WIP: configure alloy in control-plane

Author: ma-hartma

common/roles/defaults/defaults/main.yaml

@@ -161,8 +161,10 @@ metal_stack_release:
     metal_helm_chart_tag: "helm-charts.metal-stack.metal-control-plane.tag"
     logging_chart_version: "helm-charts.logging.loki.version"
     logging_chart_repo: "helm-charts.logging.loki.repository"
-    logging_alloy_version: "helm-charts.logging.alloy.version"
-    logging_alloy_repo: "helm-charts.logging.alloy.repository"
+    logging_alloy_chart_version: "helm-charts.logging.alloy.version"
+    logging_alloy_chart_repo: "helm-charts.logging.alloy.repository"
+    gardener_logging_alloy_chart_version: "helm-charts.logging.alloy.version"
+    gardener_logging_alloy_chart_repo: "helm-charts.logging.alloy.repository"
     logging_promtail_chart_version: "helm-charts.logging.promtail.version"
     logging_promtail_chart_repo: "helm-charts.logging.promtail.repository"
     gardener_logging_promtail_chart_version: "helm-charts.logging.promtail.version"

control-plane/roles/gardener-logging/README.md

@@ -1,6 +1,12 @@
 # gardener-logging
 
-This role deploys a promtail into a Gardener shooted seed. It is expected that the [logging role](../logging/) was deployed into the metal-stack control plane before executing this role.
+Deploys Alloy (replacing Promtail) into Gardener shooted seeds and optionally into the garden cluster itself. Alloy collects pod logs via the Kubernetes API and forwards them to the Loki instance in the metal-stack control plane.
+
+Expects the [logging role](../logging/) to have been deployed first.
+
+## Configuration
+
+The Alloy River config is generated from structured variables at deploy time. Override individual variables to customize behavior, or bypass the template entirely with `gardener_logging_alloy_config_raw`.
 
 ## Variables
 
@@ -20,3 +26,27 @@ The following variables can be set to configure the role:
 | gardener_logging_ingress_loki_basic_auth_user     |           | The basic auth user for the external loki ingress                |
 | gardener_logging_deploy_to_garden_cluster         |           | Deploys promtail also into the garden cluster                    |
 | gardener_logging_shooted_seeds                    |           | Shooted seed names on which to deploy promtails that log to loki |
+
+### Alloy
+
+| Name | Mandatory | Description |
+| --- | --- | --- |
+| gardener_logging_alloy_chart_version | yes | Helm chart version for alloy (release vector) |
+| gardener_logging_alloy_chart_repo | yes | Repository for alloy (release vector) |
+| gardener_logging_alloy_port | | Alloy listen port (default: `12345`) |
+| gardener_logging_alloy_loki_write_endpoints | | List of Loki push endpoints. Each entry: `{url, basic_auth?: {username, password}}` (default: HTTPS to `gardener_logging_ingress_dns`) |
+| gardener_logging_alloy_cluster_label | | Value for the `cluster=` external label on all log streams (default: `gardener_logging_shooted_seed.name`) |
+| gardener_logging_alloy_meta_monitoring_enabled | | Create a `ServiceMonitor` for alloy metrics and forward alloy's own logs to Loki. Requires kube-prometheus-stack in the seed cluster first (default: `false`) |
+| gardener_logging_alloy_config_raw | | Full Alloy River config string override. When set, bypasses all structured vars above. |
+
+## Migration from Promtail
+
+Alloy replaces Promtail as the log collector. Promtail releases are still deployed in parallel during the transition period (`# TODO remove promtail` markers in the task files).
+
+Key differences from the Promtail helm chart:
+
+| Promtail | Alloy |
+| --- | --- |
+| `config.clients[].url` + `basic_auth` | `gardener_logging_alloy_loki_write_endpoints[].url` + `basic_auth` |
+| `-client.external-labels=cluster=…` extraArg | `gardener_logging_alloy_cluster_label` → `external_labels` in River config |
+| `pipelineStages: [cri, docker]` | Not needed — `loki.source.kubernetes` uses the Kubernetes API |

control-plane/roles/gardener-logging/defaults/main.yaml

@@ -7,6 +7,24 @@ gardener_logging_garden_name: "{{ gardener_defaults_garden_name }}"
 gardener_logging_ingress_loki_basic_auth_user: promtail
 gardener_logging_ingress_loki_basic_auth_password:
 
+# Loki push endpoints (same format as the partition alloy role)
+gardener_logging_alloy_loki_write_endpoints:
+  - url: "https://{{ gardener_logging_ingress_dns }}/loki/api/v1/push"
+    basic_auth:
+      username: "{{ gardener_logging_ingress_loki_basic_auth_user }}"
+      password: "{{ gardener_logging_ingress_loki_basic_auth_password }}"
+
+# Value for the cluster= external label attached to all log streams
+gardener_logging_alloy_cluster_label: "{{ gardener_logging_shooted_seed.name }}"
+
+# Enable meta-monitoring: expose alloy metrics via ServiceMonitor.
+# Requires kube-prometheus-stack to be deployed in the shooted seed cluster first.
+gardener_logging_alloy_meta_monitoring_enabled: false
+gardener_logging_alloy_port: 12345
+
+# Full Alloy River config override. When set, bypasses the seed-alloy-config.alloy.j2 template.
+# gardener_logging_alloy_config_raw: |
+
 gardener_logging_deploy_to_garden_cluster: true
 gardener_logging_shooted_seeds: []
   # - name: my-shooted-seed

control-plane/roles/gardener-logging/tasks/gardener-shooted-seed.yaml

@@ -7,6 +7,21 @@
   set_fact:
     _shoot_kubeconfig: "{{ virtual_garden_kubeconfig | string | shoot_admin_kubeconfig('garden', gardener_logging_shooted_seed.name) | from_yaml }}"
 
+- name: Build alloy config
+  set_fact:
+    gardener_logging_alloy_config: "{{ lookup('template', 'seed-alloy-config.alloy.j2') if (gardener_logging_alloy_config_raw | default('') | length == 0) else gardener_logging_alloy_config_raw }}"
+
+- name: Deploy alloy
+  kubernetes.core.helm:
+    name: alloy
+    chart_repo_url: "{{ gardener_logging_alloy_chart_repo }}"
+    chart_version: "{{ gardener_logging_alloy_chart_version }}"
+    chart_ref: alloy
+    namespace: "{{ gardener_logging_namespace }}"
+    values: "{{ lookup('template', 'seed-alloy-values.yaml') | from_yaml }}"
+    kubeconfig: "{{ _shoot_kubeconfig }}"
+    create_namespace: true
+
 - name: Deploy Promtail
   kubernetes.core.helm:
     name: promtail

control-plane/roles/gardener-logging/tasks/main.yaml

@@ -9,6 +9,30 @@
     that:
       - gardener_logging_promtail_chart_repo is defined
       - gardener_logging_promtail_chart_version is defined
+      - gardener_logging_alloy_chart_repo is defined
+      - gardener_logging_alloy_chart_version is defined
+
+- name: Build alloy config for garden cluster
+  set_fact:
+    gardener_logging_alloy_config: "{{ lookup('template', 'seed-alloy-config.alloy.j2') if (gardener_logging_alloy_config_raw | default('') | length == 0) else gardener_logging_alloy_config_raw }}"
+  when: gardener_logging_deploy_to_garden_cluster
+  vars:
+    gardener_logging_shooted_seed:
+      name: "{{ gardener_logging_garden_name }}"
+
+- name: Deploy alloy to garden cluster
+  kubernetes.core.helm:
+    name: alloy
+    chart_repo_url: "{{ gardener_logging_alloy_chart_repo }}"
+    chart_version: "{{ gardener_logging_alloy_chart_version }}"
+    chart_ref: alloy
+    namespace: "{{ gardener_logging_namespace }}"
+    values: "{{ lookup('template', 'seed-alloy-values.yaml') | from_yaml }}"
+    create_namespace: true
+  when: gardener_logging_deploy_to_garden_cluster
+  vars:
+    gardener_logging_shooted_seed:
+      name: "{{ gardener_logging_garden_name }}"
 
 - name: Deploy Promtail
   kubernetes.core.helm:

control-plane/roles/gardener-logging/templates/seed-alloy-config.alloy.j2

@@ -0,0 +1,68 @@
+logging {
+  level  = "info"
+  format = "logfmt"
+{% if gardener_logging_alloy_meta_monitoring_enabled %}
+  write_to = [loki.relabel.alloy_self.receiver]
+{% endif %}
+}
+
+{% if gardener_logging_alloy_meta_monitoring_enabled %}
+loki.relabel "alloy_self" {
+  forward_to = [loki.write.default.receiver]
+
+  rule {
+    target_label = "job"
+    replacement  = "alloy"
+  }
+}
+{% endif %}
+
+discovery.kubernetes "pods" {
+  role = "pod"
+}
+
+discovery.relabel "pods" {
+  targets = discovery.kubernetes.pods.targets
+
+  rule {
+    source_labels = ["__meta_kubernetes_namespace"]
+    target_label  = "namespace"
+  }
+
+  rule {
+    source_labels = ["__meta_kubernetes_pod_name"]
+    target_label  = "pod"
+  }
+
+  rule {
+    source_labels = ["__meta_kubernetes_pod_container_name"]
+    target_label  = "container"
+  }
+
+  rule {
+    source_labels = ["__meta_kubernetes_pod_label_app"]
+    target_label  = "app"
+  }
+}
+
+loki.source.kubernetes "pods" {
+  targets    = discovery.relabel.pods.output
+  forward_to = [loki.write.default.receiver]
+}
+
+loki.write "default" {
+{% for endpoint in gardener_logging_alloy_loki_write_endpoints %}
+  endpoint {
+    url = "{{ endpoint.url }}"
+{% if endpoint.basic_auth is defined %}
+    basic_auth {
+      username = "{{ endpoint.basic_auth.username }}"
+      password = "{{ endpoint.basic_auth.password }}"
+    }
+{% endif %}
+  }
+{% endfor %}
+  external_labels = {
+    cluster = "{{ gardener_logging_alloy_cluster_label }}",
+  }
+}

control-plane/roles/gardener-logging/templates/seed-alloy-values.yaml

@@ -0,0 +1,28 @@
+# Source with all the defaults: https://raw.githubusercontent.com/grafana/alloy/main/operations/helm/charts/alloy/values.yaml
+alloy:
+  configMap:
+    # -- Create a new ConfigMap for the config file.
+    create: true
+    # -- Content to assign to the new ConfigMap.  This is passed into `tpl` allowing for templating from values.
+    content: |-
+      {{ gardener_logging_alloy_config | indent(6) }}
+
+  # -- Port to listen for traffic on.
+  listenPort: {{ gardener_logging_alloy_port }}
+
+  # -- Enables sending Grafana Labs anonymous usage stats to help improve Grafana
+  # Alloy.
+  enableReporting: false
+
+controller:
+  # -- Tolerations to apply to Grafana Alloy pods.
+  tolerations:
+    - key: node-role.kubernetes.io/master
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+
+serviceMonitor:
+  enabled: {{ gardener_logging_alloy_meta_monitoring_enabled | lower }}

control-plane/roles/logging/README.md

@@ -1,11 +1,16 @@
 # logging
 
-This role is designed to set up logging using Ansible.
-The role includes tasks to install and configure the following logging tools:
+Deploys the control-plane logging stack into the Kubernetes control-plane cluster.
 
-- Loki
-- Logging ingress for Loki
-- Promtail for monitoring the control plane cluster
+Components:
+
+- **Loki** — log storage and query backend
+- **Alloy** — log collector (DaemonSet), replaces Promtail. Collects pod logs via the Kubernetes API (`loki.source.kubernetes`) and forwards them to Loki.
+- Loki ingress with optional TLS and basic auth
+
+## Configuration
+
+The Alloy River config is generated from structured variables at deploy time. Override individual variables to customize behavior, or bypass the template entirely with `logging_alloy_config_raw`.
 
 ## Variables
 
@@ -29,4 +34,39 @@ The following variables can be set to configure the role:
 | logging_ingress_loki_basic_auth_password_salt |           | The basic auth password salt used for stable password hashes   |
 | logging_ingress_loki_basic_auth_password      |           | The basic auth password for the external loki ingress          |
 | logging_ingress_loki_basic_auth_user          |           | The basic auth user for the external loki ingress              |
-| logging_alloy_config                          |           | The config to use for alloy                                    |
+
+### Alloy
+
+| Name | Mandatory | Description |
+| --- | --- | --- |
+| logging_alloy_chart_version | yes | Helm chart version for alloy (release vector) |
+| logging_alloy_chart_repo | yes | Repository for alloy (release vector) |
+| logging_alloy_port | | Alloy listen port (default: `12345`) |
+| logging_alloy_loki_write_endpoints | | List of Loki push endpoints. Each entry: `{url, basic_auth?: {username, password}}` (default: `http://loki:3100/loki/api/v1/push`) |
+| logging_alloy_cluster_label | | Value for the `cluster=` external label on all log streams (default: `{{ metal_control_plane_stage_name }}`) |
+| logging_alloy_eventrouter_enabled | | Include the eventrouter `stage.match` pipeline (default: `true`) |
+| logging_alloy_meta_monitoring_enabled | | Forward alloy's own logs to Loki and create a `ServiceMonitor` for metrics. Requires kube-prometheus-stack to be deployed first (default: `false`) |
+| logging_alloy_config_raw | | Full Alloy River config string override. When set, bypasses all structured vars above. |
+
+## Meta-monitoring
+
+When `logging_alloy_meta_monitoring_enabled: true`:
+
+- Alloy's own internal logs are forwarded to Loki with `job=alloy`
+- The alloy chart creates a `ServiceMonitor` — kube-prometheus-stack picks it up automatically (no label selector required since `serviceMonitorSelectorNilUsesHelmValues: false`)
+
+Deploy the monitoring role first, then set this to `true` and reapply.
+
+## Migration from Promtail
+
+Alloy replaces Promtail as the log collector. The `promtail` Helm release is still deployed in parallel during the transition period.
+
+Key differences from the Promtail helm chart:
+
+| Promtail | Alloy |
+| --- | --- |
+| `config.clients[].url` | `logging_alloy_loki_write_endpoints[].url` |
+| `-client.external-labels=cluster=…` extraArg | `logging_alloy_cluster_label` var → `external_labels` in River config |
+| `pipelineStages: [cri, docker]` | Not needed — `loki.source.kubernetes` uses the Kubernetes API, CRI framing is already stripped |
+| `pipelineStages: [match(eventrouter)]` | `logging_alloy_eventrouter_enabled: true` |
+| `serviceMonitor.enabled` commented out (monitoring dependency) | `logging_alloy_meta_monitoring_enabled: false` by default, same reason |

control-plane/roles/logging/defaults/main.yaml

@@ -1,11 +1,27 @@
 ---
 logging_namespace: monitoring
 logging_alloy_port: 12345
-logging_alloy_config: |
-  logging {
-    level = "info"
-    format = "logfmt"
-  }
+
+# Loki push endpoints (same format as the partition alloy role)
+logging_alloy_loki_write_endpoints:
+  - url: "http://loki:3100/loki/api/v1/push"
+  #   basic_auth:
+  #     username: "promtail"
+  #     password: "secret"
+
+# Value for the cluster= external label attached to all log streams
+logging_alloy_cluster_label: "{{ metal_control_plane_stage_name }}"
+
+# Whether to include the eventrouter pipeline stage (parses eventrouter JSON and promotes namespace label)
+logging_alloy_eventrouter_enabled: true
+
+# Enable meta-monitoring: forward alloy's own logs to Loki and expose metrics via ServiceMonitor.
+# Requires kube-prometheus-stack (monitoring role) to be deployed first.
+logging_alloy_meta_monitoring_enabled: false
+
+# Full Alloy River config override. When set, bypasses all structured vars above.
+# logging_alloy_config_raw: |
+
 logging_ingress_dns: "loki.{{ metal_control_plane_ingress_dns }}"
 logging_ingress_loki_tls: yes
 logging_ingress_loki_basic_auth_user: promtail

control-plane/roles/logging/tasks/main.yaml

@@ -35,6 +35,10 @@
     helm_chart_version: "{{ logging_chart_version }}"
     helm_value_file_template: "loki-values.yaml"
 
+- name: Build alloy config
+  set_fact:
+    logging_alloy_config: "{{ lookup('template', 'alloy-config.alloy.j2') if (logging_alloy_config_raw | default('') | length == 0) else logging_alloy_config_raw }}"
+
 - name: Deploy alloy
   include_role:
     name: ansible-common/roles/helm-chart