add Secret resource

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add Secret template in helm chart to alloy for environment variables injection.
+
 ### Changed
 
 - Update alloy upstream chart from 0.5.1 to 0.6.0

helm/alloy/examples/mimir-rules/README.md

@@ -0,0 +1,17 @@
+You can deploy this example with the following command:
+
+```
+helm install alloy-mimir-rules helm/alloy --values helm/alloy/examples/mimir-rules/values.yaml
+```
+
+This will deploy and configure Alloy to load PrometheusRules to Mimir.
+
+Alloy will select PrometheusRules with the foo=bar label in every namespaces and load them to Mimir.
+
+It uses Alloy [`mimir.rules.prometheus`](https://grafana.com/docs/alloy/latest/reference/components/mimir/mimir.rules.kubernetes) component.
+
+### Secret values handling
+
+The authentication to Mimir is configured using basic auth. The username and password are stored in a secret and are then used as environment variables in the Alloy config.
+
+NOTE: there is a limitation related to the secret name, therefore the helm release name should be identical to the secret name referenced under secretRef in values.yaml.

helm/alloy/examples/mimir-rules/values.yaml

@@ -8,10 +8,25 @@ alloy:
             address = "http://mimir-gateway.mimir"
             tenant_id = "anonymous"
 
+            basic_auth {
+              username = env("BASIC_AUTH_USERNAME")
+              password = env("BASIC_AUTH_PASSWORD")
+            }
+
             // Select PrometheusRules with foo=bar label in all namespaces.
             rule_selector {
                 match_labels = {
                     "foo" = "bar",
                 }
             }
         }
+    extraSecretEnv:
+    - name: BASIC_AUTH_USERNAME
+      value: username_placeholder
+    - name: BASIC_AUTH_PASSWORD
+      value: password_placeholder
+    envFrom:
+    - secretRef:
+        name: alloy-mimir-rules
+  controller:
+    type: deployment

helm/alloy/templates/secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.alloy.alloy.extraSecretEnv }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "alloy.fullname" . }}
+  labels:
+    {{- include "alloy.labels" . | nindent 4 }}
+    app.kubernetes.io/component: config
+data:
+  {{- range $secretEnvMap := .Values.alloy.alloy.extraSecretEnv }}
+  {{ $secretEnvMap.name }}: {{ $secretEnvMap.value | b64enc }}
+  {{- end }}
+{{- end }}

helm/alloy/values.yaml

@@ -32,6 +32,8 @@ alloy:
       seccompProfile:
         type: RuntimeDefault
 
+    extraSecretEnv: []
+
   image:
     repository: giantswarm/alloy