design-proposals: multi-target log forwarding from kubernetes-tenants

[IvanHunters]

Summary

Adds a draft design proposal for fanning out fluent-bit container logs from a kubernetes (k8s-tenant) cluster to multiple ancestor VictoriaLogs instances, on top of the implicit immediate-parent destination. The default behaviour stays bit-for-bit identical to today; the feature is opt-in via a new addons.monitoringAgents.additionalLogTargets list on the Kubernetes CR.

The proposal is complementary to (not replacing) cozystack/cozystack#2195 — that PR adds split routing for namespace-tenant monitoring-agents, this proposal adds fan-out for kubernetes-tenant monitoring-agents. Both share the underlying mechanism (additional [OUTPUT] blocks in fluent-bit config).

Depends on:

• cozystack/cozystack#2910 — adds vlinsert to the tenant egress allowlist.
• cozystack/cozystack#2912 — fixes ancestor tenant.cozystack.io/* labels on grandchild namespaces, which the egress policy relies on.

Why now

Reported by the TTK platform operations team: there is no way to view logs from a child kubernetes tenant in the root tenant's Grafana, which breaks the platform operator's incident-response workflow (forced to hop between per-tenant Grafanas). The current production workaround is a manual kubernetes-ht-monitoring-agents HelmRelease patch plus suspend: true on the parent — sustainable for a hotfix, not as a permanent state.

Reviewers

Pinging the team referenced in similar community/ PRs for visibility — open to discussion on the open questions in the body (shorthand DSL, default of ancestors, whether to centralise the multi-output rendering in the monitoring-agents chart vs. callers).

Summary by CodeRabbit

• New Features

  • Introduced optional log forwarding configuration enabling logs to be sent to multiple ancestor destinations with flexible targeting options (parent, root, ancestors, or explicit tenant names).

• Documentation

  • Added comprehensive design proposal documenting the multi-target log forwarding feature, including security considerations, upgrade and rollback behavior, edge case handling, and testing procedures.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8360288d-8a56-47b8-9462-c0737bd8929a

📥 Commits

Reviewing files that changed from the base of the PR and between abb40d0 and 154666a.

📒 Files selected for processing (1)

• design-proposals/multi-target-log-forwarding-kubernetes-tenants/README.md

---

📝 Walkthrough

Walkthrough

This PR introduces a design proposal for a multi-target log forwarding feature in Kubernetes tenant clusters. The document specifies how logs can be fan-out from a tenant's immediate parent VictoriaLogs instance to additional ancestor instances via a new optional CR field, Helm templating approach, and network policy integration.

Changes

Multi-target log forwarding feature design

Layer / File(s)	Summary
Multi-target log forwarding design proposal design-proposals/multi-target-log-forwarding-kubernetes-tenants/README.md	Complete design proposal defining the spec.addons.monitoringAgents.additionalLogTargets CR field with shorthand and explicit tenant name support, Helm chart rendering of multiple fluent-bit [OUTPUT] blocks, network policy reliance on existing tenant CCNP whitelisting, upgrade/rollback semantics, security implications, failure scenarios, testing strategy, and rollout guidance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

• [monitoring] Improve multi-tenant log isolation, dashboard scoping, and VM monitoring cozystack#2194: Modifies monitoring-agents fluent-bit configuration for log routing (per-tenant / multi-target vlinsert/vlogs outputs), directly related to this feature's implementation.

Poem

🐰 Logs shall flow in many streams,
To ancestors beyond our dreams,
A design shines bright and clear,
Fan-out forwarding, far and near! 📡✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: adding a design proposal for multi-target log forwarding from kubernetes-tenant clusters.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a design proposal for multi-target log forwarding from Kubernetes tenant clusters to ancestor VictoriaLogs instances by extending the monitoring-agents chart. The review feedback highlights two key issues in the proposed Helm template and configuration: first, the need to split resolved shorthand targets (like 'ancestors') to prevent rendering invalid host configurations, and second, updating the fluent-bit Match pattern from 'kube.' to '' to ensure all log inputs (including audit and system events) are correctly forwarded.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In Helm templates, the include function always returns a string. If a shorthand like ancestors resolves to multiple target namespaces (e.g., space-separated), include "kubernetes.resolveLogTarget" will return them as a single string. Appending this directly to $targets will result in a single list element containing multiple space-separated namespaces, which will render an invalid Host configuration (e.g., Host vlinsert-generic.tenant-root tenant-parent.svc.cozy.local).

To handle multi-target shorthands correctly, you should split the resolved string before appending it to the $targets list.

Suggested change

	{{- range .Values.addons.monitoringAgents.additionalLogTargets | default list }}
	{{- $resolved := include "kubernetes.resolveLogTarget" (dict "shorthand" . "ctx" $) }}
	{{- $targets = append $targets $resolved }}
	{{- end }}
	{{- range .Values.addons.monitoringAgents.additionalLogTargets | default list }}
	{{- $resolved := include "kubernetes.resolveLogTarget" (dict "shorthand" . "ctx" $) }}
	{{- range (splitList " " $resolved) }}
	{{- if . }}
	{{- $targets = append $targets . }}
	{{- end }}
	{{- end }}
	{{- end }}

[gemini-code-assist]

The proposal states that multiple inputs (kube container logs, audit, kubelet events) should all respect the same destination list. However, the proposed [OUTPUT] block uses Match kube.*. If audit logs or other system events use different tags (e.g., audit.*), they will not be matched by this output block and thus won't be forwarded to the additional targets. Consider using Match * or matching the exact tags used by all configured inputs.

Suggested change

	{{- range $targets }}
	[OUTPUT]
	Name http
	Match kube.*
	{{- range $targets }}
	[OUTPUT]
	Name http
	Match *