diff --git a/charts/beta/loki/Chart.yaml b/charts/beta/loki/Chart.yaml index 6f3dd64..f0ab2db 100644 --- a/charts/beta/loki/Chart.yaml +++ b/charts/beta/loki/Chart.yaml @@ -12,7 +12,7 @@ description: A Loki chart that can be used with Palantir FedStart # pipeline. Library charts do not define any templates and therefore cannot be deployed. type: application -version: 6.2.0003 +version: 6.2.0004 # Be aware that using helm dependencies has undesirable side effects, where you cannot remove # sub-chart config keys by setting them to null. If this type of configuration override is necessary, diff --git a/charts/beta/loki/README.md b/charts/beta/loki/README.md index 7435a3f..edde701 100644 --- a/charts/beta/loki/README.md +++ b/charts/beta/loki/README.md @@ -11,42 +11,23 @@ Refer to the Loki [documentation](https://grafana.com/docs/loki/next/setup/insta In order to deploy this helm-chart, a few pre-requisites must be satisfied: 1. An Amazon S3 bucket must exist to store the Loki data files -2. A K8s secret, named `storage-secret`, must exist in the namespace that loki is installed and must contain the following data. - - ```yaml - apiVersion: v1 - kind: Secret - data: - config: - credential: - ``` - - ```yaml - # config format - [default] - region= - ``` - - ```yaml - # credential format - [default] - aws_access_key_id= - aws_secret_access_key= - ``` +2. Access configured for the loki service account to the S3 bucket ### Config Overrides -The following config overrides should be applied to Loki when installing for the first time +The following config overrides must be applied to Loki when installing for the first time: ```yaml -6.2.0001: +6.2.0004: overrides: + fedstart: + s3: + aws_role_arn: "arn:aws:iam:::role/fedstart-default-role" loki: loki: storage: s3: - region: # us-east-1 - endpoint: # s3-fips.us-east-1.amazonaws.com + region: # us-gov-west-1 bucketNames: chunks: # loki-bucket ruler: # loki-bucket 
diff --git a/charts/beta/loki/templates/cm.yaml b/charts/beta/loki/templates/cm.yaml new file mode 100644 index 0000000..71e9234 --- /dev/null +++ b/charts/beta/loki/templates/cm.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki-aws-s3-config + labels: + {{- include "loki.labels" .Subcharts.loki | nindent 4 }} +data: + AWS_DEFAULT_REGION: {{ .Values.loki.loki.storage.s3.region }} + AWS_ROLE_ARN: {{ .Values.fedstart.s3.aws_role_arn }} + AWS_USE_FIPS_ENDPOINT: {{ quote .Values.fedstart.s3.aws_use_fips }} + AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/kubernetes.io/serviceaccount/token" +--- diff --git a/charts/beta/loki/values.yaml b/charts/beta/loki/values.yaml index 1f86b20..cab037a 100644 --- a/charts/beta/loki/values.yaml +++ b/charts/beta/loki/values.yaml @@ -1,5 +1,11 @@ # Default values for loki +fedstart: + s3: + # role in the format "arn:aws-us-gov:iam:::role/fedstart-default-role" + aws_role_arn: "__REPLACE_ME_ROLE_ARN" + aws_use_fips: true + ## Sub-chart value overrides loki: nameOverride: loki @@ -42,12 +48,12 @@ loki: period: 24h storage: type: s3 - # s3: - # region: us-east-1 - # endpoint: s3-fips.us-east-1.amazonaws.com + s3: + region: us-gov-west-1 bucketNames: - chunks: chunks - ruler: ruler + # Enter the name(s) of the buckets to use + chunks: "__REPLACE_ME_BUCKET_NAME" + ruler: "__REPLACE_ME_BUCKET_NAME" storage_config: tsdb_shipper: active_index_directory: /var/loki/tsdb-shipper-active @@ -71,17 +77,14 @@ loki: service: annotations: com.palantir.rubix.service/pod-cert: '{}' + extraEnvFrom: + - configMapRef: + name: loki-aws-s3-config extraVolumeMounts: - name: cert-secret-volume mountPath: "/mnt/secrets/certs" - name: tls-external-ca-bundle mountPath: "/etc/ssl/rubix-ca" - - name: storage-secret - mountPath: /home/loki/.aws/credentials - subPath: credential - - name: storage-secret - mountPath: /home/loki/.aws/config - subPath: config extraVolumes: - name: cert-secret-volume secret: 
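Review bot: `AWS_DEFAULT_REGION` and `AWS_ROLE_ARN` are rendered unquoted, unlike `AWS_USE_FIPS_ENDPOINT` two lines below, so an unset region renders as `AWS_DEFAULT_REGION:` (YAML null), which the API server rejects for ConfigMap data with a type error that does not name the missing value, and the `__REPLACE_ME_ROLE_ARN` default renders into a perfectly valid ConfigMap that only surfaces when STS rejects the ARN at runtime. Rendering them as `AWS_DEFAULT_REGION: {{ required "loki.loki.storage.s3.region must be set" .Values.loki.loki.storage.s3.region | quote }}` and `AWS_ROLE_ARN: {{ required "fedstart.s3.aws_role_arn must be set" .Values.fedstart.s3.aws_role_arn | quote }}` fails the install with a clear message instead. `AWS_WEB_IDENTITY_TOKEN_FILE` points at the default service-account token, which is also the pod's Kubernetes API credential; the usual web-identity setup is a projected token volume with a dedicated audience (whatever the IAM trust policy's `aud` condition expects) and a short `expirationSeconds`, so that neither token can stand in for the other, and whether this cluster's OIDC trust accepts the default audience is not visible here and should be confirmed. A comment on that line stating the token audience the trust policy expects would save the next operator a round of STS `InvalidIdentityToken` debugging.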
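Review bot: The example ARN in the comment above `aws_role_arn` uses the `arn:aws-us-gov:iam:` partition, while the README example added in this same commit uses `arn:aws:iam:`; with the default region now `us-gov-west-1`, `aws-us-gov` is the matching partition, so the README example should be brought in line. The example also leaves the account-id field empty (`iam:::role/`), which is fine as a template but clearer when labelled, e.g. `# role in the format "arn:aws-us-gov:iam::<account-id>:role/fedstart-default-role"`. Style: the new `fedstart.s3` keys are snake_case (`aws_role_arn`, `aws_use_fips`) while the rest of the file's keys are camelCase (`nameOverride`, `bucketNames`, `extraEnvFrom`); the sub-chart keys are fixed upstream, but the chart's own keys could follow the same convention.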
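Review bot: `chunks` and `ruler` default to the same `__REPLACE_ME_BUCKET_NAME` placeholder, so a release that forgets to override one of them installs cleanly and only fails later when Loki cannot reach the bucket, with the ruler case easy to miss because the chunks override appears to work. A guard in a template would turn this into an install-time error, e.g. `{{- if hasPrefix "__REPLACE_ME" .Values.loki.loki.storage.s3.bucketNames.chunks }}{{ fail "loki.loki.storage.s3.bucketNames.chunks must be set" }}{{- end }}` (and the same for `ruler`). Dropping the explicit FIPS `endpoint` in favour of `AWS_USE_FIPS_ENDPOINT` means the FIPS requirement now rests on Loki's AWS SDK honouring that environment variable, which this diff cannot show; it is worth confirming on a rendered deployment that requests actually reach the FIPS endpoint before relying on it. The `# Enter the name(s) of the buckets to use` comment could also say whether one bucket may serve both keys, since the README example uses the same bucket for both.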
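Review bot: The `extraEnvFrom` reference to `loki-aws-s3-config` (repeated for the components in the `@@ -110`, `@@ -148` and `@@ -208` hunks on the next line) is read once at container start, so a later change to the role ARN or region in the ConfigMap does not roll these pods; because this is a values file the usual checksum pod-annotation is not directly available, so the restart requirement should be documented next to the reference, e.g. `# env is read at start-up: restart pods after loki-aws-s3-config changes`. Every component that receives this block also receives `AWS_ROLE_ARN` and the token-file path and can therefore assume the S3 role; if any of them does not talk to S3 (the one in the `@@ -208` hunk, with a `port: 443` annotation, looks like it may be a gateway, but its name is outside the hunk), leaving the block off that component keeps the role's reach to the components that need it. The enclosing component block starts outside the hunk.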
@@ -92,9 +95,6 @@ loki: items: - key: ca.pem path: ca.pem - - name: storage-secret - secret: - secretName: storage-secret affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -110,17 +110,14 @@ loki: service: annotations: com.palantir.rubix.service/pod-cert: '{}' + extraEnvFrom: + - configMapRef: + name: loki-aws-s3-config extraVolumeMounts: - name: cert-secret-volume mountPath: "/mnt/secrets/certs" - name: tls-external-ca-bundle mountPath: "/etc/ssl/rubix-ca" - - name: storage-secret - mountPath: /home/loki/.aws/credentials - subPath: credential - - name: storage-secret - mountPath: /home/loki/.aws/config - subPath: config extraVolumes: - name: cert-secret-volume secret: @@ -131,9 +128,6 @@ loki: items: - key: ca.pem path: ca.pem - - name: storage-secret - secret: - secretName: storage-secret affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -148,17 +142,14 @@ loki: service: annotations: com.palantir.rubix.service/pod-cert: '{}' + extraEnvFrom: + - configMapRef: + name: loki-aws-s3-config extraVolumeMounts: - name: cert-secret-volume mountPath: "/mnt/secrets/certs" - name: tls-external-ca-bundle mountPath: "/etc/ssl/rubix-ca" - - name: storage-secret - mountPath: /home/loki/.aws/credentials - subPath: credential - - name: storage-secret - mountPath: /home/loki/.aws/config - subPath: config extraVolumes: - name: cert-secret-volume secret: @@ -169,9 +160,6 @@ loki: items: - key: ca.pem path: ca.pem - - name: storage-secret - secret: - secretName: storage-secret affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -208,6 +196,9 @@ loki: annotations: com.palantir.rubix.service/pod-cert: "{}" port: 443 + extraEnvFrom: + - configMapRef: + name: loki-aws-s3-config extraVolumeMounts: - name: cert-secret-volume mountPath: "/mnt/secrets/certs"