Merge branch 'feature/storage-cluster' into feat/mcm-migration

Author: kirgene

gitops/applications/base/monitoring/values-kube-prometheus.yaml

@@ -7,7 +7,7 @@ prometheusOperator:
   resources:
     limits:
       cpu: 200m
-      memory: 200Mi
+      memory: 256Mi
     requests:
       cpu: 100m
       memory: 128Mi

gitops/applications/overlays/cloud_provider/private-cloud/storage-provider/monitoring/values-kube-prometheus.yaml

@@ -7,7 +7,7 @@ prometheusOperator:
   resources:
     limits:
       cpu: 200m
-      memory: 200Mi
+      memory: 256Mi
     requests:
       cpu: 100m
       memory: 128Mi

terraform/ccnew/ansible-k8s-deploy/terragrunt.hcl

@@ -52,7 +52,7 @@ dependency "k8s_deploy" {
     private_dns_zone_id = "null"
   }
   mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"]
-  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs_merge_strategy_with_state  = "deep_map_only"
 }
 
 inputs = {

terraform/ccnew/default-config/private-cloud-vars.yaml

@@ -1,5 +1,6 @@
 external_load_balancer_dns: publicip
 wireguard_port: 31821
+wireguard_health_port: 31822
 dns_provider: aws
 create_ext_dns_user: true
 create_iam_user: true

terraform/gitops/generate-files/templates/mcm/agent.yaml.tpl

@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: mcm
+      app.kubernetes.io/name: vault-agent
+  template:
+    metadata:
+      name: vault-agent
+      labels:
+        app.kubernetes.io/instance: mcm
+        app.kubernetes.io/name: vault-agent
+    spec:
+      restartPolicy: Always
+      serviceAccountName: ${mcm_service_account_name}
+      volumes:
+        - name: mcm-secret-volume
+          secret:
+            secretName: mcm-secret
+            defaultMode: 420
+        - name: tls-configmap
+          configMap:
+            name: mcm-connection-manager-api-tls-configmap
+            items:
+              - key: tlsClientCSRParameters.json
+                path: tlsClientCSRParameters.json
+              - key: tlsServerCSRParameters.json
+                path: tlsServerCSRParameters.json
+              - key: caCSRParameters.json
+                path: caCSRParameters.json
+            defaultMode: 420
+        - name: home-init
+          emptyDir:
+            medium: Memory
+        - name: home-sidecar
+          emptyDir:
+            medium: Memory
+        - name: vault-secrets
+          emptyDir:
+            medium: Memory
+        - name: vault-config
+          configMap:
+            name: vault-agent
+            defaultMode: 420
+      initContainers:
+        - name: vault-agent-init
+          image: ghcr.io/mojaloop/vault-agent-util:0.0.2
+          command:
+            - /bin/sh
+            - '-ec'
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config-init.hcl
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.hostIP
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+            - name: VAULT_LOG_LEVEL
+              value: debug
+            - name: VAULT_LOG_FORMAT
+              value: standard
+            - name: VAULT_ADDR
+              value: http://vault.vault.svc:8200
+            - name: VAULT_SKIP_VERIFY
+              value: 'false'
+          resources:
+            limits:
+              cpu: 500m
+            requests:
+              cpu: 250m
+              memory: 64Mi
+          volumeMounts:
+            - name: home-init
+              mountPath: /home/vault
+            - name: vault-secrets
+              mountPath: /vault/secrets
+            - name: vault-config
+              readOnly: true
+              mountPath: /vault/configs
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsUser: 100
+            runAsGroup: 1000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+      containers:
+        - name: vault-agent
+          image: ghcr.io/mojaloop/vault-agent-util:0.0.2
+          command:
+            - /bin/sh
+            - '-ec'
+          args:
+            - touch /home/vault/.vault-token && vault agent -config=/vault/configs/config.hcl
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.hostIP
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+            - name: VAULT_LOG_LEVEL
+              value: debug
+            - name: VAULT_LOG_FORMAT
+              value: standard
+            - name: VAULT_ADDR
+              value: http://vault.vault.svc:8200
+            - name: VAULT_SKIP_VERIFY
+              value: 'false'
+          resources:
+            limits:
+              cpu: 500m
+            requests:
+              cpu: 250m
+              memory: 64Mi
+          volumeMounts:
+            - name: home-sidecar
+              mountPath: /home/vault
+            - name: vault-secrets
+              mountPath: /vault/secrets
+            - name: vault-config
+              readOnly: true
+              mountPath: /vault/configs
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsUser: 100
+            runAsGroup: 1000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false

terraform/gitops/generate-files/templates/mcm/kustomization.yaml.tpl

@@ -12,6 +12,7 @@ resources:
   - istio-gateway.yaml
 # %{ endif }
   - service-monitors.yaml
+  - agent.yaml
 configMapGenerator:
   - name: vault-agent
     files:

terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl

@@ -1 +1,7 @@
----
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi

terraform/gitops/generate-files/templates/monitoring/install/values-loki-official-helm.yaml.tpl

@@ -317,6 +317,13 @@ gateway:
   enabled: true
   replicas: 1
   verboseLogging: true
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      cpu: 200m
+      memory: 256Mi
   service:
     type: ClusterIP
     port: 80
@@ -341,6 +348,13 @@ indexGateway:
         name: ${object_store_loki_credentials_secret_name}
   extraArgs:
     - -config.expand-env=true
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
   persistence:
     enabled: true
     size: 10Gi
@@ -362,6 +376,13 @@ chunksCache:
   replicas: 1
   allocatedMemory: 1400
   maxItemMemory: 5
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 500m
+      memory: 2Gi
   nodeSelector:
     workload-class.mojaloop.io/MONITORING: "enabled"
 %{if length(tolerations) > 0 ~}
@@ -379,6 +400,13 @@ resultsCache:
   enabled: true
   replicas: 1
   allocatedMemory: 1024
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 200m
+      memory: 1Gi
   nodeSelector:
     workload-class.mojaloop.io/MONITORING: "enabled"
 %{if length(tolerations) > 0 ~}
@@ -404,6 +432,13 @@ monitoring:
 #Loki Canary
 lokiCanary:
   enabled: true
+  resources:
+    requests:
+      cpu: 25m
+      memory: 32Mi
+    limits:
+      cpu: 100m
+      memory: 128Mi
   nodeSelector:
     workload-class.mojaloop.io/MONITORING: "enabled"
 %{if length(tolerations) > 0 ~}
@@ -421,4 +456,4 @@ backend:
 read:
   replicas: 0
 write:
-  replicas: 0
+  replicas: 0

terraform/gitops/generate-files/templates/monitoring/install/values-metrics-server.yaml.tpl

@@ -1,4 +1,11 @@
 replicas: ${metrics_server_replicas}
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 200m
+    memory: 512Mi
 defaultArgs:
   - --cert-dir=/tmp
   - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
@@ -14,4 +21,4 @@ tolerations:
     operator: "${t.operator}"
     value: "${t.value}"
 %{ endfor ~}
-%{ endif ~}
+%{ endif ~}

terraform/gitops/generate-files/templates/monitoring/install/values-opentelemetry-operator.yaml.tpl

@@ -1,6 +1,13 @@
 manager:
   collectorImage:
     repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-k8s
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 100m
+      memory: 256Mi
 %{if length(tolerations) > 0 ~}
 tolerations:
 %{ for t in tolerations ~}
@@ -9,4 +16,4 @@ tolerations:
     operator: "${t.operator}"
     value: "${t.value}"
 %{ endfor ~}
-%{ endif ~}
+%{ endif ~}