operator: Update Grafana and forwarding documentation (#6442)

pull/6450/head
Robert Jacob 4 years ago committed by GitHub
parent 8d6e2f0275
commit 56363801b6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 22
      operator/docs/forwarding_logs_to_gateway.md
  2. 47
      operator/hack/addon_grafana_gateway_ocp.yaml
  3. 49
      operator/hack/addon_grafana_gateway_ocp_oauth.yaml

@ -1,6 +1,6 @@
# Forwarding Logs to LokiStack
This document will describe how to send application, infrastructure, and audit logs to the Lokistack Gateway as different tenants using Promtail or Fluentd. The built-in gateway provides secure access to the distributor (and query-frontend) via consulting an OAuth/OIDC endpoint for the request subject.
This document will describe how to send application, infrastructure, and audit logs to the LokiStack Gateway as different tenants using Promtail or Fluentd. The built-in gateway provides secure access to the distributor (and query-frontend) via consulting an OAuth/OIDC endpoint for the request subject.
__Please read the [hacking guide](./hack_loki_operator.md) before proceeding with the following instructions.__
@ -37,7 +37,8 @@ _Note: While this document will only give instructions for two methods of log fo
```console
kubectl -n openshift-logging create secret generic lokistack-gateway-bearer-token \
--from-literal=token="/var/run/secrets/kubernetes.io/serviceaccount/token"
--from-literal=token="/var/run/secrets/kubernetes.io/serviceaccount/token" \
--from-literal=ca-bundle.crt="$(kubectl get cm lokistack-dev-ca-bundle -o json | jq -r '.data."service-ca.crt"')"
```
* Create the following `ClusterRole` and `ClusterRoleBinding` which will allow the cluster to authenticate the user(s) submitting the logs:
@ -178,13 +179,19 @@ To configure Promtail to send application, audit, and infrastructure logs, add t
clients:
- # ...
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/loki/api/v1/push
tls_config:
ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/loki/api/v1/push
- # ...
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
tls_config:
ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
- # ...
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/loki/api/v1/push
tls_config:
ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/loki/api/v1/push
```
The rest of the configuration can be configured to the developer's desire.
@ -199,8 +206,9 @@ The Fluentd configuration can be overrided to target the `application` endpoint
<match **>
@type loki
# ...
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token
ca_cert /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
url https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
</match>
```

@ -81,7 +81,7 @@ data:
mode = console
kind: ConfigMap
metadata:
name: grafana-config-mbkktkdhtm
name: grafana-config
namespace: openshift-logging
---
apiVersion: v1
@ -93,30 +93,36 @@ data:
isDefault: true
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/application/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
jsonData:
tlsAuthWithCACert: true
httpHeaderName1: Authorization
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
- name: Loki (Infrastructure)
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
jsonData:
tlsAuthWithCACert: true
httpHeaderName1: Authorization
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
- name: Loki (Audit)
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/audit/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
jsonData:
tlsAuthWithCACert: true
httpHeaderName1: Authorization
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
kind: ConfigMap
metadata:
name: grafana-datasources-hkh56t48tg
name: grafana-datasources
namespace: openshift-logging
---
apiVersion: v1
@ -130,7 +136,7 @@ data:
sed "s/\${GATEWAY_BEARER_TOKEN}/$bearer_token/g" /input/loki.yaml > /output/loki.yaml
kind: ConfigMap
metadata:
name: grafana-init-scripts-6mt2bg5dd8
name: grafana-init-scripts
namespace: openshift-logging
---
apiVersion: v1
@ -158,7 +164,7 @@ spec:
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
kind: Deployment
metadata:
labels:
app: grafana
@ -168,7 +174,6 @@ spec:
selector:
matchLabels:
app: grafana
serviceName: grafana
template:
metadata:
labels:
@ -178,13 +183,18 @@ spec:
- args:
- -config=/etc/grafana/config.ini
env:
- name: GATEWAY_SERVICE_CA
valueFrom:
configMapKeyRef:
key: service-ca.crt
name: openshift-service-ca.crt
- name: GATEWAY_ADDRESS
value: lokistack-dev-gateway-http.openshift-logging.svc:8080
- name: GF_PATHS_PROVISIONING
value: /var/lib/provisioning
- name: GF_SECURITY_ADMIN_USER
value: kube:admin
image: docker.io/grafana/grafana:8.5.2
image: docker.io/grafana/grafana:8.5.6
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
@ -282,7 +292,7 @@ spec:
serviceAccountName: grafana
volumes:
- configMap:
name: grafana-config-mbkktkdhtm
name: grafana-config
name: grafana-config
- name: secret-grafana-tls
secret:
@ -290,24 +300,15 @@ spec:
secretName: grafana-tls
- configMap:
defaultMode: 493
name: grafana-init-scripts-6mt2bg5dd8
name: grafana-init-scripts
name: grafana-init-scripts
- emptyDir: {}
name: patched-datasources
- configMap:
name: grafana-datasources-hkh56t48tg
name: grafana-datasources
name: grafana-datasources
volumeClaimTemplates:
- metadata:
labels:
app: grafana
name: grafana
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- emptyDir: {}
name: grafana
---
apiVersion: route.openshift.io/v1
kind: Route
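Review bot: The `Loki (Infrastructure)` and `Loki (Audit)` datasources in the grafana-datasources ConfigMap now point at the application tenant. Both new `url` lines read `https://${GATEWAY_ADDRESS}/api/logs/v1/application/`, where the lines they replace ended in `/infrastructure/` and `/audit/`. As written, all three datasources query the same tenant path, so infrastructure and audit logs cannot be reached through the datasources named for them. The new lines should be `url: https://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/` and `url: https://${GATEWAY_ADDRESS}/api/logs/v1/audit/`, matching addon_grafana_gateway_ocp_oauth.yaml. The ConfigMap's `data` block begins outside the hunk.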

@ -76,7 +76,7 @@ data:
mode = console
kind: ConfigMap
metadata:
name: grafana-config-5kt2h4545b
name: grafana-config
namespace: openshift-logging
---
apiVersion: v1
@ -88,18 +88,30 @@ data:
isDefault: true
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/application/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
jsonData:
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
- name: Loki (Infrastructure)
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
jsonData:
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
- name: Loki (Audit)
type: loki
access: proxy
url: http://${GATEWAY_ADDRESS}/api/logs/v1/audit/
url: https://${GATEWAY_ADDRESS}/api/logs/v1/audit/
jsonData:
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: ${GATEWAY_SERVICE_CA}
kind: ConfigMap
metadata:
name: grafana-datasources-d9f6t65c72
name: grafana-datasources
namespace: openshift-logging
---
apiVersion: v1
@ -127,7 +139,7 @@ spec:
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
kind: Deployment
metadata:
labels:
app: grafana
@ -137,7 +149,6 @@ spec:
selector:
matchLabels:
app: grafana
serviceName: grafana
template:
metadata:
labels:
@ -147,11 +158,16 @@ spec:
- args:
- -config=/etc/grafana/config.ini
env:
- name: GATEWAY_SERVICE_CA
valueFrom:
configMapKeyRef:
key: service-ca.crt
name: openshift-service-ca.crt
- name: GATEWAY_ADDRESS
value: lokistack-dev-gateway-http.openshift-logging.svc:8080
- name: GF_SECURITY_ADMIN_USER
value: kube:admin
image: docker.io/grafana/grafana:8.5.2
image: docker.io/grafana/grafana:8.5.6
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
@ -234,26 +250,17 @@ spec:
serviceAccountName: grafana
volumes:
- configMap:
name: grafana-config-5kt2h4545b
name: grafana-config
name: grafana-config
- name: secret-grafana-tls
secret:
defaultMode: 420
secretName: grafana-tls
- configMap:
name: grafana-datasources-d9f6t65c72
name: grafana-datasources
name: grafana-datasources
volumeClaimTemplates:
- metadata:
labels:
app: grafana
name: grafana
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
- emptyDir: {}
name: grafana
---
apiVersion: route.openshift.io/v1
kind: Route
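Review bot: The bumped `image: docker.io/grafana/grafana:8.5.6` line in the Deployment's container spec still references a mutable tag, and with `imagePullPolicy: IfNotPresent` each node keeps whatever it first pulled under that tag. Pinning the digest makes the deployed content reproducible and reviewable: `image: docker.io/grafana/grafana:8.5.6@sha256:<digest of the 8.5.6 image>` (placeholder, to be filled in from the registry). The same line appears in addon_grafana_gateway_ocp.yaml. The container spec continues outside the hunk.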
