Merge pull request #4615 from tyriis/feature/blackbox-exporter

feat(blackbox-exporter): setup

kubernetes/talos-flux/apps/atlantis/tyriis/terraform-github/external-secret.yaml

@@ -0,0 +1,51 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name atlantis-age-keys
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: *name
+    creationPolicy: Owner
+  data:
+    - secretKey: terraform-gcloud.txt
+      remoteRef:
+        key: infra/techtales/terraform-gcloud
+        property: age
+    - secretKey: terraform-github.txt
+      remoteRef:
+        key: infra/techtales/terraform-github
+        property: age
+    - secretKey: terraform-gworkspace.txt
+      remoteRef:
+        key: infra/techtales/terraform-gworkspace
+        property: age
+    - secretKey: terraform-vault.txt
+      remoteRef:
+        key: infra/techtales/terraform-vault
+        property: age
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name atlantis-github-token
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: *name
+    creationPolicy: Owner
+  data:
+    - secretKey: GITHUB_TOKEN
+      remoteRef:
+        key: infra/techtales/github-automation
+        property: GITHUB_TOKEN

kubernetes/talos-flux/apps/observability/blackbox-exporter/app/helm-release.yaml

@@ -0,0 +1,129 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app blackbox-exporter
+spec:
+  interval: 30m
+  driftDetection:
+    mode: enabled
+  chart:
+    spec:
+      chart: prometheus-blackbox-exporter
+      version: 9.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    fullnameOverride: blackbox-exporter
+
+    image:
+      registry: quay.io
+
+    podSecurityContext:
+      sysctls:
+        - name: net.ipv4.ping_group_range
+          value: "0 2147483647"
+
+    config:
+      modules:
+        http_2xx:
+          prober: http
+          timeout: 5s
+          http:
+            valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+            follow_redirects: true
+            preferred_ip_protocol: "ip4"
+        icmp:
+          prober: icmp
+          timeout: 30s
+          icmp:
+            preferred_ip_protocol: "ip4"
+
+    ingress:
+      enabled: true
+      className: traefik
+      annotations:
+        kubernetes.io/tls-acme: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-production
+        traefik.ingress.kubernetes.io/router.middlewares: traefik-ingress-sso@kubernetescrd
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/affinity: "true"
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: &host blackbox-exporter.techtales.io
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+          secretName: blackbox-exporter-tls
+
+    prometheusRule:
+      enabled: true
+      rules:
+        - alert: BlackboxSslCertificateWillExpireSoon
+          expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 7
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            summary: |-
+              The SSL certificate for {{ $labels.target }} will expire in less than 7 days
+        - alert: BlackboxSslCertificateExpired
+          expr: probe_ssl_earliest_cert_expiry - time() <= 0
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            summary: |-
+              The SSL certificate for {{ $labels.target }} has expired
+        - alert: BlackboxProbeFailed
+          expr: probe_success == 0
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            summary: |-
+              The host {{ $labels.instance }} is currently unreachable
+
+    pspEnabled: false
+
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        add: ["NET_RAW"]
+
+    serviceMonitor:
+      enabled: true
+      defaults:
+        labels:
+          release: prometheus
+        interval: 1m
+        scrapeTimeout: 30s
+      targets:
+        # Vacuum robot downstairs
+        - module: icmp
+          name: roborock-vacuum-a135-icmp
+          url: roborock-vacuum-a135.home
+
+        # Vacuum robot basement
+        - module: icmp
+          name: neato-basement-icmp
+          url: neato-basement.home
+
+        - module: icmp
+          name: ping-cloudflare
+          url: 1.1.1.1
+          scrape_interval: 30s

kubernetes/talos-flux/apps/observability/blackbox-exporter/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml

kubernetes/talos-flux/apps/observability/blackbox-exporter/flux-sync.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &appname blackbox-exporter
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  targetNamespace: observability
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *appname
+  path: ./kubernetes/talos-flux/apps/observability/blackbox-exporter/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/talos-flux/apps/observability/kustomization.yaml

@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - ./namespace.yaml
   - ./alertmanager-discord/flux-sync.yaml
+  - ./blackbox-exporter/flux-sync.yaml
   - ./botkube/flux-sync.yaml
   - ./grafana/flux-sync.yaml
   - ./kromgo/flux-sync.yaml