b/charts/monitoring/templates/trivy.yaml
new file mode 100644
index 0000000..e7cfa89
--- /dev/null
+++ b/charts/monitoring/templates/trivy.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: '{{ .Release.Name }}-aqua'
+spec:
+ interval: 1h
+ url: https://aquasecurity.github.io/helm-charts/
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: '{{ .Release.Name }}-aqua'
+spec:
+ chart:
+ spec:
+ chart: trivy-operator
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ apiVersion: source.toolkit.fluxcd.io/v1
+ kind: HelmRepository
+ name: '{{ .Release.Name }}-aqua'
+ namespace: '{{ .Release.Namespace }}'
+ interval: 1h
+ values: {}
diff --git a/charts/monitoring/values.yaml b/charts/monitoring/values.yaml
new file mode 100644
index 0000000..2f5a6c0
--- /dev/null
+++ b/charts/monitoring/values.yaml
@@ -0,0 +1,4 @@
+globals:
+ environment: prod
+graphana:
+ subdomain: grafana
\ No newline at end of file
diff --git a/src/resources/homelab/postgres-database/postgres-database.ts b/src/resources/homelab/postgres-database/postgres-database.ts
index eb1f005..62d677e 100644
--- a/src/resources/homelab/postgres-database/postgres-database.ts
+++ b/src/resources/homelab/postgres-database/postgres-database.ts
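Review bot: `storageClass: '{{ .Values.globals.environment }}'` renders to the environment name (`prod` per values.yaml), which is not a StorageClass, while the trailing comment claims the default class is used; unless a class with that name happens to exist the PVC will most likely stay Pending and the single-binary pod never schedules. Either drop the `storageClass` line so the cluster default applies, or bind it to a dedicated value such as `storageClass: '{{ .Values.loki.storageClass }}'`. With `auth_enabled: false` and `http_listen_port: 3100`, anything in the cluster that can reach the Loki service can push and query logs without credentials, so a NetworkPolicy limiting ingress to promtail and Grafana belongs alongside this. Pinning the chart `version` is covered in the falco note.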
@@ -124,19 +124,23 @@ class PostgresDatabase extends CustomResource {
 user: clusterSecret.user,
 password: clusterSecret.password,
 });
- const connectionError = await database.ping();
- if (connectionError) {
- console.error('Failed to connect', connectionError);
- throw new NotReadyError('FailedToConnectToDatabase');
+ try {
+ const connectionError = await database.ping();
+ if (connectionError) {
+ console.error('Failed to connect', connectionError);
+ throw new NotReadyError('FailedToConnectToDatabase');
+ }
+ await database.upsertRole({
+ name: secret.user,
+ password: secret.password,
+ });
+ await database.upsertDatabase({
+ name: secret.database,
+ owner: secret.user,
+ });
+ } finally {
+ await database.close();
+ }
- await database.upsertRole({
- name: secret.user,
- password: secret.password,
- });
- await database.upsertDatabase({
- name: secret.database,
- owner: secret.user,
- });
 };
 }
diff --git a/src/services/postgres/postgres.instance.ts b/src/services/postgres/postgres.instance.ts
index ad6855c..8215a7c 100644
--- a/src/services/postgres/postgres.instance.ts
+++ b/src/services/postgres/postgres.instance.ts
@@ -60,6 +60,10 @@ class PostgresInstance {
 await this.#db.raw(`ALTER DATABASE "${name}" OWNER TO "${owner}"`);
 }
 };
+
+ public close = async () => {
+ await this.#db.destroy();
+ };
 }
 export { PostgresInstance, type PostgresInstanceOptions };
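Review bot: If `database.close()` rejects inside the new `finally`, its error replaces whatever the `try` block threw, so the `NotReadyError('FailedToConnectToDatabase')` raised by a failed ping would reach the reconciler as an unrelated close failure and lose its not-ready semantics; log and swallow the close error instead: `} finally { await database.close().catch((e: unknown) => console.error('Failed to close database connection', e)); }`. The enclosing arrow function starts outside the hunk. Closing on every reconcile also means a fresh pool is created per run, which is presumably what the TODO entry "Limit postgres connections in reconciler" refers to — worth confirming this is the intended shape rather than a stopgap.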
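Review bot: `close` carries no documentation and nothing prevents the instance from being used after it: `#db.destroy()` tears the pool down, so a later `upsertDatabase` call on the same object fails with a driver error, and a second `close()` is at best a no-op depending on the driver. Add a TSDoc header: `/** Tears down the connection pool; the instance must not be used afterwards and callers should invoke this exactly once (e.g. from a finally block). */`. If reuse after close is not intended, a `#closed` flag that makes the other methods throw a clear error would replace a confusing driver error with an explicit one — inferred, since only this method is visible in the hunk.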