From 9269f4bbd9f9d97bfe7f2278fc39f8f7e1281b9c Mon Sep 17 00:00:00 2001
From: Kirby Liu <liu.kirby@gmail.com>
Date: Wed, 26 Mar 2025 14:40:48 +0000
Subject: [PATCH] Add service monitor to Alloy/values.yaml

---
 chart/templates/alloy/_postrenderers.tpl | 11 +++++++++++
 chart/templates/alloy/helmrelease.yaml   | 20 ++++++++++++++------
 chart/templates/alloy/values.yaml        | 14 ++++++++++++++
 3 files changed, 39 insertions(+), 6 deletions(-)
 create mode 100644 chart/templates/alloy/_postrenderers.tpl

diff --git a/chart/templates/alloy/_postrenderers.tpl b/chart/templates/alloy/_postrenderers.tpl
new file mode 100644
index 0000000000..1455db0a60
--- /dev/null
+++ b/chart/templates/alloy/_postrenderers.tpl
@@ -0,0 +1,11 @@
+{{- define "alloy.istioPostRenderers" }}
+- kustomize:
+    patches:
+      - patch: |
+          - op: replace
+            path: /spec/endpoints/0/scheme
+            value: https
+        target:
+          kind: ServiceMonitor
+          name: ".*alloy-alloy.*"
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/alloy/helmrelease.yaml b/chart/templates/alloy/helmrelease.yaml
index 8554c74983..189ecf3d0c 100644
--- a/chart/templates/alloy/helmrelease.yaml
+++ b/chart/templates/alloy/helmrelease.yaml
@@ -1,4 +1,5 @@
-{{- $fluxSettingsMonitoring := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- $fluxSettingsAlloy := merge .Values.addons.alloy.flux .Values.flux -}}
+{{- $isStrictIstio := and (eq (include "istioEnabled" .) "true") (eq (dig "istio" "mtls" "mode" "STRICT" .Values.addons.alloy.values) "STRICT") -}}
 {{- if .Values.addons.alloy.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -37,12 +38,15 @@ spec:
       {{- end }}
       {{- end }}
       interval: 5m
-
-  {{- toYaml $fluxSettingsMonitoring | nindent 2 }}
-
-  {{- if .Values.addons.alloy.postRenderers }}
+  {{- toYaml $fluxSettingsAlloy | nindent 2 }}
+  {{- if or .Values.addons.alloy.postRenderers (and .Values.monitoring.enabled $isStrictIstio ) }}
   postRenderers:
-  {{ toYaml .Values.addons.alloy.postRenderers | nindent 4 }}
+  {{- if and .Values.monitoring.enabled $isStrictIstio }}
+  {{- include "alloy.istioPostRenderers" . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.addons.alloy.postRenderers }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- end }}
   valuesFrom:
     - name: {{ .Release.Name }}-alloy-values
@@ -70,6 +74,10 @@ spec:
     - name: kyverno-policies
       namespace: {{ .Release.Namespace }}
   {{- end }}
+  {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
   {{- end }}
 {{- end }}
 
diff --git a/chart/templates/alloy/values.yaml b/chart/templates/alloy/values.yaml
index c903df4275..a7dc2c9f9c 100644
--- a/chart/templates/alloy/values.yaml
+++ b/chart/templates/alloy/values.yaml
@@ -26,4 +26,18 @@ istio:
       (dig "istio" "hardened" "enabled" false .Values.addons.alloy.values)
     }}
 
+k8s-monitoring:
+  {{- range $service := list "alloy-metrics" "alloy-log" }} # Add/Remove Alloy Micro-Services as Alloy Configurations Change
+  {{ $service }}:
+    serviceMonitor:
+      enabled: {{ $.Values.monitoring.enabled }}
+      {{- if and (include "istioEnabled" $) (eq (dig "istio" "mtls" "mode" "STRICT" $.Values.addons.alloy.values) "STRICT") }}
+      tlsConfig:
+        caFile: /etc/prom-certs/root-cert.pem
+        certFile: /etc/prom-certs/cert-chain.pem
+        keyFile: /etc/prom-certs/key.pem
+        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
+      {{- end }}
+  {{- end }}
+
 {{- end }}
\ No newline at end of file
-- 
GitLab