rackerlabs · devx · Dec 29, 2025 · Nov 17, 2025 · Dec 19, 2025 · Dec 29, 2025
diff --git a/applications/base/services/observability/mimir/README.md b/applications/base/services/observability/mimir/README.md
@@ -0,0 +1,13 @@
+# Mimir – Base Configuration
+
+This directory contains the **base manifests** for deploying [Grafana Mimir](https://grafana.com/oss/mimir/), a horizontally-scalable, highly-available metrics storage system designed for cloud-native environments.  
+It is designed to be **consumed by cluster repositories** as a remote base, allowing each cluster to apply **custom overrides** as needed.
+
+**About Grafana Mimir:**
+
+- Provides a **centralized, multi-tenant metrics backend** fully compatible with Prometheus and PromQL.
+- Designed for **high ingestion throughput** and **large-scale time-series storage** across multiple Kubernetes clusters.
+- Stores long-term metrics in **object storage**, enabling **cost-efficient retention** and improved durability.
+- Separates **read and write paths** to enable independent scaling for heavy queries or high ingestion workloads.
+- Uses advanced **caching**, **sharding**, and **compaction** for efficient querying and optimized storage layout.
+- Integrates natively with **Grafana** for unified visualization alongside logs and traces.
diff --git a/applications/base/services/observability/mimir/helm-values/hardened-values-6.0.3.yaml b/applications/base/services/observability/mimir/helm-values/hardened-values-6.0.3.yaml
diff --git a/applications/base/services/observability/mimir/helmrelease.yaml b/applications/base/services/observability/mimir/helmrelease.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mimir
+  namespace: observability
+spec:
+  interval: 5m
+  timeout: 10m
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  upgrade:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  targetNamespace: observability
+  chart:
+    spec:
+      chart: mimir-distributed
+      version: 6.0.3
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+        namespace: observability
+  valuesFrom:
+    - kind: Secret
+      name: mimir-values-base
+      valuesKey: hardened.yaml
+    - kind: Secret
+      name: mimir-values-override
+      valuesKey: override.yaml
+      optional: true
diff --git a/applications/base/services/observability/mimir/kustomization.yaml b/applications/base/services/observability/mimir/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "../sources/grafana.yaml"
+  - "helmrelease.yaml"
+secretGenerator:
+  - name: mimir-values-base
+    namespace: observability
+    type: Opaque
+    files:
+      - hardened.yaml=helm-values/hardened-values-6.0.3.yaml
+    options:
+      disableNameSuffixHash: true
diff --git a/applications/base/services/strimzi-kafka-operator/README.md b/applications/base/services/strimzi-kafka-operator/README.md
@@ -0,0 +1,18 @@
+# Strimzi Kafka Operator – Base Configuration
+
+This directory contains the **base manifests** for deploying the
+[Strimzi Kafka Operator](https://github.com/strimzi/strimzi-kafka-operator)
+to run Apache Kafka on Kubernetes using a Kubernetes-native, operator-driven workflow.
+
+It is intended to be consumed by **cluster repositories** as a remote base,
+with the option to provide cluster-specific overrides such as storage classes,
+node placement, resource sizing, and exposure methods.
+
+## About Strimzi Kafka Operator
+
+- Provides a Kubernetes operator to deploy and manage **Apache Kafka** and its related components using Custom Resource Definitions (CRDs).
+- Manages Kafka lifecycle operations including **scaling, rolling upgrades, configuration changes, and automated reconciliation**.
+- Supports Kafka deployment using Kubernetes-native constructs such as **StatefulSets**, Services, and PodDisruptionBudgets.
+- Enables secure Kafka clusters with built-in support for **TLS encryption**, authentication (TLS, SCRAM), and authorization patterns.
+- Allows Kafka operational resources (topics, users, quotas) to be managed declaratively via **KafkaTopic** and **KafkaUser** CRDs.
+- Commonly used to operate **production-grade Kafka on Kubernetes** with consistent configuration and standardized operational practices across environments.
diff --git a/applications/base/services/strimzi-kafka-operator/helm-values/hardened-values-0.49.1.yaml b/applications/base/services/strimzi-kafka-operator/helm-values/hardened-values-0.49.1.yaml
@@ -0,0 +1,190 @@
+# Default values for strimzi-kafka-operator.
+
+# Default replicas for the cluster operator
+replicas: 2
+
+# If you set `watchNamespaces` to the same value as ``.Release.Namespace` (e.g. `helm ... --namespace $NAMESPACE`),
+# the chart will fail because duplicate RoleBindings will be attempted to be created in the same namespace
+watchNamespaces: []
+watchAnyNamespace: false
+
+defaultImageRegistry: quay.io
+defaultImageRepository: strimzi
+defaultImageTag: 0.49.1
+
+image:
+  registry: ""
+  repository: ""
+  name: operator
+  tag: ""
+  # imagePullSecrets:
+  #   - name: secretname
+logVolume: co-config-volume
+logConfigMap: strimzi-cluster-operator
+logConfiguration: ""
+logLevel: ${env:STRIMZI_LOG_LEVEL:-INFO}
+fullReconciliationIntervalMs: 120000
+operationTimeoutMs: 300000
+kubernetesServiceDnsDomain: cluster.local
+featureGates: ""
+tmpDirSizeLimit: 1Mi
+
+# Example on how to configure extraEnvs
+# extraEnvs:
+#   - name: JAVA_OPTS
+#     value: "-Xms256m -Xmx256m"
+
+extraEnvs: []
+
+tolerations: []
+affinity: {}
+annotations: {}
+labels: {}
+nodeSelector: {}
+deploymentAnnotations: {}
+deploymentStrategy: {}
+priorityClassName: ""
+
+podSecurityContext: {}
+securityContext: {}
+rbac:
+  create: yes
+serviceAccountCreate: yes
+serviceAccount: strimzi-cluster-operator
+
+leaderElection:
+  enable: true
+
+# https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+podDisruptionBudget:
+  enabled: true
+  # The PDB definition three attributes to control the availability requirements:
+  # minAvailable or maxUnavailable (mutually exclusive).
+  # unhealthyPodEvictionPolicy
+  #
+  # Field maxUnavailable tells how many pods can be down and minAvailable tells how many pods must be running in a cluster.
+
+  # The pdb template will check values according to below order
+  #
+  #  {{- if .Values.podDisruptionBudget.minAvailable }}
+  #     minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  #  {{- end  }}
+  #  {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  #     maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  #  {{- end }}
+  #
+  # If both values are set, the template will use the first one and ignore the second one. currently by default minAvailable is set to 1
+  minAvailable: 1
+  maxUnavailable:
+  unhealthyPodEvictionPolicy: IfHealthyBudget
+
+# If you are using the grafana dashboard sidecar,
+# you can import some default dashboards here
+dashboards:
+  enabled: true
+  namespace: ~
+  label: grafana_dashboard # this is the default value from the grafana chart
+  labelValue: "1" # this is the default value from the grafana chart
+  annotations: {}
+  extraLabels: {}
+
+# Docker images that operator uses to provision various components of Strimzi.
+# To use your own registry or repository, define them for each component below or generally via defaultImageRegistry and defaultImageRepository above
+kafka:
+  image:
+    registry: ""
+    repository: ""
+    name: kafka
+    tagPrefix: ""
+kafkaConnect:
+  image:
+    registry: ""
+    repository: ""
+    name: kafka
+    tagPrefix: ""
+topicOperator:
+  image:
+    registry: ""
+    repository: ""
+    name: operator
+    tag: ""
+userOperator:
+  image:
+    registry:
+    repository:
+    name: operator
+    tag: ""
+kafkaInit:
+  image:
+    registry: ""
+    repository: ""
+    name: operator
+    tag: ""
+kafkaBridge:
+  image:
+    registry: ""
+    repository:
+    name: kafka-bridge
+    tag: 0.33.1
+kafkaExporter:
+  image:
+    registry: ""
+    repository: ""
+    name: kafka
+    tagPrefix: ""
+kafkaMirrorMaker2:
+  image:
+    registry: ""
+    repository: ""
+    name: kafka
+    tagPrefix: ""
+cruiseControl:
+  image:
+    registry: ""
+    repository: ""
+    name: kafka
+    tagPrefix: ""
+kanikoExecutor:
+  image:
+    registry: ""
+    repository: ""
+    name: kaniko-executor
+    tag: ""
+buildah:
+  image:
+    registry: ""
+    repository: ""
+    name: buildah
+    tag: ""
+mavenBuilder:
+  image:
+    registry: ""
+    repository: ""
+    name: maven-builder
+    tag: ""
+resources:
+  limits:
+    memory: 384Mi
+    cpu: 1000m
+  requests:
+    memory: 384Mi
+    cpu: 200m
+livenessProbe:
+  initialDelaySeconds: 10
+  periodSeconds: 30
+readinessProbe:
+  initialDelaySeconds: 10
+  periodSeconds: 30
+
+createGlobalResources: true
+# Create clusterroles that extend existing clusterroles to interact with strimzi crds
+# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: false
+# Override the exclude pattern for exclude some labels
+labelsExclusionPattern: ""
+# Controls whether Strimzi generates network policy resources (By default true)
+generateNetworkPolicy: true
+# Override the value for Connect build timeout
+connectBuildTimeoutMs: 300000
+# Controls whether Strimzi generates pod disruption budget resources (By default true)
+generatePodDisruptionBudget: true
diff --git a/applications/base/services/strimzi-kafka-operator/helmrelease.yaml b/applications/base/services/strimzi-kafka-operator/helmrelease.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: strimzi-kafka-operator
+  namespace: kafka-system
+spec:
+  releaseName: strimzi-kafka-operator
+  interval: 5m
+  timeout: 10m
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  upgrade:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  targetNamespace: kafka-system
+  chart:
+    spec:
+      chart: strimzi-kafka-operator
+      version: 0.49.1
+      sourceRef:
+        kind: HelmRepository
+        name: strimzi-kafka-operator
+        namespace: kafka-system
+  valuesFrom:
+    - kind: Secret
+      name: kafka-api-values-base
+      valuesKey: hardened.yaml
+    - kind: Secret
+      name: kafka-api-values-override
+      valuesKey: override.yaml
+      optional: true
diff --git a/applications/base/services/strimzi-kafka-operator/kustomization.yaml b/applications/base/services/strimzi-kafka-operator/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "namespace.yaml"
+  - "source.yaml"
+  - "helmrelease.yaml"
+secretGenerator:
+  - name: kafka-api-values-base
+    namespace: kafka-system
+    type: Opaque
+    files:
+      - hardened.yaml=helm-values/hardened-values-0.49.1.yaml
+    options:
+      disableNameSuffixHash: true
diff --git a/applications/base/services/strimzi-kafka-operator/namespace.yaml b/applications/base/services/strimzi-kafka-operator/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kafka-system
diff --git a/applications/base/services/strimzi-kafka-operator/source.yaml b/applications/base/services/strimzi-kafka-operator/source.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: strimzi-kafka-operator
+spec:
+  url: oci://quay.io/strimzi-helm
+  interval: 1h
+  type: oci