Temp check in

Signed-off-by: Michel Hollands <michel.hollands@gmail.com>

.github/workflows/check-for-dependency-updates.yaml

@@ -19,9 +19,6 @@ jobs:
     updateVersions:
         name: Update the subcharts
         runs-on: "ubuntu-latest"
-        permissions:
-          contents: write
-          id-token: write
         steps:
             - name: Checkout
               uses: actions/checkout@v2
@@ -69,20 +66,6 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
-            - id: get-secrets
-              uses: grafana/shared-workflows/actions/get-vault-secrets@main
-              with:
-                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
-                repo_secrets: |
-                  APP_ID=github-app:app-id
-                  PRIVATE_KEY=github-app:private-key
-
-            - uses: actions/create-github-app-token@v1
-              id: app-token
-              with:
-                app-id: ${{ env.APP_ID }}
-                private-key: ${{ env.PRIVATE_KEY }}
-
             - name: Create pull request
               if: steps.update-loki.outputs.changed == 'true' || steps.update-grafana-alloy.outputs.changed == 'true' || steps.update-mimir-distributed.outputs.changed == 'true' || steps.update-tempo-distributed.outputs.changed == 'true' || steps.update-minio.outputs.changed == 'true'
               uses: peter-evans/create-pull-request@v5
@@ -96,15 +79,10 @@ jobs:
                 labels: dependencies
                 branch: chore/update-dependencies
                 delete-branch: true
-                team-reviewers: "@grafana/loki-squad"
-                token: ${{ steps.app-token.outputs.token }}
 
     updateGrafana:
         name: Update the Grafana version
         runs-on: "ubuntu-latest"
-        permissions:
-          contents: write
-          id-token: write
         steps:
             - name: Checkout
               uses: actions/checkout@v2
@@ -120,20 +98,6 @@ jobs:
                   echo "changed=true" >> "${GITHUB_OUTPUT}"
                 fi
 
-            - id: get-secrets
-              uses: grafana/shared-workflows/actions/get-vault-secrets@main
-              with:
-                # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
-                repo_secrets: |
-                  APP_ID=github-app:app-id
-                  PRIVATE_KEY=github-app:private-key
-
-            - uses: actions/create-github-app-token@v1
-              id: app-token
-              with:
-                app-id: ${{ env.APP_ID }}
-                private-key: ${{ env.PRIVATE_KEY }}
-
             - name: Create pull request
               if: steps.update-grafana.outputs.changed == 'true'
               uses: peter-evans/create-pull-request@v5
@@ -147,5 +111,3 @@ jobs:
                 labels: dependencies
                 branch: chore/update-minio
                 delete-branch: true
-                team-reviewers: "@grafana/loki-squad"
-                token: ${{ steps.app-token.outputs.token }}

.github/workflows/helm-ci.yml

@@ -20,48 +20,48 @@ jobs:
       - name: Lint Yaml
         run: make helm-lint
 
-  # call-test:
-  #   name: Test Helm Chart
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v4
-  #       with:
-  #         fetch-depth: 0
+  call-test:
+    name: Test Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-  #     - name: Set up Helm
-  #       uses: azure/setup-helm@v3
-  #       with:
-  #         version: v3.8.2
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.14.0
 
-  #     # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
-  #     # yamllint (https://github.com/adrienverge/yamllint) which require Python
-  #     - name: Set up Python
-  #       uses: actions/setup-python@v4
-  #       with:
-  #         python-version: 3.9
+      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
+      # yamllint (https://github.com/adrienverge/yamllint) which require Python
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
 
-  #     - name: Set up chart-testing
-  #       uses: helm/chart-testing-action@v2
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2
 
-  #     - name: Run chart-testing (list-changed)
-  #       id: list-changed
-  #       run: |
-  #         changed=$(ct list-changed --config "${CT_CONFIGFILE}")
-  #         if [[ -n "$changed" ]]; then
-  #           echo "changed=true" >> $GITHUB_OUTPUT
-  #         fi
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config "${CT_CONFIGFILE}")
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
 
-  #     - name: Run chart-testing (lint)
-  #       run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=false
+      - name: Run chart-testing (lint)
+        run: ct lint --config "${CT_CONFIGFILE}" --check-version-increment=false
 
-  #     - name: Create kind cluster
-  #       uses: helm/kind-action@v1
-  #       if: steps.list-changed.outputs.changed == 'true'
-  #       with:
-  #         config: "${{ github.workspace }}/.github/configs/cluster-config.yaml"
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        if: steps.list-changed.outputs.changed == 'true'
+        with:
+           config: "${{ github.workspace }}/.github/configs/cluster-config.yaml"
 
-  #     - name: Run chart-testing (install)
-  #       run: |
-  #         changed=$(ct list-changed --config "${CT_CONFIGFILE}")
-  #         ct install --config "${CT_CONFIGFILE}"
+      - name: Run chart-testing (install)
+        run: |
+          changed=$(ct list-changed --config "${CT_CONFIGFILE}")
+          ct install --config "${CT_CONFIGFILE}"

charts/meta-monitoring/Chart.lock

@@ -1,18 +1,18 @@
 dependencies:
 - name: loki
   repository: https://grafana.github.io/helm-charts
-  version: 6.29.0
+  version: 6.5.2
 - name: alloy
   repository: https://grafana.github.io/helm-charts
-  version: 0.12.5
+  version: 0.3.0
 - name: mimir-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 5.6.0
+  version: 5.3.0
 - name: tempo-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 1.33.0
+  version: 1.9.9
 - name: minio
   repository: https://charts.min.io
-  version: 5.4.0
-digest: sha256:5225a03d9003384639f5d43b1971126371269347f16f221b7aed377ab85d71be
-generated: "2025-03-27T07:03:11.17404081Z"
+  version: 5.2.0
+digest: sha256:0eaa504de24724505fa4fff5169cd86628465ec366c253392c4ed24f15902b6b
+generated: "2024-05-22T07:02:54.054326052Z"

charts/meta-monitoring/Chart.yaml

@@ -13,7 +13,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.3.0
+version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
@@ -22,20 +22,20 @@ appVersion: "0.0.1"
 dependencies:
 - name: loki
   repository: https://grafana.github.io/helm-charts
-  version: 6.29.0
+  version: 6.5.2
   condition: local.logs.enabled
 - name: alloy
   repository: https://grafana.github.io/helm-charts
-  version: 0.12.5
+  version: 0.3.0
 - name: mimir-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 5.6.0
+  version: 5.3.0
   condition: local.metrics.enabled
 - name: tempo-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 1.33.0
+  version: 1.9.9
   condition: local.traces.enabled
 - name: minio
   repository: https://charts.min.io
-  version: 5.4.0
+  version: 5.2.0
   condition: local.minio.enabled

charts/meta-monitoring/ci/local-values.yaml

@@ -0,0 +1,116 @@
+namespacesToMonitor:
+- loki
+
+local:
+  grafana:
+    enabled: true
+  logs:
+    enabled: true
+  metrics:
+    enabled: true
+  traces:
+    enabled: true
+  minio:
+    enabled: true
+    createSecret: false
+
+cloud:
+  logs:
+    enabled: false
+    secret: logs
+  metrics:
+    enabled: false
+    secret: metrics
+  traces:
+    enabled: false
+    secret: traces
+
+grafana:
+  ingress:
+    hosts:
+      - host: monitoring.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+
+minio:
+  existingSecret: ""
+  rootUser: "abcdefghi"
+  rootPassword: "defghijkl"
+
+loki:
+  deploymentMode: SingleBinary
+  singleBinary:
+    replicas: 1
+    resources:
+      limits:
+        cpu: 3
+        memory: 4Gi
+      requests:
+        cpu: 2
+        memory: 2Gi
+    extraEnv:
+      # Keep a little bit lower than memory limits
+      - name: GOMEMLIMIT
+        value: 3750MiB
+
+  chunksCache:
+    # default is 500MB, with limited memory keep this smaller
+    writebackSizeLimit: 10MB
+
+  # Zero out replica counts of other deployment modes
+  backend:
+    replicas: 0
+  read:
+    replicas: 0
+  write:
+    replicas: 0
+
+  ingester:
+    replicas: 0
+  querier:
+    replicas: 0
+  queryFrontend:
+    replicas: 0
+  queryScheduler:
+    replicas: 0
+  distributor:
+    replicas: 0
+  compactor:
+    replicas: 0
+  indexGateway:
+    replicas: 0
+  bloomCompactor:
+    replicas: 0
+  bloomGateway:
+    replicas: 0
+
+mimir-distributed:
+  minio:
+    enabled: false
+  global:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"
+
+tempo-distributed:
+  distributor:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"
+  ingester:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"
+  compactor:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"
+  querier:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"
+  queryFrontend:
+    extraEnvFrom:
+    - secretRef:
+        name: "meta-minio"

charts/meta-monitoring/ct.yaml

@@ -6,6 +6,5 @@ chart-dirs:
 chart-repos:
   - grafana=https://grafana.github.io/helm-charts
   - minio=https://charts.min.io
-helm-extra-args: --timeout 1200s
 check-version-increment: false
 validate-maintainers: false

charts/meta-monitoring/src/dashboards/loki-reads.json

@@ -2449,7 +2449,7 @@
             "repeatIteration": null,
             "repeatRowId": null,
             "showTitle": true,
-            "title": "TSDB Index",
+            "title": "TSBD Index",
             "titleSize": "h6"
          },
          {
@@ -2897,4 +2897,4 @@
       "title": "Loki / Reads",
       "uid": "reads",
       "version": 0
-   }
+   }

charts/meta-monitoring/templates/agent/config.yaml

@@ -120,9 +120,9 @@ data:
         replacement = "{{- .Values.clusterLabelValue -}}"
       }
       rule {
-        source_labels = ["__meta_kubernetes_pod_container_port_name"]
-        action = "keep"
-        regex = ".*metrics.*"
+        source_labels = ["__meta_kubernetes_pod_container_port_number"]
+        action = "drop"
+        regex = "9095"
       }
     }
 
@@ -155,7 +155,133 @@ data:
 
       forward_to = [ {{ include "agent.prometheus_write_targets" . }} ]
     }
+    {{- if .Values.kubeStateMetrics.enabled }}
 
+    prometheus.scrape "kubeStateMetrics" {
+      clustering {
+        enabled = true
+      }
+      targets    = [ { "__address__" = "{{ .Values.kubeStateMetrics.endpoint }}" } ]
+      forward_to = [ prometheus.relabel.filter.receiver ]
+    }
+    {{- end }}
+
+    // cAdvisor and Kubelet metrics
+    // Based on https://github.com/Chewie/loutretelecom-manifests/blob/main/manifests/addons/monitoring/config.river
+    discovery.kubernetes "all_nodes" {
+      role = "node"
+      namespaces {
+        own_namespace = true
+        names = [ {{ include "agent.namespaces" . }} ]
+      }
+    }
+
+    discovery.relabel "all_nodes" {
+      targets = discovery.kubernetes.all_nodes.targets
+      rule {
+        source_labels = ["__meta_kubernetes_node_name"]
+        target_label = "node"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_namespace"]
+        target_label  = "namespace"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_pod_name"]
+        target_label  = "pod"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_label_app_kubernetes_io_component"]
+        separator = "/"
+        regex = "(.*)/(.*)/(.*)"
+        replacement = "${1}/${2}-${3}"
+        target_label = "job"
+      }
+      rule {
+        target_label = "cluster"
+        replacement = "{{- .Values.clusterLabelValue -}}"
+      }
+    }
+
+    prometheus.scrape "cadvisor" {
+      clustering {
+        enabled = true
+      }
+      targets    = discovery.relabel.all_nodes.output
+      forward_to = [ prometheus.relabel.filter.receiver ]
+
+      metrics_path = "/metrics/cadvisor"
+      scheme = "https"
+
+      bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      tls_config {
+        ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+      }
+    }
+
+    prometheus.scrape "kubelet" {
+      clustering {
+        enabled = true
+      }
+      targets    = discovery.relabel.all_nodes.output
+      forward_to = [ prometheus.relabel.filter.receiver ]
+
+      metrics_path = "/metrics"
+      scheme = "https"
+
+      bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      tls_config {
+        ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+      }
+    }
+
+    prometheus.exporter.unix "promexporter" {}
+
+    prometheus.scrape "node_exporter" {
+      clustering {
+        enabled = true
+      }
+      targets = prometheus.exporter.unix.promexporter.targets
+      forward_to = [prometheus.relabel.node_exporter.receiver]
+
+      job_name = "node-exporter"
+    }
+
+    prometheus.relabel "node_exporter" {
+      forward_to = [ prometheus.relabel.filter.receiver ]
+
+      rule {
+        replacement = env("HOSTNAME")
+        target_label = "nodename"
+      }
+      rule {
+        replacement = "node-exporter"
+        target_label = "job"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_node_name"]
+        target_label = "node"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_namespace"]
+        target_label  = "namespace"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_pod_name"]
+        target_label  = "pod"
+      }
+      rule {
+        source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_label_app_kubernetes_io_name", "__meta_kubernetes_pod_label_app_kubernetes_io_component"]
+        separator = "/"
+        regex = "(.*)/(.*)/(.*)"
+        replacement = "${1}/${2}-${3}"
+        target_label = "job"
+      }
+      rule {
+        target_label = "cluster"
+        replacement = "{{- .Values.clusterLabelValue -}}"
+      }
+    }
     {{- end }}
 
     {{- if or .Values.local.traces.enabled .Values.cloud.traces.enabled }}

charts/meta-monitoring/templates/minio/secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.local.minio.createSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+data:
+  rootUser: dmFsdWUtMg0KDQo=
+  rootPassword: dmFsdWUtMg0KDQo=
+{{- end }}

charts/meta-monitoring/templates/ruler/ruler.yaml

@@ -51,7 +51,11 @@ spec:
               protocol: TCP
           envFrom:
           - secretRef:
+{{- if .Values.local.minio.enabled }}
+             name: {{ $.Release.Namespace }}-minio
+{{- else }}
              name: minio
+{{- end }}
           readinessProbe:
             failureThreshold: 3
             httpGet:

charts/meta-monitoring/templates/validate.yaml

@@ -34,6 +34,11 @@
 {{- end -}}
 {{- end -}}
 
+{{- if empty .Values.namespacesToMonitor -}}
+  {{- fail "No namespaces have been specified in namespacesToMonitor" -}}
+{{- end -}}
+
 {{- if empty .Values.metrics.retain -}}
   {{- fail "All metrics will be collected, please specify some in metrics.retain" -}}
 {{- end -}}
+

charts/meta-monitoring/values.yaml

@@ -1,7 +1,6 @@
 # Specify the namespaces to monitor here
-# By default the chart will monitor the namespace it is installed in
-# namespacesToMonitor:
-# - loki
+namespacesToMonitor:
+- loki
 # The name of the cluster where this will be installed
 clusterLabelValue: "meta"
 # Set to true to write logs, metrics or traces to Grafana Cloud
@@ -27,9 +26,10 @@ local:
   traces:
     enabled: false
   minio:
-    enabled: false # This should be set to true if any of the previous is enabled
+    enabled: false  # This should be set to true if any of the previous is enabled
+    createSecret: false  # This is used for testing, do not use in production
 grafana:
-  version: 11.4.3
+  version: 10.4.2
   # Gateway ingress configuration
   ingress:
     # -- Specifies whether an ingress for the gateway should be created
@@ -53,25 +53,23 @@ grafana:
             #     port:
             #       number: TODO
     # -- TLS configuration for the gateway ingress. Hosts passed through the `tpl` function to allow templating
-    #tls:
+    # tls:
     #  - secretName: grafana-tls
     #    hosts:
     #      - monitoring.example.com
 logs:
   # Adding regexes here will add a stage.replace block for logs. For more information see
   # https://grafana.com/docs/agent/latest/flow/reference/components/loki.process/#stagereplace-block
-  piiRegexes: null # This example replaces the word after password with *****
-  # - expression: "password (\\\\S+)"
-  #   source: ""         # Empty uses the log message
-  #   replace: "*****""
-  # The lines matching these will be kept in Loki
+  piiRegexes: null  # This example replaces the word after password with *****
+# - expression: "password (\\\\S+)"
+#   source: ""         # Empty uses the log message
+#   replace: "*****""
+# The lines matching these will be kept in Loki
   retain:
   # This shows the queries
-  - executing query
   - caller=metrics.go
   # This shows any errors
   - level=error
-  - level=warn
   # Log lines for delete requests
   - delete request for user added
   - Started processing delete request

docs/installation.md

@@ -91,7 +91,7 @@
 
    local:
      grafana:
-       enabled: true
+       enabled:true
      logs:
        enabled: true
      metrics: