feat(observability): enable OTLP tracing, fix Prometheus scraping, add proxy ServiceMonitor

- Set otlp_endpoint to Tempo HTTP receiver (port 4318) for request tracing - Add hostNetwork to prometheusSpec so it can reach kubelet/node-exporter on node public IP - Add ServiceMonitor for proxy metrics scrape on port 9090 - Add CORS origin and Grafana datasource config for monitoring stack
2026-03-09 08:20:42 +00:00
parent caefb071a8
commit 91983ddf29
4 changed files with 43 additions and 5 deletions
--- a/base/monitoring/prometheus-values.yaml
+++ b/base/monitoring/prometheus-values.yaml
@@ -15,7 +15,7 @@ grafana:
  envFromSecret: grafana-oidc
  grafana.ini:
    server:
-      root_url: "https://grafana.DOMAIN_SUFFIX"
+      root_url: "https://metrics.DOMAIN_SUFFIX"
    auth:
      # Keep local login as fallback (admin password from grafana-admin secret)
      disable_login_form: false
@@ -36,21 +36,44 @@ grafana:
      # To restrict to specific users, set role_attribute_path instead.
      auto_assign_org_role: Admin
      skip_org_role_sync: true
+  sidecar:
+    datasources:
+      # Disable the auto-provisioned ClusterIP datasource; we define it
+      # explicitly below using the external URL so Grafana's backend reaches
+      # Prometheus via Pingora (https://systemmetrics.DOMAIN_SUFFIX) rather
+      # than the cluster-internal ClusterIP which is blocked by network policy.
+      defaultDatasourceEnabled: false
+
  additionalDataSources:
+    - name: Prometheus
+      type: prometheus
+      url: "https://systemmetrics.DOMAIN_SUFFIX"
+      access: proxy
+      isDefault: true
+      jsonData:
+        timeInterval: 30s
    - name: Loki
      type: loki
-      url: http://loki.monitoring.svc.cluster.local:3100
+      url: "https://systemlogs.DOMAIN_SUFFIX"
      access: proxy
      isDefault: false
    - name: Tempo
      type: tempo
-      url: http://tempo.monitoring.svc.cluster.local:3100
+      url: "https://systemtracing.DOMAIN_SUFFIX"
      access: proxy
      isDefault: false

 prometheus:
  prometheusSpec:
    retention: 90d
+    # hostNetwork allows Prometheus to reach kubelet (10250) and node-exporter
+    # (9100) on the node's public InternalIP.  On a single-node bare-metal
+    # server, pod-to-node-public-IP traffic doesn't route without this.
+    hostNetwork: true
+    additionalArgs:
+      # Allow browser-direct queries from the Grafana UI origin.
+      - name: web.cors.origin
+        value: "https://metrics.DOMAIN_SUFFIX"
    storageSpec:
      volumeClaimTemplate:
        spec: