From f1a221e49de4f5cd8eae8c03544bd95be42380b7 Mon Sep 17 00:00:00 2001
From: Pete Wall <pete.wall@grafana.com>
Date: Sat, 21 Dec 2024 13:21:58 -0600
Subject: [PATCH] Fix the type of endpoint params (#1029)

Signed-off-by: Pete Wall <pete.wall@grafana.com>
---
 .../destinations/loki-values.yaml             |    4 +-
 .../destinations/otlp-values.yaml             |    4 +-
 .../destinations/prometheus-values.yaml       |    4 +-
 .../destinations/pyroscope-values.yaml        |    4 +-
 .../k8s-monitoring/docs/destinations/loki.md  |    4 +-
 .../k8s-monitoring/docs/destinations/otlp.md  |    4 +-
 .../docs/destinations/prometheus.md           |    4 +-
 .../docs/destinations/pyroscope.md            |    4 +-
 .../docs/examples/auth/oauth2/README.md       |   56 +
 .../examples/auth/oauth2/alloy-logs.alloy     |  371 ++
 .../examples/auth/oauth2/alloy-metrics.alloy  |  540 +++
 .../auth/oauth2/alloy-singleton.alloy         |  196 +
 .../docs/examples/auth/oauth2/description.txt |    3 +
 .../docs/examples/auth/oauth2/output.yaml     | 4124 +++++++++++++++++
 .../docs/examples/auth/oauth2/values.yaml     |   44 +
 .../schema-mods/types-and-enums.json          |   32 +-
 .../destinations/_destination_loki.tpl        |    2 +-
 .../destinations/_destination_otlp.tpl        |    2 +-
 .../destinations/_destination_prometheus.tpl  |    2 +-
 .../destinations/_destination_pyroscope.tpl   |    2 +-
 charts/k8s-monitoring/values.schema.json      |   52 +
 21 files changed, 5434 insertions(+), 24 deletions(-)
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/README.md
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-logs.alloy
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-metrics.alloy
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-singleton.alloy
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/description.txt
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/output.yaml
 create mode 100644 charts/k8s-monitoring/docs/examples/auth/oauth2/values.yaml

diff --git a/charts/k8s-monitoring/destinations/loki-values.yaml b/charts/k8s-monitoring/destinations/loki-values.yaml
index 6df6771be..117304381 100644
--- a/charts/k8s-monitoring/destinations/loki-values.yaml
+++ b/charts/k8s-monitoring/destinations/loki-values.yaml
@@ -94,7 +94,7 @@ auth:
     # -- Raw config for accessing the client ID
     # @section -- Authentication - OAuth2
     clientIdFrom: ""
-    # -- Prometheus OAuth2 client secret
+    # -- OAuth2 client secret
     # @section -- Authentication - OAuth2
     clientSecret: ""
     # -- The key for the client secret property in the secret
@@ -106,7 +106,7 @@ auth:
     # -- File containing the OAuth2 client secret.
     # @section -- Authentication - OAuth2
     clientSecretFile: ""
-    # -- Prometheus OAuth2 endpoint parameters
+    # -- OAuth2 endpoint parameters
     # @section -- Authentication - OAuth2
     endpointParams: {}
     # -- HTTP proxy to send requests through.
diff --git a/charts/k8s-monitoring/destinations/otlp-values.yaml b/charts/k8s-monitoring/destinations/otlp-values.yaml
index 382efef79..32e9ca131 100644
--- a/charts/k8s-monitoring/destinations/otlp-values.yaml
+++ b/charts/k8s-monitoring/destinations/otlp-values.yaml
@@ -104,7 +104,7 @@ auth:
     # -- Raw config for accessing the client ID
     # @section -- Authentication - OAuth2
     clientIdFrom: ""
-    # -- Prometheus OAuth2 client secret
+    # -- OAuth2 client secret
     # @section -- Authentication - OAuth2
     clientSecret: ""
     # -- The key for the client secret property in the secret
@@ -116,7 +116,7 @@ auth:
     # -- File containing the OAuth2 client secret.
     # @section -- Authentication - OAuth2
     clientSecretFile: ""
-    # -- Prometheus OAuth2 endpoint parameters
+    # -- OAuth2 endpoint parameters
     # @section -- Authentication - OAuth2
     endpointParams: {}
     # -- HTTP proxy to send requests through.
diff --git a/charts/k8s-monitoring/destinations/prometheus-values.yaml b/charts/k8s-monitoring/destinations/prometheus-values.yaml
index 76a5e7ce7..58fd30e71 100644
--- a/charts/k8s-monitoring/destinations/prometheus-values.yaml
+++ b/charts/k8s-monitoring/destinations/prometheus-values.yaml
@@ -103,7 +103,7 @@ auth:
     # -- Raw config for accessing the client ID
     # @section -- Authentication - OAuth2
     clientIdFrom: ""
-    # -- Prometheus OAuth2 client secret
+    # -- OAuth2 client secret
     # @section -- Authentication - OAuth2
     clientSecret: ""
     # -- The key for the client secret property in the secret
@@ -115,7 +115,7 @@ auth:
     # -- File containing the OAuth2 client secret.
     # @section -- Authentication - OAuth2
     clientSecretFile: ""
-    # -- Prometheus OAuth2 endpoint parameters
+    # -- OAuth2 endpoint parameters
     # @section -- Authentication - OAuth2
     endpointParams: {}
     # -- HTTP proxy to send requests through.
diff --git a/charts/k8s-monitoring/destinations/pyroscope-values.yaml b/charts/k8s-monitoring/destinations/pyroscope-values.yaml
index 900ff207e..376893aa2 100644
--- a/charts/k8s-monitoring/destinations/pyroscope-values.yaml
+++ b/charts/k8s-monitoring/destinations/pyroscope-values.yaml
@@ -82,7 +82,7 @@ auth:
     # -- Raw config for accessing the client ID
     # @section -- Authentication - OAuth2
     clientIdFrom: ""
-    # -- Prometheus OAuth2 client secret
+    # -- OAuth2 client secret
     # @section -- Authentication - OAuth2
     clientSecret: ""
     # -- The key for the client secret property in the secret
@@ -94,7 +94,7 @@ auth:
     # -- File containing the OAuth2 client secret.
     # @section -- Authentication - OAuth2
     clientSecretFile: ""
-    # -- Prometheus OAuth2 endpoint parameters
+    # -- OAuth2 endpoint parameters
     # @section -- Authentication - OAuth2
     endpointParams: {}
     # -- HTTP proxy to send requests through.
diff --git a/charts/k8s-monitoring/docs/destinations/loki.md b/charts/k8s-monitoring/docs/destinations/loki.md
index a7dc3d607..9d54d19ea 100644
--- a/charts/k8s-monitoring/docs/destinations/loki.md
+++ b/charts/k8s-monitoring/docs/destinations/loki.md
@@ -20,11 +20,11 @@ This defines the options for defining a destination for logs that use the Loki p
 | auth.oauth2.clientId | string | `""` | OAuth2 client ID |
 | auth.oauth2.clientIdFrom | string | `""` | Raw config for accessing the client ID |
 | auth.oauth2.clientIdKey | string | `"clientId"` | The key for the client ID property in the secret |
-| auth.oauth2.clientSecret | string | `""` | Prometheus OAuth2 client secret |
+| auth.oauth2.clientSecret | string | `""` | OAuth2 client secret |
 | auth.oauth2.clientSecretFile | string | `""` | File containing the OAuth2 client secret. |
 | auth.oauth2.clientSecretFrom | string | `""` | Raw config for accessing the client secret |
 | auth.oauth2.clientSecretKey | string | `"clientSecret"` | The key for the client secret property in the secret |
-| auth.oauth2.endpointParams | object | `{}` | Prometheus OAuth2 endpoint parameters |
+| auth.oauth2.endpointParams | object | `{}` | OAuth2 endpoint parameters |
 | auth.oauth2.noProxy | string | `""` | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |
 | auth.oauth2.proxyConnectHeader | object | `{}` | Specifies headers to send to proxies during CONNECT requests. |
 | auth.oauth2.proxyFromEnvironment | bool | `false` | Use the proxy URL indicated by environment variables. |
diff --git a/charts/k8s-monitoring/docs/destinations/otlp.md b/charts/k8s-monitoring/docs/destinations/otlp.md
index 5285af6ae..331942d71 100644
--- a/charts/k8s-monitoring/docs/destinations/otlp.md
+++ b/charts/k8s-monitoring/docs/destinations/otlp.md
@@ -20,11 +20,11 @@ This defines the options for defining a destination for OpenTelemetry data that
 | auth.oauth2.clientId | string | `""` | OAuth2 client ID |
 | auth.oauth2.clientIdFrom | string | `""` | Raw config for accessing the client ID |
 | auth.oauth2.clientIdKey | string | `"clientId"` | The key for the client ID property in the secret |
-| auth.oauth2.clientSecret | string | `""` | Prometheus OAuth2 client secret |
+| auth.oauth2.clientSecret | string | `""` | OAuth2 client secret |
 | auth.oauth2.clientSecretFile | string | `""` | File containing the OAuth2 client secret. |
 | auth.oauth2.clientSecretFrom | string | `""` | Raw config for accessing the client secret |
 | auth.oauth2.clientSecretKey | string | `"clientSecret"` | The key for the client secret property in the secret |
-| auth.oauth2.endpointParams | object | `{}` | Prometheus OAuth2 endpoint parameters |
+| auth.oauth2.endpointParams | object | `{}` | OAuth2 endpoint parameters |
 | auth.oauth2.noProxy | string | `""` | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |
 | auth.oauth2.proxyConnectHeader | object | `{}` | Specifies headers to send to proxies during CONNECT requests. |
 | auth.oauth2.proxyFromEnvironment | bool | `false` | Use the proxy URL indicated by environment variables. |
diff --git a/charts/k8s-monitoring/docs/destinations/prometheus.md b/charts/k8s-monitoring/docs/destinations/prometheus.md
index 25e9c8d3b..8e9a7363b 100644
--- a/charts/k8s-monitoring/docs/destinations/prometheus.md
+++ b/charts/k8s-monitoring/docs/destinations/prometheus.md
@@ -20,11 +20,11 @@ This defines the options for defining a destination for metrics that use the Pro
 | auth.oauth2.clientId | string | `""` | OAuth2 client ID |
 | auth.oauth2.clientIdFrom | string | `""` | Raw config for accessing the client ID |
 | auth.oauth2.clientIdKey | string | `"clientId"` | The key for the client ID property in the secret |
-| auth.oauth2.clientSecret | string | `""` | Prometheus OAuth2 client secret |
+| auth.oauth2.clientSecret | string | `""` | OAuth2 client secret |
 | auth.oauth2.clientSecretFile | string | `""` | File containing the OAuth2 client secret. |
 | auth.oauth2.clientSecretFrom | string | `""` | Raw config for accessing the client secret |
 | auth.oauth2.clientSecretKey | string | `"clientSecret"` | The key for the client secret property in the secret |
-| auth.oauth2.endpointParams | object | `{}` | Prometheus OAuth2 endpoint parameters |
+| auth.oauth2.endpointParams | object | `{}` | OAuth2 endpoint parameters |
 | auth.oauth2.noProxy | string | `""` | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |
 | auth.oauth2.proxyConnectHeader | object | `{}` | Specifies headers to send to proxies during CONNECT requests. |
 | auth.oauth2.proxyFromEnvironment | bool | `false` | Use the proxy URL indicated by environment variables. |
diff --git a/charts/k8s-monitoring/docs/destinations/pyroscope.md b/charts/k8s-monitoring/docs/destinations/pyroscope.md
index 15c6c0955..861f426ee 100644
--- a/charts/k8s-monitoring/docs/destinations/pyroscope.md
+++ b/charts/k8s-monitoring/docs/destinations/pyroscope.md
@@ -19,11 +19,11 @@ This defines the options for defining a destination for profiles that use the Py
 | auth.oauth2.clientId | string | `""` | OAuth2 client ID |
 | auth.oauth2.clientIdFrom | string | `""` | Raw config for accessing the client ID |
 | auth.oauth2.clientIdKey | string | `"clientId"` | The key for the client ID property in the secret |
-| auth.oauth2.clientSecret | string | `""` | Prometheus OAuth2 client secret |
+| auth.oauth2.clientSecret | string | `""` | OAuth2 client secret |
 | auth.oauth2.clientSecretFile | string | `""` | File containing the OAuth2 client secret. |
 | auth.oauth2.clientSecretFrom | string | `""` | Raw config for accessing the client secret |
 | auth.oauth2.clientSecretKey | string | `"clientSecret"` | The key for the client secret property in the secret |
-| auth.oauth2.endpointParams | object | `{}` | Prometheus OAuth2 endpoint parameters |
+| auth.oauth2.endpointParams | object | `{}` | OAuth2 endpoint parameters |
 | auth.oauth2.noProxy | string | `""` | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |
 | auth.oauth2.proxyConnectHeader | object | `{}` | Specifies headers to send to proxies during CONNECT requests. |
 | auth.oauth2.proxyFromEnvironment | bool | `false` | Use the proxy URL indicated by environment variables. |
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/README.md b/charts/k8s-monitoring/docs/examples/auth/oauth2/README.md
new file mode 100644
index 000000000..eaecc075e
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/README.md
@@ -0,0 +1,56 @@
+<!--
+(NOTE: Do not edit README.md directly. It is a generated file!)
+(      To make changes, please modify values.yaml or description.txt and run `make examples`)
+-->
+# OAuth2 Authentication
+
+This example demonstrates how to use OAuth2 for authentication.
+
+## Values
+
+```yaml
+cluster:
+  name: oauth2-auth-example
+
+destinations:
+  - name: otel-endpoint
+    type: otlp
+    url: "grpc.my.otel.endpoint:443"
+    auth:
+      type: oauth2
+      oauth2:
+        tokenURL: "https://my.idp/application/o/token/"
+        clientId: "my-client-id"
+        clientSecretFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+        endpointParams:
+          grant_type: ["client_credentials"]
+          client_assertion_type: ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"]
+    logs: {enabled: true}
+    metrics: {enabled: true}
+    traces: {enabled: true}
+
+clusterMetrics:
+  enabled: true
+
+clusterEvents:
+  enabled: true
+
+podLogs:
+  enabled: true
+
+nodeLogs:
+  enabled: true
+
+prometheusOperatorObjects:
+  enabled: true
+
+annotationAutodiscovery:
+  enabled: true
+
+alloy-logs:
+  enabled: true
+alloy-metrics:
+  enabled: true
+alloy-singleton:
+  enabled: true
+```
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-logs.alloy b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-logs.alloy
new file mode 100644
index 000000000..601322651
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-logs.alloy
@@ -0,0 +1,371 @@
+// Destination: otel-endpoint (otlp)
+otelcol.receiver.prometheus "otel_endpoint" {
+  output {
+    metrics = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.receiver.loki "otel_endpoint" {
+  output {
+    logs = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.auth.oauth2 "otel_endpoint" {
+  client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+  client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+  endpoint_params = {
+    client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+    grant_type = ["client_credentials"],
+  }
+  token_url = "https://my.idp/application/o/token/"
+}
+
+otelcol.processor.attributes "otel_endpoint" {
+  action {
+    key = "cluster"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  action {
+    key = "k8s.cluster.name"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  output {
+    metrics = [otelcol.processor.transform.otel_endpoint.input]
+    logs = [otelcol.processor.transform.otel_endpoint.input]
+    traces = [otelcol.processor.transform.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.transform "otel_endpoint" {
+  error_mode = "ignore"
+
+  output {
+    metrics = [otelcol.processor.batch.otel_endpoint.input]
+    logs = [otelcol.processor.batch.otel_endpoint.input]
+    traces = [otelcol.processor.batch.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.batch "otel_endpoint" {
+  timeout = "2s"
+  send_batch_size = 8192
+  send_batch_max_size = 0
+
+  output {
+    metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+    logs = [otelcol.exporter.otlp.otel_endpoint.input]
+    traces = [otelcol.exporter.otlp.otel_endpoint.input]
+  }
+}
+otelcol.exporter.otlp "otel_endpoint" {
+  client {
+    endpoint = "grpc.my.otel.endpoint:443"
+    auth = otelcol.auth.oauth2.otel_endpoint.handler
+    tls {
+      insecure = false
+      insecure_skip_verify = false
+    }
+  }
+}
+
+remote.kubernetes.secret "otel_endpoint" {
+  name      = "otel-endpoint-k8smon-k8s-monitoring"
+  namespace = "default"
+}
+
+// Feature: Node Logs
+declare "node_logs" {
+  argument "logs_destinations" {
+    comment = "Must be a list of log destinations where collected logs should be forwarded to"
+  }
+
+  loki.relabel "journal" {
+
+    // copy all journal labels and make the available to the pipeline stages as labels, there is a label
+    // keep defined to filter out unwanted labels, these pipeline labels can be set as structured metadata
+    // as well, the following labels are available:
+    // - boot_id
+    // - cap_effective
+    // - cmdline
+    // - comm
+    // - exe
+    // - gid
+    // - hostname
+    // - machine_id
+    // - pid
+    // - stream_id
+    // - systemd_cgroup
+    // - systemd_invocation_id
+    // - systemd_slice
+    // - systemd_unit
+    // - transport
+    // - uid
+    //
+    // More Info: https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+    rule {
+      action = "labelmap"
+      regex = "__journal__(.+)"
+    }
+
+    rule {
+      action = "replace"
+      source_labels = ["__journal__systemd_unit"]
+      replacement = "$1"
+      target_label = "unit"
+    }
+
+    // the service_name label will be set automatically in loki if not set, and the unit label
+    // will not allow service_name to be set automatically.
+    rule {
+      action = "replace"
+      source_labels = ["__journal__systemd_unit"]
+      replacement = "$1"
+      target_label = "service_name"
+    }
+
+    forward_to = [] // No forward_to is used in this component, the defined rules are used in the loki.source.journal component
+  }
+
+  loki.source.journal "worker" {
+    path = "/var/log/journal"
+    format_as_json = false
+    max_age = "8h"
+    relabel_rules = loki.relabel.journal.rules
+    labels = {
+      job = "integrations/kubernetes/journal",
+      instance = sys.env("HOSTNAME"),
+    }
+    forward_to = [loki.process.journal_logs.receiver]
+  }
+
+  loki.process "journal_logs" {
+    stage.static_labels {
+      values = {
+        // add a static source label to the logs so they can be differentiated / restricted if necessary
+        "source" = "journal",
+        // default level to unknown
+        level = "unknown",
+      }
+    }
+
+    // Attempt to determine the log level, most k8s workers are either in logfmt or klog formats
+    // check to see if the log line matches the klog format (https://github.com/kubernetes/klog)
+    stage.match {
+      // unescaped regex: ([IWED][0-9]{4}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+)
+      selector = "{level=\"unknown\"} |~ \"([IWED][0-9]{4}\\\\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\\\\.[0-9]+)\""
+
+      // extract log level, klog uses a single letter code for the level followed by the month and day i.e. I0119
+      stage.regex {
+        expression = "((?P<level>[A-Z])[0-9])"
+      }
+
+      // if the extracted level is I set INFO
+      stage.replace {
+        source = "level"
+        expression = "(I)"
+        replace = "INFO"
+      }
+
+      // if the extracted level is W set WARN
+      stage.replace {
+        source = "level"
+        expression = "(W)"
+        replace = "WARN"
+      }
+
+      // if the extracted level is E set ERROR
+      stage.replace {
+        source = "level"
+        expression = "(E)"
+        replace = "ERROR"
+      }
+
+      // if the extracted level is I set INFO
+      stage.replace {
+        source = "level"
+        expression = "(D)"
+        replace = "DEBUG"
+      }
+
+      // set the extracted level to be a label
+      stage.labels {
+        values = {
+          level = "",
+        }
+      }
+    }
+
+    // if the level is still unknown, do one last attempt at detecting it based on common levels
+    stage.match {
+      selector = "{level=\"unknown\"}"
+
+      // unescaped regex: (?i)(?:"(?:level|loglevel|levelname|lvl|levelText|SeverityText)":\s*"|\s*(?:level|loglevel|levelText|lvl)="?|\s+\[?)(?P<level>(DEBUG?|DBG|INFO?(RMATION)?|WA?RN(ING)?|ERR(OR)?|CRI?T(ICAL)?|FATAL|FTL|NOTICE|TRACE|TRC|PANIC|PNC|ALERT|EMERGENCY))("|\s+|-|\s*\])
+      stage.regex {
+        expression = "(?i)(?:\"(?:level|loglevel|levelname|lvl|levelText|SeverityText)\":\\s*\"|\\s*(?:level|loglevel|levelText|lvl)=\"?|\\s+\\[?)(?P<level>(DEBUG?|DBG|INFO?(RMATION)?|WA?RN(ING)?|ERR(OR)?|CRI?T(ICAL)?|FATAL|FTL|NOTICE|TRACE|TRC|PANIC|PNC|ALERT|EMERGENCY))(\"|\\s+|-|\\s*\\])"
+      }
+
+      // set the extracted level to be a label
+      stage.labels {
+        values = {
+          level = "",
+        }
+      }
+    }
+
+    // Only keep the labels that are defined in the `keepLabels` list.
+    stage.label_keep {
+      values = ["instance","job","level","name","unit","service_name","source"]
+    }
+
+    forward_to = argument.logs_destinations.value
+  }
+}
+node_logs "feature" {
+  logs_destinations = [
+    otelcol.receiver.loki.otel_endpoint.receiver,
+  ]
+}
+
+// Feature: Pod Logs
+declare "pod_logs" {
+  argument "logs_destinations" {
+    comment = "Must be a list of log destinations where collected logs should be forwarded to"
+  }
+  
+  discovery.relabel "filtered_pods" {
+    targets = discovery.kubernetes.pods.targets
+    rule {
+      source_labels = ["__meta_kubernetes_namespace"]
+      action = "replace"
+      target_label = "namespace"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_name"]
+      action = "replace"
+      target_label = "pod"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_container_name"]
+      action = "replace"
+      target_label = "container"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
+      separator = "/"
+      action = "replace"
+      replacement = "$1"
+      target_label = "job"
+    }
+  
+    // set the container runtime as a label
+    rule {
+      action = "replace"
+      source_labels = ["__meta_kubernetes_pod_container_id"]
+      regex = "^(\\S+):\\/\\/.+$"
+      replacement = "$1"
+      target_label = "tmp_container_runtime"
+    }
+  
+    // set the job label from the k8s.grafana.com/logs.job annotation if it exists
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_logs_job"]
+      regex = "(.+)"
+      target_label = "job"
+    }
+  
+    // make all labels on the pod available to the pipeline as labels,
+    // they are omitted before write to loki via stage.label_keep unless explicitly set
+    rule {
+      action = "labelmap"
+      regex = "__meta_kubernetes_pod_label_(.+)"
+    }
+  
+    // make all annotations on the pod available to the pipeline as labels,
+    // they are omitted before write to loki via stage.label_keep unless explicitly set
+    rule {
+      action = "labelmap"
+      regex = "__meta_kubernetes_pod_annotation_(.+)"
+    }
+  }
+  
+  discovery.kubernetes "pods" {
+    role = "pod"
+    selectors {
+      role = "pod"
+      field = "spec.nodeName=" + sys.env("HOSTNAME")
+    }
+  }
+  
+  discovery.relabel "filtered_pods_with_paths" {
+    targets = discovery.relabel.filtered_pods.output
+  
+    rule {
+      source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+      separator = "/"
+      action = "replace"
+      replacement = "/var/log/pods/*$1/*.log"
+      target_label = "__path__"
+    }
+  }
+  
+  local.file_match "pod_logs" {
+    path_targets = discovery.relabel.filtered_pods_with_paths.output
+  }
+  
+  loki.source.file "pod_logs" {
+    targets    = local.file_match.pod_logs.targets
+    forward_to = [loki.process.pod_logs.receiver]
+  }
+  
+  loki.process "pod_logs" {
+    stage.match {
+      selector = "{tmp_container_runtime=~\"containerd|cri-o\"}"
+      // the cri processing stage extracts the following k/v pairs: log, stream, time, flags
+      stage.cri {}
+  
+      // Set the extract flags and stream values as labels
+      stage.labels {
+        values = {
+          flags  = "",
+          stream  = "",
+        }
+      }
+    }
+  
+    stage.match {
+      selector = "{tmp_container_runtime=\"docker\"}"
+      // the docker processing stage extracts the following k/v pairs: log, stream, time
+      stage.docker {}
+  
+      // Set the extract stream value as a label
+      stage.labels {
+        values = {
+          stream  = "",
+        }
+      }
+    }
+  
+    // Drop the filename label, since it's not really useful in the context of Kubernetes, where we already have cluster,
+    // namespace, pod, and container labels. Drop any structured metadata. Also drop the temporary
+    // container runtime label as it is no longer needed.
+    stage.label_drop {
+      values = [
+        "filename",
+        "tmp_container_runtime",
+      ]
+    }
+  
+    // Only keep the labels that are defined in the `keepLabels` list.
+    stage.label_keep {
+      values = ["app_kubernetes_io_name","container","instance","job","level","namespace","pod","service_name"]
+    }
+  
+    forward_to = argument.logs_destinations.value
+  }
+}
+pod_logs "feature" {
+  logs_destinations = [
+    otelcol.receiver.loki.otel_endpoint.receiver,
+  ]
+}
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-metrics.alloy b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-metrics.alloy
new file mode 100644
index 000000000..e9efc2b78
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-metrics.alloy
@@ -0,0 +1,540 @@
+// Destination: otel-endpoint (otlp)
+otelcol.receiver.prometheus "otel_endpoint" {
+  output {
+    metrics = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.receiver.loki "otel_endpoint" {
+  output {
+    logs = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.auth.oauth2 "otel_endpoint" {
+  client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+  client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+  endpoint_params = {
+    client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+    grant_type = ["client_credentials"],
+  }
+  token_url = "https://my.idp/application/o/token/"
+}
+
+otelcol.processor.attributes "otel_endpoint" {
+  action {
+    key = "cluster"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  action {
+    key = "k8s.cluster.name"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  output {
+    metrics = [otelcol.processor.transform.otel_endpoint.input]
+    logs = [otelcol.processor.transform.otel_endpoint.input]
+    traces = [otelcol.processor.transform.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.transform "otel_endpoint" {
+  error_mode = "ignore"
+
+  output {
+    metrics = [otelcol.processor.batch.otel_endpoint.input]
+    logs = [otelcol.processor.batch.otel_endpoint.input]
+    traces = [otelcol.processor.batch.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.batch "otel_endpoint" {
+  timeout = "2s"
+  send_batch_size = 8192
+  send_batch_max_size = 0
+
+  output {
+    metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+    logs = [otelcol.exporter.otlp.otel_endpoint.input]
+    traces = [otelcol.exporter.otlp.otel_endpoint.input]
+  }
+}
+otelcol.exporter.otlp "otel_endpoint" {
+  client {
+    endpoint = "grpc.my.otel.endpoint:443"
+    auth = otelcol.auth.oauth2.otel_endpoint.handler
+    tls {
+      insecure = false
+      insecure_skip_verify = false
+    }
+  }
+}
+
+remote.kubernetes.secret "otel_endpoint" {
+  name      = "otel-endpoint-k8smon-k8s-monitoring"
+  namespace = "default"
+}
+
+// Feature: Annotation Autodiscovery
+declare "annotation_autodiscovery" {
+  argument "metrics_destinations" {
+    comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+  }
+
+  discovery.kubernetes "pods" {
+    role = "pod"
+  }
+
+  discovery.relabel "annotation_autodiscovery_pods" {
+    targets = discovery.kubernetes.pods.targets
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_scrape"]
+      regex = "true"
+      action = "keep"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_job"]
+      action = "replace"
+      target_label = "job"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_instance"]
+      action = "replace"
+      target_label = "instance"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_path"]
+      action = "replace"
+      target_label = "__metrics_path__"
+    }
+
+    // Choose the pod port
+    // The discovery generates a target for each declared container port of the pod.
+    // If the metricsPortName annotation has value, keep only the target where the port name matches the one of the annotation.
+    rule {
+      source_labels = ["__meta_kubernetes_pod_container_port_name"]
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portName"]
+      regex = "(.+)"
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_container_port_name"]
+      action = "keepequal"
+      target_label = "__tmp_port"
+    }
+
+    // If the metrics port number annotation has a value, override the target address to use it, regardless whether it is
+    // one of the declared ports on that Pod.
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portNumber", "__meta_kubernetes_pod_ip"]
+      regex = "(\\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})"
+      replacement = "[$2]:$1" // IPv6
+      target_label = "__address__"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portNumber", "__meta_kubernetes_pod_ip"]
+      regex = "(\\d+);((([0-9]+?)(\\.|$)){4})" // IPv4, takes priority over IPv6 when both exists
+      replacement = "$2:$1"
+      target_label = "__address__"
+    }
+
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_scheme"]
+      action = "replace"
+      target_label = "__scheme__"
+    }
+
+    rule {
+      source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_scrapeInterval"]
+      action = "replace"
+      target_label = "__scrape_interval__"
+    }
+  }
+
+  discovery.kubernetes "services" {
+    role = "service"
+  }
+
+  discovery.relabel "annotation_autodiscovery_services" {
+    targets = discovery.kubernetes.services.targets
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_scrape"]
+      regex = "true"
+      action = "keep"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_job"]
+      action = "replace"
+      target_label = "job"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_instance"]
+      action = "replace"
+      target_label = "instance"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_path"]
+      action = "replace"
+      target_label = "__metrics_path__"
+    }
+
+    // Choose the service port
+    rule {
+      source_labels = ["__meta_kubernetes_service_port_name"]
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_portName"]
+      regex = "(.+)"
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_port_name"]
+      action = "keepequal"
+      target_label = "__tmp_port"
+    }
+
+    rule {
+      source_labels = ["__meta_kubernetes_service_port_number"]
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_portNumber"]
+      regex = "(.+)"
+      target_label = "__tmp_port"
+    }
+    rule {
+      source_labels = ["__meta_kubernetes_service_port_number"]
+      action = "keepequal"
+      target_label = "__tmp_port"
+    }
+
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_scheme"]
+      action = "replace"
+      target_label = "__scheme__"
+    }
+
+    rule {
+      source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_scrapeInterval"]
+      action = "replace"
+      target_label = "__scrape_interval__"
+    }
+  }
+
+  discovery.relabel "annotation_autodiscovery_http" {
+    targets = concat(discovery.relabel.annotation_autodiscovery_pods.output, discovery.relabel.annotation_autodiscovery_services.output)
+    rule {
+      source_labels = ["__scheme__"]
+      regex = "https"
+      action = "drop"
+    }
+  }
+
+  discovery.relabel "annotation_autodiscovery_https" {
+    targets = concat(discovery.relabel.annotation_autodiscovery_pods.output, discovery.relabel.annotation_autodiscovery_services.output)
+    rule {
+      source_labels = ["__scheme__"]
+      regex = "https"
+      action = "keep"
+    }
+  }
+
+  prometheus.scrape "annotation_autodiscovery_http" {
+    targets = discovery.relabel.annotation_autodiscovery_http.output
+    scrape_interval = "60s"
+    honor_labels = true
+    bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    clustering {
+      enabled = true
+    }
+
+    forward_to = argument.metrics_destinations.value
+  }
+
+  prometheus.scrape "annotation_autodiscovery_https" {
+    targets = discovery.relabel.annotation_autodiscovery_https.output
+    scrape_interval = "60s"
+    honor_labels = true
+    bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    tls_config {
+      insecure_skip_verify = true
+    }
+    clustering {
+      enabled = true
+    }
+
+    forward_to = argument.metrics_destinations.value
+  }
+}
+annotation_autodiscovery "feature" {
+  metrics_destinations = [
+    otelcol.receiver.prometheus.otel_endpoint.receiver,
+  ]
+}
+
+// Feature: Cluster Metrics
+declare "cluster_metrics" {
+  argument "metrics_destinations" {
+    comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+  }
+  
+  remote.kubernetes.configmap "kubernetes" {
+    name = "k8smon-alloy-module-kubernetes"
+    namespace = "default"
+  }
+  
+  import.string "kubernetes" {
+    content = remote.kubernetes.configmap.kubernetes.data["core_metrics.alloy"]
+  }  
+  
+  kubernetes.kubelet "scrape" {
+    clustering = true
+    keep_metrics = "up|container_cpu_usage_seconds_total|kubelet_certificate_manager_client_expiration_renew_errors|kubelet_certificate_manager_client_ttl_seconds|kubelet_certificate_manager_server_ttl_seconds|kubelet_cgroup_manager_duration_seconds_bucket|kubelet_cgroup_manager_duration_seconds_count|kubelet_node_config_error|kubelet_node_name|kubelet_pleg_relist_duration_seconds_bucket|kubelet_pleg_relist_duration_seconds_count|kubelet_pleg_relist_interval_seconds_bucket|kubelet_pod_start_duration_seconds_bucket|kubelet_pod_start_duration_seconds_count|kubelet_pod_worker_duration_seconds_bucket|kubelet_pod_worker_duration_seconds_count|kubelet_running_container_count|kubelet_running_containers|kubelet_running_pod_count|kubelet_running_pods|kubelet_runtime_operations_errors_total|kubelet_runtime_operations_total|kubelet_server_expiration_renew_errors|kubelet_volume_stats_available_bytes|kubelet_volume_stats_capacity_bytes|kubelet_volume_stats_inodes|kubelet_volume_stats_inodes_used|kubernetes_build_info|namespace_workload_pod|rest_client_requests_total|storage_operation_duration_seconds_count|storage_operation_errors_total|volume_manager_total_volumes"
+    scrape_interval = "60s"
+    max_cache_size = 100000
+    forward_to = argument.metrics_destinations.value
+  }  
+  
+  kubernetes.resources "scrape" {
+    clustering = true
+    job_label = "integrations/kubernetes/resources"
+    keep_metrics = "up|node_cpu_usage_seconds_total|node_memory_working_set_bytes"
+    scrape_interval = "60s"
+    max_cache_size = 100000
+    forward_to = argument.metrics_destinations.value
+  }  
+  
+  kubernetes.cadvisor "scrape" {
+    clustering = true
+    keep_metrics = "up|container_cpu_cfs_periods_total|container_cpu_cfs_throttled_periods_total|container_cpu_usage_seconds_total|container_fs_reads_bytes_total|container_fs_reads_total|container_fs_writes_bytes_total|container_fs_writes_total|container_memory_cache|container_memory_rss|container_memory_swap|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_receive_packets_dropped_total|container_network_receive_packets_total|container_network_transmit_bytes_total|container_network_transmit_packets_dropped_total|container_network_transmit_packets_total|machine_memory_bytes"
+    scrape_interval = "60s"
+    max_cache_size = 100000
+    forward_to = [prometheus.relabel.cadvisor.receiver]
+  }
+  
+  prometheus.relabel "cadvisor" {
+    max_cache_size = 100000
+    // Drop empty container labels, addressing https://github.com/google/cadvisor/issues/2688
+    rule {
+      source_labels = ["__name__","container"]
+      separator = "@"
+      regex = "(container_cpu_.*|container_fs_.*|container_memory_.*)@"
+      action = "drop"
+    }
+    // Drop empty image labels, addressing https://github.com/google/cadvisor/issues/2688
+    rule {
+      source_labels = ["__name__","image"]
+      separator = "@"
+      regex = "(container_cpu_.*|container_fs_.*|container_memory_.*|container_network_.*)@"
+      action = "drop"
+    }
+    // Normalizing unimportant labels (not deleting to continue satisfying <label>!="" checks)
+    rule {
+      source_labels = ["__name__", "boot_id"]
+      separator = "@"
+      regex = "machine_memory_bytes@.*"
+      target_label = "boot_id"
+      replacement = "NA"
+    }
+    rule {
+      source_labels = ["__name__", "system_uuid"]
+      separator = "@"
+      regex = "machine_memory_bytes@.*"
+      target_label = "system_uuid"
+      replacement = "NA"
+    }
+    // Filter out non-physical devices/interfaces
+    rule {
+      source_labels = ["__name__", "device"]
+      separator = "@"
+      regex = "container_fs_.*@(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dasd.+)"
+      target_label = "__keepme"
+      replacement = "1"
+    }
+    rule {
+      source_labels = ["__name__", "__keepme"]
+      separator = "@"
+      regex = "container_fs_.*@"
+      action = "drop"
+    }
+    rule {
+      source_labels = ["__name__"]
+      regex = "container_fs_.*"
+      target_label = "__keepme"
+      replacement = ""
+    }
+    rule {
+      source_labels = ["__name__", "interface"]
+      separator = "@"
+      regex = "container_network_.*@(en[ospx][0-9].*|wlan[0-9].*|eth[0-9].*)"
+      target_label = "__keepme"
+      replacement = "1"
+    }
+    rule {
+      source_labels = ["__name__", "__keepme"]
+      separator = "@"
+      regex = "container_network_.*@"
+      action = "drop"
+    }
+    rule {
+      source_labels = ["__name__"]
+      regex = "container_network_.*"
+      target_label = "__keepme"
+      replacement = ""
+    }
+    forward_to = argument.metrics_destinations.value
+  }            
+  
+  remote.kubernetes.configmap "kube_state_metrics" {
+    name = "k8smon-alloy-module-kubernetes"
+    namespace = "default"
+  }
+  
+  import.string "kube_state_metrics" {
+    content = remote.kubernetes.configmap.kube_state_metrics.data["kube-state-metrics_metrics.alloy"]
+  }
+  
+  kube_state_metrics.kubernetes "targets" {
+    label_selectors = [
+      "app.kubernetes.io/name=kube-state-metrics",
+      "release=k8smon",
+    ]
+  }
+  
+  kube_state_metrics.scrape "metrics" {
+    targets = kube_state_metrics.kubernetes.targets.output
+    clustering = true
+    keep_metrics = "up|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_statefulset.*"
+    scrape_interval = "60s"
+    max_cache_size = 100000
+    forward_to = argument.metrics_destinations.value
+  }  
+  
+  remote.kubernetes.configmap "node_exporter" {
+    name = "k8smon-alloy-module-system"
+    namespace = "default"
+  }
+  
+  import.string "node_exporter" {
+    content = remote.kubernetes.configmap.node_exporter.data["node-exporter_metrics.alloy"]
+  }
+  
+  node_exporter.kubernetes "targets" {
+    label_selectors = [
+      "app.kubernetes.io/name=node-exporter",
+      "release=k8smon",
+    ]
+  }
+  
+  discovery.relabel "node_exporter" {
+    targets = node_exporter.kubernetes.targets.output
+    rule {
+      source_labels = ["__meta_kubernetes_pod_node_name"]
+      action = "replace"
+      target_label = "instance"
+    }
+  }
+  
+  node_exporter.scrape "metrics" {
+    targets = discovery.relabel.node_exporter.output
+    job_label = "integrations/node_exporter"
+    clustering = true
+    keep_metrics = "up|node_cpu.*|node_exporter_build_info|node_filesystem.*|node_memory.*|node_network_receive_bytes_total|node_network_receive_drop_total|node_network_transmit_bytes_total|node_network_transmit_drop_total|process_cpu_seconds_total|process_resident_memory_bytes"
+    scrape_interval = "60s"
+    max_cache_size = 100000
+    forward_to = argument.metrics_destinations.value
+  }  
+  
+  discovery.kubernetes "windows_exporter_pods" {
+    role = "pod"
+    namespaces {
+      names = ["default"]
+    }
+    selectors {
+      role = "pod"
+      label = "app.kubernetes.io/name=windows-exporter,release=k8smon"
+    }
+  }
+  
+  discovery.relabel "windows_exporter" {
+    targets = discovery.kubernetes.windows_exporter_pods.targets
+    rule {
+      source_labels = ["__meta_kubernetes_pod_node_name"]
+      action = "replace"
+      target_label = "instance"
+    }
+  }
+  
+  prometheus.scrape "windows_exporter" {
+    job_name   = "integrations/windows-exporter"
+    targets  = discovery.relabel.windows_exporter.output
+    scrape_interval = "60s"
+    clustering {
+      enabled = true
+    }
+    forward_to = [prometheus.relabel.windows_exporter.receiver]
+  }
+  
+  prometheus.relabel "windows_exporter" {
+    max_cache_size = 100000
+    rule {
+      source_labels = ["__name__"]
+      regex = "up|windows_.*|node_cpu_seconds_total|node_filesystem_size_bytes|node_filesystem_avail_bytes|container_cpu_usage_seconds_total"
+      action = "keep"
+    }
+    forward_to = argument.metrics_destinations.value
+  }    
+}
+cluster_metrics "feature" {
+  metrics_destinations = [
+    otelcol.receiver.prometheus.otel_endpoint.receiver,
+  ]
+}
+
+// Feature: Prometheus Operator Objects
+declare "prometheus_operator_objects" {
+  argument "metrics_destinations" {
+    comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+  }
+  
+  // Prometheus Operator PodMonitor objects
+  prometheus.operator.podmonitors "pod_monitors" {
+    clustering {
+      enabled = true
+    }
+    scrape {
+      default_scrape_interval = "60s"
+    }
+    forward_to = argument.metrics_destinations.value
+  }
+  
+  // Prometheus Operator Probe objects
+  prometheus.operator.probes "pod_monitors" {
+    clustering {
+      enabled = true
+    }
+    scrape {
+      default_scrape_interval = "60s"
+    }
+    forward_to = argument.metrics_destinations.value
+  }
+  
+  // Prometheus Operator ServiceMonitor objects
+  prometheus.operator.servicemonitors "service_monitors" {
+    clustering {
+      enabled = true
+    }
+    scrape {
+      default_scrape_interval = "60s"
+    }
+    forward_to = argument.metrics_destinations.value
+  }
+}
+prometheus_operator_objects "feature" {
+  metrics_destinations = [
+    otelcol.receiver.prometheus.otel_endpoint.receiver,
+  ]
+}
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-singleton.alloy b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-singleton.alloy
new file mode 100644
index 000000000..8b58c833b
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/alloy-singleton.alloy
@@ -0,0 +1,196 @@
+// Destination: otel-endpoint (otlp)
+otelcol.receiver.prometheus "otel_endpoint" {
+  output {
+    metrics = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.receiver.loki "otel_endpoint" {
+  output {
+    logs = [otelcol.processor.attributes.otel_endpoint.input]
+  }
+}
+otelcol.auth.oauth2 "otel_endpoint" {
+  client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+  client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+  endpoint_params = {
+    client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+    grant_type = ["client_credentials"],
+  }
+  token_url = "https://my.idp/application/o/token/"
+}
+
+otelcol.processor.attributes "otel_endpoint" {
+  action {
+    key = "cluster"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  action {
+    key = "k8s.cluster.name"
+    action = "upsert"
+    value = "oauth2-auth-example"
+  }
+  output {
+    metrics = [otelcol.processor.transform.otel_endpoint.input]
+    logs = [otelcol.processor.transform.otel_endpoint.input]
+    traces = [otelcol.processor.transform.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.transform "otel_endpoint" {
+  error_mode = "ignore"
+
+  output {
+    metrics = [otelcol.processor.batch.otel_endpoint.input]
+    logs = [otelcol.processor.batch.otel_endpoint.input]
+    traces = [otelcol.processor.batch.otel_endpoint.input]
+  }
+}
+
+otelcol.processor.batch "otel_endpoint" {
+  timeout = "2s"
+  send_batch_size = 8192
+  send_batch_max_size = 0
+
+  output {
+    metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+    logs = [otelcol.exporter.otlp.otel_endpoint.input]
+    traces = [otelcol.exporter.otlp.otel_endpoint.input]
+  }
+}
+otelcol.exporter.otlp "otel_endpoint" {
+  client {
+    endpoint = "grpc.my.otel.endpoint:443"
+    auth = otelcol.auth.oauth2.otel_endpoint.handler
+    tls {
+      insecure = false
+      insecure_skip_verify = false
+    }
+  }
+}
+
+remote.kubernetes.secret "otel_endpoint" {
+  name      = "otel-endpoint-k8smon-k8s-monitoring"
+  namespace = "default"
+}
+
+// Feature: Cluster Events
+declare "cluster_events" {
+  argument "logs_destinations" {
+    comment = "Must be a list of log destinations where collected logs should be forwarded to"
+  }
+
+  loki.source.kubernetes_events "cluster_events" {
+    job_name   = "integrations/kubernetes/eventhandler"
+    log_format = "logfmt"
+    forward_to = [loki.process.cluster_events.receiver]
+  }
+
+  loki.process "cluster_events" {
+
+    // add a static source label to the logs so they can be differentiated / restricted if necessary
+    stage.static_labels {
+      values = {
+        "source" = "kubernetes-events",
+      }
+    }
+
+    // extract some of the fields from the log line, these could be used as labels, structured metadata, etc.
+    stage.logfmt {
+      mapping = {
+        "component" = "sourcecomponent", // map the sourcecomponent field to component
+        "kind" = "",
+        "level" = "type", // most events don't have a level but they do have a "type" i.e. Normal, Warning, Error, etc.
+        "name" = "",
+        "node" = "sourcehost", // map the sourcehost field to node
+      }
+    }
+    // set these values as labels, they may or may not be used as index labels in Loki as they can be dropped
+    // prior to being written to Loki, but this makes them available
+    stage.labels {
+      values = {
+        "component" = "",
+        "kind" = "",
+        "level" = "",
+        "name" = "",
+        "node" = "",
+      }
+    }
+
+    // if kind=Node, set the node label by copying the instance label
+    stage.match {
+      selector = "{kind=\"Node\"}"
+
+      stage.labels {
+        values = {
+          "node" = "name",
+        }
+      }
+    }
+
+    // set the level extracted key value as a normalized log level
+    stage.match {
+      selector = "{level=\"Normal\"}"
+
+      stage.static_labels {
+        values = {
+          level = "Info",
+        }
+      }
+    }
+
+    // Only keep the labels that are defined in the `keepLabels` list.
+    stage.label_keep {
+      values = ["job","level","namespace","node","source"]
+    }
+    forward_to = argument.logs_destinations.value
+  }
+}
+cluster_events "feature" {
+  logs_destinations = [
+    otelcol.receiver.loki.otel_endpoint.receiver,
+  ]
+}
+
+// Self Reporting
+prometheus.exporter.unix "kubernetes_monitoring_telemetry" {
+  set_collectors = ["textfile"]
+  textfile {
+    directory = "/etc/alloy"
+  }
+}
+
+discovery.relabel "kubernetes_monitoring_telemetry" {
+  targets = prometheus.exporter.unix.kubernetes_monitoring_telemetry.targets
+  rule {
+    target_label = "instance"
+    action = "replace"
+    replacement = "k8smon"
+  }
+  rule {
+    target_label = "job"
+    action = "replace"
+    replacement = "integrations/kubernetes/kubernetes_monitoring_telemetry"
+  }
+}
+
+prometheus.scrape "kubernetes_monitoring_telemetry" {
+  job_name   = "integrations/kubernetes/kubernetes_monitoring_telemetry"
+  targets    = discovery.relabel.kubernetes_monitoring_telemetry.output
+  scrape_interval = "1h"
+  clustering {
+    enabled = true
+  }
+  forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+}
+
+prometheus.relabel "kubernetes_monitoring_telemetry" {
+  rule {
+    source_labels = ["__name__"]
+    regex = "grafana_kubernetes_monitoring_.*"
+    action = "keep"
+  }
+  forward_to = [
+    otelcol.receiver.prometheus.otel_endpoint.receiver,
+  ]
+}
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/description.txt b/charts/k8s-monitoring/docs/examples/auth/oauth2/description.txt
new file mode 100644
index 000000000..80a71feff
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/description.txt
@@ -0,0 +1,3 @@
+# OAuth2 Authentication
+
+This example demonstrates how to use OAuth2 for authentication.
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/output.yaml b/charts/k8s-monitoring/docs/examples/auth/oauth2/output.yaml
new file mode 100644
index 000000000..a14592f94
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/output.yaml
@@ -0,0 +1,4124 @@
+---
+# Source: k8s-monitoring/charts/alloy-logs/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8smon-alloy-logs
+  namespace: default
+  labels:
+    helm.sh/chart: alloy-logs-0.10.1
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8smon-alloy-metrics
+  namespace: default
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+---
+# Source: k8s-monitoring/charts/alloy-singleton/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8smon-alloy-singleton
+  namespace: default
+  labels:
+    helm.sh/chart: alloy-singleton-0.10.1
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/kube-state-metrics/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+  labels:    
+    helm.sh/chart: kube-state-metrics-5.27.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "2.14.0"
+    release: k8smon
+  name: k8smon-kube-state-metrics
+  namespace: default
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/node-exporter/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8smon-node-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: node-exporter-4.43.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: node-exporter
+    app.kubernetes.io/name: node-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "1.8.2"
+    release: k8smon
+automountServiceAccountToken: false
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/windows-exporter/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8smon-windows-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: windows-exporter-0.7.1
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: windows-exporter
+    app.kubernetes.io/name: windows-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "0.29.2"
+    release: k8smon
+---
+# Source: k8s-monitoring/templates/destination_secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "otel-endpoint-k8smon-k8s-monitoring"
+  namespace: "default"
+type: Opaque
+data:
+  clientId: "bXktY2xpZW50LWlk"
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/windows-exporter/templates/config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-windows-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: windows-exporter-0.7.1
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: windows-exporter
+    app.kubernetes.io/name: windows-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "0.29.2"
+    release: k8smon
+data:
+  config.yml: |
+    collectors:
+      enabled: cpu,cs,container,logical_disk,memory,net,os
+    collector:
+      service:
+        services-where: "Name='containerd' or Name='kubelet'"
+---
+# Source: k8s-monitoring/templates/alloy-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-alloy-metrics
+  namespace: default
+data:
+  config.alloy: |-
+    // Destination: otel-endpoint (otlp)
+    otelcol.receiver.prometheus "otel_endpoint" {
+      output {
+        metrics = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.receiver.loki "otel_endpoint" {
+      output {
+        logs = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.auth.oauth2 "otel_endpoint" {
+      client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+      client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      endpoint_params = {
+        client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+        grant_type = ["client_credentials"],
+      }
+      token_url = "https://my.idp/application/o/token/"
+    }
+    
+    otelcol.processor.attributes "otel_endpoint" {
+      action {
+        key = "cluster"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      action {
+        key = "k8s.cluster.name"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      output {
+        metrics = [otelcol.processor.transform.otel_endpoint.input]
+        logs = [otelcol.processor.transform.otel_endpoint.input]
+        traces = [otelcol.processor.transform.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.transform "otel_endpoint" {
+      error_mode = "ignore"
+    
+      output {
+        metrics = [otelcol.processor.batch.otel_endpoint.input]
+        logs = [otelcol.processor.batch.otel_endpoint.input]
+        traces = [otelcol.processor.batch.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.batch "otel_endpoint" {
+      timeout = "2s"
+      send_batch_size = 8192
+      send_batch_max_size = 0
+    
+      output {
+        metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+        logs = [otelcol.exporter.otlp.otel_endpoint.input]
+        traces = [otelcol.exporter.otlp.otel_endpoint.input]
+      }
+    }
+    otelcol.exporter.otlp "otel_endpoint" {
+      client {
+        endpoint = "grpc.my.otel.endpoint:443"
+        auth = otelcol.auth.oauth2.otel_endpoint.handler
+        tls {
+          insecure = false
+          insecure_skip_verify = false
+        }
+      }
+    }
+    
+    remote.kubernetes.secret "otel_endpoint" {
+      name      = "otel-endpoint-k8smon-k8s-monitoring"
+      namespace = "default"
+    }
+    
+    // Feature: Annotation Autodiscovery
+    declare "annotation_autodiscovery" {
+      argument "metrics_destinations" {
+        comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+      }
+    
+      discovery.kubernetes "pods" {
+        role = "pod"
+      }
+    
+      discovery.relabel "annotation_autodiscovery_pods" {
+        targets = discovery.kubernetes.pods.targets
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_scrape"]
+          regex = "true"
+          action = "keep"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_job"]
+          action = "replace"
+          target_label = "job"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_instance"]
+          action = "replace"
+          target_label = "instance"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_path"]
+          action = "replace"
+          target_label = "__metrics_path__"
+        }
+    
+        // Choose the pod port
+        // The discovery generates a target for each declared container port of the pod.
+        // If the metricsPortName annotation has value, keep only the target where the port name matches the one of the annotation.
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_port_name"]
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portName"]
+          regex = "(.+)"
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_port_name"]
+          action = "keepequal"
+          target_label = "__tmp_port"
+        }
+    
+        // If the metrics port number annotation has a value, override the target address to use it, regardless whether it is
+        // one of the declared ports on that Pod.
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portNumber", "__meta_kubernetes_pod_ip"]
+          regex = "(\\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})"
+          replacement = "[$2]:$1" // IPv6
+          target_label = "__address__"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_portNumber", "__meta_kubernetes_pod_ip"]
+          regex = "(\\d+);((([0-9]+?)(\\.|$)){4})" // IPv4, takes priority over IPv6 when both exists
+          replacement = "$2:$1"
+          target_label = "__address__"
+        }
+    
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_scheme"]
+          action = "replace"
+          target_label = "__scheme__"
+        }
+    
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_metrics_scrapeInterval"]
+          action = "replace"
+          target_label = "__scrape_interval__"
+        }
+      }
+    
+      discovery.kubernetes "services" {
+        role = "service"
+      }
+    
+      discovery.relabel "annotation_autodiscovery_services" {
+        targets = discovery.kubernetes.services.targets
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_scrape"]
+          regex = "true"
+          action = "keep"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_job"]
+          action = "replace"
+          target_label = "job"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_instance"]
+          action = "replace"
+          target_label = "instance"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_path"]
+          action = "replace"
+          target_label = "__metrics_path__"
+        }
+    
+        // Choose the service port
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_name"]
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_portName"]
+          regex = "(.+)"
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_name"]
+          action = "keepequal"
+          target_label = "__tmp_port"
+        }
+    
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_number"]
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_portNumber"]
+          regex = "(.+)"
+          target_label = "__tmp_port"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_number"]
+          action = "keepequal"
+          target_label = "__tmp_port"
+        }
+    
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_scheme"]
+          action = "replace"
+          target_label = "__scheme__"
+        }
+    
+        rule {
+          source_labels = ["__meta_kubernetes_service_annotation_k8s_grafana_com_metrics_scrapeInterval"]
+          action = "replace"
+          target_label = "__scrape_interval__"
+        }
+      }
+    
+      discovery.relabel "annotation_autodiscovery_http" {
+        targets = concat(discovery.relabel.annotation_autodiscovery_pods.output, discovery.relabel.annotation_autodiscovery_services.output)
+        rule {
+          source_labels = ["__scheme__"]
+          regex = "https"
+          action = "drop"
+        }
+      }
+    
+      discovery.relabel "annotation_autodiscovery_https" {
+        targets = concat(discovery.relabel.annotation_autodiscovery_pods.output, discovery.relabel.annotation_autodiscovery_services.output)
+        rule {
+          source_labels = ["__scheme__"]
+          regex = "https"
+          action = "keep"
+        }
+      }
+    
+      prometheus.scrape "annotation_autodiscovery_http" {
+        targets = discovery.relabel.annotation_autodiscovery_http.output
+        scrape_interval = "60s"
+        honor_labels = true
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+        clustering {
+          enabled = true
+        }
+    
+        forward_to = argument.metrics_destinations.value
+      }
+    
+      prometheus.scrape "annotation_autodiscovery_https" {
+        targets = discovery.relabel.annotation_autodiscovery_https.output
+        scrape_interval = "60s"
+        honor_labels = true
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+        tls_config {
+          insecure_skip_verify = true
+        }
+        clustering {
+          enabled = true
+        }
+    
+        forward_to = argument.metrics_destinations.value
+      }
+    }
+    annotation_autodiscovery "feature" {
+      metrics_destinations = [
+        otelcol.receiver.prometheus.otel_endpoint.receiver,
+      ]
+    }
+    
+    // Feature: Cluster Metrics
+    declare "cluster_metrics" {
+      argument "metrics_destinations" {
+        comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+      }
+      
+      remote.kubernetes.configmap "kubernetes" {
+        name = "k8smon-alloy-module-kubernetes"
+        namespace = "default"
+      }
+      
+      import.string "kubernetes" {
+        content = remote.kubernetes.configmap.kubernetes.data["core_metrics.alloy"]
+      }  
+      
+      kubernetes.kubelet "scrape" {
+        clustering = true
+        keep_metrics = "up|container_cpu_usage_seconds_total|kubelet_certificate_manager_client_expiration_renew_errors|kubelet_certificate_manager_client_ttl_seconds|kubelet_certificate_manager_server_ttl_seconds|kubelet_cgroup_manager_duration_seconds_bucket|kubelet_cgroup_manager_duration_seconds_count|kubelet_node_config_error|kubelet_node_name|kubelet_pleg_relist_duration_seconds_bucket|kubelet_pleg_relist_duration_seconds_count|kubelet_pleg_relist_interval_seconds_bucket|kubelet_pod_start_duration_seconds_bucket|kubelet_pod_start_duration_seconds_count|kubelet_pod_worker_duration_seconds_bucket|kubelet_pod_worker_duration_seconds_count|kubelet_running_container_count|kubelet_running_containers|kubelet_running_pod_count|kubelet_running_pods|kubelet_runtime_operations_errors_total|kubelet_runtime_operations_total|kubelet_server_expiration_renew_errors|kubelet_volume_stats_available_bytes|kubelet_volume_stats_capacity_bytes|kubelet_volume_stats_inodes|kubelet_volume_stats_inodes_used|kubernetes_build_info|namespace_workload_pod|rest_client_requests_total|storage_operation_duration_seconds_count|storage_operation_errors_total|volume_manager_total_volumes"
+        scrape_interval = "60s"
+        max_cache_size = 100000
+        forward_to = argument.metrics_destinations.value
+      }  
+      
+      kubernetes.resources "scrape" {
+        clustering = true
+        job_label = "integrations/kubernetes/resources"
+        keep_metrics = "up|node_cpu_usage_seconds_total|node_memory_working_set_bytes"
+        scrape_interval = "60s"
+        max_cache_size = 100000
+        forward_to = argument.metrics_destinations.value
+      }  
+      
+      kubernetes.cadvisor "scrape" {
+        clustering = true
+        keep_metrics = "up|container_cpu_cfs_periods_total|container_cpu_cfs_throttled_periods_total|container_cpu_usage_seconds_total|container_fs_reads_bytes_total|container_fs_reads_total|container_fs_writes_bytes_total|container_fs_writes_total|container_memory_cache|container_memory_rss|container_memory_swap|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_receive_packets_dropped_total|container_network_receive_packets_total|container_network_transmit_bytes_total|container_network_transmit_packets_dropped_total|container_network_transmit_packets_total|machine_memory_bytes"
+        scrape_interval = "60s"
+        max_cache_size = 100000
+        forward_to = [prometheus.relabel.cadvisor.receiver]
+      }
+      
+      prometheus.relabel "cadvisor" {
+        max_cache_size = 100000
+        // Drop empty container labels, addressing https://github.com/google/cadvisor/issues/2688
+        rule {
+          source_labels = ["__name__","container"]
+          separator = "@"
+          regex = "(container_cpu_.*|container_fs_.*|container_memory_.*)@"
+          action = "drop"
+        }
+        // Drop empty image labels, addressing https://github.com/google/cadvisor/issues/2688
+        rule {
+          source_labels = ["__name__","image"]
+          separator = "@"
+          regex = "(container_cpu_.*|container_fs_.*|container_memory_.*|container_network_.*)@"
+          action = "drop"
+        }
+        // Normalizing unimportant labels (not deleting to continue satisfying <label>!="" checks)
+        rule {
+          source_labels = ["__name__", "boot_id"]
+          separator = "@"
+          regex = "machine_memory_bytes@.*"
+          target_label = "boot_id"
+          replacement = "NA"
+        }
+        rule {
+          source_labels = ["__name__", "system_uuid"]
+          separator = "@"
+          regex = "machine_memory_bytes@.*"
+          target_label = "system_uuid"
+          replacement = "NA"
+        }
+        // Filter out non-physical devices/interfaces
+        rule {
+          source_labels = ["__name__", "device"]
+          separator = "@"
+          regex = "container_fs_.*@(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dasd.+)"
+          target_label = "__keepme"
+          replacement = "1"
+        }
+        rule {
+          source_labels = ["__name__", "__keepme"]
+          separator = "@"
+          regex = "container_fs_.*@"
+          action = "drop"
+        }
+        rule {
+          source_labels = ["__name__"]
+          regex = "container_fs_.*"
+          target_label = "__keepme"
+          replacement = ""
+        }
+        rule {
+          source_labels = ["__name__", "interface"]
+          separator = "@"
+          regex = "container_network_.*@(en[ospx][0-9].*|wlan[0-9].*|eth[0-9].*)"
+          target_label = "__keepme"
+          replacement = "1"
+        }
+        rule {
+          source_labels = ["__name__", "__keepme"]
+          separator = "@"
+          regex = "container_network_.*@"
+          action = "drop"
+        }
+        rule {
+          source_labels = ["__name__"]
+          regex = "container_network_.*"
+          target_label = "__keepme"
+          replacement = ""
+        }
+        forward_to = argument.metrics_destinations.value
+      }            
+      
+      remote.kubernetes.configmap "kube_state_metrics" {
+        name = "k8smon-alloy-module-kubernetes"
+        namespace = "default"
+      }
+      
+      import.string "kube_state_metrics" {
+        content = remote.kubernetes.configmap.kube_state_metrics.data["kube-state-metrics_metrics.alloy"]
+      }
+      
+      kube_state_metrics.kubernetes "targets" {
+        label_selectors = [
+          "app.kubernetes.io/name=kube-state-metrics",
+          "release=k8smon",
+        ]
+      }
+      
+      kube_state_metrics.scrape "metrics" {
+        targets = kube_state_metrics.kubernetes.targets.output
+        clustering = true
+        keep_metrics = "up|kube_daemonset.*|kube_deployment_metadata_generation|kube_deployment_spec_replicas|kube_deployment_status_observed_generation|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_horizontalpodautoscaler_spec_max_replicas|kube_horizontalpodautoscaler_spec_min_replicas|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_status_desired_replicas|kube_job.*|kube_namespace_status_phase|kube_node.*|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_requests|kube_pod_container_status_last_terminated_reason|kube_pod_container_status_restarts_total|kube_pod_container_status_waiting_reason|kube_pod_info|kube_pod_owner|kube_pod_start_time|kube_pod_status_phase|kube_pod_status_reason|kube_replicaset.*|kube_resourcequota|kube_statefulset.*"
+        scrape_interval = "60s"
+        max_cache_size = 100000
+        forward_to = argument.metrics_destinations.value
+      }  
+      
+      remote.kubernetes.configmap "node_exporter" {
+        name = "k8smon-alloy-module-system"
+        namespace = "default"
+      }
+      
+      import.string "node_exporter" {
+        content = remote.kubernetes.configmap.node_exporter.data["node-exporter_metrics.alloy"]
+      }
+      
+      node_exporter.kubernetes "targets" {
+        label_selectors = [
+          "app.kubernetes.io/name=node-exporter",
+          "release=k8smon",
+        ]
+      }
+      
+      discovery.relabel "node_exporter" {
+        targets = node_exporter.kubernetes.targets.output
+        rule {
+          source_labels = ["__meta_kubernetes_pod_node_name"]
+          action = "replace"
+          target_label = "instance"
+        }
+      }
+      
+      node_exporter.scrape "metrics" {
+        targets = discovery.relabel.node_exporter.output
+        job_label = "integrations/node_exporter"
+        clustering = true
+        keep_metrics = "up|node_cpu.*|node_exporter_build_info|node_filesystem.*|node_memory.*|node_network_receive_bytes_total|node_network_receive_drop_total|node_network_transmit_bytes_total|node_network_transmit_drop_total|process_cpu_seconds_total|process_resident_memory_bytes"
+        scrape_interval = "60s"
+        max_cache_size = 100000
+        forward_to = argument.metrics_destinations.value
+      }  
+      
+      discovery.kubernetes "windows_exporter_pods" {
+        role = "pod"
+        namespaces {
+          names = ["default"]
+        }
+        selectors {
+          role = "pod"
+          label = "app.kubernetes.io/name=windows-exporter,release=k8smon"
+        }
+      }
+      
+      discovery.relabel "windows_exporter" {
+        targets = discovery.kubernetes.windows_exporter_pods.targets
+        rule {
+          source_labels = ["__meta_kubernetes_pod_node_name"]
+          action = "replace"
+          target_label = "instance"
+        }
+      }
+      
+      prometheus.scrape "windows_exporter" {
+        job_name   = "integrations/windows-exporter"
+        targets  = discovery.relabel.windows_exporter.output
+        scrape_interval = "60s"
+        clustering {
+          enabled = true
+        }
+        forward_to = [prometheus.relabel.windows_exporter.receiver]
+      }
+      
+      prometheus.relabel "windows_exporter" {
+        max_cache_size = 100000
+        rule {
+          source_labels = ["__name__"]
+          regex = "up|windows_.*|node_cpu_seconds_total|node_filesystem_size_bytes|node_filesystem_avail_bytes|container_cpu_usage_seconds_total"
+          action = "keep"
+        }
+        forward_to = argument.metrics_destinations.value
+      }    
+    }
+    cluster_metrics "feature" {
+      metrics_destinations = [
+        otelcol.receiver.prometheus.otel_endpoint.receiver,
+      ]
+    }
+    
+    // Feature: Prometheus Operator Objects
+    declare "prometheus_operator_objects" {
+      argument "metrics_destinations" {
+        comment = "Must be a list of metric destinations where collected metrics should be forwarded to"
+      }
+      
+      // Prometheus Operator PodMonitor objects
+      prometheus.operator.podmonitors "pod_monitors" {
+        clustering {
+          enabled = true
+        }
+        scrape {
+          default_scrape_interval = "60s"
+        }
+        forward_to = argument.metrics_destinations.value
+      }
+      
+      // Prometheus Operator Probe objects
+      prometheus.operator.probes "pod_monitors" {
+        clustering {
+          enabled = true
+        }
+        scrape {
+          default_scrape_interval = "60s"
+        }
+        forward_to = argument.metrics_destinations.value
+      }
+      
+      // Prometheus Operator ServiceMonitor objects
+      prometheus.operator.servicemonitors "service_monitors" {
+        clustering {
+          enabled = true
+        }
+        scrape {
+          default_scrape_interval = "60s"
+        }
+        forward_to = argument.metrics_destinations.value
+      }
+    }
+    prometheus_operator_objects "feature" {
+      metrics_destinations = [
+        otelcol.receiver.prometheus.otel_endpoint.receiver,
+      ]
+    }
+---
+# Source: k8s-monitoring/templates/alloy-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-alloy-singleton
+  namespace: default
+data:
+  config.alloy: |-
+    // Destination: otel-endpoint (otlp)
+    otelcol.receiver.prometheus "otel_endpoint" {
+      output {
+        metrics = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.receiver.loki "otel_endpoint" {
+      output {
+        logs = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.auth.oauth2 "otel_endpoint" {
+      client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+      client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      endpoint_params = {
+        client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+        grant_type = ["client_credentials"],
+      }
+      token_url = "https://my.idp/application/o/token/"
+    }
+    
+    otelcol.processor.attributes "otel_endpoint" {
+      action {
+        key = "cluster"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      action {
+        key = "k8s.cluster.name"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      output {
+        metrics = [otelcol.processor.transform.otel_endpoint.input]
+        logs = [otelcol.processor.transform.otel_endpoint.input]
+        traces = [otelcol.processor.transform.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.transform "otel_endpoint" {
+      error_mode = "ignore"
+    
+      output {
+        metrics = [otelcol.processor.batch.otel_endpoint.input]
+        logs = [otelcol.processor.batch.otel_endpoint.input]
+        traces = [otelcol.processor.batch.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.batch "otel_endpoint" {
+      timeout = "2s"
+      send_batch_size = 8192
+      send_batch_max_size = 0
+    
+      output {
+        metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+        logs = [otelcol.exporter.otlp.otel_endpoint.input]
+        traces = [otelcol.exporter.otlp.otel_endpoint.input]
+      }
+    }
+    otelcol.exporter.otlp "otel_endpoint" {
+      client {
+        endpoint = "grpc.my.otel.endpoint:443"
+        auth = otelcol.auth.oauth2.otel_endpoint.handler
+        tls {
+          insecure = false
+          insecure_skip_verify = false
+        }
+      }
+    }
+    
+    remote.kubernetes.secret "otel_endpoint" {
+      name      = "otel-endpoint-k8smon-k8s-monitoring"
+      namespace = "default"
+    }
+    
+    // Feature: Cluster Events
+    declare "cluster_events" {
+      argument "logs_destinations" {
+        comment = "Must be a list of log destinations where collected logs should be forwarded to"
+      }
+    
+      loki.source.kubernetes_events "cluster_events" {
+        job_name   = "integrations/kubernetes/eventhandler"
+        log_format = "logfmt"
+        forward_to = [loki.process.cluster_events.receiver]
+      }
+    
+      loki.process "cluster_events" {
+    
+        // add a static source label to the logs so they can be differentiated / restricted if necessary
+        stage.static_labels {
+          values = {
+            "source" = "kubernetes-events",
+          }
+        }
+    
+        // extract some of the fields from the log line, these could be used as labels, structured metadata, etc.
+        stage.logfmt {
+          mapping = {
+            "component" = "sourcecomponent", // map the sourcecomponent field to component
+            "kind" = "",
+            "level" = "type", // most events don't have a level but they do have a "type" i.e. Normal, Warning, Error, etc.
+            "name" = "",
+            "node" = "sourcehost", // map the sourcehost field to node
+          }
+        }
+        // set these values as labels, they may or may not be used as index labels in Loki as they can be dropped
+        // prior to being written to Loki, but this makes them available
+        stage.labels {
+          values = {
+            "component" = "",
+            "kind" = "",
+            "level" = "",
+            "name" = "",
+            "node" = "",
+          }
+        }
+    
+        // if kind=Node, set the node label by copying the instance label
+        stage.match {
+          selector = "{kind=\"Node\"}"
+    
+          stage.labels {
+            values = {
+              "node" = "name",
+            }
+          }
+        }
+    
+        // set the level extracted key value as a normalized log level
+        stage.match {
+          selector = "{level=\"Normal\"}"
+    
+          stage.static_labels {
+            values = {
+              level = "Info",
+            }
+          }
+        }
+    
+        // Only keep the labels that are defined in the `keepLabels` list.
+        stage.label_keep {
+          values = ["job","level","namespace","node","source"]
+        }
+        forward_to = argument.logs_destinations.value
+      }
+    }
+    cluster_events "feature" {
+      logs_destinations = [
+        otelcol.receiver.loki.otel_endpoint.receiver,
+      ]
+    }
+    
+    // Self Reporting
+    prometheus.exporter.unix "kubernetes_monitoring_telemetry" {
+      set_collectors = ["textfile"]
+      textfile {
+        directory = "/etc/alloy"
+      }
+    }
+    
+    discovery.relabel "kubernetes_monitoring_telemetry" {
+      targets = prometheus.exporter.unix.kubernetes_monitoring_telemetry.targets
+      rule {
+        target_label = "instance"
+        action = "replace"
+        replacement = "k8smon"
+      }
+      rule {
+        target_label = "job"
+        action = "replace"
+        replacement = "integrations/kubernetes/kubernetes_monitoring_telemetry"
+      }
+    }
+    
+    prometheus.scrape "kubernetes_monitoring_telemetry" {
+      job_name   = "integrations/kubernetes/kubernetes_monitoring_telemetry"
+      targets    = discovery.relabel.kubernetes_monitoring_telemetry.output
+      scrape_interval = "1h"
+      clustering {
+        enabled = true
+      }
+      forward_to = [prometheus.relabel.kubernetes_monitoring_telemetry.receiver]
+    }
+    
+    prometheus.relabel "kubernetes_monitoring_telemetry" {
+      rule {
+        source_labels = ["__name__"]
+        regex = "grafana_kubernetes_monitoring_.*"
+        action = "keep"
+      }
+      forward_to = [
+        otelcol.receiver.prometheus.otel_endpoint.receiver,
+      ]
+    }
+    
+    
+    
+    
+  self-reporting-metric.prom: |
+    # HELP grafana_kubernetes_monitoring_build_info A metric to report the version of the Kubernetes Monitoring Helm chart
+    # TYPE grafana_kubernetes_monitoring_build_info gauge
+    grafana_kubernetes_monitoring_build_info{version="2.0.0-rc.10", namespace="default"} 1
+    # HELP grafana_kubernetes_monitoring_feature_info A metric to report the enabled features of the Kubernetes Monitoring Helm chart
+    # TYPE grafana_kubernetes_monitoring_feature_info gauge
+    grafana_kubernetes_monitoring_feature_info{feature="annotationAutodiscovery", version="1.0.0"} 1
+    grafana_kubernetes_monitoring_feature_info{deployments="kube-state-metrics,node-exporter,windows-exporter", feature="clusterMetrics", sources="kubelet,kubeletResource,cadvisor,kube-state-metrics,node-exporter,windows-exporter", version="1.0.0"} 1
+    grafana_kubernetes_monitoring_feature_info{feature="clusterEvents", version="1.0.0"} 1
+    grafana_kubernetes_monitoring_feature_info{feature="nodeLogs", version="1.0.0"} 1
+    grafana_kubernetes_monitoring_feature_info{feature="podLogs", method="volumes", version="1.0.0"} 1
+    grafana_kubernetes_monitoring_feature_info{feature="prometheusOperatorObjects", version="1.0.0"} 1
+---
+# Source: k8s-monitoring/templates/alloy-config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-alloy-logs
+  namespace: default
+data:
+  config.alloy: |-
+    // Destination: otel-endpoint (otlp)
+    otelcol.receiver.prometheus "otel_endpoint" {
+      output {
+        metrics = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.receiver.loki "otel_endpoint" {
+      output {
+        logs = [otelcol.processor.attributes.otel_endpoint.input]
+      }
+    }
+    otelcol.auth.oauth2 "otel_endpoint" {
+      client_id = nonsensitive(remote.kubernetes.secret.otel_endpoint.data["clientId"])
+      client_secret_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      endpoint_params = {
+        client_assertion_type = ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"],
+        grant_type = ["client_credentials"],
+      }
+      token_url = "https://my.idp/application/o/token/"
+    }
+    
+    otelcol.processor.attributes "otel_endpoint" {
+      action {
+        key = "cluster"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      action {
+        key = "k8s.cluster.name"
+        action = "upsert"
+        value = "oauth2-auth-example"
+      }
+      output {
+        metrics = [otelcol.processor.transform.otel_endpoint.input]
+        logs = [otelcol.processor.transform.otel_endpoint.input]
+        traces = [otelcol.processor.transform.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.transform "otel_endpoint" {
+      error_mode = "ignore"
+    
+      output {
+        metrics = [otelcol.processor.batch.otel_endpoint.input]
+        logs = [otelcol.processor.batch.otel_endpoint.input]
+        traces = [otelcol.processor.batch.otel_endpoint.input]
+      }
+    }
+    
+    otelcol.processor.batch "otel_endpoint" {
+      timeout = "2s"
+      send_batch_size = 8192
+      send_batch_max_size = 0
+    
+      output {
+        metrics = [otelcol.exporter.otlp.otel_endpoint.input]
+        logs = [otelcol.exporter.otlp.otel_endpoint.input]
+        traces = [otelcol.exporter.otlp.otel_endpoint.input]
+      }
+    }
+    otelcol.exporter.otlp "otel_endpoint" {
+      client {
+        endpoint = "grpc.my.otel.endpoint:443"
+        auth = otelcol.auth.oauth2.otel_endpoint.handler
+        tls {
+          insecure = false
+          insecure_skip_verify = false
+        }
+      }
+    }
+    
+    remote.kubernetes.secret "otel_endpoint" {
+      name      = "otel-endpoint-k8smon-k8s-monitoring"
+      namespace = "default"
+    }
+    
+    // Feature: Node Logs
+    declare "node_logs" {
+      argument "logs_destinations" {
+        comment = "Must be a list of log destinations where collected logs should be forwarded to"
+      }
+    
+      loki.relabel "journal" {
+    
+        // copy all journal labels and make the available to the pipeline stages as labels, there is a label
+        // keep defined to filter out unwanted labels, these pipeline labels can be set as structured metadata
+        // as well, the following labels are available:
+        // - boot_id
+        // - cap_effective
+        // - cmdline
+        // - comm
+        // - exe
+        // - gid
+        // - hostname
+        // - machine_id
+        // - pid
+        // - stream_id
+        // - systemd_cgroup
+        // - systemd_invocation_id
+        // - systemd_slice
+        // - systemd_unit
+        // - transport
+        // - uid
+        //
+        // More Info: https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+        rule {
+          action = "labelmap"
+          regex = "__journal__(.+)"
+        }
+    
+        rule {
+          action = "replace"
+          source_labels = ["__journal__systemd_unit"]
+          replacement = "$1"
+          target_label = "unit"
+        }
+    
+        // the service_name label will be set automatically in loki if not set, and the unit label
+        // will not allow service_name to be set automatically.
+        rule {
+          action = "replace"
+          source_labels = ["__journal__systemd_unit"]
+          replacement = "$1"
+          target_label = "service_name"
+        }
+    
+        forward_to = [] // No forward_to is used in this component, the defined rules are used in the loki.source.journal component
+      }
+    
+      loki.source.journal "worker" {
+        path = "/var/log/journal"
+        format_as_json = false
+        max_age = "8h"
+        relabel_rules = loki.relabel.journal.rules
+        labels = {
+          job = "integrations/kubernetes/journal",
+          instance = sys.env("HOSTNAME"),
+        }
+        forward_to = [loki.process.journal_logs.receiver]
+      }
+    
+      loki.process "journal_logs" {
+        stage.static_labels {
+          values = {
+            // add a static source label to the logs so they can be differentiated / restricted if necessary
+            "source" = "journal",
+            // default level to unknown
+            level = "unknown",
+          }
+        }
+    
+        // Attempt to determine the log level, most k8s workers are either in logfmt or klog formats
+        // check to see if the log line matches the klog format (https://github.com/kubernetes/klog)
+        stage.match {
+          // unescaped regex: ([IWED][0-9]{4}\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+)
+          selector = "{level=\"unknown\"} |~ \"([IWED][0-9]{4}\\\\s+[0-9]{2}:[0-9]{2}:[0-9]{2}\\\\.[0-9]+)\""
+    
+          // extract log level, klog uses a single letter code for the level followed by the month and day i.e. I0119
+          stage.regex {
+            expression = "((?P<level>[A-Z])[0-9])"
+          }
+    
+          // if the extracted level is I set INFO
+          stage.replace {
+            source = "level"
+            expression = "(I)"
+            replace = "INFO"
+          }
+    
+          // if the extracted level is W set WARN
+          stage.replace {
+            source = "level"
+            expression = "(W)"
+            replace = "WARN"
+          }
+    
+          // if the extracted level is E set ERROR
+          stage.replace {
+            source = "level"
+            expression = "(E)"
+            replace = "ERROR"
+          }
+    
+          // if the extracted level is I set INFO
+          stage.replace {
+            source = "level"
+            expression = "(D)"
+            replace = "DEBUG"
+          }
+    
+          // set the extracted level to be a label
+          stage.labels {
+            values = {
+              level = "",
+            }
+          }
+        }
+    
+        // if the level is still unknown, do one last attempt at detecting it based on common levels
+        stage.match {
+          selector = "{level=\"unknown\"}"
+    
+          // unescaped regex: (?i)(?:"(?:level|loglevel|levelname|lvl|levelText|SeverityText)":\s*"|\s*(?:level|loglevel|levelText|lvl)="?|\s+\[?)(?P<level>(DEBUG?|DBG|INFO?(RMATION)?|WA?RN(ING)?|ERR(OR)?|CRI?T(ICAL)?|FATAL|FTL|NOTICE|TRACE|TRC|PANIC|PNC|ALERT|EMERGENCY))("|\s+|-|\s*\])
+          stage.regex {
+            expression = "(?i)(?:\"(?:level|loglevel|levelname|lvl|levelText|SeverityText)\":\\s*\"|\\s*(?:level|loglevel|levelText|lvl)=\"?|\\s+\\[?)(?P<level>(DEBUG?|DBG|INFO?(RMATION)?|WA?RN(ING)?|ERR(OR)?|CRI?T(ICAL)?|FATAL|FTL|NOTICE|TRACE|TRC|PANIC|PNC|ALERT|EMERGENCY))(\"|\\s+|-|\\s*\\])"
+          }
+    
+          // set the extracted level to be a label
+          stage.labels {
+            values = {
+              level = "",
+            }
+          }
+        }
+    
+        // Only keep the labels that are defined in the `keepLabels` list.
+        stage.label_keep {
+          values = ["instance","job","level","name","unit","service_name","source"]
+        }
+    
+        forward_to = argument.logs_destinations.value
+      }
+    }
+    node_logs "feature" {
+      logs_destinations = [
+        otelcol.receiver.loki.otel_endpoint.receiver,
+      ]
+    }
+    
+    // Feature: Pod Logs
+    declare "pod_logs" {
+      argument "logs_destinations" {
+        comment = "Must be a list of log destinations where collected logs should be forwarded to"
+      }
+      
+      discovery.relabel "filtered_pods" {
+        targets = discovery.kubernetes.pods.targets
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          action = "replace"
+          target_label = "namespace"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          action = "replace"
+          target_label = "pod"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          action = "replace"
+          target_label = "container"
+        }
+        rule {
+          source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
+          separator = "/"
+          action = "replace"
+          replacement = "$1"
+          target_label = "job"
+        }
+      
+        // set the container runtime as a label
+        rule {
+          action = "replace"
+          source_labels = ["__meta_kubernetes_pod_container_id"]
+          regex = "^(\\S+):\\/\\/.+$"
+          replacement = "$1"
+          target_label = "tmp_container_runtime"
+        }
+      
+        // set the job label from the k8s.grafana.com/logs.job annotation if it exists
+        rule {
+          source_labels = ["__meta_kubernetes_pod_annotation_k8s_grafana_com_logs_job"]
+          regex = "(.+)"
+          target_label = "job"
+        }
+      
+        // make all labels on the pod available to the pipeline as labels,
+        // they are omitted before write to loki via stage.label_keep unless explicitly set
+        rule {
+          action = "labelmap"
+          regex = "__meta_kubernetes_pod_label_(.+)"
+        }
+      
+        // make all annotations on the pod available to the pipeline as labels,
+        // they are omitted before write to loki via stage.label_keep unless explicitly set
+        rule {
+          action = "labelmap"
+          regex = "__meta_kubernetes_pod_annotation_(.+)"
+        }
+      }
+      
+      discovery.kubernetes "pods" {
+        role = "pod"
+        selectors {
+          role = "pod"
+          field = "spec.nodeName=" + sys.env("HOSTNAME")
+        }
+      }
+      
+      discovery.relabel "filtered_pods_with_paths" {
+        targets = discovery.relabel.filtered_pods.output
+      
+        rule {
+          source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+          separator = "/"
+          action = "replace"
+          replacement = "/var/log/pods/*$1/*.log"
+          target_label = "__path__"
+        }
+      }
+      
+      local.file_match "pod_logs" {
+        path_targets = discovery.relabel.filtered_pods_with_paths.output
+      }
+      
+      loki.source.file "pod_logs" {
+        targets    = local.file_match.pod_logs.targets
+        forward_to = [loki.process.pod_logs.receiver]
+      }
+      
+      loki.process "pod_logs" {
+        stage.match {
+          selector = "{tmp_container_runtime=~\"containerd|cri-o\"}"
+          // the cri processing stage extracts the following k/v pairs: log, stream, time, flags
+          stage.cri {}
+      
+          // Set the extract flags and stream values as labels
+          stage.labels {
+            values = {
+              flags  = "",
+              stream  = "",
+            }
+          }
+        }
+      
+        stage.match {
+          selector = "{tmp_container_runtime=\"docker\"}"
+          // the docker processing stage extracts the following k/v pairs: log, stream, time
+          stage.docker {}
+      
+          // Set the extract stream value as a label
+          stage.labels {
+            values = {
+              stream  = "",
+            }
+          }
+        }
+      
+        // Drop the filename label, since it's not really useful in the context of Kubernetes, where we already have cluster,
+        // namespace, pod, and container labels. Drop any structured metadata. Also drop the temporary
+        // container runtime label as it is no longer needed.
+        stage.label_drop {
+          values = [
+            "filename",
+            "tmp_container_runtime",
+          ]
+        }
+      
+        // Only keep the labels that are defined in the `keepLabels` list.
+        stage.label_keep {
+          values = ["app_kubernetes_io_name","container","instance","job","level","namespace","pod","service_name"]
+        }
+      
+        forward_to = argument.logs_destinations.value
+      }
+    }
+    pod_logs "feature" {
+      logs_destinations = [
+        otelcol.receiver.loki.otel_endpoint.receiver,
+      ]
+    }
+---
+# Source: k8s-monitoring/templates/alloy-modules-configmaps.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-alloy-module-kubernetes
+data:
+  core_metrics.alloy: |
+    /*
+    Module: job-cadvisor
+    Description: Scrapes cadvisor
+    
+    Note: Every argument except for "forward_to" is optional, and does have a defined default value.  However, the values for these
+          arguments are not defined using the default = " ... " argument syntax, but rather using the coalesce(argument.value, " ... ").
+          This is because if the argument passed in from another consuming module is set to null, the default = " ... " syntax will
+          does not override the value passed in, where coalesce() will return the first non-null value.
+    */
+    declare "cadvisor" {
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"metadata.name=kubernetes\"])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "job_label" {
+        comment = "The job label to add for all cadvisor metric (default: integrations/kubernetes/cadvisor)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.cadvisor.output
+      }
+    
+      // cadvisor service discovery for all of the nodes
+      discovery.kubernetes "cadvisor" {
+        role = "node"
+    
+        selectors {
+          role = "node"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, []), ",")
+        }
+      }
+    
+      // cadvisor relabelings (pre-scrape)
+      discovery.relabel "cadvisor" {
+        targets = discovery.kubernetes.cadvisor.targets
+    
+        // set the address to use the kubernetes service dns name
+        rule {
+          target_label = "__address__"
+          replacement  = "kubernetes.default.svc.cluster.local:443"
+        }
+    
+        // set the metrics path to use the proxy path to the nodes cadvisor metrics endpoint
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          regex = "(.+)"
+          replacement = "/api/v1/nodes/${1}/proxy/metrics/cadvisor"
+          target_label = "__metrics_path__"
+        }
+    
+        // set the node label
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          target_label  = "node"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_node_label_app_kubernetes_io_name",
+            "__meta_kubernetes_node_label_k8s_app",
+            "__meta_kubernetes_node_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+      // cadvisor scrape job
+      prometheus.scrape "cadvisor" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/cadvisor")
+        forward_to = [prometheus.relabel.cadvisor.receiver]
+        targets = discovery.relabel.cadvisor.output
+        scheme = "https"
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    
+        tls_config {
+          ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          insecure_skip_verify = false
+          server_name = "kubernetes"
+        }
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // cadvisor metric relabelings (post-scrape)
+      prometheus.relabel "cadvisor" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(up|container_(cpu_(cfs_(periods|throttled_periods)_total|usage_seconds_total)|fs_(reads|writes)(_bytes)?_total|memory_(cache|rss|swap|working_set_bytes)|network_(receive|transmit)_(bytes|packets(_dropped)?_total))|machine_memory_bytes)")
+          action = "keep"
+        }
+    
+        // Drop empty container labels, addressing https://github.com/google/cadvisor/issues/2688
+        rule {
+          source_labels = ["__name__","container"]
+          separator = "@"
+          regex = "(container_cpu_.*|container_fs_.*|container_memory_.*)@"
+          action = "drop"
+        }
+    
+        // Drop empty image labels, addressing https://github.com/google/cadvisor/issues/2688
+        rule {
+          source_labels = ["__name__","image"]
+          separator = "@"
+          regex = "(container_cpu_.*|container_fs_.*|container_memory_.*|container_network_.*)@"
+          action = "drop"
+        }
+    
+        // Normalizing unimportant labels (not deleting to continue satisfying <label>!="" checks)
+        rule {
+          source_labels = ["__name__", "boot_id"]
+          separator = "@"
+          regex = "machine_memory_bytes@.*"
+          target_label = "boot_id"
+          replacement = "NA"
+        }
+        rule {
+          source_labels = ["__name__", "system_uuid"]
+          separator = "@"
+          regex = "machine_memory_bytes@.*"
+          target_label = "system_uuid"
+          replacement = "NA"
+        }
+    
+        // Filter out non-physical devices/interfaces
+        rule {
+          source_labels = ["__name__", "device"]
+          separator = "@"
+          regex = "container_fs_.*@(/dev/)?(mmcblk.p.+|nvme.+|rbd.+|sd.+|vd.+|xvd.+|dasd.+)"
+          target_label = "__keepme"
+          replacement = "1"
+        }
+        rule {
+          source_labels = ["__name__", "__keepme"]
+          separator = "@"
+          regex = "container_fs_.*@"
+          action = "drop"
+        }
+        rule {
+          source_labels = ["__name__"]
+          regex = "container_fs_.*"
+          target_label = "__keepme"
+          replacement = ""
+        }
+        rule {
+          source_labels = ["__name__", "interface"]
+          separator = "@"
+          regex = "container_network_.*@(en[ospx][0-9].*|wlan[0-9].*|eth[0-9].*)"
+          target_label = "__keepme"
+          replacement = "1"
+        }
+        rule {
+          source_labels = ["__name__", "__keepme"]
+          separator = "@"
+          regex = "container_network_.*@"
+          action = "drop"
+        }
+        rule {
+          source_labels = ["__name__"]
+          regex = "container_network_.*"
+          target_label = "__keepme"
+          replacement = ""
+        }
+      }
+    }
+    
+    declare "resources" {
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"metadata.name=kubernetes\"])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "job_label" {
+        comment = "The job label to add for all resources metric (default: integrations/kubernetes/kube-resources)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.resources.output
+      }
+    
+      // resources service discovery for all of the nodes
+      discovery.kubernetes "resources" {
+        role = "node"
+    
+        selectors {
+          role = "node"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, []), ",")
+        }
+      }
+    
+      // resources relabelings (pre-scrape)
+      discovery.relabel "resources" {
+        targets = discovery.kubernetes.resources.targets
+    
+        // set the address to use the kubernetes service dns name
+        rule {
+          target_label = "__address__"
+          replacement  = "kubernetes.default.svc.cluster.local:443"
+        }
+    
+        // set the metrics path to use the proxy path to the nodes resources metrics endpoint
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          regex = "(.+)"
+          replacement = "/api/v1/nodes/${1}/proxy/metrics/resource"
+          target_label = "__metrics_path__"
+        }
+    
+        // set the node label
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          target_label  = "node"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_node_label_app_kubernetes_io_name",
+            "__meta_kubernetes_node_label_k8s_app",
+            "__meta_kubernetes_node_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+       // resources scrape job
+      prometheus.scrape "resources" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kube-resources")
+        forward_to = [prometheus.relabel.resources.receiver]
+        targets = discovery.relabel.resources.output
+        scheme = "https"
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    
+        tls_config {
+          ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          insecure_skip_verify = false
+          server_name = "kubernetes"
+        }
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // resources metric relabelings (post-scrape)
+      prometheus.relabel "resources" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(.+)")
+          action = "keep"
+        }
+      }
+    }
+    
+    declare "kubelet" {
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "job_label" {
+        comment = "The job label to add for all kubelet metric (default: integrations/kubernetes/kube-kubelet)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.kubelet.output
+      }
+    
+      // kubelet service discovery for all of the nodes
+      discovery.kubernetes "kubelet" {
+        role = "node"
+    
+        selectors {
+          role = "node"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, []), ",")
+        }
+      }
+    
+      // kubelet relabelings (pre-scrape)
+      discovery.relabel "kubelet" {
+        targets = discovery.kubernetes.kubelet.targets
+    
+        // set the address to use the kubernetes service dns name
+        rule {
+          target_label = "__address__"
+          replacement  = "kubernetes.default.svc.cluster.local:443"
+        }
+    
+        // set the metrics path to use the proxy path to the nodes kubelet metrics endpoint
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          regex = "(.+)"
+          replacement = "/api/v1/nodes/${1}/proxy/metrics"
+          target_label = "__metrics_path__"
+        }
+    
+        // set the node label
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          target_label  = "node"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_node_label_app_kubernetes_io_name",
+            "__meta_kubernetes_node_label_k8s_app",
+            "__meta_kubernetes_node_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+      // kubelet scrape job
+      prometheus.scrape "kubelet" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kubelet")
+        forward_to = [prometheus.relabel.kubelet.receiver]
+        targets = discovery.relabel.kubelet.output
+        scheme = "https"
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    
+        tls_config {
+          ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          insecure_skip_verify = false
+          server_name = "kubernetes"
+        }
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // kubelet metric relabelings (post-scrape)
+      prometheus.relabel "kubelet" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(.+)")
+          action = "keep"
+        }
+      }
+    }
+    
+    declare "apiserver" {
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      argument "namespaces" {
+        comment = "The namespaces to look for targets in (default: default)"
+        optional = true
+      }
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"metadata.name=kubernetes\"])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "port_name" {
+        comment = "The value of the label for the selector (default: https)"
+        optional = true
+      }
+      argument "job_label" {
+        comment = "The job label to add for all kube-apiserver metrics (default: integrations/kubernetes/kube-apiserver)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      // drop metrics and les from kube-prometheus
+      // https://github.com/prometheus-operator/kube-prometheus/blob/main/manifests/kubernetesControlPlane-serviceMonitorApiserver.yaml
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "drop_les" {
+        comment = "Regular expression of metric les label values to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.apiserver.output
+      }
+    
+      // kube-apiserver service discovery
+      discovery.kubernetes "apiserver" {
+        role = "service"
+    
+        selectors {
+          role = "service"
+          field = join(coalesce(argument.field_selectors.value, ["metadata.name=kubernetes"]), ",")
+          label = join(coalesce(argument.label_selectors.value, []), ",")
+        }
+    
+        namespaces {
+          names = coalesce(argument.namespaces.value, ["default"])
+        }
+      }
+    
+      // apiserver relabelings (pre-scrape)
+      discovery.relabel "apiserver" {
+        targets = discovery.kubernetes.apiserver.targets
+    
+        // only keep targets with a matching port name
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_name"]
+          regex = coalesce(argument.port_name.value, "https")
+          action = "keep"
+        }
+    
+        // set the namespace
+        rule {
+          action = "replace"
+          source_labels = ["__meta_kubernetes_namespace"]
+          target_label = "namespace"
+        }
+    
+        // set the service_name
+        rule {
+          action = "replace"
+          source_labels = ["__meta_kubernetes_service_name"]
+          target_label = "service"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_service_label_app_kubernetes_io_name",
+            "__meta_kubernetes_service_label_k8s_app",
+            "__meta_kubernetes_service_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+      // kube-apiserver scrape job
+      prometheus.scrape "apiserver" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kube-apiserver")
+        forward_to = [prometheus.relabel.apiserver.receiver]
+        targets = discovery.relabel.apiserver.output
+        scheme = "https"
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    
+        tls_config {
+          ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          insecure_skip_verify = false
+          server_name = "kubernetes"
+        }
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // apiserver metric relabelings (post-scrape)
+      prometheus.relabel "apiserver" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(((go|process)_.+)|kubelet_(pod_(worker|start)_latency_microseconds|cgroup_manager_latency_microseconds|pleg_relist_(latency|interval)_microseconds|runtime_operations(_latency_microseconds|_errors)?|eviction_stats_age_microseconds|device_plugin_(registration_count|alloc_latency_microseconds)|network_plugin_operations_latency_microseconds)|scheduler_(e2e_scheduling_latency_microseconds|scheduling_algorithm_(predicate|priority|preemption)_evaluation|scheduling_algorithm_latency_microseconds|binding_latency_microseconds|scheduling_latency_seconds)|apiserver_(request_(count|latencies(_summary)?)|dropped_requests|storage_(data_key_generation|transformation_(failures_total|latencies_microseconds))|proxy_tunnel_sync_latency_secs|longrunning_gauge|registered_watchers)|kubelet_docker_(operations(_latency_microseconds|_errors|_timeout)?)|reflector_(items_per_(list|watch)|list_duration_seconds|lists_total|short_watches_total|watch_duration_seconds|watches_total)|etcd_(helper_(cache_(hit|miss)_count|cache_entry_count|object_counts)|request_(cache_(get|add)_latencies_summary|latencies_summary)|debugging.*|disk.*|server.*)|transformation_(latencies_microseconds|failures_total)|(admission_quota_controller|APIServiceOpenAPIAggregationControllerQueue1|APIServiceRegistrationController|autoregister|AvailableConditionController|crd_(autoregistration_controller|Establishing|finalizer|naming_condition_controller|openapi_controller)|DiscoveryController|non_structural_schema_condition_controller|kubeproxy_sync_proxy_rules|rest_client_request_latency|storage_operation_(errors_total|status_count))(_.*)|apiserver_admission_(controller_admission|step_admission)_latencies_seconds_.*)")
+          action = "drop"
+        }
+    
+        // drop metrics whose name and le label match the drop_les regex
+        rule {
+          source_labels = [
+            "__name__",
+            "le",
+          ]
+          regex = coalesce(argument.drop_les.value, "apiserver_request_duration_seconds_bucket;(0.15|0.25|0.3|0.35|0.4|0.45|0.6|0.7|0.8|0.9|1.25|1.5|1.75|2.5|3|3.5|4.5|6|7|8|9|15|25|30|50)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(.+)")
+          action = "keep"
+        }
+      }
+    }
+    
+    declare "probes" {
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"metadata.name=kubernetes\"])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      argument "job_label" {
+        comment = "The job label to add for all probes metric (default: integrations/kubernetes/kube-probes)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.probes.output
+      }
+    
+      // probes service discovery for all of the nodes
+      discovery.kubernetes "probes" {
+        role = "node"
+    
+        selectors {
+          role = "node"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, []), ",")
+        }
+      }
+    
+      // probes relabelings (pre-scrape)
+      discovery.relabel "probes" {
+        targets = discovery.kubernetes.probes.targets
+    
+        // set the address to use the kubernetes service dns name
+        rule {
+          target_label = "__address__"
+          replacement  = "kubernetes.default.svc.cluster.local:443"
+        }
+    
+        // set the metrics path to use the proxy path to the nodes probes metrics endpoint
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          regex = "(.+)"
+          replacement = "/api/v1/nodes/${1}/proxy/metrics/probes"
+          target_label = "__metrics_path__"
+        }
+    
+        // set the node label
+        rule {
+          source_labels = ["__meta_kubernetes_node_name"]
+          target_label  = "node"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_node_label_app_kubernetes_io_name",
+            "__meta_kubernetes_node_label_k8s_app",
+            "__meta_kubernetes_node_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+       // probes scrape job
+      prometheus.scrape "probes" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kube-probes")
+        forward_to = [prometheus.relabel.probes.receiver]
+        targets = discovery.relabel.probes.output
+        scheme = "https"
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+        bearer_token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    
+        tls_config {
+          ca_file = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+          insecure_skip_verify = false
+          server_name = "kubernetes"
+        }
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // probes metric relabelings (post-scrape)
+      prometheus.relabel "probes" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(.+)")
+          action = "keep"
+        }
+      }
+    }
+    
+    declare "kube_dns" {
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+      // arguments for kubernetes discovery
+      argument "namespaces" {
+        comment = "The namespaces to look for targets in (default: [\"kube-system\"])"
+        optional = true
+      }
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"k8s-app=kube-dns\"])"
+        optional = true
+      }
+      argument "port_name" {
+        comment = "The of the port to scrape metrics from (default: metrics)"
+        optional = true
+      }
+      argument "job_label" {
+        comment = "The job label to add for all kube_dns metric (default: integrations/kubernetes/kube-dns)"
+        optional = true
+      }
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      export "output" {
+        value = discovery.relabel.kube_dns.output
+      }
+    
+      // kube_dns service discovery for all of the nodes
+      discovery.kubernetes "kube_dns" {
+        role = "endpoints"
+    
+        selectors {
+          role = "endpoints"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, ["k8s-app=kube-dns"]), ",")
+        }
+    
+        namespaces {
+          names = coalesce(argument.namespaces.value, ["kube-system"])
+        }
+      }
+    
+      // kube_dns relabelings (pre-scrape)
+      discovery.relabel "kube_dns" {
+        targets = discovery.kubernetes.kube_dns.targets
+    
+        // keep only the specified metrics port name, and pods that are Running and ready
+        rule {
+          source_labels = [
+            "__meta_kubernetes_pod_container_port_name",
+            "__meta_kubernetes_pod_phase",
+            "__meta_kubernetes_pod_ready",
+          ]
+          separator = "@"
+          regex = coalesce(argument.port_name.value, "metrics") + "@Running@true"
+          action = "keep"
+        }
+    
+        // drop any init containers
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_init"]
+          regex = "true"
+          action = "drop"
+        }
+    
+        // set the namespace label
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          target_label  = "namespace"
+        }
+    
+        // set the pod label
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          target_label  = "pod"
+        }
+    
+        // set the container label
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          target_label  = "container"
+        }
+    
+        // set a workload label
+        rule {
+          source_labels = [
+            "__meta_kubernetes_pod_controller_kind",
+            "__meta_kubernetes_pod_controller_name",
+          ]
+          separator = "/"
+          target_label  = "workload"
+        }
+        // remove the hash from the ReplicaSet
+        rule {
+          source_labels = ["workload"]
+          regex = "(ReplicaSet/.+)-.+"
+          target_label  = "workload"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_pod_label_app_kubernetes_io_name",
+            "__meta_kubernetes_pod_label_k8s_app",
+            "__meta_kubernetes_pod_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set the service label
+        rule {
+          source_labels = ["__meta_kubernetes_service_name"]
+          target_label  = "service"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+       // kube_dns scrape job
+      prometheus.scrape "kube_dns" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kube-dns")
+        forward_to = [prometheus.relabel.kube_dns.receiver]
+        targets = discovery.relabel.kube_dns.output
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // kube_dns metric relabelings (post-scrape)
+      prometheus.relabel "kube_dns" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process|promhttp)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(.+)")
+          action = "keep"
+        }
+      }
+    }
+    
+  kube-state-metrics_metrics.alloy: |
+    /*
+    Module: job-kube-state-metrics
+    Description: Scrapes Kube-State-Metrics, this is a separate scrape job, if you are also using annotation based scraping, you will want to explicitly
+                 disable kube-state-metrics from being scraped by this module and annotations by setting the following annotation on the kube-state-metrics
+                 metrics.agent.grafana.com/scrape: "false"
+    
+    Note: Every argument except for "forward_to" is optional, and does have a defined default value.  However, the values for these
+          arguments are not defined using the default = " ... " argument syntax, but rather using the coalesce(argument.value, " ... ").
+          This is because if the argument passed in from another consuming module is set to null, the default = " ... " syntax will
+          does not override the value passed in, where coalesce() will return the first non-null value.
+    */
+    declare "kubernetes" {
+      // arguments for kubernetes discovery
+      argument "namespaces" {
+        comment = "The namespaces to look for targets in (default: [] is all namespaces)"
+        optional = true
+      }
+    
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+    
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"app.kubernetes.io/name=kube-state-metrics\"])"
+        optional = true
+      }
+    
+      argument "port_name" {
+        comment = "The of the port to scrape metrics from (default: http)"
+        optional = true
+      }
+    
+      // kube state metrics service discovery for all of the pods
+      discovery.kubernetes "ksm" {
+        role = "service"
+    
+        selectors {
+          role = "service"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, ["app.kubernetes.io/name=kube-state-metrics"]), ",")
+        }
+    
+        namespaces {
+          names = coalesce(argument.namespaces.value, [])
+        }
+      }
+    
+      // kube-state-metrics relabelings (pre-scrape)
+      discovery.relabel "ksm" {
+        targets = discovery.kubernetes.ksm.targets
+    
+        // only keep targets with a matching port name
+        rule {
+          source_labels = ["__meta_kubernetes_service_port_name"]
+          regex = coalesce(argument.port_name.value, "http")
+          action = "keep"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+      export "output" {
+        value = discovery.relabel.ksm.output
+      }
+    }
+    
+    declare "scrape" {
+      argument "targets" {
+        comment = "Must be a list() of targets"
+      }
+    
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+    
+      argument "job_label" {
+        comment = "The job label to add for all kube-kube_state_metrics metrics (default: integrations/kubernetes/kube-state-metrics)"
+        optional = true
+      }
+    
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+    
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+    
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+    
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+    
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+    
+      argument "clustering" {
+        // Docs: https://grafana.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      // kube-state-metrics scrape job
+      prometheus.scrape "kube_state_metrics" {
+        job_name = coalesce(argument.job_label.value, "integrations/kubernetes/kube-state-metrics")
+        forward_to = [prometheus.relabel.kube_state_metrics.receiver]
+        targets = argument.targets.value
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // kube_state_metrics metric relabelings (post-scrape)
+      prometheus.relabel "kube_state_metrics" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go|process)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(up|kube_(daemonset.*|deployment_(metadata_generation|spec_replicas|status_(observed_generation|replicas_(available|updated)))|horizontalpodautoscaler_(spec_(max|min)_replicas|status_(current|desired)_replicas)|job.*|namespace_status_phase|node.*|persistentvolumeclaim_resource_requests_storage_bytes|pod_(container_(info|resource_(limits|requests)|status_(last_terminated_reason|restarts_total|waiting_reason))|info|owner|start_time|status_(phase|reason))|replicaset.*|resourcequota|statefulset.*))")
+          action = "keep"
+        }
+      }
+    }
+---
+# Source: k8s-monitoring/templates/alloy-modules-configmaps.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k8smon-alloy-module-system
+data:
+  node-exporter_metrics.alloy: |
+    /*
+    Module: job-node_exporter
+    Description: Scrapes node_exporter
+    
+    Note: Every argument except for "forward_to" is optional, and does have a defined default value.  However, the values for these
+          arguments are not defined using the default = " ... " argument syntax, but rather using the coalesce(argument.value, " ... ").
+          This is because if the argument passed in from another consuming module is set to null, the default = " ... " syntax will
+          does not override the value passed in, where coalesce() will return the first non-null value.
+    */
+    declare "kubernetes" {
+      // arguments for kubernetes discovery
+      argument "namespaces" {
+        comment = "The namespaces to look for targets in (default: [] is all namespaces)"
+        optional = true
+      }
+    
+      argument "field_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [])"
+        optional = true
+      }
+    
+      argument "label_selectors" {
+        // Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+        comment = "The label selectors to use to find matching targets (default: [\"app.kubernetes.io/name=prometheus-node-exporter\"])"
+        optional = true
+      }
+    
+      argument "port_name" {
+        comment = "The of the port to scrape metrics from (default: metrics)"
+        optional = true
+      }
+    
+      // node_exporter service discovery for all of the pods
+      discovery.kubernetes "node_exporter" {
+        role = "pod"
+    
+        selectors {
+          role = "pod"
+          field = join(coalesce(argument.field_selectors.value, []), ",")
+          label = join(coalesce(argument.label_selectors.value, ["app.kubernetes.io/name=prometheus-node-exporter"]), ",")
+        }
+    
+        namespaces {
+          names = coalesce(argument.namespaces.value, [])
+        }
+      }
+    
+      // node_exporter relabelings (pre-scrape)
+      discovery.relabel "kubernetes" {
+        targets = discovery.kubernetes.node_exporter.targets
+    
+        // keep only the specified metrics port name, and pods that are Running and ready
+        rule {
+          source_labels = [
+            "__meta_kubernetes_pod_container_port_name",
+            "__meta_kubernetes_pod_phase",
+            "__meta_kubernetes_pod_ready",
+          ]
+          separator = "@"
+          regex = coalesce(argument.port_name.value, "metrics") + "@Running@true"
+          action = "keep"
+        }
+    
+        // drop any init containers
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_init"]
+          regex = "true"
+          action = "drop"
+        }
+    
+        // set the namespace label
+        rule {
+          source_labels = ["__meta_kubernetes_namespace"]
+          target_label  = "namespace"
+        }
+    
+        // set the pod label
+        rule {
+          source_labels = ["__meta_kubernetes_pod_name"]
+          target_label  = "pod"
+        }
+    
+        // set the container label
+        rule {
+          source_labels = ["__meta_kubernetes_pod_container_name"]
+          target_label  = "container"
+        }
+    
+        // set a workload label
+        rule {
+          source_labels = [
+            "__meta_kubernetes_pod_controller_kind",
+            "__meta_kubernetes_pod_controller_name",
+          ]
+          separator = "/"
+          target_label  = "workload"
+        }
+        // remove the hash from the ReplicaSet
+        rule {
+          source_labels = ["workload"]
+          regex = "(ReplicaSet/.+)-.+"
+          target_label  = "workload"
+        }
+    
+        // set the app name if specified as metadata labels "app:" or "app.kubernetes.io/name:" or "k8s-app:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_pod_label_app_kubernetes_io_name",
+            "__meta_kubernetes_pod_label_k8s_app",
+            "__meta_kubernetes_pod_label_app",
+          ]
+          separator = ";"
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "app"
+        }
+    
+        // set the component if specified as metadata labels "component:" or "app.kubernetes.io/component:" or "k8s-component:"
+        rule {
+          action = "replace"
+          source_labels = [
+            "__meta_kubernetes_pod_label_app_kubernetes_io_component",
+            "__meta_kubernetes_pod_label_k8s_component",
+            "__meta_kubernetes_pod_label_component",
+          ]
+          regex = "^(?:;*)?([^;]+).*$"
+          replacement = "$1"
+          target_label = "component"
+        }
+    
+        // set a source label
+        rule {
+          action = "replace"
+          replacement = "kubernetes"
+          target_label = "source"
+        }
+      }
+    
+      export "output" {
+        value = discovery.relabel.kubernetes.output
+      }
+    }
+    
+    declare "local" {
+      argument "port" {
+        comment = "The port to use (default: 9100)"
+        optional = true
+      }
+    
+      // arguments for local (static)
+      discovery.relabel "local" {
+        targets = [
+          {
+            "__address__" = "localhost" + format("%s", coalesce(argument.port.value, "9100")),
+            "source" = "local",
+          },
+        ]
+      }
+    
+      export "output" {
+        value = discovery.relabel.local.output
+      }
+    }
+    
+    declare "scrape" {
+      argument "targets" {
+        comment = "Must be a list() of targets"
+      }
+    
+      argument "forward_to" {
+        comment = "Must be a list(MetricsReceiver) where collected logs should be forwarded to"
+      }
+    
+      argument "job_label" {
+        comment = "The job label to add for all node_exporter metric (default: integrations/node_exporter)"
+        optional = true
+      }
+    
+      argument "keep_metrics" {
+        comment = "A regular expression of metrics to keep (default: see below)"
+        optional = true
+      }
+    
+      argument "drop_metrics" {
+        comment = "A regular expression of metrics to drop (default: see below)"
+        optional = true
+      }
+    
+      argument "scrape_interval" {
+        comment = "How often to scrape metrics from the targets (default: 60s)"
+        optional = true
+      }
+    
+      argument "scrape_timeout" {
+        comment = "How long before a scrape times out (default: 10s)"
+        optional = true
+      }
+    
+      argument "max_cache_size" {
+        comment = "The maximum number of elements to hold in the relabeling cache (default: 100000).  This should be at least 2x-5x your largest scrape target or samples appended rate."
+        optional = true
+      }
+    
+      argument "clustering" {
+        // Docs: https://node_exporter.com/docs/agent/latest/flow/concepts/clustering/
+        comment = "Whether or not clustering should be enabled (default: false)"
+        optional = true
+      }
+    
+      // node_exporter scrape job
+      prometheus.scrape "node_exporter" {
+        job_name = coalesce(argument.job_label.value, "integrations/node_exporter")
+        forward_to = [prometheus.relabel.node_exporter.receiver]
+        targets = argument.targets.value
+        scrape_interval = coalesce(argument.scrape_interval.value, "60s")
+        scrape_timeout = coalesce(argument.scrape_timeout.value, "10s")
+    
+        clustering {
+          enabled = coalesce(argument.clustering.value, false)
+        }
+      }
+    
+      // node_exporter metric relabelings (post-scrape)
+      prometheus.relabel "node_exporter" {
+        forward_to = argument.forward_to.value
+        max_cache_size = coalesce(argument.max_cache_size.value, 100000)
+    
+        // drop metrics that match the drop_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.drop_metrics.value, "(^(go)_.+$)")
+          action = "drop"
+        }
+    
+        // keep only metrics that match the keep_metrics regex
+        rule {
+          source_labels = ["__name__"]
+          regex = coalesce(argument.keep_metrics.value, "(up|scrape_(duration_seconds|series_added|samples_(post_metric_relabeling|scraped))|node_(arp_entries|boot_time_seconds|context_switches_total|cpu_seconds_total|disk_(io_time_seconds_total|io_time_weighted_seconds_total|read_(bytes_total|time_seconds_total)|reads_completed_total|write_time_seconds_total|writes_completed_total|written_bytes_total)|file(fd_(allocated|maximum)|system_(avail_bytes|device_error|files(_free)?|readonly|size_bytes))|intr_total|load(1|15|5)|md_disks(_required)?|memory_(Active_(anon_bytes|bytes|file_bytes)|Anon(HugePages_bytes|Pages_bytes)|Bounce_bytes|Buffers_bytes|Cached_bytes|CommitLimit_bytes|Committed_AS_bytes|DirectMap(1G|2M|4k)_bytes|Dirty_bytes|HugePages_(Free|Rsvd|Surp|Total)|Hugepagesize_bytes|Inactive_(anon_bytes|bytes|file_bytes)|Mapped_bytes|Mem(Available|Free|Total)_bytes|S(Reclaimable|Unreclaim)_bytes|Shmem(HugePages_bytes|PmdMapped_bytes|_bytes)|Slab_bytes|SwapTotal_bytes|Vmalloc(Chunk|Total|Used)_bytes|Writeback(Tmp|)_bytes)|netstat_(Icmp6_(InErrors|InMsgs|OutMsgs)|Icmp_(InErrors|InMsgs|OutMsgs)|IpExt_(InOctets|OutOctets)|TcpExt_(Listen(Drops|Overflows)|TCPSynRetrans)|Tcp_(InErrs|InSegs|OutRsts|OutSegs|RetransSegs)|Udp6_(InDatagrams|InErrors|NoPorts|OutDatagrams|RcvbufErrors|SndbufErrors)|Udp(Lite|)_(InDatagrams|InErrors|NoPorts|OutDatagrams|RcvbufErrors|SndbufErrors))|network_(carrier|info|mtu_bytes|receive_(bytes_total|compressed_total|drop_total|errs_total|fifo_total|multicast_total|packets_total)|speed_bytes|transmit_(bytes_total|compressed_total|drop_total|errs_total|fifo_total|multicast_total|packets_total|queue_length)|up)|nf_conntrack_(entries(_limit)?|limit)|os_info|sockstat_(FRAG6|FRAG|RAW6|RAW|TCP6|TCP_(alloc|inuse|mem(_bytes)?|orphan|tw)|UDP6|UDPLITE6|UDPLITE|UDP_(inuse|mem(_bytes)?)|sockets_used)|softnet_(dropped_total|processed_total|times_squeezed_total)|systemd_unit_state|textfile_scrape_error|time_zone_offset_seconds|timex_(estimated_error_seconds|maxerror_seconds|offset_seconds|sync_status)|uname_info|vmstat_(oom_kill|pgfault|pgmajfault|pgpgin|pgpgout|pswpin|pswpout)|process_(max_fds|open_fds)))")
+          action = "keep"
+        }
+    
+        // Drop metrics for certain file systems
+        rule {
+          source_labels = ["__name__", "fstype"]
+          separator = "@"
+          regex = "node_filesystem.*@(tempfs)"
+          action = "drop"
+        }
+      }
+    }
+---
+# Source: k8s-monitoring/charts/alloy-logs/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8smon-alloy-logs
+  labels:
+    helm.sh/chart: alloy-logs-0.10.1
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+rules:
+  # Rules which allow discovery.kubernetes to function.
+  - apiGroups:
+      - ""
+      - "discovery.k8s.io"
+      - "networking.k8s.io"
+    resources:
+      - endpoints
+      - endpointslices
+      - ingresses
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - pods
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "monitoring.grafana.com"
+    resources:
+      - podlogs
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow mimir.rules.kubernetes to work.
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - prometheusrules
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get
+  # Rules for prometheus.kubernetes.*
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - podmonitors
+      - servicemonitors
+      - probes
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow eventhandler to work.
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for remote.kubernetes.*
+  - apiGroups: [""]
+    resources:
+      - "configmaps"
+      - "secrets"
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for otelcol.processor.k8sattributes
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8smon-alloy-metrics
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+rules:
+  # Rules which allow discovery.kubernetes to function.
+  - apiGroups:
+      - ""
+      - "discovery.k8s.io"
+      - "networking.k8s.io"
+    resources:
+      - endpoints
+      - endpointslices
+      - ingresses
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - pods
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "monitoring.grafana.com"
+    resources:
+      - podlogs
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow mimir.rules.kubernetes to work.
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - prometheusrules
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get
+  # Rules for prometheus.kubernetes.*
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - podmonitors
+      - servicemonitors
+      - probes
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow eventhandler to work.
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for remote.kubernetes.*
+  - apiGroups: [""]
+    resources:
+      - "configmaps"
+      - "secrets"
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for otelcol.processor.k8sattributes
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: k8s-monitoring/charts/alloy-singleton/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8smon-alloy-singleton
+  labels:
+    helm.sh/chart: alloy-singleton-0.10.1
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+rules:
+  # Rules which allow discovery.kubernetes to function.
+  - apiGroups:
+      - ""
+      - "discovery.k8s.io"
+      - "networking.k8s.io"
+    resources:
+      - endpoints
+      - endpointslices
+      - ingresses
+      - nodes
+      - nodes/proxy
+      - nodes/metrics
+      - pods
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "monitoring.grafana.com"
+    resources:
+      - podlogs
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow mimir.rules.kubernetes to work.
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - prometheusrules
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get
+  # Rules for prometheus.kubernetes.*
+  - apiGroups: ["monitoring.coreos.com"]
+    resources:
+      - podmonitors
+      - servicemonitors
+      - probes
+    verbs:
+      - get
+      - list
+      - watch
+  # Rules which allow eventhandler to work.
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for remote.kubernetes.*
+  - apiGroups: [""]
+    resources:
+      - "configmaps"
+      - "secrets"
+    verbs:
+      - get
+      - list
+      - watch
+  # needed for otelcol.processor.k8sattributes
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/kube-state-metrics/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:    
+    helm.sh/chart: kube-state-metrics-5.27.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "2.14.0"
+    release: k8smon
+  name: k8smon-kube-state-metrics
+rules:
+
+- apiGroups: ["certificates.k8s.io"]
+  resources:
+  - certificatesigningrequests
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["list", "watch"]
+
+- apiGroups: ["batch"]
+  resources:
+  - cronjobs
+  verbs: ["list", "watch"]
+
+- apiGroups: ["extensions", "apps"]
+  resources:
+  - daemonsets
+  verbs: ["list", "watch"]
+
+- apiGroups: ["extensions", "apps"]
+  resources:
+  - deployments
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["list", "watch"]
+
+- apiGroups: ["autoscaling"]
+  resources:
+  - horizontalpodautoscalers
+  verbs: ["list", "watch"]
+
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources:
+  - ingresses
+  verbs: ["list", "watch"]
+
+- apiGroups: ["batch"]
+  resources:
+  - jobs
+  verbs: ["list", "watch"]
+
+- apiGroups: ["coordination.k8s.io"]
+  resources:
+  - leases
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - limitranges
+  verbs: ["list", "watch"]
+
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources:
+    - mutatingwebhookconfigurations
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - namespaces
+  verbs: ["list", "watch"]
+
+- apiGroups: ["networking.k8s.io"]
+  resources:
+  - networkpolicies
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - persistentvolumeclaims
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - persistentvolumes
+  verbs: ["list", "watch"]
+
+- apiGroups: ["policy"]
+  resources:
+    - poddisruptionbudgets
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "watch"]
+
+- apiGroups: ["extensions", "apps"]
+  resources:
+  - replicasets
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - replicationcontrollers
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - resourcequotas
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs: ["list", "watch"]
+
+- apiGroups: [""]
+  resources:
+  - services
+  verbs: ["list", "watch"]
+
+- apiGroups: ["apps"]
+  resources:
+  - statefulsets
+  verbs: ["list", "watch"]
+
+- apiGroups: ["storage.k8s.io"]
+  resources:
+    - storageclasses
+  verbs: ["list", "watch"]
+
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources:
+    - validatingwebhookconfigurations
+  verbs: ["list", "watch"]
+
+- apiGroups: ["storage.k8s.io"]
+  resources:
+    - volumeattachments
+  verbs: ["list", "watch"]
+---
+# Source: k8s-monitoring/charts/alloy-logs/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8smon-alloy-logs
+  labels:
+    helm.sh/chart: alloy-logs-0.10.1
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8smon-alloy-logs
+subjects:
+  - kind: ServiceAccount
+    name: k8smon-alloy-logs
+    namespace: default
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8smon-alloy-metrics
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8smon-alloy-metrics
+subjects:
+  - kind: ServiceAccount
+    name: k8smon-alloy-metrics
+    namespace: default
+---
+# Source: k8s-monitoring/charts/alloy-singleton/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8smon-alloy-singleton
+  labels:
+    helm.sh/chart: alloy-singleton-0.10.1
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8smon-alloy-singleton
+subjects:
+  - kind: ServiceAccount
+    name: k8smon-alloy-singleton
+    namespace: default
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/kube-state-metrics/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:    
+    helm.sh/chart: kube-state-metrics-5.27.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "2.14.0"
+    release: k8smon
+  name: k8smon-kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8smon-kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: k8smon-kube-state-metrics
+  namespace: default
+---
+# Source: k8s-monitoring/charts/alloy-logs/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-alloy-logs
+  labels:
+    helm.sh/chart: alloy-logs-0.10.1
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: networking
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+  internalTrafficPolicy: Cluster
+  ports:
+    - name: http-metrics
+      port: 12345
+      targetPort: 12345
+      protocol: "TCP"
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/cluster_service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-alloy-metrics-cluster
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: networking
+spec:
+  type: ClusterIP
+  clusterIP: 'None'
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+  ports:
+    # Do not include the -metrics suffix in the port name, otherwise metrics
+    # can be double-collected with the non-headless Service if it's also
+    # enabled.
+    #
+    # This service should only be used for clustering, and not metric
+    # collection.
+    - name: http
+      port: 12345
+      targetPort: 12345
+      protocol: "TCP"
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-alloy-metrics
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: networking
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+  internalTrafficPolicy: Cluster
+  ports:
+    - name: http-metrics
+      port: 12345
+      targetPort: 12345
+      protocol: "TCP"
+---
+# Source: k8s-monitoring/charts/alloy-singleton/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-alloy-singleton
+  labels:
+    helm.sh/chart: alloy-singleton-0.10.1
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+    app.kubernetes.io/component: networking
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+  internalTrafficPolicy: Cluster
+  ports:
+    - name: http-metrics
+      port: 12345
+      targetPort: 12345
+      protocol: "TCP"
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/kube-state-metrics/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-kube-state-metrics
+  namespace: default
+  labels:    
+    helm.sh/chart: kube-state-metrics-5.27.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "2.14.0"
+    release: k8smon
+  annotations:
+spec:
+  type: "ClusterIP"
+  ports:
+  - name: "http"
+    protocol: TCP
+    port: 8080
+    targetPort: 8080
+  
+  selector:    
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/node-exporter/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-node-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: node-exporter-4.43.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: node-exporter
+    app.kubernetes.io/name: node-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "1.8.2"
+    release: k8smon
+  annotations:
+    prometheus.io/scrape: "true"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9100
+      targetPort: 9100
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: node-exporter
+    app.kubernetes.io/instance: k8smon
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/windows-exporter/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8smon-windows-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: windows-exporter-0.7.1
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: windows-exporter
+    app.kubernetes.io/name: windows-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "0.29.2"
+    release: k8smon
+  annotations:
+    prometheus.io/scrape: "true"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9182
+      targetPort: metrics
+      protocol: TCP
+      appProtocol: http
+      name: metrics
+  selector:
+    app.kubernetes.io/name: windows-exporter
+    app.kubernetes.io/instance: k8smon
+---
+# Source: k8s-monitoring/charts/alloy-logs/templates/controllers/daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: k8smon-alloy-logs
+  labels:
+    helm.sh/chart: alloy-logs-0.10.1
+    app.kubernetes.io/name: alloy-logs
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+spec:
+  minReadySeconds: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: alloy-logs
+      app.kubernetes.io/instance: k8smon
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: alloy
+      labels:
+        app.kubernetes.io/name: alloy-logs
+        app.kubernetes.io/instance: k8smon
+    spec:
+      serviceAccountName: k8smon-alloy-logs
+      containers:
+        - name: alloy
+          image: docker.io/grafana/alloy:v1.5.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - run
+            - /etc/alloy/config.alloy
+            - --storage.path=/tmp/alloy
+            - --server.http.listen-addr=0.0.0.0:12345
+            - --server.http.ui-path-prefix=/
+            - --stability.level=generally-available
+          env:
+            - name: ALLOY_DEPLOY_MODE
+              value: "helm"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 12345
+              name: http-metrics
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: 12345
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - CHOWN
+              - DAC_OVERRIDE
+              - FOWNER
+              - FSETID
+              - KILL
+              - SETGID
+              - SETUID
+              - SETPCAP
+              - NET_BIND_SERVICE
+              - NET_RAW
+              - SYS_CHROOT
+              - MKNOD
+              - AUDIT_WRITE
+              - SETFCAP
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+            - name: dockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+        - name: config-reloader
+          image: ghcr.io/jimmidyson/configmap-reload:v0.12.0
+          args:
+            - --volume-dir=/etc/alloy
+            - --webhook-url=http://localhost:12345/-/reload
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+          resources:
+            requests:
+              cpu: 1m
+              memory: 5Mi
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+        - name: config
+          configMap:
+            name: k8smon-alloy-logs
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: dockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/node-exporter/templates/daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: k8smon-node-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: node-exporter-4.43.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: node-exporter
+    app.kubernetes.io/name: node-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "1.8.2"
+    release: k8smon
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: node-exporter
+      app.kubernetes.io/instance: k8smon
+  revisionHistoryLimit: 10
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+        k8s.grafana.com/logs.job: integrations/node_exporter
+      labels:
+        helm.sh/chart: node-exporter-4.43.0
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: metrics
+        app.kubernetes.io/part-of: node-exporter
+        app.kubernetes.io/name: node-exporter
+        app.kubernetes.io/instance: k8smon
+        app.kubernetes.io/version: "1.8.2"
+        release: k8smon
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: k8smon-node-exporter
+      containers:
+        - name: node-exporter
+          image: quay.io/prometheus/node-exporter:v1.8.2
+          imagePullPolicy: IfNotPresent
+          args:
+            - --path.procfs=/host/proc
+            - --path.sysfs=/host/sys
+            - --path.rootfs=/host/root
+            - --path.udev.data=/host/root/run/udev/data
+            - --web.listen-address=[$(HOST_IP)]:9100
+          securityContext:
+            readOnlyRootFilesystem: true
+          env:
+            - name: HOST_IP
+              value: 0.0.0.0
+          ports:
+            - name: metrics
+              containerPort: 9100
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+              path: /
+              port: 9100
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+              path: /
+              port: 9100
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: proc
+              mountPath: /host/proc
+              readOnly:  true
+            - name: sys
+              mountPath: /host/sys
+              readOnly: true
+            - name: root
+              mountPath: /host/root
+              mountPropagation: HostToContainer
+              readOnly: true
+      hostNetwork: true
+      hostPID: true
+      hostIPC: false
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: eks.amazonaws.com/compute-type
+                operator: NotIn
+                values:
+                - fargate
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - name: proc
+          hostPath:
+            path: /proc
+        - name: sys
+          hostPath:
+            path: /sys
+        - name: root
+          hostPath:
+            path: /
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/windows-exporter/templates/daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: k8smon-windows-exporter
+  namespace: default
+  labels:
+    helm.sh/chart: windows-exporter-0.7.1
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: windows-exporter
+    app.kubernetes.io/name: windows-exporter
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "0.29.2"
+    release: k8smon
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: windows-exporter
+      app.kubernetes.io/instance: k8smon
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+        k8s.grafana.com/logs.job: integrations/windows_exporter
+      labels:
+        helm.sh/chart: windows-exporter-0.7.1
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: metrics
+        app.kubernetes.io/part-of: windows-exporter
+        app.kubernetes.io/name: windows-exporter
+        app.kubernetes.io/instance: k8smon
+        app.kubernetes.io/version: "0.29.2"
+        release: k8smon
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        windowsOptions:
+          hostProcess: true
+          runAsUserName: NT AUTHORITY\system
+      initContainers:
+        - name: configure-firewall
+          image: ghcr.io/prometheus-community/windows-exporter:0.29.2
+          command: [ "powershell" ]
+          args: [ "New-NetFirewallRule", "-DisplayName", "'windows-exporter'", "-Direction", "inbound", "-Profile", "Any", "-Action", "Allow", "-LocalPort", "9182", "-Protocol", "TCP" ]
+      serviceAccountName: k8smon-windows-exporter
+      containers:
+        - name: windows-exporter
+          image: ghcr.io/prometheus-community/windows-exporter:0.29.2
+          imagePullPolicy: IfNotPresent
+          args:
+            - --config.file=%CONTAINER_SANDBOX_MOUNT_POINT%/config.yml
+            - --collector.textfile.directories=%CONTAINER_SANDBOX_MOUNT_POINT%
+            - --web.listen-address=:9182
+          env:
+          ports:
+            - name: metrics
+              containerPort: 9182
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+              path: /health
+              port: 9182
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+              path: /health
+              port: 9182
+              scheme: HTTP
+            initialDelaySeconds: 0
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: config
+              mountPath: /config.yml
+              subPath: config.yml
+      hostNetwork: true
+      hostPID: true
+      nodeSelector:
+        kubernetes.io/os: windows
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - name: config
+          configMap:
+            name: k8smon-windows-exporter
+---
+# Source: k8s-monitoring/charts/alloy-singleton/templates/controllers/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8smon-alloy-singleton
+  labels:
+    helm.sh/chart: alloy-singleton-0.10.1
+    app.kubernetes.io/name: alloy-singleton
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+spec:
+  replicas: 1
+  minReadySeconds: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: alloy-singleton
+      app.kubernetes.io/instance: k8smon
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: alloy
+        k8s.grafana.com/logs.job: integrations/alloy
+      labels:
+        app.kubernetes.io/name: alloy-singleton
+        app.kubernetes.io/instance: k8smon
+    spec:
+      serviceAccountName: k8smon-alloy-singleton
+      containers:
+        - name: alloy
+          image: docker.io/grafana/alloy:v1.5.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - run
+            - /etc/alloy/config.alloy
+            - --storage.path=/tmp/alloy
+            - --server.http.listen-addr=0.0.0.0:12345
+            - --server.http.ui-path-prefix=/
+            - --stability.level=generally-available
+          env:
+            - name: ALLOY_DEPLOY_MODE
+              value: "helm"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 12345
+              name: http-metrics
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: 12345
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - CHOWN
+              - DAC_OVERRIDE
+              - FOWNER
+              - FSETID
+              - KILL
+              - SETGID
+              - SETUID
+              - SETPCAP
+              - NET_BIND_SERVICE
+              - NET_RAW
+              - SYS_CHROOT
+              - MKNOD
+              - AUDIT_WRITE
+              - SETFCAP
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+        - name: config-reloader
+          image: ghcr.io/jimmidyson/configmap-reload:v0.12.0
+          args:
+            - --volume-dir=/etc/alloy
+            - --webhook-url=http://localhost:12345/-/reload
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+          resources:
+            requests:
+              cpu: 1m
+              memory: 5Mi
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+        - name: config
+          configMap:
+            name: k8smon-alloy-singleton
+---
+# Source: k8s-monitoring/charts/clusterMetrics/charts/kube-state-metrics/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8smon-kube-state-metrics
+  namespace: default
+  labels:    
+    helm.sh/chart: kube-state-metrics-5.27.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: kube-state-metrics
+    app.kubernetes.io/name: kube-state-metrics
+    app.kubernetes.io/instance: k8smon
+    app.kubernetes.io/version: "2.14.0"
+    release: k8smon
+spec:
+  selector:
+    matchLabels:      
+      app.kubernetes.io/name: kube-state-metrics
+      app.kubernetes.io/instance: k8smon
+  replicas: 1
+  strategy:
+    type: Recreate
+  revisionHistoryLimit: 10
+  template:
+    metadata:
+      labels:        
+        helm.sh/chart: kube-state-metrics-5.27.0
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: metrics
+        app.kubernetes.io/part-of: kube-state-metrics
+        app.kubernetes.io/name: kube-state-metrics
+        app.kubernetes.io/instance: k8smon
+        app.kubernetes.io/version: "2.14.0"
+        release: k8smon
+    spec:
+      automountServiceAccountToken: true
+      hostNetwork: false
+      serviceAccountName: k8smon-kube-state-metrics
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: kube-state-metrics
+        args:
+        - --port=8080
+        - --resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments
+        - --metric-labels-allowlist=nodes=[agentpool,alpha.eksctl.io/cluster-name,alpha.eksctl.io/nodegroup-name,beta.kubernetes.io/instance-type,cloud.google.com/gke-nodepool,cluster_name,ec2_amazonaws_com_Name,ec2_amazonaws_com_aws_autoscaling_groupName,ec2_amazonaws_com_aws_autoscaling_group_name,ec2_amazonaws_com_name,eks_amazonaws_com_nodegroup,k8s_io_cloud_provider_aws,karpenter.sh/nodepool,kubernetes.azure.com/cluster,kubernetes.io/arch,kubernetes.io/hostname,kubernetes.io/os,node.kubernetes.io/instance-type,topology.kubernetes.io/region,topology.kubernetes.io/zone]
+        imagePullPolicy: IfNotPresent
+        image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.14.0
+        ports:
+        - containerPort: 8080
+          name: "http"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            httpHeaders:
+            path: /livez
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            httpHeaders:
+            path: /readyz
+            port: 8081
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        resources:
+          {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+# Source: k8s-monitoring/charts/alloy-metrics/templates/controllers/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: k8smon-alloy-metrics
+  labels:
+    helm.sh/chart: alloy-metrics-0.10.1
+    app.kubernetes.io/name: alloy-metrics
+    app.kubernetes.io/instance: k8smon
+    
+    app.kubernetes.io/version: "v1.5.1"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: alloy
+spec:
+  replicas: 1
+  podManagementPolicy: Parallel
+  minReadySeconds: 10
+  serviceName: k8smon-alloy-metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: alloy-metrics
+      app.kubernetes.io/instance: k8smon
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: alloy
+        k8s.grafana.com/logs.job: integrations/alloy
+      labels:
+        app.kubernetes.io/name: alloy-metrics
+        app.kubernetes.io/instance: k8smon
+    spec:
+      serviceAccountName: k8smon-alloy-metrics
+      containers:
+        - name: alloy
+          image: docker.io/grafana/alloy:v1.5.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - run
+            - /etc/alloy/config.alloy
+            - --storage.path=/tmp/alloy
+            - --server.http.listen-addr=0.0.0.0:12345
+            - --server.http.ui-path-prefix=/
+            - --cluster.enabled=true
+            - --cluster.join-addresses=k8smon-alloy-metrics-cluster
+            - --cluster.name=alloy-metrics
+            - --stability.level=generally-available
+          env:
+            - name: ALLOY_DEPLOY_MODE
+              value: "helm"
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 12345
+              name: http-metrics
+          readinessProbe:
+            httpGet:
+              path: /-/ready
+              port: 12345
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - CHOWN
+              - DAC_OVERRIDE
+              - FOWNER
+              - FSETID
+              - KILL
+              - SETGID
+              - SETUID
+              - SETPCAP
+              - NET_BIND_SERVICE
+              - NET_RAW
+              - SYS_CHROOT
+              - MKNOD
+              - AUDIT_WRITE
+              - SETFCAP
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+        - name: config-reloader
+          image: ghcr.io/jimmidyson/configmap-reload:v0.12.0
+          args:
+            - --volume-dir=/etc/alloy
+            - --webhook-url=http://localhost:12345/-/reload
+          volumeMounts:
+            - name: config
+              mountPath: /etc/alloy
+          resources:
+            requests:
+              cpu: 1m
+              memory: 5Mi
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        kubernetes.io/os: linux
+      volumes:
+        - name: config
+          configMap:
+            name: k8smon-alloy-metrics
diff --git a/charts/k8s-monitoring/docs/examples/auth/oauth2/values.yaml b/charts/k8s-monitoring/docs/examples/auth/oauth2/values.yaml
new file mode 100644
index 000000000..5ded956af
--- /dev/null
+++ b/charts/k8s-monitoring/docs/examples/auth/oauth2/values.yaml
@@ -0,0 +1,44 @@
+cluster:
+  name: oauth2-auth-example
+
+destinations:
+  - name: otel-endpoint
+    type: otlp
+    url: "grpc.my.otel.endpoint:443"
+    auth:
+      type: oauth2
+      oauth2:
+        tokenURL: "https://my.idp/application/o/token/"
+        clientId: "my-client-id"
+        clientSecretFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+        endpointParams:
+          grant_type: ["client_credentials"]
+          client_assertion_type: ["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"]
+    logs: {enabled: true}
+    metrics: {enabled: true}
+    traces: {enabled: true}
+
+clusterMetrics:
+  enabled: true
+
+clusterEvents:
+  enabled: true
+
+podLogs:
+  enabled: true
+
+nodeLogs:
+  enabled: true
+
+prometheusOperatorObjects:
+  enabled: true
+
+annotationAutodiscovery:
+  enabled: true
+
+alloy-logs:
+  enabled: true
+alloy-metrics:
+  enabled: true
+alloy-singleton:
+  enabled: true
diff --git a/charts/k8s-monitoring/schema-mods/types-and-enums.json b/charts/k8s-monitoring/schema-mods/types-and-enums.json
index 0efdfb1e1..1134af83c 100644
--- a/charts/k8s-monitoring/schema-mods/types-and-enums.json
+++ b/charts/k8s-monitoring/schema-mods/types-and-enums.json
@@ -12,12 +12,24 @@
   },
   "definitions": {
     "loki-destination": {"properties": {
-      "auth": {"properties": {"type": {"enum": ["none", "basic", "bearerToken", "oauth2"]}}},
+      "auth": {"properties": {
+        "type": {"enum": ["none", "basic", "bearerToken", "oauth2"]},
+        "oatuh2": {"properties": {"endpointParams": {
+          "type": "object",
+          "additionalProperties": {"type": "array", "items": {"type": "string"}}
+        }}}
+      }},
       "secret": {"properties": {"create": {"type": ["null", "boolean"]}}},
       "tenantId": {"type": ["string", "number"]}
     }},
     "otlp-destination": {"properties": {
-      "auth": {"properties": {"type": {"enum": ["none", "basic", "bearerToken", "oauth2"]}}},
+      "auth": {"properties": {
+        "type": {"enum": ["none", "basic", "bearerToken", "oauth2"]},
+        "oatuh2": {"properties": {"endpointParams": {
+          "type": "object",
+          "additionalProperties": {"type": "array", "items": {"type": "string"}}
+        }}}
+      }},
       "secret": {"properties": {"create": {"type": ["null", "boolean"]}}},
       "tenantId": {"type": ["string", "number"]},
       "metrics": {"properties": {"enabled": {"type": ["null", "boolean"]}}},
@@ -40,12 +52,24 @@
       }}
     }},
     "prometheus-destination": {"properties": {
-      "auth": {"properties": {"type": {"enum": ["none", "basic", "bearerToken", "oauth2", "sigv4"]}}},
+      "auth": {"properties": {
+        "type": {"enum": ["none", "basic", "bearerToken", "oauth2", "sigv4"]},
+        "oatuh2": {"properties": {"endpointParams": {
+          "type": "object",
+          "additionalProperties": {"type": "array", "items": {"type": "string"}}
+        }}}
+      }},
       "secret": {"properties": {"create": {"type": ["null", "boolean"]}}},
       "tenantId": {"type": ["string", "number"]}
     }},
     "pyroscope-destination": {"properties": {
-      "auth": {"properties": {"type": {"enum": ["none", "basic", "bearerToken", "oauth2"]}}},
+      "auth": {"properties": {
+        "type": {"enum": ["none", "basic", "bearerToken", "oauth2"]},
+        "oatuh2": {"properties": {"endpointParams": {
+          "type": "object",
+          "additionalProperties": {"type": "array", "items": {"type": "string"}}
+        }}}
+      }},
       "secret": {"properties": {"create": {"type": ["null", "boolean"]}}},
       "tenantId": {"type": ["string", "number"]}
     }}
diff --git a/charts/k8s-monitoring/templates/destinations/_destination_loki.tpl b/charts/k8s-monitoring/templates/destinations/_destination_loki.tpl
index 55e5fee35..f6b39bca6 100644
--- a/charts/k8s-monitoring/templates/destinations/_destination_loki.tpl
+++ b/charts/k8s-monitoring/templates/destinations/_destination_loki.tpl
@@ -47,7 +47,7 @@ loki.write {{ include "helper.alloy_name" .name | quote }} {
       {{- if .auth.oauth2.endpointParams }}
       endpoint_params = {
       {{- range $k, $v := .auth.oauth2.endpointParams }}
-        {{ $k }} = {{ $v | quote }},
+        {{ $k }} = {{ $v | toJson }},
       {{- end }}
       }
       {{- end }}
diff --git a/charts/k8s-monitoring/templates/destinations/_destination_otlp.tpl b/charts/k8s-monitoring/templates/destinations/_destination_otlp.tpl
index 0d9ec0a44..1aa242c8b 100644
--- a/charts/k8s-monitoring/templates/destinations/_destination_otlp.tpl
+++ b/charts/k8s-monitoring/templates/destinations/_destination_otlp.tpl
@@ -46,7 +46,7 @@ otelcol.auth.oauth2 {{ include "helper.alloy_name" .name | quote }} {
   {{- if .auth.oauth2.endpointParams }}
   endpoint_params = {
   {{- range $k, $v := .auth.oauth2.endpointParams }}
-    {{ $k }} = {{ $v | quote }},
+    {{ $k }} = {{ $v | toJson }},
   {{- end }}
   }
   {{- end }}
diff --git a/charts/k8s-monitoring/templates/destinations/_destination_prometheus.tpl b/charts/k8s-monitoring/templates/destinations/_destination_prometheus.tpl
index 75b727d5a..deff48504 100644
--- a/charts/k8s-monitoring/templates/destinations/_destination_prometheus.tpl
+++ b/charts/k8s-monitoring/templates/destinations/_destination_prometheus.tpl
@@ -51,7 +51,7 @@ prometheus.remote_write {{ include "helper.alloy_name" .name | quote }} {
       {{- if .auth.oauth2.endpointParams }}
       endpoint_params = {
       {{- range $k, $v := .auth.oauth2.endpointParams }}
-        {{ $k }} = {{ $v | quote }},
+        {{ $k }} = {{ $v | toJson }},
       {{- end }}
       }
       {{- end }}
diff --git a/charts/k8s-monitoring/templates/destinations/_destination_pyroscope.tpl b/charts/k8s-monitoring/templates/destinations/_destination_pyroscope.tpl
index 646bdb992..7e9973547 100644
--- a/charts/k8s-monitoring/templates/destinations/_destination_pyroscope.tpl
+++ b/charts/k8s-monitoring/templates/destinations/_destination_pyroscope.tpl
@@ -38,7 +38,7 @@ pyroscope.write {{ include "helper.alloy_name" .name | quote }} {
       {{- if .auth.oauth2.endpointParams }}
       endpoint_params = {
       {{- range $k, $v := .auth.oauth2.endpointParams }}
-        {{ $k }} = {{ $v | quote }},
+        {{ $k }} = {{ $v | toJson }},
       {{- end }}
       }
       {{- end }}
diff --git a/charts/k8s-monitoring/values.schema.json b/charts/k8s-monitoring/values.schema.json
index 70d813da9..ffa103a55 100644
--- a/charts/k8s-monitoring/values.schema.json
+++ b/charts/k8s-monitoring/values.schema.json
@@ -1156,6 +1156,19 @@
                         },
                         "usernameKey": {
                             "type": "string"
+                        },
+                        "oatuh2": {
+                            "properties": {
+                                "endpointParams": {
+                                    "type": "object",
+                                    "additionalProperties": {
+                                        "type": "array",
+                                        "items": {
+                                            "type": "string"
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 },
@@ -1347,6 +1360,19 @@
                         },
                         "usernameKey": {
                             "type": "string"
+                        },
+                        "oatuh2": {
+                            "properties": {
+                                "endpointParams": {
+                                    "type": "object",
+                                    "additionalProperties": {
+                                        "type": "array",
+                                        "items": {
+                                            "type": "string"
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 },
@@ -1735,6 +1761,19 @@
                         },
                         "usernameKey": {
                             "type": "string"
+                        },
+                        "oatuh2": {
+                            "properties": {
+                                "endpointParams": {
+                                    "type": "object",
+                                    "additionalProperties": {
+                                        "type": "array",
+                                        "items": {
+                                            "type": "string"
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 },
@@ -1983,6 +2022,19 @@
                         },
                         "usernameKey": {
                             "type": "string"
+                        },
+                        "oatuh2": {
+                            "properties": {
+                                "endpointParams": {
+                                    "type": "object",
+                                    "additionalProperties": {
+                                        "type": "array",
+                                        "items": {
+                                            "type": "string"
+                                        }
+                                    }
+                                }
+                            }
                         }
                     }
                 },