Fix brusnika-stage observability secrets and certs

clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml

@@ -12,6 +12,9 @@ spec:
       - selector:
           dnsNames:
             - zitadel.test.sarex.brusnika.tech
+            - grafana.test.sarex.brusnika.tech
+            - openobserve.test.sarex.brusnika.tech
+            - vmalert.test.sarex.brusnika.tech
         http01:
           ingress:
             class: istio

clusters/brusnika-stage/infrastructure/patches/openobserve.yaml

@@ -44,55 +44,6 @@ spec:
             - name: ZO_TELEMETRY
               value:
                 _default: "false"
-          secretEnvs:
-            - name: ZO_ROOT_USER_EMAIL
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_ROOT_USER_EMAIL
-            - name: ZO_ROOT_USER_PASSWORD
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_ROOT_USER_PASSWORD
-            - name: ZO_META_POSTGRES_DSN
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_META_POSTGRES_DSN
-            - name: ZO_NATS_ADDR
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_NATS_ADDR
-            - name: PGHOST
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGHOST
-            - name: PGPORT
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGPORT
-            - name: PGDATABASE
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGDATABASE
-            - name: PGUSER
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGUSER
-            - name: PGPASSWORD
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGPASSWORD
-            - name: PGSSLMODE
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGSSLMODE
-            - name: ZO_S3_ACCESS_KEY
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_S3_ACCESS_KEY
-            - name: ZO_S3_SECRET_KEY
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_S3_SECRET_KEY
           serviceAccount:
             enabled: true
             name:
@@ -104,17 +55,7 @@ spec:
               _default: regcred
     openobserve:
       secret:
-        create: true
+        create: false
-        extraNamespaces:
-          - opentelemetry-collector
-        data:
-          ZO_ROOT_USER_EMAIL: admin@openobserve.test.sarex.brusnika.tech
-          PGHOST: 192.168.2.45
-          PGPORT: "5432"
-          PGDATABASE: openobserve
-          PGUSER: openobserve
-          PGSSLMODE: disable
-          ZO_NATS_ADDR: nats://openobserve-nats:4222
       nats:
         enabled: true
         replicaCount: 1

clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml

@@ -4,6 +4,26 @@ metadata:
   name: opentelemetry-collector
   namespace: opentelemetry-collector
 spec:
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              group: apps
+              version: v1
+              kind: DaemonSet
+              name: otel-collector
+            patch: |-
+              - op: replace
+                path: /spec/template/spec/containers/0/command
+                value:
+                  - /bin/sh
+                  - -ec
+              - op: replace
+                path: /spec/template/spec/containers/0/args
+                value:
+                  - |
+                    export OPENOBSERVE_BASIC_AUTH="$(cat /vault/secrets/openobserve-basic-auth)"
+                    exec /otelcol-contrib --config=/conf/relay.yaml
   dependsOn:
     - name: prometheus-stack
       namespace: prometheus-stack
@@ -14,17 +34,22 @@ spec:
   values:
     imagePullSecrets:
       - name: regcred
+    podAnnotations:
+      vault.hashicorp.com/agent-init-first: "true"
+      vault.hashicorp.com/agent-inject: "true"
+      vault.hashicorp.com/agent-pre-populate-only: "true"
+      vault.hashicorp.com/auth-path: auth/kubernetes
+      vault.hashicorp.com/role: openobserve
+      vault.hashicorp.com/agent-inject-secret-openobserve-basic-auth: secrets/data/vault/apps/openobserve
+      vault.hashicorp.com/agent-inject-template-openobserve-basic-auth: |-
+        {{- with secret "secrets/data/vault/apps/openobserve" -}}
+        {{ index .Data.data "OPENOBSERVE_BASIC_AUTH" }}
+        {{- end -}}
     mode: daemonset
     fullnameOverride: otel-collector
     rollout:
       rollingUpdate:
         maxUnavailable: 4
-    extraEnvs:
-      - name: OPENOBSERVE_BASIC_AUTH
-        valueFrom:
-          secretKeyRef:
-            name: openobserve-secret
-            key: OPENOBSERVE_BASIC_AUTH
     presets:
       logsCollection:
         enabled: true

clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml

@@ -25,7 +25,7 @@ spec:
     prometheus-node-exporter:
       prometheus:
         monitor:
-          enabled: false
+          enabled: true
           jobLabel: node-exporter
     extraServiceMonitors:
       - name: zitadel-external-metrics