create rosa-loki chart (#51)

Signed-off-by: Paul Czarkowski <[email protected]>

README.md

@@ -24,7 +24,7 @@ See [/charts](charts) for a list of charts.
 
 ## Starters
 
-To create a new chat using one of our starters, clone down this repo and run
+To create a new chart using one of our starters, clone down this repo and run
 
 ```bash
 helm create example-cr --starter $(pwd)/../starters/cr

charts/rosa-loki/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/rosa-loki/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: rosa-loki
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+dependencies:
+  - name: grafana-cr
+    version: "0.2.1"
+    repository: "https://rh-mobb.github.io/helm-charts/"
+home: "https://rh-mobb.github.io/helm-charts/"
+maintainers:
+  - name: rh-mobb

charts/rosa-loki/README.md

@@ -0,0 +1,181 @@
+# Helm Chart to configure Lokistack on ROSA
+
+This helm chart will set up a ROSA cluster to store Audit, Infrastructure, and Application logs in Loki (backed by s3).
+
+## Prerequisites
+
+* A ROSA cluster
+* Helm CLI
+
+## Prepare Environment
+
+1. Set some environment variables
+
+    > Change these to suit your environment / cluster
+
+    ```bash
+    export CLUSTER_NAME="$(whoami)-sts"
+    export NAMESPACE=cluster-logging
+    export AWS_REGION=us-east-1
+    export SCRATCH=/tmp/rosa-loki
+    mkdir -p $SCRATCH
+    ```
+
+1. Add the MOBB chart repository to your Helm
+
+    ```bash
+    helm repo add mobb https://rh-mobb.github.io/helm-charts/
+    ```
+
+1. Update your repositories
+
+    ```bash
+    helm repo update
+    ```
+
+## Prepare AWS Account
+
+1. Create S3 bucket
+
+    ```bash
+    aws s3api create-bucket --bucket "rosa-${CLUSTER_NAME}-loki" \
+      --region "${AWS_REGION}"
+    ```
+
+1. Create an IAM Policy
+
+    ```bash
+    cat << EOF > ${SCRATCH}/policy.json
+    {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::rosa-${CLUSTER_NAME}-loki",
+                "arn:aws:s3:::rosa-${CLUSTER_NAME}-loki/*"
+            ]
+      }
+    ]
+    }
+    EOF
+    POLICY_ARN=$(aws iam create-policy --policy-name "rosa-${CLUSTER_NAME}-loki" \
+    --policy-document file:///${SCRATCH}/policy.json --query Policy.Arn --output text)
+    echo ${POLICY_ARN}
+    ```
+
+1. Create an IAM user for Loki
+
+    ```bash
+    aws iam create-user \
+      --user-name rosa-${CLUSTER_NAME}-loki \
+      > $SCRATCH/aws-user.json
+   ```
+
+1. Create IAM Access Key and save it to variables
+
+    ```bash
+    aws iam create-access-key \
+      --user-name rosa-${CLUSTER_NAME}-loki \
+      > $SCRATCH/aws-access-key.json
+
+    AWS_ID=`cat $SCRATCH/aws-access-key.json | jq -r '.AccessKey.AccessKeyId'`
+    AWS_KEY=`cat $SCRATCH/aws-access-key.json | jq -r '.AccessKey.SecretAccessKey'`
+    ```
+
+## Deploy and Configure Loki
+
+1. Create a namespace to deploy to
+
+    ```bash
+    oc new-project $NAMESPACE
+    ```
+
+1. Use the `mobb/operatorhub` chart to deploy the needed operators
+
+    ```bash
+    helm upgrade -n $NAMESPACE custom-logging-operators \
+      mobb/operatorhub --install \
+      --values https://raw.githubusercontent.com/rh-mobb/helm-charts/main/charts/rosa-loki/files/operatorhub.yaml
+    ```
+
+1. Wait until the two operators are running
+
+    ```bash
+    oc -n openshift-logging rollout status \
+      deployment cluster-logging-operator
+    oc -n $NAMESPACE rollout status deployment \
+      grafana-operator-controller-manager
+    oc -n openshift-operators-redhat rollout status \
+      deployment loki-operator-controller-manager
+    ```
+
+    ```
+    deployment "cluster-logging-operator" successfully rolled out
+    deployment "grafana-operator-controller-manager" successfully rolled out
+    deployment "loki-operator-controller-manager" successfully rolled out
+    ```
+
+## Deploy the Helm Chart
+
+1. Install a Chart
+
+    ```bash
+    helm upgrade --install -n $NAMESPACE cluster-logging \
+      --set "aws_access_key_id=${AWS_ID}" \
+      --set "aws_access_key_secret=${AWS_KEY}" \
+      --set "aws_region=${AWS_REGION}" \
+      --set "aws_s3_bucket_name=rosa-${CLUSTER_NAME}-loki" \
+      mobb/rosa-loki
+    ```
+
+1. Check to see the Lokistack pods are started
+
+    ```bash
+    oc -n openshift-logging get pods
+    ```
+
+    ```
+    NAME                                           READY   STATUS    RESTARTS   AGE
+    cluster-logging-operator-6fd6dbc575-xzxpc      1/1     Running   0          38m
+    collector-4ckl2                                2/2     Running   0          98s
+    collector-dw4jn                                2/2     Running   0          97s
+    collector-fjv4p                                2/2     Running   0          97s
+    collector-lth49                                2/2     Running   0          97s
+    collector-qqxv8                                2/2     Running   0          97s
+    logging-loki-compactor-0                       1/1     Running   0          86s
+    logging-loki-distributor-79d8db5f89-xmpmz      1/1     Running   0          86s
+    logging-loki-gateway-69f68f5685-54bgz          2/2     Running   0          86s
+    logging-loki-gateway-69f68f5685-ql6hk          2/2     Running   0          86s
+    logging-loki-index-gateway-0                   1/1     Running   0          86s
+    logging-loki-ingester-0                        1/1     Running   0          86s
+    logging-loki-querier-766cfd6bcd-79k28          1/1     Running   0          86s
+    logging-loki-query-frontend-7f8cdb6885-x5n49   1/1     Running   0          86s
+    logging-view-plugin-b97d78895-wwqts            1/1     Running   0          102s
+    ```
+
+> Note: If you want to view logs from the Console, you can enabled it via **Operators > Installed Operators > Red Hat OpenShift Logging > Console Plugin**.
+
+1. Fetch the Route for Grafana
+
+    ```bash
+    oc get route grafana-route -o jsonpath='{"https://"}{.spec.host}{"\n"}'
+    ```
+
+    ```
+    https://grafana-route-cluster-logging.apps.pczarkow-sts.h5yv.p1.openshiftapps.com
+    ```
+
+1. Browse to the Route via your preferred Web browser and log in using your OpenShift credentials.
+
+1. Click the Compass icon in the menu and Click **Explore**
+
+1. Change the Source from `Grafana` to `Loki (Infrastructure)` and search for `{kubernetes_namespace_name="cluster-logging"}`.
+
+    ![screenshot showing loki accessing logs](./files/loki-logs.png)

charts/rosa-loki/files/operatorhub.yaml

@@ -0,0 +1,30 @@
+subscriptions:
+  - name: grafana-operator
+    channel: v4
+    installPlanApproval: Automatic
+    source: community-operators
+    sourceNamespace: openshift-marketplace
+  - name: cluster-logging
+    namespace: openshift-logging
+    channel: stable
+    installPlanApproval: Automatic
+    source: redhat-operators
+    sourceNamespace: openshift-marketplace
+  - name: loki-operator
+    channel: stable
+    installPlanApproval: Automatic
+    source: redhat-operators
+    sourceNamespace: openshift-marketplace
+    namespace: openshift-operators-redhat
+operatorGroups:
+  - name: cluster-logging
+    targetNamespace: ~
+  - name: openshift-operators-redhat
+    namespace: openshift-operators-redhat
+    targetNamespace: all
+catalogSources: []
+#   - name: operatorhubio
+#     sourceType: grpc
+#     image: quay.io/operator-framework/upstream-community-operators:latest
+#     displayName: Community Operators
+#     publisher: OperatorHub.io

charts/rosa-loki/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rosa-loki.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "rosa-loki.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rosa-loki.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "rosa-loki.labels" -}}
+helm.sh/chart: {{ include "rosa-loki.chart" . }}
+{{ include "rosa-loki.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "rosa-loki.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "rosa-loki.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "rosa-loki.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "rosa-loki.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/rosa-loki/templates/clusterlogforwarder.yaml

@@ -0,0 +1,20 @@
+apiVersion: logging.openshift.io/v1
+kind: ClusterLogForwarder
+metadata:
+  name: instance
+  namespace: openshift-logging
+spec:
+  pipelines:
+  - name: logs-to-default
+    inputRefs:
+    {{ if .Values.forward_infrastructure }}
+    - infrastructure
+    {{ end }}
+    {{ if .Values.forward_application }}
+    - application
+    {{ end }}
+    {{ if .Values.forward_audit }}
+    - audit
+    {{ end }}
+    outputRefs:
+    - default

charts/rosa-loki/templates/clusterlogging.yaml

@@ -0,0 +1,15 @@
+apiVersion: logging.openshift.io/v1
+kind: ClusterLogging
+metadata:
+  name: instance
+  namespace: openshift-logging
+  labels:
+    {{- include "rosa-loki.labels" . | nindent 4 }}
+spec:
+  managementState: Managed
+  logStore:
+    type: lokistack
+    lokistack:
+      name: logging-loki
+  collection:
+    type: vector

charts/rosa-loki/templates/grafana-datasource.yaml

@@ -0,0 +1,39 @@
+# https://github.com/grafana/loki/blob/main/operator/hack/addon_grafana_gateway_ocp_oauth.yaml
+apiVersion: integreatly.org/v1alpha1
+kind: GrafanaDataSource
+metadata:
+  name: {{ include "rosa-loki.fullname" . }}-prometheus
+  labels:
+    {{- include "rosa-loki.labels" . | nindent 4 }}
+spec:
+  name: {{ include "rosa-loki.fullname" . }}.yaml
+  datasources:
+  {{ if .Values.forward_application }}
+    - name: Loki (Application)
+      type: loki
+      editable: true
+      access: proxy
+      url: https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/
+      jsonData:
+        # tlsAuthWithCACert: true
+        tlsSkipVerify: true
+  {{ end }}
+  {{ if .Values.forward_infrastructure }}
+    - name: Loki (Infrastructure)
+      type: loki
+      editable: true
+      access: proxy
+      url: https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/infrastructure/
+      jsonData:
+        # tlsAuthWithCACert: true
+        tlsSkipVerify: true
+  {{ end }}
+  {{ if .Values.forward_audit }}
+    - name: Loki (Audit)
+      type: loki
+      access: proxy
+      url: https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/audit/
+      jsonData:
+        # tlsAuthWithCACert: true
+        tlsSkipVerify: true
+  {{ end }}