From 805394607a9f88aac545afaf6ed9b6a5e5f2e2c6 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Mon, 15 Jun 2026 12:03:39 +0300
Subject: [PATCH] Fix brusnika-stage observability secrets and certs
---
 .../clusterissuer-letsencrypt.yaml | 3 +
 .../infrastructure/patches/openobserve.yaml | 61 +------------------
 .../patches/opentelemetry-collector.yaml | 37 +++++++++--
 .../patches/prometheus-stack.yaml | 2 +-
 4 files changed, 36 insertions(+), 67 deletions(-)
diff --git a/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml b/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
index 91712f5..79afaf3 100644
--- a/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
+++ b/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
@@ -12,6 +12,9 @@ spec:
 - selector:
 dnsNames:
 - zitadel.test.sarex.brusnika.tech
+ - grafana.test.sarex.brusnika.tech
+ - openobserve.test.sarex.brusnika.tech
+ - vmalert.test.sarex.brusnika.tech
 http01:
 ingress:
 class: istio
diff --git a/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml b/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml
index 3c9d14d..32d1ecd 100644
--- a/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml
@@ -44,55 +44,6 @@ spec:
 - name: ZO_TELEMETRY
 value:
 _default: "false"
- secretEnvs:
- - name: ZO_ROOT_USER_EMAIL
- secretName:
- _default: openobserve-secret
- secretKey: ZO_ROOT_USER_EMAIL
- - name: ZO_ROOT_USER_PASSWORD
- secretName:
- _default: openobserve-secret
- secretKey: ZO_ROOT_USER_PASSWORD
- - name: ZO_META_POSTGRES_DSN
- secretName:
- _default: openobserve-secret
- secretKey: ZO_META_POSTGRES_DSN
- - name: ZO_NATS_ADDR
- secretName:
- _default: openobserve-secret
- secretKey: ZO_NATS_ADDR
- - name: PGHOST
- secretName:
- _default: openobserve-secret
- secretKey: PGHOST
- - name: PGPORT
- secretName:
- _default: openobserve-secret
- secretKey: PGPORT
- - name: PGDATABASE
- secretName:
- _default: openobserve-secret
- secretKey: PGDATABASE
- - name: PGUSER
- secretName:
- _default: openobserve-secret
- secretKey: PGUSER
- - name: PGPASSWORD
- secretName:
- _default: openobserve-secret
- secretKey: PGPASSWORD
- - name: PGSSLMODE
- secretName:
- _default: openobserve-secret
- secretKey: PGSSLMODE
- - name: ZO_S3_ACCESS_KEY
- secretName:
- _default: openobserve-secret
- secretKey: ZO_S3_ACCESS_KEY
- - name: ZO_S3_SECRET_KEY
- secretName:
- _default: openobserve-secret
- secretKey: ZO_S3_SECRET_KEY
 serviceAccount:
 enabled: true
 name:
@@ -104,17 +55,7 @@ spec:
 _default: regcred
 openobserve:
 secret:
- create: true
- extraNamespaces:
- - opentelemetry-collector
- data:
- ZO_ROOT_USER_EMAIL: admin@openobserve.test.sarex.brusnika.tech
- PGHOST: 192.168.2.45
- PGPORT: "5432"
- PGDATABASE: openobserve
- PGUSER: openobserve
- PGSSLMODE: disable
- ZO_NATS_ADDR: nats://openobserve-nats:4222
+ create: false
 nats:
 enabled: true
 replicaCount: 1
diff --git a/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml b/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml
index be264cf..48e5950 100644
--- a/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml
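Review bot: With every `secretEnvs` entry dropped here and `openobserve.secret.create` set to `false` in the next hunk, this patch shows no replacement source for ZO_ROOT_USER_PASSWORD, ZO_META_POSTGRES_DSN, PGPASSWORD and the ZO_S3_* keys for the OpenObserve release itself, whereas opentelemetry-collector gains Vault agent annotations in the same commit. If these values are now supplied out of tree (a pre-created `openobserve-secret`, or Vault injection configured elsewhere), the HelmRelease should record that, for example a comment above `secret:` reading `# openobserve-secret is provisioned outside this HelmRelease; the chart no longer creates or populates it`. If nothing else provides them, the release will come up without a root password or object-store credentials, which is worth verifying before merge. The `config` block this hunk edits begins before the hunk.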
+++ b/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml
@@ -4,6 +4,26 @@ metadata:
 name: opentelemetry-collector
 namespace: opentelemetry-collector
 spec:
+ postRenderers:
+ - kustomize:
+ patches:
+ - target:
+ group: apps
+ version: v1
+ kind: DaemonSet
+ name: otel-collector
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/containers/0/command
+ value:
+ - /bin/sh
+ - -ec
+ - op: replace
+ path: /spec/template/spec/containers/0/args
+ value:
+ - |
+ export OPENOBSERVE_BASIC_AUTH="$(cat /vault/secrets/openobserve-basic-auth)"
+ exec /otelcol-contrib --config=/conf/relay.yaml
 dependsOn:
 - name: prometheus-stack
 namespace: prometheus-stack
@@ -14,17 +34,22 @@ spec:
 values:
 imagePullSecrets:
 - name: regcred
+ podAnnotations:
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: openobserve
+ vault.hashicorp.com/agent-inject-secret-openobserve-basic-auth: secrets/data/vault/apps/openobserve
+ vault.hashicorp.com/agent-inject-template-openobserve-basic-auth: |-
+ {{- with secret "secrets/data/vault/apps/openobserve" -}}
+ {{ index .Data.data "OPENOBSERVE_BASIC_AUTH" }}
+ {{- end -}}
 mode: daemonset
 fullnameOverride: otel-collector
 rollout:
 rollingUpdate:
 maxUnavailable: 4
- extraEnvs:
- - name: OPENOBSERVE_BASIC_AUTH
- valueFrom:
- secretKeyRef:
- name: openobserve-secret
- key: OPENOBSERVE_BASIC_AUTH
 presets:
 logsCollection:
 enabled: true
diff --git a/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml b/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
index 74ad85a..e8c2c04 100644
--- a/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
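Review bot: The `-e` in the new `/bin/sh -ec` wrapper does not fail closed when `/vault/secrets/openobserve-basic-auth` is missing or unreadable: in POSIX sh the exit status of `export NAME="$(cmd)"` is that of `export`, not of the command substitution, so a failing `cat` leaves OPENOBSERVE_BASIC_AUTH empty and the collector still starts and exports with blank credentials. Splitting the assignment closes that hole, `OPENOBSERVE_BASIC_AUTH="$(cat /vault/secrets/openobserve-basic-auth)"` on one line and `export OPENOBSERVE_BASIC_AUTH` on the next, or an explicit `[ -s /vault/secrets/openobserve-basic-auth ] || exit 1` before the exec. Two assumptions also deserve a comment next to the patch: the wrapper needs a `/bin/sh` in the image (the upstream otelcol-contrib image is built from scratch without a shell, so this presumably relies on the regcred-pulled custom image), and the credential now sits in the environment of PID 1, readable from /proc/1/environ by anything that can exec into the pod; if the collector build includes the file config provider, referencing `${file:/vault/secrets/openobserve-basic-auth}` from relay.yaml would avoid both the shell wrapper and the environment variable. The HelmRelease `spec` this hunk edits continues past the hunk.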
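Review bot: `vault.hashicorp.com/agent-pre-populate-only: "true"` runs only the init container, so the basic-auth value is read once at pod start and, through the wrapper script in the earlier hunk, frozen into the collector's environment; rotating OPENOBSERVE_BASIC_AUTH in Vault will not reach running DaemonSet pods until they are restarted, and nothing here says so. A comment above the annotations such as `# init-only injection: the secret is read once at pod start; roll the DaemonSet after rotating OPENOBSERVE_BASIC_AUTH in Vault` would make that operational coupling explicit. Separately, the collector pods authenticate with the Vault role `openobserve` rather than a role of their own; if that role's policy grants more than read access to the single OPENOBSERVE_BASIC_AUTH key, or if the same KV path also holds the root password and database/S3 credentials the openobserve patch stopped sourcing from a Kubernetes secret, every node's collector can read them, so a dedicated role and policy scoped to this key, or a separate path for the basic-auth pair, would preserve least privilege. The `values` block continues outside the hunk.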
@@ -25,7 +25,7 @@ spec:
 prometheus-node-exporter:
 prometheus:
 monitor:
- enabled: false
+ enabled: true
 jobLabel: node-exporter
 extraServiceMonitors:
 - name: zitadel-external-metrics