From a9253cfd7d129e14d869038638c4147a4348bcf9 Mon Sep 17 00:00:00 2001
From: Jean-Francois Roy
Date: Sun, 29 Dec 2024 11:05:35 -0800
Subject: [PATCH] feat(blackbox-exporter): deploy
---
 .../policyexception/blackbox-exporter.yaml | 18 ++++
 .../app/policyexception/kustomization.yaml | 1 +
 .../blackbox-exporter/app/helmrelease.yaml | 88 +++++++++++++++++++
 .../blackbox-exporter/app/kustomization.yaml | 6 ++
 .../observability/blackbox-exporter/ks.yaml | 19 ++++
 .../apps/observability/kustomization.yaml | 1 +
 .../oci/prometheus-community.yaml | 14 +++
 7 files changed, 147 insertions(+)
 create mode 100644 kubernetes/apps/kyverno/kyverno-policies/app/policyexception/blackbox-exporter.yaml
 create mode 100644 kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml
 create mode 100644 kubernetes/apps/observability/blackbox-exporter/ks.yaml
diff --git a/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/blackbox-exporter.yaml b/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/blackbox-exporter.yaml
new file mode 100644
index 000000000..c9e633ee7
--- /dev/null
+++ b/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/blackbox-exporter.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+ name: blackbox-exporter
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: psa-baseline
+ ruleNames:
+ - baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ names:
+ - blackbox-exporter*
diff --git a/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/kustomization.yaml b/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/kustomization.yaml
index b18ac116a..a27c93f0b 100644
--- a/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kyverno-policies/app/policyexception/kustomization.yaml
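Review bot: The `match` block of the new PolicyException selects Pods and Deployments by name only (`blackbox-exporter*`) and sets no namespace, so as written any workload in any namespace whose name starts with that prefix is exempt from the `baseline` rule of `psa-baseline`. Scope it to where the exporter is deployed by adding `namespaces:` with `- observability` under `resources`, next to `kinds` and `names`. The exception also waives the whole rule although the release only adds one capability; if the installed Kyverno version supports `podSecurity` in a PolicyException, limiting the exemption to the `Capabilities` control would keep the remaining baseline checks in force for this workload.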
@@ -3,4 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - blackbox-exporter.yaml
 - buildkit.yaml
diff --git a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml
new file mode 100644
index 000000000..aab523ac6
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml
@@ -0,0 +1,88 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: blackbox-exporter
+spec:
+ interval: 30m
+ chartRef:
+ kind: OCIRepository
+ name: blackbox-exporter
+ namespace: flux-system
+ driftDetection:
+ mode: enabled
+ install:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ upgrade:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ values:
+ fullnameOverride: blackbox-exporter
+ securityContext:
+ capabilities:
+ add: ["NET_RAW"]
+ config:
+ modules:
+ http_2xx:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+ follow_redirects: true
+ http_2xx_ipv4:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+ follow_redirects: true
+ preferred_ip_protocol: ipv4
+ ip_protocol_fallback: false
+ http_2xx_ipv6:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+ follow_redirects: true
+ preferred_ip_protocol: ipv6
+ ip_protocol_fallback: false
+ serviceMonitor:
+ selfMonitor:
+ enabled: true
+ enabled: true
+ defaults:
+ interval: 1m
+ scrapeTimeout: 10s
+ targets:
+ - name: cloudflare-ipv4
+ url: https://cloudflare.com
+ module: http_2xx_ipv4
+ - name: cloudflare-ipv6
+ url: https://cloudflare.com
+ module: http_2xx_ipv6
+ - name: google-ipv4
+ url: https://google.com
+ module: http_2xx_ipv4
+ - name: google-ipv6
+ url: https://google.com
+ module: http_2xx_ipv6
+ - name: github-ipv4
+ url: https://github.com
+ module: http_2xx_ipv4
+ - name: github-ipv6
+ url: https://github.com
+ module: http_2xx_ipv6
+ prometheusRule:
+ enabled: true
+ rules:
+ - alert: BlackboxProbeFailed
+ expr: probe_success == 0
+ for: 15m
+ labels:
+ severity: critical
+ annotations:
+ summary: |-
+ The host {{ $labels.target }} is currently unreachable
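Review bot: `securityContext.capabilities.add: ["NET_RAW"]` grants the container raw-socket access, but all three modules under `config.modules` use `prober: http`, and in blackbox_exporter only the ICMP prober needs raw sockets. Unless an ICMP module is planned, drop the `capabilities` override under `securityContext`; the pod would then presumably satisfy the baseline profile, and the `blackbox-exporter` PolicyException added in this same commit would no longer be needed. If ICMP probing is intended later, a comment above the line such as `# NET_RAW is required by the icmp prober` would record why the exemption exists.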
diff --git a/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml
new file mode 100644
index 000000000..904bfa249
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease.yaml
diff --git a/kubernetes/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/apps/observability/blackbox-exporter/ks.yaml
new file mode 100644
index 000000000..3038e391f
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/ks.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app blackbox-exporter
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/observability/blackbox-exporter/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml
index ff22f65d7..a14055d33 100644
--- a/kubernetes/apps/observability/kustomization.yaml
+++ b/kubernetes/apps/observability/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - ./namespace.yaml
 # --
 - ./alloy/ks.yaml
+ - ./blackbox-exporter/ks.yaml
 - ./exportarr/ks.yaml
 - ./gatus/ks.yaml
 - ./grafana/ks.yaml
diff --git a/kubernetes/flux/repositories/oci/prometheus-community.yaml b/kubernetes/flux/repositories/oci/prometheus-community.yaml
index 02e6765d5..d427a8def 100644
--- a/kubernetes/flux/repositories/oci/prometheus-community.yaml
+++ b/kubernetes/flux/repositories/oci/prometheus-community.yaml
@@ -15,6 +15,20 @@ spec:
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
+metadata:
+ name: blackbox-exporter
+ namespace: flux-system
+spec:
+ interval: 2h
+ layerSelector:
+ mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+ operation: copy
+ url: oci://ghcr.io/prometheus-community/charts/prometheus-blackbox-exporter
+ ref:
+ semver: 9.1.0
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
 metadata:
 name: kube-state-metrics
 namespace: flux-system
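Review bot: The new `blackbox-exporter` OCIRepository selects the chart by tag only (`semver: 9.1.0`), and an OCI tag can be re-pushed, so what Flux pulls on each `2h` interval is not bound to the content that was reviewed. Pin the artifact by adding `digest: sha256:<chart-digest>` under `ref` (placeholder; take the value from the registry), or add a `verify:` block with `provider: cosign` if the upstream chart is signed, which this page does not confirm. The `kube-state-metrics` entry that follows continues outside the hunk, so whether it has the same gap cannot be checked from here.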