Fix: Sidecar configuration for Backend (#10603)
**What this PR does / why we need it**: **Which issue(s) this PR fixes**: Fixes #<issue number> **Special notes for your reviewer**: **Checklist** - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (**required**) - [ ] Documentation added - [ ] Tests updated - [ ] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [x] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](d10549e) With these values: ```yaml sidecar: image: # -- The Docker registry and image for the k8s sidecar repository: kiwigrid/k8s-sidecar # -- Docker image tag tag: 1.24.3 # -- Docker image sha. If empty, no sha will be used sha: "" # -- Docker image pull policy pullPolicy: IfNotPresent # -- Resource requests and limits for the sidecar resources: #{} limits: cpu: 100m memory: 100Mi requests: cpu: 50m memory: 50Mi # -- The SecurityContext for the sidecar. securityContext: runAsNonRoot: true runAsGroup: 10001 runAsUser: 10001 fsGroup: 10001 # -- Set to true to skip tls verification for kube api calls. skipTlsVerify: false # -- Ensure that rule files aren't conflicting and being overwritten by prefixing their name with the namespace they are defined in. enableUniqueFilenames: false # -- Readiness probe definition. Probe is disabled on the sidecar by default. readinessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 # -- Liveness probe definition. Probe is disabled on the sidecar by default. livenessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 rules: # -- Whether or not to create a sidecar to ingest rule from specific ConfigMaps and/or Secrets. 
enabled: true # -- Label that the configmaps/secrets with rules will be marked with. label: loki_rule # -- Label value that the configmaps/secrets with rules will be set to. labelValue: "" # -- Folder into which the rules will be placed. folder: /rules # -- Comma separated list of namespaces. If specified, the sidecar will search for config-maps/secrets inside these namespaces. # Otherwise the namespace in which the sidecar is running will be used. # It's also possible to specify 'ALL' to search in all namespaces. searchNamespace: null # -- Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH request, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. watchMethod: WATCH # -- Search in configmap, secret, or both. resource: both # -- Absolute path to the shell script to execute after a configmap or secret has been reloaded. script: null # -- WatchServerTimeout: request to the server, asking it to cleanly close the connection after that. # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S. watchServerTimeout: 60 # # -- WatchClientTimeout: is a client-side timeout, configuring your local socket. # If you have a network outage dropping all packets with no RST/FIN, # this is how long your client waits before realizing & dropping the connection. # Defaults to 66sec. watchClientTimeout: 60 # -- Log level of the sidecar container. 
logLevel: INFO ``` Before the patch: ```yaml --- apiVersion: apps/v1 kind: StatefulSet metadata: name: loki-backend namespace: default labels: helm.sh/chart: loki-5.22.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/version: "2.9.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: backend app.kubernetes.io/part-of: memberlist spec: replicas: 3 podManagementPolicy: Parallel updateStrategy: rollingUpdate: partition: 0 serviceName: loki-backend-headless revisionHistoryLimit: 10 persistentVolumeClaimRetentionPolicy: whenDeleted: Delete whenScaled: Delete selector: matchLabels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend template: metadata: annotations: checksum/config: a9f8d008a1b589265e3fa894e3b81ab2a4132bb741d3b6e8db304a1e6b6d3ba5 labels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend app.kubernetes.io/part-of: memberlist spec: serviceAccountName: loki automountServiceAccountToken: true securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 terminationGracePeriodSeconds: 300 containers: - name: loki-sc-rules image: "kiwigrid/k8s-sidecar:1.24.3" imagePullPolicy: IfNotPresent env: - name: METHOD value: WATCH - name: LABEL value: "loki_rule" - name: FOLDER value: "/rules" - name: RESOURCE value: "both" - name: WATCH_SERVER_TIMEOUT value: "60" - name: WATCH_CLIENT_TIMEOUT value: "60" - name: LOG_LEVEL value: "INFO" livenessProbe: null readinessProbe: null resources: limits: cpu: 100m memory: 100Mi requests: cpu: 50m memory: 50Mi securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 volumeMounts: - name: sc-rules-volume mountPath: "/rules" - name: loki image: docker.io/grafana/loki:2.9.1 imagePullPolicy: IfNotPresent args: - -config.file=/etc/loki/config/config.yaml - -target=backend - -legacy-read-mode=false ports: - name: 
http-metrics containerPort: 3100 protocol: TCP - name: grpc containerPort: 9095 protocol: TCP - name: http-memberlist containerPort: 7946 protocol: TCP securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true readinessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 volumeMounts: - name: config mountPath: /etc/loki/config - name: runtime-config mountPath: /etc/loki/runtime-config - name: tmp mountPath: /tmp - name: data mountPath: /var/loki - name: sc-rules-volume mountPath: "/rules" resources: {} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend topologyKey: kubernetes.io/hostname volumes: - name: tmp emptyDir: {} - name: config configMap: name: loki items: - key: "config.yaml" path: "config.yaml" - name: runtime-config configMap: name: loki-runtime - name: sc-rules-volume emptyDir: {} volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: "10Gi" ``` After the patch: ```yaml --- # Source: loki/templates/backend/statefulset-backend.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: loki-backend namespace: default labels: helm.sh/chart: loki-5.22.1 app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/version: "2.9.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: backend app.kubernetes.io/part-of: memberlist spec: replicas: 3 podManagementPolicy: Parallel updateStrategy: rollingUpdate: partition: 0 serviceName: loki-backend-headless revisionHistoryLimit: 10 persistentVolumeClaimRetentionPolicy: whenDeleted: Delete whenScaled: Delete selector: matchLabels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend template: metadata: annotations: 
checksum/config: f1823dbb8a5e31ab8d2ad66878f6abb71a9e0f49c8768462d873da21192e208b labels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend app.kubernetes.io/part-of: memberlist spec: serviceAccountName: loki automountServiceAccountToken: true securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 terminationGracePeriodSeconds: 300 containers: - name: loki-sc-rules image: "kiwigrid/k8s-sidecar:1.24.3" imagePullPolicy: IfNotPresent env: - name: METHOD value: WATCH - name: LABEL value: "loki_rule" - name: FOLDER value: "/rules" - name: RESOURCE value: "both" - name: WATCH_SERVER_TIMEOUT value: "60" - name: WATCH_CLIENT_TIMEOUT value: "60" - name: LOG_LEVEL value: "INFO" livenessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 readinessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 resources: limits: cpu: 100m memory: 100Mi requests: cpu: 50m memory: 50Mi securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 volumeMounts: - name: sc-rules-volume mountPath: "/rules" - name: loki image: docker.io/grafana/loki:2.9.1 imagePullPolicy: IfNotPresent args: - -config.file=/etc/loki/config/config.yaml - -target=backend - -legacy-read-mode=false ports: - name: http-metrics containerPort: 3100 protocol: TCP - name: grpc containerPort: 9095 protocol: TCP - name: http-memberlist containerPort: 7946 protocol: TCP securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true readinessProbe: httpGet: path: /ready port: http-metrics initialDelaySeconds: 30 timeoutSeconds: 1 volumeMounts: - name: config mountPath: /etc/loki/config - name: runtime-config mountPath: /etc/loki/runtime-config - name: tmp mountPath: /tmp - name: data mountPath: /var/loki - name: sc-rules-volume mountPath: "/rules" resources: {} affinity: podAntiAffinity: 
requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: app.kubernetes.io/name: loki app.kubernetes.io/instance: release-name app.kubernetes.io/component: backend topologyKey: kubernetes.io/hostname volumes: - name: tmp emptyDir: {} - name: config configMap: name: loki items: - key: "config.yaml" path: "config.yaml" - name: runtime-config configMap: name: loki-runtime - name: sc-rules-volume emptyDir: {} volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: "10Gi" ``` --------- Signed-off-by: Nicolas Lamirault <[email protected]> Co-authored-by: Michel Hollands <[email protected]>