Morten Olsen
ff06613e99 updates 2025-09-05 11:22:58 +02:00
10 changed files with 277 additions and 12 deletions

TODO.md Normal file

@@ -0,0 +1,3 @@
TODO:
* Set location provisioner path permissions
* Limit postgres connections in reconciler


@@ -0,0 +1,3 @@
apiVersion: v2
version: 1.0.0
name: monitoring


@@ -0,0 +1,25 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: '{{ .Release.Name }}-falco'
spec:
interval: 1h
url: https://falcosecurity.github.io/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: '{{ .Release.Name }}-falco'
spec:
chart:
spec:
chart: falco
reconcileStrategy: ChartVersion
sourceRef:
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
name: '{{ .Release.Name }}-falco'
namespace: '{{ .Release.Namespace }}'
interval: 1h
values: {}
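Review bot: The HelmRelease `spec.chart.spec` has no `version`, so Flux resolves the latest falco chart from the HelmRepository, and with `reconcileStrategy: ChartVersion` every new chart publication is rolled out automatically to this environment (the values file in this commit sets `environment: prod`). Pin it, e.g. `version: '<pinned chart version>'` under `chart: falco`, or at least a semver range that excludes major bumps, so upgrades are reviewed rather than pulled in unattended. The same omission is in the prometheus-community, kyverno, loki and aqua/trivy-operator HelmRelease sections below.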


@@ -0,0 +1,51 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: '{{ .Release.Name }}-prometheus-community'
spec:
interval: 1h
url: https://prometheus-community.github.io/helm-charts/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: '{{ .Release.Name }}-prometheus-community'
spec:
chart:
spec:
chart: kube-prometheus-stack
reconcileStrategy: ChartVersion
sourceRef:
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
name: '{{ .Release.Name }}-prometheus-community'
namespace: '{{ .Release.Namespace }}'
interval: 1h
values: {}
---
apiVersion: homelab.mortenolsen.pro/v1
kind: HttpService
metadata:
name: '{{ .Release.Name }}-prometheus-community'
spec:
environment: '{{ .Values.globals.environment }}'
subdomain: '{{ .Values.graphana.subdomain }}'
destination:
host: '{{ .Release.Name }}-prometheus-community-grafana.{{ .Release.Namespace }}.svc.cluster.local'
port:
number: 80
---
apiVersion: homelab.mortenolsen.pro/v1
kind: HttpService
metadata:
name: '{{ .Release.Name }}-prometheus-community-alertmanager'
spec:
environment: '{{ .Values.globals.environment }}'
subdomain: '{{ .Values.graphana.subdomain }}'
destination:
host: '{{ .Release.Name }}-prometheus-community-alertmanager.{{ .Release.Namespace }}.svc.cluster.local'
port:
number: 9093
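Review bot: The alertmanager HttpService reuses `subdomain: '{{ .Values.graphana.subdomain }}'`, so the two HttpService objects in this file claim the same subdomain for different destinations; give it its own value, e.g. `subdomain: '{{ .Values.alertmanager.subdomain }}'`, with a matching key in the values file. Separately, Alertmanager ships without authentication, so publishing it on a hostname means anyone who can reach that host can silence or create alerts unless HttpService adds auth upstream (not visible here); consider keeping it cluster-internal. Likewise `values: {}` on the kube-prometheus-stack release leaves Grafana at its chart-default admin credentials, which should be replaced (`grafana.adminPassword` or `grafana.admin.existingSecret`) before the Grafana HttpService goes live.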


@@ -0,0 +1,25 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: '{{ .Release.Name }}-kyverno'
spec:
interval: 1h
url: https://kyverno.github.io/kyverno/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: '{{ .Release.Name }}-kyverno'
spec:
chart:
spec:
chart: kyverno
reconcileStrategy: ChartVersion
sourceRef:
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
name: '{{ .Release.Name }}-kyverno'
namespace: '{{ .Release.Namespace }}'
interval: 1h
values: {}


@@ -0,0 +1,121 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: '{{ .Release.Name }}-loki'
spec:
interval: 1h
url: https://grafana.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: '{{ .Release.Name }}-loki'
spec:
chart:
spec:
chart: loki
reconcileStrategy: ChartVersion
sourceRef:
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
name: '{{ .Release.Name }}-loki'
namespace: '{{ .Release.Namespace }}'
interval: 1h
values:
deploymentMode: SingleBinary
loki:
auth_enabled: false
server:
http_listen_port: 3100
memberlist:
join_members:
- loki-memberlist
schemaConfig:
configs:
- from: 2020-05-15
store: tsdb
object_store: filesystem
schema: v13
index:
prefix: index_
period: 24h
storage:
type: filesystem
storage_config:
filesystem:
directory: /loki/chunks
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
max_cache_freshness_per_query: 10m
split_queries_by_interval: 15m
volume_enabled: true
common:
path_prefix: /loki
storage:
filesystem:
chunks_directory: /loki/chunks
rules_directory: /loki/rules
replication_factor: 1
ring:
instance_addr: 127.0.0.1
kvstore:
store: inmemory
# Enable persistent storage
singleBinary:
persistence:
enabled: true
size: 10Gi
storageClass: '{{ .Values.globals.environment }}' # Uses default storage class
extraVolumeMounts:
- name: storage
mountPath: /loki
backend:
replicas: 0
read:
replicas: 0
write:
replicas: 0
ingester:
replicas: 0
querier:
replicas: 0
queryFrontend:
replicas: 0
queryScheduler:
replicas: 0
distributor:
replicas: 0
compactor:
replicas: 0
indexGateway:
replicas: 0
bloomCompactor:
replicas: 0
bloomGateway:
replicas: 0
promtail:
enabled: true
config:
snippets:
extraScrapeConfigs: |
- job_name: kubernetes-pods
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: ["__meta_kubernetes_pod_container_name"]
target_label: "container"
- source_labels: ["__meta_kubernetes_pod_name"]
target_label: "pod"
- source_labels: ["__meta_kubernetes_pod_namespace"]
target_label: "namespace"
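Review bot: `storageClass: '{{ .Values.globals.environment }}'` renders to `prod`, which requests a StorageClass literally named `prod`, while the trailing comment says `# Uses default storage class`; if the default class is intended, drop the key (or set `storageClass: ''`), otherwise correct the comment so the two agree. `auth_enabled: false` turns off Loki's tenant authentication, so any pod that can reach port 3100 can read or push logs; that is common for a single-tenant setup but is worth a NetworkPolicy restricting ingress to promtail and Grafana. `join_members: - loki-memberlist` hardcodes a service name that may not match a release named `{{ .Release.Name }}-loki`, though with `kvstore.store: inmemory` it is probably unused — confirm or remove.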


@@ -0,0 +1,25 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: '{{ .Release.Name }}-aqua'
spec:
interval: 1h
url: https://aquasecurity.github.io/helm-charts/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: '{{ .Release.Name }}-aqua'
spec:
chart:
spec:
chart: trivy-operator
reconcileStrategy: ChartVersion
sourceRef:
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
name: '{{ .Release.Name }}-aqua'
namespace: '{{ .Release.Namespace }}'
interval: 1h
values: {}


@@ -0,0 +1,4 @@
globals:
environment: prod
graphana:
subdomain: grafana


@@ -124,19 +124,23 @@ class PostgresDatabase extends CustomResource<typeof specSchema> {
user: clusterSecret.user, user: clusterSecret.user,
password: clusterSecret.password, password: clusterSecret.password,
}); });
const connectionError = await database.ping(); try {
if (connectionError) { const connectionError = await database.ping();
console.error('Failed to connect', connectionError); if (connectionError) {
throw new NotReadyError('FailedToConnectToDatabase'); console.error('Failed to connect', connectionError);
throw new NotReadyError('FailedToConnectToDatabase');
}
await database.upsertRole({
name: secret.user,
password: secret.password,
});
await database.upsertDatabase({
name: secret.database,
owner: secret.user,
});
} finally {
await database.close();
} }
await database.upsertRole({
name: secret.user,
password: secret.password,
});
await database.upsertDatabase({
name: secret.database,
owner: secret.user,
});
}; };
} }
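Review bot: `await database.close()` in the new `finally` can itself reject, and a rejection there replaces whatever was thrown in the `try`, so a `NotReadyError('FailedToConnectToDatabase')` would surface to the reconciler as a generic close failure. Since the connection is being torn down anyway, log and swallow the close error so the original outcome is preserved: `await database.close().catch((err) => console.error('Failed to close database connection', err));`. The enclosing method begins before this hunk.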


@@ -60,6 +60,10 @@ class PostgresInstance {
await this.#db.raw(`ALTER DATABASE "${name}" OWNER TO "${owner}"`); await this.#db.raw(`ALTER DATABASE "${name}" OWNER TO "${owner}"`);
} }
}; };
public close = async () => {
await this.#db.destroy();
};
} }
export { PostgresInstance, type PostgresInstanceOptions }; export { PostgresInstance, type PostgresInstanceOptions };
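Review bot: The added `close` is fine, but the context line directly above it interpolates `name` and `owner` into `ALTER DATABASE "${name}" OWNER TO "${owner}"`; the double quotes delimit the identifier but nothing escapes a `"` inside the value, so a database or role name from the CR spec that contains one breaks out of the identifier. Unless `specSchema` (not visible here) already restricts these to a safe pattern, escape before interpolating, e.g. `const quoteIdent = (s: string) => '"' + s.replace(/"/g, '""') + '"';`, and apply it to both identifiers. The class and `upsertDatabase` start outside this hunk.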