Update loki config for S3 access with role ARN (#46)

palantir · Jun 5, 2024 · 0ad1918 · 0ad1918
1 parent 01fb40c
commit 0ad1918
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 59 deletions.
diff --git a/charts/beta/loki/Chart.yaml b/charts/beta/loki/Chart.yaml
@@ -12,7 +12,7 @@ description: A Loki chart that can be used with Palantir FedStart
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-version: 6.2.0003
+version: 6.2.0004
 
 # Be aware that using helm dependencies has undesirable side effects, where you cannot remove
 # sub-chart config keys by setting them to null. If this type of configuration override is necessary,

diff --git a/charts/beta/loki/README.md b/charts/beta/loki/README.md
@@ -11,42 +11,23 @@ Refer to the Loki [documentation](https://grafana.com/docs/loki/next/setup/insta
 In order to deploy this helm-chart, a few pre-requisites must be satisfied:
 
 1. An Amazon S3 bucket must exist to store the Loki data files
-2. A K8s secret, named `storage-secret`, must exist in the namespace that loki is installed and must contain the following data.
-
-   ```yaml
-   apiVersion: v1
-   kind: Secret
-   data:
-     config: <base64-encoded-config>
-     credential: <base64-encoded-credential>
-   ```
-
-   ```yaml
-   # config format
-   [default]
-   region=<stack-region>
-   ```
-
-   ```yaml
-   # credential format
-   [default]
-   aws_access_key_id=<redacted>
-   aws_secret_access_key=<redacted>
-   ```
+2. Access configured for the loki service account to the S3 bucket
 
 ### Config Overrides
 
-The following config overrides should be applied to Loki when installing for the first time
+The following config overrides must be applied to Loki when installing for the first time:
 
 ```yaml
-6.2.0001:
+6.2.0004:
   overrides:
+    fedstart:
+      s3:
+        aws_role_arn: "arn:aws:iam::<account-number>:role/fedstart-default-role"
     loki:
       loki:
         storage:
           s3:
-            region: <region>      # us-east-1
-            endpoint: <endpoint>  # s3-fips.us-east-1.amazonaws.com
+            region: <region>      # us-gov-west-1
           bucketNames:
             chunks: <bucket-name> # loki-bucket
             ruler: <bucket-name>  # loki-bucket

diff --git a/charts/beta/loki/templates/cm.yaml b/charts/beta/loki/templates/cm.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: loki-aws-s3-config
+  labels:
+    {{- include "loki.labels" .Subcharts.loki | nindent 4 }}
+data:
+  AWS_DEFAULT_REGION: {{ .Values.loki.loki.storage.s3.region }}
+  AWS_ROLE_ARN: {{ .Values.fedstart.s3.aws_role_arn }}
+  AWS_USE_FIPS_ENDPOINT: {{ quote .Values.fedstart.s3.aws_use_fips }}
+  AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+---
diff --git a/charts/beta/loki/values.yaml b/charts/beta/loki/values.yaml
@@ -1,5 +1,11 @@
 # Default values for loki
 
+fedstart:
+  s3:
+    # role in the format "arn:aws-us-gov:iam::<account_number>:role/fedstart-default-role"
+    aws_role_arn: "__REPLACE_ME_ROLE_ARN"
+    aws_use_fips: true
+
 ## Sub-chart value overrides
 loki:
   nameOverride: loki
@@ -42,12 +48,12 @@ loki:
             period: 24h
     storage:
       type: s3
-      # s3:
-      #   region: us-east-1
-      #   endpoint: s3-fips.us-east-1.amazonaws.com
+      s3:
+        region: us-gov-west-1
       bucketNames:
-        chunks: chunks
-        ruler: ruler
+        # Enter the name(s) of the buckets to use
+        chunks: "__REPLACE_ME_BUCKET_NAME"
+        ruler: "__REPLACE_ME_BUCKET_NAME"
     storage_config:
       tsdb_shipper:
         active_index_directory: /var/loki/tsdb-shipper-active
@@ -71,17 +77,14 @@ loki:
     service:
       annotations:
         com.palantir.rubix.service/pod-cert: '{}'
+    extraEnvFrom:
+      - configMapRef:
+          name: loki-aws-s3-config
     extraVolumeMounts:
       - name: cert-secret-volume
         mountPath: "/mnt/secrets/certs"
       - name: tls-external-ca-bundle
         mountPath: "/etc/ssl/rubix-ca"
-      - name: storage-secret
-        mountPath: /home/loki/.aws/credentials
-        subPath: credential
-      - name: storage-secret
-        mountPath: /home/loki/.aws/config
-        subPath: config
     extraVolumes:
       - name: cert-secret-volume
         secret:
@@ -92,9 +95,6 @@ loki:
           items:
             - key: ca.pem
               path: ca.pem
-      - name: storage-secret
-        secret:
-          secretName: storage-secret
     affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
@@ -110,17 +110,14 @@ loki:
     service:
       annotations:
         com.palantir.rubix.service/pod-cert: '{}'
+    extraEnvFrom:
+      - configMapRef:
+          name: loki-aws-s3-config
     extraVolumeMounts:
       - name: cert-secret-volume
         mountPath: "/mnt/secrets/certs"
       - name: tls-external-ca-bundle
         mountPath: "/etc/ssl/rubix-ca"
-      - name: storage-secret
-        mountPath: /home/loki/.aws/credentials
-        subPath: credential
-      - name: storage-secret
-        mountPath: /home/loki/.aws/config
-        subPath: config
     extraVolumes:
       - name: cert-secret-volume
         secret:
@@ -131,9 +128,6 @@ loki:
           items:
             - key: ca.pem
               path: ca.pem
-      - name: storage-secret
-        secret:
-          secretName: storage-secret
     affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
@@ -148,17 +142,14 @@ loki:
     service:
       annotations:
         com.palantir.rubix.service/pod-cert: '{}'
+    extraEnvFrom:
+      - configMapRef:
+          name: loki-aws-s3-config
     extraVolumeMounts:
       - name: cert-secret-volume
         mountPath: "/mnt/secrets/certs"
       - name: tls-external-ca-bundle
         mountPath: "/etc/ssl/rubix-ca"
-      - name: storage-secret
-        mountPath: /home/loki/.aws/credentials
-        subPath: credential
-      - name: storage-secret
-        mountPath: /home/loki/.aws/config
-        subPath: config
     extraVolumes:
       - name: cert-secret-volume
         secret:
@@ -169,9 +160,6 @@ loki:
           items:
             - key: ca.pem
               path: ca.pem
-      - name: storage-secret
-        secret:
-          secretName: storage-secret
     affinity:
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
@@ -208,6 +196,9 @@ loki:
       annotations:
         com.palantir.rubix.service/pod-cert: "{}"
       port: 443
+    extraEnvFrom:
+      - configMapRef:
+          name: loki-aws-s3-config
     extraVolumeMounts:
       - name: cert-secret-volume
         mountPath: "/mnt/secrets/certs"