feat: add Loki-based admin usage dashboard with Perses datasource

[tgitelman]

Summary
Add admin usage dashboard (usage-admin-loki-dashboard) that queries Loki structured logs via LogQL, showing token consumption, request counts, rate limiting, success rate, and active users
Add Loki datasource infrastructure: PersesDatasource CR, TLS CA ConfigMap, RBAC ClusterRoleBinding, and SA token Secret
Wire into existing observability/dashboards kustomization alongside the Prometheus-based dashboards
Details
The dashboard provides an admin-level view of MaaS API usage by querying structured metadata from Envoy access logs stored in Loki (via OTel Collector). It complements the existing Prometheus-based dashboards with per-request granularity including user_id, tokens_total, response_code, and model.

Dashboard panels:

Total Tokens, Total Requests, Total Rate Limited, Success Rate, Active Users (stat panels)
Token consumption over time (time series chart with "View by" model/subscription selector)
Usage breakdown table (model × subscription with token and request counts)
Loki infra (deployment/components/observability/loki/):

loki-datasource.yaml — PersesDatasource pointing to LokiStack gateway with SA token + TLS
loki-ca.yaml — ConfigMap with service CA injection for TLS
loki-rbac.yaml — ClusterRoleBinding granting perses-sa the cluster-logging-application-view role
loki-secret.yaml — SA token secret for LokiStack gateway authentication
Prerequisites
LokiStack deployed and receiving structured logs from the Envoy OTel access logger
Cluster Observability Operator (COO) with Perses enabled
OTel Collector forwarding Envoy access logs to Loki via OTLP
Test plan

Deploy with kubectl apply -k deployment/components/observability/observability/dashboards/

Verify dashboard appears in OpenShift Console under Observe > Dashboards

Confirm all panels render data (Total Tokens, Requests, Rate Limited, Success Rate, Active Users)

Verify "View by" selector switches token chart grouping between model and subscription

Confirm usage breakdown table shows model × subscription detail

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tgitelman
Once this PR has been reviewed and has the lgtm label, please assign jland-redhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2a469a53-501e-4909-a83c-1c42ce6e31a4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ahadas]

did you check if we can enable unencrypted communication from within the cluster? I saw we have unencrypted communication with the Prometheus instance of ODH - I think it makes sense here as well, if possible

[tgitelman]

LokiStack gateway in openshift-logging mode enforces HTTPS exclusively (PR #6288). There's no HTTP port to connect to. This matches the Prometheus/Thanos Querier pattern — the ODH operator's own cluster-prometheus-datasource also uses HTTPS + service CA + bearer token to Thanos Querier (same pattern we follow here for Loki). The CA ConfigMap + TLS config are required.

[ahadas]

This matches the Prometheus/Thanos Querier pattern — the ODH operator's own cluster-prometheus-datasource also uses HTTPS + service CA + bearer token to Thanos Querier (same pattern we follow here for Loki)

the Prometheus instance I referred to is not the cluster-prometheus-datasource but the one that is specific to ODH

[ahadas]

this should not rely on the namespace being logging4

[ahadas]

this probably needs to move to the opendatahub-operator instead

[ahadas]

I guess we don't need this here, right?

[ahadas]

the datasource needs to be placed in observability/dashboards folder, next to the dashboard

[ahadas]

version 1.5 of cluster observability operator is expected later this week, we need to test their fix for dynamic values in those lists

[rhods-ci-bot]

@tgitelman: The following test has Failed:

OCI Artifact Browser URL

View in Artifact Browser

Inspecting Test Artifacts Manually

To inspect your test artifacts manually, follow these steps:

1. Install ORAS (see the ORAS installation guide).
2. Download artifacts with the following commands:

mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/opendatahub/odh-ci-artifacts:maas-group-test-758wt