From 0ab9121aff464080ac43766c0c09ecd93581d6ff Mon Sep 17 00:00:00 2001 From: "loki-gh-app[bot]" <160051081+loki-gh-app[bot]@users.noreply.github.com> Date: Mon, 10 Feb 2025 10:42:11 +0530 Subject: [PATCH] docs(thanos): unhide configuration docs for thanos storage clients (backport k239) (#16142) Co-authored-by: Ashwanth --- docs/sources/shared/configuration.md | 1207 +++++++++++----------- pkg/loki/common/common.go | 2 +- pkg/loki/loki.go | 2 +- pkg/ruler/rulestore/config.go | 4 +- pkg/storage/factory.go | 4 +- tools/doc-generator/parse/parser.go | 21 +- tools/doc-generator/parse/root_blocks.go | 15 +- tools/doc-generator/writer.go | 6 +- 8 files changed, 617 insertions(+), 644 deletions(-) diff --git a/docs/sources/shared/configuration.md b/docs/sources/shared/configuration.md index cfc4db5c45..e2fe96ecee 100644 --- a/docs/sources/shared/configuration.md +++ b/docs/sources/shared/configuration.md @@ -130,6 +130,25 @@ Pass the `-config.expand-env` flag at the command line to enable this way of set # The ruler block configures the Loki ruler. [ruler: ] +ruler_storage: + # The thanos_object_store_config block configures the connection to object + # storage backend using thanos-io/objstore clients. This will become the + # default way of configuring object store clients in future releases. + # Currently this is opt-in and takes effect only when `-use-thanos-objstore` + # is set to true. + # The CLI flags prefix for this block configuration is: ruler-storage + [] + + # Backend storage to use. Supported backends are: local, s3, gcs, azure, + # swift, filesystem, alibabacloud, bos + # CLI flag: -ruler-storage.backend + [backend: | default = "filesystem"] + + local: + # Directory to scan for rules + # CLI flag: -ruler-storage.local.directory + [directory: | default = ""] + # The ingester_client block configures how the distributor will connect to # ingesters. Only appropriate when running all components, the distributor, or # the querier. 
@@ -659,138 +678,10 @@ pattern_ingester: [compactor: ] compactor_grpc_client: - # gRPC client max receive message size (bytes). - # CLI flag: -compactor.grpc-client.grpc-max-recv-msg-size - [max_recv_msg_size: | default = 104857600] - - # gRPC client max send message size (bytes). - # CLI flag: -compactor.grpc-client.grpc-max-send-msg-size - [max_send_msg_size: | default = 104857600] - - # Use compression when sending messages. Supported values are: 'gzip', - # 'snappy' and '' (disable compression) - # CLI flag: -compactor.grpc-client.grpc-compression - [grpc_compression: | default = ""] - - # Rate limit for gRPC client; 0 means disabled. - # CLI flag: -compactor.grpc-client.grpc-client-rate-limit - [rate_limit: | default = 0] - - # Rate limit burst for gRPC client. - # CLI flag: -compactor.grpc-client.grpc-client-rate-limit-burst - [rate_limit_burst: | default = 0] - - # Enable backoff and retry when we hit rate limits. - # CLI flag: -compactor.grpc-client.backoff-on-ratelimits - [backoff_on_ratelimits: | default = false] - - backoff_config: - # Minimum delay when backing off. - # CLI flag: -compactor.grpc-client.backoff-min-period - [min_period: | default = 100ms] - - # Maximum delay when backing off. - # CLI flag: -compactor.grpc-client.backoff-max-period - [max_period: | default = 10s] - - # Number of times to backoff and retry before failing. - # CLI flag: -compactor.grpc-client.backoff-retries - [max_retries: | default = 10] - - # Initial stream window size. Values less than the default are not supported - # and are ignored. Setting this to a value other than the default disables the - # BDP estimator. - # CLI flag: -compactor.grpc-client.initial-stream-window-size - [initial_stream_window_size: | default = 63KiB1023B] - - # Initial connection window size. Values less than the default are not - # supported and are ignored. Setting this to a value other than the default - # disables the BDP estimator. 
- # CLI flag: -compactor.grpc-client.initial-connection-window-size - [initial_connection_window_size: | default = 63KiB1023B] - - # Enable TLS in the gRPC client. This flag needs to be enabled when any other - # TLS flag is set. If set to false, insecure connection to gRPC server will be - # used. - # CLI flag: -compactor.grpc-client.tls-enabled - [tls_enabled: | default = false] - - # Path to the client certificate, which will be used for authenticating with - # the server. Also requires the key path to be configured. - # CLI flag: -compactor.grpc-client.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -compactor.grpc-client.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates to validate server certificate against. If not - # set, the host's root CA certificates are used. - # CLI flag: -compactor.grpc-client.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -compactor.grpc-client.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -compactor.grpc-client.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] - - # Override the default cipher suite list (separated by commas). 
Allowed - # values: - # - # Secure Ciphers: - # - TLS_AES_128_GCM_SHA256 - # - TLS_AES_256_GCM_SHA384 - # - TLS_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - # - # Insecure Ciphers: - # - TLS_RSA_WITH_RC4_128_SHA - # - TLS_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA - # - TLS_RSA_WITH_AES_256_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA256 - # - TLS_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - # CLI flag: -compactor.grpc-client.tls-cipher-suites - [tls_cipher_suites: | default = ""] - - # Override the default minimum TLS version. Allowed values: VersionTLS10, - # VersionTLS11, VersionTLS12, VersionTLS13 - # CLI flag: -compactor.grpc-client.tls-min-version - [tls_min_version: | default = ""] - - # The maximum amount of time to establish a connection. A value of 0 means - # default gRPC client connect timeout and backoff. - # CLI flag: -compactor.grpc-client.connect-timeout - [connect_timeout: | default = 5s] - - # Initial backoff delay after first connection failure. Only relevant if - # ConnectTimeout > 0. - # CLI flag: -compactor.grpc-client.connect-backoff-base-delay - [connect_backoff_base_delay: | default = 1s] - - # Maximum backoff delay when establishing a connection. Only relevant if - # ConnectTimeout > 0. 
- # CLI flag: -compactor.grpc-client.connect-backoff-max-delay - [connect_backoff_max_delay: | default = 5s] + # The grpc_client block configures the gRPC client used to communicate between + # a client and server component in Loki. + # The CLI flags prefix for this block configuration is: compactor.grpc-client + [] # The limits_config block configures global and per-tenant limits in Loki. The # values here can be overridden in the `overrides` section of the runtime_config 
@@ -1094,110 +985,9 @@ dynamodb: # CLI flag: -dynamodb.kms-key-id [kms_key_id: | default = ""] -# S3 endpoint URL with escaped Key and Secret encoded. If only region is -# specified as a host, proper endpoint will be deduced. Use -# inmemory:/// to use a mock in-memory implementation. -# CLI flag: -s3.url -[s3: ] - -# Set this to `true` to force the request to use path-style addressing. -# CLI flag: -s3.force-path-style -[s3forcepathstyle: | default = false] - -# Comma separated list of bucket names to evenly distribute chunks over. -# Overrides any buckets specified in s3.url flag -# CLI flag: -s3.buckets -[bucketnames: | default = ""] - -# S3 Endpoint to connect to. -# CLI flag: -s3.endpoint -[endpoint: | default = ""] - -# AWS region to use. -# CLI flag: -s3.region -[region: | default = ""] - -# AWS Access Key ID -# CLI flag: -s3.access-key-id -[access_key_id: | default = ""] - -# AWS Secret Access Key -# CLI flag: -s3.secret-access-key -[secret_access_key: | default = ""] - -# AWS Session Token -# CLI flag: -s3.session-token -[session_token: | default = ""] - -# Disable https on s3 connection. -# CLI flag: -s3.insecure -[insecure: | default = false] - -http_config: - # Timeout specifies a time limit for requests made by s3 Client. - # CLI flag: -s3.http.timeout - [timeout: | default = 0s] - - # The maximum amount of time an idle connection will be held open. - # CLI flag: -s3.http.idle-conn-timeout - [idle_conn_timeout: | default = 1m30s] - - # If non-zero, specifies the amount of time to wait for a server's response - # headers after fully writing the request. - # CLI flag: -s3.http.response-header-timeout - [response_header_timeout: | default = 0s] - - # Set to true to skip verifying the certificate chain and hostname. - # CLI flag: -s3.http.insecure-skip-verify - [insecure_skip_verify: | default = false] - - # Path to the trusted CA file that signed the SSL certificate of the S3 - # endpoint. 
- # CLI flag: -s3.http.ca-file - [ca_file: | default = ""] - -# The signature version to use for authenticating against S3. Supported values -# are: v4. -# CLI flag: -s3.signature-version -[signature_version: | default = "v4"] - -# The S3 storage class which objects will use. Supported values are: GLACIER, -# DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, -# REDUCED_REDUNDANCY, STANDARD, STANDARD_IA. -# CLI flag: -s3.storage-class -[storage_class: | default = "STANDARD"] - -sse: - # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3. - # CLI flag: -s3.sse.type - [type: | default = ""] - - # KMS Key ID used to encrypt objects in S3 - # CLI flag: -s3.sse.kms-key-id - [kms_key_id: | default = ""] - - # KMS Encryption Context used for object encryption. It expects JSON formatted - # string. - # CLI flag: -s3.sse.kms-encryption-context - [kms_encryption_context: | default = ""] - -# Configures back off when S3 get Object. -backoff_config: - # Minimum backoff time when s3 get Object - # CLI flag: -s3.min-backoff - [min_period: | default = 100ms] - - # Maximum backoff time when s3 get Object - # CLI flag: -s3.max-backoff - [max_period: | default = 3s] - - # Maximum number of times to retry for s3 GetObject or ObjectExists - # CLI flag: -s3.max-retries - [max_retries: | default = 5] - -# Disable forcing S3 dualstack endpoint usage. -# CLI flag: -s3.disable-dualstack -[disable_dualstack: | default = false] +# The s3_storage_config block configures the connection to Amazon S3 object +# storage backend. +[] ``` ### azure_storage_config 
@@ -1555,67 +1345,10 @@ memcached_client: # CLI flag: -.memcached.tls-enabled [tls_enabled: | default = false] - # Path to the client certificate, which will be used for authenticating with - # the server. Also requires the key path to be configured. - # CLI flag: -.memcached.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -.memcached.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates to validate server certificate against. If not - # set, the host's root CA certificates are used. - # CLI flag: -.memcached.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -.memcached.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -.memcached.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] - - # Override the default cipher suite list (separated by commas). 
Allowed - # values: - # - # Secure Ciphers: - # - TLS_AES_128_GCM_SHA256 - # - TLS_AES_256_GCM_SHA384 - # - TLS_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - # - # Insecure Ciphers: - # - TLS_RSA_WITH_RC4_128_SHA - # - TLS_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA - # - TLS_RSA_WITH_AES_256_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA256 - # - TLS_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - # CLI flag: -.memcached.tls-cipher-suites - [tls_cipher_suites: | default = ""] - - # Override the default minimum TLS version. Allowed values: VersionTLS10, - # VersionTLS11, VersionTLS12, VersionTLS13 - # CLI flag: -.memcached.tls-min-version - [tls_min_version: | default = ""] + # The TLS configuration. + # The CLI flags prefix for this block configuration is: + # store.index-cache-write.memcached + [] redis: # Redis Server or Cluster configuration endpoint to use for caching. A @@ -1744,7 +1477,7 @@ Common configuration to be shared between multiple modules. If a more specific c storage: # The s3_storage_config block configures the connection to Amazon S3 object # storage backend. - # The CLI flags prefix for this block configuration is: common + # The CLI flags prefix for this block configuration is: common.storage [s3: ] # The gcs_storage_config block configures the connection to Google Cloud 
@@ -1849,6 +1582,15 @@ storage: # CLI flag: -common.storage.congestion-control.hedge.strategy [strategy: | default = ""] + # The thanos_object_store_config block configures the connection to object + # storage backend using thanos-io/objstore clients. This will become the + # default way of configuring object store clients in future releases. + # Currently this is opt-in and takes effect only when `-use-thanos-objstore` + # is set to true. + # The CLI flags prefix for this block configuration is: + # common.storage.object-store + [object_store: ] + [persist_tokens: ] [replication_factor: ] 
@@ -2402,66 +2144,9 @@ Configuration for an ETCD v3 client. Only applies if the selected kvstore is `et # CLI flag: -.etcd.tls-enabled [tls_enabled: | default = false] -# Path to the client certificate, which will be used for authenticating with the -# server. Also requires the key path to be configured. -# CLI flag: -.etcd.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -.etcd.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates to validate server certificate against. If not -# set, the host's root CA certificates are used. -# CLI flag: -.etcd.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. -# CLI flag: -.etcd.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -.etcd.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] - -# Override the default cipher suite list (separated by commas). 
Allowed values: -# -# Secure Ciphers: -# - TLS_AES_128_GCM_SHA256 -# - TLS_AES_256_GCM_SHA384 -# - TLS_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -# -# Insecure Ciphers: -# - TLS_RSA_WITH_RC4_128_SHA -# - TLS_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA -# - TLS_RSA_WITH_AES_256_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA256 -# - TLS_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -# CLI flag: -.etcd.tls-cipher-suites -[tls_cipher_suites: | default = ""] - -# Override the default minimum TLS version. Allowed values: VersionTLS10, -# VersionTLS11, VersionTLS12, VersionTLS13 -# CLI flag: -.etcd.tls-min-version -[tls_min_version: | default = ""] +# The TLS configuration. +# The CLI flags prefix for this block configuration is: ruler.ring.etcd +[] # Etcd username. # CLI flag: -.etcd.username @@ -2671,6 +2356,7 @@ The `grpc_client` block configures the gRPC client used to communicate between a - `bloom-build.builder.grpc` - `bloom-gateway-client.grpc` - `boltdb.shipper.index-gateway-client.grpc` +- `compactor.grpc-client` - `frontend.grpc-client-config` - `ingester.client` - `pattern-ingester.client` 
@@ -2740,66 +2426,10 @@ backoff_config: # CLI flag: -.tls-enabled [tls_enabled: | default = false] -# Path to the client certificate, which will be used for authenticating with the -# server. Also requires the key path to be configured. -# CLI flag: -.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates to validate server certificate against. If not -# set, the host's root CA certificates are used. -# CLI flag: -.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. -# CLI flag: -.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] - -# Override the default cipher suite list (separated by commas). Allowed values: -# -# Secure Ciphers: -# - TLS_AES_128_GCM_SHA256 -# - TLS_AES_256_GCM_SHA384 -# - TLS_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -# -# Insecure Ciphers: -# - TLS_RSA_WITH_RC4_128_SHA -# - TLS_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA -# - TLS_RSA_WITH_AES_256_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA256 -# - TLS_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -# - 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -# CLI flag: -.tls-cipher-suites -[tls_cipher_suites: | default = ""] - -# Override the default minimum TLS version. Allowed values: VersionTLS10, -# VersionTLS11, VersionTLS12, VersionTLS13 -# CLI flag: -.tls-min-version -[tls_min_version: | default = ""] +# The TLS configuration. +# The CLI flags prefix for this block configuration is: +# tsdb.shipper.index-gateway-client.grpc +[] # The maximum amount of time to establish a connection. A value of 0 means # default gRPC client connect timeout and backoff. 
@@ -4114,66 +3744,9 @@ When a memberlist config with atleast 1 join_members is defined, kvstore of type # CLI flag: -memberlist.tls-enabled [tls_enabled: | default = false] -# Path to the client certificate, which will be used for authenticating with the -# server. Also requires the key path to be configured. -# CLI flag: -memberlist.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -memberlist.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates to validate server certificate against. If not -# set, the host's root CA certificates are used. -# CLI flag: -memberlist.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. -# CLI flag: -memberlist.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -memberlist.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] - -# Override the default cipher suite list (separated by commas). 
Allowed values: -# -# Secure Ciphers: -# - TLS_AES_128_GCM_SHA256 -# - TLS_AES_256_GCM_SHA384 -# - TLS_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 -# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -# -# Insecure Ciphers: -# - TLS_RSA_WITH_RC4_128_SHA -# - TLS_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA -# - TLS_RSA_WITH_AES_256_CBC_SHA -# - TLS_RSA_WITH_AES_128_CBC_SHA256 -# - TLS_RSA_WITH_AES_128_GCM_SHA256 -# - TLS_RSA_WITH_AES_256_GCM_SHA384 -# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_RC4_128_SHA -# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA -# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -# CLI flag: -memberlist.tls-cipher-suites -[tls_cipher_suites: | default = ""] - -# Override the default minimum TLS version. Allowed values: VersionTLS10, -# VersionTLS11, VersionTLS12, VersionTLS13 -# CLI flag: -memberlist.tls-min-version -[tls_min_version: | default = ""] +# The TLS configuration. +# The CLI flags prefix for this block configuration is: memberlist +[] ``` ### named_stores_config @@ -4680,7 +4253,7 @@ storage: [gcs: ] # Configures backend rule storage for S3. - # The CLI flags prefix for this block configuration is: ruler + # The CLI flags prefix for this block configuration is: ruler.storage [s3: ] # Configures backend rule storage for Baidu Object Storage (BOS). 
@@ -4737,67 +4310,10 @@ storage: [notification_timeout: | default = 10s] alertmanager_client: - # Path to the client certificate, which will be used for authenticating with - # the server. Also requires the key path to be configured. - # CLI flag: -ruler.alertmanager-client.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -ruler.alertmanager-client.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates to validate server certificate against. If not - # set, the host's root CA certificates are used. - # CLI flag: -ruler.alertmanager-client.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -ruler.alertmanager-client.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -ruler.alertmanager-client.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] - - # Override the default cipher suite list (separated by commas). 
Allowed - # values: - # - # Secure Ciphers: - # - TLS_AES_128_GCM_SHA256 - # - TLS_AES_256_GCM_SHA384 - # - TLS_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - # - # Insecure Ciphers: - # - TLS_RSA_WITH_RC4_128_SHA - # - TLS_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA - # - TLS_RSA_WITH_AES_256_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA256 - # - TLS_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - # CLI flag: -ruler.alertmanager-client.tls-cipher-suites - [tls_cipher_suites: | default = ""] - - # Override the default minimum TLS version. Allowed values: VersionTLS10, - # VersionTLS11, VersionTLS12, VersionTLS13 - # CLI flag: -ruler.alertmanager-client.tls-min-version - [tls_min_version: | default = ""] + # The TLS configuration. + # The CLI flags prefix for this block configuration is: + # ruler.alertmanager-client + [] # HTTP Basic authentication username. It overrides the username set in the URL # (if any). 
@@ -5019,67 +4535,10 @@ evaluation: # CLI flag: -ruler.evaluation.query-frontend.tls-enabled [tls_enabled: | default = false] - # Path to the client certificate, which will be used for authenticating with - # the server. Also requires the key path to be configured. - # CLI flag: -ruler.evaluation.query-frontend.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -ruler.evaluation.query-frontend.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates to validate server certificate against. If not - # set, the host's root CA certificates are used. - # CLI flag: -ruler.evaluation.query-frontend.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -ruler.evaluation.query-frontend.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -ruler.evaluation.query-frontend.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] - - # Override the default cipher suite list (separated by commas). 
Allowed - # values: - # - # Secure Ciphers: - # - TLS_AES_128_GCM_SHA256 - # - TLS_AES_256_GCM_SHA384 - # - TLS_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - # - # Insecure Ciphers: - # - TLS_RSA_WITH_RC4_128_SHA - # - TLS_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA - # - TLS_RSA_WITH_AES_256_CBC_SHA - # - TLS_RSA_WITH_AES_128_CBC_SHA256 - # - TLS_RSA_WITH_AES_128_GCM_SHA256 - # - TLS_RSA_WITH_AES_256_GCM_SHA384 - # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_RC4_128_SHA - # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - # CLI flag: -ruler.evaluation.query-frontend.tls-cipher-suites - [tls_cipher_suites: | default = ""] - - # Override the default minimum TLS version. Allowed values: VersionTLS10, - # VersionTLS11, VersionTLS12, VersionTLS13 - # CLI flag: -ruler.evaluation.query-frontend.tls-min-version - [tls_min_version: | default = ""] + # The TLS configuration. + # The CLI flags prefix for this block configuration is: + # ruler.evaluation.query-frontend + [] ``` ### runtime_config @@ -5101,8 +4560,8 @@ Configuration for 'runtime config' module, responsible for reloading runtime con The `s3_storage_config` block configures the connection to Amazon S3 object storage backend. The supported CLI flags `` used to reference this configuration block are: -- `common` -- `ruler` +- `common.storage` +- `ruler.storage`   
@@ -5110,106 +4569,106 @@ The `s3_storage_config` block configures the connection to Amazon S3 object stor # S3 endpoint URL with escaped Key and Secret encoded. If only region is # specified as a host, proper endpoint will be deduced. Use # inmemory:/// to use a mock in-memory implementation. -# CLI flag: -.storage.s3.url +# CLI flag: -.s3.url [s3: ] # Set this to `true` to force the request to use path-style addressing. -# CLI flag: -.storage.s3.force-path-style +# CLI flag: -.s3.force-path-style [s3forcepathstyle: | default = false] # Comma separated list of bucket names to evenly distribute chunks over. # Overrides any buckets specified in s3.url flag -# CLI flag: -.storage.s3.buckets +# CLI flag: -.s3.buckets [bucketnames: | default = ""] # S3 Endpoint to connect to. -# CLI flag: -.storage.s3.endpoint +# CLI flag: -.s3.endpoint [endpoint: | default = ""] # AWS region to use. -# CLI flag: -.storage.s3.region +# CLI flag: -.s3.region [region: | default = ""] # AWS Access Key ID -# CLI flag: -.storage.s3.access-key-id +# CLI flag: -.s3.access-key-id [access_key_id: | default = ""] # AWS Secret Access Key -# CLI flag: -.storage.s3.secret-access-key +# CLI flag: -.s3.secret-access-key [secret_access_key: | default = ""] # AWS Session Token -# CLI flag: -.storage.s3.session-token +# CLI flag: -.s3.session-token [session_token: | default = ""] # Disable https on s3 connection. -# CLI flag: -.storage.s3.insecure +# CLI flag: -.s3.insecure [insecure: | default = false] http_config: # Timeout specifies a time limit for requests made by s3 Client. - # CLI flag: -.storage.s3.http.timeout + # CLI flag: -.s3.http.timeout [timeout: | default = 0s] # The maximum amount of time an idle connection will be held open. - # CLI flag: -.storage.s3.http.idle-conn-timeout + # CLI flag: -.s3.http.idle-conn-timeout [idle_conn_timeout: | default = 1m30s] # If non-zero, specifies the amount of time to wait for a server's response # headers after fully writing the request. 
- # CLI flag: -.storage.s3.http.response-header-timeout + # CLI flag: -.s3.http.response-header-timeout [response_header_timeout: | default = 0s] # Set to true to skip verifying the certificate chain and hostname. - # CLI flag: -.storage.s3.http.insecure-skip-verify + # CLI flag: -.s3.http.insecure-skip-verify [insecure_skip_verify: | default = false] # Path to the trusted CA file that signed the SSL certificate of the S3 # endpoint. - # CLI flag: -.storage.s3.http.ca-file + # CLI flag: -.s3.http.ca-file [ca_file: | default = ""] # The signature version to use for authenticating against S3. Supported values # are: v4. -# CLI flag: -.storage.s3.signature-version +# CLI flag: -.s3.signature-version [signature_version: | default = "v4"] # The S3 storage class which objects will use. Supported values are: GLACIER, # DEEP_ARCHIVE, GLACIER_IR, INTELLIGENT_TIERING, ONEZONE_IA, OUTPOSTS, # REDUCED_REDUNDANCY, STANDARD, STANDARD_IA. -# CLI flag: -.storage.s3.storage-class +# CLI flag: -.s3.storage-class [storage_class: | default = "STANDARD"] sse: # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3. - # CLI flag: -.storage.s3.sse.type + # CLI flag: -.s3.sse.type [type: | default = ""] # KMS Key ID used to encrypt objects in S3 - # CLI flag: -.storage.s3.sse.kms-key-id + # CLI flag: -.s3.sse.kms-key-id [kms_key_id: | default = ""] # KMS Encryption Context used for object encryption. It expects JSON formatted # string. - # CLI flag: -.storage.s3.sse.kms-encryption-context + # CLI flag: -.s3.sse.kms-encryption-context [kms_encryption_context: | default = ""] # Configures back off when S3 get Object. 
backoff_config: # Minimum backoff time when s3 get Object - # CLI flag: -.storage.s3.min-backoff + # CLI flag: -.s3.min-backoff [min_period: | default = 100ms] # Maximum backoff time when s3 get Object - # CLI flag: -.storage.s3.max-backoff + # CLI flag: -.s3.max-backoff [max_period: | default = 3s] # Maximum number of times to retry for s3 GetObject or ObjectExists - # CLI flag: -.storage.s3.max-retries + # CLI flag: -.s3.max-retries [max_retries: | default = 5] # Disable forcing S3 dualstack endpoint usage. -# CLI flag: -.storage.s3.disable-dualstack +# CLI flag: -.s3.disable-dualstack [disable_dualstack: | default = false] ``` @@ -5772,6 +5231,33 @@ congestion_control: # CLI flag: -store.max-parallel-get-chunk [max_parallel_get_chunk: | default = 150] +# Enables the use of thanos-io/objstore clients for connecting to object +# storage. When set to true, the configuration inside +# `storage_config.object_store` or `common.storage.object_store` block takes +# effect. +# CLI flag: -use-thanos-objstore +[use_thanos_objstore: | default = false] + +object_store: + # The thanos_object_store_config block configures the connection to object + # storage backend using thanos-io/objstore clients. This will become the + # default way of configuring object store clients in future releases. + # Currently this is opt-in and takes effect only when `-use-thanos-objstore` + # is set to true. + # The CLI flags prefix for this block configuration is: object-store + [] + + named_stores: + [azure: ] + + [filesystem: ] + + [gcs: ] + + [s3: ] + + [swift: ] + # The maximum number of chunks to fetch per batch. # CLI flag: -store.max-chunk-batch-size [max_chunk_batch_size: | default = 50] 
@@ -6375,12 +5861,481 @@ chunk_tables_provisioning: [inactive_read_scale_lastn: | default = 4] ``` +### thanos_object_store_config + +The `thanos_object_store_config` block configures the connection to object storage backend using thanos-io/objstore clients. This will become the default way of configuring object store clients in future releases. +Currently this is opt-in and takes effect only when `-use-thanos-objstore` is set to true. The supported CLI flags `` used to reference this configuration block are: + +- `common.storage.object-store` +- `object-store` +- `ruler-storage` + +  + +```yaml +s3: + # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at + # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an + # S3-compatible service in hostname:port format. + # CLI flag: -.s3.endpoint + [endpoint: | default = ""] + + # S3 region. If unset, the client will issue a S3 GetBucketLocation API call + # to autodetect it. + # CLI flag: -.s3.region + [region: | default = ""] + + # S3 bucket name + # CLI flag: -.s3.bucket-name + [bucket_name: | default = ""] + + # S3 secret access key + # CLI flag: -.s3.secret-access-key + [secret_access_key: | default = ""] + + # S3 access key ID + # CLI flag: -.s3.access-key-id + [access_key_id: | default = ""] + + # S3 session token + # CLI flag: -.s3.session-token + [session_token: | default = ""] + + # If enabled, use http:// for the S3 endpoint instead of https://. This could + # be useful in local dev/test environments while using an S3-compatible + # backend storage, like Minio. + # CLI flag: -.s3.insecure + [insecure: | default = false] + + # Use a specific version of the S3 list object API. Supported values are v1 or + # v2. Default is unset. + # CLI flag: -.s3.list-objects-version + [list_objects_version: | default = ""] + + # Bucket lookup style type, used to access bucket in S3-compatible service. + # Default is auto. Supported values are: auto, path, virtual-hosted. 
+ # CLI flag: -.s3.bucket-lookup-type + [bucket_lookup_type: | default = auto] + + # When enabled, direct all AWS S3 requests to the dual-stack IPv4/IPv6 + # endpoint for the configured region. + # CLI flag: -.s3.dualstack-enabled + [dualstack_enabled: | default = true] + + # The S3 storage class to use, not set by default. Details can be found at + # https://aws.amazon.com/s3/storage-classes/. Supported values are: STANDARD, + # REDUCED_REDUNDANCY, GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, + # DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE + # CLI flag: -.s3.storage-class + [storage_class: | default = ""] + + # If enabled, it will use the default authentication methods of the AWS SDK + # for go based on known environment variables and known AWS config files. + # CLI flag: -.s3.native-aws-auth-enabled + [native_aws_auth_enabled: | default = false] + + # The minimum file size in bytes used for multipart uploads. If 0, the value + # is optimally computed for each object. + # CLI flag: -.s3.part-size + [part_size: | default = 0] + + # If enabled, a Content-MD5 header is sent with S3 Put Object requests. + # Consumes more resources to compute the MD5, but may improve compatibility + # with object storage services that do not support checksums. + # CLI flag: -.s3.send-content-md5 + [send_content_md5: | default = false] + + # Accessing S3 resources using temporary, secure credentials provided by AWS + # Security Token Service. + # CLI flag: -.s3.sts-endpoint + [sts_endpoint: | default = ""] + + # The maximum number of retries for S3 requests that are retryable. Default is + # 10, set this to 1 to disable retries. + # CLI flag: -.s3.max-retries + [max_retries: | default = 10] + + sse: + # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3. 
+ # CLI flag: -.s3.sse.type + [type: | default = ""] + + # KMS Key ID used to encrypt objects in S3 + # CLI flag: -.s3.sse.kms-key-id + [kms_key_id: | default = ""] + + # KMS Encryption Context used for object encryption. It expects JSON + # formatted string. + # CLI flag: -.s3.sse.kms-encryption-context + [kms_encryption_context: | default = ""] + + http: + # The time an idle connection will remain idle before closing. + # CLI flag: -.s3.http.idle-conn-timeout + [idle_conn_timeout: | default = 1m30s] + + # The amount of time the client will wait for a servers response headers. + # CLI flag: -.s3.http.response-header-timeout + [response_header_timeout: | default = 2m] + + # If the client connects via HTTPS and this option is enabled, the client + # will accept any certificate and hostname. + # CLI flag: -.s3.http.insecure-skip-verify + [insecure_skip_verify: | default = false] + + # Maximum time to wait for a TLS handshake. 0 means no limit. + # CLI flag: -.s3.tls-handshake-timeout + [tls_handshake_timeout: | default = 10s] + + # The time to wait for a server's first response headers after fully writing + # the request headers if the request has an Expect header. 0 to send the + # request body immediately. + # CLI flag: -.s3.expect-continue-timeout + [expect_continue_timeout: | default = 1s] + + # Maximum number of idle (keep-alive) connections across all hosts. 0 means + # no limit. + # CLI flag: -.s3.max-idle-connections + [max_idle_connections: | default = 100] + + # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a + # built-in default value is used. + # CLI flag: -.s3.max-idle-connections-per-host + [max_idle_connections_per_host: | default = 100] + + # Maximum number of connections per host. 0 means no limit. + # CLI flag: -.s3.max-connections-per-host + [max_connections_per_host: | default = 0] + + # Path to the CA certificates to validate server certificate against. If not + # set, the host's root CA certificates are used. 
+ # CLI flag: -.s3.http.tls-ca-path + [tls_ca_path: | default = ""] + + # Path to the client certificate, which will be used for authenticating with + # the server. Also requires the key path to be configured. + # CLI flag: -.s3.http.tls-cert-path + [tls_cert_path: | default = ""] + + # Path to the key for the client certificate. Also requires the client + # certificate to be configured. + # CLI flag: -.s3.http.tls-key-path + [tls_key_path: | default = ""] + + # Override the expected name on the server certificate. + # CLI flag: -.s3.http.tls-server-name + [tls_server_name: | default = ""] + + trace: + # When enabled, low-level S3 HTTP operation information is logged at the + # debug level. + # CLI flag: -.s3.trace.enabled + [enabled: | default = false] + +gcs: + # GCS bucket name + # CLI flag: -.gcs.bucket-name + [bucket_name: | default = ""] + + # JSON either from a Google Developers Console client_credentials.json file, + # or a Google Developers service account key. Needs to be valid JSON, not a + # filesystem path. If empty, fallback to Google default logic: + # 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS + # environment variable. For workload identity federation, refer to + # https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation + # on how to generate the JSON configuration file for on-prem/non-Google cloud + # platforms. + # 2. A JSON file in a location known to the gcloud command-line tool: + # $HOME/.config/gcloud/application_default_credentials.json. + # 3. On Google Compute Engine it fetches credentials from the metadata server. + # CLI flag: -.gcs.service-account + [service_account: | default = ""] + + # The maximum size of the buffer that GCS client for a single PUT request. 0 + # to disable buffering. + # CLI flag: -.gcs.chunk-buffer-size + [chunk_buffer_size: | default = 0] + + # The maximum number of retries for idempotent operations. 
Overrides the + # default gcs storage client behavior if this value is greater than 0. Set + # this to 1 to disable retries. + # CLI flag: -.gcs.max-retries + [max_retries: | default = 10] + +azure: + # Azure storage account name + # CLI flag: -.azure.account-name + [account_name: | default = ""] + + # Azure storage account key. If unset, Azure managed identities will be used + # for authentication instead. + # CLI flag: -.azure.account-key + [account_key: | default = ""] + + # If `connection-string` is set, the value of `endpoint-suffix` will not be + # used. Use this method over `account-key` if you need to authenticate via a + # SAS token. Or if you use the Azurite emulator. + # CLI flag: -.azure.connection-string + [connection_string: | default = ""] + + # Azure storage container name + # CLI flag: -.azure.container-name + [container_name: | default = ""] + + # Azure storage endpoint suffix without schema. The account name will be + # prefixed to this value to create the FQDN. If set to empty string, default + # endpoint suffix is used. + # CLI flag: -.azure.endpoint-suffix + [endpoint_suffix: | default = ""] + + # Number of retries for recoverable errors + # CLI flag: -.azure.max-retries + [max_retries: | default = 20] + + # User assigned managed identity. If empty, then System assigned identity is + # used. 
+ # CLI flag: -.azure.user-assigned-id + [user_assigned_id: | default = ""] + + # Delimiter used to replace ':' in chunk IDs when storing chunks + # CLI flag: -.azure.chunk-delimiter + [chunk_delimiter: | default = "-"] + +swift: + # OpenStack Swift application credential id + # CLI flag: -.swift.application-credential-id + [application_credential_id: | default = ""] + + # OpenStack Swift application credential name + # CLI flag: -.swift.application-credential-name + [application_credential_name: | default = ""] + + # OpenStack Swift application credential secret + # CLI flag: -.swift.application-credential-secret + [application_credential_secret: | default = ""] + + # OpenStack Swift authentication API version. 0 to autodetect. + # CLI flag: -.swift.auth-version + [auth_version: | default = 0] + + # OpenStack Swift authentication URL + # CLI flag: -.swift.auth-url + [auth_url: | default = ""] + + # OpenStack Swift username. + # CLI flag: -.swift.username + [username: | default = ""] + + # OpenStack Swift user's domain name. + # CLI flag: -.swift.user-domain-name + [user_domain_name: | default = ""] + + # OpenStack Swift user's domain ID. + # CLI flag: -.swift.user-domain-id + [user_domain_id: | default = ""] + + # OpenStack Swift user ID. + # CLI flag: -.swift.user-id + [user_id: | default = ""] + + # OpenStack Swift API key. + # CLI flag: -.swift.password + [password: | default = ""] + + # OpenStack Swift user's domain ID. + # CLI flag: -.swift.domain-id + [domain_id: | default = ""] + + # OpenStack Swift user's domain name. + # CLI flag: -.swift.domain-name + [domain_name: | default = ""] + + # OpenStack Swift project ID (v2,v3 auth only). + # CLI flag: -.swift.project-id + [project_id: | default = ""] + + # OpenStack Swift project name (v2,v3 auth only). + # CLI flag: -.swift.project-name + [project_name: | default = ""] + + # ID of the OpenStack Swift project's domain (v3 auth only), only needed if it + # differs the from user domain. 
+ # CLI flag: -.swift.project-domain-id + [project_domain_id: | default = ""] + + # Name of the OpenStack Swift project's domain (v3 auth only), only needed if + # it differs from the user domain. + # CLI flag: -.swift.project-domain-name + [project_domain_name: | default = ""] + + # OpenStack Swift Region to use (v2,v3 auth only). + # CLI flag: -.swift.region-name + [region_name: | default = ""] + + # Name of the OpenStack Swift container to put chunks in. + # CLI flag: -.swift.container-name + [container_name: | default = ""] + + # Max retries on requests error. + # CLI flag: -.swift.max-retries + [max_retries: | default = 3] + + # Time after which a connection attempt is aborted. + # CLI flag: -.swift.connect-timeout + [connect_timeout: | default = 10s] + + # Time after which an idle request is aborted. The timeout watchdog is reset + # each time some data is received, so the timeout triggers after X time no + # data is received on a request. + # CLI flag: -.swift.request-timeout + [request_timeout: | default = 5s] + + http: + # The time an idle connection will remain idle before closing. + # CLI flag: -.swift.http.idle-conn-timeout + [idle_conn_timeout: | default = 1m30s] + + # The amount of time the client will wait for a servers response headers. + # CLI flag: -.swift.http.response-header-timeout + [response_header_timeout: | default = 2m] + + # If the client connects via HTTPS and this option is enabled, the client + # will accept any certificate and hostname. + # CLI flag: -.swift.http.insecure-skip-verify + [insecure_skip_verify: | default = false] + + # Maximum time to wait for a TLS handshake. 0 means no limit. + # CLI flag: -.swift.tls-handshake-timeout + [tls_handshake_timeout: | default = 10s] + + # The time to wait for a server's first response headers after fully writing + # the request headers if the request has an Expect header. 0 to send the + # request body immediately. 
+ # CLI flag: -.swift.expect-continue-timeout + [expect_continue_timeout: | default = 1s] + + # Maximum number of idle (keep-alive) connections across all hosts. 0 means + # no limit. + # CLI flag: -.swift.max-idle-connections + [max_idle_connections: | default = 100] + + # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a + # built-in default value is used. + # CLI flag: -.swift.max-idle-connections-per-host + [max_idle_connections_per_host: | default = 100] + + # Maximum number of connections per host. 0 means no limit. + # CLI flag: -.swift.max-connections-per-host + [max_connections_per_host: | default = 0] + + # Path to the CA certificates to validate server certificate against. If not + # set, the host's root CA certificates are used. + # CLI flag: -.swift.http.tls-ca-path + [tls_ca_path: | default = ""] + + # Path to the client certificate, which will be used for authenticating with + # the server. Also requires the key path to be configured. + # CLI flag: -.swift.http.tls-cert-path + [tls_cert_path: | default = ""] + + # Path to the key for the client certificate. Also requires the client + # certificate to be configured. + # CLI flag: -.swift.http.tls-key-path + [tls_key_path: | default = ""] + + # Override the expected name on the server certificate. + # CLI flag: -.swift.http.tls-server-name + [tls_server_name: | default = ""] + +filesystem: + # Local filesystem storage directory. + # CLI flag: -.filesystem.dir + [dir: | default = ""] + +alibaba: + # Endpoint to connect to. + # CLI flag: -.oss.endpoint + [endpoint: | default = ""] + + # Name of OSS bucket. + # CLI flag: -.oss.bucketname + [bucket: | default = ""] + + # alibabacloud Access Key ID + # CLI flag: -.oss.access-key-id + [access_key_id: | default = ""] + + # alibabacloud Secret Access Key + # CLI flag: -.oss.access-key-secret + [access_key_secret: | default = ""] + +bos: + # Name of BOS bucket. 
+ # CLI flag: -.bos.bucket + [bucket: | default = ""] + + # BOS endpoint to connect to. + # CLI flag: -.bos.endpoint + [endpoint: | default = ""] + + # Baidu Cloud Engine (BCE) Access Key ID. + # CLI flag: -.bos.access-key + [access_key: | default = ""] + + # Baidu Cloud Engine (BCE) Secret Access Key. + # CLI flag: -.bos.secret-key + [secret_key: | default = ""] + +# Prefix for all objects stored in the backend storage. For simplicity, it may +# only contain digits and English alphabet letters. +# CLI flag: -.storage-prefix +[storage_prefix: | default = ""] +``` + ### tls_config The TLS configuration. The supported CLI flags `` used to reference this configuration block are: +- `bigtable` +- `blockbuilder.scheduler-grpc-client` +- `bloom-build.builder.grpc` +- `bloom-gateway-client.grpc` +- `bloom.metas-cache.memcached` +- `boltdb.shipper.index-gateway-client.grpc` +- `common.storage.ring.etcd` +- `compactor.grpc-client` +- `compactor.ring.etcd` +- `distributor.ring.etcd` +- `etcd` +- `frontend.grpc-client-config` +- `frontend.index-stats-results-cache.memcached` +- `frontend.instant-metric-results-cache.memcached` +- `frontend.label-results-cache.memcached` +- `frontend.memcached` +- `frontend.series-results-cache.memcached` - `frontend.tail-tls-config` +- `frontend.volume-results-cache.memcached` +- `index-gateway.ring.etcd` +- `ingester.client` +- `ingester.partition-ring.etcd` +- `memberlist` +- `pattern-ingester.client` +- `pattern-ingester.etcd` +- `querier.frontend-client` +- `querier.frontend-grpc-client` +- `querier.scheduler-grpc-client` +- `query-scheduler.grpc-client-config` +- `query-scheduler.ring.etcd` - `reporting.tls-config` +- `ruler.alertmanager-client` +- `ruler.client` +- `ruler.evaluation.query-frontend` +- `ruler.ring.etcd` +- `store.chunks-cache-l2.memcached` +- `store.chunks-cache.memcached` +- `store.index-cache-read.memcached` +- `store.index-cache-write.memcached` +- `tsdb.shipper.index-gateway-client.grpc`   
diff --git a/pkg/loki/common/common.go b/pkg/loki/common/common.go index cc280e19bd..5055cb2f9b 100644 --- a/pkg/loki/common/common.go +++ b/pkg/loki/common/common.go @@ -80,7 +80,7 @@ type Storage struct { Hedging hedging.Config `yaml:"hedging"` COS ibmcloud.COSConfig `yaml:"cos"` CongestionControl congestion.Config `yaml:"congestion_control,omitempty"` - ObjectStore bucket.Config `yaml:"object_store" doc:"hidden"` + ObjectStore bucket.Config `yaml:"object_store"` } func (s *Storage) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) { diff --git a/pkg/loki/loki.go b/pkg/loki/loki.go index 994afa94cc..1036702ad8 100644 --- a/pkg/loki/loki.go +++ b/pkg/loki/loki.go @@ -89,7 +89,7 @@ type Config struct { Frontend lokifrontend.Config `yaml:"frontend,omitempty"` QueryRange queryrange.Config `yaml:"query_range,omitempty"` Ruler ruler.Config `yaml:"ruler,omitempty"` - RulerStorage rulestore.Config `yaml:"ruler_storage,omitempty" doc:"hidden"` + RulerStorage rulestore.Config `yaml:"ruler_storage,omitempty"` IngesterClient ingester_client.Config `yaml:"ingester_client,omitempty"` Ingester ingester.Config `yaml:"ingester,omitempty"` BlockBuilder blockbuilder.Config `yaml:"block_builder,omitempty"` diff --git a/pkg/ruler/rulestore/config.go b/pkg/ruler/rulestore/config.go index 334e43de09..a4480bb112 100644 --- a/pkg/ruler/rulestore/config.go +++ b/pkg/ruler/rulestore/config.go @@ -2,7 +2,9 @@ package rulestore import ( "flag" + "fmt" "reflect" + "strings" "github.com/grafana/dskit/flagext" 
@@ -23,7 +25,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) { cfg.ExtraBackends = []string{local.Name} cfg.Local.RegisterFlagsWithPrefix(prefix, f) - f.StringVar(&cfg.Backend, prefix+"backend", "filesystem", "Backend storage to use. Supported backends are: s3, gcs, azure, swift, filesystem.") + f.StringVar(&cfg.Backend, prefix+"backend", "filesystem", fmt.Sprintf("Backend storage to use. Supported backends are: local, %s", strings.Join(bucket.SupportedBackends, ", "))) cfg.RegisterFlagsWithPrefix(prefix, f) } diff --git a/pkg/storage/factory.go b/pkg/storage/factory.go index e0477ab1e7..a80830de36 100644 --- a/pkg/storage/factory.go +++ b/pkg/storage/factory.go @@ -295,8 +295,8 @@ type Config struct { DisableBroadIndexQueries bool `yaml:"disable_broad_index_queries"` MaxParallelGetChunk int `yaml:"max_parallel_get_chunk"` - UseThanosObjstore bool `yaml:"use_thanos_objstore" doc:"hidden"` - ObjectStore bucket.ConfigWithNamedStores `yaml:"object_store" doc:"hidden"` + UseThanosObjstore bool `yaml:"use_thanos_objstore"` + ObjectStore bucket.ConfigWithNamedStores `yaml:"object_store"` MaxChunkBatchSize int `yaml:"max_chunk_batch_size"` BoltDBShipperConfig boltdb.IndexCfg `yaml:"boltdb_shipper" doc:"description=Configures storing index in an Object Store (GCS/S3/Azure/Swift/COS/Filesystem) in the form of boltdb files. Required fields only required when boltdb-shipper is defined in config."` diff --git a/tools/doc-generator/parse/parser.go b/tools/doc-generator/parse/parser.go index f565bf2dc9..524950cb6e 100644 --- a/tools/doc-generator/parse/parser.go +++ b/tools/doc-generator/parse/parser.go @@ -80,6 +80,7 @@ type ConfigEntry struct { Block *ConfigBlock BlockDesc string Root bool + Inline bool // In case the Kind is KindField FieldFlag string 
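Review bot: The new help text for `-ruler-storage.backend` hard-codes the word `local`, while two lines above in the same hunk the extra backend is taken from `local.Name`, so the two can drift apart if that constant changes. Building the list from the same source keeps the flag help and the generated docs in step: `strings.Join(append([]string{local.Name}, bucket.SupportedBackends...), ", ")`. The rewritten string also drops the trailing period the old text had, which appears in the regenerated configuration.md as a sentence without an end. `RegisterFlags` starts above this hunk.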
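Review bot: The added `Inline bool` field in `ConfigEntry` has no comment, and what it means can only be worked out by reading the parser and writer hunks of this commit together. A field comment would save the next reader that trip, for example `// Inline marks a root block whose fields are inlined into the parent; it is rendered as a bare block reference without a key.` The struct continues past the end of this hunk.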
@@ -228,7 +229,25 @@ func config(block *ConfigBlock, cfg interface{}, flags map[uintptr]*flag.Flag, r blocks = append(blocks, subBlock) } } else { - subBlock = block + // For inline fields, we still want to add them to the root blocks list + if isRoot { + subBlock = &ConfigBlock{ + Name: rootName, + Desc: getFieldDescription(cfg, field, rootDesc), + } + blocks = append(blocks, subBlock) + + // Add a field entry that references the root block + block.Add(&ConfigEntry{ + Kind: KindBlock, + Block: subBlock, + BlockDesc: subBlock.Desc, + Root: true, + Inline: true, + }) + } else { + subBlock = block + } } if field.Type.Kind() == reflect.Ptr { diff --git a/tools/doc-generator/parse/root_blocks.go b/tools/doc-generator/parse/root_blocks.go index 12d8b44d2a..b5c13e0109 100644 --- a/tools/doc-generator/parse/root_blocks.go +++ b/tools/doc-generator/parse/root_blocks.go @@ -30,11 +30,10 @@ import ( "github.com/grafana/loki/v3/pkg/querier/queryrange" querier_worker "github.com/grafana/loki/v3/pkg/querier/worker" "github.com/grafana/loki/v3/pkg/ruler" - "github.com/grafana/loki/v3/pkg/ruler/rulestore" "github.com/grafana/loki/v3/pkg/runtime" "github.com/grafana/loki/v3/pkg/scheduler" "github.com/grafana/loki/v3/pkg/storage" - "github.com/grafana/loki/v3/pkg/storage/bucket/gcs" + "github.com/grafana/loki/v3/pkg/storage/bucket" "github.com/grafana/loki/v3/pkg/storage/chunk/cache" "github.com/grafana/loki/v3/pkg/storage/chunk/client/alibaba" "github.com/grafana/loki/v3/pkg/storage/chunk/client/aws" 
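Review bot: The `ConfigEntry` added for an inline root block is built without a `Name`. The patched branch in `writeConfigEntry` tolerates that, but any other consumer that prints or keys on `e.Name` would see an empty string; this is inferred, since only the spec writer is visible in this commit. If the empty name is intentional, say so at the construction site with `// Name is left empty on purpose: an inline block has no YAML key of its own.` Separately, the new `else { if isRoot { … } else { … } }` nesting reads more directly as `} else if isRoot {` followed by a plain `} else {`. `config` begins and ends outside this hunk, so the non-inline root branch it mirrors is only partly visible.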
@@ -298,15 +297,9 @@ Named store from this example can be used by setting object_store to store-1 in Desc: "Define actions for matching OpenTelemetry (OTEL) attributes.", }, { - Name: "gcs_storage_backend", - StructType: []reflect.Type{reflect.TypeOf(gcs.Config{})}, - Desc: "The gcs_storage_backend block configures the connection to Google Cloud Storage object storage backend.", - }, - { - Name: "ruler_storage_config", - StructType: []reflect.Type{reflect.TypeOf(rulestore.Config{})}, - Desc: `The ruler_storage_config configures ruler storage backend. -It uses thanos-io/objstore clients for connecting to object storage backends. This will become the default way of configuring object store clients in future releases. + Name: "thanos_object_store_config", + StructType: []reflect.Type{reflect.TypeOf(bucket.Config{})}, + Desc: `The thanos_object_store_config block configures the connection to object storage backend using thanos-io/objstore clients. This will become the default way of configuring object store clients in future releases. Currently this is opt-in and takes effect only when ` + "`-use-thanos-objstore` " + "is set to true.", }, } diff --git a/tools/doc-generator/writer.go b/tools/doc-generator/writer.go index 7a04c891ed..58afa0ac2d 100644 --- a/tools/doc-generator/writer.go +++ b/tools/doc-generator/writer.go @@ -52,7 +52,11 @@ func (w *specWriter) writeConfigEntry(e *parse.ConfigEntry, indent int) (written } // Block reference without entries, because it's a root block - w.out.WriteString(pad(indent) + "[" + e.Name + ": <" + e.Block.Name + ">]\n") + if e.Inline { + w.out.WriteString(pad(indent) + "[<" + e.Block.Name + ">]\n") + } else { + w.out.WriteString(pad(indent) + "[" + e.Name + ": <" + e.Block.Name + ">]\n") + } } else { // Description w.writeComment(e.BlockDesc, indent, 0)
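Review bot: In the `writeConfigEntry` hunk the existing comment, "Block reference without entries, because it's a root block", now sits above two output shapes and explains only the keyed one. The inline form prints `[<block>]` with no key, which a reader of the generated YAML can mistake for a dropped field name. A short comment on the new branch would record the intent: `// Inline root block: its fields live at this level, so there is no key to print.` The function body starts and ends outside the hunk.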