Skip to content

feat(system): add talos-log-collector package#3260

Open
IvanHunters wants to merge 1 commit into
mainfrom
feat/talos-log-collector
Open

feat(system): add talos-log-collector package#3260
IvanHunters wants to merge 1 commit into
mainfrom
feat/talos-log-collector

Conversation

@IvanHunters

@IvanHunters IvanHunters commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

What this PR does

Adds talos-log-collector, an optional system package: a node-local Vector
DaemonSet that receives Talos machine and kernel logs and forwards them to the
tenant VictoriaLogs (vlinsert), alongside the container/audit/event logs
already collected by monitoring-agents.

Talos keeps system and kernel (kmsg) logs inside the OS and does not write them
to a host file the Fluent Bit tail input could read, so these logs are
currently never collected. Vector receives them over the node loopback
(Talos machine.logging); on Talos v1.12 machine.logging already forwards
the runtime kernel (kmsg) stream as the kernel service, so no separate
KmsgLogConfig is required for runtime kernel logs.

Design notes:

  • The pod stays on the pod network so cluster DNS resolves vlinsert with no
    extra config. Talos pushes to 127.0.0.1:5170; a hostPort bound to
    hostIP: 127.0.0.1 publishes that loopback socket into the pod via portmap,
    keeping the receiver off the host network (no node-wide pod exposure).
  • A CiliumNetworkPolicy restricts ingress on the listen port to the host
    entity, so other pods cannot inject spoofed log lines.
  • Runs non-root, read-only root filesystem, all capabilities dropped.
  • Optional package (opt-in via bundles.enabledPackages): inert until each
    Talos node is configured to push logs. Node-side setup is in the README.

Verified end-to-end on a Talos v1.12 dev cluster: service and kernel logs
(including DRBD kmsg) reach VictoriaLogs; pods run non-root with 0 restarts.

Release note

feat(system): add talos-log-collector package to collect Talos machine and kernel logs into VictoriaLogs

Summary by CodeRabbit

  • New Features
    • Added an optional node-local Talos log collector that receives Talos + kernel logs via loopback and forwards them to the platform log ingestion endpoint.
    • Added default configuration for log level, loopback TCP listen port, image, resources, and destination target.
    • Included an optional Cilium network policy to restrict ingestion traffic.
  • Security
    • Runs with hardened, non-root settings and reduced container privileges.
  • Documentation
    • Added installation, configuration, and teardown documentation for the collector.
  • Build & Release
    • Updated the build process to also build the collector image.
  • Tests
    • Added Helm rendering/contract tests covering the collector chart templates.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds a talos-log-collector system package: a Vector DaemonSet that receives Talos logs on a loopback TCP port and forwards them to VictoriaLogs. It includes Helm templates, values/schema, tests, documentation, an image mirror, and platform/build wiring.

Changes

Talos Log Collector Package

Layer / File(s) Summary
Platform source and bundle wiring
Makefile, packages/core/platform/sources/talos-log-collector.yaml, packages/core/platform/templates/bundles/system.yaml
Build now includes the collector image; the package is registered as a platform source and exposed through the optional system bundle.
Chart packaging and image build
packages/system/talos-log-collector/Chart.yaml, packages/system/talos-log-collector/Makefile, packages/system/talos-log-collector/images/vector/Dockerfile
Defines chart metadata, package automation targets, and a mirrored Vector image Dockerfile.
Collector runtime templates
packages/system/talos-log-collector/templates/*
Adds the Vector pipeline, DaemonSet, loopback host port, VictoriaLogs sink, service account, network policy, scheduling, and hardened security settings.
Values and rendered template validation
packages/system/talos-log-collector/values.yaml, packages/system/talos-log-collector/values.schema.json, packages/system/talos-log-collector/tests/*
Defines configurable defaults and schema validation, with tests covering rendering, routing, ports, security, and ingress policy.
Package documentation
packages/system/talos-log-collector/README.md
Documents architecture, Talos logging configuration, operational behavior, teardown, and parameters.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Talos
  participant Vector
  participant VictoriaLogs
  Talos->>Vector: Send JSON logs to 127.0.0.1:5170
  Vector->>VictoriaLogs: POST compressed NDJSON to vlinsert-generic
Loading

Possibly related PRs

Suggested labels: area/virtualization, area/networking

Suggested reviewers: sircthulhu, kvaps, androndo, lllamnyp, lexfrei

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding the talos-log-collector system package.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/talos-log-collector

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Trivy (0.69.3)

Trivy execution failed: 2026-07-10T12:35:58Z FATAL Fatal error run error: fs scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: kubernetes scan error: fs filter error: fs filter error: walk error range error: stat smartylint.json: no such file or directory: range error: stat smartylint.json: no such file or directory


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added area/uncategorized PR auto-labeler could not map title scope to a known area/*; please review kind/feature Categorizes issue or PR as related to a new feature size/L This PR changes 100-499 lines, ignoring generated files labels Jul 9, 2026
@IvanHunters IvanHunters force-pushed the feat/talos-log-collector branch from bddc1d5 to cf184fe Compare July 9, 2026 14:28
@github-actions github-actions Bot added size/XL This PR changes 500-999 lines, ignoring generated files and removed size/L This PR changes 100-499 lines, ignoring generated files labels Jul 9, 2026
@IvanHunters IvanHunters marked this pull request as ready for review July 9, 2026 14:48
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request adds the talos-log-collector system package to the platform. The collector fills a gap in log visibility by capturing Talos machine and kernel logs that are not otherwise accessible to standard monitoring agents. It utilizes a node-local Vector instance that receives logs over the loopback interface and forwards them to VictoriaLogs, ensuring secure and efficient log aggregation while maintaining strict security practices such as non-root execution and network ingress restrictions.

Highlights

  • New Package Addition: Introduced the talos-log-collector package, a node-local Vector DaemonSet designed to collect Talos machine and kernel logs.
  • Log Forwarding: Configured the collector to forward logs to the in-cluster VictoriaLogs (vlinsert) service.
  • Security and Network: Implemented a CiliumNetworkPolicy to restrict ingress to the host entity and configured the pod to run with a read-only root filesystem and dropped capabilities.
  • Integration: Added the package to the system bundle and updated the Makefile to support image building for the new component.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment Gemini (@gemini-code-assist) Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on Gemini (@gemini-code-assist) comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@dosubot dosubot Bot added the area/platform Issues or PRs related to platform infrastructure (bundle, flux, talos, installer) label Jul 9, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/system/talos-log-collector/tests/talos-log-collector_test.yaml (1)

88-102: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding test coverage for ServiceAccount and CiliumNetworkPolicy.

The suite covers the receive/forward wiring well, but the ServiceAccount (disabled token automount) and CiliumNetworkPolicy (ingress restricted to host entity) are security-relevant templates with no test coverage. A separate test suite or expanded suite-level templates: list would guard these against regression.

💡 Suggested additional test cases
+  - it: "ServiceAccount has token automount disabled"
+    template: templates/serviceaccount.yaml
+    asserts:
+      - equal:
+          path: automountServiceAccountToken
+          value: false
+
+  - it: "CiliumNetworkPolicy restricts ingress to host entity on listen port"
+    template: templates/networkpolicy.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - matchRegex:
+          path: spec.ingresss[0].toPorts[0].ports[0].port
+          pattern: "5170"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/system/talos-log-collector/tests/talos-log-collector_test.yaml`
around lines 88 - 102, Add test coverage for the security-relevant templates
that are currently untested: the ServiceAccount should assert token automount is
disabled, and the CiliumNetworkPolicy should assert ingress is restricted to the
host entity. Update the talos-log-collector test suite in
talos-log-collector_test.yaml by either expanding the suite-level templates list
or adding a separate suite that targets the ServiceAccount and
CiliumNetworkPolicy templates, using their template names to keep the checks
stable against refactors.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/system/talos-log-collector/README.md`:
- Around line 65-66: Update the resources table in README so the `resources.cpu`
entry matches `daemonset.yaml`: it is request-only, not request-and-limit. Keep
the `resources.memory` description unchanged, and make sure the wording for
`resources.cpu` reflects the actual behavior of the `resources` settings in
`packages/system/talos-log-collector/templates/daemonset.yaml`.

---

Nitpick comments:
In `@packages/system/talos-log-collector/tests/talos-log-collector_test.yaml`:
- Around line 88-102: Add test coverage for the security-relevant templates that
are currently untested: the ServiceAccount should assert token automount is
disabled, and the CiliumNetworkPolicy should assert ingress is restricted to the
host entity. Update the talos-log-collector test suite in
talos-log-collector_test.yaml by either expanding the suite-level templates list
or adding a separate suite that targets the ServiceAccount and
CiliumNetworkPolicy templates, using their template names to keep the checks
stable against refactors.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 35325edd-dd66-4e0f-9c52-c7e9ab51d4f9

📥 Commits

Reviewing files that changed from the base of the PR and between 6b1e170 and cf184fe.

📒 Files selected for processing (15)
  • Makefile
  • packages/core/platform/sources/talos-log-collector.yaml
  • packages/core/platform/templates/bundles/system.yaml
  • packages/system/talos-log-collector/Chart.yaml
  • packages/system/talos-log-collector/Makefile
  • packages/system/talos-log-collector/README.md
  • packages/system/talos-log-collector/images/vector/Dockerfile
  • packages/system/talos-log-collector/templates/_helpers.tpl
  • packages/system/talos-log-collector/templates/configmap.yaml
  • packages/system/talos-log-collector/templates/daemonset.yaml
  • packages/system/talos-log-collector/templates/networkpolicy.yaml
  • packages/system/talos-log-collector/templates/serviceaccount.yaml
  • packages/system/talos-log-collector/tests/talos-log-collector_test.yaml
  • packages/system/talos-log-collector/values.schema.json
  • packages/system/talos-log-collector/values.yaml

Comment thread packages/system/talos-log-collector/README.md

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the talos-log-collector package, which deploys a node-local Vector DaemonSet to collect Talos machine and kernel logs and forward them to VictoriaLogs. The feedback suggests using the dig function in the ConfigMap template to safely access .Values.global.target and avoid nil pointer errors, updating the PR scope to comply with the repository's conventional commit guidelines, and adding the CriticalAddonsOnly toleration to the DaemonSet to ensure proper scheduling on control-plane nodes.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

victorialogs:
type: http
inputs: [tag]
uri: "http://vlinsert-generic.{{ .Values.global.target }}.svc:9481/insert/jsonline?_stream_fields=node,log_source,talos-service,facility&_msg_field=msg&_time_field=talos-time"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Directly accessing .Values.global.target can cause a nil pointer evaluation error if .Values.global is overridden or not defined in the parent chart or values. Using the Sprig dig function provides a safe fallback and prevents template rendering failures.

        uri: "http://vlinsert-generic.{{ dig \"global\" \"target\" \"tenant-root\" .Values }}.svc:9481/insert/jsonline?_stream_fields=node,log_source,talos-service,facility&_msg_field=msg&_time_field=talos-time"

Comment on lines +1 to +5
---
apiVersion: cozystack.io/v1alpha1
kind: PackageSource
metadata:
name: cozystack.talos-log-collector

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

The PR title and release note block use the scope system (e.g., feat(system): ...). According to the Cozystack Review Guidelines, system is not a valid scope. Please update the PR title and release note to use a valid scope, such as the package-specific scope talos-log-collector or platform.

References
  1. Each commit must follow Conventional Commits format: type(scope): brief description. Valid scopes include package-specific scopes matching a directory under packages/. (link)

Comment on lines +70 to +74
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

For system-critical DaemonSets running on all nodes, it is recommended to explicitly tolerate the CriticalAddonsOnly taint. This ensures the log collector can schedule and run on control-plane nodes that have this taint applied.

      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists

@IvanHunters IvanHunters force-pushed the feat/talos-log-collector branch from cf184fe to 0513194 Compare July 9, 2026 15:19

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
packages/system/talos-log-collector/templates/daemonset.yaml (1)

35-69: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider adding a liveness probe for the system-node-critical DaemonSet.

Without a livenessProbe, Kubernetes cannot detect a hung Vector process. A TCP probe on the listen port is a minimal safeguard; enabling Vector's internal API for an HTTP health check would be more thorough.

♻️ Suggested liveness probe
         args: ["--config", "/etc/vector/vector.yaml"]
+        livenessProbe:
+          tcpSocket:
+            port: talos
+          initialDelaySeconds: 10
+          periodSeconds: 30
         env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/system/talos-log-collector/templates/daemonset.yaml` around lines 35
- 69, Add a livenessProbe to the DaemonSet container in the vector template so
Kubernetes can detect a hung Vector process. Use the existing VECTOR listener
port on the vector container (the same listenPort/hostPort target) and wire it
into the containers spec near the current ports/resources settings. If you
choose a more thorough check later, enable Vector’s internal API and switch to
an HTTP health probe, but for now a TCP probe is the minimal fix.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/system/talos-log-collector/templates/daemonset.yaml`:
- Around line 35-69: Add a livenessProbe to the DaemonSet container in the
vector template so Kubernetes can detect a hung Vector process. Use the existing
VECTOR listener port on the vector container (the same listenPort/hostPort
target) and wire it into the containers spec near the current ports/resources
settings. If you choose a more thorough check later, enable Vector’s internal
API and switch to an HTTP health probe, but for now a TCP probe is the minimal
fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ac821759-03db-45f1-81ad-6c592bafb079

📥 Commits

Reviewing files that changed from the base of the PR and between cf184fe and 0513194.

📒 Files selected for processing (15)
  • Makefile
  • packages/core/platform/sources/talos-log-collector.yaml
  • packages/core/platform/templates/bundles/system.yaml
  • packages/system/talos-log-collector/Chart.yaml
  • packages/system/talos-log-collector/Makefile
  • packages/system/talos-log-collector/README.md
  • packages/system/talos-log-collector/images/vector/Dockerfile
  • packages/system/talos-log-collector/templates/_helpers.tpl
  • packages/system/talos-log-collector/templates/configmap.yaml
  • packages/system/talos-log-collector/templates/daemonset.yaml
  • packages/system/talos-log-collector/templates/networkpolicy.yaml
  • packages/system/talos-log-collector/templates/serviceaccount.yaml
  • packages/system/talos-log-collector/tests/talos-log-collector_test.yaml
  • packages/system/talos-log-collector/values.schema.json
  • packages/system/talos-log-collector/values.yaml
✅ Files skipped from review due to trivial changes (3)
  • packages/system/talos-log-collector/templates/_helpers.tpl
  • packages/system/talos-log-collector/values.yaml
  • packages/system/talos-log-collector/README.md
🚧 Files skipped from review as they are similar to previous changes (7)
  • packages/core/platform/sources/talos-log-collector.yaml
  • packages/system/talos-log-collector/Chart.yaml
  • packages/system/talos-log-collector/values.schema.json
  • Makefile
  • packages/system/talos-log-collector/images/vector/Dockerfile
  • packages/core/platform/templates/bundles/system.yaml
  • packages/system/talos-log-collector/tests/talos-log-collector_test.yaml

@sircthulhu

Copy link
Copy Markdown
Contributor

I think we should use already existing package monitoring-agents and add opt-in (default disabled) parameter to enable enpoints for accepting talos jsonlines logs.

Additionaly, I don't think using vector is justified. It's another technology and possible new problems. On the other hand, using fluent-bit would be more straight-forward and we'd know what to expect.

Add a node-local Vector DaemonSet that receives Talos machine and kernel
logs (pushed via machine.logging over the node loopback) and forwards them
to the tenant VictoriaLogs. Talos keeps its system and kernel logs inside
the OS and does not expose them as host files, so the tail-based Fluent Bit
in monitoring-agents never collects them.

The receiver stays on the pod network so cluster DNS resolves the vlinsert
service, and accepts Talos logs via a hostPort bound to hostIP 127.0.0.1,
avoiding the host-network DNS breakage a hostNetwork receiver would hit.
Shipped as an optional system package.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
@IvanHunters IvanHunters force-pushed the feat/talos-log-collector branch from 0513194 to 1fb4bcf Compare July 10, 2026 12:34

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
packages/system/talos-log-collector/tests/talos-log-collector_test.yaml (2)

41-51: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Tolerations test only covers NoSchedule; NoExecute is unverified.

The suite comment states "runs on every node (tolerate everything)" but the assertion only checks the NoSchedule toleration. The DaemonSet template also includes a NoExecute toleration. Adding an assertion for it would complete the coverage claim.

♻️ Suggested additional assertion
       - contains:
           path: spec.template.spec.tolerations
           content:
             effect: NoSchedule
             operator: Exists
+      - contains:
+          path: spec.template.spec.tolerations
+          content:
+            effect: NoExecute
+            operator: Exists
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/system/talos-log-collector/tests/talos-log-collector_test.yaml`
around lines 41 - 51, Add an assertion to the “runs on every node and is
node-critical” test verifying that the DaemonSet tolerations also include
effect: NoExecute with operator: Exists, alongside the existing NoSchedule
assertion.

20-27: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding a digest-pinning assertion for the image.

The regex verifies the first-party repository but doesn't assert that the image is digest-pinned (sha256:). Other system packages in the repo use patterns like vector:.+sha256: to enforce immutability without coupling to a specific digest. A separate assertion would guard against accidental non-pinned tags.

Based on learnings, in the cozystack/cozystack repo it is acceptable and intentional for image-pin assertions to use tag/digest-agnostic regexes that verify digest pinning (e.g., :.+sha256:) rather than a specific full digest value.

♻️ Suggested additional assertion
   - it: "DaemonSet pulls the first-party vector image from the cozystack registry"
     template: templates/daemonset.yaml
     asserts:
       - isKind:
           of: DaemonSet
       - matchRegex:
           path: spec.template.spec.containers[0].image
           pattern: "^ghcr\\.io/cozystack/cozystack/vector:"
+      - matchRegex:
+          path: spec.template.spec.containers[0].image
+          pattern: "sha256:"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/system/talos-log-collector/tests/talos-log-collector_test.yaml`
around lines 20 - 27, Add a separate matchRegex assertion for
spec.template.spec.containers[0].image in the DaemonSet test, using a pattern
such as `:.+sha256:` to require a digest-pinned image while remaining
independent of the specific digest.

Source: Learnings

packages/system/talos-log-collector/templates/daemonset.yaml (1)

35-69: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider adding a liveness probe for hang detection.

No liveness probe is configured. If Vector hangs (e.g., deadlock or resource exhaustion), the pod stays Running but silently stops collecting logs — particularly impactful for a system-node-critical DaemonSet. Enabling Vector's built-in health endpoint and adding an HTTP liveness probe is a small change with significant reliability benefit.

💡 Proposed liveness probe addition

In configmap.yaml, enable the Vector API (bound to loopback so it's not exposed to other pods):

     data_dir: /vector-data
+    api:
+      enabled: true
+      address: 127.0.0.1:52000
     sources:

In daemonset.yaml, add the probe:

         args: ["--config", "/etc/vector/vector.yaml"]
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 52000
+            host: 127.0.0.1
+          initialDelaySeconds: 10
+          periodSeconds: 30
         env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/system/talos-log-collector/templates/daemonset.yaml` around lines 35
- 69, Add Vector’s built-in health API configuration to the chart’s configmap
and add an HTTP liveness probe to the vector container in the DaemonSet,
targeting the loopback API health endpoint and the configured listen port.
Ensure the probe uses appropriate delay, timeout, and failure thresholds without
exposing the API beyond the node.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/system/talos-log-collector/templates/daemonset.yaml`:
- Around line 35-69: Add Vector’s built-in health API configuration to the
chart’s configmap and add an HTTP liveness probe to the vector container in the
DaemonSet, targeting the loopback API health endpoint and the configured listen
port. Ensure the probe uses appropriate delay, timeout, and failure thresholds
without exposing the API beyond the node.

In `@packages/system/talos-log-collector/tests/talos-log-collector_test.yaml`:
- Around line 41-51: Add an assertion to the “runs on every node and is
node-critical” test verifying that the DaemonSet tolerations also include
effect: NoExecute with operator: Exists, alongside the existing NoSchedule
assertion.
- Around line 20-27: Add a separate matchRegex assertion for
spec.template.spec.containers[0].image in the DaemonSet test, using a pattern
such as `:.+sha256:` to require a digest-pinned image while remaining
independent of the specific digest.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4f6d193b-785b-41b2-99cd-1df5f125107f

📥 Commits

Reviewing files that changed from the base of the PR and between 0513194 and 1fb4bcf.

📒 Files selected for processing (15)
  • Makefile
  • packages/core/platform/sources/talos-log-collector.yaml
  • packages/core/platform/templates/bundles/system.yaml
  • packages/system/talos-log-collector/Chart.yaml
  • packages/system/talos-log-collector/Makefile
  • packages/system/talos-log-collector/README.md
  • packages/system/talos-log-collector/images/vector/Dockerfile
  • packages/system/talos-log-collector/templates/_helpers.tpl
  • packages/system/talos-log-collector/templates/configmap.yaml
  • packages/system/talos-log-collector/templates/daemonset.yaml
  • packages/system/talos-log-collector/templates/networkpolicy.yaml
  • packages/system/talos-log-collector/templates/serviceaccount.yaml
  • packages/system/talos-log-collector/tests/talos-log-collector_test.yaml
  • packages/system/talos-log-collector/values.schema.json
  • packages/system/talos-log-collector/values.yaml
✅ Files skipped from review due to trivial changes (6)
  • packages/system/talos-log-collector/values.yaml
  • packages/system/talos-log-collector/Chart.yaml
  • packages/system/talos-log-collector/templates/_helpers.tpl
  • Makefile
  • packages/system/talos-log-collector/images/vector/Dockerfile
  • packages/system/talos-log-collector/README.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/system/talos-log-collector/values.schema.json
  • packages/core/platform/templates/bundles/system.yaml
  • packages/core/platform/sources/talos-log-collector.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/platform Issues or PRs related to platform infrastructure (bundle, flux, talos, installer) area/uncategorized PR auto-labeler could not map title scope to a known area/*; please review kind/feature Categorizes issue or PR as related to a new feature size/XL This PR changes 500-999 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants