fix(observability): Changed auth route target to new name

Moved vector from core stack to observability-client
Added victoriametrics-k8s-stack to observability-client for easy vmagent
and scraping config

template/registry/forgejo.yaml

@@ -1,24 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: ingress-apps
+  name: forgejo
   namespace: argocd
   labels:
-    example: ref-implementation
+    env: dev
   finalizers:
     - resources-finalizer.argocd.argoproj.io
 spec:
   destination:
-    server: "https://kubernetes.default.svc"
+    name: in-cluster
+    namespace: argocd
   source:
-    repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+    path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo"
+    repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}"
     targetRevision: HEAD
-    path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/ingress-apps"
   project: default
   syncPolicy:
     automated:
+      prune: true
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-    retry:
-      limit: -1

template/registry/observability-client.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: observability-client
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    name: in-cluster
+    namespace: argocd
+  source:
+    path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/observability-client"
+    repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}"
+    targetRevision: HEAD
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

template/stacks/core/argocd.yaml

@@ -30,3 +30,6 @@ spec:
     - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
       targetRevision: HEAD
       ref: values
+    - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+      targetRevision: HEAD
+      path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests"

template/stacks/forgejo/forgejo-runner.yaml

@@ -21,4 +21,4 @@ spec:
   source:
     repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
     targetRevision: HEAD
-    path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/forgejo-runner"
+    path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-runner"

template/stacks/forgejo/forgejo-server.yaml

@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: forgejo-server
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+  destination:
+    name: in-cluster
+    namespace: gitea
+  sources:
+    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
+      path: .
+      # first check out the desired version (example v9.0.0): https://code.forgejo.org/forgejo-helm/forgejo-helm/src/tag/v9.0.0/Chart.yaml
+      # (note that the chart version is not the same as the forgejo application version, which is specified in the above Chart.yaml file)
+      # then use the devops pipeline and select development, forgejo and the desired version (example v9.0.0):
+      # https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/devops-pipelines/actions?workflow=update-helm-depends.yaml&actor=0&status=0
+      # finally update the desired version here and include "-depends", it is created by the devops pipeline. 
+      # why do we have an added "-depends" tag? it resolves rate limitings when downloading helm OCI dependencies
+      targetRevision: v9.0.0-depends
+      helm:
+        valueFiles:
+          - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/values.yaml
+    - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+      targetRevision: HEAD
+      path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/manifests"

template/stacks/forgejo/forgejo-server/manifests/forgejo-ingress.yaml

@@ -10,7 +10,7 @@ metadata:
     dns.gardener.cloud/dnsnames: {{{ .Env.DOMAIN_GITEA }}}
     dns.gardener.cloud/ttl: "600"
 {{{ end }}}
-  name: forgejo
+  name: forgejo-server
   namespace: gitea
 spec:
   ingressClassName: nginx
@@ -20,7 +20,7 @@ spec:
       paths:
       - backend:
           service:
-            name: forgejo-http
+            name: forgejo-server-http
             port:
               number: 3000
         path: /

template/stacks/forgejo/forgejo-server/values.yaml

@@ -17,6 +17,22 @@ persistence:
 test:
   enabled: false
 
+deployment:
+  env:
+    - name: SSL_CERT_FILE
+      value: /etc/elasticsearch/elasticsearch.cer
+
+extraVolumeMounts:
+  - mountPath: /etc/elasticsearch
+    name: elasticsearch-cert-volume
+    readOnly: true
+
+extraVolumes:
+  - name: elasticsearch-cert-volume
+    configMap:
+      defaultMode: 420
+      name: elasticsearch-cert
+
 gitea:
   additionalConfigFromEnvs:
     - name: FORGEJO__storage__MINIO_ACCESS_KEY_ID
@@ -53,27 +69,39 @@ gitea:
       valueFrom:
         secretKeyRef:
           name: postgres-forgejo-cloud-credentials
-          key: name
+          key: database
     - name: FORGEJO__database__USER
       valueFrom:
         secretKeyRef:
           name: postgres-forgejo-cloud-credentials
-          key: user
+          key: username
     - name: FORGEJO__database__PASSWD
       valueFrom:
         secretKeyRef:
           name: postgres-forgejo-cloud-credentials
           key: password
+    - name: FORGEJO__indexer__ISSUE_INDEXER_CONN_STR
+      valueFrom:
+        secretKeyRef:
+          name: elasticsearch-cloud-credentials
+          key: connection-string
 
   admin:
     existingSecret: gitea-credential
 
   config:
+    indexer:
+      ISSUE_INDEXER_ENABLED: true
+      ISSUE_INDEXER_TYPE: elasticsearch
+      # TODO next
+      REPO_INDEXER_ENABLED: false
+      # REPO_INDEXER_TYPE: meilisearch # not yet working
+
     storage:
       MINIO_ENDPOINT: obs.eu-de.otc.t-systems.com:443
       STORAGE_TYPE: minio
       MINIO_LOCATION: eu-de
-      MINIO_BUCKET: edp-forgejo-central-forgejo
+      MINIO_BUCKET: edp-forgejo-{{{ .Env.CLUSTER_ENVIRONMENT }}}
       MINIO_USE_SSL: true
 
     queue:
@@ -132,4 +160,4 @@ forgejo:
           - docker:docker://node:16-bullseye
           - self-hosted:docker://ghcr.io/catthehacker/ubuntu:act-22.04
           - ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04
-          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04
+          - ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04

template/stacks/observability-client/vector.yaml

@@ -23,7 +23,7 @@ spec:
       targetRevision: 0.43.0
       helm:
         valueFiles:
-          - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/vector/values.yaml
+          - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/observability-client/vector/values.yaml
     - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
       targetRevision: HEAD
       ref: values

template/stacks/observability-client/vm-client-stack.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: forgejo
+  name: vm-client-stack
   namespace: argocd
   labels:
     env: dev
@@ -12,18 +12,20 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-    retry:
-      limit: -1
   destination:
     name: in-cluster
-    namespace: gitea
+    namespace: observability
   sources:
-    - repoURL: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/forgejo-helm.git
+    - chart: victoria-metrics-k8s-stack
-      path: .
+      repoURL: https://victoriametrics.github.io/helm-charts/
-      targetRevision: v12.0.0-depends
+      targetRevision: 0.48.1
+      releaseName: vm
       helm:
         valueFiles:
-          - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/forgejo/values.yaml
+          - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/observability-client/vm-client-stack/values.yaml
     - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
       targetRevision: HEAD
       ref: values
+    - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}
+      targetRevision: HEAD
+      path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/observability-client/vm-client-stack/manifests"

template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: simple-user-secret
+  namespace: observability
+type: Opaque
+stringData:
+  username: simple-user
+  password: simple-password

template/stacks/observability/victoria-k8s-stack.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: victoria-k8s-stack
+  name: o12y
   namespace: argocd
   labels:
     env: dev
@@ -12,6 +12,7 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
+      - ServerSideApply=true
   destination:
     name: in-cluster
     namespace: observability
@@ -19,7 +20,7 @@ spec:
     - chart: victoria-metrics-k8s-stack
       repoURL: https://victoriametrics.github.io/helm-charts/
       targetRevision: 0.48.1
-      releaseName: vm
+      releaseName: o12y
       helm:
         valueFiles:
           - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/observability/victoria-k8s-stack/values.yaml

template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml

@@ -8,8 +8,8 @@ spec:
   password: simple-password
   targetRefs:
     - static:
-        url: http://vmsingle-victoria-k8s-stack-victoria-metrics-k8s-stack:8429
+        url: http://vmsingle-o12y:8429
-      paths: ["/api/v1/write/.*"]
+      paths: ["/api/v1/write"]
     - static:
         url: http://vlogs-victorialogs:9428
       paths: ["/insert/elasticsearch/.*"]

template/stacks/observability/victoria-k8s-stack/values.yaml

@@ -14,13 +14,13 @@ global:
 # -- Override chart name
 nameOverride: ""
 # -- Resource full name override
-fullnameOverride: ""
+fullnameOverride: "o12y"
 # -- Tenant to use for Grafana datasources and remote write
 tenant: "0"
 # -- If this chart is used in "Argocd" with "releaseName" field then
 # VMServiceScrapes couldn't select the proper services.
 # For correct working need set value 'argocdReleaseOverride=$ARGOCD_APP_NAME'
-argocdReleaseOverride: ""
+argocdReleaseOverride: "o12y"
 
 # -- VictoriaMetrics Operator dependency chart configuration. More values can be found [here](https://docs.victoriametrics.com/helm/victoriametrics-operator#parameters). Also checkout [here](https://docs.victoriametrics.com/operator/vars) possible ENV variables to configure operator behaviour
 victoria-metrics-operator:
@@ -772,7 +772,7 @@ vmauth:
 
 vmagent:
   # -- Create VMAgent CR
-  enabled: true
+  enabled: false
   # -- VMAgent annotations
   annotations: {}
   # -- Remote write configuration of VMAgent, allowed parameters defined in a [spec](https://docs.victoriametrics.com/operator/api#vmagentremotewritespec)
@@ -875,6 +875,12 @@ grafana:
     enabled: true
     type: pvc
     storageClassName: "default"
+  grafana.ini:
+    # auth:
+    #   login_maximum_inactive_lifetime_duration: 0
+    #   login_maximum_lifetime_duration: 0
+    security:
+      disable_brute_force_login_protection: true
   sidecar:
     datasources:
       enabled: true