diff --git a/lma/base/resources.yaml b/lma/base/resources.yaml
index 80b2e86..4e827b3 100644
--- a/lma/base/resources.yaml
+++ b/lma/base/resources.yaml
@@ -748,7 +748,7 @@ spec:
 type: helmrepo
 repository: https://harbor.taco-cat.xyz/chartrepo/tks
 name: lma-addons
- version: 1.8.7
+ version: 1.9.0
 origin: https://openinfradev.github.io/helm-repo
 releaseName: addons
 targetNamespace: lma
@@ -762,6 +762,9 @@ spec:
 loki:
 enabled: true
 url: "loki-loki-distributed-gateway.lma"
+ lokiuser:
+ enabled: true
+ url: "loki-user-loki-distributed-gateway.lma"
 grafanaDashboard:
 include:
 - kubernetes
@@ -1225,6 +1228,85 @@ spec:
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
+metadata:
+ labels:
+ name: loki-user
+ name: loki-user
+spec:
+ helmVersion: v3
+ chart:
+ type: helmrepo
+ repository: https://harbor.taco-cat.xyz/chartrepo/tks
+ name: loki-distributed
+ version: 0.58.0
+ origin: https://grafana.github.io/helm-charts
+ releaseName: loki-user
+ targetNamespace: lma
+ values:
+ global:
+ clusterDomain: cluster.local # TO_BE_FIXED
+ dnsService: coredns
+ loki:
+ image:
+ registry: harbor.taco-cat.xyz
+ repository: tks/loki
+ tag: null
+ schemaConfig:
+ configs:
+ - from: "2020-09-07"
+ store: boltdb-shipper
+ object_store: s3
+ schema: v11
+ index:
+ prefix: loki_index_
+ period: 24h
+ storageConfig:
+ boltdb_shipper:
+ active_index_directory: /var/loki/index
+ cache_location: /var/loki/cache
+ cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
+ shared_store: s3
+ aws:
+ s3: TO_BE_FIXED
+ bucketnames: tks-loki-user
+ s3forcepathstyle: true
+ structuredConfig:
+ limits_config:
+ ingestion_rate_mb: 25
+ ingestion_burst_size_mb: 50
+ max_streams_per_user: 0
+ max_global_streams_per_user: 0
+ table_manager:
+ retention_deletes_enabled: true
+ retention_period: TO_BE_FIXED
+ serviceMonitor.enabled: true
+ prometheusRule.enabled: true
+ ingester:
+ resources:
+ limits:
+ cpu: '4'
+ memory: 4Gi
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ persistence:
+ enabled: true
+ inMemory: false
+ size: 100Gi
+ memcachedExporter.enabled: true
+ gateway:
+ image:
+ registry: harbor.taco-cat.xyz
+ repository: tks/nginx-unprivileged
+
+ nginxConfig:
+ httpSnippet: |- client_max_body_size 50M;
+ serverSnippet: |- client_max_body_size 50M;
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
 metadata:
 labels:
 name: lma-bucket
diff --git a/lma/base/site-values.yaml b/lma/base/site-values.yaml
index b9519e4..ee08b35 100644
--- a/lma/base/site-values.yaml
+++ b/lma/base/site-values.yaml
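Review bot: `max_streams_per_user: 0` and `max_global_streams_per_user: 0` in the new `limits_config` disable the per-tenant stream caps (0 means unlimited for these Loki limits), so a single label-exploding user workload can push the ingester into its 4Gi memory limit and take the instance down for every user; keep a finite cap such as `max_global_streams_per_user: 10000` alongside the rate limits. Nothing in this hunk sets `auth_enabled`, so unless it is overridden elsewhere this "user" Loki runs single-tenant behind an unauthenticated gateway with no per-user isolation — add a comment under `loki:` stating whether that is intended. The dotted keys `serviceMonitor.enabled: true`, `prometheusRule.enabled: true` and `memcachedExporter.enabled: true` are literal YAML keys inside a nested values map; Helm only expands dots in `--set` paths, so unless the tooling that renders this HelmRelease flattens them they are silently ignored — if the sibling `loki` release uses the same form and its monitors exist, disregard this.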
@@ -22,6 +22,8 @@ global:
 lokiHost: loki-loki-distributed-gateway
 lokiPort: 80
+ lokiuserHost: loki-user-loki-distributed-gateway
+ lokiuserPort: 80
 grafanaDatasourceMetric: lma-prometheus.lma:9090
 charts:
@@ -147,6 +149,7 @@ charts:
 grafanaDatasource.prometheus.url: $(grafanaDatasourceMetric)
 # grafanaDatasource.prometheus.url: "thanos-query.lma:9090"
 grafanaDatasource.loki.url: $(lokiHost):$(lokiPort)
+ grafanaDatasource.lokiuser.url: $(lokiuserHost):$(lokiuserPort)
 - name: prometheus-adapter
 override:
@@ -173,11 +176,18 @@ charts:
 purge: false
 versioning: true
 objectlocking: false
+ - name: loki-user
+ policy: public
+ purge: false
+ versioning: true
+ objectlocking: false
 customCommands:
 - command: ilm rule add --expire-days 90 myminio/tks-thanos
 - command: ilm rule add --expire-days 15 myminio/tks-loki
+ - command: ilm rule add --expire-days 15 myminio/tks-loki-user
 - command: ilm ls myminio/tks-thanos
 - command: ilm ls myminio/tks-loki
+ - command: ilm ls myminio/tks-loki-user
 persistence.storageClass: $(storageClassName)
 persistence.accessMode: ReadWriteOnce
 persistence.size: 20Gi
@@ -260,10 +270,16 @@ charts:
 loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
 loki.structuredConfig.table_manager.retention_period: 672h # delete logs after 672h = 28 days
+- name: loki-user
+ override:
+ loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
+ loki.structuredConfig.table_manager.retention_period: 72h # delete logs after 72h = 3 days
+
 - name: lma-bucket
 override:
 s3.enabled: true
 s3.buckets:
 - name: $(clusterName)-tks-thanos
 - name: $(clusterName)-tks-loki
+ - name: $(clusterName)-tks-loki-user
 # tks.iamRoles: arn:aws:iam::12345678:role/control-plane.cluster-api-provider-aws.sigs.k8s.io
diff --git a/policy/base/resources.yaml b/policy/base/resources.yaml
index 735dbdf..f818861 100644
--- a/policy/base/resources.yaml
+++ b/policy/base/resources.yaml
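Review bot: The new `loki-user` bucket is created with `policy: public`, which in the MinIO chart's `buckets` list maps to an anonymous read/write bucket policy, so the user-log chunks are readable (and writable) by anything that can reach `minio.lma.svc:9000` without credentials. Loki authenticates to MinIO with `$(defaultUser)`/`$(defaultPassword)` anyway, so the bucket does not need anonymous access: `policy: none` is sufficient. The setting appears to be copied from the sibling buckets whose `policy` lines sit above this hunk; if those are deliberately public, document why in a comment, otherwise tighten them in the same change.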
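Review bot: The new `loki.storageConfig.aws.s3` override embeds `$(defaultUser):$(defaultPassword)` in a plain `http://` URL, so the MinIO root credentials are materialised in the rendered Loki config and in GitOps history and travel unencrypted in-cluster; this mirrors the existing `loki` entry, but it doubles the number of places the root secret lands. Prefer a dedicated MinIO user scoped to the `tks-loki-user` bucket, and if the chart exposes it, inject its keys via `access_key_id`/`secret_access_key` with `-config.expand-env=true` from a Secret rather than URL userinfo. Also note next to `retention_period: 72h` that it must stay below the 15-day ILM expiry set for `myminio/tks-loki-user` in the minio chart, otherwise MinIO removes chunks Loki still indexes.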
@@ -35,4 +35,32 @@ spec:
 helmVersion: v3
 releaseName: policy-resources
 targetNamespace: gatekeeper-system
- values: {}
\ No newline at end of file
+ values: {}
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+ labels:
+ name: ratify
+ name: ratify
+spec:
+ chart:
+ type: helmrepo
+ repository: https://harbor.taco-cat.xyz/chartrepo/tks
+ name: ratify
+ version: 1.13.0
+ origin: https://github.com/ratify-project/ratify/tree/v1.2.0/charts/ratify
+ helmVersion: v3
+ releaseName: ratify
+ targetNamespace: gatekeeper-system
+ values:
+ oras:
+ useHttp: true
+ provider:
+ tls:
+ skipVerify: true
+ featureFlags:
+ RATIFY_CERT_ROTATION: true
+ sbom:
+ enabled: true
+---
diff --git a/policy/base/site-values.yaml b/policy/base/site-values.yaml
index 8b181ee..8f4b2c8 100644
--- a/policy/base/site-values.yaml
+++ b/policy/base/site-values.yaml
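Review bot: `provider.tls.skipVerify: true` and `oras.useHttp: true` strip transport trust from the component that is supposed to enforce image trust: TLS verification on the Gatekeeper↔Ratify external-data channel is turned off (which end the chart applies it to I cannot confirm from here), and Ratify fetches signatures and SBOMs from the registry over plain HTTP, so anything that can reach or impersonate those endpoints in-cluster can hand Gatekeeper a "verified" verdict for an unsigned image. `RATIFY_CERT_ROTATION: true` exists precisely to provision and rotate the provider certificate, so leaving `skipVerify` at its default should work; `useHttp` should only be set if the Harbor registry really has no TLS, and then deserves a comment saying so. Suggested: `skipVerify: false  # cert issued by RATIFY_CERT_ROTATION` and `useHttp: false`.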
@@ -25,3 +25,36 @@ charts: enableDeleteOperations: true - name: policy-resources + +- name: ratify + override: + sbom: + disallowedLicenses: + - "GPL-2.0-only" + - "MPL" + disallowedPackages: + - name: "busybox" + version: "1.36.1-r28" + notationCerts: + # https://github.com/ratify-project/ratify/blob/dev/test/testdata/notation.crt + - |- + -----BEGIN CERTIFICATE----- + MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL + BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X + DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5 + MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A + MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8 + 3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4 + FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo + ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa + gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo + 3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci + EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE + ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL + BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt + BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ + hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF + 90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync + cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp + Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg= + -----END CERTIFICATE----- \ No newline at end of file diff --git a/tks-cluster/infra/aws/resources.yaml b/tks-cluster/infra/aws/resources.yaml index 6d550eb..39f2f44 100644 --- a/tks-cluster/infra/aws/resources.yaml +++ b/tks-cluster/infra/aws/resources.yaml 
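Review bot: The `notationCerts` trust store is populated with the upstream sample certificate from Ratify's test fixtures (subject `O=Ratify, CN=Ratify Sample`, linked in the comment above it), not with this organisation's signing certificate, so the signature policy proves nothing about who signed an image: any artifact signed with that sample key passes, and if its private key is published alongside the fixture, anyone can produce such signatures. Replace it with the CA or leaf certificate that actually signs the Harbor images, or keep the sample only behind an explicit marker such as `# TO_BE_FIXED: upstream sample cert for bring-up only - replace before enforcement`, matching how the rest of this repo flags placeholders.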
@@ -11,7 +11,7 @@ spec:
 type: helmrepo
 repository: https://harbor.taco-cat.xyz/chartrepo/tks
 name: cluster-api-aws
- version: 0.11.1
+ version: 0.11.2
 releaseName: cluster-api-aws
 targetNamespace: argo
 values:
@@ -19,7 +19,7 @@ spec:
 cluster:
 name: TO_BE_FIXED
 region: TO_BE_FIXED
- kubernetesVersion: v1.25.9
+ kubernetesVersion: v1.28.3
 podCidrBlocks:
 - 192.168.0.0/16
 bastion: