Merge pull request #164 from appuio/fix/logcollector-permission

Fix Logs not sent to LokiStack

component/log_forwarder.libsonnet

@@ -28,8 +28,34 @@ local clusterLogForwarderSpec = {
   },
   filters: {},
   inputs: {},
-  outputs: {},
-  pipelines: {},
+  outputs: {
+    [if lokiEnabled then 'default-lokistack']: {
+      type: 'lokiStack',
+      lokiStack: {
+        target: {
+          name: 'loki',
+          namespace: params.namespace,
+        },
+        authentication: {
+          token: {
+            from: 'serviceAccount',
+          },
+        },
+      },
+      tls: {
+        ca: {
+          key: 'service-ca.crt',
+          configMapName: 'openshift-service-ca.crt',
+        },
+      },
+    },
+  },
+  pipelines: {
+    [if lokiEnabled then 'default-lokistack']: {
+      outputRefs: [ 'default-lokistack' ],
+      inputRefs: [ 'application', 'infrastructure' ],
+    },
+  },
 } + com.makeMergeable(params.clusterLogForwarder);
 
 // Unfold objects into array for ClusterLogForwarder resource.
@@ -135,6 +161,24 @@ local rbac = [
       namespace: params.namespace,
     } ],
   },
+  if lokiEnabled then kube._Object('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', 'logcollector-log-writer') {
+    metadata+: {
+      annotations+: {
+        'argocd.argoproj.io/sync-wave': '-50',
+      },
+      namespace: params.namespace,
+    },
+    roleRef: {
+      apiGroup: 'rbac.authorization.k8s.io',
+      kind: 'ClusterRole',
+      name: 'logging-collector-logs-writer',
+    },
+    subjects: [ {
+      kind: 'ServiceAccount',
+      name: 'logcollector',
+      namespace: params.namespace,
+    } ],
+  },
 ];
 
 // Define outputs below

tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml

@@ -17,5 +17,26 @@ spec:
       - key: storagenode
         operator: Exists
   managementState: Managed
+  outputs:
+    - lokiStack:
+        authentication:
+          token:
+            from: serviceAccount
+        target:
+          name: loki
+          namespace: openshift-logging
+      name: default-lokistack
+      tls:
+        ca:
+          configMapName: openshift-service-ca.crt
+          key: service-ca.crt
+      type: lokiStack
+  pipelines:
+    - inputRefs:
+        - application
+        - infrastructure
+      name: default-lokistack
+      outputRefs:
+        - default-lokistack
   serviceAccount:
     name: logcollector

tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml

@@ -61,3 +61,21 @@ subjects:
   - kind: ServiceAccount
     name: logcollector
     namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-50'
+  labels:
+    name: logcollector-log-writer
+  name: logcollector-log-writer
+  namespace: openshift-logging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: logging-collector-logs-writer
+subjects:
+  - kind: ServiceAccount
+    name: logcollector
+    namespace: openshift-logging

tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml

@@ -30,13 +30,32 @@ spec:
   outputs:
     - name: custom-forwarder
       type: syslog
+    - lokiStack:
+        authentication:
+          token:
+            from: serviceAccount
+        target:
+          name: loki
+          namespace: openshift-logging
+      name: default-lokistack
+      tls:
+        ca:
+          configMapName: openshift-service-ca.crt
+          key: service-ca.crt
+      type: lokiStack
   pipelines:
     - name: application-logs
       outputRefs:
         - custom-forwarder
     - name: audit-logs
       outputRefs:
         - custom-forwarder
+    - inputRefs:
+        - application
+        - infrastructure
+      name: default-lokistack
+      outputRefs:
+        - default-lokistack
     - inputRefs:
         - my-apps
       name: my-apps

tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml

@@ -61,3 +61,21 @@ subjects:
   - kind: ServiceAccount
     name: logcollector
     namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-50'
+  labels:
+    name: logcollector-log-writer
+  name: logcollector-log-writer
+  namespace: openshift-logging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: logging-collector-logs-writer
+subjects:
+  - kind: ServiceAccount
+    name: logcollector
+    namespace: openshift-logging

tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml

@@ -17,9 +17,29 @@ spec:
       - key: storagenode
         operator: Exists
   managementState: Managed
+  outputs:
+    - lokiStack:
+        authentication:
+          token:
+            from: serviceAccount
+        target:
+          name: loki
+          namespace: openshift-logging
+      name: default-lokistack
+      tls:
+        ca:
+          configMapName: openshift-service-ca.crt
+          key: service-ca.crt
+      type: lokiStack
   pipelines:
     - detectMultilineErrors: true
       name: application-logs
       parse: json
+    - inputRefs:
+        - application
+        - infrastructure
+      name: default-lokistack
+      outputRefs:
+        - default-lokistack
   serviceAccount:
     name: logcollector

tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml

@@ -61,3 +61,21 @@ subjects:
   - kind: ServiceAccount
     name: logcollector
     namespace: openshift-logging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '-50'
+  labels:
+    name: logcollector-log-writer
+  name: logcollector-log-writer
+  namespace: openshift-logging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: logging-collector-logs-writer
+subjects:
+  - kind: ServiceAccount
+    name: logcollector
+    namespace: openshift-logging