From 769d42d5432fbaee4a59584f7c0ec6388fc4b050 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 23 Jun 2025 13:09:30 +0200
Subject: [PATCH] feat: add tempo helmfile setup
---
 helmfile.d/tempo.yaml.gotmpl | 42 +++++++++++++++
 values/tempo/env-oceanbox.yaml.gotmpl | 4 ++
 values/tempo/env.yaml.gotmpl | 16 +++---
 .../tempo/kustomize/base/kustomization.yaml | 4 --
 .../kustomize/default/kustomization.yaml | 4 --
 .../CiliumNetworkPolicy-allow-api-server.yaml | 14 +++++
 values/tempo/manifests/tempo.yaml | 10 ++--
 values/tempo/values/tempo.yaml.gotmpl | 53 -------------------
 values/tempo/values/values.yaml.gotmpl | 51 ++++++++++++++++++
 9 files changed, 126 insertions(+), 72 deletions(-)
 create mode 100644 helmfile.d/tempo.yaml.gotmpl
 create mode 100644 values/tempo/env-oceanbox.yaml.gotmpl
 delete mode 100644 values/tempo/kustomize/base/kustomization.yaml
 delete mode 100644 values/tempo/kustomize/default/kustomization.yaml
 create mode 100644 values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml
 delete mode 100644 values/tempo/values/tempo.yaml.gotmpl
 create mode 100644 values/tempo/values/values.yaml.gotmpl
diff --git a/helmfile.d/tempo.yaml.gotmpl b/helmfile.d/tempo.yaml.gotmpl
new file mode 100644
index 00000000..2e458936
--- /dev/null
+++ b/helmfile.d/tempo.yaml.gotmpl
@@ -0,0 +1,42 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: tempo
+ url: https://grafana.github.io/helm-charts
+
+commonLabels:
+ tier: system
+
+releases:
+- name: tempo
+ namespace: tempo
+ chart: tempo/tempo
+ condition: tempo.enabled
+ values:
+ - ../values/tempo/values/values.yaml.gotmpl
+ - ../values/tempo/values/values-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/tempo/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: manifests
+ namespace: tempo
+ chart: manifests
+ condition: tempo.enabled
+ missingFileHandler: Info
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/tempo/env.yaml.gotmpl
+ - ../values/tempo/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/tempo/manifests
+ - manifests
diff --git a/values/tempo/env-oceanbox.yaml.gotmpl b/values/tempo/env-oceanbox.yaml.gotmpl
new file mode 100644
index 00000000..632257c0
--- /dev/null
+++ b/values/tempo/env-oceanbox.yaml.gotmpl
@@ -0,0 +1,4 @@
+tempo:
+ enabled: true
+ autosync: false
+
diff --git a/values/tempo/env.yaml.gotmpl b/values/tempo/env.yaml.gotmpl
index 1462b9ed..37b7ae59 100644
--- a/values/tempo/env.yaml.gotmpl
+++ b/values/tempo/env.yaml.gotmpl
@@ -1,12 +1,12 @@
 tempo:
 enabled: true
- autosync: true
+ autosync: false
 s3:
- endpoint: ""
- region: ""
+ endpoint: "http://10.255.241.30:30080"
+ region: tos
 insecure_skip_verify: false
- secret:
- name: ""
- access_key: ""
- access_secret: ""
- bucketName: ""
+ secret:
+ name: tempo-s3
+ access_key: AWS_ACCESS_KEY_ID
+ access_secret: AWS_ACCESS_KEY_SECRET
+ bucket: tempo-traces
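Review bot: The `tempo` release keeps `postRenderer: ../bin/kustomizer` with `postRendererArgs: - ../values/tempo/kustomize/{{ .Environment.Name }}`, yet this same commit deletes both `values/tempo/kustomize/base/kustomization.yaml` and `values/tempo/kustomize/default/kustomization.yaml`, so for the `default` environment the argument now points at a directory that no longer exists. `missingFileHandler: Info` only applies to the `values:` entries, not to post-renderer arguments, so whether this is a hard render failure or a silent no-op depends on how `../bin/kustomizer` treats a missing path, which is not visible here. Either remove the three `postRenderer`/`postRendererArgs` lines or keep a kustomization in place; if the overlay is meant to be optional, a comment such as `# kustomize overlay is optional; ../bin/kustomizer must tolerate a missing directory` above `postRenderer:` would record that assumption.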
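Review bot: `endpoint: "http://10.255.241.30:30080"` hard-codes a plain-HTTP object-store endpoint on a raw node address, and the new `values/tempo/values/values.yaml.gotmpl` additionally sets `insecure: true` unconditionally, so trace data travels to the bucket unencrypted for every environment that inherits this file, not just the one this address belongs to. At the same time `insecure_skip_verify: false` is kept here but is no longer read anywhere: the deleted `values/tempo/values/tempo.yaml.gotmpl` consumed it through a `tls_insecure_skip_verify` conditional, and the replacement does not. Either drop the dead key or wire it back up, and prefer an `https://` endpoint (ideally a DNS name rather than an IP) with `insecure` derived from the scheme instead of fixed to `true`; at minimum a comment like `# plain-HTTP NodePort endpoint: trace payloads and S3 requests are sent in cleartext` above `endpoint:` should record the trade-off.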
diff --git a/values/tempo/kustomize/base/kustomization.yaml b/values/tempo/kustomize/base/kustomization.yaml
deleted file mode 100644
index 57f354b1..00000000
--- a/values/tempo/kustomize/base/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - _manifest.yaml
diff --git a/values/tempo/kustomize/default/kustomization.yaml b/values/tempo/kustomize/default/kustomization.yaml
deleted file mode 100644
index 22967828..00000000
--- a/values/tempo/kustomize/default/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-generatorOptions:
- disableNameSuffixHash: true
-resources:
- - ../base
diff --git a/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml b/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..aa3ddd8c
--- /dev/null
+++ b/values/tempo/manifests/network/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: tempo
+spec:
+ egress:
+ - toPorts:
+ - ports:
+ - port: "7946"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tempo
diff --git a/values/tempo/manifests/tempo.yaml b/values/tempo/manifests/tempo.yaml
index d5c7fd64..ec1059b6 100644
--- a/values/tempo/manifests/tempo.yaml
+++ b/values/tempo/manifests/tempo.yaml
@@ -2,7 +2,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: tempo
+ name: tempo
 namespace: argocd
 annotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
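Review bot: The resource is named `allow-api-server`, but the only rule in `CiliumNetworkPolicy-allow-api-server.yaml` allows egress to TCP `"7946"` with no `toEndpoints`, `toEntities` or `toCIDR` restriction, so the selected `app.kubernetes.io/instance: tempo` pods may reach port 7946 on any destination and nothing in the rule concerns the Kubernetes API server. Port 7946 is presumably the memberlist gossip port, in which case the intended peers are other pods of the same release; adding `toEndpoints:` / `- matchLabels:` / `app.kubernetes.io/instance: tempo` alongside `toPorts` pins the destination, and renaming the policy to something like `allow-memberlist` makes the name match the rule. Note also that once an egress rule selects these pods, Cilium denies their other egress unless some other policy allows it, so DNS, the S3 endpoint and the Prometheus remote-write target must be covered elsewhere; whether such policies exist is not visible in this diff. If API-server access is genuinely required, that is a separate rule using Cilium's `kube-apiserver` entity rather than a port number.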
@@ -15,12 +15,16 @@ spec:
 sources:
 - repoURL: {{ .Values.clusterConfig.manifests }}
 targetRevision: HEAD
- path: helmfiles/tempo
+ path: helmfile.d
 plugin:
- name: helmfile
+ name: helmfile-cmp
 env:
 - name: CLUSTER_NAME
 value: {{ .Values.clusterConfig.cluster }}
+ - name: HELMFILE_ENVIRONMENT
+ value: default
+ - name: HELMFILE_FILE_PATH
+ value: tempo.yaml.gotmpl
 project: sys
 syncPolicy:
 managedNamespaceMetadata:
diff --git a/values/tempo/values/tempo.yaml.gotmpl b/values/tempo/values/tempo.yaml.gotmpl
deleted file mode 100644
index 529bf8d8..00000000
--- a/values/tempo/values/tempo.yaml.gotmpl
+++ /dev/null
@@ -1,53 +0,0 @@
-tempo:
- reportingEnabled: false
- storage:
- trace:
- backend: s3
- s3:
- bucket: {{ .Values.tempo.bucketName | default "tempo-traces" }}
- endpoint: {{ .Values.tempo.s3.endpoint | default "https://s3.production.itpartner.no" }}
- prefix: traces
- access_key: ${S3KEY}
- secret_key: ${S3SECRET}
- forcepathstyle: true
- region: us-east-1
- {{- if .Values.tempo.s3.insecure_skip_verify }}
- tls_insecure_skip_verify: true
- {{- end }}
- local:
- path: /var/tempo/traces
- wal:
- path: /var/tempo/wal
- metricsGenerator:
- enabled: true
- remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
- extraArgs: { config.expand-env=true }
- extraEnv:
- - name: S3KEY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.tempo.secret.name | default "s3-credentials"}}
- key: {{ .Values.tempo.secret.access_key | default "access_key" }}
- - name: S3SECRET
- valueFrom:
- secretKeyRef:
- name: {{ .Values.tempo.secret.name | default "s3-credentials"}}
- key: {{ .Values.tempo.secret.access_key | default "access_secret" }}
-tempoQuery:
- ingress:
- enabled: true
- ingressClassName: nginx
- annotations:
- cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- {{- with .Values.cluster_config.ingress_whitelist }}
- nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
- {{- end }}
- path: /
- pathType: Prefix
- hosts:
- - query.tempo.{{ .Values.cluster_config.domain }}
- tls:
- - secretName: tempo-query-tls
- hosts:
- - query.tempo.{{ .Values.cluster_config.domain }}
diff --git a/values/tempo/values/values.yaml.gotmpl b/values/tempo/values/values.yaml.gotmpl
new file mode 100644
index 00000000..df0755aa
--- /dev/null
+++ b/values/tempo/values/values.yaml.gotmpl
@@ -0,0 +1,51 @@
+tempo:
+ reportingEnabled: false
+ storage:
+ trace:
+ backend: s3
+ s3:
+ bucket: {{ .Values.tempo.s3.bucket | default "tempo-traces" }}
+ endpoint: {{ .Values.tempo.s3.endpoint }}
+ prefix: traces
+ access_key: ${S3KEY}
+ secret_key: ${S3SECRET}
+ forcepathstyle: true
+ insecure: true
+ local:
+ path: /var/tempo/traces
+ wal:
+ path: /var/tempo/wal
+ metricsGenerator:
+ enabled: true
+ remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+ extraArgs: { config.expand-env=true }
+ extraEnv:
+ - name: S3KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tempo.s3.secret.name | default "s3-credentials"}}
+ key: {{ .Values.tempo.s3.secret.access_key | default "access_key" }}
+ - name: S3SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.tempo.s3.secret.name | default "s3-credentials"}}
+ key: {{ .Values.tempo.s3.secret.access_key | default "access_secret" }}
+tempoQuery:
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ {{- with .Values.clusterConfig.ingress_whitelist }}
+ nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+ {{- end }}
+ oceanbox.io/expose: internal
+ path: /
+ pathType: Prefix
+ hosts:
+ - query.tempo.{{ .Values.clusterConfig.domain }}
+ tls:
+ - secretName: tempo-query-tls
+ hosts:
+ - query.tempo.{{ .Values.clusterConfig.domain }}
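Review bot: The `S3SECRET` entry reads `key: {{ .Values.tempo.s3.secret.access_key | default "access_secret" }}`, the same value path as `S3KEY`, so with `access_key: AWS_ACCESS_KEY_ID` from `values/tempo/env.yaml.gotmpl` both environment variables are filled from the same Secret key and `secret_key` ends up holding the access key id; it should be `key: {{ .Values.tempo.s3.secret.access_secret | default "access_secret" }}`. The same slip is present in the deleted `tempo.yaml.gotmpl`, so it was carried over rather than introduced, but the `access_secret` value added in this commit is unused until it is fixed. Separately, `endpoint: {{ .Values.tempo.s3.endpoint }}` has lost the default the old file had and is unquoted, so an environment that leaves the value empty renders `endpoint:` as a YAML null rather than a string; `endpoint: "{{ .Values.tempo.s3.endpoint }}"` keeps it a string, and an explicit `required` would fail the render instead of shipping a broken backend config.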