Helm: Fix chart mTLS implementation (#12025)

production/helm/loki/templates/_helpers.tpl

@@ -455,7 +455,7 @@ ruler:
 {{- end }}
 
 {{/*
-Calculate the config from structured and unstructred text input
+Calculate the config from structured and unstructured text input
 */}}
 {{- define "loki.calculatedConfig" -}}
 {{ tpl (mergeOverwrite (tpl .Values.loki.config . | fromYaml) .Values.loki.structuredConfig | toYaml) . }}
@@ -704,10 +704,17 @@ http {
   {{- end }}
 
   server {
+    {{- if (.Values.gateway.nginxConfig.ssl) }}
+    listen             8080 ssl;
+    {{- if .Values.gateway.nginxConfig.enableIPv6 }}
+    listen             [::]:8080 ssl;
+    {{- end }}
+    {{- else }}
     listen             8080;
     {{- if .Values.gateway.nginxConfig.enableIPv6 }}
     listen             [::]:8080;
     {{- end }}
+    {{- end }}
 
     {{- if .Values.gateway.basicAuth.enabled }}
     auth_basic           "Loki";
@@ -735,9 +742,11 @@ http {
     {{- $writeHost = include "loki.singleBinaryFullname" .}}
     {{- end }}
 
-    {{- $writeUrl    := printf "http://%s.%s.svc.%s:3100" $writeHost   .Release.Namespace .Values.global.clusterDomain }}
-    {{- $readUrl     := printf "http://%s.%s.svc.%s:3100" $readHost    .Release.Namespace .Values.global.clusterDomain }}
-    {{- $backendUrl  := printf "http://%s.%s.svc.%s:3100" $backendHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $httpSchema := .Values.gateway.nginxConfig.schema }}
+
+    {{- $writeUrl    := printf "%s://%s.%s.svc.%s:3100" $httpSchema $writeHost   .Release.Namespace .Values.global.clusterDomain }}
+    {{- $readUrl     := printf "%s://%s.%s.svc.%s:3100" $httpSchema $readHost    .Release.Namespace .Values.global.clusterDomain }}
+    {{- $backendUrl  := printf "%s://%s.%s.svc.%s:3100" $httpSchema $backendHost .Release.Namespace .Values.global.clusterDomain }}
 
     {{- if .Values.gateway.nginxConfig.customWriteUrl }}
     {{- $writeUrl  = .Values.gateway.nginxConfig.customWriteUrl }}
@@ -757,19 +766,19 @@ http {
     {{- $indexGatewayHost := include "loki.indexGatewayFullname" .}}
     {{- $rulerHost := include "loki.rulerFullname" .}}
 
-    {{- $distributorUrl := printf "http://%s.%s.svc.%s:3100" $distributorHost .Release.Namespace .Values.global.clusterDomain -}}
-    {{- $ingesterUrl := printf "http://%s.%s.svc.%s:3100" $ingesterHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $queryFrontendUrl := printf "http://%s.%s.svc.%s:3100" $queryFrontendHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $indexGatewayUrl := printf "http://%s.%s.svc.%s:3100" $indexGatewayHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $rulerUrl := printf "http://%s.%s.svc.%s:3100" $rulerHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $distributorUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $distributorHost .Release.Namespace .Values.global.clusterDomain -}}
+    {{- $ingesterUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $ingesterHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $queryFrontendUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $queryFrontendHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $indexGatewayUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $indexGatewayHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $rulerUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $rulerHost .Release.Namespace .Values.global.clusterDomain }}
 
     {{- if not "loki.deployment.isDistributed "}}
     {{- $distributorUrl = $writeUrl }}
     {{- $ingesterUrl = $writeUrl }}
     {{- $queryFrontendUrl = $readUrl }}
     {{- $indexGatewayUrl = $backendUrl }}
     {{- $rulerUrl = $backendUrl }}
-    {{- end -}}-}}
+    {{- end -}}
 
     # Distributor
     location = /api/prom/push {

production/helm/loki/templates/loki-canary/daemonset.yaml

@@ -57,6 +57,10 @@ spec:
             {{- end }}
           securityContext:
             {{- toYaml $.Values.loki.containerSecurityContext | nindent 12 }}
+          volumeMounts:
+            {{- with $.Values.monitoring.lokiCanary.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           ports:
             - name: http-metrics
               containerPort: 3500
@@ -107,5 +111,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+      {{- with $.Values.monitoring.lokiCanary.extraVolumes }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
 {{- end }}

production/helm/loki/templates/monitoring/logs-instance.yaml

@@ -27,4 +27,4 @@ spec:
     matchLabels:
       {{- include "loki.selectorLabels" $ | nindent 6 }}
 {{- end -}}
-{{- end -}}
+{{- end -}}

production/helm/loki/values.yaml

@@ -714,6 +714,10 @@ monitoring:
     extraEnv: []
     # -- Environment variables from secrets or configmaps to add to the canary pods
     extraEnvFrom: []
+    # -- Volume mounts to add to the canary pods
+    extraVolumeMounts: []
+    # -- Volumes to add to the canary pods
+    extraVolumes: []
     # -- Resource requests and limits for the canary
     resources: {}
     # -- DNS config for canary pods
@@ -2342,6 +2346,8 @@ gateway:
     initialDelaySeconds: 15
     timeoutSeconds: 1
   nginxConfig:
+    # -- Which schema to be used when building URLs. Can be 'http' or 'https'.
+    schema: http
     # -- Enable listener for IPv6, disable on IPv4-only systems
     enableIPv6: true
     # -- NGINX log format
@@ -2354,6 +2360,8 @@ gateway:
     # -- Allows appending custom configuration to the http block, passed through the `tpl` function to allow templating
     httpSnippet: >-
       {{ if .Values.loki.tenants }}proxy_set_header X-Scope-OrgID $remote_user;{{ end }}
+    # -- Whether ssl should be appended to the listen directive of the server block or not.
+    ssl: false
     # -- Override Read URL
     customReadUrl: null
     # -- Override Write URL