gitops: observability stack (Loki/Promtail/Grafana), Grafana Ingress, Argo multi-source

- Add gitops/observability umbrella chart with vendored Helm deps - Grafana Ingress: Traefik, letsencrypt-prod, grafana.k8s.selair.it + root_url - Argo Application: spec.sources (onelab + onelab-obs) - OneLab: configuration secret override, compliance/LDAP values, logs.path /logs - Docs: OBSERVABILITY, BOOTSTRAP, README, instance-overrides example Made-with: Cursor
2026-03-20 11:10:06 +01:00
parent 9cb1b10d6c
commit b91c35c410
18 changed files with 360 additions and 14 deletions
--- a/gitops/observability/Chart.lock
+++ b/gitops/observability/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: loki
+  repository: https://grafana.github.io/helm-charts
+  version: 6.55.0
+- name: promtail
+  repository: https://grafana.github.io/helm-charts
+  version: 6.17.1
+- name: grafana
+  repository: https://grafana.github.io/helm-charts
+  version: 10.5.15
+digest: sha256:5b34192a8db9d940587777fbc62a13503c21217da814308654ce73fca2ed5d56
+generated: "2026-03-20T11:06:47.9376325+01:00"
--- a/gitops/observability/Chart.yaml
+++ b/gitops/observability/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: onelab-observability
+description: Loki + Promtail + Grafana for OneLab (same Argo Application as app chart via multi-source).
+type: application
+version: 0.1.0
+appVersion: "1.0"
+dependencies:
+  - name: loki
+    version: 6.55.0
+    repository: https://grafana.github.io/helm-charts
+  - name: promtail
+    version: 6.17.1
+    repository: https://grafana.github.io/helm-charts
+  - name: grafana
+    version: 10.5.15
+    repository: https://grafana.github.io/helm-charts
--- a/gitops/observability/README.md
+++ b/gitops/observability/README.md
@@ -0,0 +1,7 @@
+# OneLab observability (Helm umbrella)
+
+Loki + Promtail + Grafana dependencies are pinned in `Chart.lock`; packaged charts live in `charts/*.tgz`.
+
+Deployed by Argo CD as the second `sources` entry in `gitops/argocd/application.yaml` with **`releaseName: onelab-obs`**.
+
+See [../docs/OBSERVABILITY.md](../docs/OBSERVABILITY.md) for operations and security notes.
--- a/gitops/observability/charts/grafana-10.5.15.tgz
+++ b/gitops/observability/charts/grafana-10.5.15.tgz
--- a/gitops/observability/charts/loki-6.55.0.tgz
+++ b/gitops/observability/charts/loki-6.55.0.tgz
--- a/gitops/observability/charts/promtail-6.17.1.tgz
+++ b/gitops/observability/charts/promtail-6.17.1.tgz
--- a/gitops/observability/values.yaml
+++ b/gitops/observability/values.yaml
@@ -0,0 +1,128 @@
+# Umbrella chart: Loki (SingleBinary + filesystem) + Promtail + Grafana.
+# Keep hostPath below in sync with persistence.hostPath.logs in gitops/values/k3s-example.yaml.
+
+loki:
+  deploymentMode: SingleBinary
+  loki:
+    auth_enabled: false
+    commonConfig:
+      replication_factor: 1
+    storage:
+      type: filesystem
+    schemaConfig:
+      configs:
+        - from: "2024-04-01"
+          store: tsdb
+          object_store: filesystem
+          schema: v13
+          index:
+            prefix: loki_index_
+            period: 24h
+    limits_config:
+      retention_period: 168h
+      ingestion_rate_mb: 16
+      ingestion_burst_size_mb: 32
+  singleBinary:
+    replicas: 1
+    persistence:
+      enabled: true
+      size: 10Gi
+  backend:
+    replicas: 0
+  read:
+    replicas: 0
+  write:
+    replicas: 0
+  ingester:
+    replicas: 0
+  querier:
+    replicas: 0
+  queryFrontend:
+    replicas: 0
+  queryScheduler:
+    replicas: 0
+  distributor:
+    replicas: 0
+  compactor:
+    replicas: 0
+  indexGateway:
+    replicas: 0
+  bloomCompactor:
+    replicas: 0
+  bloomGateway:
+    replicas: 0
+  ruler:
+    replicas: 0
+  minio:
+    enabled: false
+  lokiCanary:
+    enabled: false
+  test:
+    enabled: false
+  chunksCache:
+    enabled: false
+  resultsCache:
+    enabled: false
+
+promtail:
+  config:
+    clients:
+      - url: http://{{ .Release.Name }}-loki-gateway.{{ .Release.Namespace }}.svc.cluster.local/loki/api/v1/push
+    snippets:
+      extraScrapeConfigs: |
+        - job_name: onelab-host-log-files
+          static_configs:
+            - targets:
+                - localhost
+              labels:
+                job: onelab-files
+                __path__: /onelab-host-logs/**/*
+  extraVolumes:
+    - name: onelab-host-logs
+      hostPath:
+        path: /opt/onelab/logs
+        type: DirectoryOrCreate
+  extraVolumeMounts:
+    - name: onelab-host-logs
+      mountPath: /onelab-host-logs
+      readOnly: true
+
+# Grafana Ingress: align host/TLS with gitops/values/k3s-example.yaml ingress (Traefik + cert-manager).
+grafana:
+  adminUser: admin
+  adminPassword: changeme
+  persistence:
+    enabled: true
+    size: 2Gi
+  service:
+    type: ClusterIP
+  # Required when served behind Ingress (redirects, OAuth callbacks).
+  grafana.ini:
+    server:
+      domain: grafana.k8s.selair.it
+      root_url: https://grafana.k8s.selair.it/
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - grafana.k8s.selair.it
+    path: /
+    pathType: Prefix
+    tls:
+      - secretName: grafana-tls-k8s-selair
+        hosts:
+          - grafana.k8s.selair.it
+  datasources:
+    datasources.yaml:
+      apiVersion: 1
+      datasources:
+        - name: Loki
+          type: loki
+          uid: loki
+          url: http://{{ .Release.Name }}-loki-gateway.{{ .Release.Namespace }}.svc.cluster.local
+          access: proxy
+          isDefault: true
+          jsonData:
+            maxLines: 1000