Add the monitoring stack

kubernetes/promtail/configmap.yaml

@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: promtail-config
+  namespace: monitoring
+data:
+  promtail.yaml: |
+    server:
+      http_listen_port: 3101
+      grpc_listen_port: 0
+
+    positions:
+      filename: /run/promtail/positions.yaml
+
+    clients:
+      - url: http://loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+        tenant_id: talos-cluster
+
+    scrape_configs:
+      # Container logs from /var/log/pods
+      - job_name: kubernetes-pods
+        kubernetes_sd_configs:
+          - role: pod
+        pipeline_stages:
+          - cri: {}
+        relabel_configs:
+          # Only scrape pods with promtail.io/scrape annotation (or all by default)
+          - source_labels:
+              - __meta_kubernetes_pod_annotation_promtail_io_scrape
+            action: drop
+            regex: false
+          
+          # Use pod name as instance
+          - source_labels:
+              - __meta_kubernetes_pod_name
+            target_label: instance
+          
+          # Namespace label
+          - source_labels:
+              - __meta_kubernetes_namespace
+            target_label: namespace
+          
+          # Pod name label
+          - source_labels:
+              - __meta_kubernetes_pod_name
+            target_label: pod
+          
+          # Container name label
+          - source_labels:
+              - __meta_kubernetes_pod_container_name
+            target_label: container
+          
+          # Node name label
+          - source_labels:
+              - __meta_kubernetes_pod_node_name
+            target_label: node
+          
+          # App label (from pod labels)
+          - source_labels:
+              - __meta_kubernetes_pod_label_app
+            target_label: app
+          
+          # App.kubernetes.io/name label
+          - source_labels:
+              - __meta_kubernetes_pod_label_app_kubernetes_io_name
+            target_label: app
+            regex: (.+)
+            action: replace
+          
+          # Set path to container log file
+          - source_labels:
+              - __meta_kubernetes_pod_uid
+              - __meta_kubernetes_pod_container_name
+            target_label: __path__
+            separator: /
+            replacement: /var/log/pods/*$1/*.log
+
+      # Talos system logs (if mounted)
+      - job_name: talos-system
+        static_configs:
+          - targets:
+              - localhost
+            labels:
+              job: talos-system
+              __path__: /var/log/containers/*.log

kubernetes/promtail/daemonset.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: promtail
+  namespace: monitoring
+  labels:
+    app: promtail
+spec:
+  selector:
+    matchLabels:
+      app: promtail
+  template:
+    metadata:
+      labels:
+        app: promtail
+    spec:
+      serviceAccountName: promtail
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: promtail
+          image: grafana/promtail:2.9.2
+          args:
+            - "-config.file=/etc/promtail/promtail.yaml"
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - name: http
+              containerPort: 3101
+              protocol: TCP
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 0
+            runAsGroup: 0
+          volumeMounts:
+            - name: config
+              mountPath: /etc/promtail
+            - name: run
+              mountPath: /run/promtail
+            # Mount pod logs
+            - name: pods
+              mountPath: /var/log/pods
+              readOnly: true
+            # Mount container logs (for CRI-O / containerd)
+            - name: containers
+              mountPath: /var/log/containers
+              readOnly: true
+            # Machine-id for consistent instance identification
+            - name: machine-id
+              mountPath: /etc/machine-id
+              readOnly: true
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /ready
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+      volumes:
+        - name: config
+          configMap:
+            name: promtail-config
+        - name: run
+          emptyDir: {}
+        - name: pods
+          hostPath:
+            path: /var/log/pods
+        - name: containers
+          hostPath:
+            path: /var/log/containers
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id

kubernetes/promtail/rbac.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: promtail
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: promtail
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - nodes/proxy
+      - services
+      - endpoints
+      - pods
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: promtail
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: promtail
+subjects:
+  - kind: ServiceAccount
+    name: promtail
+    namespace: monitoring