Add observability stack with jaeger and opentelemetry-collector (#35)

* add observability stack

* chore(stack/observability): move jaeger and otel-operator to the observability stack directory

* chore(stack/observability): add grafana, loki, and tempo, with pre-configured data sources and TLS

* chore(stack/observability): add docs to the opentelemetry-collector config

* chore(stack/observability): disable otel-collector logging, fix unused template variable

* chore(stacks/observability): change batch processor to every second

* chore(stack/observability): add collector deployment for use outside of pods

* chore(stack/observability): update opentelemetry-operator

* chore(stack/observability): update manifest urls ahead of merge

* chore(stack/observability): add url to opentelemetry-operator chart

* chore(stack/observability): change grafana service type to NodePort

* chore: Switch to opentelemetry.io/v1beta1

* chore(stack/observability): move the stack to be with the related stacks

* chore(stack/observability): add comments about lack of NodePort services

---------

Co-authored-by: Sebastian Bernauer <[email protected]>

Author: NickLarsenNZ

stacks/observability/grafana-admin-credentials.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: grafana-admin-credentials
+stringData:
+  admin-user: admin
+  admin-password: {{ grafanaAdminPassword }}

stacks/observability/grafana-loki.yaml

@@ -0,0 +1,64 @@
+# https://github.com/grafana/loki/tree/main/production/helm/loki
+releaseName: loki
+name: loki
+repo:
+  name: loki
+  url: https://grafana.github.io/helm-charts
+version: 5.47.2
+options:
+  loki:
+    auth_enabled: false
+    commonConfig:
+      replication_factor: 1
+    storage:
+      type: 'filesystem'
+    server:
+      http_tls_config:
+        cert_file: /etc/loki/certs/tls.crt
+        key_file: /etc/loki/certs/tls.key
+    readinessProbe:
+      httpGet:
+        scheme: HTTPS
+  monitoring:
+    dashboards:
+      enabled: false
+    rules:
+      enabled: false
+    serviceMonitor:
+      enabled: false
+    lokiCanary:
+      enabled: false
+    selfMonitoring:
+      enabled: false
+      grafanaAgent:
+        installOperator: false
+  test:
+    enabled: false
+  gateway:
+    enabled: false
+  singleBinary:
+    replicas: 1
+    extraVolumeMounts:
+      # Mount the certificate generated by the secret-operator
+      - name: tls
+        mountPath: /etc/loki/certs/
+    extraVolumes:
+      # Request a TLS certificate from the secret-operator
+      - name: tls
+        ephemeral:
+          volumeClaimTemplate:
+            metadata:
+              annotations:
+                secrets.stackable.tech/class: tls
+                # Add the service loki to the
+                # distinguished names because this service is used
+                # by opentelemetry-collector.
+                secrets.stackable.tech/scope: |-
+                  service=loki
+            spec:
+              storageClassName: secrets.stackable.tech
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 1

stacks/observability/grafana-tempo.yaml

@@ -0,0 +1,51 @@
+# https://github.com/grafana/helm-charts/tree/main/charts/tempo
+releaseName: tempo
+name: tempo
+repo:
+  name: tempo
+  url: https://grafana.github.io/helm-charts
+version: 1.7.2
+options:
+  tempo:
+    server:
+      http_tls_config:
+        cert_file: /etc/tempo/certs/tls.crt
+        key_file: /etc/tempo/certs/tls.key
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: "0.0.0.0:4317"
+            tls:
+              cert_file: /etc/tempo/certs/tls.crt
+              key_file: /etc/tempo/certs/tls.key
+    extraVolumeMounts:
+      # Mount the certificate generated by the secret-operator
+      - name: tls
+        mountPath: /etc/tempo/certs/
+  tempoQuery:
+    enabled: true
+    extraVolumeMounts:
+      # Mount the certificate generated by the secret-operator
+      - name: tls
+        mountPath: /etc/tempo/certs/
+  extraVolumes:
+    # Request a TLS certificate from the secret-operator
+    - name: tls
+      ephemeral:
+        volumeClaimTemplate:
+          metadata:
+            annotations:
+              secrets.stackable.tech/class: tls
+              # Add the service loki to the
+              # distinguished names because this service is used
+              # by opentelemetry-collector.
+              secrets.stackable.tech/scope: |-
+                service=tempo
+          spec:
+            storageClassName: secrets.stackable.tech
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1

stacks/observability/grafana.yaml

@@ -0,0 +1,87 @@
+# https://github.com/grafana/helm-charts/tree/main/charts/grafana
+releaseName: grafana
+name: grafana
+repo:
+  name: grafana
+  url: https://grafana.github.io/helm-charts
+version: 7.3.7
+options:
+  admin:
+    existingSecret: grafana-admin-credentials
+  service:
+    type: NodePort
+  datasources:
+    datasources.yaml:
+      apiVersion: 1
+      datasources:
+      - name: Loki
+        type: loki
+        url: https://loki.default.svc.cluster.local:3100
+        access: proxy
+        isDefault: false
+        jsonData:
+          tlsAuthWithCACert: true
+        secureJsonData:
+          tlsCACert: $__file{/etc/grafana/certs/ca.crt}
+      - name: Tempo
+        type: tempo
+        url: https://tempo.default.svc.cluster.local:3100
+        access: proxy
+        isDefault: false
+        jsonData:
+          tlsAuthWithCACert: true
+        secureJsonData:
+          tlsCACert: $__file{/etc/grafana/certs/ca.crt}
+  readinessProbe:
+    httpGet:
+      scheme: HTTPS
+  livenessProbe:
+    httpGet:
+      scheme: HTTPS
+  testFramework:
+    enabled: false
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+  persistence:
+    enabled: true
+    # storageClassName: default
+    accessModes:
+      - ReadWriteOnce
+    size: 1Gi
+    # annotations: {}
+    finalizers: []
+  env:
+    # Enable HTTPS, using a Certificate from the Secret Operator
+    GF_SERVER_PROTOCOL: https
+    GF_SERVER_CERT_FILE: /etc/grafana/certs/tls.crt
+    GF_SERVER_CERT_KEY: /etc/grafana/certs/tls.key
+  extraVolumeMounts:
+    # Mount the certificate generated by the secret-operator
+    - name: tls
+      mountPath: /etc/grafana/certs/
+  extraVolumes:
+    # Request a TLS certificate from the secret-operator
+    - name: tls
+      csi:
+        driver: secrets.stackable.tech
+        volumeAttributes:
+          secrets.stackable.tech/class: tls
+          secrets.stackable.tech/scope: node,pod,service=grafana
+      # ephemeral:
+      #   volumeClaimTemplate:
+      #     metadata:
+      #       annotations:
+      #         secrets.stackable.tech/class: tls
+      #         secrets.stackable.tech/scope: pod #,service=grafana
+      #     spec:
+      #       storageClassName: secrets.stackable.tech
+      #       accessModes:
+      #         - ReadWriteOnce
+      #       resources:
+      #         requests:
+      #           storage: 1

stacks/observability/jaeger.yaml

@@ -0,0 +1,30 @@
+# https://github.com/jaegertracing/helm-charts/tree/main/charts/jaeger
+# The jaeger allInOne mode doesn't support NodePort services.
+releaseName: jaeger
+name: jaeger
+repo:
+  name: jaeger
+  url: https://jaegertracing.github.io/helm-charts
+version: 2.0.1
+options:
+  # labels:
+  #   stackable.tech/vendor: Stackable
+  provisionDataStore:
+    cassandra: false
+  allInOne:
+    enabled: true
+    extraEnv: []
+    service:
+      headless: true
+      collector:
+        otlp:
+          grpc:
+            name: otlp-grpc
+          # http:
+          #   name: otlp-http
+  agent:
+    enabled: false
+  collector:
+    enabled: false
+  query:
+    enabled: false