config-log-forwarding-3 #94412
config-log-forwarding-3 #94412
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test all |
openshift-ci
bot
added
the
size/L
|
🤖 Fri Jun 13 15:44:10 - Prow CI generated the docs preview: https://94412--ocpdocs-pr.netlify.app/ |
openshift-ci
bot
added
the
do-not-merge/hold
theashiot
force-pushed
the
config-log-forwarding-3
branch
from
ea9bc99 to
482846d
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| @@ -155,7 +152,7 @@ Each region in CloudWatch contains three levels of objects: | |||
| ** log stream | |||
| *** log event | |||
|
|
|||
|
|
|||
| //// | |||
There was a problem hiding this comment.
@jcantrill, i did not finf groupBy in the kafka output api:
FIELDS:
authentication <Object>
sasl <Object>
mechanism <string>
password <Object>
key <string> -required-
secretName <string> -required-
username <Object>
key <string> -required-
secretName <string> -required-
brokers <[]string>
topic <string>
tuning <Object>
compression <string>
enum: none, snappy, zstd, lz4
deliveryMode <string>
enum: AtLeastOnce, AtMostOnce
maxWrite <Object>
url <string>
Is this content still correct?
|
@theashiot: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| region: us-east-2 <8> | ||
| secret: | ||
| name: cw-secret <9> | ||
| authentication: |
There was a problem hiding this comment.
indentation: authentication is a child of cloudwatch
| outputs: | ||
| - name: cw <4> | ||
| type: cloudwatch <5> | ||
| - name: cw <2> |
There was a problem hiding this comment.
in v6 we require 3 or more chars for a name. Probably best to find a new example name.
| secret: | ||
| name: cw-secret <9> | ||
| authentication: | ||
| awsAccessKey: |
There was a problem hiding this comment.
missing authentication.type awsAccessKey
| keyId: | ||
| key: <key> | ||
| secretName: cw-secret <4> | ||
| groupName: logType <5> |
There was a problem hiding this comment.
This api has changed from groupBy to groupName, and is no longer an enumeration. It now requires a static value, or a template requiring a fallback field.
$ oc explain clf.spec.outputs.cloudwatch.groupName
...
DESCRIPTION:
GroupName defines the strategy for grouping logstreams
The GroupName can be a combination of static and dynamic values consisting
of field paths followed by "\|\|" followed by another field path or a static
value.
A dynamic value is encased in single curly brackets "{}" and MUST end with a
static fallback value separated with "\|\|".
Static values can only contain alphanumeric characters along with dashes,
underscores, dots and forward slashes.
Example:
1. foo-{.bar\|\|"none"}
2. {.foo\|\|.bar\|\|"missing"}
3.
foo.{.bar.baz\|\|.qux.quux.corge\|\|.grault\|\|"nil"}-waldo.fred{.plugh\|\|"none"}
| <5> Specify the strategy for grouping logstreams. The `GroupName` can be a combination of static and dynamic values consisting of field paths followed by "\|\|" followed by another field path or a static value. A dynamic value is encased in single curly brackets "{}" and must end with a static fallback value separated with `\|\|`. | ||
| <6> Specify the AWS region. | ||
| <7> Specify a name for the pipeline. | ||
| <8> Specify which log types to forward by using the pipeline: `application,` `infrastructure`, or `audit`. |
| @@ -135,10 +130,12 @@ spec: | |||
| - name: cw | |||
| type: cloudwatch | |||
| cloudwatch: | |||
| groupBy: logType | |||
| authentication: | |||
There was a problem hiding this comment.
indent all this, and it's missing authentication.type
| @@ -155,7 +152,7 @@ Each region in CloudWatch contains three levels of objects: | |||
| ** log stream | |||
| *** log event | |||
|
|
|||
|
|
|||
| //// | |||
| With `groupBy: logType` in the `ClusterLogForwarding` CR, the three log types in the `inputRefs` produce three log groups in Amazon Cloudwatch: | |||
There was a problem hiding this comment.
With groupName: {.log_type||"unknown"} in the...
| @@ -290,3 +287,4 @@ $ aws --output json logs describe-log-groups | jq .logGroups[].logGroupName | |||
| ---- | |||
|
|
|||
| The `groupBy` field affects the application log group only. It does not affect the `audit` and `infrastructure` log groups. | |||
| //// | |||
There was a problem hiding this comment.
Any info in the lines above referencing groupBy is outdated and incorrect in v6. This example can probably be done away with completely.
For example, if you want UUID to show after the app namespaces, you would use groupName: my-cluster-7977k.{.namespace_id||"unknown} and place this in a pipeline for app logs only.
| tenantKey: kubernetes.namespace_name <9> | ||
| authentication: | ||
| token: | ||
| from: <secret_or_serviceAccount> |
| <3> Specify the type as `loki`. | ||
| <4> Specify the URL and port of the Loki system as a valid absolute URL. You can use the `http` (insecure) or `https` (secure HTTP) protocol. If the cluster-wide proxy using the CIDR annotation is enabled, the output must be a server name or FQDN, not an IP Address. Loki's default port for HTTP(S) communication is 3100. | ||
| <5> For a secure connection, you can specify an `https` or `http` URL that you authenticate by specifying a `secret`. | ||
| <6> For an `https` prefix, specify the name of the secret required by the endpoint for TLS communication. The secret must contain a `ca-bundle.crt` key that points to the certificates it represents. Otherwise, for `http` and `https` prefixes, you can specify a secret that contains a username and password. In legacy implementations, the secret must exist in the `openshift-logging` project. For more information, see the following "Example: Setting a secret that contains a username and password." |
There was a problem hiding this comment.
tls is now its own spec and no longer looks for specific keys
| authentication: | ||
| token: | ||
| from: <secret_or_serviceAccount> | ||
| secret: #<6> |
There was a problem hiding this comment.
this spec has changed in v6. The example should likely be authentication.token.from and be set to serviceAccount. Then the old tls info is now in its own spec, with key and configMap/secretName
| labelKeys: | ||
| - kubernetes.labels.foo <10> | ||
| - kubernetes.labels.foo #<7> | ||
| tenantKey: kubernetes.namespace_name #<8> |
There was a problem hiding this comment.
Is now a template and combination of static and dynamic values inside curly brackets (with a static fallback)
| <5> For a secure connection, you can specify an `https` or `http` URL that you authenticate by specifying a `secret`. | ||
| <6> For an `https` prefix, specify the name of the secret required by the endpoint for TLS communication. The secret must contain a `ca-bundle.crt` key that points to the certificates it represents. Otherwise, for `http` and `https` prefixes, you can specify a secret that contains a username and password. In legacy implementations, the secret must exist in the `openshift-logging` project. For more information, see the following "Example: Setting a secret that contains a username and password." | ||
| <7> Optional: Specify a metadata key field to generate values for the `TenantID` field in Loki. For example, setting `tenantKey: kubernetes.namespace_name` uses the names of the Kubernetes namespaces as values for tenant IDs in Loki. To see which other log record fields you can specify, see the "Log Record Fields" link in the following "Additional resources" section. | ||
| <8> Optional: Specify a list of metadata field keys to replace the default Loki labels. Loki label names must match the regular expression `[a-zA-Z_:][a-zA-Z0-9_:]*`. Illegal characters in metadata keys are replaced with `_` to form the label name. For example, the `kubernetes.labels.foo` metadata key becomes Loki label `kubernetes_labels_foo`. If you do not set `labelKeys`, the default value is: `[log_type, kubernetes.namespace_name, kubernetes.pod_name, kubernetes_host]`. Keep the set of labels small because Loki limits the size and number of labels allowed. See link:https://grafana.com/docs/loki/latest/configuration/#limits_config[Configuring Loki, limits_config]. You can still query based on any log record field using query filters. |
There was a problem hiding this comment.
Is now a template, so this needs to be rewritten.
| <6> For an `https` prefix, specify the name of the secret required by the endpoint for TLS communication. The secret must contain a `ca-bundle.crt` key that points to the certificates it represents. Otherwise, for `http` and `https` prefixes, you can specify a secret that contains a username and password. In legacy implementations, the secret must exist in the `openshift-logging` project. For more information, see the following "Example: Setting a secret that contains a username and password." | ||
| <7> Optional: Specify a metadata key field to generate values for the `TenantID` field in Loki. For example, setting `tenantKey: kubernetes.namespace_name` uses the names of the Kubernetes namespaces as values for tenant IDs in Loki. To see which other log record fields you can specify, see the "Log Record Fields" link in the following "Additional resources" section. | ||
| <8> Optional: Specify a list of metadata field keys to replace the default Loki labels. Loki label names must match the regular expression `[a-zA-Z_:][a-zA-Z0-9_:]*`. Illegal characters in metadata keys are replaced with `_` to form the label name. For example, the `kubernetes.labels.foo` metadata key becomes Loki label `kubernetes_labels_foo`. If you do not set `labelKeys`, the default value is: `[log_type, kubernetes.namespace_name, kubernetes.pod_name, kubernetes_host]`. Keep the set of labels small because Loki limits the size and number of labels allowed. See link:https://grafana.com/docs/loki/latest/configuration/#limits_config[Configuring Loki, limits_config]. You can still query based on any log record field using query filters. | ||
| <9> Specify which log types to forward by using the pipeline: `application,` `infrastructure`, or `audit`. |
Version(s):
Issue:
Link to docs preview:
QE review:
Additional information: