Add Grafana Alloy for centralized observability (metrics, logs, traces) (#4816)

## Summary

This PR adds optional Grafana Alloy support to enable centralized
observability for validators by collecting and forwarding metrics, logs,
and traces to a remote monitoring infrastructure.

## Changes

### Docker Compose
- **Optional Alloy monitoring** via `docker-compose.alloy.yml` override
file
- Opt-in: `docker-compose -f docker-compose.yml -f
docker-compose.alloy.yml up -d`
  - Default behavior unchanged: validators run without monitoring
  
- **Alloy configuration** (`docker/alloy-config.river`)
- **Metrics**: Scrapes Prometheus metrics from proxy and shard services
(port 21100)
  - **Logs**: Discovers and streams Docker container logs
  - **Traces**: OTLP receiver on ports 4317 (gRPC) and 4318 (HTTP)
- **Remote forwarding**: Optionally forwards to central Prometheus,
Loki, and Tempo

### Kubernetes Helm Chart
- **Alloy dependency** in `Chart.yaml` (version 1.3.1)
- **Alloy config template** (`alloy-config.river.tpl`)
  - Kubernetes pod/service discovery
  - Scrapes metrics from linera-proxy and linera-shard pods
  - Collects pod logs via Kubernetes API
  - Deployed as DaemonSet for distributed collection

- **Configuration** in `values-local.yaml.gotmpl`
- Controlled by `LINERA_HELMFILE_SET_ALLOY_ENABLED` env var (default:
false)
  - Environment-based credentials
  - Cluster/validator labels for multi-cluster visibility
  - Resource limits (CPU: 500m, Memory: 512Mi)

- **Updated README** with monitoring reference

## Configuration

### Docker Compose

**Basic (local metrics only):**
```bash
docker-compose -f docker-compose.yml -f docker-compose.alloy.yml up -d
```

**With remote endpoints:**
```bash
# Prometheus (OTLP format)
export PROMETHEUS_OTLP_URL="https://your-prometheus/otlp"
export PROMETHEUS_OTLP_USER="username"
export PROMETHEUS_OTLP_PASS="password"

# Loki (logs)
export LOKI_PUSH_URL="https://your-loki/loki/api/v1/push"
export LOKI_PUSH_USER="username"
export LOKI_PUSH_PASS="password"

# Tempo (traces)
export TEMPO_OTLP_URL="https://your-tempo/otlp"
export TEMPO_OTLP_USER="username"
export TEMPO_OTLP_PASS="password"

# Validator identification
export HOSTNAME="validator-01"

docker-compose -f docker-compose.yml -f docker-compose.alloy.yml up -d
```

### Kubernetes

```bash
# Enable Alloy
export LINERA_HELMFILE_SET_ALLOY_ENABLED=true

# Identification
export LINERA_HELMFILE_SET_CLUSTER_NAME="production-gke"
export LINERA_HELMFILE_SET_VALIDATOR_NAME="validator-01"

# Optional: Remote endpoints (same format as Docker)
export PROMETHEUS_OTLP_URL="https://..."
export PROMETHEUS_OTLP_USER="username"
export PROMETHEUS_OTLP_PASS="password"
# ... (Loki and Tempo)

# Deploy
lineractl deploy ...
```

## Key Features

- ✅ **Fully optional**: No changes to default behavior, validators work
without monitoring
- ✅ **Centralized observability**: Send data to a single monitoring
stack
- ✅ **Standards-based**: OpenTelemetry Protocol (OTLP) and Prometheus
remote write
- ✅ **Secure**: TLS with certificate verification, basic auth support
- ✅ **Auto-discovery**: Docker containers and Kubernetes pods
automatically detected
- ✅ **Configurable**: All endpoints and credentials via environment
variables
- ✅ **Distributed collection**: Kubernetes DaemonSet scales across nodes
- ✅ **Multi-validator visibility**: Monitor entire validator fleet

## Architecture

**Docker Compose**: Alloy container scrapes metrics from services,
collects container logs via Docker socket

**Kubernetes**: Alloy DaemonSet (one pod per node) discovers and
collects from validator pods using Kubernetes API

## Verification

### Docker Compose
```bash
# Check Alloy status
docker-compose -f docker-compose.yml -f docker-compose.alloy.yml ps alloy

# View logs
docker-compose logs alloy

# Test metrics endpoint
curl http://localhost:12345/metrics
```

### Kubernetes
```bash
# Check DaemonSet
kubectl get daemonset alloy -n <namespace>

# Check pods
kubectl get pods -l app.kubernetes.io/name=alloy -n <namespace>

# View logs
kubectl logs -l app.kubernetes.io/name=alloy -n <namespace> --tail=100
```

## Files Changed

- `docker/docker-compose.alloy.yml` - Optional Alloy override
- `docker/alloy-config.river` - Alloy configuration for Docker
- `kubernetes/linera-validator/Chart.yaml` - Alloy dependency
- `kubernetes/linera-validator/Chart.lock` - Updated lock file
- `kubernetes/linera-validator/charts/alloy-1.3.1.tgz` - Alloy Helm
chart
- `kubernetes/linera-validator/alloy-config.river.tpl` - Alloy config
template
- `kubernetes/linera-validator/values-local.yaml.gotmpl` - Alloy
configuration
- `kubernetes/linera-validator/README.md` - Added monitoring reference

## Benefits

- Internal validators can send telemetry to Linera's central monitoring
platform
- External partners can optionally enable monitoring to share telemetry
- No impact on validators that don't need/want monitoring
- Reduces local resource usage when using central storage
- Enables fleet-wide monitoring and alerting

## Future Work

- Add OpenTelemetry instrumentation to linera-proxy and linera-shard for
distributed tracing
- Configure alerting rules for critical validator events
- Create custom dashboards for validator-specific metrics

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: eldios

docker/alloy-config.river

@@ -0,0 +1,184 @@
+// Grafana Alloy configuration for Linera validator observability
+// Collects metrics, logs, and traces and forwards to central stack
+
+// ==================== Prometheus Metrics Scraping ====================
+
+// Scrape metrics from proxy service
+prometheus.scrape "proxy_metrics" {
+  targets = [{
+    __address__ = "proxy:21100",
+    job         = "linera-proxy",
+    instance    = env("HOSTNAME"),
+  }]
+
+  // Forward to OTLP converter for remote push if configured
+  forward_to = [otelcol.receiver.prometheus.default.receiver]
+
+  scrape_interval = "15s"
+  scrape_timeout  = "10s"
+}
+
+// Scrape metrics from shard services (all 4 replicas)
+prometheus.scrape "shard_metrics" {
+  targets = [
+    {
+      __address__ = "shard:21100",
+      job         = "linera-shard",
+      instance    = env("HOSTNAME"),
+    },
+  ]
+
+  // Forward to OTLP converter for remote push if configured
+  forward_to = [otelcol.receiver.prometheus.default.receiver]
+
+  scrape_interval = "15s"
+  scrape_timeout  = "10s"
+}
+
+// Expose Alloy's own metrics
+prometheus.exporter.self "alloy" {}
+
+prometheus.scrape "alloy_metrics" {
+  targets    = prometheus.exporter.self.alloy.targets
+  // Forward to OTLP converter for remote push if configured
+  forward_to = [otelcol.receiver.prometheus.default.receiver]
+}
+
+// ==================== Prometheus Metrics Export (Optional) ====================
+
+// Convert Prometheus metrics to OTLP and send to central (Prometheus 3.x uses OTLP)
+// To enable, set these environment variables:
+//   PROMETHEUS_OTLP_URL: https://your-prometheus-endpoint/otlp
+//   PROMETHEUS_OTLP_USER: your-username
+//   PROMETHEUS_OTLP_PASS: your-password
+
+// Export Prometheus metrics as OTLP
+otelcol.exporter.otlphttp "prometheus" {
+  client {
+    endpoint = env("PROMETHEUS_OTLP_URL")
+
+    auth = otelcol.auth.basic.prometheus_credentials.handler
+
+    tls {
+      insecure_skip_verify = false
+    }
+  }
+}
+
+// Basic auth for Prometheus OTLP
+otelcol.auth.basic "prometheus_credentials" {
+  username = env("PROMETHEUS_OTLP_USER")
+  password = env("PROMETHEUS_OTLP_PASS")
+}
+
+// Convert Prometheus metrics to OTLP format
+otelcol.receiver.prometheus "default" {
+  output {
+    metrics = [otelcol.exporter.otlphttp.prometheus.input]
+  }
+}
+
+// ==================== Loki Logs Collection ====================
+
+// Discover docker containers
+discovery.docker "containers" {
+  host = "unix:///var/run/docker.sock"
+}
+
+// Relabel discovered containers
+discovery.relabel "docker_logs" {
+  targets = discovery.docker.containers.targets
+  
+  rule {
+    source_labels = ["__meta_docker_container_name"]
+    target_label  = "container"
+  }
+  
+  rule {
+    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
+    target_label  = "service"
+  }
+  
+  rule {
+    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
+    target_label  = "project"
+  }
+}
+
+// Read docker logs
+loki.source.docker "containers" {
+  host       = "unix:///var/run/docker.sock"
+  targets    = discovery.relabel.docker_logs.output
+  forward_to = [loki.write.central.receiver]
+}
+
+// Write logs to central Loki (optional - only if env vars are set)
+// To enable, set these environment variables:
+//   LOKI_PUSH_URL: https://your-loki-endpoint/loki/api/v1/push
+//   LOKI_PUSH_USER: your-username
+//   LOKI_PUSH_PASS: your-password
+loki.write "central" {
+  endpoint {
+    url = env("LOKI_PUSH_URL")
+
+    basic_auth {
+      username = env("LOKI_PUSH_USER")
+      password = env("LOKI_PUSH_PASS")
+    }
+
+    tls_config {
+      insecure_skip_verify = false
+    }
+  }
+
+  external_labels = {
+    cluster   = "validator-docker-compose",
+    validator = env("HOSTNAME"),
+  }
+}
+
+// ==================== Tempo Traces Collection ====================
+
+// OTLP receiver for traces
+otelcol.receiver.otlp "default" {
+  grpc {
+    endpoint = "0.0.0.0:4317"
+  }
+  
+  http {
+    endpoint = "0.0.0.0:4318"
+  }
+  
+  output {
+    traces  = [otelcol.exporter.otlphttp.central.input]
+  }
+}
+
+// Export traces to central Tempo (optional - only if env vars are set)
+// To enable, set these environment variables:
+//   TEMPO_OTLP_URL: https://your-tempo-endpoint/tempo/otlp
+//   TEMPO_OTLP_USER: your-username
+//   TEMPO_OTLP_PASS: your-password
+otelcol.exporter.otlphttp "central" {
+  client {
+    endpoint = env("TEMPO_OTLP_URL")
+
+    auth = otelcol.auth.basic.credentials.handler
+
+    tls {
+      insecure_skip_verify = false
+    }
+  }
+}
+
+// Basic auth for OTLP
+otelcol.auth.basic "credentials" {
+  username = env("TEMPO_OTLP_USER")
+  password = env("TEMPO_OTLP_PASS")
+}
+
+// ==================== Metrics Exposition ====================
+
+// Expose Prometheus-compatible metrics endpoint for central Prometheus to scrape
+// This runs on port 12345 and exposes all collected metrics
+// Note: Alloy's own metrics are already exposed via prometheus.exporter.self

docker/docker-compose.alloy.yml

@@ -0,0 +1,49 @@
+# Docker Compose override file to enable Grafana Alloy for central observability
+#
+# Usage:
+#   docker-compose -f docker-compose.yml -f docker-compose.alloy.yml up -d
+#
+# Documentation: See MONITORING.md for complete setup and configuration guide
+#
+# Required environment variables for remote push:
+#   PROMETHEUS_OTLP_URL: https://your-prometheus-endpoint/otlp
+#   PROMETHEUS_OTLP_USER: your-username
+#   PROMETHEUS_OTLP_PASS: your-password
+#   LOKI_PUSH_URL: https://your-loki-endpoint/loki/api/v1/push
+#   LOKI_PUSH_USER: your-username
+#   LOKI_PUSH_PASS: your-password
+#   TEMPO_OTLP_URL: https://your-tempo-endpoint/tempo/otlp
+#   TEMPO_OTLP_USER: your-username
+#   TEMPO_OTLP_PASS: your-password
+
+services:
+  alloy:
+    image: grafana/alloy:latest
+    container_name: alloy
+    ports:
+      - "12345:12345"  # Prometheus metrics exposition
+      - "4317:4317"    # OTLP gRPC receiver
+      - "4318:4318"    # OTLP HTTP receiver
+    volumes:
+      - ./alloy-config.river:/etc/alloy/config.river:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    command:
+      - "run"
+      - "--server.http.listen-addr=0.0.0.0:12345"
+      - "/etc/alloy/config.river"
+    environment:
+      - HOSTNAME=${HOSTNAME:-validator}
+      - PROMETHEUS_OTLP_URL=${PROMETHEUS_OTLP_URL:-}
+      - PROMETHEUS_OTLP_USER=${PROMETHEUS_OTLP_USER:-}
+      - PROMETHEUS_OTLP_PASS=${PROMETHEUS_OTLP_PASS:-}
+      - LOKI_PUSH_URL=${LOKI_PUSH_URL:-}
+      - LOKI_PUSH_USER=${LOKI_PUSH_USER:-}
+      - LOKI_PUSH_PASS=${LOKI_PUSH_PASS:-}
+      - TEMPO_OTLP_URL=${TEMPO_OTLP_URL:-}
+      - TEMPO_OTLP_USER=${TEMPO_OTLP_USER:-}
+      - TEMPO_OTLP_PASS=${TEMPO_OTLP_PASS:-}
+    labels:
+      com.centurylinklabs.watchtower.enable: "true"
+    depends_on:
+      - proxy
+      - shard

kubernetes/linera-validator/Chart.lock

@@ -8,5 +8,8 @@ dependencies:
 - name: pyroscope
   repository: https://grafana.github.io/helm-charts
   version: 1.14.2
-digest: sha256:7fe611b57ddb6d72aa31bac87568fdb8e531e988e2ce4067b931d3026332f027
-generated: "2025-09-01T16:56:59.19795-03:00"
+- name: alloy
+  repository: https://grafana.github.io/helm-charts
+  version: 1.3.1
+digest: sha256:295a8fc7b332a0b3c3223c2192ee1dbff016f8707760c5b4b22d76403d6d7af4
+generated: "2025-10-21T02:26:24.01435788+02:00"

kubernetes/linera-validator/Chart.yaml

@@ -15,24 +15,29 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.16.1"
 
 # Dependencies of the application being deployed.
 dependencies:
   - name: kube-prometheus-stack
     version: "51.0.3"
     repository: "https://prometheus-community.github.io/helm-charts"
-
+    condition: kube-prometheus-stack.enabled
   - name: loki-stack
     version: "2.8.9"
     repository: "https://grafana.github.io/helm-charts"
-
+    condition: loki-stack.enabled
   - name: pyroscope
     version: "1.14.2"
     repository: "https://grafana.github.io/helm-charts"
+    condition: pyroscope.enabled
+  - name: alloy
+    version: "1.3.1"
+    repository: "https://grafana.github.io/helm-charts"
+    condition: alloy.enabled