Fix brusnika-stage observability secrets and certs

2026-06-15 12:03:39 +03:00 · 2026-06-15 12:03:39 +03:00 · 805394607a
commit 805394607a
parent 2abd7d9658
4 changed files with 36 additions and 67 deletions
--- a/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
+++ b/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
@ -12,6 +12,9 @@ spec:
      - selector:
          dnsNames:
            - zitadel.test.sarex.brusnika.tech
+            - grafana.test.sarex.brusnika.tech
+            - openobserve.test.sarex.brusnika.tech
+            - vmalert.test.sarex.brusnika.tech
        http01:
          ingress:
            class: istio
--- a/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/openobserve.yaml
@ -44,55 +44,6 @@ spec:
            - name: ZO_TELEMETRY
              value:
                _default: "false"
-          secretEnvs:
-            - name: ZO_ROOT_USER_EMAIL
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_ROOT_USER_EMAIL
-            - name: ZO_ROOT_USER_PASSWORD
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_ROOT_USER_PASSWORD
-            - name: ZO_META_POSTGRES_DSN
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_META_POSTGRES_DSN
-            - name: ZO_NATS_ADDR
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_NATS_ADDR
-            - name: PGHOST
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGHOST
-            - name: PGPORT
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGPORT
-            - name: PGDATABASE
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGDATABASE
-            - name: PGUSER
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGUSER
-            - name: PGPASSWORD
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGPASSWORD
-            - name: PGSSLMODE
-              secretName:
-                _default: openobserve-secret
-              secretKey: PGSSLMODE
-            - name: ZO_S3_ACCESS_KEY
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_S3_ACCESS_KEY
-            - name: ZO_S3_SECRET_KEY
-              secretName:
-                _default: openobserve-secret
-              secretKey: ZO_S3_SECRET_KEY
          serviceAccount:
            enabled: true
            name:
@ -104,17 +55,7 @@ spec:
              _default: regcred
    openobserve:
      secret:
-        create: true
-        extraNamespaces:
-          - opentelemetry-collector
-        data:
-          ZO_ROOT_USER_EMAIL: admin@openobserve.test.sarex.brusnika.tech
-          PGHOST: 192.168.2.45
-          PGPORT: "5432"
-          PGDATABASE: openobserve
-          PGUSER: openobserve
-          PGSSLMODE: disable
-          ZO_NATS_ADDR: nats://openobserve-nats:4222
+        create: false
      nats:
        enabled: true
        replicaCount: 1
--- a/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/opentelemetry-collector.yaml
@ -4,6 +4,26 @@ metadata:
  name: opentelemetry-collector
  namespace: opentelemetry-collector
 spec:
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              group: apps
+              version: v1
+              kind: DaemonSet
+              name: otel-collector
+            patch: |-
+              - op: replace
+                path: /spec/template/spec/containers/0/command
+                value:
+                  - /bin/sh
+                  - -ec
+              - op: replace
+                path: /spec/template/spec/containers/0/args
+                value:
+                  - |
+                    export OPENOBSERVE_BASIC_AUTH="$(cat /vault/secrets/openobserve-basic-auth)"
+                    exec /otelcol-contrib --config=/conf/relay.yaml
  dependsOn:
    - name: prometheus-stack
      namespace: prometheus-stack
@ -14,17 +34,22 @@ spec:
  values:
    imagePullSecrets:
      - name: regcred
+    podAnnotations:
+      vault.hashicorp.com/agent-init-first: "true"
+      vault.hashicorp.com/agent-inject: "true"
+      vault.hashicorp.com/agent-pre-populate-only: "true"
+      vault.hashicorp.com/auth-path: auth/kubernetes
+      vault.hashicorp.com/role: openobserve
+      vault.hashicorp.com/agent-inject-secret-openobserve-basic-auth: secrets/data/vault/apps/openobserve
+      vault.hashicorp.com/agent-inject-template-openobserve-basic-auth: |-
+        {{- with secret "secrets/data/vault/apps/openobserve" -}}
+        {{ index .Data.data "OPENOBSERVE_BASIC_AUTH" }}
+        {{- end -}}
    mode: daemonset
    fullnameOverride: otel-collector
    rollout:
      rollingUpdate:
        maxUnavailable: 4
-    extraEnvs:
-      - name: OPENOBSERVE_BASIC_AUTH
-        valueFrom:
-          secretKeyRef:
-            name: openobserve-secret
-            key: OPENOBSERVE_BASIC_AUTH
    presets:
      logsCollection:
        enabled: true
--- a/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/prometheus-stack.yaml
@ -25,7 +25,7 @@ spec:
    prometheus-node-exporter:
      prometheus:
        monitor:
-          enabled: false
+          enabled: true
          jobLabel: node-exporter
    extraServiceMonitors:
      - name: zitadel-external-metrics