From 9217572ff9157b4b4e222eec4785b7d8f1822110 Mon Sep 17 00:00:00 2001 
From: Nithin Shekar Kuruba Date: Wed, 29 Nov 2023 21:45:14 -0800 Subject: [PATCH] feat: updated all the helm charts for prod deployment --- .../workflows/publish-aggregator-image.yml | 51 ++++++++++ .github/workflows/publish-aggregator.yml | 95 ------------------- .github/workflows/publish-grafana.yml | 70 -------------- .github/workflows/publish-loki.yml | 77 --------------- .github/workflows/publish-promtail-prod.yml | 39 -------- .../workflows/publish-promtail-sandbox.yml | 39 -------- .gitignore | 1 + helm/aggregator/README.md | 27 +++++- ...af30-prod.yaml => values-e4ca1d-prod.yaml} | 5 +- helm/aggregator/values-eb75ad-prod.yaml | 10 -- helm/aggregator/values-eb75ad-tools.yaml | 22 +++++ helm/aggregator/values.yaml | 29 ++++-- helm/grafana/.env.example | 25 +++++ helm/grafana/Makefile | 24 +++-- helm/grafana/README.md | 10 +- helm/grafana/values-e4ca1d-tools.yaml | 26 ++++- helm/grafana/values-eb75ad-tools.yaml | 26 ++++- helm/grafana/values.yaml | 37 ++------ helm/loki/Chart.lock | 8 +- helm/loki/Chart.yaml | 4 +- helm/loki/README.md | 43 +++++++++ ...af30-prod.yaml => values-e4ca1d-prod.yaml} | 15 +-- helm/loki/values-eb75ad-prod.yaml | 38 -------- helm/loki/values-eb75ad-tools.yaml | 60 ++++++++++++ helm/loki/values.yaml | 62 +++++++----- ...c6af30-dev.yaml => values-e4ca1d-dev.yaml} | 4 +- helm/promtail/values-e4ca1d-prod.yaml | 19 ++++ helm/promtail/values-e4ca1d-test.yaml | 19 ++++ helm/promtail/values-eb75ad-dev.yaml | 6 +- helm/promtail/values-eb75ad-prod.yaml | 6 +- helm/promtail/values-eb75ad-test.yaml | 6 +- helm/promtail/values.yaml | 14 +-- 32 files changed, 433 insertions(+), 484 deletions(-) create mode 100644 .github/workflows/publish-aggregator-image.yml delete mode 100644 .github/workflows/publish-aggregator.yml delete mode 100644 .github/workflows/publish-grafana.yml delete mode 100644 .github/workflows/publish-loki.yml delete mode 100644 .github/workflows/publish-promtail-prod.yml delete mode 100644 
.github/workflows/publish-promtail-sandbox.yml rename helm/aggregator/{values-c6af30-prod.yaml => values-e4ca1d-prod.yaml} (64%) delete mode 100644 helm/aggregator/values-eb75ad-prod.yaml create mode 100644 helm/aggregator/values-eb75ad-tools.yaml create mode 100644 helm/grafana/.env.example rename helm/loki/{values-c6af30-prod.yaml => values-e4ca1d-prod.yaml} (63%) delete mode 100644 helm/loki/values-eb75ad-prod.yaml create mode 100644 helm/loki/values-eb75ad-tools.yaml rename helm/promtail/{values-c6af30-dev.yaml => values-e4ca1d-dev.yaml} (76%) create mode 100644 helm/promtail/values-e4ca1d-prod.yaml create mode 100644 helm/promtail/values-e4ca1d-test.yaml
diff --git a/.github/workflows/publish-aggregator-image.yml b/.github/workflows/publish-aggregator-image.yml
new file mode 100644
index 0000000..6d5de33
--- /dev/null
+++ b/.github/workflows/publish-aggregator-image.yml
@@ -0,0 +1,51 @@
+name: Create and publish SSO Aggregator
+
+on:
+ push:
+ branches:
+ - main
+ - dev
+ paths:
+ - aggregator/**
+
+env:
+ GITHUB_REGISTRY: ghcr.io
+ IMAGE_NAME: bcgov/sso-aggregator
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - uses: hmarr/debug-action@v2
+ - uses: actions/checkout@v3
+
+ - name: Setup Tools
+ uses: ./.github/actions/setup-tools
+
+ - name: Log in to the GitHub Container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.GITHUB_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=sha,format=long
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: aggregator
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
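Review bot: Every third-party action in the new publish-aggregator-image.yml is referenced by a mutable tag (`hmarr/debug-action@v2`, `actions/checkout@v3`, `docker/login-action@v2`, `docker/metadata-action@v4`, `docker/build-push-action@v3`) inside a job that holds `packages: write` and a registry login, so a retagged upstream release would run with the ability to publish `bcgov/sso-aggregator` images. Pin each one to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha>  # v2` (placeholder; take the SHA from the release you have reviewed). `hmarr/debug-action` also prints the environment and event payload into the job log and serves no purpose in a publishing job, so I would drop that step. The local `./.github/actions/setup-tools` action is not part of this diff, so what it installs could not be checked.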
diff --git a/.github/workflows/publish-aggregator.yml b/.github/workflows/publish-aggregator.yml
deleted file mode 100644
index 438f52c..0000000
--- a/.github/workflows/publish-aggregator.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -name: Create and publish SSO Aggregator - -on: - push: - branches: - - main - - dev - paths: - - aggregator/** - - helm/aggregator/** - - .github/workflows/publish-aggregator.yml - workflow_dispatch: - inputs: - environment: - description: The target environment - required: true - options: [sandbox, production] - -env: - GITHUB_REGISTRY: ghcr.io - IMAGE_NAME: bcgov/sso-aggregator - -jobs: - build-and-push-image: - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: write - - steps: - - uses: hmarr/debug-action@v2 - - uses: actions/checkout@v3 - - - name: Setup Tools - uses: ./.github/actions/setup-tools - - - name: Log in to the GitHub Container registry - uses: docker/login-action@v2 - with: - registry: ${{ env.GITHUB_REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v4 - with: - images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=ref,event=branch - type=sha,format=long - - - name: Build and push Docker image - uses: docker/build-push-action@v3 - with: - context: aggregator - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - - name: Set env to Sandbox - if: | - (github.ref == 'refs/heads/dev' && github.event_name == 'push') || - (github.event.inputs.environment == 'sandbox' && github.event_name == 'workflow_dispatch') - run: | - cat >> $GITHUB_ENV <> $GITHUB_ENV <> $GITHUB_ENV <> $GITHUB_ENV <> $GITHUB_ENV <> $GITHUB_ENV < once the deployment is completed with the patroni database created, please find the DB admin credentials in OCP secrets below to be used for Grafana datasource configuration: -- `dev`: https://console.apps.gold.devops.gov.bc.ca/k8s/ns/c6af30-prod/secrets/sso-aggregator-patroni-appusers +- `sandbox`: https://console.apps.gold.devops.gov.bc.ca/k8s/ns/e4ca1d-prod/secrets/sso-aggregator-patroni-appusers - `prod`: 
https://console.apps.gold.devops.gov.bc.ca/k8s/ns/eb75ad-prod/secrets/sso-aggregator-patroni-appusers diff --git a/helm/aggregator/values-c6af30-prod.yaml b/helm/aggregator/values-e4ca1d-prod.yaml similarity index 64% rename from helm/aggregator/values-c6af30-prod.yaml rename to helm/aggregator/values-e4ca1d-prod.yaml index c658317..6c894f2 100644 --- a/helm/aggregator/values-c6af30-prod.yaml +++ b/helm/aggregator/values-e4ca1d-prod.yaml @@ -7,4 +7,7 @@ patroni: compactor: enabled: true - retentionPeriod: "1 month" + retentionPeriod: '1 year' + +autoscaling: + enabled: true diff --git a/helm/aggregator/values-eb75ad-prod.yaml b/helm/aggregator/values-eb75ad-prod.yaml deleted file mode 100644 index 577a908..0000000 --- a/helm/aggregator/values-eb75ad-prod.yaml +++ /dev/null @@ -1,10 +0,0 @@ -replicaCount: 10 - -patroni: - replicaCount: 3 - persistentVolume: - size: 10Gi - -compactor: - enabled: true - retentionPeriod: "1 year" diff --git a/helm/aggregator/values-eb75ad-tools.yaml b/helm/aggregator/values-eb75ad-tools.yaml new file mode 100644 index 0000000..4e177fa --- /dev/null +++ b/helm/aggregator/values-eb75ad-tools.yaml @@ -0,0 +1,22 @@ +replicaCount: 10 + +patroni: + replicaCount: 2 + persistentVolume: + size: 1Gi + +compactor: + enabled: true + retentionPeriod: '1 year' + +autoscaling: + enabled: true + maxReplicas: 5 + +resources: + limits: + cpu: 300m + memory: 1Gi + requests: + cpu: 150m + memory: 512Mi diff --git a/helm/aggregator/values.yaml b/helm/aggregator/values.yaml index d5212d9..2437379 100644 --- a/helm/aggregator/values.yaml +++ b/helm/aggregator/values.yaml @@ -16,14 +16,16 @@ serviceAccount: annotations: {} # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: "" + name: '' podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 -securityContext: {} +securityContext: + {} # capabilities: # drop: # - ALL 
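Review bot: In the new helm/aggregator/values-eb75ad-tools.yaml, `replicaCount: 10` conflicts with `autoscaling.maxReplicas: 5`; the deployment template is not in this diff, but charts scaffolded by Helm ignore `replicaCount` once `autoscaling.enabled` is true, so one of the two numbers is misleading. The Patroni volume also drops to `size: 1Gi` with 2 replicas while `retentionPeriod` stays at `'1 year'` (the deleted values-eb75ad-prod.yaml had 10Gi and 3 replicas). Please confirm that a year of aggregated SSO log data fits, since a full volume would take down the database behind the `sso-aggregator-patroni-readonly` datasource. I would remove `replicaCount` here or add `# replicas are managed by the HPA (see autoscaling)` above it.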
@@ -37,11 +39,11 @@ service: resources: limits: - cpu: 200m - memory: 200Mi + cpu: 300m + memory: 512Mi requests: - cpu: 100m - memory: 100Mi + cpu: 150m + memory: 256Mi autoscaling: enabled: false @@ -70,6 +72,13 @@ patroni: image: repository: registry.opensource.zalan.do/acid/spilo-14 tag: 2.1-p7 + resources: + requests: + cpu: 150m + memory: 256Mi + limits: + cpu: 300m + memory: 512Mi postgresMajorVersion: 14 @@ -85,11 +94,11 @@ patroni: compactor: enabled: false - retentionPeriod: "1 year" + retentionPeriod: '1 year' resources: limits: cpu: 100m - memory: 200Mi + memory: 256Mi requests: cpu: 50m - memory: 100Mi + memory: 128Mi diff --git a/helm/grafana/.env.example b/helm/grafana/.env.example new file mode 100644 index 0000000..94f4a81 --- /dev/null +++ b/helm/grafana/.env.example @@ -0,0 +1,25 @@ + +NAME=sso-grafana +NAMESPACE= +SSO_CLIENT_ID= +SSO_CLIENT_SECRET= + +DS_SSO_LOGS_USERNAME= +DS_SSO_LOGS_PASSWORD= +DS_SSO_LOGS_DATABASE= + +DS_KEYCLOAK_DEV_USERNAME= +DS_KEYCLOAK_DEV_PASSWORD= +DS_KEYCLOAK_DEV_DATABASE= + +DS_KEYCLOAK_TEST_USERNAME= +DS_KEYCLOAK_TEST_PASSWORD= +DS_KEYCLOAK_TEST_DATABASE= + +DS_KEYCLOAK_PROD_USERNAME= +DS_KEYCLOAK_PROD_PASSWORD= +DS_KEYCLOAK_PROD_DATABASE= + +DS_AGGREGATOR_USERNAME= +DS_AGGREGATOR_PASSWORD= +DS_AGGREGATOR_DATABASE= diff --git a/helm/grafana/Makefile b/helm/grafana/Makefile index e32896f..8271480 100644 --- a/helm/grafana/Makefile +++ b/helm/grafana/Makefile @@ -1,9 +1,6 @@ -SHELL := /usr/bin/env bash -NAMESPACE= -SSO_CLIENT_ID= -SSO_CLIENT_SECRET= +include /$(PWD)/.env -NAME := sso-grafana +SHELL := /usr/bin/env bash ifndef NAMESPACE $(error NAMESPACE is not set) 
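Review bot: `include /$(PWD)/.env` at the top of helm/grafana/Makefile makes make parse the credentials file as makefile syntax, so a `$` in a password is expanded as a make variable and a `#` starts a comment; such a value reaches helm silently altered. The include also aborts when `.env` is absent, before the `ifndef NAMESPACE` check can print its message, and `$(PWD)` comes from the caller's environment rather than the Makefile's location. Document the constraint in `.env.example`, e.g. `# read by make: write $$ for a literal $, and avoid # in values`, or load the file in the recipe shell instead. Whether `.env` itself is git-ignored cannot be confirmed from this page, because the .gitignore hunk is not readable here.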
@@ -12,7 +9,22 @@ endif define arguments "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}.yaml" \ --set grafana."grafana\.ini"."auth\.generic_oauth".client_id=${SSO_CLIENT_ID} \ - --set grafana."grafana\.ini"."auth\.generic_oauth".client_secret=${SSO_CLIENT_SECRET} + --set grafana."grafana\.ini"."auth\.generic_oauth".client_secret=${SSO_CLIENT_SECRET} \ + --set grafana.datasources."datasources\.yaml".datasources[0].user=${DS_SSO_LOGS_USERNAME} \ + --set grafana.datasources."datasources\.yaml".datasources[0].database=${DS_SSO_LOGS_DATABASE} \ + --set grafana.datasources."datasources\.yaml".datasources[0].secureJsonData.password=${DS_SSO_LOGS_PASSWORD} \ + --set grafana.datasources."datasources\.yaml".datasources[1].user=${DS_KEYCLOAK_DEV_USERNAME} \ + --set grafana.datasources."datasources\.yaml".datasources[1].database=${DS_KEYCLOAK_DEV_DATABASE} \ + --set grafana.datasources."datasources\.yaml".datasources[1].secureJsonData.password=${DS_KEYCLOAK_DEV_PASSWORD} \ + --set grafana.datasources."datasources\.yaml".datasources[2].user=${DS_KEYCLOAK_TEST_USERNAME} \ + --set grafana.datasources."datasources\.yaml".datasources[2].database=${DS_KEYCLOAK_TEST_DATABASE} \ + --set grafana.datasources."datasources\.yaml".datasources[2].secureJsonData.password=${DS_KEYCLOAK_TEST_PASSWORD} \ + --set grafana.datasources."datasources\.yaml".datasources[3].user=${DS_KEYCLOAK_PROD_USERNAME} \ + --set grafana.datasources."datasources\.yaml".datasources[3].database=${DS_KEYCLOAK_PROD_DATABASE} \ + --set grafana.datasources."datasources\.yaml".datasources[3].secureJsonData.password=${DS_KEYCLOAK_PROD_PASSWORD} \ + --set grafana.datasources."datasources\.yaml".datasources[4].user=${DS_AGGREGATOR_USERNAME} \ + --set grafana.datasources."datasources\.yaml".datasources[4].database=${DS_AGGREGATOR_DATABASE} \ + --set grafana.datasources."datasources\.yaml".datasources[4].secureJsonData.password=${DS_AGGREGATOR_PASSWORD} endef .PHONY: helm-dep 
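Review bot: The fifteen new `--set` arguments in `define arguments` expand credentials unquoted onto the helm command line, so a value containing a space, a comma or a shell metacharacter is split or reinterpreted by the shell or by helm's `--set` parser, and the secrets sit in the process list while helm runs. Prefer writing them to a temporary values file passed with `-f`; at minimum quote them and force string typing, e.g. `--set-string ...datasources[0].secureJsonData.password="${DS_SSO_LOGS_PASSWORD}"`. The indices `[0]` to `[4]` also bind each credential to a list position in `values-${NAMESPACE}.yaml`. The datasource hunks in this commit append `SSO Loki` ahead of `SSO Postgres`, so please verify that index 4 really is the aggregator Postgres datasource and not the Loki entry; the full list is not visible in the diff.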
diff --git a/helm/grafana/README.md b/helm/grafana/README.md index 093c0d6..c39c7a3 100644 --- a/helm/grafana/README.md +++ b/helm/grafana/README.md @@ -20,14 +20,12 @@ envsubst < net-policy-sso-keycloak.yaml | oc apply -f - #### Update Helm Values -- Update data source username, password and database names under `values-$LICENSE_PLATE.yml` in place of `` +- create `.env` from `.env.example` and fill the values ### Installing/Upgrading the Chart ```sh -make upgrade NAMESPACE= \ - SSO_CLIENT_ID= \ - SSO_CLIENT_SECRET= +make upgrade ``` - please find the SSO client credentials of the integration `#4492 SSO Dashboard` via [CSS app](https://bcgov.github.io/sso-requests): @@ -35,7 +33,7 @@ make upgrade NAMESPACE= \ ### Uninstalling the Chart ```sh -make uninstall NAMESPACE= +make uninstall ``` ## Grafana Admin credentials @@ -43,7 +41,7 @@ make uninstall NAMESPACE= once the deployment is completed, please find the Grafana admin credentials in OCP secrets below: - `dev`: https://console.apps.gold.devops.gov.bc.ca/k8s/ns/e4ca1d-tools/secrets/sso-grafana -- `prod`: https://console.apps.gold.devops.gov.bc.ca/k8s/ns/eb75ad-prod/secrets/sso-grafana +- `prod`: https://console.apps.gold.devops.gov.bc.ca/k8s/ns/eb75ad-tools/secrets/sso-grafana ## Configuration diff --git a/helm/grafana/values-e4ca1d-tools.yaml b/helm/grafana/values-e4ca1d-tools.yaml index 6fc0c6a..a9300ef 100644 --- a/helm/grafana/values-e4ca1d-tools.yaml +++ b/helm/grafana/values-e4ca1d-tools.yaml @@ -7,8 +7,6 @@ grafana: server: domain: sso-grafana-sandbox.apps.gold.devops.gov.bc.ca root_url: https://sso-grafana-sandbox.apps.gold.devops.gov.bc.ca - auth: - disable_login_form: true auth.generic_oauth: name: SSO Pathfinder Sandbox auth_url: https://dev.sandbox.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/auth 
@@ -86,6 +84,30 @@ grafana: connMaxLifetime: 14400 postgresVersion: 1400 timescaledb: false + - name: SSO Loki + type: loki + access: proxy + orgId: 1 + url: http://sso-loki-gateway.e4ca1d-prod.svc.cluster.local + basicAuth: false + isDefault: true + - name: SSO Postgres + type: postgres + access: proxy + orgId: 1 + url: sso-aggregator-patroni-readonly:5432 + user: + database: + basicAuth: false + secureJsonData: + password: + jsonData: + sslmode: disable + maxOpenConns: + maxIdleConns: 2 + connMaxLifetime: 14400 + postgresVersion: 1400 + timescaledb: false route: enabled: true diff --git a/helm/grafana/values-eb75ad-tools.yaml b/helm/grafana/values-eb75ad-tools.yaml index 25aa01c..bb55d7a 100644 --- a/helm/grafana/values-eb75ad-tools.yaml +++ b/helm/grafana/values-eb75ad-tools.yaml @@ -7,8 +7,6 @@ grafana: server: domain: sso-grafana.apps.gold.devops.gov.bc.ca root_url: https://sso-grafana.apps.gold.devops.gov.bc.ca - auth: - disable_login_form: true auth.generic_oauth: name: SSO Pathfinder auth_url: https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/auth @@ -86,6 +84,30 @@ grafana: connMaxLifetime: 14400 postgresVersion: 1400 timescaledb: false + - name: SSO Loki + type: loki + access: proxy + orgId: 1 + url: http://sso-loki-gateway + basicAuth: false + isDefault: true + - name: SSO Postgres + type: postgres + access: proxy + orgId: 1 + url: sso-aggregator-patroni-readonly:5432 + user: + database: + basicAuth: false + secureJsonData: + password: + jsonData: + sslmode: disable + maxOpenConns: + maxIdleConns: 2 + connMaxLifetime: 14400 + postgresVersion: 1400 + timescaledb: false route: enabled: true diff --git a/helm/grafana/values.yaml b/helm/grafana/values.yaml index 0e40549..27e7c73 100644 --- a/helm/grafana/values.yaml +++ b/helm/grafana/values.yaml @@ -20,7 +20,7 @@ grafana: image: repository: grafana/grafana - tag: '9.3.2' + tag: '10.2.2' pullPolicy: IfNotPresent pullSecrets: [] 
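Review bot: The `SSO Postgres` datasource added to helm/grafana/values-e4ca1d-tools.yaml sets `sslmode: disable`, so the password injected into `secureJsonData` and every query result cross the cluster network unencrypted; the same block is added to values-eb75ad-tools.yaml. If the Patroni service offers TLS (not visible here), `sslmode: require` is a one-line change; otherwise add `# TLS not available on patroni-readonly; traffic is limited by NetworkPolicy` above `jsonData:` so the choice is explicit. In the sandbox file the `SSO Loki` URL also crosses namespaces (`e4ca1d-prod`) over plain http.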
@@ -32,10 +32,10 @@ grafana: resources: limits: cpu: 250m - memory: 256Mi + memory: 512Mi requests: cpu: 150m - memory: 128Mi + memory: 256Mi persistence: type: pvc @@ -59,6 +59,9 @@ grafana: server: domain: sso-grafana-sandbox.gov.bc.ca root_url: https://sso-grafana-sandbox.gov.bc.ca + auth: + disable_login_form: true + oauth_allow_insecure_email_lookup: true auth.generic_oauth: enabled: true name: Keycloak @@ -78,34 +81,6 @@ grafana: role_attribute_path: contains(client_roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(client_roles[*], 'admin') && 'Admin' || contains(client_roles[*], 'editor') && 'Editor' || 'Viewer' # see https://github.com/kubeflow/community/blob/master/devstats/config/grafana/provisioning/datasources/datasource.yaml - datasources: - datasources.yaml: - apiVersion: 1 - datasources: - - name: SSO Loki - type: loki - access: proxy - orgId: 1 - url: http://sso-loki-gateway - basicAuth: false - isDefault: true - - name: SSO Postgres - type: postgres - access: proxy - orgId: 1 - url: sso-aggregator-patroni-readonly:5432 - user: - database: aggregation - basicAuth: false - secureJsonData: - password: - jsonData: - sslmode: disable - maxOpenConns: - maxIdleConns: 2 - connMaxLifetime: 14400 - postgresVersion: 1400 - timescaledb: false route: enabled: true diff --git a/helm/loki/Chart.lock b/helm/loki/Chart.lock index 39c8e80..0f9aedb 100644 --- a/helm/loki/Chart.lock +++ b/helm/loki/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: loki repository: https://grafana.github.io/helm-charts - version: 3.6.1 + version: 5.36.0 - name: minio repository: https://charts.min.io/ - version: 5.0.4 -digest: sha256:2af49e537e0bb3f7b6075ebc360a2bab5b334aeff4c2dc8a68d47222f0963b26 -generated: "2023-01-03T13:07:32.954504898-08:00" + version: 5.0.10 +digest: sha256:1e56f453711e1567c4b51e6176a748b7dacb16074cde8d9d01b447add81f5cb2 +generated: "2023-10-30T15:49:37.042018-07:00" diff --git a/helm/loki/Chart.yaml b/helm/loki/Chart.yaml index f812323..b9c3b53 100644 
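Review bot: `oauth_allow_insecure_email_lookup: true` in the `auth` block of helm/grafana/values.yaml (hunk `@@ -59,6 +59,9 @@`) turns matching an OAuth login to an existing Grafana user by email address back on. Grafana disabled that lookup by default because an identity provider that lets users set or change their email would then allow signing in to another person's account. The setting lands in the base values, so every environment inherits it together with the `10.2.2` image bump. If it is only needed to carry existing users across the upgrade, keep it out of values.yaml or mark it clearly, e.g. `# TEMPORARY: email-based lookup for pre-upgrade users; remove once accounts are linked by subject`. Whether the Keycloak realm lets users edit their own email is not visible here and should be checked first.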
--- a/helm/loki/Chart.yaml +++ b/helm/loki/Chart.yaml @@ -7,11 +7,11 @@ version: 0.1.0 dependencies: - name: loki alias: loki - version: 3.6.1 + version: 5.36.0 repository: https://grafana.github.io/helm-charts - name: minio alias: root-minio # see https://github.com/minio/minio/tree/master/helm-releases - version: 5.0.4 + version: 5.0.10 repository: https://charts.min.io/ condition: root-minio.enabled diff --git a/helm/loki/README.md b/helm/loki/README.md index 5f9f092..e59539b 100644 --- a/helm/loki/README.md +++ b/helm/loki/README.md 
@@ -4,6 +4,41 @@ A Helm chart for deploying [Grafana Loki](https://github.com/grafana/loki/tree/m ## Local deployment via Helm chart +### Pre-Requisites + +- It's generally a good practice to stop Promtail before restarting Grafana Loki. Promtail is responsible for scraping and sending logs to Loki, and stopping it before a restart can prevent potential issues or data loss during the restart process. Stopping Promtail temporarily ensures that it doesn’t try to send logs while Loki is restarting, preventing any potential errors due to a disrupted connection. After Loki has restarted successfully, you can start Promtail again to resume log scraping and forwarding to Loki. This sequence helps in maintaining the integrity of log data and ensures a smoother restart process for Loki. + +```sh +export LICENSE_PLATE= + +oc scale --replicas=0 deployment sso-promtail -n ${LICENSE_PLATE}-dev +oc scale --replicas=0 deployment sso-promtail -n ${LICENSE_PLATE}-test +oc scale --replicas=0 deployment sso-promtail -n ${LICENSE_PLATE}-prod +``` + +- Ensure below network policy exists in the namespace where loki is being deployed + +```yaml +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-sso-promtail + namespace: xxxx-xxxx +spec: + podSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + name: xxxx + - podSelector: + matchLabels: + app.kubernetes.io/name: promtail + policyTypes: + - Ingress +status: {} +``` + ### Installing/Upgrading the Chart ```sh @@ -18,6 +53,14 @@ make upgrade NAMESPACE= \ - please generate the secure credentials for the initial `MinIO Admin` that can be set in the MinIO deployment. +### Post Installation/Update of Loki + +```sh +oc scale --replicas=1 deployment sso-promtail -n ${LICENSE_PLATE}-dev +oc scale --replicas=1 deployment sso-promtail -n ${LICENSE_PLATE}-test +oc scale --replicas=1 deployment sso-promtail -n ${LICENSE_PLATE}-prod +``` + ### Uninstalling the Chart ```sh 
diff --git a/helm/loki/values-c6af30-prod.yaml b/helm/loki/values-e4ca1d-prod.yaml similarity index 63% rename from helm/loki/values-c6af30-prod.yaml rename to helm/loki/values-e4ca1d-prod.yaml index b17752c..4163b4a 100644 --- a/helm/loki/values-c6af30-prod.yaml +++ b/helm/loki/values-e4ca1d-prod.yaml @@ -1,11 +1,12 @@ loki: write: - replicas: 2 + replicas: 3 persistence: size: 1Gi read: - replicas: 1 + replicas: 3 + legacyReadTarget: true persistence: size: 1Gi @@ -24,14 +25,14 @@ root-minio: rootUser: rootPassword: persistence: - size: 2Gi + size: 1Gi oidc: - configUrl: "https://dev.loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration" + configUrl: 'https://sandbox.loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration' clientId: clientSecret: - claimName: "client_roles" - scopes: "openid" - redirectUri: "https://sso-minio-sandbox.apps.gold.devops.gov.bc.ca/oauth_callback" + claimName: 'client_roles' + scopes: 'openid' + redirectUri: 'https://sso-minio-sandbox.apps.gold.devops.gov.bc.ca/oauth_callback' routes: minio: enabled: true diff --git a/helm/loki/values-eb75ad-prod.yaml b/helm/loki/values-eb75ad-prod.yaml deleted file mode 100644 index a18f013..0000000 --- a/helm/loki/values-eb75ad-prod.yaml +++ /dev/null @@ -1,38 +0,0 @@ -loki: - write: - replicas: 3 - persistence: - size: 1Gi - - read: - replicas: 3 - persistence: - size: 1Gi - - loki: - storage: - s3: - accessKeyId: - secretAccessKey: - - limits_config: - retention_period: 7200h # 10months - -root-minio: - enabled: true - replicas: 2 - rootUser: - rootPassword: - persistence: - size: 25Gi - oidc: - configUrl: "https://loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration" - clientId: - clientSecret: - claimName: "client_roles" - scopes: "openid" - redirectUri: "https://sso-minio.apps.gold.devops.gov.bc.ca/oauth_callback" -routes: - minio: - enabled: true - host: sso-minio.apps.gold.devops.gov.bc.ca 
diff --git a/helm/loki/values-eb75ad-tools.yaml b/helm/loki/values-eb75ad-tools.yaml new file mode 100644 index 0000000..1c2b3f7 --- /dev/null +++ b/helm/loki/values-eb75ad-tools.yaml @@ -0,0 +1,60 @@ +loki: + write: + replicas: 3 + persistence: + size: 1Gi + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi + + read: + replicas: 3 + legacyReadTarget: true + persistence: + size: 1Gi + resources: + limits: + cpu: 400m + memory: 2Gi + requests: + cpu: 200m + memory: 512Mi + + loki: + storage: + s3: + accessKeyId: + secretAccessKey: + + limits_config: + retention_period: 17520h # 24 months + +root-minio: + enabled: true + replicas: 3 + rootUser: + rootPassword: + persistence: + size: 5Gi + resources: + limits: + cpu: 500m + memory: 2Gi + requests: + cpu: 250m + memory: 512Mi + oidc: + configUrl: 'https://loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration' + clientId: + clientSecret: + claimName: 'client_roles' + scopes: 'openid' + redirectUri: 'https://sso-minio.apps.gold.devops.gov.bc.ca/oauth_callback' +routes: + minio: + enabled: true + host: sso-minio.apps.gold.devops.gov.bc.ca diff --git a/helm/loki/values.yaml b/helm/loki/values.yaml index 44fc9d6..ddf4a3a 100644 --- a/helm/loki/values.yaml +++ b/helm/loki/values.yaml @@ -1,9 +1,9 @@ # see https://github.com/grafana/loki/blob/main/production/helm/loki/values.yaml loki: global: - clusterDomain: "cluster.local" - dnsService: "dns-default" - dnsNamespace: "openshift-dns" + clusterDomain: 'cluster.local' + dnsService: 'dns-default' + dnsNamespace: 'openshift-dns' nameOverride: sso-loki fullnameOverride: sso-loki 
@@ -32,14 +32,20 @@ loki: limits_config: enforce_metric_name: false reject_old_samples: true - reject_old_samples_max_age: 168h + reject_old_samples_max_age: 168h # 7 days max_cache_freshness_per_query: 1m split_queries_by_interval: 30m max_query_parallelism: 32 max_query_series: 2000 max_query_length: 721h ingestion_rate_mb: 10 - retention_period: 744h + retention_period: 744h # 31 days + max_entries_limit_per_query: 100000 + query_timeout: 300s + max_global_streams_per_user: 1000000 + + commonConfig: + replication_factor: 3 storage: type: s3 @@ -67,7 +73,7 @@ loki: rulerConfig: storage: - type: "s3" + type: 's3' s3: bucketnames: ruler @@ -81,6 +87,10 @@ loki: serviceAccount: create: false + rbac: + create: true + namespaced: true + test: enabled: false @@ -100,8 +110,8 @@ loki: grafanaAgent: installOperator: false - lokiCanary: - enabled: false + lokiCanary: + enabled: false write: replicas: 3 @@ -111,9 +121,9 @@ loki: resources: limits: cpu: 250m - memory: 1Gi + memory: 512Mi requests: - cpu: 50m + cpu: 150m memory: 256Mi read: @@ -124,9 +134,9 @@ loki: resources: limits: cpu: 250m - memory: 1Gi + memory: 512Mi requests: - cpu: 50m + cpu: 150m memory: 256Mi ingress: @@ -139,9 +149,9 @@ loki: resources: limits: cpu: 250m - memory: 1Gi + memory: 512Mi requests: - cpu: 50m + cpu: 150m memory: 256Mi networkPolicy: @@ -155,7 +165,7 @@ root-minio: fullnameOverride: sso-minio image: repository: quay.io/minio/minio - tag: RELEASE.2023-01-02T09-40-09Z + tag: RELEASE.2023-10-25T06-33-25Z pullPolicy: IfNotPresent rootUser: admin rootPassword: adminadmin 
@@ -172,28 +182,28 @@ root-minio: policy: none purge: false persistence: - size: 2Gi + size: 1Gi storageClass: netapp-block-standard resources: limits: - cpu: 500m - memory: 1Gi + cpu: 300m + memory: 512Mi requests: - cpu: 250m - memory: 800Mi + cpu: 150m + memory: 256Mi serviceAccount: create: false certsPath: /tmp/minio/certs/ configPathmc: /tmp/minio/mc/ oidc: enabled: true - configUrl: "https://identity-provider-url/.well-known/openid-configuration" - clientId: "minio" - clientSecret: "" + configUrl: 'https://identity-provider-url/.well-known/openid-configuration' + clientId: 'minio' + clientSecret: '' # please assign admin user to 'consoleAdmin' role for admin access via CSS app - claimName: "client_roles" - scopes: "openid" - redirectUri: "https://console-endpoint-url/oauth_callback" + claimName: 'client_roles' + scopes: 'openid' + redirectUri: 'https://console-endpoint-url/oauth_callback' routes: minio: diff --git a/helm/promtail/values-c6af30-dev.yaml b/helm/promtail/values-e4ca1d-dev.yaml similarity index 76% rename from helm/promtail/values-c6af30-dev.yaml rename to helm/promtail/values-e4ca1d-dev.yaml index cbd90fe..77bccf7 100644 --- a/helm/promtail/values-c6af30-dev.yaml +++ b/helm/promtail/values-e4ca1d-dev.yaml @@ -8,9 +8,9 @@ promtail: config: logLevel: info clients: - - url: http://sso-loki-gateway.c6af30-prod.svc.cluster.local/loki/api/v1/push + - url: http://sso-loki-gateway.e4ca1d-prod.svc.cluster.local/loki/api/v1/push tenant_id: sso-team - - url: http://sso-aggregator.c6af30-prod.svc.cluster.local:8080/api/promtail/push + - url: http://sso-aggregator.e4ca1d-prod.svc.cluster.local:8080/api/promtail/push snippets: scrapeConfigs: | {{- tpl .Values.ssoScrapeConfigs . }} diff --git a/helm/promtail/values-e4ca1d-prod.yaml b/helm/promtail/values-e4ca1d-prod.yaml new file mode 100644 index 0000000..c0c9025 --- /dev/null +++ b/helm/promtail/values-e4ca1d-prod.yaml 
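Review bot: The `root-minio` defaults this hunk edits still carry `rootUser: admin` / `rootPassword: adminadmin` (visible as context in the preceding hunk) and now an explicit empty `clientSecret: ''`, so an install that misses an override comes up with a known root credential on a chart being prepared for production. The environment files in this commit do list `rootUser:` and `rootPassword:` keys, but their values are not readable on this page. I would remove the literal defaults from helm/loki/values.yaml and comment the keys, e.g. `rootPassword: ''  # must be supplied at install time; never commit`, or reference a pre-created Secret if the pinned MinIO chart supports one.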
@@ -0,0 +1,19 @@
+promtail:
+ environment: prod
+
+ deployment:
+ replicaCount: 1
+
+ # see https://grafana.com/docs/loki/latest/clients/promtail/configuration/#supported-contents-and-default-values-of-configyaml
+ config:
+ logLevel: info
+ clients:
+ - url: http://sso-loki-gateway.e4ca1d-prod.svc.cluster.local/loki/api/v1/push
+ tenant_id: sso-team
+ - url: http://sso-aggregator.e4ca1d-prod.svc.cluster.local:8080/api/promtail/push
+ snippets:
+ scrapeConfigs: |
+ {{- tpl .Values.ssoScrapeConfigs . }}
+
+persistentVolume:
+ size: 100Mi
diff --git a/helm/promtail/values-e4ca1d-test.yaml b/helm/promtail/values-e4ca1d-test.yaml
new file mode 100644
index 0000000..e5f2354
--- /dev/null
+++ b/helm/promtail/values-e4ca1d-test.yaml
@@ -0,0 +1,19 @@
+promtail:
+ environment: test
+
+ deployment:
+ replicaCount: 1
+
+ # see https://grafana.com/docs/loki/latest/clients/promtail/configuration/#supported-contents-and-default-values-of-configyaml
+ config:
+ logLevel: info
+ clients:
+ - url: http://sso-loki-gateway.e4ca1d-prod.svc.cluster.local/loki/api/v1/push
+ tenant_id: sso-team
+ - url: http://sso-aggregator.e4ca1d-prod.svc.cluster.local:8080/api/promtail/push
+ snippets:
+ scrapeConfigs: |
+ {{- tpl .Values.ssoScrapeConfigs . }}
+
+persistentVolume:
+ size: 100Mi
diff --git a/helm/promtail/values-eb75ad-dev.yaml b/helm/promtail/values-eb75ad-dev.yaml
index 84db767..2cac2cc 100644
--- a/helm/promtail/values-eb75ad-dev.yaml
+++ b/helm/promtail/values-eb75ad-dev.yaml
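Review bot: Both `clients` entries in the new helm/promtail/values-e4ca1d-prod.yaml (and the identical values-e4ca1d-test.yaml that follows) push over plain `http://` into another namespace with no credentials. `tenant_id: sso-team` is only a label, so as far as these lines show, access to the Loki gateway and to the aggregator `:8080` endpoint rests entirely on NetworkPolicy. I would state that next to the config, e.g. `# unauthenticated in-cluster push; reachability is restricted by the allow-sso-promtail NetworkPolicy in the Loki namespace` above `clients:`. The same applies to the URL changes in the values-eb75ad-dev/test/prod.yaml hunks.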
@@ -2,15 +2,15 @@ promtail: environment: dev deployment: - replicaCount: 2 + replicaCount: 1 # see https://grafana.com/docs/loki/latest/clients/promtail/configuration/#supported-contents-and-default-values-of-configyaml config: logLevel: info clients: - - url: http://sso-loki-gateway.eb75ad-prod.svc.cluster.local/loki/api/v1/push + - url: http://sso-loki-gateway.eb75ad-tools.svc.cluster.local/loki/api/v1/push tenant_id: sso-team - - url: http://sso-aggregator.eb75ad-prod.svc.cluster.local:8080/api/promtail/push + - url: http://sso-aggregator.eb75ad-tools.svc.cluster.local:8080/api/promtail/push snippets: scrapeConfigs: | {{- tpl .Values.ssoScrapeConfigs . }} diff --git a/helm/promtail/values-eb75ad-prod.yaml b/helm/promtail/values-eb75ad-prod.yaml index d86903b..c8a3fb2 100644 --- a/helm/promtail/values-eb75ad-prod.yaml +++ b/helm/promtail/values-eb75ad-prod.yaml @@ -2,15 +2,15 @@ promtail: environment: prod deployment: - replicaCount: 3 + replicaCount: 1 # see https://grafana.com/docs/loki/latest/clients/promtail/configuration/#supported-contents-and-default-values-of-configyaml config: logLevel: info clients: - - url: http://sso-loki-gateway.eb75ad-prod.svc.cluster.local/loki/api/v1/push + - url: http://sso-loki-gateway.eb75ad-tools.svc.cluster.local/loki/api/v1/push tenant_id: sso-team - - url: http://sso-aggregator.eb75ad-prod.svc.cluster.local:8080/api/promtail/push + - url: http://sso-aggregator.eb75ad-tools.svc.cluster.local:8080/api/promtail/push snippets: scrapeConfigs: | {{- tpl .Values.ssoScrapeConfigs . }} diff --git a/helm/promtail/values-eb75ad-test.yaml b/helm/promtail/values-eb75ad-test.yaml index 950a2d9..b332247 100644 --- a/helm/promtail/values-eb75ad-test.yaml +++ b/helm/promtail/values-eb75ad-test.yaml 
@@ -2,15 +2,15 @@ promtail: environment: test deployment: - replicaCount: 2 + replicaCount: 1 # see https://grafana.com/docs/loki/latest/clients/promtail/configuration/#supported-contents-and-default-values-of-configyaml config: logLevel: info clients: - - url: http://sso-loki-gateway.eb75ad-prod.svc.cluster.local/loki/api/v1/push + - url: http://sso-loki-gateway.eb75ad-tools.svc.cluster.local/loki/api/v1/push tenant_id: sso-team - - url: http://sso-aggregator.eb75ad-prod.svc.cluster.local:8080/api/promtail/push + - url: http://sso-aggregator.eb75ad-tools.svc.cluster.local:8080/api/promtail/push snippets: scrapeConfigs: | {{- tpl .Values.ssoScrapeConfigs . }} diff --git a/helm/promtail/values.yaml b/helm/promtail/values.yaml index 5c110e7..d56559f 100644 --- a/helm/promtail/values.yaml +++ b/helm/promtail/values.yaml @@ -24,13 +24,13 @@ promtail: imagePullSecrets: [] - resources: {} - # limits: - # cpu: 200m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi podSecurityContext: containerSecurityContext: