imfreedom/k8s-cluster

Lower the resources for trac

14 months ago, Gary Kramlich
5e0f351f8ee3
Lower the resources for trac

We haven't had any stability issues with trac since we redirected the issues,
so we're going to lower the resources to reflect that and hopefully bring them
down a bit more over time.
# This manifest sets up an ingress, authenticated through Hub, to the
# kube-prometheus stack, which was applied directly from the manifests in
# github.com/coreos/kube-prometheus.
#
# It uses https://github.com/thomseddon/traefik-forward-auth to do OIDC-based
# logins against our JetBrains Hub instance.
---
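# Response headers added by the `common` middleware chain.
# Nesting restored: as flattened on the page, `headers` and
# `customResponseHeaders` would parse as empty top-level keys.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: common-headers
  namespace: monitoring
spec:
  headers:
    customResponseHeaders:
      # Allows framing only by the same origin, which limits clickjacking of
      # the monitoring UIs served behind this chain.
      X-Frame-Options: SAMEORIGIN
      # NOTE(review): no HSTS or X-Content-Type-Options header is set here.
      # The Traefik headers middleware has `stsSeconds` and
      # `contentTypeNosniff` for that; confirm whether they are set elsewhere.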
---
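# Removes the per-application path prefix before the request reaches the
# backend, so each backend sees paths relative to `/`.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: strip-prefixes
  namespace: monitoring
spec:
  stripPrefix:
    forceSlash: false
    # These must stay in sync with the PathPrefix() matchers on the
    # `monitoring` IngressRoute.
    prefixes:
      - "/alertmanager"
      - "/grafana"
      - "/prometheus"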
---
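# Delegates the authentication decision for each request to the
# traefik-forward-auth Service in this namespace.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: hub-forward-auth
  namespace: monitoring
spec:
  forwardAuth:
    # Plain HTTP to an in-cluster Service; the auth exchange is not encrypted
    # between Traefik and the auth pod.
    address: http://traefik-forward-auth.monitoring:4181
    # NOTE(review): with this set, Traefik passes along X-Forwarded-* headers
    # already present on the incoming request instead of replacing them. That
    # is only safe when every path to this entry point goes through a trusted
    # proxy that overwrites those headers. If Traefik is the internet-facing
    # edge, `false` is the safer setting; confirm the topology.
    trustForwardHeader: true
    # Headers copied from the auth service's response onto the request that
    # is forwarded to the backend.
    # NOTE(review): a backend that takes identity from X-Forwarded-User must
    # only be reachable through this middleware. The Services in this file
    # are also reachable in-cluster, where nothing sets or strips the header.
    # Confirm whether any backend relies on it.
    authResponseHeaders:
      - X-Forwarded-User
      - Authorization
      - Set-Cookie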
---
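# Chain applied to every route of the `monitoring` IngressRoute.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: common
  namespace: monitoring
spec:
  chain:
    # Order matters: authentication runs first, so an unauthenticated request
    # is handled by the auth service before the path is rewritten or the
    # request reaches a backend.
    middlewares:
      - name: hub-forward-auth
      - name: strip-prefixes
      - name: common-headers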
---
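# Redirects requests to the https scheme; used by the plaintext entry point.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: monitoring
spec:
  redirectScheme:
    scheme: https
    # Permanent redirect, which clients may cache.
    permanent: true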
---
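# Plaintext entry point for the monitoring host. Its only middleware is the
# https redirect; the authentication chain is not attached here.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: monitoring-http
  namespace: monitoring
spec:
  entryPoints:
    - http
  routes:
    - match: Host(`monitoring.imfreedom.org`)
      kind: Rule
      # The redirect middleware below is expected to answer every request on
      # this entry point, so this service should not receive plaintext
      # traffic. It is still the route's nominal target; keep it pointed at
      # the auth service rather than at an unauthenticated backend.
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        - name: https-redirect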
---
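# TLS entry point for the monitoring UIs. Every route carries the `common`
# chain, which is what puts forward-auth in front of each backend. A route
# added here without that middleware would be served unauthenticated.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: monitoring
  namespace: monitoring
spec:
  entryPoints:
    - https
  routes:
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/alertmanager`)
      kind: Rule
      services:
        - name: alertmanager-main
          port: 9093
      middlewares:
        - name: common
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/grafana`)
      kind: Rule
      services:
        - name: grafana
          port: 3000
      middlewares:
        - name: common
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/prometheus`)
      kind: Rule
      services:
        - name: prometheus
          port: 9090
      middlewares:
        - name: common
    # Routed to the auth service itself; presumably the OIDC callback path
    # used by traefik-forward-auth (confirm against its configuration).
    - match: Host(`monitoring.imfreedom.org`) && PathPrefix(`/_oauth`)
      kind: Rule
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        - name: common
  # Certificate and key come from the Secret written by the `monitoring-tls`
  # Certificate resource in this namespace.
  tls:
    secretName: monitoring-tls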
---
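# cert-manager Certificate that populates the `monitoring-tls` Secret used by
# the `monitoring` IngressRoute.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  namespace: monitoring
  name: monitoring-tls
spec:
  secretName: monitoring-tls
  # NOTE(review): no `kind` is given, so cert-manager resolves this as a
  # namespaced Issuer called `letsencrypt` in `monitoring`. If the issuer is
  # cluster-scoped, this needs `kind: ClusterIssuer`. Confirm.
  issuerRef:
    name: letsencrypt
  commonName: monitoring.imfreedom.org
  dnsNames:
    - monitoring.imfreedom.org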
---
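# Runs traefik-forward-auth, the service the `hub-forward-auth` middleware
# calls to authenticate requests via OIDC against Hub.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  # Single replica: if this pod is down, the forward-auth check cannot
  # complete for any route behind the `common` chain.
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - args:
            - --default-provider=oidc
          env:
            - name: PROVIDERS_OIDC_ISSUER_URL
              value: https://hub.imfreedom.org/hub
            # Client credentials and the cookie secret are read from the
            # `monitoring` Secret rather than written into this manifest.
            - name: PROVIDERS_OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_id
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: client_secret
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: monitoring
                  key: cookie_secret
          # NOTE(review): `:2` is a mutable tag, and `imagePullPolicy: Always`
          # re-resolves it on every pod start, so the running auth component
          # can change without a change to this file. Pinning by digest
          # (`...@sha256:<digest-placeholder>`) makes rollouts reproducible
          # and reviewable.
          image: thomseddon/traefik-forward-auth:2
          imagePullPolicy: Always
          name: traefik-forward-auth
          ports:
            - containerPort: 4181
              protocol: TCP
          # The container listens on an unprivileged port, so it needs no
          # extra capabilities or privilege escalation.
          # NOTE(review): `runAsNonRoot` and `readOnlyRootFilesystem` would
          # tighten this further; verify against the image before enabling.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL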
---
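# In-cluster Service for the auth pod. It is the target of the
# `hub-forward-auth` middleware address and of the `/_oauth` route.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  ports:
    - name: http
      port: 4181
      protocol: TCP
      targetPort: 4181
  selector:
    app: traefik-forward-auth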
---
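# ServiceAccount bound to the `prometheus-operator` ClusterRole by the
# ClusterRoleBinding in this file, and also used by the Prometheus resource.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    # Quoted so the label value is always read as a string.
    app.kubernetes.io/version: '0.45.0'
  name: prometheus-operator
  namespace: monitoring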
---
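# Grants the `prometheus-operator` ClusterRole, cluster-wide, to the
# ServiceAccount of the same name in `monitoring`.
# NOTE(review): the ClusterRole is not defined in this file. Review its rules
# together with every workload that runs as this ServiceAccount, since they
# all inherit the same cluster-wide permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    # Quoted so the label value is always read as a string.
    app.kubernetes.io/version: '0.45.0'
  name: prometheus-operator-monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-operator
subjects:
  - kind: ServiceAccount
    name: prometheus-operator
    namespace: monitoring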
---
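# Prometheus instance managed by the prometheus-operator.
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  name: prometheus
  namespace: monitoring
spec:
  # NOTE(review): the Prometheus pods run as the operator's own
  # ServiceAccount, which this file binds to the `prometheus-operator`
  # ClusterRole. The server therefore holds whatever cluster-wide rights the
  # operator has. A dedicated ServiceAccount limited to the read access
  # needed for scraping would follow least privilege. Confirm and split.
  serviceAccountName: prometheus-operator
  # Only PodMonitors labelled `monitoring: cluster-wide` are selected.
  podMonitorSelector:
    matchLabels:
      monitoring: cluster-wide
  resources:
    limits:
      cpu: 1000m
      memory: 512Mi
    requests:
      cpu: 500m
      memory: 256Mi
  # Keeps the Prometheus admin API turned off.
  enableAdminAPI: false
  # The external URL carries the `/prometheus/` path, while the route prefix
  # is `/` because the `strip-prefixes` middleware removes `/prometheus`
  # before the request reaches the pod.
  externalUrl: 'https://monitoring.imfreedom.org/prometheus/'
  routePrefix: '/'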
---
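# In-cluster Service for the Prometheus pods. It is the backend of the
# `/prometheus` route.
# NOTE(review): authentication is enforced only at the IngressRoute. Requests
# that reach this Service from inside the cluster bypass forward-auth unless
# a NetworkPolicy restricts access. None is defined in this file.
apiVersion: v1
kind: Service
metadata:
  namespace: monitoring
  name: prometheus
  labels:
    app: prometheus
spec:
  ports:
    - port: 9090
      protocol: TCP
  selector:
    app: prometheus
    prometheus: prometheus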
---