From 35285d397854f9c7fdeb3ec536b5c1b2cd8cb1d1 Mon Sep 17 00:00:00 2001
From: Stephan Feurer
Date: Wed, 15 Jan 2025 12:11:51 +0100
Subject: [PATCH] Fix Logs not sent to LokiStack
The ClusterLogForwarder did not have the definitions and permissions to insert logs into the builtin Loki Stack.
---
 component/log_forwarder.libsonnet | 48 ++++++++++++++++++-
 .../openshift4-logging/40_log_forwarder.yaml | 21 ++++++++
 .../40_log_forwarder_rbac.yaml | 18 +++++++
 .../openshift4-logging/40_log_forwarder.yaml | 19 ++++++++
 .../40_log_forwarder_rbac.yaml | 18 +++++++
 .../openshift4-logging/40_log_forwarder.yaml | 20 ++++++++
 .../40_log_forwarder_rbac.yaml | 18 +++++++
 7 files changed, 160 insertions(+), 2 deletions(-)
diff --git a/component/log_forwarder.libsonnet b/component/log_forwarder.libsonnet
index d2fa8a5..cd66f50 100644
--- a/component/log_forwarder.libsonnet
+++ b/component/log_forwarder.libsonnet
@@ -28,8 +28,34 @@ local clusterLogForwarderSpec = {
 },
 filters: {},
 inputs: {},
- outputs: {},
- pipelines: {},
+ outputs: {
+ [if lokiEnabled then 'default-lokistack']: {
+ type: 'lokiStack',
+ lokiStack: {
+ target: {
+ name: 'loki',
+ namespace: params.namespace,
+ },
+ authentication: {
+ token: {
+ from: 'serviceAccount',
+ },
+ },
+ },
+ tls: {
+ ca: {
+ key: 'service-ca.crt',
+ configMapName: 'openshift-service-ca.crt',
+ },
+ },
+ },
+ },
+ pipelines: {
+ [if lokiEnabled then 'default-lokistack']: {
+ outputRefs: [ 'default-lokistack' ],
+ inputRefs: [ 'application', 'infrastructure'],
+ },
+ },
 } + com.makeMergeable(params.clusterLogForwarder);
 // Unfold objects into array for ClusterLogForwarder resource.
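Review bot: The `default-lokistack` pipeline lists only `'application'` and `'infrastructure'` in `inputRefs`, so audit logs are not forwarded to the built-in LokiStack by this default, and nothing in the hunk says whether that omission is intended. If it is, a comment above the pipeline would record the decision, e.g. `// audit logs are not sent to the built-in LokiStack by default; add a pipeline via params.clusterLogForwarder if they must be retained there`. The name `'default-lokistack'` is also repeated as a literal in the output key, the pipeline key and `outputRefs`; a single `local` would keep the three from drifting apart. `clusterLogForwarderSpec` starts before this hunk.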
@@ -135,6 +161,24 @@ local rbac = [
 namespace: params.namespace,
 } ],
 },
+ if lokiEnabled then kube._Object('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', 'logcollector-log-writer') {
+ metadata+: {
+ annotations+: {
+ 'argocd.argoproj.io/sync-wave': '-50',
+ },
+ namespace: params.namespace,
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'logcollector-log-writer',
+ },
+ subjects: [ {
+ kind: 'ServiceAccount',
+ name: 'logcollector',
+ namespace: params.namespace,
+ } ],
+ },
 ];
 // Define outputs below
diff --git a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
index 3fcb1dd..cee6405 100644
--- a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
+++ b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
@@ -17,5 +17,26 @@ spec:
 - key: storagenode
 operator: Exists
 managementState: Managed
+ outputs:
+ - lokiStack:
+ authentication:
+ token:
+ from: serviceAccount
+ target:
+ name: loki
+ namespace: openshift-logging
+ name: default-lokistack
+ tls:
+ ca:
+ configMapName: openshift-service-ca.crt
+ key: service-ca.crt
+ type: lokiStack
+ pipelines:
+ - inputRefs:
+ - application
+ - infrastructure
+ name: default-lokistack
+ outputRefs:
+ - default-lokistack
 serviceAccount:
 name: logcollector
diff --git a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
index cac68e1..752b057 100644
--- a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
+++ b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
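Review bot: In the `logcollector-log-writer` ClusterRoleBinding added to `rbac` in component/log_forwarder.libsonnet, `namespace: params.namespace` is set under `metadata+`, but a ClusterRoleBinding is cluster-scoped, so the field has no meaning there and is carried into the rendered manifests as `namespace: openshift-logging`; I would drop that line and keep the namespace only on the `subjects` entry. The `roleRef` points at a ClusterRole named `logcollector-log-writer` that none of the visible hunks create, and Kubernetes accepts a binding to a role that does not exist, so it is worth confirming the role is defined elsewhere, otherwise the collector would still lack write access. With `lokiEnabled` false the `if` without `else` evaluates to `null` inside the array, which is fine only if `rbac` is filtered for nulls outside this hunk. The `rbac` array starts before and continues after the hunk.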
@@ -61,3 +61,21 @@ subjects:
 - kind: ServiceAccount
 name: logcollector
 namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-50'
+ labels:
+ name: logcollector-log-writer
+ name: logcollector-log-writer
+ namespace: openshift-logging
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: logcollector-log-writer
+subjects:
+ - kind: ServiceAccount
+ name: logcollector
+ namespace: openshift-logging
diff --git a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
index 10ef1ea..96c65b7 100644
--- a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
+++ b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
@@ -30,6 +30,19 @@ spec:
 outputs:
 - name: custom-forwarder
 type: syslog
+ - lokiStack:
+ authentication:
+ token:
+ from: serviceAccount
+ target:
+ name: loki
+ namespace: openshift-logging
+ name: default-lokistack
+ tls:
+ ca:
+ configMapName: openshift-service-ca.crt
+ key: service-ca.crt
+ type: lokiStack
 pipelines:
 - name: application-logs
 outputRefs:
@@ -37,6 +50,12 @@ spec:
 - name: audit-logs
 outputRefs:
 - custom-forwarder
+ - inputRefs:
+ - application
+ - infrastructure
+ name: default-lokistack
+ outputRefs:
+ - default-lokistack
 - inputRefs:
 - my-apps
 name: my-apps
diff --git a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
index cac68e1..752b057 100644
--- a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
+++ b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
@@ -61,3 +61,21 @@ subjects:
 - kind: ServiceAccount
 name: logcollector
 namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-50'
+ labels:
+ name: logcollector-log-writer
+ name: logcollector-log-writer
+ namespace: openshift-logging
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: logcollector-log-writer
+subjects:
+ - kind: ServiceAccount
+ name: logcollector
+ namespace: openshift-logging
diff --git a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
index b74ce8f..2ff4093 100644
--- a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
+++ b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml
@@ -17,9 +17,29 @@ spec:
 - key: storagenode
 operator: Exists
 managementState: Managed
+ outputs:
+ - lokiStack:
+ authentication:
+ token:
+ from: serviceAccount
+ target:
+ name: loki
+ namespace: openshift-logging
+ name: default-lokistack
+ tls:
+ ca:
+ configMapName: openshift-service-ca.crt
+ key: service-ca.crt
+ type: lokiStack
 pipelines:
 - detectMultilineErrors: true
 name: application-logs
 parse: json
+ - inputRefs:
+ - application
+ - infrastructure
+ name: default-lokistack
+ outputRefs:
+ - default-lokistack
 serviceAccount:
 name: logcollector
diff --git a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
index cac68e1..752b057 100644
--- a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
+++ b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml
@@ -61,3 +61,21 @@ subjects:
 - kind: ServiceAccount
 name: logcollector
 namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '-50'
+ labels:
+ name: logcollector-log-writer
+ name: logcollector-log-writer
+ namespace: openshift-logging
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: logcollector-log-writer
+subjects:
+ - kind: ServiceAccount
+ name: logcollector
+ namespace: openshift-logging