KubeArchive: install on stone-prd-rh01

argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml

@@ -30,8 +30,8 @@ spec:
                 - nameNormalized: pentest-p01
                   values.clusterDir: pentest-p01
                 # Public
-                # - nameNormalized: stone-prd-rh01
-                #   values.clusterDir: stone-prd-rh01
+                - nameNormalized: stone-prd-rh01
+                  values.clusterDir: stone-prd-rh01
                 # - nameNormalized: kflux-prd-rh02
                 #   values.clusterDir: kflux-prd-rh02
                 - nameNormalized: kflux-prd-rh03

argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-log-collector.yaml

@@ -32,8 +32,8 @@ spec:
                 # - nameNormalized: pentest-p01
                 #   values.clusterDir: pentest-p01
                 # Public
-                # - nameNormalized: stone-prd-rh01
-                #   values.clusterDir: stone-prd-rh01
+                - nameNormalized: stone-prd-rh01
+                  values.clusterDir: stone-prd-rh01
                 - nameNormalized: kflux-rhel-p01
                   values.clusterDir: kflux-rhel-p01
                 - nameNormalized: kflux-prd-rh03

components/konflux-ui/production/stone-prd-rh01/kustomization.yaml

@@ -9,10 +9,6 @@ configMapGenerator:
   - name: dex
     files:
       - dex-config.yaml
-  - name: proxy-nginx-static
-    files:
-      - kubearchive.conf
-    behavior: merge
 
 patches:
   - path: add-service-certs-patch.yaml

components/kubearchive/production/stone-prd-rh01/external-secret.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kubearchive-logging
+  namespace: product-kubearchive
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  dataFrom:
+    - extract:
+        key: production/kubearchive/logging
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: kubearchive-logging
+    template:
+      metadata:
+        annotations:
+          argocd.argoproj.io/sync-options: Prune=false
+          argocd.argoproj.io/compare-options: IgnoreExtraneous

components/kubearchive/production/stone-prd-rh01/kustomization.yaml

@@ -4,19 +4,47 @@ kind: Kustomization
 resources:
   - ../../base
   - ../base
-  - https://github.com/kubearchive/kubearchive/releases/download/v1.0.1/kubearchive.yaml?timeout=90
+  - external-secret.yaml
+  - https://github.com/kubearchive/kubearchive/releases/download/v1.7.0/kubearchive.yaml?timeout=90
 
 namespace: product-kubearchive
 
+# Generate kubearchive-logging ConfigMap with hash for automatic restarts
+# Due to quoting limitations of generators we need to introduce the values with the |
+# See https://github.com/kubernetes-sigs/kustomize/issues/4845#issuecomment-1671570428
+configMapGenerator:
+    - name: kubearchive-logging
+      literals:
+          - |
+              POD_ID=cel:metadata.uid
+          - |
+              NAMESPACE=cel:metadata.namespace
+          - |
+              START=cel:status.?startTime == optional.none() ? int(now()-duration('1h'))*1000000000: status.startTime
+          - |
+              END=cel:status.?startTime == optional.none() ? int(now()+duration('1h'))*1000000000: int(timestamp(status.startTime)+duration('6h'))*1000000000
+          - |
+              LOG_URL=http://loki-gateway.product-kubearchive-logging.svc.cluster.local:80/loki/api/v1/query_range?query=%7Bstream%3D%22{NAMESPACE}%22%7D%20%7C%20pod_id%20%3D%20%60{POD_ID}%60%20%7C%20container%20%3D%20%60{CONTAINER_NAME}%60&start={START}&end={END}&direction=forward
+          - |
+              LOG_URL_JSONPATH=$.data.result[*].values[*][1]
+
 patches:
-  # We don't need the Secret as it will be created by the ExternalSecrets Operator
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: kubearchive-logging
+        namespace: kubearchive
+
   - patch: |-
       $patch: delete
       apiVersion: v1
       kind: Secret
       metadata:
-        name: kubearchive-database-credentials
+        name: kubearchive-logging
         namespace: kubearchive
+
   - patch: |-
       apiVersion: batch/v1
       kind: Job
@@ -29,7 +57,15 @@ patches:
               - name: migration
                 env:
                   - name: KUBEARCHIVE_VERSION
-                    value: v1.0.1
+                    value: v1.7.0
+  # We don't need the Secret as it will be created by the ExternalSecrets Operator
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: kubearchive-database-credentials
+        namespace: kubearchive
   - patch: |-
       apiVersion: external-secrets.io/v1beta1
       kind: ExternalSecret
@@ -88,6 +124,8 @@ patches:
                   value: enabled
                 - name: OTEL_EXPORTER_OTLP_ENDPOINT
                   value: http://otel-collector:4318
+                - name: AUTH_IMPERSONATE
+                  value: "true"
                 securityContext:
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
@@ -102,6 +140,7 @@ patches:
           spec:
             containers:
               - name: manager
+                args: [--health-probe-bind-address=:8081]
                 env:
                 - name: KUBEARCHIVE_OTEL_MODE
                   value: enabled
@@ -114,11 +153,11 @@ patches:
                   - containerPort: 8081
                 resources:
                   limits:
-                    cpu: 500m
-                    memory: 256Mi
+                    cpu: 100m
+                    memory: 512Mi
                   requests:
-                    cpu: 10m
-                    memory: 256Mi
+                    cpu: 100m
+                    memory: 512Mi
 
   - patch: |-
       apiVersion: apps/v1

components/policies/production/stone-prd-rh01/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ../base
 - ../policies/kueue/
+- ../policies/kubearchive/

components/vector-kubearchive-log-collector/production/stone-prd-rh01/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+  ignore-check.kube-linter.io/drop-net-raw-capability: |
+    "Vector runs requires access to socket."
+  ignore-check.kube-linter.io/run-as-non-root: |
+    "Vector runs as Root and attach host Path."
+  ignore-check.kube-linter.io/sensitive-host-mounts: |
+    "Vector runs requires certain host mounts to watch files being created by pods."
+  ignore-check.kube-linter.io/pdb-unhealthy-pod-eviction-policy: |
+    "Managed by upstream Loki chart (no value exposed for unhealthyPodEvictionPolicy)."
+
+resources:
+- ../base
+
+generators:
+- vector-helm-generator.yaml
+- loki-helm-generator.yaml

components/vector-kubearchive-log-collector/production/stone-prd-rh01/loki-helm-generator.yaml

@@ -0,0 +1,27 @@
+apiVersion: builtin
+kind: HelmChartInflationGenerator
+metadata:
+  name: loki
+name: loki
+repo: https://grafana.github.io/helm-charts
+version: 6.30.1
+releaseName: loki
+namespace: product-kubearchive-logging
+valuesFile: loki-helm-values.yaml
+additionalValuesFiles:
+  - loki-helm-prod-values.yaml
+valuesInline:
+  # Cluster-specific overrides
+  serviceAccount:
+    create: true
+    name: loki-sa
+    annotations:
+      eks.amazonaws.com/role-arn: "arn:aws:iam::520050076864:role/stone-prd-rh01-loki-storage-role"
+  loki:
+    storage:
+      bucketNames:
+        chunks: stone-prd-rh01-loki-storage
+        admin: stone-prd-rh01-loki-storage
+    storage_config:
+      aws:
+        bucketnames: stone-prd-rh01-loki-storage