Refactor additional config rendering

.github/workflows/test.yaml

@@ -36,7 +36,6 @@ jobs:
           - legacy
           - extra-config
           - openshift
-          - prometheus
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -55,7 +54,6 @@ jobs:
           - legacy
           - extra-config
           - openshift
-          - prometheus
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -50,4 +50,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/legacy.yml tests/extra-config.yml tests/openshift.yml tests/prometheus.yml
+test_instances = tests/defaults.yml tests/legacy.yml tests/extra-config.yml tests/openshift.yml

class/defaults.yml

@@ -97,12 +97,26 @@ parameters:
         #increase if auth credentials change
         secretVersion: 0
 
-    secrets: {}
+    ingress:
+      enabled: false
+      tls:
+        enabled: true
+        clusterIssuer: 'letsencrypt-production'
+        key: null
+        cert: null
+      url: ''
+
+    basicAuth:
+      enabled: false
+      htpasswd: '?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/htpasswd}'
 
+    monitoring: true
     alerts:
       additionalRules: {}
       patchRules:
         ignoreNames: []
         patches: {}
 
+    secrets: {}
+
     helm_values: {}

class/loki.yml

@@ -30,6 +30,7 @@ parameters:
         output_path: ${_instance}/10_helm_loki
         helm_values_files:
           - ${_base_directory}/helmcharts/loki/${loki:charts:loki:version}/${loki:preset}.yaml
+          - ${_base_directory}/helmcharts/loki/${loki:charts:loki:version}/${_instance}-components.yaml
           - ${_base_directory}/helmcharts/loki/${loki:charts:loki:version}/${_instance}-configs.yaml
           - ${_base_directory}/helmcharts/loki/${loki:charts:loki:version}/${_instance}-overrides.yaml
         helm_params:

component/helm_values.jsonnet

@@ -10,7 +10,12 @@ local hasRolloutOperator = std.member(inv.applications, 'rollout-operator');
 // Global Params and Zone Aware Replication
 local globalConfig = params.global + com.makeMergeable({
   nodeSelector: std.get(params, 'globalNodeSelector', params.global.nodeSelector),
-  zoneAwareReplication: if hasRolloutOperator then params.global.zoneAwareReplication else std.trace('rollout-operator must be installed', {}),
+  zoneAwareReplication: params.global.zoneAwareReplication {
+    enabled: if params.global.zoneAwareReplication.enabled then
+      // Assert that zone aware replication is only enabled if rollout-operator is installed
+      if hasRolloutOperator then true else error 'rollout-operator must be installed for zone-aware replication'
+    else false,
+  },
 });
 
 local components = com.makeMergeable({
@@ -42,7 +47,6 @@ local components = com.makeMergeable({
   // Ingress Configuration
   gateway: {
     [if params.components.gateway.enabled then 'enabledNonEnterprise']: params.components.gateway.enabled,
-    extraEnvFrom: [ { secretRef: { name: '%s-bucket-secret' % inv.parameters._instance } } ],
     extraArgs: [ '-config.expand-env=true' ],
     nodeSelector: std.get(params.components.gateway, 'nodeSelector', globalConfig.nodeSelector),
   } + com.makeMergeable(params.components.gateway),
@@ -133,6 +137,14 @@ local global = com.makeMergeable({
       bucketSecretVersion: '%s' % params.s3.auth.secretVersion,
     },
   },
+  [if params.monitoring then 'monitoring']: {
+    serviceMonitor: {
+      enabled: params.monitoring,
+    },
+    rules: {
+      enabled: params.monitoring,
+    },
+  },
   lokiCanary: {
     enabled: false,
   },
@@ -190,6 +202,35 @@ local loki = com.makeMergeable({
 
 // Loki Config
 local ingress = com.makeMergeable({
+  [if params.components.gateway.enabled then 'gateway']: {
+    ingress: {
+      enabled: params.ingress.enabled,
+      [if params.ingress.tls.enabled && params.ingress.tls.clusterIssuer != null then 'annotations']: {
+        'cert-manager.io/cluster-issuer': params.ingress.tls.clusterIssuer,
+      } + if std.objectHas(params.ingress, 'annotations') then com.makeMergeable(params.ingress.annotations) else {},
+      [if std.objectHas(params.ingress, 'labels') then 'labels']: params.ingress.labels,
+      hosts: [ {
+        host: params.ingress.url,
+        paths: [
+          {
+            path: '/',
+            pathType: 'Prefix',
+          },
+        ],
+      } ],
+      [if params.ingress.tls.enabled then 'tls']: [ {
+        hosts: [ params.ingress.url ],
+        secretName: '%s-tls' % std.strReplace(params.ingress.url, '.', '-'),
+      } ],
+    },
+    nginx: {
+      basicAuth: {
+        enabled: params.basicAuth.enabled,
+        [if params.basicAuth.htpasswd != null && !std.objectHas(params.basicAuth, 'existingSecret') then 'existingSecret']: '%s-nginx-htpasswd' % inv.parameters._instance,
+        [if std.objectHas(params.basicAuth, 'existingSecret') then 'existingSecret']: params.basicAuth.existingSecret,
+      },
+    },
+  },
 });
 
 // hardcoded removal of rollout-operator
@@ -201,9 +242,15 @@ local hardRestrictions = com.makeMergeable({
     enabled: false,
   },
   [if !std.member([ 'none', 'legacy' ], params.preset) then 'deploymentMode']: 'Distributed',
+  ingester: {
+    zoneAwareReplication: {
+      enabled: if hasRolloutOperator && params.global.zoneAwareReplication.enabled then true else false,
+    },
+  },
 });
 
 {
+  ['%s-components' % inv.parameters._instance]: components + caches + experimental,
   ['%s-configs' % inv.parameters._instance]: openshift + images + global + loki + ingress,
   ['%s-overrides' % inv.parameters._instance]: params.helm_values + hardRestrictions,
 }

component/main.jsonnet

@@ -50,6 +50,19 @@ local params = inv.parameters.loki;
 
 local secrets = com.generateResources(
   {
+    [if params.ingress.tls.enabled && params.ingress.tls.key != null && params.ingress.tls.cert != null then '%s-tls' % std.strReplace(params.ingress.url, '.', '-')]:
+      {
+        stringData: {
+          'tls.key': params.ingress.tls.key,
+          'tls.cert': params.ingress.tls.cert,
+        },
+      },
+    [if params.basicAuth.enabled && params.basicAuth.htpasswd != null then '%s-nginx-htpasswd' % inv.parameters._instance]:
+      {
+        stringData: {
+          '.htpasswd': params.basicAuth.htpasswd,
+        },
+      },
     ['%s-bucket-secret' % inv.parameters._instance]: {
       stringData: {
         S3_ACCESS_KEY_ID: params.s3.auth.accessKeyId,

docs/modules/ROOT/pages/references/parameters.adoc

@@ -555,25 +555,181 @@ s3:
 Configure access- and secret key for the S3 storage.
 
 
-== `secrets`
+== `ingress`
+
+Ingress configuration
+
+=== `ingress.enabled`
+
+[horizontal]
+type:: boolean
+default::
++
+[source,yaml]
+----
+ingress:
+  enabled: false
+----
+
+Enables ingress.
+
+=== `ingress.tls.enabled`
 
 [horizontal]
 type:: dict
-default:: `{}`
+default::
++
+[source,yaml]
+----
+ingress:
+  tls:
+    enabled: true
+----
+
+Enables using TLS for ingress.
+
+=== `ingress.tls.clusterIssuer`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+ingress:
+  tls:
+    clusterIssuer: letsencrypt-production
+----
+
+Configures the annotation for the cert-manager `ClusterIssuer`, this component assumes cert-manager is installed.
+
+=== `ingress.tls.key` and `ingress.tls.cert`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+ingress:
+  tls:
+    key: null
+    cert: null
+----
+default::
++
+[source,yaml]
+----
+ingress:
+  tls:
+    clusterIssuer: null
+    key: |
+      -----BEGIN PRIVATE KEY-----
+      ...
+      -----END PRIVATE KEY-----
+    cert: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+----
+
+Configures private key and certificate for TLS.
+The secret will automatically be created.
+
+[TIP]
+====
+This requires `ingress.tls.clusterIssuer` to be null.
+If both are enabled, `ingress.tls.clusterIssuer` takes precedence.
+====
+
+=== `ingress.url`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+ingress:
+  url: ''
+----
+
+The URL for witch the ingress is configured.
+
+=== `ingress.annotations` and `ingress.labels`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+ingress:
+  annotations: {}
+  labels: {}
+----
 example::
 +
 [source,yaml]
 ----
-secrets:
-  loki-bucket-secret:
-    stringData:
-      S3_ACCESS_KEY_ID: null
-      S3_SECRET_ACCESS_KEY: null
-      S3_ENDPOINT: null
+ingress:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-staging
 ----
 
-A dict of secrets to create in the namespace. The key is the name of the secret, the value is the content of the secret.
-The value must be a dict with a key `stringData` which is a dict of key/value pairs to add to the secret.
+Add custom annotations and labels.
+
+
+== `basicAuth`
+
+Configures basic authentication for nginx.
+
+=== `basicAuth.enabled`
+
+[horizontal]
+type:: boolean
+default::
++
+[source,yaml]
+----
+basicAuth:
+  enabled: false
+----
+
+Enables basic authentication for nginx.
+
+=== `basicAuth.htpasswd`
+
+[horizontal]
+type:: boolean
+default::
++
+[source,yaml]
+----
+basicAuth:
+  htpasswd: '?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/htpasswd}'
+----
+
+The content of the `.htpasswd` file.
+
+[TIP]
+====
+If you set the `basicAuth.htpasswd: null`, you can use the `basicAuth.existingSecret` to inlcude an existing secret.
+====
+
+
+== `monitoring`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+monitoring: true
+----
+
+Enable the service monitors, rules, and alerts from the Helm chart.
 
 
 == `alerts`
@@ -644,6 +800,27 @@ The component expects valid partial Prometheus alert rule objects as values.
 IMPORTANT: The provided values aren't validated, they're applied to the corresponding upstream alert as-is.
 
 
+== `secrets`
+
+[horizontal]
+type:: dict
+default:: `{}`
+example::
++
+[source,yaml]
+----
+secrets:
+  loki-bucket-secret:
+    stringData:
+      S3_ACCESS_KEY_ID: null
+      S3_SECRET_ACCESS_KEY: null
+      S3_ENDPOINT: null
+----
+
+A dict of secrets to create in the namespace. The key is the name of the secret, the value is the content of the secret.
+The value must be a dict with a key `stringData` which is a dict of key/value pairs to add to the secret.
+
+
 == `helm_values`
 
 [horizontal]