Add Grafana Alloy as an addon package

25553d91 · Kevin Scheunemann · Michael Martin · 4322bca4 · 25553d91 · 25553d91
Commit 25553d91 authored 5 months ago by Kevin Scheunemann Committed by Michael Martin 5 months ago
--- a/chart/templates/alloy/git-credentials.yaml
+++ b/chart/templates/alloy/git-credentials.yaml
+{{- $gitCredsSecretDict := dict
+  "name" "alloy"
+  "targetScope" .Values.addons.alloy
+  "releaseName" .Release.Name
+  "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
--- a/chart/templates/alloy/gitrepository.yaml
+++ b/chart/templates/alloy/gitrepository.yaml
+{{- if and (eq .Values.addons.alloy.sourceType "git") (not .Values.offline) .Values.addons.alloy.enabled }}
+{{- $gitCredsDict := dict
+  "name" "alloy"
+  "packageGitScope" .Values.addons.alloy.git
+  "rootScope" .
+  "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: alloy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: alloy
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.addons.alloy.git.repo }}
+  ref:
+    {{- include "validRef" .Values.addons.alloy.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}
--- a/chart/templates/alloy/helmrelease.yaml
+++ b/chart/templates/alloy/helmrelease.yaml
+{{- $fluxSettingsMonitoring := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- if .Values.addons.alloy.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: alloy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: alloy
+    {{- include "commonLabels" . | nindent 4}}
+  annotations:
+    checksum/bigbang-values: {{ include (print $.Template.BasePath "/alloy/values.yaml") . | sha256sum }}
+spec:
+  targetNamespace: monitoring
+  chart:
+    spec:
+      {{- if eq .Values.addons.alloy.sourceType "git" }}
+      chart: {{ .Values.addons.alloy.git.path }}
+      sourceRef:
+        kind: GitRepository
+        name: alloy
+        namespace: {{ .Release.Namespace }}
+      {{- else }}
+      chart: {{ .Values.addons.alloy.helmRepo.chartName }}
+      version: {{ .Values.addons.alloy.helmRepo.tag }}
+      sourceRef:
+        kind: HelmRepository
+        name: {{ .Values.addons.alloy.helmRepo.repoName }}
+        namespace: {{ .Release.Namespace }}
+      {{- $repoType := include "getRepoType" (dict "repoName" .Values.addons.alloy.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+      {{- if (and .Values.addons.alloy.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+      verify:
+        provider: cosign
+        secretRef:
+          name: {{ printf "%s-cosign-pub" .Values.addons.alloy.helmRepo.repoName }}
+      {{- end }}
+      {{- end }}
+      interval: 5m
+
+  {{- toYaml $fluxSettingsMonitoring | nindent 2 }}
+
+  {{- if .Values.addons.alloy.postRenderers }}
+  postRenderers:
+  {{ toYaml .Values.addons.alloy.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-alloy-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-alloy-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-alloy-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  # TODO: DRY this up
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+  dependsOn:
+  {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.kyvernoPolicies.enabled }}
+    - name: kyverno-policies
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
--- a/chart/templates/alloy/imagepullsecret.yaml
+++ b/chart/templates/alloy/imagepullsecret.yaml
+{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/name: alloy
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
+
--- a/chart/templates/alloy/namespace.yaml
+++ b/chart/templates/alloy/namespace.yaml
+{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    app.kubernetes.io/name: monitoring
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+    istio-injection: {{ dig "istio" "injection" "enabled" .Values.grafana }}
+{{- end }}
--- a/chart/templates/alloy/values.yaml
+++ b/chart/templates/alloy/values.yaml
+{{- /* Create secret */ -}}
+{{- if .Values.addons.alloy.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.addons.alloy "name" "alloy" "defaults" (include "bigbang.defaults.alloy" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.alloy" -}}
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+
+networkPolicies:
+  enabled: {{ .Values.networkPolicies.enabled }}
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -937,6 +937,7 @@ policies:
          - monitoring-monitoring-kube-state-metrics*
          - monitoring-monitoring-kube-operator*
          - prometheus-monitoring-monitoring-kube-prometheus*
+          - monitoring-alloy-*
      - namespace: anchore
        pods:
          allow:

--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1239,6 +1239,20 @@
              "$ref": "#/$defs/istio"
            }
          }
+        },
+        "externalSecrets": {
+          "allOf": [
+            {
+              "$ref": "#/$defs/basePackage"
+            }
+          ]
+        },
+        "alloy": {
+          "allOf": [
+            {
+              "$ref": "#/$defs/basePackage"
+            }
+          ]
        }
      }
    },

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -2103,6 +2103,25 @@ addons:

    postRenderers: []

+  alloy:
+    # -- Toggle deployment of grafana alloy
+    enabled: false
+
+    # -- Choose source type of "git" or "helmRepo"
+    sourceType: "git"
+
+    git:
+      repo: https://repo1.dso.mil/big-bang/product/packages/alloy.git
+      tag: "1.5.0-bb.5"
+      path: "./chart"
+
+    values: {}
+
+    postRenderers: []
+
+    # -- Flux reconciliation overrides specifically for the alloy package
+    flux: {}
+
 # -- Wrapper chart for integrating Big Bang components alongside a package
 wrapper:
  # -- Choose source type of "git" or "helmRepo"
@@ -2215,3 +2234,5 @@ packages:

    # -- Values to pass through to package Helm chart
    values: {}
+
+    
--- a/docs/understanding-bigbang/package-architecture/alloy.md
+++ b/docs/understanding-bigbang/package-architecture/alloy.md
+# Grafana Alloy
+
+## Overview
+
+[Grafana Alloy](https://grafana.com/docs/alloy/latest/), formerly known as
+Grafana Agent, is Grafana's opinionated spin of the OpenTelemetry collector. It
+combines many open-source projects in the cloud-native observability space with
+the goal of being the only observability component necessary to collect and
+distribute telemetry signals within a cluster.
+
+```mermaid
+flowchart TD
+  subgraph Monitoring
+    Prometheus/Thanos
+    Loki
+  end
+
+  subgraph DT[Distributed Tracing]
+    Tempo
+  end
+
+  subgraph A[Alloy]
+    Alloy
+    Alloy ==> |Traces| Tempo
+    Alloy ==> |Metrics| Prometheus/Thanos
+    Alloy ==> |Logs| Loki
+  end
+
+  style EU stroke-dasharray: 10 10
+  subgraph EU[End-User Applications]
+    App-A -->|OpenTelemetry| Alloy
+    App-B -->|OpenTelemetry| Alloy
+    App-C -->|OpenTelemetry| Alloy
+  end
+
+  subgraph N[K8s Node]
+    CL[Container Logs]-->|Logs|Alloy
+    NE[Node Exporter]-->|Metrics|Alloy
+  end
+
+  subgraph ServiceMonitors
+    Service-A<-->|Metrics|Alloy
+    Service-B<-->|Metrics|Alloy
+    Service-C<-->|Metrics|Alloy
+  end
+```
+
+## Big Bang Touchpoints
+
+### Licensing
+
+Grafana Alloy is open-source,
+[licensed under Apache 2.0](https://github.com/grafana/alloy/blob/main/LICENSE).
+
+### UI
+
+While Grafana Alloy does expose a
+[UI for visualizing its configuration status](https://grafana.com/docs/alloy/latest/troubleshoot/debug/),
+it is not necessary for use and is not exposed by default within Big Bang.
+
+### Storage
+
+Grafana Alloy requires no storage itself, opting instead to push telemetry
+signals to other cluster components like Loki and Tempo, which have their own
+storage needs.
+
+### Logging
+
+Grafana Alloy writes its logs to stderr. These logs will be picked up by the
+logging collector configured within the cluster.
+
+### High Availability
+
+Grafana Alloy supports multiple deployment modes with built-in clustering.
+Depending on which features are enabled in the `k8s-monitoring` chart, Alloy
+may be deployed as a `StatefulSet`, `DaemonSet`, or `Deployment`.
+
+### Health Checks
+
+Grafana Alloy is configured with standard liveness and readiness probes. In
+addition to the health of Alloy itself, cluster administrators can view the UI
+mentioned above for specific health statuses of individual Alloy
+[components](https://grafana.com/docs/alloy/latest/get-started/components/).
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -619,6 +619,7 @@ kyvernoPolicies:
              - fortify
              - thanos
              - holocron
+              - alloy
              names:
              - "*-cypress-test*"
        parameters:
@@ -659,6 +660,7 @@ kyvernoPolicies:
              - fortify
              - thanos
              - holocron
+              - alloy
              names:
              - "*-cypress-test*"
          - resources:
@@ -706,6 +708,7 @@ kyvernoPolicies:
              - fortify
              - thanos
              - holocron
+              - alloy
              names:
              - "*-cypress-test*"
      update-image-pull-policy:
@@ -758,6 +761,13 @@ kyvernoPolicies:
              - velero
              names:
              - velero-backup-restore-test*
+          - resources:
+              namespaces:
+              - alloy
+              names:
+              - alloy-config-validator*
+              - alloy-config-analysis*
+              - alloy-test*
      require-non-root-user:
        exclude:
          any:
@@ -781,6 +791,14 @@ kyvernoPolicies:
              - twistlock
              names:
              - volume-upgrade-job*
+          - resources:
+              namespaces:
+              - alloy
+              names:
+              - alloy-config-validator*
+              - alloy-config-analysis*
+              - alloy-test*
+      require-non-root-user:
      disallow-namespaces:
        parameters:
          disallow: