feat(k8s/amour): scrutiny

https://github.com/AnalogJ/scrutiny
uhthomas · Jan 20, 2024 · dd6a00e · dd6a00e
1 parent 83af633
commit dd6a00e
Show file tree

Hide file tree

Showing 24 changed files with 679 additions and 0 deletions.
diff --git a/cue.mod/gen/github.com/rook/rook/pkg/apis/ceph.rook.io/BUILD.bazel b/cue.mod/gen/github.com/rook/rook/pkg/apis/ceph.rook.io/BUILD.bazel
@@ -0,0 +1,8 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_cephrookio_library",
+    srcs = ["register_go_gen.cue"],
+    importpath = "github.com/rook/rook/pkg/apis/ceph.rook.io:cephrookio",
+    visibility = ["//visibility:public"],
+)
diff --git a/cue.mod/gen/time/BUILD.bazel b/cue.mod/gen/time/BUILD.bazel
@@ -0,0 +1,13 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_time_library",
+    srcs = [
+        "format_go_gen.cue",
+        "time_go_gen.cue",
+        "zoneinfo_go_gen.cue",
+        "zoneinfo_read_go_gen.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/cue.mod/gen/time",
+    visibility = ["//visibility:public"],
+)
diff --git a/k8s/amour/BUILD.bazel b/k8s/amour/BUILD.bazel
@@ -40,6 +40,7 @@ cue_export(
         "//k8s/amour/nvidia_device_plugin:cue_nvidia_device_plugin_library",
         "//k8s/amour/onepassword_connect:cue_onepassword_connect_library",
         "//k8s/amour/rook_ceph:cue_rook_ceph_library",
+        "//k8s/amour/scrutiny:cue_scrutiny_library",
         "//k8s/amour/smartctl_exporter:cue_smartctl_exporter_library",
         "//k8s/amour/snapshot_controller:cue_snapshot_controller_library",
         "//k8s/amour/tailscale:cue_tailscale_library",

diff --git a/k8s/amour/list.cue b/k8s/amour/list.cue
@@ -20,6 +20,7 @@ import (
 	"github.com/uhthomas/automata/k8s/amour/nvidia_device_plugin"
 	"github.com/uhthomas/automata/k8s/amour/onepassword_connect"
 	"github.com/uhthomas/automata/k8s/amour/rook_ceph"
+	"github.com/uhthomas/automata/k8s/amour/scrutiny"
 	"github.com/uhthomas/automata/k8s/amour/smartctl_exporter"
 	"github.com/uhthomas/automata/k8s/amour/snapshot_controller"
 	"github.com/uhthomas/automata/k8s/amour/tailscale"
@@ -71,6 +72,7 @@ _items: [
 	nvidia_device_plugin.#List.items,
 	onepassword_connect.#List.items,
 	rook_ceph.#List.items,
+	scrutiny.#List.items,
 	smartctl_exporter.#List.items,
 	snapshot_controller.#List.items,
 	tailscale.#List.items,

diff --git a/k8s/amour/scrutiny/BUILD.bazel b/k8s/amour/scrutiny/BUILD.bazel
@@ -0,0 +1,17 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_scrutiny_library",
+    srcs = [
+        "list.cue",
+        "namespace_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/amour/scrutiny",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+        "//k8s/amour/scrutiny/collector:cue_collector_library",
+        "//k8s/amour/scrutiny/influxdb:cue_influxdb_library",
+        "//k8s/amour/scrutiny/web:cue_web_library",
+    ],
+)
diff --git a/k8s/amour/scrutiny/README.md b/k8s/amour/scrutiny/README.md
@@ -0,0 +1,5 @@
+# scrutiny
+
+[https://github.com/AnalogJ/scrutiny](https://github.com/AnalogJ/scrutiny)
+
+Some inspiration from [this PR](https://github.com/AnalogJ/scrutiny/pull/363).
diff --git a/k8s/amour/scrutiny/collector/BUILD.bazel b/k8s/amour/scrutiny/collector/BUILD.bazel
@@ -0,0 +1,16 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_collector_library",
+    srcs = [
+        "daemon_set_list.cue",
+        "list.cue",
+        "service_account_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/amour/scrutiny/collector",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+    ],
+)
diff --git a/k8s/amour/scrutiny/collector/daemon_set_list.cue b/k8s/amour/scrutiny/collector/daemon_set_list.cue
@@ -0,0 +1,69 @@
+package collector
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/api/core/v1"
+)
+
+#DaemonSetList: appsv1.#DaemonSetList & {
+	apiVersion: "apps/v1"
+	kind:       "DaemonSetList"
+	items: [...{
+		apiVersion: "apps/v1"
+		kind:       "DaemonSet"
+	}]
+}
+
+#DaemonSetList: items: [{
+	spec: {
+		selector: matchLabels: "app.kubernetes.io/name": #Name
+		template: {
+			metadata: labels: "app.kubernetes.io/name": #Name
+			spec: {
+				volumes: [{
+					name: "udev"
+					hostPath: path: "/run/udev"
+				}]
+				containers: [{
+					name:  "collector"
+					image: "ghcr.io/analogj/scrutiny:v\(#Version)-collector"
+					env: [{
+						name:  "COLLECTOR_API_ENDPOINT"
+						value: "http://scrutiny-web"
+					}, {
+						name:  "COLLECTOR_RUN_STARTUP"
+						value: "true"
+					}]
+					resources: limits: {
+						(v1.#ResourceCPU):    "100m"
+						(v1.#ResourceMemory): "32Mi"
+					}
+					volumeMounts: [{
+						name:      "udev"
+						mountPath: "/run/udev"
+						readOnly:  true
+					}]
+					imagePullPolicy: v1.#PullIfNotPresent
+					securityContext: {
+						capabilities: {
+							add: ["SYS_ADMIN", "SYS_RAWIO"]
+							drop: ["ALL"]
+						}
+						privileged: true
+						// readOnlyRootFilesystem:   true
+						// allowPrivilegeEscalation: false
+					}
+
+				}]
+				serviceAccountName: #Name
+				// securityContext: {
+				// 	runAsUser:    1000
+				// 	runAsGroup:   3000
+				// 	runAsNonRoot: true
+				// 	fsGroup:      2000
+				// 	seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+				// }
+			}
+		}
+	}
+}]
diff --git a/k8s/amour/scrutiny/collector/list.cue b/k8s/amour/scrutiny/collector/list.cue
@@ -0,0 +1,32 @@
+package collector
+
+import (
+	"list"
+
+	"k8s.io/api/core/v1"
+)
+
+#Name:      "scrutiny-collector"
+#Namespace: "scrutiny"
+#Version:   "0.7.2"
+
+#List: v1.#List & {
+	apiVersion: "v1"
+	kind:       "List"
+	items: [...{
+		metadata: {
+			name: #Name
+			labels: {
+				"app.kubernetes.io/name":    #Name
+				"app.kubernetes.io/version": #Version
+			}
+		}
+	}]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+	#DaemonSetList.items,
+	#ServiceAccountList.items,
+]
diff --git a/k8s/amour/scrutiny/collector/service_account_list.cue b/k8s/amour/scrutiny/collector/service_account_list.cue
@@ -0,0 +1,14 @@
+package collector
+
+import "k8s.io/api/core/v1"
+
+#ServiceAccountList: v1.#ServiceAccountList & {
+	apiVersion: "v1"
+	kind:       "ServiceAccountList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "ServiceAccount"
+	}]
+}
+
+#ServiceAccountList: items: [{}]
diff --git a/k8s/amour/scrutiny/influxdb/BUILD.bazel b/k8s/amour/scrutiny/influxdb/BUILD.bazel
@@ -0,0 +1,18 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_influxdb_library",
+    srcs = [
+        "external_secret_list.cue",
+        "list.cue",
+        "service_list.cue",
+        "stateful_set_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/amour/scrutiny/influxdb",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1:cue_v1beta1_library",
+        "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+    ],
+)
diff --git a/k8s/amour/scrutiny/influxdb/README.md b/k8s/amour/scrutiny/influxdb/README.md
@@ -0,0 +1,5 @@
+# influxdb
+
+[https://github.com/influxdata/influxdb](https://github.com/influxdata/influxdb)
+
+Some inspiration from the [official Helm chart](https://github.com/influxdata/helm-charts/tree/5da1bad7153326bbd0ed09f1ecdcde519d2be07d/charts/influxdb2).
diff --git a/k8s/amour/scrutiny/influxdb/external_secret_list.cue b/k8s/amour/scrutiny/influxdb/external_secret_list.cue
@@ -0,0 +1,41 @@
+package influxdb
+
+import externalsecretsv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+
+#ExternalSecretList: externalsecretsv1beta1.#ExternalSecretList & {
+	apiVersion: "external-secrets.io/v1beta1"
+	kind:       "ExternalSecretList"
+	items: [...{
+		apiVersion: "external-secrets.io/v1beta1"
+		kind:       "ExternalSecret"
+	}]
+}
+
+#ExternalSecretList: items: [{
+	spec: {
+		secretStoreRef: {
+			name: "onepassword"
+			kind: "ClusterSecretStore"
+		}
+		target: template: metadata: {
+			annotations: {}
+			labels: {}
+		}
+		dataFrom: [{
+			extract: {
+				key:      "scrutiny-influxdb"
+				property: "username"
+			}
+		}, {
+			extract: {
+				key:      "scrutiny-influxdb"
+				property: "password"
+			}
+		}, {
+			extract: {
+				key:      "scrutiny-influxdb"
+				property: "token"
+			}
+		}]
+	}
+}]
diff --git a/k8s/amour/scrutiny/influxdb/list.cue b/k8s/amour/scrutiny/influxdb/list.cue
@@ -0,0 +1,33 @@
+package influxdb
+
+import (
+	"list"
+
+	"k8s.io/api/core/v1"
+)
+
+#Name:      "scrutiny-influxdb"
+#Namespace: "scrutiny"
+#Version:   "2.7.4"
+
+#List: v1.#List & {
+	apiVersion: "v1"
+	kind:       "List"
+	items: [...{
+		metadata: {
+			name: #Name
+			labels: {
+				"app.kubernetes.io/name":    #Name
+				"app.kubernetes.io/version": #Version
+			}
+		}
+	}]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+	#ExternalSecretList.items,
+	#ServiceList.items,
+	#StatefulSetList.items,
+]
diff --git a/k8s/amour/scrutiny/influxdb/service_list.cue b/k8s/amour/scrutiny/influxdb/service_list.cue
@@ -0,0 +1,23 @@
+package influxdb
+
+import "k8s.io/api/core/v1"
+
+#ServiceList: v1.#ServiceList & {
+	apiVersion: "v1"
+	kind:       "ServiceList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "Service"
+	}]
+}
+
+#ServiceList: items: [{
+	spec: {
+		ports: [{
+			name:       "http"
+			port:       8086
+			targetPort: "http"
+		}]
+		selector: "app.kubernetes.io/name": #Name
+	}
+}]