multi cluster

infra/values/base/argocd-values.yaml

@@ -0,0 +1,83 @@
+configs:
+  secret:
+    createSecret: true
+    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+  cm:
+    application.resourceTrackingMethod: annotation
+    timeout.reconciliation: 60s
+    admin.enabled: "true"
+    repositories: |
+      - type: git
+        url: https://github.com/snothub
+        name: github-repo
+  params:
+    "server.insecure": true
+server:
+  ingress:
+    enabled: false
+    ingressClassName: nginx
+  extraArgs:
+  - --insecure
+
+notifications:
+  # Don't create secret via Helm - using SealedSecret instead
+  secret:
+    create: false
+
+  # Define notification templates
+  templates:
+    template.app-syncing: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: 🔄 *{{ .app.metadata.name }}* is syncing...\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}"
+            }
+    template.app-sync-succeeded: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ✅ *{{ .app.metadata.name }}* sync succeeded\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}{{ range .app.status.summary.images }}\n🏷️  Image: {{ . }}{{ end }}"
+            }
+    template.app-sync-failed: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ❌ *{{ .app.metadata.name }}* sync failed\n📦 Revision: {{ .app.status.sync.revision | substr 0 7 }}\n⚠️  Message: {{ .app.status.operationState.message }}"
+            }
+    template.app-degraded: |
+      webhook:
+        slack:
+          method: POST
+          body: |
+            {
+              "payload": "🖥️ {{ .context.clusterName }}: ⚠️ *{{ .app.metadata.name }}* is degraded\n🏥 Health: {{ .app.status.health.status }}\n💬 Message: {{ .app.status.health.message }}"
+            }
+
+  # Define notification triggers
+  triggers:
+    trigger.on-sync-running: |
+      - when: app.status.operationState.phase in ['Running']
+        send: [app-syncing]
+    trigger.on-sync-succeeded: |
+      - when: app.status.operationState.phase in ['Succeeded']
+        send: [app-sync-succeeded]
+    trigger.on-sync-failed: |
+      - when: app.status.operationState.phase in ['Failed']
+        send: [app-sync-failed]
+    trigger.on-degraded: |
+      - when: app.status.health.status == 'Degraded'
+        send: [app-degraded]
+
+  # Define notification services (webhook for Slack)
+  notifiers:
+    service.webhook.slack: |
+      url: $slack-webhook-url
+      headers:
+      - name: Content-Type
+        value: application/json

infra/values/base/dot-ai-stack-values.yaml

@@ -0,0 +1,11 @@
+dot-ai:
+  ingress:
+    enabled: true
+    className: traefik
+dot-ai-ui:
+  uiAuth:
+    secretRef:
+      name: dot-ai-secrets
+  ingress:
+    enabled: true
+    className: traefik

infra/values/base/fluent-bit-values.yaml

@@ -0,0 +1,77 @@
+# Fluent Bit Helm Chart Values
+# Static configuration for Loki output
+
+config:
+  service: |
+    [SERVICE]
+        Daemon Off
+        Flush 1
+        Log_Level info
+        Parsers_File parsers.conf
+        Parsers_File custom_parsers.conf
+        HTTP_Server On
+        HTTP_Listen 0.0.0.0
+        HTTP_Port 2020
+        Health_Check On
+
+  inputs: |
+    [INPUT]
+        Name tail
+        Path /var/log/containers/*.log
+        multiline.parser docker, cri
+        Tag kube.*
+        Mem_Buf_Limit 5MB
+        Skip_Long_Lines On
+
+    [INPUT]
+        Name systemd
+        Tag host.*
+        Systemd_Filter _SYSTEMD_UNIT=kubelet.service
+        Read_From_Tail On
+
+  filters: |
+    [FILTER]
+        Name kubernetes
+        Match kube.*
+        Kube_URL https://kubernetes.default.svc:443
+        Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token
+        Kube_Tag_Prefix kube.var.log.containers.
+        Merge_Log On
+        Keep_Log Off
+        K8S-Logging.Parser On
+        K8S-Logging.Exclude On
+
+  outputs: |
+    [OUTPUT]
+        Name loki
+        Match kube.*
+        Host loki-gateway.monitoring.svc.cluster.local
+        Port 80
+        Labels job=fluent-bit, namespace=$kubernetes['namespace_name'], pod=$kubernetes['pod_name'], container=$kubernetes['container_name']
+        Line_Format json
+
+    [OUTPUT]
+        Name loki
+        Match host.*
+        Host loki-gateway.monitoring.svc.cluster.local
+        Port 80
+        Labels job=fluent-bit-systemd
+        Line_Format json
+
+
+tolerations:
+- key: node-role.kubernetes.io/control-plane
+  operator: Exists
+  effect: NoSchedule
+- key: node-role.kubernetes.io/master
+  operator: Exists
+  effect: NoSchedule
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 100m
+    memory: 256Mi

infra/values/base/keycloak-values.yaml

@@ -0,0 +1,60 @@
+# Bitnami Keycloak Helm Chart Values
+# Chart version: 25.2.0
+
+image:
+  repository: bitnamilegacy/keycloak
+
+production: true
+proxyHeaders: xforwarded
+
+auth:
+  adminUser: admin
+  existingSecret: keycloak-credentials
+  passwordSecretKey: admin-password
+
+ingress:
+  enabled: true
+  tls: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+
+resources:
+  requests:
+    cpu: 250m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+postgresql:
+  enabled: true
+  image:
+    repository: bitnamilegacy/postgresql
+  auth:
+    existingSecret: keycloak-credentials
+    secretKeys:
+      adminPasswordKey: postgres-password
+      userPasswordKey: password
+    username: bn_keycloak
+    database: bitnami_keycloak
+  primary:
+    persistence:
+      size: 8Gi
+
+keycloakConfigCli:
+  enabled: true
+  image:
+    repository: bitnamilegacy/keycloak-config-cli
+  configuration:
+    forte-realm.json: |
+      {
+        "realm": "forte",
+        "enabled": true,
+        "displayName": "Forte",
+        "sslRequired": "external",
+        "registrationAllowed": false,
+        "loginWithEmailAllowed": true,
+        "resetPasswordAllowed": true,
+        "rememberMe": true
+      }

infra/values/base/loki-values.yaml

@@ -0,0 +1,42 @@
+global:
+  dnsService: coredns
+
+deploymentMode: SingleBinary
+loki:
+  auth_enabled: false
+  commonConfig:
+    replication_factor: 1
+  storage:
+    type: 'filesystem'
+  schemaConfig:
+    configs:
+    - from: "2024-01-01"
+      store: tsdb
+      index:
+        prefix: loki_index_
+        period: 24h
+      object_store: filesystem # we're storing on filesystem so there's no real persistence here.
+      schema: v13
+  limits_config:
+    reject_old_samples: true
+    reject_old_samples_max_age: 168h
+    ingestion_rate_mb: 10
+    ingestion_burst_size_mb: 20
+    max_line_size: 512KB
+chunksCache:
+  enabled: false
+singleBinary:
+  replicas: 1
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      cpu: 200m
+      memory: 2Gi
+read:
+  replicas: 0
+backend:
+  replicas: 0
+write:
+  replicas: 0

infra/values/base/prometheus-values.yaml

@@ -0,0 +1,60 @@
+server:
+  ingress:
+    enabled: false
+  service:
+    servicePort: 80
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+  enableLifecycle: true
+
+extraScrapeConfigs: |
+  - job_name: kyverno
+    scrape_interval: 15s
+    metrics_path: /metrics
+    kubernetes_sd_configs:
+      - role: endpoints
+        namespaces:
+          names:
+            - kyverno
+    relabel_configs:
+      - source_labels: [__meta_kubernetes_endpoint_port_name]
+        regex: metrics-port
+        action: keep
+      - source_labels: [__meta_kubernetes_service_name]
+        target_label: service
+      - source_labels: [__meta_kubernetes_pod_name]
+        target_label: pod
+      - source_labels: [__meta_kubernetes_namespace]
+        target_label: namespace
+
+  - job_name: trivy-operator
+    scrape_interval: 30s
+    metrics_path: /metrics
+    kubernetes_sd_configs:
+      - role: pod
+        namespaces:
+          names:
+            - trivy-system
+    relabel_configs:
+      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
+        regex: trivy-operator
+        action: keep
+      - source_labels: [__meta_kubernetes_pod_container_port_number]
+        regex: "8080"
+        action: keep
+      - source_labels: [__meta_kubernetes_pod_name]
+        target_label: pod
+      - source_labels: [__meta_kubernetes_namespace]
+        target_label: namespace
+      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
+        target_label: instance
+
+alertmanager:
+  enabled: false

infra/values/base/traefik-values.yaml

@@ -0,0 +1,50 @@
+providers:
+  kubernetesIngress:
+    publishedService: # Fixes ArgoCD health checks for LoadBalancer services
+      enabled: true
+deployment:
+  replicas: 2
+
+ingressRoute:
+  dashboard:
+    enabled: true
+    # Optional: specify entrypoint
+    entrypoint: traefik
+
+api:
+  dashboard: true
+  debug: false
+
+service:
+  type: LoadBalancer
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.priority: "42"
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+# Configure entry points
+ports:
+  metrics:
+    expose:
+      default: true
+    observability:
+      accessLogs: true
+      metrics: true
+      tracing: true
+      traceVerbosity: detailed
+  web:
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+
+  websecure:
+    observability:
+      accessLogs: true
+      metrics: true
+      tracing: true