Merge pull request #328 from openinfradev/release

241015 main from release ( v3.2.1 )
openinfradev · Oct 15, 2024 · eccafa3 · eccafa3
2 parents e2ebf17 + 2a8f99c
commit eccafa3
Show file tree

Hide file tree

Showing 6 changed files with 237 additions and 38 deletions.
diff --git a/lma/base/resources.yaml b/lma/base/resources.yaml
@@ -621,7 +621,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: fluent-operator
-    version: 1.7.0
+    version: 2.7.0
     skipDepUpdate: true
     origin: https://openinfradev.github.io/helm-repo
   releaseName: fluent-operator-crds
@@ -641,18 +641,18 @@ spec:
     origin: https://openinfradev.github.io/helm-repo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: fluent-operator
-    version: 1.7.0
+    version: 2.7.0
     skipDepUpdate: true
   releaseName: fluent-operator
   targetNamespace: lma
   values:
     operator:
       initcontainer:
         repository: harbor.taco-cat.xyz/tks/docker
-        tag: 19.03
+        tag: "20.10"
       container:
         repository: harbor.taco-cat.xyz/tks/fluent-operator
-        tag: v1.5.0
+        tag: "v2.7.0"
       # FluentBit operator resources. Usually user needn't to adjust these.
       resources:
         limits:
@@ -662,9 +662,10 @@ spec:
           cpu: 100m
           memory: 20Mi
     fluentbit:
+      enable: false
       image:
         repository: harbor.taco-cat.xyz/tks/fluent-bit
-        tag: v1.9.7-debug
+        tag: v2.2.0
   wait: true
 ---
 apiVersion: helm.fluxcd.io/v1
@@ -692,7 +693,7 @@ spec:
         tag: v0.1.1
       fluentbit:
         repository: harbor.taco-cat.xyz/tks/fluent-bit
-        tag: v2.1.4
+        tag: v3.0.4
       elasticsearchTemplates:
         repository: harbor.taco-cat.xyz/tks/curl
         tag: latest
@@ -721,13 +722,7 @@ spec:
       outputs: { }
       targetLogs: [ ]
       alerts:
-        enabled: true
-        namespace: taco-system
-        message: |-
-          {{ $labels.container }} in {{ $labels.pod }} ({{ $labels.taco_cluster }}/{{ $labels.namespace }} ) generate a error due to log = {{ $labels.log }}
-        summary: |-
-          {{ $labels.container }} in {{ $labels.pod }} ({{ $labels.taco_cluster }}/{{ $labels.namespace }} ) generate a error
-        rules: [ ]
+        enabled: false
       clusterName: TO_BE_FIXED
       exclude:
       - key: $kubernetes['container_name']
@@ -753,7 +748,7 @@ spec:
     type: helmrepo
     repository: https://harbor.taco-cat.xyz/chartrepo/tks
     name: lma-addons
-    version: 1.8.7
+    version: 1.9.0
     origin: https://openinfradev.github.io/helm-repo
   releaseName: addons
   targetNamespace: lma
@@ -767,6 +762,9 @@ spec:
       loki:
         enabled: true
         url: "loki-loki-distributed-gateway.lma"
+      lokiuser:
+        enabled: true
+        url: "loki-user-loki-distributed-gateway.lma"
     grafanaDashboard:
       include:
       - kubernetes
@@ -1230,6 +1228,85 @@ spec:
 ---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
+metadata:
+  labels:
+    name: loki-user
+  name: loki-user
+spec:
+  helmVersion: v3
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: loki-distributed
+    version: 0.58.0
+    origin: https://grafana.github.io/helm-charts
+  releaseName: loki-user
+  targetNamespace: lma
+  values:
+    global:
+      clusterDomain: cluster.local # TO_BE_FIXED
+      dnsService: coredns
+    loki:
+      image:
+        registry: harbor.taco-cat.xyz
+        repository: tks/loki
+        tag: null
+      schemaConfig:
+        configs:
+        - from: "2020-09-07"
+          store: boltdb-shipper
+          object_store: s3
+          schema: v11
+          index:
+            prefix: loki_index_
+            period: 24h
+      storageConfig:
+        boltdb_shipper:
+          active_index_directory: /var/loki/index
+          cache_location: /var/loki/cache
+          cache_ttl: 24h         # Can be increased for faster performance over longer query periods, uses more disk space
+          shared_store: s3
+        aws:
+          s3: TO_BE_FIXED
+          bucketnames: tks-loki-user
+          s3forcepathstyle: true
+      structuredConfig:
+        limits_config:
+          ingestion_rate_mb: 25
+          ingestion_burst_size_mb: 50
+          max_streams_per_user: 0
+          max_global_streams_per_user: 0
+        table_manager:
+          retention_deletes_enabled: true
+          retention_period: TO_BE_FIXED
+    serviceMonitor.enabled: true
+    prometheusRule.enabled: true
+    ingester:
+      resources:
+        limits:
+          cpu: '4'
+          memory: 4Gi
+        requests:
+          cpu: 100m
+          memory: 250Mi
+      persistence:
+        enabled: true
+        inMemory: false
+        size: 100Gi
+    memcachedExporter.enabled: true
+    gateway:
+      image:
+        registry: harbor.taco-cat.xyz
+        repository: tks/nginx-unprivileged
+
+      nginxConfig:
+        httpSnippet: |-
+          client_max_body_size 50M;
+        serverSnippet: |-
+          client_max_body_size 50M;
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
 metadata:
   labels:
     name: lma-bucket
@@ -1250,3 +1327,26 @@ spec:
     s3:
       enabled: true
       buckets: [ ]
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: opa-exporter
+  name: opa-exporter
+spec:
+  helmVersion: v3
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: opa-scorecard
+    version: 0.1.0
+  releaseName: opa-exporter
+  targetNamespace: lma
+  values:
+    gatekeeper:
+      namespace: gatekeeper-system
+    metrics:
+      podmonitor: true
+      servicemonitor:
+        enabled: true
diff --git a/lma/base/site-values.yaml b/lma/base/site-values.yaml
@@ -22,6 +22,8 @@ global:
 
   lokiHost: loki-loki-distributed-gateway
   lokiPort: 80
+  lokiuserHost: loki-user-loki-distributed-gateway
+  lokiuserPort: 80
   grafanaDatasourceMetric: lma-prometheus.lma:9090
 
 charts:
@@ -147,6 +149,7 @@ charts:
     grafanaDatasource.prometheus.url: $(grafanaDatasourceMetric)
     # grafanaDatasource.prometheus.url: "thanos-query.lma:9090"
     grafanaDatasource.loki.url: $(lokiHost):$(lokiPort)
+    grafanaDatasource.lokiuser.url: $(lokiuserHost):$(lokiuserPort)
 
 - name: prometheus-adapter
   override:
@@ -173,11 +176,18 @@ charts:
       purge: false
       versioning: true
       objectlocking: false
+    - name: loki-user
+      policy: public
+      purge: false
+      versioning: true
+      objectlocking: false
     customCommands:
     - command: ilm rule add --expire-days 90 myminio/tks-thanos
     - command: ilm rule add --expire-days 15 myminio/tks-loki
+    - command: ilm rule add --expire-days 15 myminio/tks-loki-user
     - command: ilm ls myminio/tks-thanos
     - command: ilm ls myminio/tks-loki
+    - command: ilm ls myminio/tks-loki-user
     persistence.storageClass: $(storageClassName)
     persistence.accessMode: ReadWriteOnce
     persistence.size: 20Gi
@@ -260,10 +270,16 @@ charts:
     loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
     loki.structuredConfig.table_manager.retention_period: 672h    # delete logs after 672h = 28 days
 
+- name: loki-user
+  override:
+    loki.storageConfig.aws.s3: http://$(defaultUser):$(defaultPassword)@minio.lma.svc:9000/minio
+    loki.structuredConfig.table_manager.retention_period: 72h    # delete logs after 72h = 3 days
+
 - name: lma-bucket
   override:
     s3.enabled: true
     s3.buckets:
     - name: $(clusterName)-tks-thanos
     - name: $(clusterName)-tks-loki
+    - name: $(clusterName)-tks-loki-user
     # tks.iamRoles: arn:aws:iam::12345678:role/control-plane.cluster-api-provider-aws.sigs.k8s.io
diff --git a/policy/base/resources.yaml b/policy/base/resources.yaml
@@ -16,6 +16,7 @@ spec:
   releaseName: opa-gatekeeper
   targetNamespace: gatekeeper-system
   values: 
+    logDenies: true
     enableDeleteOperations: true
 ---
 apiVersion: helm.fluxcd.io/v1
@@ -34,4 +35,32 @@ spec:
   helmVersion: v3
   releaseName: policy-resources
   targetNamespace: gatekeeper-system
-  values: {}
+  values: {}
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  labels:
+    name: ratify
+  name: ratify
+spec:
+  chart:
+    type: helmrepo
+    repository: https://harbor.taco-cat.xyz/chartrepo/tks
+    name: ratify
+    version: 1.13.0
+    origin: https://github.com/ratify-project/ratify/tree/v1.2.0/charts/ratify
+  helmVersion: v3
+  releaseName: ratify
+  targetNamespace: gatekeeper-system
+  values: 
+    oras:
+      useHttp: true
+    provider:
+      tls:
+        skipVerify: true
+    featureFlags:
+      RATIFY_CERT_ROTATION: true
+    sbom:
+      enabled: true
+---
diff --git a/policy/base/site-values.yaml b/policy/base/site-values.yaml
@@ -25,3 +25,36 @@ charts:
     enableDeleteOperations: true
 
 - name: policy-resources
+
+- name: ratify
+  override:
+    sbom:
+      disallowedLicenses:
+      - "GPL-2.0-only"
+      - "MPL"
+      disallowedPackages:
+      - name: "busybox"
+        version: "1.36.1-r28"
+    notationCerts:
+    # https://github.com/ratify-project/ratify/blob/dev/test/testdata/notation.crt
+    - |-
+      -----BEGIN CERTIFICATE-----
+      MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL
+      BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X
+      DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5
+      MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+      MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8
+      3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4
+      FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo
+      ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa
+      gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo
+      3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci
+      EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE
+      ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL
+      BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt
+      BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ
+      hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF
+      90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync
+      cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp
+      Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg=
+      -----END CERTIFICATE-----