Documentation ¶
Index ¶
- Variables
- func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule)
- func BuildAlertManagerCAConfigMap(opts Options) *corev1.ConfigMap
- func BuildCredentialsRequest(opts Options) (*cloudcredentialv1.CredentialsRequest, error)
- func BuildDashboards(operatorNs string) ([]client.Object, error)
- func BuildGatewayCAConfigMap(opts Options) *corev1.ConfigMap
- func BuildGatewayClusterRole(opts Options) *rbacv1.ClusterRole
- func BuildGatewayClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
- func BuildGatewayObjects(opts Options) []client.Object
- func BuildGatewayTenantModeObjects(opts Options) []client.Object
- func BuildMonitoringRole(opts Options) *rbacv1.Role
- func BuildMonitoringRoleBinding(opts Options) *rbacv1.RoleBinding
- func BuildRoute(opts Options) client.Object
- func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole
- func BuildRulerClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
- func BuildRulerObjects(opts Options) []client.Object
- func BuildRulerServiceAccount(opts Options) client.Object
- func ConfigureGatewayDeployment(d *appsv1.Deployment, mode lokiv1.ModeType, secretVolumeName, tlsDir string, ...) error
- func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName string) error
- func ConfigureGatewayService(s *corev1.ServiceSpec) error
- func ConfigureGatewayServiceMonitor(sm *monitoringv1.ServiceMonitor, withTLS bool) error
- func ConfigureOptions(configOpt *config.Options, am, uwam bool, ...) error
- func ConfigureRulerStatefulSet(ss *appsv1.StatefulSet, alertmanagerCABundleName string, ...) error
- func GetTenants(mode lokiv1.ModeType) []string
- func RecordingRuleTenantLabels(r *lokiv1.RecordingRule)
- func ServiceAccountAnnotations(opts Options) map[string]string
- type AuthenticationSpec
- type AuthorizationSpec
- type BuildOptions
- type Options
- type TenantData
Constants ¶
This section is empty.
Variables ¶
// NOTE(review): these values are declared with var, not const, so any
// importing package can reassign them at runtime. They name sidecar ports,
// service-CA annotation keys and the monitoring namespace/services, so treat
// them as read-only. Whether any caller relies on overriding them is not
// visible here; if none does, const would rule out accidental mutation.
var (
	// GatewayOPAHTTPPort is the HTTP port of the OpenPolicyAgent sidecar.
	GatewayOPAHTTPPort int32 = 8082
	// GatewayOPAInternalPort is the HTTP metrics port of the OpenPolicyAgent sidecar.
	GatewayOPAInternalPort int32 = 8083

	// GatewayOPAHTTPPortName is the HTTP container port name of the OpenPolicyAgent sidecar.
	GatewayOPAHTTPPortName = "public"
	// GatewayOPAInternalPortName is the HTTP container metrics port name of the OpenPolicyAgent sidecar.
	GatewayOPAInternalPortName = "opa-metrics"

	// ServingCertKey is the annotation key for services used by the
	// cert-signing service to create a new key/cert pair signed
	// by the service CA stored in a secret with the same name
	// as the annotated service.
	ServingCertKey = "service.beta.openshift.io/serving-cert-secret-name"
	// InjectCABundleKey is the annotation key for configmaps used by the
	// cert-signing service to inject the service CA into the annotated
	// configmap.
	InjectCABundleKey = "service.beta.openshift.io/inject-cabundle"

	// MonitoringNS is the namespace containing cluster monitoring objects such as alertmanager.
	MonitoringNS = "openshift-monitoring"
	// MonitoringSVCMain is the name of the alertmanager main service used for alerts.
	MonitoringSVCMain = "alertmanager-main"
	// MonitoringSVCOperated is the name of the alertmanager operator service used for alerts.
	MonitoringSVCOperated = "alertmanager-operated"

	// MonitoringSVCUserWorkload is, by analogy with MonitoringSVCMain, the
	// name of the user-workload alertmanager service — TODO confirm.
	MonitoringSVCUserWorkload = "alertmanager-user-workload"
	// MonitoringUserWorkloadNS is, by analogy with MonitoringNS, the namespace
	// containing the user-workload monitoring objects — TODO confirm.
	MonitoringUserWorkloadNS = "openshift-user-workload-monitoring"
)
Functions ¶
func AlertingRuleTenantLabels ¶
func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule)
func BuildAlertManagerCAConfigMap ¶
BuildAlertManagerCAConfigMap returns a k8s configmap for the LokiStack alertmanager serviceCA configmap. This configmap is used to configure the ruler to verify AlertManager TLS certificates.
func BuildCredentialsRequest ¶ added in v0.6.0
func BuildCredentialsRequest(opts Options) (*cloudcredentialv1.CredentialsRequest, error)
func BuildDashboards ¶ added in v0.5.0
func BuildGatewayCAConfigMap ¶
BuildGatewayCAConfigMap returns a k8s configmap for the LokiStack serviceCA configmap. This configmap is used to configure the gateway and components to verify TLS certificates.
func BuildGatewayClusterRole ¶
func BuildGatewayClusterRole(opts Options) *rbacv1.ClusterRole
BuildGatewayClusterRole returns a k8s ClusterRole object for the lokistack gateway serviceaccount to allow creating:
- TokenReviews to authenticate the user by bearer token.
- SubjectAccessReviews to authorize the user by bearer token, i.e. to check whether the user has access to read/create logs.
func BuildGatewayClusterRoleBinding ¶
func BuildGatewayClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
BuildGatewayClusterRoleBinding returns a k8s ClusterRoleBinding object for the lokistack gateway serviceaccount to grant access to:
- rbac.authentication.k8s.io/TokenReviews
- rbac.authorization.k8s.io/SubjectAccessReviews
func BuildGatewayObjects ¶
BuildGatewayObjects returns a list of auxiliary openshift/k8s objects for lokistack gateway deployments on OpenShift.
func BuildGatewayTenantModeObjects ¶
BuildGatewayTenantModeObjects returns a list of auxiliary openshift/k8s objects for lokistack gateway deployments on OpenShift for tenant modes:
- openshift-logging
- openshift-network
func BuildMonitoringRole ¶
BuildMonitoringRole returns a Role resource that defines list and watch access on pods, services and endpoints.
func BuildMonitoringRoleBinding ¶
func BuildMonitoringRoleBinding(opts Options) *rbacv1.RoleBinding
BuildMonitoringRoleBinding returns a RoleBinding resource that binds the OpenShift Cluster Monitoring Prometheus service account `prometheus-k8s` to the LokiStack namespace to allow discovering LokiStack owned pods, services and endpoints.
func BuildRoute ¶
BuildRoute builds an OpenShift route object for the LokiStack Gateway
func BuildRulerClusterRole ¶
func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole
BuildRulerClusterRole returns a k8s ClusterRole object for the lokistack ruler serviceaccount to allow patching, i.e. sending alerts to, alertmanagers.
func BuildRulerClusterRoleBinding ¶
func BuildRulerClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
BuildRulerClusterRoleBinding returns a k8s ClusterRoleBinding object for the lokistack ruler serviceaccount to grant access to alertmanagers.
func BuildRulerObjects ¶
BuildRulerObjects returns a list of auxiliary openshift/k8s objects for lokistack ruler deployments on OpenShift.
func BuildRulerServiceAccount ¶
BuildRulerServiceAccount returns a k8s object for the LokiStack Ruler serviceaccount. This ServiceAccount is used to authenticate and access the alertmanager host.
func ConfigureGatewayDeployment ¶
func ConfigureGatewayDeployment( d *appsv1.Deployment, mode lokiv1.ModeType, secretVolumeName, tlsDir string, minTLSVersion, ciphers string, withTLS bool, adminGroups []string, ) error
ConfigureGatewayDeployment merges an OpenPolicyAgent sidecar into the deployment spec. With this, the deployment will route authorization requests to the OpenShift apiserver through the sidecar. This function also forces the use of a TLS connection for the gateway.
func ConfigureGatewayDeploymentRulesAPI ¶
func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName string) error
ConfigureGatewayDeploymentRulesAPI merges CLI arguments into the gateway container that allow only Rules API access with a valid namespace input for the tenant application.
func ConfigureGatewayService ¶
func ConfigureGatewayService(s *corev1.ServiceSpec) error
ConfigureGatewayService merges the OpenPolicyAgent sidecar metrics port into the service spec. With this the metrics are exposed through the same service.
func ConfigureGatewayServiceMonitor ¶
func ConfigureGatewayServiceMonitor(sm *monitoringv1.ServiceMonitor, withTLS bool) error
ConfigureGatewayServiceMonitor merges the OpenPolicyAgent sidecar endpoint into the service monitor. With this cluster-monitoring prometheus can scrape the sidecar metrics.
func ConfigureOptions ¶
func ConfigureOptions(configOpt *config.Options, am, uwam bool, token, caPath, monitorServerName string) error
ConfigureOptions applies default configuration for the use of the cluster monitoring alertmanager.
func ConfigureRulerStatefulSet ¶
func ConfigureRulerStatefulSet( ss *appsv1.StatefulSet, alertmanagerCABundleName string, token, caDir, caPath string, monitorServerName, rulerContainerName string, ) error
ConfigureRulerStatefulSet configures the ruler to use the cluster monitoring alertmanager.
func GetTenants ¶
GetTenants returns the slice of all supported tenants for a specified mode.
func RecordingRuleTenantLabels ¶
func RecordingRuleTenantLabels(r *lokiv1.RecordingRule)
func ServiceAccountAnnotations ¶
ServiceAccountAnnotations returns a map of OpenShift specific routes for ServiceAccounts. Specifically, the serviceaccount will be annotated for each tenant with the OAuthRedirectReference to make the serviceaccount a valid oauth-client.
Types ¶
type AuthenticationSpec ¶
// AuthenticationSpec describes the authentication specification
// for a single tenant to authenticate its subjects through OpenShift Auth.
type AuthenticationSpec struct {
	// TenantName is the name of the tenant this spec applies to.
	TenantName string
	// TenantID is the identifier of the tenant; its format is not visible here.
	TenantID string
	// ServiceAccount is presumably the name of the serviceaccount acting as
	// the tenant's oauth-client — TODO confirm against the caller.
	ServiceAccount string
	// RedirectURL is presumably the OAuth redirect target for the tenant —
	// TODO confirm. NOTE(review): verify that callers derive it from trusted
	// cluster state rather than from user-controlled input.
	RedirectURL string
	// CookieSecret is secret material by name. NOTE(review): keep it out of
	// logs, events and status fields; how it is generated and where it is
	// persisted is not visible here.
	CookieSecret string
}
AuthenticationSpec describes the authentication specification for a single tenant to authenticate its subjects through OpenShift Auth.
type AuthorizationSpec ¶
// AuthorizationSpec describes the authorization specification for all tenants
// to authorize access for its subjects through the opa-openshift sidecar.
type AuthorizationSpec struct {
	// OPAUrl is presumably the URL the gateway uses to reach the
	// opa-openshift sidecar — TODO confirm. NOTE(review): the scheme and host
	// are not visible here; authorization decisions are only as trustworthy
	// as the endpoint this points at.
	OPAUrl string
}
AuthorizationSpec describes the authorization specification for all tenants to authorize access for its subjects through the opa-openshift sidecar.
type BuildOptions ¶
// BuildOptions represents the set of options required to build
// extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC)
// on openshift.
type BuildOptions struct {
	// LokiStackName is the name of the LokiStack the objects are built for.
	LokiStackName string
	// LokiStackNamespace is the namespace of that LokiStack.
	LokiStackNamespace string
	// GatewayName is the name of the lokistack gateway.
	GatewayName string
	// GatewaySvcName is the name of the gateway service.
	GatewaySvcName string
	// GatewaySvcTargetPort is a string, so presumably a named port on the
	// gateway service rather than a number — TODO confirm.
	GatewaySvcTargetPort string
	// GatewayRouteTimeout is a duration associated with the gateway route;
	// how it is derived and applied is not visible here.
	GatewayRouteTimeout time.Duration
	// RulerName is the name of the lokistack ruler.
	RulerName string
	// Labels is a set of labels, presumably applied to the built objects —
	// TODO confirm.
	Labels map[string]string
	// AlertManagerEnabled presumably toggles use of the cluster monitoring
	// alertmanager — TODO confirm.
	AlertManagerEnabled bool
	// UserWorkloadAlertManagerEnabled presumably toggles use of the
	// user-workload alertmanager — TODO confirm.
	UserWorkloadAlertManagerEnabled bool
}
BuildOptions represents the set of options required to build extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC) on openshift.
type Options ¶
// Options is the set of internal template options for rendering
// the lokistack-gateway tenants configuration file when the mode is
// openshift-logging or openshift-network.
type Options struct {
	// BuildOpts holds the options used to build the extra gateway objects.
	BuildOpts BuildOptions
	// Authentication holds one AuthenticationSpec per tenant. Each entry
	// carries a CookieSecret, so NOTE(review): avoid dumping this struct
	// (e.g. with %+v) into logs.
	Authentication []AuthenticationSpec
	// Authorization holds the authorization settings shared by all tenants.
	Authorization AuthorizationSpec
	// TokenCCOAuth is a pointer and may be nil; its meaning is defined by
	// config.TokenCCOAuthConfig, which is not visible here.
	TokenCCOAuth *config.TokenCCOAuthConfig
}
Options is the set of internal template options for rendering the lokistack-gateway tenants configuration file when the mode is openshift-logging or openshift-network.
func NewOptions ¶
func NewOptions( stackName, stackNamespace string, gwName, gwSvcName, gwPortName string, gwWriteTimeout time.Duration, gwLabels map[string]string, rulerName string, ) *Options
NewOptions returns an openshift options struct.
func (*Options) WithTenantsForMode ¶
type TenantData ¶
// TenantData defines the existing cookieSecret for lokistack reconcile.
type TenantData struct {
	// CookieSecret is the existing cookie secret for a tenant.
	// NOTE(review): secret material by name; keep it out of logs and
	// status output. Where it is read from is not visible here.
	CookieSecret string
}
TenantData defines the existing cookieSecret for lokistack reconcile.