mirror of https://github.com/grafana/loki
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
328 lines
8.1 KiB
328 lines
8.1 KiB
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
annotations:
|
|
serviceaccounts.openshift.io/oauth-redirectreference.grafana: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"grafana"}}'
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: logging-logs-reader
|
|
rules:
|
|
- apiGroups:
|
|
- loki.grafana.com
|
|
resourceNames:
|
|
- logs
|
|
resources:
|
|
- application
|
|
- infrastructure
|
|
- audit
|
|
verbs:
|
|
- get
|
|
- create
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
- list
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: logging-grafana-auth-delegator
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: logging-grafana-logs-reader
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: logging-logs-reader
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
config.ini: |
|
|
[analytics]
|
|
check_for_updates = false
|
|
reporting_enabled = false
|
|
[auth]
|
|
disable_login_form = true
|
|
disable_signout_menu = true
|
|
[auth.basic]
|
|
enabled = false
|
|
[auth.proxy]
|
|
auto_sign_up = true
|
|
enabled = true
|
|
header_name = X-Forwarded-User
|
|
[security]
|
|
admin_user = system:does-not-exist
|
|
cookie_secure = true
|
|
[users]
|
|
viewers_can_edit = true
|
|
default_theme = light
|
|
[log]
|
|
mode = console
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: grafana-config
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
loki.yaml: |
|
|
apiVersion: 1
|
|
datasources:
|
|
- name: Loki (Application)
|
|
isDefault: true
|
|
type: loki
|
|
access: proxy
|
|
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
|
|
jsonData:
|
|
tlsAuthWithCACert: true
|
|
httpHeaderName1: Authorization
|
|
secureJsonData:
|
|
tlsCACert: ${GATEWAY_SERVICE_CA}
|
|
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
|
|
- name: Loki (Infrastructure)
|
|
type: loki
|
|
access: proxy
|
|
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
|
|
jsonData:
|
|
tlsAuthWithCACert: true
|
|
httpHeaderName1: Authorization
|
|
secureJsonData:
|
|
tlsCACert: ${GATEWAY_SERVICE_CA}
|
|
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
|
|
- name: Loki (Audit)
|
|
type: loki
|
|
access: proxy
|
|
url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
|
|
jsonData:
|
|
tlsAuthWithCACert: true
|
|
httpHeaderName1: Authorization
|
|
secureJsonData:
|
|
tlsCACert: ${GATEWAY_SERVICE_CA}
|
|
httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: grafana-datasources
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
prepare-token.sh: |
|
|
#!/usr/bin/env bash
|
|
|
|
set -e -u -o pipefail
|
|
|
|
bearer_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
|
sed "s/\${GATEWAY_BEARER_TOKEN}/$bearer_token/g" /input/loki.yaml > /output/loki.yaml
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: grafana-init-scripts
|
|
namespace: openshift-logging
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
annotations:
|
|
service.alpha.openshift.io/serving-cert-secret-name: grafana-tls
|
|
labels:
|
|
app: grafana
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
spec:
|
|
ports:
|
|
- name: https
|
|
port: 8443
|
|
protocol: TCP
|
|
targetPort: https
|
|
- name: http-grafana
|
|
port: 3000
|
|
protocol: TCP
|
|
targetPort: http-grafana
|
|
selector:
|
|
app: grafana
|
|
sessionAffinity: None
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: grafana
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: grafana
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: grafana
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- -config=/etc/grafana/config.ini
|
|
env:
|
|
- name: GATEWAY_SERVICE_CA
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
key: service-ca.crt
|
|
name: openshift-service-ca.crt
|
|
- name: GATEWAY_ADDRESS
|
|
value: lokistack-dev-gateway-http.openshift-logging.svc:8080
|
|
- name: GF_PATHS_PROVISIONING
|
|
value: /var/lib/provisioning
|
|
- name: GF_SECURITY_ADMIN_USER
|
|
value: kube:admin
|
|
image: docker.io/grafana/grafana:8.5.6
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
tcpSocket:
|
|
port: 3000
|
|
timeoutSeconds: 1
|
|
name: grafana
|
|
ports:
|
|
- containerPort: 3000
|
|
name: http-grafana
|
|
protocol: TCP
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /robots.txt
|
|
port: 3000
|
|
scheme: HTTP
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 30
|
|
successThreshold: 1
|
|
timeoutSeconds: 2
|
|
resources:
|
|
requests:
|
|
cpu: 250m
|
|
memory: 256Mi
|
|
volumeMounts:
|
|
- mountPath: /etc/grafana
|
|
name: grafana-config
|
|
- mountPath: /var/lib/provisioning/datasources
|
|
name: patched-datasources
|
|
- mountPath: /var/lib/grafana
|
|
name: grafana
|
|
- mountPath: /etc/grafana/provisioning/datasources
|
|
name: grafana-datasources
|
|
- args:
|
|
- -provider=openshift
|
|
- -https-address=:8443
|
|
- -http-address=
|
|
- -upstream=http://localhost:3000
|
|
- -tls-cert=/etc/tls/private/tls.crt
|
|
- -tls-key=/etc/tls/private/tls.key
|
|
- -client-id=system:serviceaccount:openshift-logging:grafana
|
|
- -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
|
|
- -cookie-secret=ZXhhbXBsZS1jb29raWUtc2VjcmV0enp6
|
|
- -cookie-expire=24h
|
|
- -skip-provider-button
|
|
- -scope=user:info user:check-access user:list-projects
|
|
- -pass-access-token
|
|
env:
|
|
- name: HTTP_PROXY
|
|
- name: HTTPS_PROXY
|
|
- name: NO_PROXY
|
|
image: quay.io/openshift/origin-oauth-proxy:4.10
|
|
imagePullPolicy: IfNotPresent
|
|
name: grafana-proxy
|
|
ports:
|
|
- containerPort: 8443
|
|
name: https
|
|
protocol: TCP
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /oauth/healthz
|
|
port: https
|
|
scheme: HTTPS
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
resources:
|
|
requests:
|
|
cpu: 1m
|
|
memory: 20Mi
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
volumeMounts:
|
|
- mountPath: /etc/tls/private
|
|
name: secret-grafana-tls
|
|
initContainers:
|
|
- args:
|
|
- /usr/bin/bash
|
|
- -c
|
|
- /scripts/prepare-token.sh
|
|
image: docker.io/library/fedora:35
|
|
name: write-bearer-token
|
|
volumeMounts:
|
|
- mountPath: /scripts
|
|
name: grafana-init-scripts
|
|
- mountPath: /input
|
|
name: grafana-datasources
|
|
- mountPath: /output
|
|
name: patched-datasources
|
|
serviceAccountName: grafana
|
|
volumes:
|
|
- configMap:
|
|
name: grafana-config
|
|
name: grafana-config
|
|
- name: secret-grafana-tls
|
|
secret:
|
|
defaultMode: 420
|
|
secretName: grafana-tls
|
|
- configMap:
|
|
defaultMode: 493
|
|
name: grafana-init-scripts
|
|
name: grafana-init-scripts
|
|
- emptyDir: {}
|
|
name: patched-datasources
|
|
- configMap:
|
|
name: grafana-datasources
|
|
name: grafana-datasources
|
|
- emptyDir: {}
|
|
name: grafana
|
|
---
|
|
apiVersion: route.openshift.io/v1
|
|
kind: Route
|
|
metadata:
|
|
name: grafana
|
|
namespace: openshift-logging
|
|
spec:
|
|
port:
|
|
targetPort: https
|
|
tls:
|
|
insecureEdgeTerminationPolicy: Redirect
|
|
termination: reencrypt
|
|
to:
|
|
kind: Service
|
|
name: grafana
|
|
weight: 100
|
|
wildcardPolicy: None
|
|
|