diff --git a/account/account-service.yaml b/account/account-service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8b80d728d3d533ff5088f8f2713f9cbe90d157b0
--- /dev/null
+++ b/account/account-service.yaml
@@ -0,0 +1,58 @@
+kind: HelmRelease
+metadata:
+ name: account-service
+ namespace: account
+spec:
+ chart:
+ name: account-service
+ values:
+ replicaCount: 2
+
+ image:
+ repository: eu.gcr.io/nynja-ci-201610/account/account-service
+ tag: master-4
+
+ gateway:
+ selector:
+ - api-gateway.default.svc.cluster.local
+ hosts:
+ - account.staging.nynja.net
+
+ resources:
+ limits:
+ cpu: 1
+ memory: 1500Mi
+ requests:
+ cpu: 500m
+ memory: 1000Mi
+
+ ports:
+ containerPort:
+ http: 8080
+ grpc: 6565
+
+ # CORS policy
+ corsPolicy:
+ allowOrigin:
+ - http://localhost:3000
+ - https://localhost
+ - https://localhost/grpc/
+ - http://10.191.224.180:3000
+ - https://localhost:8080
+ - https://127.0.0.1:8080
+ - https://web.dev-eu.nynja.net
+ - https://web.staging.nynja.net
+ - https://web.nynja.net
+ - http://10.191.38.1
+ - https://admin-console.dev-eu.nynja.net
+ allowMethods:
+ - POST
+ - GET
+ - OPTIONS
+ allowCredentials: false
+ allowHeaders:
+ - content-type
+ - x-grpc-web
+ - authorization
+ maxAge: "600s"
+
diff --git a/auth/auth-service.yaml b/auth/auth-service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9fc2ab7f72f0cbeb5bd2d8b05b15767655f29291
--- /dev/null
+++ b/auth/auth-service.yaml
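Review bot: The `corsPolicy.allowOrigin` list in account/account-service.yaml mixes the staging web origin with plaintext-HTTP private addresses (`http://10.191.224.180:3000`, `http://10.191.38.1`), several localhost variants, and the dev and production web origins, while `allowHeaders` admits `authorization`. Any page served from one of those origins can read responses from the staging account API using a bearer token it holds, and the HTTP entries have no transport integrity at all. auth/auth-service.yaml in the same commit allows only `https://web.staging.nynja.net`; unless the extra entries are a deliberate developer convenience, I would match that here and keep local-development origins in a separate dev-only values file. `https://localhost/grpc/` also carries a path, which is not part of an origin, so that entry presumably never matches.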
@@ -0,0 +1,104 @@ +kind: HelmRelease +metadata: + name: auth-service + namespace: auth +spec: + chart: + name: auth-service + values: + replicaCount: 2 + image: + repository: eu.gcr.io/nynja-ci-201610/auth/auth-service + tag: master-2 + gateway: + selector: + - api-gateway.default.svc.cluster.local + hosts: + - auth.staging.nynja.net + + resources: + limits: + cpu: 1 + memory: 1500Mi + requests: + cpu: 500m + memory: 1000Mi + + ports: + containerPort: + http: 8008 + grpc: 6566 + + # Amazon email server configuration. + amazon: + ses: + host: "email-smtp.us-west-2.amazonaws.com" + port: "587" + smtp: + password: "AgCfLEcpKyMwkQpjk6JHzkYM3SWUjd/jIsO40oF8Dj9xACLXHt/lsreW4ng3dwX5mYed4Z5lPOfPm1Fsy2gljyFAkjnaeo9HOSRkWzRN+wdTJNRKZeLqisuT4/32yBv6BgOrdzph1v0IJRmrvHNzpZp/FsHWRjYm9SNI1GRef1iKqP4k2uqIQ5H2+0mDeMYXZSyDkPtQyCtKKQGNTs00etC1V8ExQ6hT//3hFVvEEtQ54obH00kAPGY92mnH6VdYTLSAbuhdD7AXaD7JVpA2zUXU6rThg+dGywM6iXR3SDuflZuzyUgt1npPgxSzfFjUypaMB72jSTFBsgx3YY+RAe++ZWg76SW477lh8r09ig6AG0/JXeslx0ybM606Or21cFkHf5BeaWPotTOvKYYBSeq+B+V6Za1bYTsj/5cZbJU7UImwGOU5qb8z135W9oXaLRZQ4jxIX7/rRcALuyH1ZH9290XOfeGZJM0CAvQt4Xy2Z1/GNje3HrHaBOFARX6XT8wsJCpE0f510bbMM2ncNHAPCGmfigp1sM8zPHr1xRMn+o17jOGQM7Z9zozAu4GsCFJ2wogrAn03KpxnhWtejghxbQQ5QnKYUPw8VbYZ1UvM6sUH8a3sbV53MpZNrvd4yMWJ2jycYGQmjU9og6Da1dUr4Cnh3wMpLp/g/oaETnAkR1my5v1xnSKAmjqWnkiYmeC7MrINJA+NRsQpbDWU6IxxfguQZohd/FEQOZbcmEK+RQcFDUFdd2APu9yRiw==" + username: "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" + from: "noreply@nynja.net" + + # Telesign integration. 
+ telesign: + host: "rest-ww.telesign.com" + restEndpoint: "https://rest-ww.telesign.com/" + customerId: "AgCVtLlhx9E20FXjeFOiVVz/0VBh7yrKY5ieNBmm82HOKcSagCDzIqLy5cMCyoP58xaaD6IjvuVdXMso0/w6ccakxCQQVBN16nFCKasQw/QH71HC1glDCO19jM1UfM+RW7RR5m3Mhb75NpPnBv8hFeDBA6uI9J4UZq1asrdTOKOolQj3lWUmYHwtr6fSI9Pwn+9SdjXkNvXrKuG2AVac+PxT/lHJ7R0g4C0jGYcaOeKwFMpGG0LN8vqXoKLv0GAl2a8m/QS0ONUp6zmagJyUjB/wGG3D0N5R/bz5bsMtgYjJH2u9q+27rmYKfoiQhV76CFombtTEqIBGSnRiUN3F70OTImbG//rio25HImJ+FYAheR98mKXl2Mdb76LEqJHikNejW0z3OUgwAY44jyat0EYUNiUnLQ3mq9Q1YG1DiZvXrS19suX/8WraX3JKO/aMBVza919YStZ7y1OkTyf9xcA67YCEqQPzMEZMkBkzs2psxZvHQ58omKD2n50mL9bSC0LVgpjQkTbIotTINZ628UstgQaoej4V8LbT2EYanWZV1HLwAgK241QXWfsVnR+yu6EN+1az3gbOCsyvjTWJrkcqd4lmWhz+ghqiHENVgBagZlCb8iZTUjbEg3fPV9//XAeFIObNVe7J6Z7Smv7mNuOShpyL6ipoZQ5yM1WdVoxZySqQIaXgmQxkAG50b7A8R3/b14WmiwbWnNXCELgKPkET67wnXwyQqNKQ8NNYLJCJreWLGgU=" + apiKey: "AgA7S5hFhBc31y2PUROshw5nUDMksv7fKSvN1yToI2IojeYRxl1sRGTXVDxWWifXsPOvkQGdb32nR4Zms0ZIWbGqRjnJ/N5BQ2Vi/mVBAR+aFKs8ZYfzjK/7nNPJYgOuo9nqn2XeCYcABLuKPwmMZv2m1e6ZPnv88bJNym53+IdI5D3/LGM0WY/7S+S73TD2SDr5u4REgVaEbNVPnBnEddQ0sKAWjaQ9foQi9J7XfOxZiabN5HmiOf5a6JGUi9gk7sIk2LXglMTwsE3Iq31d42lCKG+wGoYDGoLxV95V7E8PhPB5i/qDAbcW+oRPSkaRebdu8hBv6nEqbS70k3hdOUWBDFSyxpOCVp9xTBRsgl2HwmI5nna66Mge74gRfspumWDgMQ14b6ERgHj20sdWuH4W93ura0wlxywgACWEiTPiZkor+YuI7SJNPE9/ezQltVRQoPVgenXVbjsJBe0obttPNmSiTS6Xa+vSnJfGm9XueyLCa+yaW8rZqpm6zFoai8kkXa40es1wl9Co1kC6a09ah3uE7uoVWNBLhteaBbYDRcB1jino9IZiFVK0I8kkjkxXOP0QCBwkCrSKj/1yDFGdgotNZpgY3dKWVXfP4QfViJkRYhzKGW4GoeLbTeDFVy/5+oGOl63XbfYlEz7vlNH4q/EhzE2oSYA/vmXic/Fb6Ek2SULVRdBBkvm9IXWf+C/trFjhqHvRbOzpRh++qdPOwlx/ILYEHX8DrMTf7kZxfihuYtUNaBjFWYneghkUy3eFyfahFgndVIs/YInhlwjTQ6rdD2wMnGa05227n3cfuvp5BRc7iE4p" + # Token validation + token: + ## Auth token validity in seconds. + auth: + expires: 300 + ## A new user can only request "max_count" of verify tokens/codes within next "request_timeslot" minutes. + verify: + # Verify token validity in seconds. 
+ expires: 3600
+ # Number of times a token can be requested.
+ maxCount: 1000
+ # Time slot in minutes for observing the max_counter parameter.
+ timeSlot: 60
+ ## Access token configuration.
+ access:
+ # Access token validity in seconds.
+ expires: 604800
+ device:
+ # Limits the number of failed device registration attempts for given timeslot (in minutes).
+ maxFailed: 200
+ # Timeslot (in minutes)
+ attemptsTimeslot: 60
+ phone:
+ # Limits the number of failed phone (phone number) registration attempts for given timeslot (in minutes).
+ maxFailed: 200
+ # Timeslot (in minutes)
+ attemptsTimeslot: 60
+
+ # Google integration.
+ google:
+ tokenApiUrl: https://www.googleapis.com/oauth2/v4/token
+ redirectUrl: https://web.staging.nynja.net/oauth/google
+ clientId: "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"
+ clientSecret: "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"
+
+ # Facebook integration.
+ facebook:
+ userInfoByTokenURL: https://graph.facebook.com/v3.1/me?access_token=
+ oauthTokenProviderURL: https://graph.facebook.com/v3.1/oauth/access_token
+ redirectUri: https://web.dev-eu.nynja.net/oauth/facebook
+ appId: "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"
+ secretKey: "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"
+
+ # CORS policy
+ corsPolicy:
+ allowOrigin:
+ - https://web.staging.nynja.net
+ allowMethods:
+ - POST
+ - GET
+ - OPTIONS
+ allowCredentials: false
+ allowHeaders:
+ - content-type
+ - x-grpc-web
+ - authorization
+ maxAge: "600s"
diff --git a/monitoring/grafana.yaml b/monitoring/grafana.yaml
index 5ad0aafebc963ab19a6e57e5af8f73f54fae7ec4..e8bedcfcc0ddea4abe390c1557c1cafe0e340e9a 100644
--- a/monitoring/grafana.yaml
+++ b/monitoring/grafana.yaml
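Review bot: The verification throttles in auth/auth-service.yaml are loose enough that they barely limit abuse: `token.verify.maxCount: 1000` per `timeSlot: 60` lets one user request up to 1000 verify codes an hour according to the comment above it, and `device.maxFailed` / `phone.maxFailed` allow 200 failed registration attempts per 60 minutes. With Telesign configured in the same file, each request is presumably a billable message, so this is both a code-guessing and a cost-exhaustion concern; a single-digit `maxCount` and a much lower `maxFailed` would be the usual starting point. Separately, `facebook.redirectUri` points at `https://web.dev-eu.nynja.net/oauth/facebook` while `google.redirectUrl` uses the staging host, which looks like a leftover from the dev values. The long `Ag…` strings for `smtp.password`, `customerId` and `apiKey` look like SealedSecrets ciphertext; a one-line comment saying so, such as `# sealed with Bitnami SealedSecrets`, would stop a reader from treating them as leaked plaintext.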
@@ -12,31 +12,55 @@ spec: serviceAccount: create: true name: + replicas: 1 + deploymentStrategy: RollingUpdate + + readinessProbe: + httpGet: + path: /api/health + port: 3000 + + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + image: repository: grafana/grafana - #tag: 5.1.3 - tag: 5.2.4 + tag: 5.3.2 pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## # pullSecrets: # - myRegistrKeySecretName + + securityContext: + runAsUser: 472 + fsGroup: 472 + downloadDashboardsImage: repository: appropriate/curl tag: latest pullPolicy: IfNotPresent + ## Pod Annotations # podAnnotations: {} + ## Deployment annotations # annotations: {} + ## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. ## ref: http://kubernetes.io/docs/user-guide/services/ - ## + # service: type: ClusterIP #type: LoadBalancer @@ -47,7 +71,7 @@ spec: nynja.biz/scrape: "true" nynja.biz/scrape_port: "80" nynja.biz/env: "staging" - nynja.biz/probe: "grafana" + nynja.biz/probe: "grafana" labels: {} gateway: selector: 
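Review bot: In the first hunk of monitoring/grafana.yaml, the `downloadDashboardsImage` block still uses `appropriate/curl` with `tag: latest` and `pullPolicy: IfNotPresent`, even though the same hunk pins Grafana to `tag: 5.3.2` and adds a non-root `securityContext`. That combination means each node runs whichever build of a third-party image it happened to cache first, inside the Grafana pod. I would pin it to a specific tag or digest in the same change, e.g. `tag: <pinned-version>` (placeholder; use the version you have tested). The new `securityContext` could also state `runAsNonRoot: true` so the intent is enforced rather than implied by UID 472, assuming the chart passes this map through as the pod security context.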
@@ -67,25 +91,30 @@ spec: # - secretName: chart-example-tls # hosts: # - chart-example.local + resources: limits: - cpu: 100m - memory: 128Mi + cpu: 400m + memory: 512Mi requests: - cpu: 100m - memory: 128Mi + cpu: 400m + memory: 256Mi + ## Node labels for pod assignment ## ref: https://kubernetes.io/docs/user-guide/node-selection/ # nodeSelector: {} + ## Tolerations for pod assignment ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] + ## Affinity for pod assignment ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} + ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## @@ -108,11 +137,14 @@ spec: ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## # schedulerName: + ## Extra environment variables that will be pass onto deployment pods env: {} + ## The name of a secret in the same kubernetes namespace which contain values to be added to the environment ## This can be useful for auth tokens, etc envFromSecret: "" + ## Additional grafana server secret mounts # Defines additional mounts with secrets. Secrets must be manually created in the namespace. extraSecretMounts: [] @@ -120,21 +152,15 @@ spec: # mountPath: /etc/secrets # secretName: grafana-secret-files # readOnly: true + # Pass the plugins you want installed as a comma separated list. # plugins: "digrich-bubblechart-panel,grafana-clock-panel" plugins: "" + ## Configure grafana datasources ## ref: http://docs.grafana.org/administration/provisioning/#datasources ## - #datasources: {} - # datasources.yaml: - # apiVersion: 1 - # datasources: - # - name: Prometheus - # type: prometheus - # url: http://prometheus-prometheus-server - # access: proxy - # isDefault: true + datasources: datasources.yaml: apiVersion: 1 
@@ -145,23 +171,17 @@ spec: url: http://prometheus-server.monitoring.svc.cluster.local access: proxy isDefault: true + basicAuth: false + isDefault: true + version: 1 + org_id: 1 + ## Configure grafana dashboard providers ## ref: http://docs.grafana.org/administration/provisioning/#dashboards ## ## `path` must be /var/lib/grafana/dashboards/ ## - #dashboardProviders: {} - # dashboardproviders.yaml: - # apiVersion: 1 - # providers: - # - name: 'default' - # orgId: 1 - # folder: '' - # type: file - # disableDeletion: false - # editable: true - # options: - # path: /var/lib/grafana/default/dashboards + dashboardProviders: dashboardproviders.yaml: apiVersion: 1 @@ -174,12 +194,14 @@ spec: editable: true options: path: /var/lib/grafana/dashboards + ## Configure grafana dashboard to import ## NOTE: To use dashboards you must also enable/configure dashboardProviders ## ref: https://grafana.com/dashboards ## ## dashboards per provider, use provider name as key. ## + dashboards: {} # default: # some-dashboard: @@ -191,6 +213,9 @@ spec: # datasource: Prometheus # local-dashboard: # url: https://example.com/repository/test.json + + + ## Reference to external ConfigMap per provider. Use provider name as key and ConfiMap name as value. ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. ## ConfigMap data example: @@ -203,6 +228,7 @@ spec: # default: "" dashboardsConfigMaps: default: all-dashboards + ## Grafana's primary configuration ## NOTE: values in map will be converted to ini format ## ref: http://docs.grafana.org/installation/configuration/ @@ -225,6 +251,7 @@ spec: # enabled: true # allow_sign_up: true # config_file: /etc/grafana/ldap.toml + ## Grafana's LDAP configuration ## Templated by the template in _helpers.tpl ## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled @@ -238,6 +265,7 @@ spec: config: "" # config: |- # verbose_logging = true + # [[servers]] # host = "my-ldap-server" # port = 636 
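Review bot: The lines added to the Prometheus datasource in the `@@ -145,23 +171,17 @@` hunk of monitoring/grafana.yaml repeat `isDefault: true`, which already appears as the context line just above `basicAuth: false`. Duplicate mapping keys are invalid YAML; most parsers silently keep the last one and stricter ones reject the file, so the added copy should be dropped. Grafana's datasource provisioning documents the organisation key as `orgId`, so the added `org_id: 1` is probably ignored; I would write `orgId: 1`. Indentation is not visible on this page, so this assumes the added keys sit in the same datasource entry as the context lines.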
@@ -245,6 +273,7 @@ spec: # start_tls = false # ssl_skip_verify = false # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + ## Grafana's SMTP configuration ## NOTE: To enable, grafana.ini must be configured with smtp.enabled ## ref: http://docs.grafana.org/installation/configuration/#smtp @@ -252,18 +281,19 @@ spec: # `existingSecret` is a reference to an existing secret containing the smtp configuration # for Grafana in keys `user` and `password`. existingSecret: "" + ## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders ## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards sidecar: image: kiwigrid/k8s-sidecar:0.0.3 imagePullPolicy: IfNotPresent resources: - # limits: - # cpu: 100m - # memory: 100Mi - # requests: - # cpu: 50m - # memory: 50Mi + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi dashboards: enabled: false # label that the configmaps with dashboards are marked with @@ -273,4 +303,4 @@ spec: datasources: enabled: false # label that the configmaps with datasources are marked with - label: grafana_datasource \ No newline at end of file + label: grafana_datasource diff --git a/monitoring/prometheus.yaml b/monitoring/prometheus.yaml index cf54e1342f6a84d0e364c4036c83478be4d37b20..da1879c6a524a025c12425d8feb81f28ded54461 100644 --- a/monitoring/prometheus.yaml +++ b/monitoring/prometheus.yaml @@ -8,8 +8,13 @@ spec: values: rbac: create: true + + ## Define the NYNJA Group's current environment + # + nynja_env: 'stg' + ## Define serviceAccount names for components. Defaults to component's fully qualified name. - ## + # serviceAccounts: alertmanager: create: true 
@@ -28,19 +33,19 @@ spec: name: alertmanager: ## If false, alertmanager will not be installed - ## + # enabled: true ## alertmanager container name - ## + # name: alertmanager ## alertmanager container image - ## + # image: repository: prom/alertmanager tag: v0.15.3 pullPolicy: IfNotPresent ## Additional alertmanager container arguments - ## + # extraArgs: {} ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug ## so that the various internal URLs are still able to access as they are in the default case. 
@@ -51,39 +56,40 @@ spec: baseURL: "/" ## Additional alertmanager container environment variable ## For instance to add a http_proxy - ## + # extraEnv: {} ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml ## to NOT generate a ConfigMap resource - ## + # configMapOverrideName: "" - pagerduty: - ## If true, PagerDuty will be enabled for Alertmanager - ## - enabled: true - ## The sealed PagerDuty Service Key (sealed with Bitnami's SealedSecret) - servicekey: "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" + pagerduty: + ## If true, PagerDuty will be enabled for Alertmanager + # + enabled: true + ## The sealed PagerDuty Service Key (sealed with Bitnami's SealedSecret) + servicekey: "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" - slackapi: - ## If true, the specified Slack Channel will be used with Alertmanager and PagerDuty - ## - enabled: true - ## The sealed Slack Channel API URL (sealed with Bitnami's SealedSecret) - url: "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" + slackapi: + ## If true, the specified Slack Channel will be used with Alertmanager and PagerDuty + ## + # + enabled: true + ## The sealed Slack Channel API URL (sealed with Bitnami's SealedSecret) + url: "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" ingress: ## If true, alertmanager Ingress will be created - ## + # enabled: false ## alertmanager Ingress annotations - ## + # annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: 'true' ## alertmanager Ingress additional labels - ## + # extraLabels: {} ## alertmanager Ingress hostnames with optional path ## Must be provided if Ingress is enabled 
@@ -163,10 +169,10 @@ spec: resources: limits: cpu: 50m - memory: 160Mi + memory: 192Mi requests: - cpu: 10m - memory: 32Mi + cpu: 30m + memory: 96Mi ## Security context to be added to alertmanager pods ## securityContext: {} @@ -227,8 +233,8 @@ spec: cpu: 100m memory: 320Mi requests: - cpu: 20m - memory: 64Mi + cpu: 25m + memory: 96Mi initChownData: ## If false, data ownership will not be reset at startup ## This allows the prometheus-server to be run with an arbitrary user @@ -252,8 +258,8 @@ spec: cpu: 75m memory: 320Mi requests: - cpu: 20m - memory: 64Mi + cpu: 25m + memory: 96Mi kubeStateMetrics: ## If false, kube-state-metrics will not be installed ## @@ -296,8 +302,8 @@ spec: cpu: 150m memory: 480Mi requests: - cpu: 30m - memory: 48Mi + cpu: 50m + memory: 128Mi ## Security context to be added to kube-state-metrics pods ## securityContext: {} @@ -327,7 +333,7 @@ spec: ## image: repository: prom/node-exporter - tag: v0.16.0 + tag: v0.17.0 pullPolicy: IfNotPresent ## Custom Update Strategy ## @@ -375,8 +381,8 @@ spec: cpu: 200m memory: 300Mi requests: - cpu: 40m - memory: 64Mi + cpu: 50m + memory: 128Mi ## Security context to be added to node-exporter pods ## securityContext: {} @@ -405,7 +411,7 @@ spec: ## image: repository: prom/prometheus - tag: v2.5.0 + tag: v2.6.0 pullPolicy: IfNotPresent ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug ## so that the various internal URLs are still able to access as they are in the default case. @@ -550,19 +556,19 @@ spec: resources: limits: cpu: 1250m - memory: 4Gi + memory: 6Gi requests: cpu: 750m - memory: 2Gi + memory: 3Gi ## Security context to be added to server pods ## securityContext: {} - ## The environment name - shown as a headline in the Prometheus Alerts - # - externalLabels: - cluster: "staging" + ## The environment name - shown as a headline in the Prometheus Alerts + # + externalLabels: + cluster: "staging" service: annotations: 
@@ -593,13 +599,16 @@ spec: ## Prometheus data retention period (i.e 360h) ## retention: "" - ## Set the namespace where Istio is installed - default: "istio-system" - namespace: - istio: "istio-system" - externalFiles: - rules: - enabled: true - confFile: "rules" + ## Set the namespace where Istio is installed - default: "istio-system" + namespace: + istio: "istio-system" + externalFiles: + rules: + enabled: true + confFile: "rules" + scrape_configs: + enabled: true + confFile: "scrape_configs" pushgateway: ## If false, pushgateway will not be installed @@ -613,7 +622,7 @@ spec: ## image: repository: prom/pushgateway - tag: v0.5.2 + tag: v0.6.0 pullPolicy: IfNotPresent ## Additional pushgateway container arguments ## @@ -664,8 +673,8 @@ spec: cpu: 100m memory: 320Mi requests: - cpu: 20m - memory: 64Mi + cpu: 30m + memory: 128Mi ## Security context to be added to push-gateway pods ## securityContext: {} 
@@ -688,90 +697,102 @@ spec: ## alertmanager ConfigMap entries ## alertmanagerFiles: - notifications.tpl: |- - {{ define "__alertmanager" }}Environment: ___PROMETHEUS_CLUSTER_NAME___{{ end }} - {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver }}{{ end }} + notifications.tpl: |- + {{ define "__alertmanager" }}Environment: ___PROMETHEUS_CLUSTER_NAME___{{ end }} + {{ define "__alertmanagerURL" }}{{ .ExternalURL }}/#/alerts?receiver={{ .Receiver }}{{ end }} - {{ define "__subject" }}[{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .GroupLabels.SortedPairs.Values | join " " }} {{ if gt (len .CommonLabels) (len .GroupLabels) }}({{ with .CommonLabels.Remove .GroupLabels.Names }}{{ .Values | join " " }}{{ end }}){{ end }}{{ end }} - {{ define "__description" }}{{ end }} + {{ define "__subject" }}[{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .GroupLabels.SortedPairs.Values | join " " }} {{ if gt (len .CommonLabels) (len .GroupLabels) }}({{ with .CommonLabels.Remove .GroupLabels.Names }}{{ .Values | join " " }}{{ end }}){{ end }}{{ end }} + {{ define "__description" }}{{ end }} - {{ define "__text_alert_list" }}{{ range . }}Labels: - {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} - {{ end }}Annotations: - {{ range .Annotations.SortedPairs }} - {{ .Name }} = {{ .Value }} - {{ end }}Source: {{ .GeneratorURL }} - {{ end }}{{ end }} + {{ define "__text_alert_list" }}{{ range . }}Labels: + {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} + {{ end }}Annotations: + {{ range .Annotations.SortedPairs }} - {{ .Name }} = {{ .Value }} + {{ end }}Source: {{ .GeneratorURL }} + {{ end }}{{ end }} - {{ define "slack.default.title" }}{{ template "__subject" . }}{{ end }} - {{ define "slack.default.username" }}{{ template "__alertmanager" . }}{{ end }} - {{ define "slack.default.fallback" }}{{ template "slack.default.title" . 
}} | {{ template "slack.default.titlelink" . }}{{ end }} - {{ define "slack.default.pretext" }}{{ end }} - {{ define "slack.default.titlelink" }}{{ template "__alertmanagerURL" . }}{{ end }} - {{ define "slack.default.iconemoji" }}{{ end }} - {{ define "slack.default.iconurl" }}{{ end }} - {{ define "slack.default.text" }}{{ end }} - {{ define "slack.default.footer" }}{{ end }} + {{ define "slack.default.title" }}{{ template "__subject" . }}{{ end }} + {{ define "slack.default.username" }}{{ template "__alertmanager" . }}{{ end }} + {{ define "slack.default.fallback" }}{{ template "slack.default.title" . }} | {{ template "slack.default.titlelink" . }}{{ end }} + {{ define "slack.default.pretext" }}{{ end }} + {{ define "slack.default.titlelink" }}{{ template "__alertmanagerURL" . }}{{ end }} + {{ define "slack.default.iconemoji" }}{{ end }} + {{ define "slack.default.iconurl" }}{{ end }} + {{ define "slack.default.text" }}{{ end }} + {{ define "slack.default.footer" }}{{ end }} - alertmanager.yml: - global: - slack_api_url: ___ALERTMANAGER_SLACK_API_URL___ + {{ define "__single_message_title" }}[{{ .Status | toUpper }}:{{ if eq .Status "firing" }}{{ .Alerts.Firing | len }}{{ else }}{{ .Alerts.Resolved | len }}{{ end }}]{{ end }} - receivers: - - name: default-receiver + {{ define "custom_title" }} {{ if or (and (eq (len .Alerts.Firing) 1) (eq (len .Alerts.Resolved) 0)) (and (eq (len .Alerts.Firing) 0) (eq (len .Alerts.Resolved) 1)) }}{{ template "__single_message_title" . }}{{ end }}{{ end }} - slack_configs: - - channel: '#ops-alerts-staging' - send_resolved: false - username: '{{ template "slack.default.username" . }}' - color: '{{ if eq .Status "firing" }}danger{{ else }}good{{ end }}' - title: '{{ template "slack.default.title" . }}' - title_link: '{{ template "slack.default.titlelink" . 
}}' - pretext: '{{ .CommonAnnotations.summary }}' - text: |- - {{ range .Alerts }} - *Alert:* {{ .Annotations.summary }} - `{{ .Labels.severity }}` - *Description:* {{ .Annotations.description }} - *Details:* - {{ range .Labels.SortedPairs }} • *{{ .Name }}:* `{{ .Value }}` - {{ end }} - {{ end }} - fallback: '{{ template "slack.default.fallback" . }}' - icon_emoji: '{{ template "slack.default.iconemoji" . }}' - icon_url: '{{ template "slack.default.iconurl" . }}' + {{ define "custom_slack_message" }} + {{ if or (and (eq (len .Alerts.Firing) 1) (eq (len .Alerts.Resolved) 0)) (and (eq (len .Alerts.Firing) 0) (eq (len .Alerts.Resolved) 1)) }} + {{ range .Alerts.Firing }}• {{ .Annotations.identifier }} *-* {{ .Annotations.description }}{{ end }}{{ range .Alerts.Resolved }}• {{ .Annotations.identifier }} *-* {{ .Annotations.description }}{{ end }} + {{ else }} + {{ if gt (len .Alerts.Firing) 0 }} + *[FIRING:{{ .Alerts.Firing | len }}]* + {{ range .Alerts.Firing }}• {{ .Annotations.identifier }} *-* {{ .Annotations.description }} + {{ end }}{{ end }} + {{ if gt (len .Alerts.Resolved) 0 }} + *[RESOLVED:{{ .Alerts.Resolved | len }}]* + {{ range .Alerts.Resolved }}• {{ .Annotations.identifier }} *-* {{ .Annotations.description }} + {{ end }}{{ end }} + {{ end }} + {{ end }} - pagerduty_configs: - - service_key: ___PAGERDUTY_SERVICEKEY___ + alertmanager.yml: + global: + slack_api_url: ___ALERTMANAGER_SLACK_API_URL___ - templates: - - /automations/notifications.tpl + receivers: + - name: default-receiver - route: - group_wait: 30s - group_interval: 5m - receiver: default-receiver - repeat_interval: 3h - #group_by: ['alertname', 'cluster', 'env'] - group_by: ['alertname', 'cluster'] - routes: - - match: - env: staging - group_wait: 5m - repeat_interval: 24h + slack_configs: + - channel: '#ops-alerts-staging' + send_resolved: true + username: '{{ template "slack.default.username" . 
}}' + color: '{{ if eq .Status "firing" }}danger{{ else }}good{{ end }}' + title: '{{ template "custom_title" . }}' + title_link: '{{ template "slack.default.titlelink" . }}' + pretext: '{{ .CommonAnnotations.summary }}' + text: '{{ template "custom_slack_message" . }}' + fallback: '{{ template "slack.default.fallback" . }}' + icon_emoji: '{{ template "slack.default.iconemoji" . }}' + icon_url: '{{ if eq .Status "firing" }}https://raw.githubusercontent.com/BulprosMiroslavHadzhiev/prometheus-icons/master/firing.png{{ else }}https://raw.githubusercontent.com/BulprosMiroslavHadzhiev/prometheus-icons/master/resolved.png{{ end }}' + pagerduty_configs: + - service_key: ___PAGERDUTY_SERVICEKEY___ -## Prometheus server ConfigMap entries -## -serverFiles: - alerts: {} + templates: + - /automations/notifications.tpl - prometheus.yml: - rule_files: - - /data/etc/config/rules - - /data/etc/config/alerts + route: + group_wait: 30s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + #group_by: ['alertname', 'cluster', 'env'] + group_by: ['alertname', 'cluster'] + routes: + - match: + env: staging + group_wait: 5m + repeat_interval: 24h -networkPolicy: - ## Enable creation of NetworkPolicy resources. - ## - enabled: false + ## Prometheus server ConfigMap entries + ## + serverFiles: + alerts: {} + + prometheus.yml: + rule_files: + - /data/etc/config/rules + - /data/etc/config/alerts + + + networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false diff --git a/nynja-app/nynja-app-web.yaml b/nynja-app/nynja-app-web.yaml index c8b0ba3e2e32e868dd425af46df0b5c1d10e8502..3473700b216bde6d735df18aa46b18d5ee055def 100644 --- a/nynja-app/nynja-app-web.yaml +++ b/nynja-app/nynja-app-web.yaml @@ -13,7 +13,7 @@ spec: sealedSecret: "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" image: repository: eu.gcr.io/nynja-ci-201610/nynja-app/nynja-app-web - tag: master-17 + tag: master-36 gateway: selector: - api-gateway.default.svc.cluster.local
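Review bot: In the alertmanager hunk of monitoring/prometheus.yaml (`@@ -688,90 +697,102 @@`), the new `icon_url` fetches `firing.png` / `resolved.png` from `raw.githubusercontent.com/BulprosMiroslavHadzhiev/prometheus-icons/master/`, a personal repository referenced by a mutable branch. Whoever controls that account controls the image shown on every ops alert, and the icons break if the repository is renamed or removed; hosting the two files in an organisation-owned location and referencing a fixed commit would avoid that. The new `custom_slack_message` also prints only `.Annotations.identifier` and `.Annotations.description`, so the severity and label details the old `text` block showed are gone, and rules without an `identifier` annotation presumably render an empty bullet. `custom_title` emits only whitespace when a notification groups more than one alert, which leaves the Slack title blank in exactly the multi-alert case.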