[helm] Add Loki Canary to Helm Chart

[trevorwhitney]

What this PR does / why we need it:

This PR adds the Loki canary as well as the GEL provisioner to the Loki helm chart. The Loki canary expands the self-monitoring functionality of the Helm chart, giving operators insight beyond whether Loki is just running, but also if it's functioning properly.

The GEL provisioner was necessary for the canary to work when the enterprise option (enterprise.enabled = true) is enabled. Since enabling enterprise in the helm chart also enables auth/multi-tenancy, the addition of the provisioner allows the helm chart to automatically create a tenant for the canary via the GEL admin API, and to create applicable access policies and tokens. Furthermore, additional tenants can also be specified, which will be provisioned, creating a read and write token for each that will be stored in k8s secrets.

Which issue(s) this PR fixes:
Fixes #7019

Checklist

• Documentation added
• Tests updated
• Is this an important fix or new feature? Add an entry in the CHANGELOG.md.
• Changes that require user attention or interaction to upgrade are documented in docs/sources/upgrading/_index.md

[grafanabot]

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[DylanGuedes]

few nits

[DylanGuedes]

is this identation right?

[jeschkies]

Why is a tenant ID required for enterprise?

[trevorwhitney]

probably not required for enterprise since with enterprise we're providing the username below.

[trevorwhitney]

changed the logic a bit, and yes double checked indenation, following is with auth_enabled = true but enterprise off:

spec:
  clients:
    
    - url: http://loki-gateway.default.svc.cluster.local/loki/api/v1/push
      externalLabels:
        cluster: release-name-loki
      tenantId: self-monitoring

[jeschkies]

I need to give it one more pass.

[grafanabot]

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
- querier/queryrange	-0.1%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

[towolf]

Hi @trevorwhitney, could you explain, why you added the loki-canary ServiceAccount as a Helm post-install hook? This fails to work with Helm via Terraform (hashicorp/terraform-provider-helm#683), and I see no reason for this.

https://github.com/grafana/loki/blob/main/production/helm/loki/templates/loki-canary/serviceaccount.yaml#L10

[towolf]

And another question @trevorwhitney, why do you default to latest and not to .Chart.Appversion here?

https://github.com/grafana/loki/blob/main/production/helm/loki/templates/loki-canary/_helpers.tpl#L28

[trevorwhitney]

@towolf the reason for the post-install hook was probably because I copied the service account template from either the tokengen or provisioner jobs, and my guess for those being post-install hooks are to delay the running of the job. But I agree, we probably don't need to delay anything for the canary so we can remove that.

Also, we should definitely use .Char.Appversion here, agreed!

[trevorwhitney]

@towolf here's a PR to fix, thanks for pointing these out!
#7236