pub/loki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-11-14 21:01:18 +07:00
commit 335091569a
38 changed files with 2101 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
docker-client/README.md Normal file
View File

@@ -0,0 +1,46 @@
# Установка и конфиг докер-хоста
1. docker plugin install grafana/loki-docker-driver:latest --alias loki --grant-all-permissions
2. docker plugin ls
3. run docker container with changed logging path:
```bash
docker run --log-driver=loki \
--log-opt loki-url="https://<user_id>:<password>@<DOMAIN_LOKI>/loki/api/v1/push" \
--log-opt loki-retries=5 \
--log-opt loki-batch-size=400 \
hub/image
```
4. or set default setting of all container, located in /etc/docker/daemon.json
```json
{
"debug" : true,
"log-driver": "loki",
"log-opts": {
"loki-url": "https://<user_id>:<password>@<DOMAIN_LOKI>/loki/api/v1/push",
"loki-batch-size": "400"
}
}
```
# Upgrading plugin
The upgrade process involves disabling the existing plugin, upgrading, then re-enabling and restarting Docker:
```bash
docker plugin disable loki --force
docker plugin upgrade loki grafana/loki-docker-driver:latest --grant-all-permissions
docker plugin enable loki
systemctl restart docker
```
# Uninstalling plugin
To cleanly uninstall the plugin, disable and remove it:
```bash
docker plugin disable loki --force
docker plugin rm loki
```

1
loki-server/.env Normal file
View File

@@ -0,0 +1 @@
HOST=t.realmanual.ru

7
loki-server/data/grafana/datasources.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: 1
datasources:
- access: proxy
isDefault: true
name: loki-main
type: loki
url: http://loki:3100

25
loki-server/data/grafana/grafana.ini Normal file
View File

@@ -0,0 +1,25 @@
[analytics]
check_for_updates = true
[auth.ldap]
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
enabled = false
[grafana_net]
url = https://logs.bildme.ru
[log]
mode = console
[paths]
data = /var/lib/grafana/data
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
root_url = https://logs.bildme.ru
[smtp]
enabled = true
from_address = logs@bildme.ru
from_name = Logs Bildme.ru
host = smtp.eu.mailgun.org:587
password = PASSWORD
skip_verify = true
user = logs@bildme.ru

26
loki-server/data/grafana/ldap.toml Normal file
View File

@@ -0,0 +1,26 @@
verbose_logging = true
[[servers]]
host = "ipa.bildme.ru"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "uid=system,cn=sysaccounts,cn=etc,dc=ipa,dc=bildme,dc=ru"
bind_password = "PASSWORD"
search_filter = "(uid=%s)"
search_base_dns = ["cn=users,cn=accounts,dc=ipa,dc=bildme,dc=ru"]
group_search_base_dns = ["cn=admins,cn=groups,cn=accounts,dc=ipa,dc=bildme,dc=ru"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
# Administrators
[[servers.group_mappings]]
grafana_admin = true
group_dn = "cn=admins,cn=groups,cn=accounts,dc=ipa,dc=bildme,dc=ru"
org_role = "Admin"

62
loki-server/data/local-config.yaml Normal file
View File

@@ -0,0 +1,62 @@
auth_enabled: false
server:
grpc_listen_port: 9095
http_listen_port: 3100
compactor:
retention_delete_delay: 2h
retention_delete_worker_count: 150
retention_enabled: true
shared_store: filesystem
working_directory: /loki/boltdb-shipper-compactor
ingester:
chunk_block_size: 262144
chunk_idle_period: 3m
chunk_retain_period: 1m
lifecycler:
ring:
kvstore:
store: inmemory
replication_factor: 1
max_transfer_retries: 0
wal:
dir: /loki/wal
limits_config:
enforce_metric_name: false
max_entries_limit_per_query: 5000
per_stream_rate_limit: 8M
per_stream_rate_limit_burst: 16M
reject_old_samples: true
reject_old_samples_max_age: 360h
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
common:
path_prefix: /loki
storage:
filesystem:
chunks_directory: /loki/chunks
rules_directory: /loki/rules
replication_factor: 1
ring:
instance_addr: 127.0.0.1
kvstore:
store: inmemory
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: true
retention_period: 360h

1
loki-server/data/user.file Normal file
View File

@@ -0,0 +1 @@
loki:$$2y$$05$$UZwmFTrItdJngPd3eLTn5uw5SKU4fyB0d22aWA0sG1A/Cx9PONtM6

63
loki-server/docker-compose.yaml Normal file
View File

@@ -0,0 +1,63 @@
version: "3.9"
services:
grafana:
image: grafana/grafana:latest
container_name: grafana
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.logs.entrypoints=https"
- "traefik.http.routers.logs.rule=Host(`logs.${HOST}`)"
- "traefik.http.routers.logs.tls=true"
- "traefik.http.routers.logs.tls.certresolver=letsEncrypt"
- "traefik.http.services.logs-service.loadbalancer.server.port=3000"
- "traefik.docker.network=webproxy"
environment:
- GF_PATHS_DATA=/var/lib/grafana/data
- GF_PATHS_LOGS=/var/log/grafana
- GF_PATHS_PLUGINS=/var/lib/grafana/plugins
- GF_PATHS_PROVISIONING=/etc/grafana/provisioning
- GF_AUTH_ANONYMOUS_ENABLED=false
- GF_USERS_ALLOW_SIGN_UP=false
- GF_USERS_ALLOW_ORG_CREATE=false
volumes:
- ./data/grafana/grafana.ini:/etc/grafana/grafana.ini
- ./data/grafana/ldap.toml:/etc/grafana/ldap.toml
- ./data/grafana/datasources.yaml:/etc/grafana/provisioning/datasources/datasources.yaml
expose:
- 3000
networks:
- loki
- webproxy
loki:
image: grafana/loki:2.6.1
container_name: loki
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.loki.entrypoints=https"
- "traefik.http.routers.loki.rule=Host(`loki.${HOST}`)"
- "traefik.http.routers.loki.tls=true"
- "traefik.http.routers.loki.tls.certresolver=letsEncrypt"
- "traefik.http.routers.loki.middlewares=loki-auth"
- "traefik.http.services.loki-service.loadbalancer.server.port=3100"
- "traefik.http.middlewares.loki-auth.basicauth.usersfile=/mnt/user.file" # loki\loki123
- "traefik.docker.network=webproxy"
command: -config.file=/etc/loki/local-config.yaml
volumes:
- ./data/local-config.yaml:/etc/loki/local-config.yaml
- ./data/loki/loki:/loki
- ./data/user.file:/mnt/user.file
expose:
- 3100
networks:
- loki
- webproxy
networks:
loki:
name: loki
webproxy:
name: webproxy

22
promtail-helm/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

17
promtail-helm/Chart.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v2
appVersion: 2.6.1
description: Promtail is an agent which ships the contents of local logs to a Loki
instance
home: https://grafana.com/loki
icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png
maintainers:
- email: lokiproject@googlegroups.com
name: Loki Maintainers
- name: unguiculus
name: promtail
sources:
- https://github.com/grafana/loki
- https://grafana.com/oss/loki/
- https://grafana.com/docs/loki/latest/
type: application
version: 6.6.1

310
promtail-helm/README.md Normal file
View File

@@ -0,0 +1,310 @@
# promtail
![Version: 6.6.1](https://img.shields.io/badge/Version-6.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.6.1](https://img.shields.io/badge/AppVersion-2.6.1-informational?style=flat-square)
Promtail is an agent which ships the contents of local logs to a Loki instance
## Source Code
* <https://github.com/grafana/loki>
* <https://grafana.com/oss/loki/>
* <https://grafana.com/docs/loki/latest/>
## Chart Repo
Add the following repo to use the chart:
```console
helm repo add grafana https://grafana.github.io/helm-charts
```
## Upgrading
A major chart version change indicates that there is an incompatible breaking change needing manual actions.
### From Chart Versions >= 3.0.0
* Customizeable initContainer added.
### From Chart Versions < 3.0.0
#### Notable Changes
* Helm 3 is required
* Labels have been updated to follow the official Kubernetes [label recommendations](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)
* The default scrape configs have been updated to take new and old labels into consideration
* The config file must be specified as string which can be templated.
See below for details
* The config file is now stored in a Secret and no longer in a ConfigMap because it may contain sensitive data, such as basic auth credentials
Due to the label changes, an existing installation cannot be upgraded without manual interaction.
There are basically two options:
##### Option 1
Uninstall the old release and re-install the new one.
There will be no data loss.
Promtail will cleanly shut down and write the `positions.yaml`.
The new release which will pick up again from the existing `positions.yaml`.
##### Option 2
* Add new selector labels to the existing pods:
```
kubectl label pods -n <namespace> -l app=promtail,release=<release> app.kubernetes.io/name=promtail app.kubernetes.io/instance=<release>
```
* Perform a non-cascading deletion of the DaemonSet which will keep the pods running:
```
kubectl delete daemonset -n <namespace> -l app=promtail,release=<release> --cascade=false
```
* Perform a regular Helm upgrade on the existing release.
The new DaemonSet will pick up the existing pods and perform a rolling upgrade.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity configuration for pods |
| annotations | object | `{}` | Annotations for the DaemonSet |
| config | object | See `values.yaml` | Section for crafting Promtails config file. The only directly relevant value is `config.file` which is a templated string that references the other values and snippets below this key. |
| config.clients | list | See `values.yaml` | The config of clients of the Promtail server Must be reference in `config.file` to configure `clients` |
| config.file | string | See `values.yaml` | Config file contents for Promtail. Must be configured as string. It is templated so it can be assembled from reusable snippets in order to avoid redundancy. |
| config.logLevel | string | `"info"` | The log level of the Promtail server Must be reference in `config.file` to configure `server.log_level` See default config in `values.yaml` |
| config.serverPort | int | `3101` | The port of the Promtail server Must be reference in `config.file` to configure `server.http_listen_port` See default config in `values.yaml` |
| config.snippets | object | See `values.yaml` | A section of reusable snippets that can be reference in `config.file`. Custom snippets may be added in order to reduce redundancy. This is especially helpful when multiple `kubernetes_sd_configs` are use which usually have large parts in common. |
| config.snippets.extraLimitsConfig | string | empty | You can put here any keys that will be directly added to the config file's 'limits_config' block. |
| config.snippets.extraRelabelConfigs | list | `[]` | You can put here any additional relabel_configs to "kubernetes-pods" job |
| config.snippets.extraScrapeConfigs | string | empty | You can put here any additional scrape configs you want to add to the config file. |
| config.snippets.extraServerConfigs | string | empty | You can put here any keys that will be directly added to the config file's 'server' block. |
| configmap.enabled | bool | `false` | If enabled, promtail config will be created as a ConfigMap instead of a secret |
| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | The security context for containers |
| daemonset.enabled | bool | `true` | Deploys Promtail as a DaemonSet |
| defaultVolumeMounts | list | See `values.yaml` | Default volume mounts. Corresponds to `volumes`. |
| defaultVolumes | list | See `values.yaml` | Default volumes that are mounted into pods. In most cases, these should not be changed. Use `extraVolumes`/`extraVolumeMounts` for additional custom volumes. |
| deployment.autoscaling.enabled | bool | `false` | Creates a HorizontalPodAutoscaler for the deployment |
| deployment.autoscaling.maxReplicas | int | `10` | |
| deployment.autoscaling.minReplicas | int | `1` | |
| deployment.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| deployment.autoscaling.targetMemoryUtilizationPercentage | string | `nil` | |
| deployment.enabled | bool | `false` | Deploys Promtail as a Deployment |
| deployment.replicaCount | int | `1` | |
| extraArgs | list | `[]` | |
| extraContainers | object | `{}` | |
| extraEnv | list | `[]` | Extra environment variables |
| extraEnvFrom | list | `[]` | Extra environment variables from secrets or configmaps |
| extraObjects | list | `[]` | Extra K8s manifests to deploy |
| extraPorts | object | `{}` | Configure additional ports and services. For each configured port, a corresponding service is created. See values.yaml for details |
| extraVolumeMounts | list | `[]` | |
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `nil` | Overrides the chart's computed fullname |
| httpPathPrefix | string | `""` | Base path to server all API routes fro |
| image.pullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
| image.registry | string | `"docker.io"` | The Docker registry |
| image.repository | string | `"grafana/promtail"` | Docker image repository |
| image.tag | string | `nil` | Overrides the image tag whose default is the chart's appVersion |
| imagePullSecrets | list | `[]` | Image pull secrets for Docker images |
| initContainer | list | `[]` | |
| livenessProbe | object | `{}` | Liveness probe |
| nameOverride | string | `nil` | Overrides the chart's name |
| networkPolicy.enabled | bool | `false` | Specifies whether Network Policies should be created |
| networkPolicy.k8sApi.cidrs | list | `[]` | Specifies specific network CIDRs you want to limit access to |
| networkPolicy.k8sApi.port | int | `8443` | Specify the k8s API endpoint port |
| networkPolicy.metrics.cidrs | list | `[]` | Specifies specific network CIDRs which are allowed to access the metrics port. In case you use namespaceSelector, you also have to specify your kubelet networks here. The metrics ports are also used for probes. |
| networkPolicy.metrics.namespaceSelector | object | `{}` | Specifies the namespaces which are allowed to access the metrics port |
| networkPolicy.metrics.podSelector | object | `{}` | Specifies the Pods which are allowed to access the metrics port. As this is cross-namespace communication, you also neeed the namespaceSelector. |
| nodeSelector | object | `{}` | Node selector for pods |
| podAnnotations | object | `{}` | Pod annotations |
| podLabels | object | `{}` | Pod labels |
| podSecurityContext | object | `{"runAsGroup":0,"runAsUser":0}` | The security context for pods |
| podSecurityPolicy | object | See `values.yaml` | PodSecurityPolicy configuration. |
| priorityClassName | string | `nil` | The name of the PriorityClass |
| rbac.create | bool | `true` | Specifies whether RBAC resources are to be created |
| rbac.pspEnabled | bool | `false` | Specifies whether a PodSecurityPolicy is to be created |
| readinessProbe | object | See `values.yaml` | Readiness probe |
| resources | object | `{}` | Resource requests and limits |
| serviceAccount.annotations | object | `{}` | Annotations for the service account |
| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created |
| serviceAccount.imagePullSecrets | list | `[]` | Image pull secrets for the service account |
| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. If not set and `create` is true, a name is generated using the fullname template |
| serviceMonitor.annotations | object | `{}` | ServiceMonitor annotations |
| serviceMonitor.enabled | bool | `false` | If enabled, ServiceMonitor resources for Prometheus Operator are created |
| serviceMonitor.interval | string | `nil` | ServiceMonitor scrape interval |
| serviceMonitor.labels | object | `{}` | Additional ServiceMonitor labels |
| serviceMonitor.metricRelabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples as the last step before ingestion https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig (defines `metric_relabel_configs`) |
| serviceMonitor.namespace | string | `nil` | Alternative namespace for ServiceMonitor resources |
| serviceMonitor.namespaceSelector | object | `{}` | Namespace selector for ServiceMonitor resources |
| serviceMonitor.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig (defines `relabel_configs`) |
| serviceMonitor.scheme | string | `"http"` | ServiceMonitor will use http by default, but you can pick https as well |
| serviceMonitor.scrapeTimeout | string | `nil` | ServiceMonitor scrape timeout in Go duration format (e.g. 15s) |
| serviceMonitor.targetLabels | list | `[]` | ServiceMonitor will add labels from the service to the Prometheus metric https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec |
| serviceMonitor.tlsConfig | string | `nil` | ServiceMonitor will use these tlsConfig settings to make the health check requests |
| tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]` | Tolerations for pods. By default, pods will be scheduled on master/control-plane nodes. |
| updateStrategy | object | `{}` | The update strategy for the DaemonSet |
## Configuration
The config file for Promtail must be configured as string.
This is necessary because the contents are passed through the `tpl` function.
With this, the file can be templated and assembled from reusable YAML snippets.
It is common to have multiple `kubernetes_sd_configs` that, in turn, usually need the same `pipeline_stages`.
Thus, extracting reusable snippets helps reduce redundancy and avoid copy/paste errors.
See `values.yaml´ for details.
Also, the following examples make use of this feature.
For additional reference, please refer to Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/
### Syslog Support
```yaml
extraPorts:
syslog:
name: tcp-syslog
containerPort: 1514
service:
port: 80
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 123.234.123.234
config:
snippets:
extraScrapeConfigs: |
# Add an additional scrape config for syslog
- job_name: syslog
syslog:
listen_address: 0.0.0.0:{{ .Values.extraPorts.syslog.containerPort }}
labels:
job: syslog
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: hostname
# example label values: kernel, CRON, kubelet
- source_labels:
- __syslog_message_app_name
target_label: app
# example label values: debug, notice, informational, warning, error
- source_labels:
- __syslog_message_severity
target_label: level
```
Find additional source labels in the Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/#syslog
### Journald Support
```yaml
config:
snippets:
extraScrapeConfigs: |
# Add an additional scrape config for syslog
- job_name: journal
journal:
path: /var/log/journal
max_age: 12h
labels:
job: systemd-journal
relabel_configs:
- source_labels:
- __journal__hostname
target_label: hostname
# example label values: kubelet.service, containerd.service
- source_labels:
- __journal__systemd_unit
target_label: unit
# example label values: debug, notice, info, warning, error
- source_labels:
- __journal_priority_keyword
target_label: level
# Mount journal directory and machine-id file into promtail pods
extraVolumes:
- name: journal
hostPath:
path: /var/log/journal
- name: machine-id
hostPath:
path: /etc/machine-id
extraVolumeMounts:
- name: journal
mountPath: /var/log/journal
readOnly: true
- name: machine-id
mountPath: /etc/machine-id
readOnly: true
```
Find additional configuration options in Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/#journal
More journal source labels can be found here https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html.
> Note that each message from the journal may have a different set of fields and software may write an arbitrary set of custom fields for their logged messages. [(related issue)](https://github.com/grafana/loki/issues/2048#issuecomment-626234611)
The machine-id needs to be available in the container as it is required for scraping.
This is described in Promtail's scraping docs:
https://grafana.com/docs/loki/latest/clients/promtail/scraping/#journal-scraping-linux-only
### Push API Support
```yaml
extraPorts:
httpPush:
name: http-push
containerPort: 3500
grpcPush:
name: grpc-push
containerPort: 3600
config:
file: |
server:
log_level: {{ .Values.config.logLevel }}
http_listen_port: {{ .Values.config.serverPort }}
clients:
- url: {{ .Values.config.lokiAddress }}
positions:
filename: /run/promtail/positions.yaml
scrape_configs:
{{- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 }}
- job_name: push1
loki_push_api:
server:
http_listen_port: {{ .Values.extraPorts.httpPush.containerPort }}
grpc_listen_port: {{ .Values.extraPorts.grpcPush.containerPort }}
labels:
pushserver: push1
```
### Customize client config options
By default, promtail send logs scraped to `loki` server at `http://loki-gateway/loki/api/v1/push`.
If you want to customize clients or add additional options to `loki`, please use the `clients` section. For example, to enable HTTP basic auth and include OrgID header, you can use:
```yaml
config:
clients:
- url: http://loki.server/loki/api/v1/push
tenant_id: 1
basic_auth:
username: loki
password: secret
```

229
promtail-helm/README.md.gotmpl Normal file
View File

@@ -0,0 +1,229 @@
{{ template "chart.header" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
## Chart Repo
Add the following repo to use the chart:
```console
helm repo add grafana https://grafana.github.io/helm-charts
```
## Upgrading
A major chart version change indicates that there is an incompatible breaking change needing manual actions.
### From Chart Versions >= 3.0.0
* Customizeable initContainer added.
### From Chart Versions < 3.0.0
#### Notable Changes
* Helm 3 is required
* Labels have been updated to follow the official Kubernetes [label recommendations](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)
* The default scrape configs have been updated to take new and old labels into consideration
* The config file must be specified as string which can be templated.
See below for details
* The config file is now stored in a Secret and no longer in a ConfigMap because it may contain sensitive data, such as basic auth credentials
Due to the label changes, an existing installation cannot be upgraded without manual interaction.
There are basically two options:
##### Option 1
Uninstall the old release and re-install the new one.
There will be no data loss.
Promtail will cleanly shut down and write the `positions.yaml`.
The new release which will pick up again from the existing `positions.yaml`.
##### Option 2
* Add new selector labels to the existing pods:
```
kubectl label pods -n <namespace> -l app=promtail,release=<release> app.kubernetes.io/name=promtail app.kubernetes.io/instance=<release>
```
* Perform a non-cascading deletion of the DaemonSet which will keep the pods running:
```
kubectl delete daemonset -n <namespace> -l app=promtail,release=<release> --cascade=false
```
* Perform a regular Helm upgrade on the existing release.
The new DaemonSet will pick up the existing pods and perform a rolling upgrade.
{{ template "chart.valuesSection" . }}
## Configuration
The config file for Promtail must be configured as string.
This is necessary because the contents are passed through the `tpl` function.
With this, the file can be templated and assembled from reusable YAML snippets.
It is common to have multiple `kubernetes_sd_configs` that, in turn, usually need the same `pipeline_stages`.
Thus, extracting reusable snippets helps reduce redundancy and avoid copy/paste errors.
See `values.yaml´ for details.
Also, the following examples make use of this feature.
For additional reference, please refer to Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/
### Syslog Support
```yaml
extraPorts:
syslog:
name: tcp-syslog
containerPort: 1514
service:
port: 80
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 123.234.123.234
config:
snippets:
extraScrapeConfigs: |
# Add an additional scrape config for syslog
- job_name: syslog
syslog:
listen_address: 0.0.0.0:{{"{{"}} .Values.extraPorts.syslog.containerPort {{"}}"}}
labels:
job: syslog
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: hostname
# example label values: kernel, CRON, kubelet
- source_labels:
- __syslog_message_app_name
target_label: app
# example label values: debug, notice, informational, warning, error
- source_labels:
- __syslog_message_severity
target_label: level
```
Find additional source labels in the Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/#syslog
### Journald Support
```yaml
config:
snippets:
extraScrapeConfigs: |
# Add an additional scrape config for syslog
- job_name: journal
journal:
path: /var/log/journal
max_age: 12h
labels:
job: systemd-journal
relabel_configs:
- source_labels:
- __journal__hostname
target_label: hostname
# example label values: kubelet.service, containerd.service
- source_labels:
- __journal__systemd_unit
target_label: unit
# example label values: debug, notice, info, warning, error
- source_labels:
- __journal_priority_keyword
target_label: level
# Mount journal directory and machine-id file into promtail pods
extraVolumes:
- name: journal
hostPath:
path: /var/log/journal
- name: machine-id
hostPath:
path: /etc/machine-id
extraVolumeMounts:
- name: journal
mountPath: /var/log/journal
readOnly: true
- name: machine-id
mountPath: /etc/machine-id
readOnly: true
```
Find additional configuration options in Promtail's docs:
https://grafana.com/docs/loki/latest/clients/promtail/configuration/#journal
More journal source labels can be found here https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html.
> Note that each message from the journal may have a different set of fields and software may write an arbitrary set of custom fields for their logged messages. [(related issue)](https://github.com/grafana/loki/issues/2048#issuecomment-626234611)
The machine-id needs to be available in the container as it is required for scraping.
This is described in Promtail's scraping docs:
https://grafana.com/docs/loki/latest/clients/promtail/scraping/#journal-scraping-linux-only
### Push API Support
```yaml
extraPorts:
httpPush:
name: http-push
containerPort: 3500
grpcPush:
name: grpc-push
containerPort: 3600
config:
file: |
server:
log_level: {{"{{"}} .Values.config.logLevel {{"}}"}}
http_listen_port: {{"{{"}} .Values.config.serverPort {{"}}"}}
clients:
- url: {{"{{"}} .Values.config.lokiAddress {{"}}"}}
positions:
filename: /run/promtail/positions.yaml
scrape_configs:
{{"{{"}}- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 {{"}}"}}
- job_name: push1
loki_push_api:
server:
http_listen_port: {{"{{"}} .Values.extraPorts.httpPush.containerPort {{"}}"}}
grpc_listen_port: {{"{{"}} .Values.extraPorts.grpcPush.containerPort {{"}}"}}
labels:
pushserver: push1
```
### Customize client config options
By default, promtail send logs scraped to `loki` server at `http://loki-gateway/loki/api/v1/push`.
If you want to customize clients or add additional options to `loki`, please use the `clients` section. For example, to enable HTTP basic auth and include OrgID header, you can use:
```yaml
config:
clients:
- url: http://loki.server/loki/api/v1/push
tenant_id: 1
basic_auth:
username: loki
password: secret
```

6
promtail-helm/ci/autoscaled-deployment-values.yaml Normal file
View File

@@ -0,0 +1,6 @@
daemonset:
enabled: false
deployment:
enabled: true
autoscaling:
enabled: true

0
promtail-helm/ci/default-values.yaml Normal file
View File

4
promtail-helm/ci/deployment-values.yaml Normal file
View File

@@ -0,0 +1,4 @@
daemonset:
enabled: false
deployment:
enabled: true

53
promtail-helm/ci/netpol-values.yaml Normal file
View File

@@ -0,0 +1,53 @@
extraPorts:
syslog:
name: tcp-syslog
containerPort: 1514
service:
port: 1234
type: NodePort
httpPush:
name: http-push
containerPort: 3500
grpcPush:
name: grpc-push
containerPort: 3600
config:
snippets:
extraScrapeConfigs: |
- job_name: syslog
syslog:
listen_address: 0.0.0.0:{{ .Values.extraPorts.syslog.containerPort }}
labels:
job: syslog
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: host
- job_name: push1
loki_push_api:
server:
http_listen_port: {{ .Values.extraPorts.httpPush.containerPort }}
grpc_listen_port: {{ .Values.extraPorts.grpcPush.containerPort }}
labels:
pushserver: push1
networkPolicy:
# -- Specifies whether Network Policies should be created
enabled: true
metrics:
# -- Specifies the Pods which are allowed to access the metrics port.
# As this is cross-namespace communication, you also neeed the namespaceSelector.
podSelector: {}
# -- Specifies the namespaces which are allowed to access the metrics port
namespaceSelector: {}
# -- Specifies specific network CIDRs which are allowed to access the metrics port.
# In case you use namespaceSelector, you also have to specify your kubelet networks here.
# The metrics ports are also used for probes.
cidrs: []
k8sApi:
# -- Specify the k8s API endpoint port
port: 8443
# -- Specifies specific network CIDRs you want to limit access to
cidrs: []

34
promtail-helm/ci/service-values.yaml Normal file
View File

@@ -0,0 +1,34 @@
extraPorts:
syslog:
name: tcp-syslog
containerPort: 1514
service:
port: 1234
type: NodePort
httpPush:
name: http-push
containerPort: 3500
grpcPush:
name: grpc-push
containerPort: 3600
config:
snippets:
extraScrapeConfigs: |
- job_name: syslog
syslog:
listen_address: 0.0.0.0:{{ .Values.extraPorts.syslog.containerPort }}
labels:
job: syslog
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: host
- job_name: push1
loki_push_api:
server:
http_listen_port: {{ .Values.extraPorts.httpPush.containerPort }}
grpc_listen_port: {{ .Values.extraPorts.grpcPush.containerPort }}
labels:
pushserver: push1

15
promtail-helm/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,15 @@
***********************************************************************
Welcome to Grafana Promtail
Chart version: {{ .Chart.Version }}
Promtail version: {{ .Values.image.tag | default .Chart.AppVersion }}
***********************************************************************
Verify the application is working by running these commands:
{{- if .Values.daemonset.enabled }}
* kubectl --namespace {{ .Release.Namespace }} port-forward daemonset/{{ include "promtail.fullname" . }} {{ .Values.config.serverPort }}
{{- end }}
{{- if .Values.deployment.enabled }}
* kubectl --namespace {{ .Release.Namespace }} port-forward deployment/{{ include "promtail.fullname" . }} {{ .Values.config.serverPort }}
{{- end }}
* curl http://127.0.0.1:{{ .Values.config.serverPort }}/metrics

80
promtail-helm/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,80 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "promtail.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "promtail.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "promtail.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "promtail.labels" -}}
helm.sh/chart: {{ include "promtail.chart" . }}
{{ include "promtail.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "promtail.selectorLabels" -}}
app.kubernetes.io/name: {{ include "promtail.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account
*/}}
{{- define "promtail.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "promtail.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
The service name to connect to Loki. Defaults to the same logic as "loki.fullname"
*/}}
{{- define "loki.serviceName" -}}
{{- if .Values.loki.serviceName -}}
{{- .Values.loki.serviceName -}}
{{- else if .Values.loki.fullnameOverride -}}
{{- .Values.loki.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default "loki" .Values.loki.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

117
promtail-helm/templates/_pod.tpl Normal file
View File

@@ -0,0 +1,117 @@
{{/*
Pod template used in Daemonset and Deployment
*/}}
{{- define "promtail.podTemplate" }}
metadata:
labels:
{{- include "promtail.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "promtail.serviceAccountName" . }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.initContainer }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: promtail
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- "-config.file=/etc/promtail/promtail.yaml"
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /etc/promtail
{{- with .Values.defaultVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http-metrics
containerPort: {{ .Values.config.serverPort }}
protocol: TCP
{{- range $key, $values := .Values.extraPorts }}
- name: {{ .name | default $key }}
containerPort: {{ $values.containerPort }}
protocol: {{ $values.protocol | default "TCP" }}
{{- end }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- with .Values.livenessProbe }}
livenessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.deployment.enabled }}
{{- range $name, $values := .Values.extraContainers }}
- name: {{ $name }}
{{ toYaml $values | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
{{- if .Values.configmap.enabled }}
configMap:
name: {{ include "promtail.fullname" . }}
{{- else }}
secret:
secretName: {{ include "promtail.fullname" . }}
{{- end }}
{{- with .Values.defaultVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

21
promtail-helm/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "promtail.fullname" . }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
- nodes/proxy
- services
- endpoints
- pods
verbs:
- get
- watch
- list
{{- end }}

16
promtail-helm/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "promtail.fullname" . }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "promtail.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "promtail.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

12
promtail-helm/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.configmap.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "promtail.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
data:
promtail.yaml: |
{{- tpl .Values.config.file . | nindent 4 }}
{{- end }}

21
promtail-helm/templates/daemonset.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if .Values.daemonset.enabled -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "promtail.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
updateStrategy:
{{- toYaml .Values.updateStrategy | nindent 4 }}
template:
{{- include "promtail.podTemplate" . -}}
{{- end -}}

22
promtail-helm/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.deployment.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "promtail.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.deployment.autoscaling.enabled }}
replicas: {{ .Values.deployment.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
template:
{{- include "promtail.podTemplate" . -}}
{{- end -}}

4
promtail-helm/templates/extra-manifests.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .) $ }}
{{ end }}

31
promtail-helm/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{- if and .Values.deployment.enabled .Values.deployment.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "promtail.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "promtail.fullname" . }}
{{- with .Values.deployment.autoscaling }}
minReplicas: {{ .minReplicas }}
maxReplicas: {{ .maxReplicas }}
metrics:
{{- with .targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ . }}
{{- end }}
{{- with .targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ . }}
{{- end }}
{{- end }}
{{- end }}

126
promtail-helm/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,126 @@
{{- if .Values.networkPolicy.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "promtail.name" . }}-namespace-only
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
egress:
- to:
- podSelector: {}
ingress:
- from:
- podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "promtail.name" . }}-egress-dns
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
- ports:
- port: 53
protocol: UDP
to:
- namespaceSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "promtail.name" . }}-egress-k8s-api
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
- ports:
- port: {{ .Values.networkPolicy.k8sApi.port }}
protocol: TCP
{{- if len .Values.networkPolicy.k8sApi.cidrs }}
to:
{{- range $cidr := .Values.networkPolicy.k8sApi.cidrs }}
- ipBlock:
cidr: {{ $cidr }}
{{- end }}
{{- end }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "promtail.name" . }}-ingress-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
ingress:
- ports:
- port: http-metrics
protocol: TCP
{{- if len .Values.networkPolicy.metrics.cidrs }}
from:
{{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
- ipBlock:
cidr: {{ $cidr }}
{{- end }}
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
- namespaceSelector:
{{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 12 }}
{{- if .Values.networkPolicy.metrics.podSelector }}
podSelector:
{{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraPorts }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "promtail.name" . }}-egress-extra-ports
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "promtail.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
- ports:
{{- range $extraPortConfig := .Values.extraPorts }}
- port: {{ $extraPortConfig.containerPort }}
protocol: {{ $extraPortConfig.protocol }}
{{- end }}
{{- end }}
{{- end }}

12
promtail-helm/templates/podsecuritypolicy.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "promtail.fullname" . }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
{{- toYaml .Values.podSecurityPolicy | nindent 2 }}
{{- end }}
{{- end }}

18
promtail-helm/templates/role.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "promtail.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ include "promtail.fullname" . }}
{{- end }}

16
promtail-helm/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "promtail.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "promtail.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ include "promtail.serviceAccountName" . }}
{{- end }}

12
promtail-helm/templates/secret.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if not .Values.configmap.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "promtail.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
stringData:
promtail.yaml: |
{{- tpl .Values.config.file . | nindent 4 }}
{{- end }}

52
promtail-helm/templates/service-extra.yaml Normal file
View File

@@ -0,0 +1,52 @@
{{- range $key, $values := .Values.extraPorts }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "promtail.fullname" $ }}-{{ $key | lower }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "promtail.labels" $ | nindent 4 }}
{{- with .labels }}
{{- toYaml $ | nindent 4 }}
{{- end }}
{{- with .annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with $values.service }}
type: {{ .type | default "ClusterIP" }}
{{- with .clusterIP }}
clusterIP: {{ . }}
{{- end }}
{{- with .loadBalancerIP }}
loadBalancerIP: {{ . }}
{{- end }}
{{- with .loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml . | nindent 4 }}
{{- end -}}
{{- with .externalIPs }}
externalIPs:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .externalTrafficPolicy }}
externalTrafficPolicy: {{ . }}
{{- end }}
{{- end }}
ports:
- name: {{ .name | default $key }}
targetPort: {{ .name | default $key }}
protocol: {{ $values.protocol | default "TCP" }}
{{- if $values.service }}
port: {{ $values.service.port | default $values.containerPort }}
{{- if $values.service.nodePort }}
nodePort: {{ $values.service.nodePort }}
{{- end }}
{{- else }}
port: {{ $values.containerPort }}
{{- end }}
selector:
{{- include "promtail.selectorLabels" $ | nindent 4 }}
{{- end }}

18
promtail-helm/templates/service-metrics.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "promtail.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
spec:
clusterIP: None
ports:
- name: http-metrics
port: {{ .Values.config.serverPort }}
targetPort: http-metrics
protocol: TCP
selector:
{{- include "promtail.selectorLabels" . | nindent 4 }}
{{- end }}

17
promtail-helm/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "promtail.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "promtail.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

58
promtail-helm/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{- with .Values.serviceMonitor }}
{{- if .enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "promtail.fullname" $ }}
{{- with .namespace }}
namespace: {{ . }}
{{- end }}
{{- with .annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "promtail.labels" $ | nindent 4 }}
{{- with .labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "promtail.selectorLabels" $ | nindent 6 }}
endpoints:
- port: http-metrics
{{- with $.Values.httpPathPrefix }}
path: {{ . }}
{{- end }}
{{- with .interval }}
interval: {{ . }}
{{- end }}
{{- with .scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- with .relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .scheme }}
scheme: {{ . }}
{{- end }}
{{- with .tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .targetLabels }}
targetLabels:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

456
promtail-helm/values.yaml Normal file
View File

@@ -0,0 +1,456 @@
# -- Overrides the chart's name
nameOverride: null
# -- Overrides the chart's computed fullname
fullnameOverride: null
daemonset:
# -- Deploys Promtail as a DaemonSet
enabled: true
deployment:
# -- Deploys Promtail as a Deployment
enabled: false
replicaCount: 1
autoscaling:
# -- Creates a HorizontalPodAutoscaler for the deployment
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage:
configmap:
# -- If enabled, promtail config will be created as a ConfigMap instead of a secret
enabled: false
initContainer: []
# # -- Specifies whether the init container for setting inotify max user instances is to be enabled
# - name: init
# # -- Docker registry, image and tag for the init container image
# image: docker.io/busybox:1.33
# # -- Docker image pull policy for the init container image
# imagePullPolicy: IfNotPresent
# # -- The inotify max user instances to configure
# command:
# - sh
# - -c
# - sysctl -w fs.inotify.max_user_instances=128
# securityContext:
# privileged: true
image:
# -- The Docker registry
registry: docker.io
# -- Docker image repository
repository: grafana/promtail
# -- Overrides the image tag whose default is the chart's appVersion
tag: null
# -- Docker image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets for Docker images
imagePullSecrets: []
# -- Annotations for the DaemonSet
annotations: {}
# -- The update strategy for the DaemonSet
updateStrategy: {}
# -- Pod labels
podLabels: {}
# -- Pod annotations
podAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "http-metrics"
# -- The name of the PriorityClass
priorityClassName: null
# -- Liveness probe
livenessProbe: {}
# -- Readiness probe
# @default -- See `values.yaml`
readinessProbe:
failureThreshold: 5
httpGet:
path: "{{ printf `%s/ready` .Values.httpPathPrefix }}"
port: http-metrics
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
# -- Resource requests and limits
resources: {}
# limits:
# cpu: 200m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- The security context for pods
podSecurityContext:
runAsUser: 0
runAsGroup: 0
# -- The security context for containers
containerSecurityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
rbac:
# -- Specifies whether RBAC resources are to be created
create: true
# -- Specifies whether a PodSecurityPolicy is to be created
pspEnabled: false
serviceAccount:
# -- Specifies whether a ServiceAccount should be created
create: true
# -- The name of the ServiceAccount to use.
# If not set and `create` is true, a name is generated using the fullname template
name: null
# -- Image pull secrets for the service account
imagePullSecrets: []
# -- Annotations for the service account
annotations: {}
# -- Node selector for pods
nodeSelector: {}
# -- Affinity configuration for pods
affinity: {}
# -- Tolerations for pods. By default, pods will be scheduled on master/control-plane nodes.
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
# -- Default volumes that are mounted into pods. In most cases, these should not be changed.
# Use `extraVolumes`/`extraVolumeMounts` for additional custom volumes.
# @default -- See `values.yaml`
defaultVolumes:
- name: run
hostPath:
path: /run/promtail
- name: containers
hostPath:
path: /var/lib/docker/containers
- name: pods
hostPath:
path: /var/log/pods
# -- Default volume mounts. Corresponds to `volumes`.
# @default -- See `values.yaml`
defaultVolumeMounts:
- name: run
mountPath: /run/promtail
- name: containers
mountPath: /var/lib/docker/containers
readOnly: true
- name: pods
mountPath: /var/log/pods
readOnly: true
# Extra volumes to be added in addition to those specified under `defaultVolumes`.
extraVolumes: []
# Extra volume mounts together. Corresponds to `extraVolumes`.
extraVolumeMounts: []
# Extra args for the Promtail container.
extraArgs: []
# -- Example:
# -- extraArgs:
# -- - -client.external-labels=hostname=$(HOSTNAME)
# -- Extra environment variables
extraEnv: []
# -- Extra environment variables from secrets or configmaps
extraEnvFrom: []
# ServiceMonitor configuration
serviceMonitor:
# -- If enabled, ServiceMonitor resources for Prometheus Operator are created
enabled: false
# -- Alternative namespace for ServiceMonitor resources
namespace: null
# -- Namespace selector for ServiceMonitor resources
namespaceSelector: {}
# -- ServiceMonitor annotations
annotations: {}
# -- Additional ServiceMonitor labels
labels: {}
# -- ServiceMonitor scrape interval
interval: null
# -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s)
scrapeTimeout: null
# -- ServiceMonitor relabel configs to apply to samples before scraping
# https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
# (defines `relabel_configs`)
relabelings: []
# -- ServiceMonitor relabel configs to apply to samples as the last
# step before ingestion
# https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
# (defines `metric_relabel_configs`)
metricRelabelings: []
# --ServiceMonitor will add labels from the service to the Prometheus metric
# https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
targetLabels: []
# -- ServiceMonitor will use http by default, but you can pick https as well
scheme: http
# -- ServiceMonitor will use these tlsConfig settings to make the health check requests
tlsConfig: null
# Extra containers created as part of a Promtail Deployment resource
# - spec for Container:
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core
#
# Note that the key is used as the `name` field, i.e. below will create a
# container named `promtail-proxy`.
extraContainers: {}
# promtail-proxy:
# image: nginx
# ...
# -- Configure additional ports and services. For each configured port, a corresponding service is created.
# See values.yaml for details
extraPorts: {}
# syslog:
# name: tcp-syslog
# containerPort: 1514
# protocol: TCP
# service:
# type: ClusterIP
# clusterIP: null
# port: 1514
# externalIPs: []
# nodePort: null
# annotations: {}
# labels: {}
# loadBalancerIP: null
# loadBalancerSourceRanges: []
# externalTrafficPolicy: null
# -- PodSecurityPolicy configuration.
# @default -- See `values.yaml`
podSecurityPolicy:
privileged: true
allowPrivilegeEscalation: true
volumes:
- 'secret'
- 'hostPath'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: true
requiredDropCapabilities:
- ALL
# -- Section for crafting Promtails config file. The only directly relevant value is `config.file`
# which is a templated string that references the other values and snippets below this key.
# @default -- See `values.yaml`
config:
# -- The log level of the Promtail server
# Must be reference in `config.file` to configure `server.log_level`
# See default config in `values.yaml`
logLevel: info
# -- The port of the Promtail server
# Must be reference in `config.file` to configure `server.http_listen_port`
# See default config in `values.yaml`
serverPort: 3101
# -- The config of clients of the Promtail server
# Must be reference in `config.file` to configure `clients`
# @default -- See `values.yaml`
clients:
- url: http://loki-gateway/loki/api/v1/push
# -- A section of reusable snippets that can be reference in `config.file`.
# Custom snippets may be added in order to reduce redundancy.
# This is especially helpful when multiple `kubernetes_sd_configs` are use which usually have large parts in common.
# @default -- See `values.yaml`
snippets:
pipelineStages:
- cri: {}
common:
- action: replace
source_labels:
- __meta_kubernetes_pod_node_name
target_label: node_name
- action: replace
source_labels:
- __meta_kubernetes_namespace
target_label: namespace
- action: replace
replacement: $1
separator: /
source_labels:
- namespace
- app
target_label: job
- action: replace
source_labels:
- __meta_kubernetes_pod_name
target_label: pod
- action: replace
source_labels:
- __meta_kubernetes_pod_container_name
target_label: container
- action: replace
replacement: /var/log/pods/*$1/*.log
separator: /
source_labels:
- __meta_kubernetes_pod_uid
- __meta_kubernetes_pod_container_name
target_label: __path__
- action: replace
replacement: /var/log/pods/*$1/*.log
regex: true/(.*)
separator: /
source_labels:
- __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash
- __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
- __meta_kubernetes_pod_container_name
target_label: __path__
# If set to true, adds an additional label for the scrape job.
# This helps debug the Promtail config.
addScrapeJobLabel: false
# -- You can put here any keys that will be directly added to the config file's 'limits_config' block.
# @default -- empty
extraLimitsConfig: ""
# -- You can put here any keys that will be directly added to the config file's 'server' block.
# @default -- empty
extraServerConfigs: ""
# -- You can put here any additional scrape configs you want to add to the config file.
# @default -- empty
extraScrapeConfigs: ""
# -- You can put here any additional relabel_configs to "kubernetes-pods" job
extraRelabelConfigs: []
scrapeConfigs: |
# See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference
- job_name: kubernetes-pods
pipeline_stages:
{{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }}
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_controller_name
regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
action: replace
target_label: __tmp_controller_name
- source_labels:
- __meta_kubernetes_pod_label_app_kubernetes_io_name
- __meta_kubernetes_pod_label_app
- __tmp_controller_name
- __meta_kubernetes_pod_name
regex: ^;*([^;]+)(;.*)?$
action: replace
target_label: app
- source_labels:
- __meta_kubernetes_pod_label_app_kubernetes_io_instance
- __meta_kubernetes_pod_label_release
regex: ^;*([^;]+)(;.*)?$
action: replace
target_label: instance
- source_labels:
- __meta_kubernetes_pod_label_app_kubernetes_io_component
- __meta_kubernetes_pod_label_component
regex: ^;*([^;]+)(;.*)?$
action: replace
target_label: component
{{- if .Values.config.snippets.addScrapeJobLabel }}
- replacement: kubernetes-pods
target_label: scrape_job
{{- end }}
{{- toYaml .Values.config.snippets.common | nindent 4 }}
{{- with .Values.config.snippets.extraRelabelConfigs }}
{{- toYaml . | nindent 4 }}
{{- end }}
# -- Config file contents for Promtail.
# Must be configured as string.
# It is templated so it can be assembled from reusable snippets in order to avoid redundancy.
# @default -- See `values.yaml`
file: |
server:
log_level: {{ .Values.config.logLevel }}
http_listen_port: {{ .Values.config.serverPort }}
{{- with .Values.httpPathPrefix }}
http_path_prefix: {{ . }}
{{- end }}
{{- tpl .Values.config.snippets.extraServerConfigs . | nindent 2 }}
clients:
{{- tpl (toYaml .Values.config.clients) . | nindent 2 }}
positions:
filename: /run/promtail/positions.yaml
scrape_configs:
{{- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 }}
{{- tpl .Values.config.snippets.extraScrapeConfigs . | nindent 2 }}
limits_config:
{{- tpl .Values.config.snippets.extraLimitsConfig . | nindent 2 }}
networkPolicy:
# -- Specifies whether Network Policies should be created
enabled: false
metrics:
# -- Specifies the Pods which are allowed to access the metrics port.
# As this is cross-namespace communication, you also neeed the namespaceSelector.
podSelector: {}
# -- Specifies the namespaces which are allowed to access the metrics port
namespaceSelector: {}
# -- Specifies specific network CIDRs which are allowed to access the metrics port.
# In case you use namespaceSelector, you also have to specify your kubelet networks here.
# The metrics ports are also used for probes.
cidrs: []
k8sApi:
# -- Specify the k8s API endpoint port
port: 8443
# -- Specifies specific network CIDRs you want to limit access to
cidrs: []
# -- Base path to server all API routes fro
httpPathPrefix: ""
# -- Extra K8s manifests to deploy
extraObjects: []
# - apiVersion: "kubernetes-client.io/v1"
# kind: ExternalSecret
# metadata:
# name: promtail-secrets
# spec:
# backendType: gcpSecretsManager
# data:
# - key: promtail-oauth2-creds
# name: client_secret

71
promtell-localhost/README.md Normal file
View File

@@ -0,0 +1,71 @@
# install
1. install from binary
```bash
curl -s https://api.github.com/repos/grafana/loki/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep promtail-linux-amd64.zip | wget -i -
unzip promtail-linux-amd64.zip
sudo mv promtail-linux-amd64 /usr/local/bin/promtail
```
2. check
```bash
promtail --version
```
3. crate base config
```bash
sudo tee /etc/promtail-local-config.yaml<<EOF
server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /data/loki/positions.yaml
clients:
- url: http://<DOMAIN_LOKI>:3100/loki/api/v1/push
basic_auth:
username: loki
password: <PASSWORD>
scrape_configs:
- job_name: system
static_configs:
- targets:
- localhost
labels:
job: varlogs
__path__: /var/log/*log
relabel_configs:
- target_label: node
replacement: <NODE_NAME>
EOF
```
4. create service
```bash
sudo tee /etc/systemd/system/promtail.service<<EOF
[Unit]
Description=Promtail service
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/promtail -config.file /etc/promtail-local-config.yaml
[Install]
WantedBy=multi-user.target
EOF
```
4. restart
```bash
sudo systemctl daemon-reload
sudo systemctl start promtail.service
```