From 0fb52c50ffa0d9de4316f20bb84a3c81b2017bfa Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Sun, 28 Dec 2025 20:17:04 -0600 Subject: [PATCH] prometheus mtls working --- .gitignore | 3 ++- certs/.gitkeep | 0 docker-compose.yml | 8 ++++-- grafana-alloy/config.alloy | 50 +++++++++++++++++++++----------------- 4 files changed, 36 insertions(+), 25 deletions(-) create mode 100644 certs/.gitkeep diff --git a/.gitignore b/.gitignore index e6905a2..2eb051c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -.env* \ No newline at end of file +.env* +certs/ \ No newline at end of file diff --git a/certs/.gitkeep b/certs/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/docker-compose.yml b/docker-compose.yml index ee98482..917954c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,9 +12,13 @@ services: image: grafana/alloy container_name: grafana-alloy restart: unless-stopped + privileged: true volumes: - - ./grafana-alloy/config.alloy:/etc/alloy/config.alloy - /var/run/docker.sock:/var/run/docker.sock + - ./grafana-alloy/config.alloy:/etc/alloy/config.alloy + - ./certs:/etc/alloy/certs + ports: + - '12345:12345' command: - run - --server.http.listen-addr=0.0.0.0:12345 @@ -33,7 +37,7 @@ services: WATCHTOWER_SCHEDULE: "0 0 3 * * *" docker-proxy: - image: ghcr.io/tecnativa/docker-socket-proxy:latest + image: ghcr.io/tecnativa/docker-socket-proxy container_name: docker-proxy restart: unless-stopped ports: diff --git a/grafana-alloy/config.alloy b/grafana-alloy/config.alloy index bf4b9d8..3b6c679 100644 --- a/grafana-alloy/config.alloy +++ b/grafana-alloy/config.alloy @@ -4,6 +4,7 @@ prometheus.exporter.cadvisor "docker_metrics" { docker_host = "unix:///var/run/docker.sock" storage_duration = "5m" + allowlisted_container_labels = ["name", "container", "container_name", "id"] } prometheus.scrape "scraper" { 
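Review bot: `privileged: true` on the grafana-alloy service, combined with the raw `/var/run/docker.sock` bind mount, hands the agent unrestricted root on the host, and the commit gives no reason for it; the same compose file already runs a `docker-proxy` (tecnativa/docker-socket-proxy), so the cadvisor exporter and `discovery.docker` could be pointed at that proxy over TCP and the socket mount and `privileged` dropped, or at worst replaced with the specific read-only host paths cadvisor needs (I am inferring that cgroup/sysfs access is why it was added — worth confirming before keeping it). The new `./certs` mount carries a private key and should be read-only: `- ./certs:/etc/alloy/certs:ro`. The new `ports: - '12345:12345'` together with `--server.http.listen-addr=0.0.0.0:12345` publishes Alloy's UI/API on every host interface; bind it to loopback, `- '127.0.0.1:12345:12345'`, or remove the mapping if nothing outside the host needs it.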
@@ -15,7 +16,12 @@ prometheus.scrape "scraper" { prometheus.remote_write "default" { endpoint { - url = "http://prometheus:9090/api/v1/write" + url = "https://prometheus.john-stream.com:9090/api/v1/write" + tls_config { + cert_file = "/etc/alloy/certs/prometheus.crt" + key_file = "/etc/alloy/certs/prometheus.key" + ca_file = "/etc/alloy/certs/root_ca.crt" + } } } @@ -23,27 +29,27 @@ discovery.docker "linux" { host = "unix:///var/run/docker.sock" } -discovery.relabel "logs_integrations_docker" { - targets = [] +// discovery.relabel "logs_integrations_docker" { +// targets = [] - rule { - source_labels = ["__meta_docker_container_name"] - regex = "/(.*)" - target_label = "service_name" - } -} +// rule { +// source_labels = ["__meta_docker_container_name"] +// regex = "/(.*)" +// target_label = "service_name" +// } +// } -loki.source.docker "default" { - host = "unix:///var/run/docker.sock" - targets = discovery.docker.linux.targets - labels = {"platform" = "docker"} - relabel_rules = discovery.relabel.logs_integrations_docker.rules - forward_to = [loki.write.default.receiver] -} +// loki.source.docker "default" { +// host = "unix:///var/run/docker.sock" +// targets = discovery.docker.linux.targets +// labels = {"platform" = "docker"} +// relabel_rules = discovery.relabel.logs_integrations_docker.rules +// forward_to = [loki.write.default.receiver] +// } -loki.write "default" { - endpoint { - url = "http://loki:3100/loki/api/v1/push" - } - external_labels = {} -} +// loki.write "default" { +// endpoint { +// url = "http://loki:3100/loki/api/v1/push" +// } +// external_labels = {} +// }
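Review bot: The client identity in the new `tls_config` is `prometheus.crt`/`prometheus.key`, which by name looks like the Prometheus server's own certificate and key copied to the agent side; if so, a compromise of this container also yields the server's private key, and the server is effectively authenticating itself. Issue the agent its own leaf (e.g. `/etc/alloy/certs/alloy.crt` / `alloy.key`) signed by the same root, with the client-auth EKU, and keep the server key off this host — hedged, since the actual certificate contents are not visible here. A short comment above the block would also save the next reader a trip to the docs: `// mTLS to the public Prometheus endpoint: client cert/key from ./certs (gitignored), root_ca.crt must be the CA that signed the server cert; insecure_skip_verify is intentionally left at its default of false.`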
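Review bot: `discovery.docker "linux"` is left active in the context lines while its only visible consumer, `loki.source.docker "default"`, is commented out, so the component keeps polling the Docker socket for targets nobody reads unless something outside this hunk references `discovery.docker.linux.targets`. Either comment it out alongside the Loki pipeline or, better, delete the three disabled blocks outright — git history preserves them, and 25 lines of `//` config tend to drift out of date and get uncommented broken later. If the Loki path is meant to come back soon, a one-line `// Loki shipping disabled until the Loki endpoint also has TLS; re-enable discovery.relabel + loki.source.docker + loki.write together` at the top of the disabled region explains the state to the next reader.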