# Namespace that holds the whole monitoring stack (kube-state-metrics and,
# when enabled, the Grafana k8s-monitoring release).
#
# NOTE(review): the Pod Security Admission "enforce" label is set to
# "privileged", which turns off PSA enforcement for every pod created in
# this namespace. No "audit"/"warn" labels are set alongside it, so no
# baseline/restricted violations would be reported either. This is
# presumably needed by the node-level log collectors (alloy-logs /
# nodeLogs below) — confirm that level is actually required.
resource "kubernetes_namespace" "monitoring-system" {
  metadata {
    name = "monitoring-system"
    labels = {
      "pod-security.kubernetes.io/enforce" = "privileged"
    }
  }
}

# Prometheus Operator PodMonitor CRD, read verbatim from a YAML file shipped
# with this module. Installed separately (rather than by a chart) so that the
# helm releases below can declare an explicit dependency on it.
resource "kubernetes_manifest" "prometheus-pod-monitors" {
  manifest = yamldecode(file("${path.module}/manifests/crd-podmonitors.yaml"))
}

# Prometheus Operator ServiceMonitor CRD; same approach as the PodMonitor CRD.
# kube-state-metrics below creates a ServiceMonitor, so this CRD must exist
# before that release is applied.
resource "kubernetes_manifest" "prometheus-service-monitors" {
  manifest = yamldecode(file("${path.module}/manifests/crd-servicemonitors.yaml"))
}

# kube-state-metrics, pinned to chart version 5.24.0 and scheduled onto
# control-plane nodes only (nodeSelector + matching NoSchedule toleration).
#
# - atomic / cleanup_on_fail: a failed install or upgrade is rolled back and
#   its leftover resources removed instead of leaving a half-applied release.
# - updateStrategy: Recreate — the old pod is terminated before the new one
#   starts.
# - prometheusScrape: false together with prometheus.monitor.enabled: true —
#   scraping is configured through a ServiceMonitor object (hence the
#   depends_on on the CRDs) rather than through chart-level scrape settings.
# - http.honorLabels: true — Prometheus honor_labels semantics for that
#   endpoint (labels already present on the scraped series win over target
#   labels on conflict).
#
# The values heredoc is a string literal handed to Helm as-is; any edit to it,
# including whitespace, shows up as a change to the release.
resource "helm_release" "kube-state-metrics" {
  depends_on = [kubernetes_manifest.prometheus-pod-monitors, kubernetes_manifest.prometheus-service-monitors]

  name       = "kube-state-metrics"
  chart      = "kube-state-metrics"
  repository = "https://prometheus-community.github.io/helm-charts"
  version    = "5.24.0"
  namespace  = kubernetes_namespace.monitoring-system.metadata[0].name

  atomic          = true
  cleanup_on_fail = true

  values = [<<-EOF
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - key: "node-role.kubernetes.io/control-plane"
        effect: NoSchedule
    updateStrategy: Recreate
    prometheusScrape: false
    prometheus:
      monitor:
        enabled: true
        http:
          honorLabels: true
  EOF
  ]
}

# Grafana k8s-monitoring (Alloy-based collectors) shipping metrics and logs to
# an external OTLP/gRPC destination.
#
# count = 0: this release is currently NOT deployed; the block is kept so it
# can be switched on by changing the count. It is pinned to a pre-release
# chart version (2.0.0-rc.10).
#
# Collection enabled in the values: cluster metrics and events, pod and node
# logs, Prometheus Operator objects (PodMonitor/ServiceMonitor — hence the
# depends_on on the CRDs), annotation-based autodiscovery, and the
# alloy-logs / alloy-metrics / alloy-singleton collectors. Traces are disabled
# on the destination.
#
# Destination authentication (oauth2):
# - clientId is a hard-coded literal; an OAuth client id is not a secret, but
#   it is environment-specific and could be a module variable.
# - clientSecretFile points at the pod's default service-account token
#   (/var/run/secrets/kubernetes.io/serviceaccount/token), and
#   endpointParams sets client_assertion_type to jwt-bearer.
#   NOTE(review): that token is the pod's own Kubernetes API credential and is
#   audience-bound to the API server; sending it to an external token
#   endpoint (id.tjo.space) means an off-cluster party receives it. A
#   projected serviceAccountToken volume with a dedicated audience for the
#   IdP would limit what a leaked token is good for — confirm what the chart's
#   oauth2 config and the IdP actually expect here (whether the file is used
#   as client_secret or as the client_assertion).
#
# The values heredoc interpolates ${var.cluster_name}; everything else in it
# is a literal string passed to Helm.
resource "helm_release" "monitoring" {
  depends_on = [kubernetes_manifest.prometheus-pod-monitors, kubernetes_manifest.prometheus-service-monitors]

  count = 0

  name       = "monitoring"
  chart      = "k8s-monitoring"
  repository = "https://grafana.github.io/helm-charts"
  version    = "2.0.0-rc.10"
  namespace  = kubernetes_namespace.monitoring-system.metadata[0].name

  atomic          = true
  cleanup_on_fail = true

  values = [<<-EOF
    cluster:
      name: "${var.cluster_name}"
    clusterMetrics:
      enabled: true
    clusterEvents:
      enabled: true
    podLogs:
      enabled: true
    nodeLogs:
      enabled: true
    prometheusOperatorObjects:
      enabled: true
    annotationAutodiscovery:
      enabled: true
    alloy-logs:
      enabled: true
    alloy-metrics:
      enabled: true
    alloy-singleton:
      enabled: true
    destinations:
      - name: monitor-tjo-cloud
        type: otlp
        url: "grpc.otel.monitor.tjo.cloud:443"
        auth:
          type: oauth2
          oauth2:
            tokenURL: "https://id.tjo.space/application/o/token/"
            clientId: "o6Tz2215HLvhvZ4RCZCR8oMmCapTu30iwkoMkz6m"
            clientSecretFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
            endpointParams:
              grant_type:
                - "client_credentials"
              client_assertion_type:
                - "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        logs:
          enabled: true
        metrics:
          enabled: true
        traces:
          enabled: false
  EOF
  ]
}