feat(vector): replace Logflare with direct Vector → ClickHouse pipeline

[h0lybyte]

Summary

• Replaced all 10 Logflare HTTP sinks with a single native ClickHouse sink (skip_unknown_fields, date_time_best_effort, disk buffer)
• Added ch_normalize transform to flatten service logs into unified schema: {timestamp, service, level, message, metadata, pod_name, pod_namespace}
• Added observability.logs_raw table DDL (ON CLUSTER, MergeTree, 90-day TTL, partitioned by day)
• Sealed ClickHouse credentials for Vector namespace
• Removes Logflare as the log ingestion middleware entirely — one less system in the pipeline

Architecture

Vector (DaemonSet) → ClickHouse (observability.logs_raw)

Pre-deploy (already applied)

• CREATE DATABASE observability ON CLUSTER 'cluster'
• CREATE TABLE observability.logs_raw ON CLUSTER 'cluster'
• GRANT ALL ON observability.* TO logflare ON CLUSTER 'cluster'

Test plan

• Verify SealedSecret decrypts in vector namespace
• Confirm Vector pod starts with new config (check /health)
• Verify rows appear in observability.logs_raw within 30s
• Check SELECT service, count() FROM observability.logs_raw GROUP BY service

Ref #8015

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None