Merge pull request #934 from lsst-it/IT-6060_deploy_loki_on_kueyen

(kueyen) Add Loki to Kueyen

Author: gseriche

fleet/lib/kube-prometheus-stack/aggregator/values.yaml

@@ -167,81 +167,13 @@ grafana:
           jsonData:
             handleGrafanaManagedAlerts: false
             implementation: prometheus
-        - name: logs-kube
-          type: grafana-opensearch-datasource
-          uid: os-logs-kube
-          basicAuth: true
-          basicAuthUser: $OS_LOGGING_USERNAME
-          url: https://opensearch.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+        - name: loki
+          type: loki
+          uid: loki
+          url: http://loki-gateway.loki
           access: proxy
           jsonData:
-            database: logs-kube*
-            flavor: opensearch
-            logLevelField: ""
-            logMessageField: log
-            maxConcurrentShardRequests: 5
-            oauthPassThru: true
-            pplEnabled: true
-            timeField: "@timestamp"
-            version: 2.11.0
-          secureJsonData:
-            basicAuthPassword: $OS_LOGGING_PASSWORD
-        - name: logs-hosts
-          type: grafana-opensearch-datasource
-          uid: os-logs-hosts
-          basicAuth: true
-          basicAuthUser: $OS_LOGGING_USERNAME
-          url: https://opensearch.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
-          access: proxy
-          jsonData:
-            database: logs-hosts*
-            flavor: opensearch
-            logLevelField: ""
-            logMessageField: message
-            maxConcurrentShardRequests: 5
-            oauthPassThru: true
-            pplEnabled: true
-            timeField: "@timestamp"
-            version: 2.11.0
-          secureJsonData:
-            basicAuthPassword: $OS_LOGGING_PASSWORD
-        - name: logs-firewall
-          type: grafana-opensearch-datasource
-          uid: os-logs-firewall
-          basicAuth: true
-          basicAuthUser: $OS_LOGGING_USERNAME
-          url: https://opensearch.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
-          access: proxy
-          jsonData:
-            database: logs-firewall*
-            flavor: opensearch
-            logLevelField: ""
-            logMessageField: message
-            maxConcurrentShardRequests: 5
-            oauthPassThru: true
-            pplEnabled: true
-            timeField: "@timestamp"
-            version: 2.11.0
-          secureJsonData:
-            basicAuthPassword: $OS_LOGGING_PASSWORD
-        - name: logs-network
-          type: grafana-opensearch-datasource
-          uid: os-logs-network
-          basicAuth: true
-          basicAuthUser: $OS_LOGGING_USERNAME
-          url: https://opensearch.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
-          access: proxy
-          jsonData:
-            database: logs-network*
-            flavor: opensearch
-            logLevelField: ""
-            logMessageField: message
-            maxConcurrentShardRequests: 5
-            oauthPassThru: true
-            pplEnabled: true
-            timeField: "@timestamp"
-            version: 2.11.0
-          secureJsonData:
-            basicAuthPassword: $OS_LOGGING_PASSWORD
-  envFromSecrets:
-    - name: grafana-opensearch-credentials
+            maxLines: 1000
+            httpMethod: POST
+            timeout: 60
+            timeInterval: 60s

fleet/lib/loki/fleet.yaml

@@ -0,0 +1,29 @@
+---
+# XXX automate provisioning of buckets and rgw user
+defaultNamespace: &name loki
+labels:
+  bundle: *name
+namespaceLabels:
+  lsst.io/discover: "true"
+helm:
+  chart: &chart loki
+  releaseName: *chart
+  repo: https://grafana.github.io/helm-charts
+  version: 6.30.1
+  timeoutSeconds: 600
+  waitForJobs: true
+  valuesFiles:
+    - values.yaml
+
+targetCustomizations:
+  - name: kueyen
+    clusterSelector:
+      matchExpressions:
+        - key: management.cattle.io/cluster-display-name
+          operator: In
+          values:
+            - kueyen
+    helm:
+      valuesFiles:
+        - overlays/kueyen/values.yaml
+        - overlays/rke2/values.yaml

fleet/lib/loki/overlays/kueyen/values.yaml

@@ -0,0 +1,50 @@
+loki:
+  storage:
+    s3:
+      endpoint: http://rook-ceph-rgw-o11y.rook-ceph.svc.cluster.local:80
+
+  limit_config:
+    query_timeout: 60s
+
+compactor:
+  replicas: 1
+  persistence:
+    enabled: true
+    storageClassName: rook-ceph-block
+
+ingester:
+  replicas: 1
+  persistence:
+    enabled: true
+    size: 15Gi
+    storageClassName: rook-ceph-block
+
+distributor:
+  replicas: 1
+
+querier:
+  replicas: 1
+
+queryFrontend:
+  replicas: 1
+
+queryScheduler:
+  replicas: 1
+
+indexGateway:
+  replicas: 1
+
+gateway:
+  service:
+    type: LoadBalancer
+    port: 80
+  ingress:
+    hosts:
+      - host: loki.kueyen.dev.lsst.org
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: loki-dashboard-ingress-tls
+        hosts:
+          - loki.kueyen.dev.lsst.org

fleet/lib/loki/overlays/rke2/values.yaml

@@ -0,0 +1,3 @@
+---
+global:
+  dnsService: rke2-coredns-rke2-coredns

fleet/lib/loki/values.yaml

@@ -0,0 +1,67 @@
+global:
+  extraEnvFrom:
+    - secretRef:
+        name: loki-s3
+
+loki:
+  image:
+    repository: grafana/loki
+  auth_enabled: false
+
+  storage:
+    type: s3
+    s3:
+      access_key_id: ${`${AWS_ACCESS_KEY_ID}`}
+      secret_access_key: ${`${AWS_SECRET_ACCESS_KEY}`}
+      s3ForcePathStyle: true
+      region: o11y
+    bucketNames:
+      chunks: logs-chunks
+      ruler: logs-ruler
+      admin: logs-admin
+
+  commonConfig:
+    replication_factor: 1
+
+  schemaConfig:
+    configs:
+      - from: "2025-03-01"
+        store: tsdb
+        object_store: s3
+        schema: v13
+        index:
+          prefix: loki_index_
+          period: 24h
+
+  compactor:
+    retention_enabled: true
+    retention_delete_delay: 2h
+    working_directory: /var/loki/compactor
+    delete_request_store: s3
+
+deploymentMode: Distributed
+
+gateway:
+  enabled: true
+  service:
+    type: LoadBalancer
+    port: 80
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt
+      nginx.ingress.kubernetes.io/backend-protocol: HTTP
+      nginx.ingress.kubernetes.io/client-body-buffer-size: 10m
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
+
+ruler:
+  enabled: false
+
+read:
+  replicas: 0
+write:
+  replicas: 0
+backend:
+  replicas: 0

fleet/lib/rook-ceph-conf/charts/kueyen/templates/obc-loki.yaml

@@ -0,0 +1,98 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: logs-chunks-storage
+  namespace: rook-ceph
+spec:
+  generateBucketName: logs-chunks-storage
+  storageClassName: lfa
+  additionalConfig:
+    bucketOwner: s3-loki
+    bucketPolicy: |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Sid": "AllowReadAccess",
+                  "Effect": "Allow",
+                  "Principal": {
+                      "AWS": "arn:aws:iam:::user/s3-loki"
+                  },
+                  "Action": [
+                      "s3:ListBucket",
+                      "s3:GetObject",
+                      "s3:GetObjectVersion"
+                  ],
+                  "Resource": [
+                      "arn:aws:s3:::logs-chunks-storage",
+                      "arn:aws:s3:::logs-chunks-storage/*"
+                  ]
+              }
+          ]
+      }
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: logs-ruler-storage
+  namespace: rook-ceph
+spec:
+  generateBucketName: logs-ruler-storage
+  storageClassName: lfa
+  additionalConfig:
+    bucketOwner: s3-loki
+    bucketPolicy: |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Sid": "AllowReadAccess",
+                  "Effect": "Allow",
+                  "Principal": {
+                      "AWS": "arn:aws:iam:::user/s3-loki"
+                  },
+                  "Action": [
+                      "s3:ListBucket",
+                      "s3:GetObject",
+                      "s3:GetObjectVersion"
+                  ],
+                  "Resource": [
+                      "arn:aws:s3:::logs-ruler-storage",
+                      "arn:aws:s3:::logs-ruler-storage/*"
+                  ]
+              }
+          ]
+      }
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: logs-admin-storage
+  namespace: rook-ceph
+spec:
+  generateBucketName: logs-admin-storage
+  storageClassName: lfa
+  additionalConfig:
+    bucketOwner: s3-loki
+    bucketPolicy: |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Sid": "AllowReadAccess",
+                  "Effect": "Allow",
+                  "Principal": {
+                      "AWS": "arn:aws:iam:::user/s3-loki"
+                  },
+                  "Action": [
+                      "s3:ListBucket",
+                      "s3:GetObject",
+                      "s3:GetObjectVersion"
+                  ],
+                  "Resource": [
+                      "arn:aws:s3:::logs-admin-storage",
+                      "arn:aws:s3:::logs-admin-storage/*"
+                  ]
+              }
+          ]
+      }

fleet/lib/rook-ceph-conf/charts/kueyen/templates/objectstoreuser-loki.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+  name: s3-loki
+  namespace: rook-ceph
+spec:
+  store: lfa
+  clusterNamespace: rook-ceph
+  quotas:
+    maxBuckets: 3
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: rook-ceph-object-user-lfa-loki
+  namespace: rook-ceph
+spec:
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: onepassword
+  selector:
+    secret:
+      name: rook-ceph-object-user-lfa-loki
+  data:
+    - match:
+        secretKey: AccessKey
+        remoteRef:
+          remoteKey: s3-loki
+          property: username
+    - match:
+        secretKey: SecretKey
+        remoteRef:
+          remoteKey: s3-loki
+          property: credential

fleet/s/dev/c/kueyen/loki

@@ -0,0 +1 @@
+../../../../lib/loki