
Commit 10c80c2

Merge pull request #18 from projectsyn/feat/additional-config-rendering
Refactor additional config rendering
2 parents 1ba0eb1 + d6a27c5 commit 10c80c2

26 files changed

Lines changed: 1389 additions & 256 deletions


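--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -97,12 +97,26 @@ parameters:
 #increase if auth credentials change
 secretVersion: 0
 
-secrets: {}
+ingress:
+enabled: false
+tls:
+enabled: true
+clusterIssuer: 'letsencrypt-production'
+key: null
+cert: null
+url: ''
+
+basicAuth:
+enabled: false
+htpasswd: '?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/htpasswd}'
 
+monitoring: true
 alerts:
 additionalRules: {}
 patchRules:
 ignoreNames: []
 patches: {}
 
+secrets: {}
+
 helm_values: {}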
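Review bot: The new `ingress` and `basicAuth` defaults are toggled independently, so setting `ingress.enabled: true` alone publishes the gateway with `basicAuth.enabled: false`; if nothing else in front of Loki authenticates requests (not visible here), the log API becomes reachable without credentials. A comment above `basicAuth:` would make that explicit, for example `# enable together with ingress.enabled unless another auth layer protects the gateway`. The `url: ''` default also deserves a comment saying it must be set before the ingress is enabled, since the other file sections of this commit derive the ingress host and the TLS secret name from it.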

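--- a/component/helm_values.jsonnet
+++ b/component/helm_values.jsonnet
@@ -10,7 +10,12 @@ local hasRolloutOperator = std.member(inv.applications, 'rollout-operator');
 // Global Params and Zone Aware Replication
 local globalConfig = params.global + com.makeMergeable({
 nodeSelector: std.get(params, 'globalNodeSelector', params.global.nodeSelector),
-zoneAwareReplication: if hasRolloutOperator then params.global.zoneAwareReplication else std.trace('rollout-operator must be installed', {}),
+zoneAwareReplication: params.global.zoneAwareReplication {
+enabled: if params.global.zoneAwareReplication.enabled then
+// Assert that zone aware replication is only enabled if rollout-operator is installed
+if hasRolloutOperator then true else error 'rollout-operator must be installed for zone-aware replication'
+else false,
+},
 });
 
 local components = com.makeMergeable({
@@ -85,6 +90,39 @@ local openshift = if isOpenshift then com.makeMergeable({
 dnsService: 'dns-default',
 dnsNamespace: 'openshift-dns',
 },
+loki: {
+podSecurityContext: {
+fsGroup: null,
+runAsGroup: null,
+runAsNonRoot: true,
+runAsUser: null,
+},
+},
+gateway: {
+podSecurityContext: {
+fsGroup: null,
+runAsGroup: null,
+runAsNonRoot: true,
+runAsUser: null,
+},
+metrics: {
+containerSecurityContext: {
+privileged: null,
+runAsGroup: null,
+runAsNonRoot: null,
+runAsUser: null,
+},
+},
+},
+rbac: {
+sccEnabled: false,
+},
+memcached: {
+podSecurityContext: null,
+},
+lokiCanary: {
+podSecurityContext: null,
+},
 }) else {};
 
 local images = com.makeMergeable({
@@ -131,6 +169,14 @@ local global = com.makeMergeable({
 bucketSecretVersion: '%s' % params.s3.auth.secretVersion,
 },
 },
+[if params.monitoring then 'monitoring']: {
+serviceMonitor: {
+enabled: params.monitoring,
+},
+rules: {
+enabled: params.monitoring,
+},
+},
 lokiCanary: {
 enabled: false,
 },
@@ -188,6 +234,33 @@ local loki = com.makeMergeable({
 
 // Loki Config
 local ingress = com.makeMergeable({
+[if params.components.gateway.enabled then 'gateway']: {
+ingress: {
+enabled: params.ingress.enabled,
+[if params.ingress.tls.enabled && params.ingress.tls.clusterIssuer != null then 'annotations']: {
+'cert-manager.io/cluster-issuer': params.ingress.tls.clusterIssuer,
+} + if std.objectHas(params.ingress, 'annotations') then com.makeMergeable(params.ingress.annotations) else {},
+[if std.objectHas(params.ingress, 'labels') then 'labels']: params.ingress.labels,
+hosts: [ {
+host: params.ingress.url,
+paths: [
+{
+path: '/',
+pathType: 'Prefix',
+},
+],
+} ],
+[if params.ingress.tls.enabled then 'tls']: [ {
+hosts: [ params.ingress.url ],
+secretName: '%s-tls' % std.strReplace(params.ingress.url, '.', '-'),
+} ],
+},
+basicAuth: {
+enabled: params.basicAuth.enabled,
+[if params.basicAuth.htpasswd != null && !std.objectHas(params.basicAuth, 'existingSecret') then 'existingSecret']: '%s-nginx-htpasswd' % inv.parameters._instance,
+[if std.objectHas(params.basicAuth, 'existingSecret') then 'existingSecret']: params.basicAuth.existingSecret,
+},
+},
 });
 
 // hardcoded removal of rollout-operator
@@ -199,6 +272,11 @@ local hardRestrictions = com.makeMergeable({
 enabled: false,
 },
 [if !std.member([ 'none', 'legacy' ], params.preset) then 'deploymentMode']: 'Distributed',
+ingester: {
+zoneAwareReplication: {
+enabled: if hasRolloutOperator && params.global.zoneAwareReplication.enabled then true else false,
+},
+},
 });
 
 {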
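Review bot: In the ingress hunk (new lines 240-242) the `annotations` key itself is conditional on `tls.enabled` and a non-null `clusterIssuer`, so user-supplied `params.ingress.annotations` are dropped whenever TLS is off or the issuer is set to null. Annotations are a common place for ingress access restrictions such as source-range allowlists, so losing them silently can widen exposure. The field should always be emitted and only the cert-manager entry made conditional, e.g. `annotations: (if params.ingress.tls.enabled && params.ingress.tls.clusterIssuer != null then { 'cert-manager.io/cluster-issuer': params.ingress.tls.clusterIssuer } else {}) + com.makeMergeable(std.get(params.ingress, 'annotations', {})),`. The same hunk also accepts the default empty `params.ingress.url` when the ingress is enabled, which yields an empty host and the secret name `-tls`; an `error` guard like the one added for zone-aware replication would catch that at compile time.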

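--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -50,6 +50,19 @@ local params = inv.parameters.loki;
 
 local secrets = com.generateResources(
 {
+[if params.ingress.tls.enabled && params.ingress.tls.key != null && params.ingress.tls.cert != null then '%s-tls' % std.strReplace(params.ingress.url, '.', '-')]:
+{
+stringData: {
+'tls.key': params.ingress.tls.key,
+'tls.cert': params.ingress.tls.cert,
+},
+},
+[if params.basicAuth.enabled && params.basicAuth.htpasswd != null then '%s-nginx-htpasswd' % inv.parameters._instance]:
+{
+stringData: {
+'.htpasswd': params.basicAuth.htpasswd,
+},
+},
 ['%s-bucket-secret' % inv.parameters._instance]: {
 stringData: {
 S3_ACCESS_KEY_ID: params.s3.auth.accessKeyId,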
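Review bot: The TLS secret added at new lines 53-59 stores the certificate under `'tls.cert'`, but Kubernetes TLS secrets consumed by ingress controllers use the keys `tls.crt` and `tls.key`, so a user-supplied certificate would likely not be picked up and the controller may fall back to its default certificate. The line should read `'tls.crt': params.ingress.tls.cert,`; whether `com.generateResources` also sets `type: kubernetes.io/tls` is not visible in this hunk and is worth confirming. Separately, the htpasswd secret is rendered whenever `basicAuth.enabled` is set and `htpasswd` is non-null, which with the default Vault reference includes the case where `basicAuth.existingSecret` is given; adding `&& !std.objectHas(params.basicAuth, 'existingSecret')` would mirror the condition used in helm_values.jsonnet. The `secrets` definition continues past the end of the hunk.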

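--- a/docs/modules/ROOT/pages/how-tos/upgrade-loki-v0-v1.adoc
+++ b/docs/modules/ROOT/pages/how-tos/upgrade-loki-v0-v1.adoc
@@ -41,6 +41,18 @@ helm_values:
 
 Remove the parameters from "Step 1" and deploy again.
 
+=== (Optional) Consider disabling Zone Aware Replication
+
+[IMPORTANT]
+====
+This version of the component disables zone aware replication by default, because the rollout-operator in this version of the component *installs CRDs* for certain functionalities.
+
+That can be a problem, when more than 1 instance of this component is installed.
+We recommend disabling zone aware replication, unless you need this feature and have a cluster that actually has multiple availability zones enabled.
+====
+
+See xref:references/parameters.adoc#_global[global configuration] for reference.
+
 === New Default Resource Requests
 
 [IMPORTANT]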
