diff --git a/chart/templates/alloy/git-credentials.yaml b/chart/templates/alloy/git-credentials.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ef7d50ce33819bbd28d8a394e95cd914f186a75e
--- /dev/null
+++ b/chart/templates/alloy/git-credentials.yaml
@@ -0,0 +1,7 @@
+{{- $gitCredsSecretDict := dict
+ "name" "alloy"
+ "targetScope" .Values.addons.alloy
+ "releaseName" .Release.Name
+ "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
diff --git a/chart/templates/alloy/gitrepository.yaml b/chart/templates/alloy/gitrepository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2d5a4cad14896210d94aa01ca8a13a36480a3cad
--- /dev/null
+++ b/chart/templates/alloy/gitrepository.yaml
@@ -0,0 +1,23 @@
+{{- if and (eq .Values.addons.alloy.sourceType "git") (not .Values.offline) .Values.addons.alloy.enabled }}
+{{- $gitCredsDict := dict
+ "name" "alloy"
+ "packageGitScope" .Values.addons.alloy.git
+ "rootScope" .
+ "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: alloy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: alloy
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.addons.alloy.git.repo }}
+ ref:
+ {{- include "validRef" .Values.addons.alloy.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}
diff --git a/chart/templates/alloy/helmrelease.yaml b/chart/templates/alloy/helmrelease.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5591edfda9b304fcaa0a17470c40de5f9d751e2a
--- /dev/null
+++ b/chart/templates/alloy/helmrelease.yaml
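Review bot: The `gitCredsSecret` include in git-credentials.yaml is rendered unconditionally, whereas gitrepository.yaml guards on `sourceType "git"`, `not .Values.offline` and `enabled`; unless the helper itself checks `targetScope.enabled` and the source type (its body is not visible here), a git-credentials Secret for alloy is emitted even when the package is disabled or sourced from a Helm repository. Confirm against the helper, or wrap the include in `{{- if and (eq .Values.addons.alloy.sourceType "git") .Values.addons.alloy.enabled }}` … `{{- end }}` so the two alloy source templates agree.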
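Review bot: `url: {{ .Values.addons.alloy.git.repo }}` in gitrepository.yaml renders the repository URL as a plain scalar, so a value containing `: ` or ` #` (for example a URL with embedded credentials or a fragment) breaks the YAML or is silently truncated at render time; `url: {{ .Values.addons.alloy.git.repo | quote }}` avoids that. Other package templates in the chart may use the unquoted form, in which case this is a chart-wide consistency choice rather than a defect specific to this file.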
@@ -0,0 +1,74 @@
+{{- $fluxSettingsMonitoring := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- if .Values.addons.alloy.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: alloy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: alloy
+ {{- include "commonLabels" . | nindent 4}}
+ annotations:
+ checksum/bigbang-values: {{ include (print $.Template.BasePath "/alloy/values.yaml") . | sha256sum }}
+spec:
+ targetNamespace: monitoring
+ chart:
+ spec:
+ {{- if eq .Values.addons.alloy.sourceType "git" }}
+ chart: {{ .Values.addons.alloy.git.path }}
+ sourceRef:
+ kind: GitRepository
+ name: alloy
+ namespace: {{ .Release.Namespace }}
+ {{- else }}
+ chart: {{ .Values.addons.alloy.helmRepo.chartName }}
+ version: {{ .Values.addons.alloy.helmRepo.tag }}
+ sourceRef:
+ kind: HelmRepository
+ name: {{ .Values.addons.alloy.helmRepo.repoName }}
+ namespace: {{ .Release.Namespace }}
+ {{- $repoType := include "getRepoType" (dict "repoName" .Values.addons.alloy.helmRepo.repoName "allRepos" $.Values.helmRepositories) -}}
+ {{- if (and .Values.addons.alloy.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+ verify:
+ provider: cosign
+ secretRef:
+ name: {{ printf "%s-cosign-pub" .Values.addons.alloy.helmRepo.repoName }}
+ {{- end }}
+ {{- end }}
+ interval: 5m
+
+ {{- toYaml $fluxSettingsMonitoring | nindent 2 }}
+
+ {{- if .Values.addons.alloy.postRenderers }}
+ postRenderers:
+ {{ toYaml .Values.addons.alloy.postRenderers | nindent 4 }}
+ {{- end }}
+ valuesFrom:
+ - name: {{ .Release.Name }}-alloy-values
+ kind: Secret
+ valuesKey: "common"
+ - name: {{ .Release.Name }}-alloy-values
+ kind: Secret
+ valuesKey: "defaults"
+ - name: {{ .Release.Name }}-alloy-values
+ kind: Secret
+ valuesKey: "overlays"
+
+ # TODO: DRY this up
+ {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+ dependsOn:
+ {{- if .Values.istio.enabled }}
+ - name: istio
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.gatekeeper.enabled }}
+ - name: gatekeeper
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.kyvernoPolicies.enabled }}
+ - name: kyverno-policies
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
diff --git a/chart/templates/alloy/imagepullsecret.yaml b/chart/templates/alloy/imagepullsecret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8fce1a127f4dac21a9ad5849223a56dbe62f2c07
--- /dev/null
+++ b/chart/templates/alloy/imagepullsecret.yaml
@@ -0,0 +1,16 @@
+{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: monitoring
+ labels:
+ app.kubernetes.io/name: alloy
+ {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
+
diff --git a/chart/templates/alloy/namespace.yaml b/chart/templates/alloy/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b8c80daa6032cb02a34c0e18fd358312a5c42bb2
--- /dev/null
+++ b/chart/templates/alloy/namespace.yaml
@@ -0,0 +1,11 @@
+{{- if and (not .Values.monitoring.enabled) (not .Values.grafana.enabled ) .Values.addons.alloy.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+ labels:
+ app.kubernetes.io/name: monitoring
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+ istio-injection: {{ dig "istio" "injection" "enabled" .Values.grafana }}
+{{- end }}
diff --git a/chart/templates/alloy/values.yaml b/chart/templates/alloy/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e2e813ebba2b1a850f3c1a6f488b7e78fa29daf5
--- /dev/null
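Review bot: In helmrelease.yaml the `dependsOn` guard tests `.Values.monitoring.enabled`, but none of the branches inside it emits a `monitoring` entry, so with only monitoring enabled the template renders a bare `dependsOn:` with no items and the release is not ordered after the monitoring stack; since the alloy defaults forward `monitoring.enabled` to the package (alloy/values.yaml hunk), any monitoring-gated resources the package creates may be applied before their CRDs exist. Either drop `.Values.monitoring.enabled` from the `or`, or add `{{- if .Values.monitoring.enabled }}`, `- name: monitoring`, `namespace: {{ .Release.Namespace }}` (closed with `{{- end }}`) next to the istio entry. The variable `$fluxSettingsMonitoring` also reads as a copy from the monitoring template; `$fluxSettingsAlloy` would say what it holds.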
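Review bot: In namespace.yaml, `istio-injection: {{ dig "istio" "injection" "enabled" .Values.grafana }}` takes the injection setting from the grafana values, yet this Namespace is only rendered when grafana is disabled, so the label is driven by a package that is not deployed; the alloy defaults in chart/values.yaml define no `istio.injection` either, so in practice the label always resolves to the `dig` fallback. Reading the value from alloy's own scope, `istio-injection: {{ dig "istio" "injection" "enabled" .Values.addons.alloy }}`, makes the label controllable by the package that owns the namespace in this branch.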
+++ b/chart/templates/alloy/values.yaml
@@ -0,0 +1,14 @@
+{{- /* Create secret */ -}}
+{{- if .Values.addons.alloy.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.addons.alloy "name" "alloy" "defaults" (include "bigbang.defaults.alloy" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.alloy" -}}
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index 6c0ffc833b61923b247a9952df7c83b6a628329e..912552cb1cf97b1bec36450ba9728b3d7cbcd586 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -937,6 +937,7 @@ policies:
 - monitoring-monitoring-kube-state-metrics*
 - monitoring-monitoring-kube-operator*
 - prometheus-monitoring-monitoring-kube-prometheus*
+ - monitoring-alloy-*
 - namespace: anchore
 pods:
 allow:
diff --git a/chart/values.schema.json b/chart/values.schema.json
index eba96b5f61a65506c8106ac074ac9f920203e5f7..492af7b1b03481bf872c458ea4bfbd6f4a658899 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -1239,6 +1239,20 @@
 "$ref": "#/$defs/istio"
 }
 }
+ },
+ "externalSecrets": {
+ "allOf": [
+ {
+ "$ref": "#/$defs/basePackage"
+ }
+ ]
+ },
+ "alloy": {
+ "allOf": [
+ {
+ "$ref": "#/$defs/basePackage"
+ }
+ ]
 }
 }
 },
diff --git a/chart/values.yaml b/chart/values.yaml
index 9d684240eed5db3d13c6601bce687d0ade4c558f..4f524c9724a0ad6d47595781449546a0d3e6281d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
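Review bot: The `externalSecrets` entry added to values.schema.json next to `alloy` is not referenced by any other file in this commit, so it reads as an unrelated drive-by that the commit message should call out or that belongs in its own change; if `addons.externalSecrets` does not yet exist in values.yaml, binding it to `basePackage` is harmless but misleading to the next reader. For the `alloy` entry, it is worth confirming that `basePackage` does not require `helmRepo` keys, since the alloy defaults in the chart/values.yaml hunk define only `git`; I cannot see the `$defs/basePackage` definition from here.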
@@ -2103,6 +2103,25 @@ addons: postRenderers: [] + alloy: + # -- Toggle deployment of grafana alloy + enabled: false + + # -- Choose source type of "git" or "helmRepo" + sourceType: "git" + + git: + repo: https://repo1.dso.mil/big-bang/product/packages/alloy.git + tag: "1.5.0-bb.5" + path: "./chart" + + values: {} + + postRenderers: [] + + # -- Flux reconciliation overrides specifically for the alloy package + flux: {} + # -- Wrapper chart for integrating Big Bang components alongside a package wrapper: # -- Choose source type of "git" or "helmRepo" @@ -2215,3 +2234,5 @@ packages: # -- Values to pass through to package Helm chart values: {} + + diff --git a/docs/understanding-bigbang/package-architecture/alloy.md b/docs/understanding-bigbang/package-architecture/alloy.md new file mode 100644 index 0000000000000000000000000000000000000000..0182688dd22d5d0c57a944dbe311bfd42e81381b --- /dev/null +++ b/docs/understanding-bigbang/package-architecture/alloy.md 
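Review bot: The `alloy` defaults declare `sourceType: "git"` but no `helmRepo` block, while the `else` branch of helmrelease.yaml dereferences `.Values.addons.alloy.helmRepo.chartName`, `.tag`, `.repoName` and `.cosignVerify`; an operator who switches to `sourceType: helmRepo` without supplying every one of those keys gets a nil-pointer evaluation at render time instead of a usable default. The other package blocks in this file presumably carry these keys (their `helmRepo` sections are outside the hunk), so the alloy block should too, with the real chart and repository names substituted for the placeholders below. The `git:`, `values:` and `postRenderers:` keys also lack the `# --` doc comments that the neighbouring `wrapper` block uses (compare `# -- Values to pass through to package Helm chart` in the second hunk), and that second hunk only appends two blank lines at end of file.

```yaml
  alloy:
    # … unchanged: enabled / sourceType / git …
    helmRepo:
      repoName: <HELM_REPO_NAME>   # placeholder: name of an entry in .Values.helmRepositories
      chartName: <CHART_NAME>      # placeholder: chart name as published in that repository
      tag: "1.5.0-bb.5"            # mirrors the git tag above
    # … unchanged: values / postRenderers / flux …
```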
@@ -0,0 +1,83 @@
+# Grafana Alloy
+
+## Overview
+
+[Grafana Alloy](https://grafana.com/docs/alloy/latest/), formerly known as
+Grafana Agent, is Grafana's opinionated spin of the OpenTelemetry collector. It
+combines many open-source projects in the cloud-native observability space with
+the goal of being the only observability component necessary to collect and
+distribute telemetry signals within a cluster.
+
+```mermaid
+flowchart TD
+ subgraph Monitoring
+ Prometheus/Thanos
+ Loki
+ end
+
+ subgraph DT[Distributed Tracing]
+ Tempo
+ end
+
+ subgraph A[Alloy]
+ Alloy
+ Alloy ==> |Traces| Tempo
+ Alloy ==> |Metrics| Prometheus/Thanos
+ Alloy ==> |Logs| Loki
+ end
+
+ style EU stroke-dasharray: 10 10
+ subgraph EU[End-User Applications]
+ App-A -->|OpenTelemetry| Alloy
+ App-B -->|OpenTelemetry| Alloy
+ App-C -->|OpenTelemetry| Alloy
+ end
+
+ subgraph N[K8s Node]
+ CL[Container Logs]-->|Logs|Alloy
+ NE[Node Exporter]-->|Metrics|Alloy
+ end
+
+ subgraph ServiceMonitors
+ Service-A<-->|Metrics|Alloy
+ Service-B<-->|Metrics|Alloy
+ Service-C<-->|Metrics|Alloy
+ end
+```
+
+## Big Bang Touchpoints
+
+### Licensing
+
+Grafana Alloy is open-source,
+[licensed under Apache 2.0](https://github.com/grafana/alloy/blob/main/LICENSE).
+
+### UI
+
+While Grafana Alloy does expose a
+[UI for visualizing its configuration status](https://grafana.com/docs/alloy/latest/troubleshoot/debug/),
+it is not necessary for use and is not exposed by default within Big Bang.
+
+### Storage
+
+Grafana Alloy requires no storage itself, opting instead to push telemetry
+signals to other cluster components like Loki and Tempo, which have their own
+storage needs.
+
+### Logging
+
+Grafana Alloy writes its logs to stderr. These logs will be picked up by the
+logging collector configured within the cluster.
+
+### High Availability
+
+Grafana Alloy supports multiple deployment modes with built-in clustering.
+Depending on which features are enabled in the `k8s-monitoring` chart, Alloy
+may be deployed as a `StatefulSet`, `DaemonSet`, or `Deployment`.
+
+### Health Checks
+
+Grafana Alloy is configured with standard liveness and readiness probes. In
+addition to the health of Alloy itself, cluster administrators can view the UI
+mentioned above for specific health statuses of individual Alloy
+[components](https://grafana.com/docs/alloy/latest/get-started/components/).
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 63267af9780d8e027a5925d009544693b06cabb1..1e0faa25bc19ed6c3249cad693b46428824ca433 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -619,6 +619,7 @@ kyvernoPolicies:
 - fortify
 - thanos
 - holocron
+ - alloy
 names:
 - "*-cypress-test*"
 parameters:
@@ -659,6 +660,7 @@ kyvernoPolicies:
 - fortify
 - thanos
 - holocron
+ - alloy
 names:
 - "*-cypress-test*"
 - resources:
@@ -706,6 +708,7 @@ kyvernoPolicies:
 - fortify
 - thanos
 - holocron
+ - alloy
 names:
 - "*-cypress-test*"
 update-image-pull-policy:
@@ -758,6 +761,13 @@ kyvernoPolicies:
 - velero
 names:
 - velero-backup-restore-test*
+ - resources:
+ namespaces:
+ - alloy
+ names:
+ - alloy-config-validator*
+ - alloy-config-analysis*
+ - alloy-test*
 require-non-root-user:
 exclude:
 any:
@@ -781,6 +791,14 @@ kyvernoPolicies:
 - twistlock
 names:
 - volume-upgrade-job*
+ - resources:
+ namespaces:
+ - alloy
+ names:
+ - alloy-config-validator*
+ - alloy-config-analysis*
+ - alloy-test*
+ require-non-root-user:
 disallow-namespaces:
 parameters:
 disallow:
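Review bot: The policy exclusions added to tests/test-values.yaml place the alloy test pods under namespace `alloy`, but helmrelease.yaml installs the package with `targetNamespace: monitoring`, so unless the package chart creates its own `alloy` namespace for its test jobs none of the new entries (hunks at 619, 660, 708, 761 and 791) will match and the cypress and config-validator pods stay subject to the policies; an exclusion that never matches is also easy to mistake for coverage later. The namespace should be `monitoring` (or wherever the test jobs actually run), consistent with the `monitoring-alloy-*` pod pattern added in chart/templates/kyverno-policies/values.yaml.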
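Review bot: The last added line of the final hunk, `require-non-root-user:`, appears at the same level as the `disallow-namespaces:` context that follows it and repeats the key that already opens the block extended in the hunk at 761 (`require-non-root-user: exclude: any:`); indentation is lost in this view so this is inferred, but a bare duplicate mapping key is either rejected by a strict YAML parser or silently replaces the earlier mapping with null, which would drop every exclusion under it. It looks like a copy-paste remnant; remove the line, or if a separate block was intended, give it its own content.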