Try TLS configs

production/helm/loki/src/dashboards/loki-mixin-recording-rules.json → production/helm/loki/src/dashboards/ssd/loki-mixin-recording-rules.json

@@ -7,7 +7,7 @@
                "enable": true,
                "hide": true,
                "iconColor": "rgba(0, 211, 255, 1)",
-               "name": "Annotations & Alerts",
+               "name": "Annot",
                "target": {
                   "limit": 100,
                   "matchAny": false,

production/helm/loki/templates/_helpers.tpl

@@ -455,7 +455,7 @@ ruler:
 {{- end }}
 
 {{/*
-Calculate the config from structured and unstructred text input
+Calculate the config from structured and unstructured text input
 */}}
 {{- define "loki.calculatedConfig" -}}
 {{ tpl (mergeOverwrite (tpl .Values.loki.config . | fromYaml) .Values.loki.structuredConfig | toYaml) . }}
@@ -704,9 +704,19 @@ http {
   {{- end }}
 
   server {
-    listen             8080;
+    listen              443 ssl;
+    ssl_certificate     /var/tls/tls.crt;
+    ssl_certificate_key /var/tls/tls.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    server_name loki-memberlist;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_client_certificate /var/client-tls/tls.crt;
+    ssl_verify_client   on;
+    ssl_trusted_certificate /var/root-tls/tls.crt;
+
+    listen             8080 ssl;
     {{- if .Values.gateway.nginxConfig.enableIPv6 }}
-    listen             [::]:8080;
+    listen             [::]:8080 ssl;
     {{- end }}
 
     {{- if .Values.gateway.basicAuth.enabled }}
@@ -735,9 +745,11 @@ http {
     {{- $writeHost = include "loki.singleBinaryFullname" .}}
     {{- end }}
 
-    {{- $writeUrl    := printf "http://%s.%s.svc.%s:3100" $writeHost   .Release.Namespace .Values.global.clusterDomain }}
-    {{- $readUrl     := printf "http://%s.%s.svc.%s:3100" $readHost    .Release.Namespace .Values.global.clusterDomain }}
-    {{- $backendUrl  := printf "http://%s.%s.svc.%s:3100" $backendHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $httpSchema := .Values.gateway.nginxConfig.schema }}
+
+    {{- $writeUrl    := printf "%s://%s.%s.svc.%s:3100" $httpSchema $writeHost   .Release.Namespace .Values.global.clusterDomain }}
+    {{- $readUrl     := printf "%s://%s.%s.svc.%s:3100" $httpSchema $readHost    .Release.Namespace .Values.global.clusterDomain }}
+    {{- $backendUrl  := printf "%s://%s.%s.svc.%s:3100" $httpSchema $backendHost .Release.Namespace .Values.global.clusterDomain }}
 
     {{- if .Values.gateway.nginxConfig.customWriteUrl }}
     {{- $writeUrl  = .Values.gateway.nginxConfig.customWriteUrl }}
@@ -757,11 +769,11 @@ http {
     {{- $indexGatewayHost := include "loki.indexGatewayFullname" .}}
     {{- $rulerHost := include "loki.rulerFullname" .}}
 
-    {{- $distributorUrl := printf "http://%s.%s.svc.%s:3100" $distributorHost .Release.Namespace .Values.global.clusterDomain -}}
-    {{- $ingesterUrl := printf "http://%s.%s.svc.%s:3100" $ingesterHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $queryFrontendUrl := printf "http://%s.%s.svc.%s:3100" $queryFrontendHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $indexGatewayUrl := printf "http://%s.%s.svc.%s:3100" $indexGatewayHost .Release.Namespace .Values.global.clusterDomain }}
-    {{- $rulerUrl := printf "http://%s.%s.svc.%s:3100" $rulerHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $distributorUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $distributorHost .Release.Namespace .Values.global.clusterDomain -}}
+    {{- $ingesterUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $ingesterHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $queryFrontendUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $queryFrontendHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $indexGatewayUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $indexGatewayHost .Release.Namespace .Values.global.clusterDomain }}
+    {{- $rulerUrl := printf "%s://%s.%s.svc.%s:3100" $httpSchema $rulerHost .Release.Namespace .Values.global.clusterDomain }}
 
     {{- if not "loki.deployment.isDistributed "}}
     {{- $distributorUrl = $writeUrl }}

production/helm/loki/templates/loki-canary/daemonset.yaml

@@ -57,6 +57,10 @@ spec:
             {{- end }}
           securityContext:
             {{- toYaml $.Values.loki.containerSecurityContext | nindent 12 }}
+          volumeMounts:
+            {{- with $.Values.monitoring.lokiCanary.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           ports:
             - name: http-metrics
               containerPort: 3500
@@ -107,5 +111,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+      {{- with $.Values.monitoring.lokiCanary.extraVolumes }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
 {{- end }}

production/helm/loki/templates/monitoring/_helpers-monitoring.tpl

@@ -3,13 +3,18 @@ Client definition for LogsInstance
 */}}
 {{- define "loki.logsInstanceClient" -}}
 {{- $isSingleBinary := eq (include "loki.deployment.isSingleBinary" .) "true" -}}
-{{- $url := printf "http://%s.%s.svc.%s:3100/loki/api/v1/push" (include "loki.writeFullname" .) .Release.Namespace .Values.global.clusterDomain }}
+{{- $url := printf "https://%s.%s.svc.%s:3100/loki/api/v1/push" (include "loki.writeFullname" .) .Release.Namespace .Values.global.clusterDomain }}
 {{- if $isSingleBinary  }}
-  {{- $url = printf "http://%s.%s.svc.%s:3100/loki/api/v1/push" (include "loki.singleBinaryFullname" .) .Release.Namespace .Values.global.clusterDomain }}
+  {{- $url = printf "https://%s.%s.svc.%s:3100/loki/api/v1/push" (include "loki.singleBinaryFullname" .) .Release.Namespace .Values.global.clusterDomain }}
 {{- else if .Values.gateway.enabled -}}
-  {{- $url = printf "http://%s.%s.svc.%s/loki/api/v1/push" (include "loki.gatewayFullname" .) .Release.Namespace .Values.global.clusterDomain }}
+  {{- $url = printf "https://%s.%s.svc.%s/loki/api/v1/push" (include "loki.gatewayFullname" .) .Release.Namespace .Values.global.clusterDomain }}
 {{- end -}}
 - url: {{ $url }}
+  tlsConfig:
+    caFile: /var/root-tls/tls.crt
+    certFile: /var/client-tls/tls.crt
+    keyFile: /var/client-tls/tls.key
+    serverName: loki-memberlist
   externalLabels:
     cluster: {{ include "loki.clusterLabel" . }}
   {{- if .Values.enterprise.enabled }}

production/helm/loki/templates/monitoring/dashboards/configmap-1.yaml

@@ -16,15 +16,21 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
-  "loki-chunks.json": |
-    {{ $.Files.Get "src/dashboards/loki-chunks.json" | fromJson | toJson }}
-  "loki-deletion.json": |
-    {{ $.Files.Get "src/dashboards/loki-deletion.json" | fromJson | toJson }}
-  "loki-logs.json": |
-    {{ $.Files.Get "src/dashboards/loki-logs.json" | fromJson | toJson }}
-  "loki-mixin-recording-rules.json": |
-    {{ $.Files.Get "src/dashboards/loki-mixin-recording-rules.json" | fromJson | toJson }}
-  "loki-operational.json": |
-    {{ $.Files.Get "src/dashboards/loki-operational.json" | fromJson | toJson }}
+  {{- $prefix := "ssd" }}
+  {{- if "loki.deployment.isDistributed "}}
+  {{- $prefix = "distributed" }}
+  {{- end -}}
+
+  # "loki-chunks.json": |
+  #   {{ $.Files.Get (printf "src/dashboards/%s/loki-chunks.json" $prefix) | fromJson | toJson }}
+  # TODO: why does this one fails?
+  # "loki-deletion.json": |
+  #   {{ $.Files.Get (printf "src/dashboards/%s/loki-deletion.json" $prefix) | fromJson | toJson }}
+  # "loki-logs.json": |
+  #   {{ $.Files.Get (printf "src/dashboards/%s/loki-logs.json" $prefix) | fromJson | toJson }}
+  # "loki-mixin-recording-rules.json": |
+  #   {{ $.Files.Get (printf "src/dashboards/%s/loki-mixin-recording-rules.json" $prefix) | fromJson | toJson }}
+  # "loki-operational.json": |
+  #   {{ $.Files.Get (printf "src/dashboards/%s/loki-operational.json" $prefix) | fromJson | toJson }}
 {{- end -}}
 {{- end -}}

production/helm/loki/templates/monitoring/dashboards/configmap-2.yaml

@@ -16,15 +16,20 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
+  {{ $prefix := "ssd" }}
+  {{- if "loki.deployment.isDistributed "}}
+  {{- $prefix = "distributed" }}
+  {{- end -}}
+
   "loki-reads-resources.json": |
-    {{ $.Files.Get "src/dashboards/loki-reads-resources.json" | fromJson | toJson }}
+    {{ $.Files.Get (printf "src/dashboards/%s/loki-reads-resources.json" $prefix) | fromJson | toJson }}
   "loki-reads.json": |
-    {{ $.Files.Get "src/dashboards/loki-reads.json" | fromJson | toJson }}
+    {{ $.Files.Get (printf "src/dashboards/%s/loki-reads.json" $prefix) | fromJson | toJson }}
   "loki-retention.json": |
-    {{ $.Files.Get "src/dashboards/loki-retention.json" | fromJson | toJson }}
+    {{ $.Files.Get (printf "src/dashboards/%s/loki-retention.json" $prefix) | fromJson | toJson }}
   "loki-writes-resources.json": |
-    {{ $.Files.Get "src/dashboards/loki-writes-resources.json" | fromJson | toJson }}
+    {{ $.Files.Get (printf "src/dashboards/%s/loki-writes-resources.json" $prefix) | fromJson | toJson }}
   "loki-writes.json": |
-    {{ $.Files.Get "src/dashboards/loki-writes.json" | fromJson | toJson }}
-{{- end -}}
+    {{ $.Files.Get (printf "src/dashboards/%s/loki-writes.json" $prefix) | fromJson | toJson }}
 {{- end -}}
+{{- end -}}

production/helm/loki/templates/monitoring/logs-instance.yaml

@@ -28,3 +28,14 @@ spec:
       {{- include "loki.selectorLabels" $ | nindent 6 }}
 {{- end -}}
 {{- end -}}
+
+  volumes:
+  - name: tls-cert
+    secret:
+      secretName: my-demo-app-tls
+  - name: root-tls-cert
+    secret:
+      secretName: ca-tls
+  - name: client-tls
+    secret:
+      secretName: client-tls

production/helm/loki/templates/monitoring/pod-logs.yaml

@@ -25,18 +25,17 @@ spec:
     - action: labelmap
       regex: __meta_kubernetes_pod_label_(.+)
     - action: replace
-      replacement: "$1"
-      separator: "-"
+      regex: "(.*)"
+      replacement: "($1)"
       sourceLabels:
-        - __meta_kubernetes_pod_label_app_kubernetes_io_name
-        - __meta_kubernetes_pod_label_app_kubernetes_io_component
-      targetLabel: __service__
+        - __meta_kubernetes_namespace
+      targetLabel: __job_namespace__
     - action: replace
       replacement: "$1"
       separator: "/"
       sourceLabels:
-        - __meta_kubernetes_namespace
-        - __service__
+        - __job_namespace__
+        - __meta_kubernetes_pod_label_app_kubernetes_io_component
       targetLabel: job
     - action: replace
       sourceLabels:

production/helm/loki/templates/monitoring/servicemonitor.yaml

@@ -38,10 +38,19 @@ spec:
       scrapeTimeout: {{ . }}
       {{- end }}
       relabelings:
-        - sourceLabels: [job]
+        - sourceLabels:
+          - __meta_kubernetes_namespace
+          targetLabel: __job_namespace
+          replacement: "($1)"
+
+        - sourceLabels:
+          - __job_namespace
+          - __meta_kubernetes_pod_label_app_kubernetes_io_component
           action: replace
-          replacement: "{{ $.Release.Namespace }}/$1"
+          separator: "/"
           targetLabel: job
+          # replacement: "({{ $.Release.Namespace }})/$1"
+
         - action: replace
           replacement: "{{ include "loki.clusterLabel" $ }}"
           targetLabel: cluster

production/helm/loki/values.yaml

@@ -160,9 +160,9 @@ loki:
     schema_config:
       configs:
         - from: 2022-01-11
-          store: boltdb-shipper
+          store: tsdb
           object_store: {{ .Values.loki.storage.type }}
-          schema: v12
+          schema: v13
           index:
             prefix: loki_index_
             period: 24h
@@ -654,7 +654,7 @@ monitoring:
     # -- Tenant to use for self monitoring
     tenant:
       # -- Name of the tenant
-      name: "self-monitoring"
+      name: "loki"
       # -- Namespace to create additional tenant token secret in. Useful if your Grafana instance
       # is in a separate namespace. Token will still be created in the canary namespace.
       secretNamespace: "{{ .Release.Namespace }}"
@@ -714,6 +714,10 @@ monitoring:
     extraEnv: []
     # -- Environment variables from secrets or configmaps to add to the canary pods
     extraEnvFrom: []
+    # -- Volume mounts to add to the canary pods
+    extraVolumeMounts: []
+    # -- Volumes to add to the canary pods
+    extraVolumes: []
     # -- Resource requests and limits for the canary
     resources: {}
     # -- DNS config for canary pods
@@ -2339,9 +2343,12 @@ gateway:
     httpGet:
       path: /
       port: http-metrics
+      schema: HTTPS
     initialDelaySeconds: 15
     timeoutSeconds: 1
   nginxConfig:
+    # -- Which schema to be used by URLs. Can be 'http' or 'https'.
+    schema: "https"
     # -- Enable listener for IPv6, disable on IPv4-only systems
     enableIPv6: true
     # -- NGINX log format