From 70df6562313c433ff8cc7ef0e05292b8076cf25a Mon Sep 17 00:00:00 2001 From: Stephan Feurer Date: Sat, 21 Dec 2024 17:50:37 +0100 Subject: [PATCH] Migrate collector configuration --- class/defaults.yml | 12 +-- component/log_forwarder.libsonnet | 82 +++++++++++++++++++ .../openshift4-logging/20_subscriptions.yaml | 4 +- .../openshift4-logging/40_log_forwarder.yaml | 10 +++ .../40_log_forwarder_rbac.yaml | 63 ++++++++++++++ .../openshift4-logging/20_subscriptions.yaml | 2 +- .../openshift4-logging/40_log_forwarder.yaml | 10 +++ .../40_log_forwarder_rbac.yaml | 63 ++++++++++++++ .../openshift4-logging/20_subscriptions.yaml | 4 +- .../openshift4-logging/40_log_forwarder.yaml | 10 +++ .../40_log_forwarder_rbac.yaml | 63 ++++++++++++++ 11 files changed, 309 insertions(+), 14 deletions(-) create mode 100644 tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml create mode 100644 tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml create mode 100644 tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml diff --git a/class/defaults.yml b/class/defaults.yml index bcb6bcb..7717ca9 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -9,7 +9,7 @@ parameters: namespace: openshift-logging - version: '6.0' + version: '6.1' channel: 'stable-${openshift4_logging:version}' components: @@ -61,13 +61,8 @@ parameters: alerts: release: 'release-${openshift4_logging:version}' - ignore: - - ElasticsearchHighFileDescriptorUsage - - ElasticsearchOperatorCSVNotSuccessful - - FluentdQueueLengthIncreasing - patch: - FluentdQueueLengthIncreasing: - for: '12h' + ignore: [] + patch: {} operatorResources: clusterLogging: @@ -95,4 +90,3 @@ parameters: sleep_time: 2m openshift4_console: ${openshift4_logging:_openshift4_console:${openshift4_logging:components:lokistack:enabled}} - diff --git a/component/log_forwarder.libsonnet b/component/log_forwarder.libsonnet index c57d25f..f0efa91 100644 --- a/component/log_forwarder.libsonnet +++ b/component/log_forwarder.libsonnet @@ -20,6 +20,20 @@ local clusterLogForwarderSpec = { local infraPipeline = std.get(std.get(params.clusterLogForwarder, 'pipelines', {}), 'infrastructure-logs', {}), local auditPipeline = std.get(std.get(params.clusterLogForwarder, 'pipelines', {}), 'audit-logs', {}), + managementState: 'Managed', + collector: { + resources: { + requests: { + cpu: '20m', + memory: '400M', + }, + }, + tolerations: [ { + key: 'storagenode', + operator: 'Exists', + } ], + }, + serviceAccount: 'logcollector', inputs: {}, outputs: {}, pipelines: { @@ -71,10 +85,78 @@ local clusterLogForwarder = kube._Object('observability.openshift.io/v1', 'Clust spec: unfoldSpecs(clusterLogForwarderSpec), }; +// Collector ServiceAccount +// Create a ServiceAccount and ClusterRoleBindings for collector pods. +local rbac = [ + kube.ServiceAccount('logcollector') { + metadata+: { + annotations+: { + 'argocd.argoproj.io/sync-wave': '-50', + }, + namespace: params.namespace, + }, + }, + kube._Object('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', 'logcollector-application-logs') { + metadata+: { + annotations+: { + 'argocd.argoproj.io/sync-wave': '-50', + }, + namespace: params.namespace, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: 'collect-application-logs' + }, + subjects: [{ + kind: 'ServiceAccount', + name: 'logcollector', + namespace: params.namespace + }], + }, + kube._Object('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', 'logcollector-infrastructure-logs') { + metadata+: { + annotations+: { + 'argocd.argoproj.io/sync-wave': '-50', + }, + namespace: params.namespace, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: 'collect-infrastructure-logs' + }, + subjects: [{ + kind: 'ServiceAccount', + name: 'logcollector', + namespace: params.namespace + }], + }, + kube._Object('rbac.authorization.k8s.io/v1', 'ClusterRoleBinding', 'logcollector-audit-logs') { + metadata+: { + annotations+: { + 'argocd.argoproj.io/sync-wave': '-50', + }, + namespace: params.namespace, + }, + roleRef: { + apiGroup: 'rbac.authorization.k8s.io', + kind: 'ClusterRole', + name: 'collect-audit-logs' + }, + subjects: [{ + kind: 'ServiceAccount', + name: 'logcollector', + namespace: params.namespace + }], + }, +]; + // Define outputs below if forwarderEnabled then { '40_log_forwarder': clusterLogForwarder, + '40_log_forwarder_rbac': rbac, } else std.trace( diff --git a/tests/golden/defaults/openshift4-logging/openshift4-logging/20_subscriptions.yaml b/tests/golden/defaults/openshift4-logging/openshift4-logging/20_subscriptions.yaml index 5f550db..15b0b8c 100644 --- a/tests/golden/defaults/openshift4-logging/openshift4-logging/20_subscriptions.yaml +++ b/tests/golden/defaults/openshift4-logging/openshift4-logging/20_subscriptions.yaml @@ -8,7 +8,7 @@ metadata: name: cluster-logging namespace: openshift-logging spec: - channel: stable-6.0 + channel: stable-6.1 config: resources: limits: @@ -31,7 +31,7 @@ metadata: name: loki-operator namespace: openshift-operators-redhat spec: - channel: stable-6.0 + channel: stable-6.1 config: resources: limits: diff --git a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml index ae403ba..fc8cd78 100644 --- a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml +++ b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder.yaml @@ -8,6 +8,15 @@ metadata: name: instance namespace: openshift-logging spec: + collector: + resources: + requests: + cpu: 20m + memory: 400M + tolerations: + - key: storagenode + operator: Exists + managementState: Managed pipelines: - inputRefs: - application @@ -19,3 +28,4 @@ spec: name: infrastructure-logs outputRefs: - default + serviceAccount: logcollector diff --git a/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml new file mode 100644 index 0000000..cac68e1 --- /dev/null +++ b/tests/golden/defaults/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-application-logs + name: logcollector-application-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-application-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-infrastructure-logs + name: logcollector-infrastructure-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-infrastructure-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-audit-logs + name: logcollector-audit-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-audit-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging diff --git a/tests/golden/forwardingonly/openshift4-logging/openshift4-logging/20_subscriptions.yaml b/tests/golden/forwardingonly/openshift4-logging/openshift4-logging/20_subscriptions.yaml index a7f1a1d..9e42a78 100644 --- a/tests/golden/forwardingonly/openshift4-logging/openshift4-logging/20_subscriptions.yaml +++ b/tests/golden/forwardingonly/openshift4-logging/openshift4-logging/20_subscriptions.yaml @@ -8,7 +8,7 @@ metadata: name: cluster-logging namespace: openshift-logging spec: - channel: stable-6.0 + channel: stable-6.1 config: resources: limits: diff --git a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml index c0417ea..a754883 100644 --- a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml +++ b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder.yaml @@ -8,12 +8,21 @@ metadata: name: instance namespace: openshift-logging spec: + collector: + resources: + requests: + cpu: 20m + memory: 400M + tolerations: + - key: storagenode + operator: Exists inputs: - application: namespaces: - app-one - app-two name: my-apps + managementState: Managed outputs: - name: custom-forwarder type: syslog @@ -40,3 +49,4 @@ spec: outputRefs: - custom-forwarder parse: json + serviceAccount: logcollector diff --git a/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml new file mode 100644 index 0000000..cac68e1 --- /dev/null +++ b/tests/golden/master/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-application-logs + name: logcollector-application-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-application-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-infrastructure-logs + name: logcollector-infrastructure-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-infrastructure-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-audit-logs + name: logcollector-audit-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-audit-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging diff --git a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/20_subscriptions.yaml b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/20_subscriptions.yaml index 5f550db..15b0b8c 100644 --- a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/20_subscriptions.yaml +++ b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/20_subscriptions.yaml @@ -8,7 +8,7 @@ metadata: name: cluster-logging namespace: openshift-logging spec: - channel: stable-6.0 + channel: stable-6.1 config: resources: limits: @@ -31,7 +31,7 @@ metadata: name: loki-operator namespace: openshift-operators-redhat spec: - channel: stable-6.0 + channel: stable-6.1 config: resources: limits: diff --git a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml index 864adb9..df8698e 100644 --- a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml +++ b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder.yaml @@ -8,6 +8,15 @@ metadata: name: instance namespace: openshift-logging spec: + collector: + resources: + requests: + cpu: 20m + memory: 400M + tolerations: + - key: storagenode + operator: Exists + managementState: Managed pipelines: - detectMultilineErrors: true inputRefs: @@ -21,3 +30,4 @@ spec: name: infrastructure-logs outputRefs: - default + serviceAccount: logcollector diff --git a/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml new file mode 100644 index 0000000..cac68e1 --- /dev/null +++ b/tests/golden/multilineerr/openshift4-logging/openshift4-logging/40_log_forwarder_rbac.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-application-logs + name: logcollector-application-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-application-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-infrastructure-logs + name: logcollector-infrastructure-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-infrastructure-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + argocd.argoproj.io/sync-wave: '-50' + labels: + name: logcollector-audit-logs + name: logcollector-audit-logs + namespace: openshift-logging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: collect-audit-logs +subjects: + - kind: ServiceAccount + name: logcollector + namespace: openshift-logging