diff --git a/operator/.bingo/Variables.mk b/operator/.bingo/Variables.mk
index c05de14bfd..4935526a4b 100644
--- a/operator/.bingo/Variables.mk
+++ b/operator/.bingo/Variables.mk
@@ -29,11 +29,11 @@ $(CONTROLLER_GEN): $(BINGO_DIR)/controller-gen.mod
 @echo "(re)installing $(GOBIN)/controller-gen-v0.10.0"
 @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=controller-gen.mod -o=$(GOBIN)/controller-gen-v0.10.0 "sigs.k8s.io/controller-tools/cmd/controller-gen"
-GEN_CRD_API_REFERENCE_DOCS := $(GOBIN)/gen-crd-api-reference-docs-v0.4.2
+GEN_CRD_API_REFERENCE_DOCS := $(GOBIN)/gen-crd-api-reference-docs-v0.0.3
 $(GEN_CRD_API_REFERENCE_DOCS): $(BINGO_DIR)/gen-crd-api-reference-docs.mod
 @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
- @echo "(re)installing $(GOBIN)/gen-crd-api-reference-docs-v0.4.2"
- @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=gen-crd-api-reference-docs.mod -o=$(GOBIN)/gen-crd-api-reference-docs-v0.4.2 "github.com/aminesnow/gen-crd-api-reference-docs"
+ @echo "(re)installing $(GOBIN)/gen-crd-api-reference-docs-v0.0.3"
+ @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=gen-crd-api-reference-docs.mod -o=$(GOBIN)/gen-crd-api-reference-docs-v0.0.3 "github.com/ViaQ/gen-crd-api-reference-docs"
 GOFUMPT := $(GOBIN)/gofumpt-v0.4.0
 $(GOFUMPT): $(BINGO_DIR)/gofumpt.mod
diff --git a/operator/.bingo/gen-crd-api-reference-docs.mod b/operator/.bingo/gen-crd-api-reference-docs.mod
index 1eddf57e49..975a7e6c72 100644
--- a/operator/.bingo/gen-crd-api-reference-docs.mod
+++ b/operator/.bingo/gen-crd-api-reference-docs.mod
@@ -2,4 +2,4 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 go 1.19
-require github.com/aminesnow/gen-crd-api-reference-docs v0.4.2
+require github.com/ViaQ/gen-crd-api-reference-docs v0.0.3
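Review bot: The new `@cd $(BINGO_DIR) && ... build -mod=mod -modfile=gen-crd-api-reference-docs.mod ...` line in the `$(GEN_CRD_API_REFERENCE_DOCS)` recipe of operator/.bingo/Variables.mk fetches the tool from a different module owner (`github.com/ViaQ/...` replacing `github.com/aminesnow/...`), and `-mod=mod` lets the go command add entries that are missing from `gen-crd-api-reference-docs.sum` at install time instead of stopping. The tool itself is pinned by the `h1:` line for v0.0.3 in that `.sum`; anything not listed there is resolved at download time, subject to the Go checksum database if it is enabled in the build environment. These files look bingo-generated, so rather than hand-editing the recipe I would add a CI step after tool installation such as `git diff --exit-code -- operator/.bingo`, so that any drift in the pinned module files fails the build. The `$(GEN_CRD_API_REFERENCE_DOCS)` rule is complete inside this hunk; the neighbouring `$(CONTROLLER_GEN)` and `$(GOFUMPT)` rules are cut by its edges.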
diff --git a/operator/.bingo/gen-crd-api-reference-docs.sum b/operator/.bingo/gen-crd-api-reference-docs.sum
index 9bc8f9e8e0..5fe3d4119d 100644
--- a/operator/.bingo/gen-crd-api-reference-docs.sum
+++ b/operator/.bingo/gen-crd-api-reference-docs.sum
@@ -1,14 +1,11 @@
-github.com/aminesnow/gen-crd-api-reference-docs v0.3.1 h1:IaijJi+CTTW5qPMkoGoqWAwfiOWrKg28PX/zpcneVbA=
-github.com/aminesnow/gen-crd-api-reference-docs v0.3.1/go.mod h1:7J+YZ/5vg1ipvcSA6xvG/yf2elOooX76hY+djHUJRKQ=
-github.com/aminesnow/gen-crd-api-reference-docs v0.4.0 h1:E4oz6CT1ZXQ2Bjkge79Fv9PYvc53dyZ+PeAdOgK5CLY=
-github.com/aminesnow/gen-crd-api-reference-docs v0.4.0/go.mod h1:+rKY73OjTIruf1SSjNEX/BQ0giZs7HnDVGRLk6lNVWQ=
-github.com/aminesnow/gen-crd-api-reference-docs v0.4.2 h1:De+lkI8HzPr4wp7wTteKYqvOVKduLmMkDVsHmT4Lg34=
-github.com/aminesnow/gen-crd-api-reference-docs v0.4.2/go.mod h1:1cYMS+Yggurk7ZNmsn9B7IagUhZ9jmLAsThYW/111Q4=
+github.com/ViaQ/gen-crd-api-reference-docs v0.0.2 h1:OVI5SfpuPo/TTANkqiJvNf+qUWE50+DvhbQC12e3ogk=
+github.com/ViaQ/gen-crd-api-reference-docs v0.0.2/go.mod h1:WxpfZG1IGqhtLb0yM4e0Bl7K8VVmg4FAvQkd3x2R660=
+github.com/ViaQ/gen-crd-api-reference-docs v0.0.3 h1:ChSn0sz5GEkVkjart0RlyeHtuI2ahufu3qyvyjksDq0=
+github.com/ViaQ/gen-crd-api-reference-docs v0.0.3/go.mod h1:WxpfZG1IGqhtLb0yM4e0Bl7K8VVmg4FAvQkd3x2R660=
 github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 k8s.io/gengo v0.0.0-20201203183100-97869a43a9d9 h1:1bLA4Agvs1DILmc+q2Bbcqjx6jOHO7YEFA+G+0aTZoc=
-k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 h1:iu3o/SxaHVI7tKPtkGzD3M9IzrE21j+CUKH98NQJ8Ms=
 k8s.io/klog v0.2.0 h1:0ElL0OHzF3N+OhoJTL0uca20SxtYt4X4+bzHeqrB83c=
 k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
diff --git a/operator/.bingo/variables.env b/operator/.bingo/variables.env
index 09177b49c6..122010d764 100644
--- a/operator/.bingo/variables.env
+++ b/operator/.bingo/variables.env
@@ -12,7 +12,7 @@ BINGO="${GOBIN}/bingo-v0.7.0"
 CONTROLLER_GEN="${GOBIN}/controller-gen-v0.10.0"
-GEN_CRD_API_REFERENCE_DOCS="${GOBIN}/gen-crd-api-reference-docs-v0.4.2"
+GEN_CRD_API_REFERENCE_DOCS="${GOBIN}/gen-crd-api-reference-docs-v0.0.3"
 GOFUMPT="${GOBIN}/gofumpt-v0.4.0"
diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
index bb561caf82..34ffe82f46 100644
--- a/operator/CHANGELOG.md
+++ b/operator/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Main
+- [7716](https://github.com/grafana/loki/pull/7716) **aminesnow**: Migrate API docs generation tool
 - [7710](https://github.com/grafana/loki/pull/7710) **periklis**: Fix LokiStackController watches for cluster-scoped resources
 - [7682](https://github.com/grafana/loki/pull/7682) **periklis**: Refactor cluster proxy to use configv1.Proxy on OpenShift
 - [7711](https://github.com/grafana/loki/pull/7711) **Red-GV**: Remove default value from replicationFactor field
diff --git a/operator/docs/operator/api.md b/operator/docs/operator/api.md
index 7854f64e3b..ebd229b1b9 100644
--- a/operator/docs/operator/api.md
+++ b/operator/docs/operator/api.md
@@ -132,6 +132,72 @@ OPASpec +## ClusterProxy { #loki-grafana-com-v1-ClusterProxy } +
+(Appears on:LokiStackSpec) +
+ClusterProxy is the Proxy configuration when the cluster is behind a Proxy.
+| Field | +Description | +
|---|---|
+httpProxy+ +string + + |
+
+(Optional)
+ HTTPProxy configures the HTTP_PROXY/http_proxy env variable. + |
+
+httpsProxy+ +string + + |
+
+(Optional)
+ HTTPSProxy configures the HTTPS_PROXY/https_proxy env variable. + |
+
+noProxy+ +string + + |
+
+(Optional)
+ NoProxy configures the NO_PROXY/no_proxy env variable. + |
+
+readVarsFromEnv+ +bool + + |
+
+(Optional)
+ ReadVarsFromEnv defines a flag to use Operator-lib provides a helper function + |
+
(Appears on:LimitsTemplateSpec) @@ -604,7 +670,10 @@ PodStatusMap
"FailedComponents"
"FailedCertificateRotation"
ReasonFailedCertificateRotation when the reconciler cannot rotate any of the required TLS certificates.
+"FailedComponents"
ReasonFailedComponents when all/some LokiStack components fail to roll out.
"InvalidGatewayTenantSecret"
proxyProxy defines the spec for the object proxy to configure cluster proxy information.
+replicationFactorstreams+(Appears on:RetentionLimitSpec) +
RetentionStreamSpec defines a log stream with separate retention time.
+(Appears on:AlertingRuleSpec) +
AlertingRuleGroup defines a group of Loki alerting rules.
rules+(Appears on:AlertingRuleGroup) +
AlertingRuleGroupSpec defines the spec for a Loki alerting rule.
groups+(Appears on:RecordingRuleSpec) +
RecordingRuleGroup defines a group of Loki recording rules.
rules+(Appears on:RecordingRuleGroup) +
RecordingRuleGroupSpec defines the spec for a Loki recording rule.
groups+(Appears on:FeatureGates) +
+BuiltInCertManagement is the configuration for the built-in facility to generate and rotate +TLS client and serving certificates for all LokiStack services and internal clients except +for the lokistack-gateway.
+| Field | +Description | +
|---|---|
+enabled+ +bool + + |
+
+ Enabled defines to flag to enable/disable built-in certificate management feature gate. + |
+
+caValidity+ +string + + |
+
+ CACertValidity defines the total duration of the CA certificate validity. + |
+
+caRefresh+ +string + + |
+
+ CACertRefresh defines the duration of the CA certificate validity until a rotation +should happen. It can be set up to 80% of CA certificate validity or equal to the +CA certificate validity. Latter should be used only for rotating only when expired. + |
+
+certValidity+ +string + + |
+
+ CertValidity defines the total duration of the validity for all LokiStack certificates. + |
+
+certRefresh+ +string + + |
+
+ CertRefresh defines the duration of the certificate validity until a rotation +should happen. It can be set up to 80% of certificate validity or equal to the +certificate validity. Latter should be used only for rotating only when expired. +The refresh is applied to all LokiStack certificates at once. + |
+
(Appears on:ProjectConfig)
@@ -104,6 +184,28 @@ suffix -ca-bundle, e.g. lokistack-dev-ca-bundle and th
builtInCertManagementBuiltInCertManagement enables the built-in facility for generating and rotating
+TLS client and serving certificates for all LokiStack services and internal clients except
+for the lokistack-gateway, In detail all internal Loki HTTP and GRPC communication is lifted
+to require mTLS. For the lokistack-gateay you need to provide a secret with or use the ServingCertsService
+on OpenShift:
+- tls.crt: The TLS server side certificate.
+- tls.key: The TLS key for server-side encryption.
+In addition each service requires a configmap named as the LokiStack CR with the
+suffix -ca-bundle, e.g. lokistack-dev-ca-bundle and the following data:
+- service-ca.crt: The CA signing the service certificate in tls.crt.
lokiStackGatewayServingCertsService enables OpenShift service-ca annotations on Services +
ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only to use the in-platform CA and generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html
@@ -288,6 +390,8 @@ boolClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy
+