Alloy (Collector)

Namespace: alloy | Operator: alloy-operator | Manifests: infrastructure/monitoring/alloy/

Two separate Alloy CRs run as Deployments, split by concern so they can have different RBAC permissions.

alloy-logs

Collects pod logs cluster-wide and forwards them to Loki.

• Discovers all pods via the Kubernetes API (discovery.kubernetes)
• Relabels metadata into consistent labels (namespace, pod, container, app, job) at collection time, so Loki doesn't need to parse them later
• Pushes to http://loki-gateway.loki.svc.cluster.local/loki/api/v1/push (see Loki)

RBAC: needs get/list/watch on pods, pods/log, namespaces.

alloy-metrics

Scrapes metrics using Prometheus Operator CRDs and remote-writes to Mimir.

• Watches PodMonitor and ServiceMonitor CRDs across all namespaces — this is why prometheus-crds must be installed first (those CRDs come from it)
• Remote-writes to http://mimir-gateway.mimir.svc.cluster.local/api/v1/push (see Mimir)
• X-Scope-OrgID: anonymous header is required because Mimir runs in single-tenant mode and expects a tenant ID on every request
• mimir.rules.kubernetes syncs any PrometheusRule CRDs into Mimir's ruler — currently no PrometheusRules exist, so this is a no-op

RBAC: needs get/list/watch on podmonitors, servicemonitors, scrapeconfigs, probes, prometheusrules (all under monitoring.coreos.com).