The subject’s username for the basic authentication configuration.

The subject’s password for the basic authentication configuration.

TLS configuration for reaching the alertmanager endpoints.

Header authentication configuration for reaching the alertmanager endpoints.

Basic authentication configuration for reaching the alertmanager endpoints.

The authentication type for the header authentication configuration.

The credentials for the header authentication configuration.

The credentials file for the Header authentication configuration. It is mutually exclusive with credentials.

The CA certificate file path for the TLS configuration.

The server name to validate in the alertmanager server certificates.

The client-side certificate file path for the TLS configuration.

The client-side key file path for the TLS configuration.

Use DNS SRV records to discover Alertmanager hosts.

How long to wait between refreshing DNS resolutions of Alertmanager hosts.

Capacity of the queue for notifications to be sent to the Alertmanager.

HTTP timeout duration when sending notifications to the Alertmanager.

Max time to tolerate outage for restoring “for” state of alert.

Minimum duration between alert and restored “for” state. This is maintained only for alerts with configured “for” time greater than the grace period.

Minimum amount of time to wait before resending an alert to Alertmanager.

URL for alerts return path.

Additional labels to add to all alerts.

If enabled, then requests to Alertmanager use the v2 API.

List of AlertManager URLs to send notifications to. Each Alertmanager URL is treated as a separate group in the configuration. Multiple Alertmanagers in HA per group can be supported by using DNS resolution (See EnableDNSDiscovery).

Defines the configuration for DNS-based discovery of AlertManager hosts.

Defines the configuration for the notification queue to AlertManager hosts.

List of alert relabel configurations.

Client configuration for reaching the alertmanager endpoint.

Name of the alerting rule group. Must be unique within all alerting rules.

Interval defines the time interval between evaluation of the given alerting rule.

Limit defines the number of alerts an alerting rule can produce. 0 is no limit.

Rules defines a list of alerting rules

The name of the alert. Must be a valid label value.

The LogQL expression to evaluate. Every evaluation cycle this is evaluated at the current time, and all resultant time series become pending/firing alerts.

Alerts are considered firing once they have been returned for this long. Alerts which have not yet fired for long enough are considered pending.

Annotations to add to each alert.

Labels to add to each alert.

TenantID of tenant where the alerting rules are evaluated in.

List of groups for alerting rules.

Conditions of the AlertingRule generation health.

TenantName defines the name of the tenant.

TenantID defines the id of the tenant.

OIDC defines the spec for the OIDC tenant’s authentication.

TLSConfig defines the spec for the mTLS tenant’s authentication.

OPA defines the spec for the third-party endpoint for tenant’s authorization.

Roles defines a set of permissions to interact with a tenant.

RoleBindings defines configuration to bind a set of roles to a set of subjects.

Key is the data key of a ConfigMap containing a CA certificate. It needs to be in the same namespace as the LokiStack custom resource. If empty, it defaults to “service-ca.crt”.

CA is the name of a ConfigMap containing a CA certificate. It needs to be in the same namespace as the LokiStack custom resource.

HTTPProxy configures the HTTP_PROXY/http_proxy env variable.

HTTPSProxy configures the HTTPS_PROXY/https_proxy env variable.

NoProxy configures the NO_PROXY/no_proxy env variable.

Type of hash ring implementation that should be used

MemberList configuration spec

"memberlist"

HashRingMemberList when using memberlist for the distributed hash ring.

IngestionRate defines the sample size per second. Units MB.

IngestionBurstSize defines the local rate-limited sample size per distributor replica. It should be set to the set at least to the maximum logs size expected in a single push request.

MaxLabelNameLength defines the maximum number of characters allowed for label keys in log streams.

MaxLabelValueLength defines the maximum number of characters allowed for label values in log streams.

MaxLabelNamesPerSeries defines the maximum number of label names per series in each log stream.

MaxGlobalStreamsPerTenant defines the maximum number of active streams per tenant, across the cluster.

MaxLineSize defines the maximum line size on ingestion path. Units in Bytes.

PerStreamDesiredRate defines the desired ingestion rate per second that LokiStack should target applying automatic stream sharding. Units MB.

PerStreamRateLimit defines the maximum byte rate per second per stream. Units MB.

PerStreamRateLimitBurst defines the maximum burst bytes per stream. Units MB.

"default"

InstanceAddrDefault when using the first from any private network interfaces (RFC 1918 and RFC 6598).

"podIP"

InstanceAddrPodIP when using the public pod IP from the cluster’s pod network.

Global defines the limits applied globally across the cluster.

Tenants defines the limits applied per tenant.

IngestionLimits defines the limits applied on ingested log streams.

QueryLimits defines the limit applied on querying log streams.

Retention defines how long logs are kept in storage.

Replicas defines the number of replica pods of the component.

NodeSelector defines the labels required by a node to schedule the component onto it.

Tolerations defines the tolerations required by a node to schedule the component onto it.

PodAntiAffinity defines the pod anti affinity scheduling rules to schedule pods of a component.

LokiStack CR spec field.

LokiStack CR spec Status.

Compactor is a map to the pod status of the compactor pod.

Distributor is a map to the per pod status of the distributor deployment

IndexGateway is a map to the per pod status of the index gateway statefulset

Ingester is a map to the per pod status of the ingester statefulset

Querier is a map to the per pod status of the querier deployment

QueryFrontend is a map to the per pod status of the query frontend deployment

Gateway is a map to the per pod status of the lokistack gateway deployment.

Ruler is a map to the per pod status of the lokistack ruler statefulset.

"FailedCertificateRotation"

ReasonFailedCertificateRotation when the reconciler cannot rotate any of the required TLS certificates.

"FailedComponents"

ReasonFailedComponents when all/some LokiStack components fail to roll out.

"InvalidGatewayTenantConfigMap"

ReasonInvalidGatewayTenantConfigMap when the format of the configmap is invalid.

"InvalidGatewayTenantSecret"

ReasonInvalidGatewayTenantSecret when the format of the secret is invalid.

"InvalidObjectStorageCAConfigMap"

ReasonInvalidObjectStorageCAConfigMap when the format of the CA configmap is invalid.

"InvalidObjectStorageSchema"

ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).

"InvalidObjectStorageSecret"

ReasonInvalidObjectStorageSecret when the format of the secret is invalid.

"InvalidReplicationConfiguration"

ReasonInvalidReplicationConfiguration when the configurated replication factor is not valid with the select cluster size.

"InvalidRulerSecret"

ReasonInvalidRulerSecret when the format of the ruler remote write authorization secret is invalid.

"InvalidTenantsConfiguration"

ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.

"MissingGatewayTenantAuthenticationConfig"

ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config

"MissingGatewayOpenShiftBaseDomain"

ReasonMissingGatewayOpenShiftBaseDomain when the reconciler cannot lookup the OpenShift DNS base domain.

"MissingGatewayTenantConfigMap"

ReasonMissingGatewayTenantConfigMap when the required tenant configmap for authentication is missing.

"MissingGatewayTenantSecret"

ReasonMissingGatewayTenantSecret when the required tenant secret for authentication is missing.

"MissingObjectStorageCAConfigMap"

ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage certificates is missing.

"MissingObjectStorageSecret"

ReasonMissingObjectStorageSecret when the required secret to store logs to object storage is missing.

"MissingRulerSecret"

ReasonMissingRulerSecret when the required secret to authorization remote write connections for the ruler is missing.

"PendingComponents"

ReasonPendingComponents when all/some LokiStack components pending dependencies

"ReasonQueryTimeoutInvalid"

ReasonQueryTimeoutInvalid when the QueryTimeout can not be parsed.

"ReadyComponents"

ReasonReadyComponents when all LokiStack components are ready to serve traffic.

"ReasonZoneAwareEmptyLabel"

ReasonZoneAwareEmptyLabel when the node-label used for zone-awareness has an empty value.

"ReasonZoneAwareNodesMissing"

ReasonZoneAwareNodesMissing when the cluster does not contain any nodes with the labels needed for zone-awareness.

"Degraded"

ConditionDegraded defines the condition that some or all components in the Loki deployment are degraded or the cluster cannot connect to object storage.

"Failed"

ConditionFailed defines the condition that components in the Loki deployment failed to roll out.

"Pending"

ConditionPending defines the condition that some or all components are in pending state.

"Ready"

ConditionReady defines the condition that all components in the Loki deployment are ready.

"1x.demo"

SizeOneXDemo defines the size of a single Loki deployment with tiny resource requirements and without HA support. This size is intended to run in single-node clusters on laptops, it is only useful for very light testing, demonstrations, or prototypes. There are no ingestion/query performance guarantees. DO NOT USE THIS IN PRODUCTION!

"1x.extra-small"

SizeOneXExtraSmall defines the size of a single Loki deployment with extra small resources/limits requirements and without HA support. This size is ultimately dedicated for development and demo purposes. DO NOT USE THIS IN PRODUCTION!

FIXME: Add clear description of ingestion/query performance expectations.

"1x.medium"

SizeOneXMedium defines the size of a single Loki deployment with small resources/limits requirements and HA support for all Loki components. This size is dedicated for setup with the requirement for single replication factor and auto-compaction.

FIXME: Add clear description of ingestion/query performance expectations.

"1x.small"

SizeOneXSmall defines the size of a single Loki deployment with small resources/limits requirements and HA support for all Loki components. This size is dedicated for setup without the requirement for single replication factor and auto-compaction.

FIXME: Add clear description of ingestion/query performance expectations.

ManagementState defines if the CR should be managed by the operator or not. Default is managed.

Size defines one of the support Loki deployment scale out sizes.

HashRing defines the spec for the distributed hash ring configuration.

Storage defines the spec for the object storage endpoint to store logs.

Storage class name defines the storage class for ingester/querier PVCs.

Proxy defines the spec for the object proxy to configure cluster proxy information.

Deprecated: Please use replication.factor instead. This field will be removed in future versions of this CRD. ReplicationFactor defines the policy for log stream replication.

Replication defines the configuration for Loki data replication.

Rules defines the spec for the ruler component.

Limits defines the limits to be applied to log stream processing.

Template defines the resource/limits/tolerations/nodeselectors per component.

Tenants defines the per-tenant authentication and authorization spec for the lokistack-gateway component.

Components provides summary of all Loki pod status grouped per component.

Storage provides summary of all changes that have occurred to the storage configuration.

Conditions of the Loki deployment health.

Schemas is a list of schemas which have been applied to the LokiStack.

Compactor defines the compaction component spec.

Distributor defines the distributor component spec.

Ingester defines the ingester component spec.

Querier defines the querier component spec.

QueryFrontend defines the query frontend component spec.

Gateway defines the lokistack gateway component spec.

IndexGateway defines the index gateway component spec.

Ruler defines the ruler component spec.

CA defines the spec for the custom CA for tenant’s authentication.

"Managed"

ManagementStateManaged when the LokiStack custom resource should be reconciled by the operator.

"Unmanaged"

ManagementStateUnmanaged when the LokiStack custom resource should not be reconciled by the operator.

InstanceAddrType defines the type of address to use to advertise to the ring. Defaults to the first address from any private network interfaces of the current pod. Alternatively the public pod IP can be used in case private networks (RFC 1918 and RFC 6598) are not available.

EnableIPv6 enables IPv6 support for the memberlist based hash ring.

Currently this also forces the instanceAddrType to podIP to avoid local address lookup for the memberlist.

"dynamic"

Dynamic mode delegates the authorization to a third-party OPA-compatible endpoint.

"openshift-logging"

OpenshiftLogging mode provides fully automatic OpenShift in-cluster authentication and authorization support for application, infrastructure and audit logs.

"openshift-network"

OpenshiftNetwork mode provides fully automatic OpenShift in-cluster authentication and authorization support for network logs only.

"static"

Static mode asserts the Authorization Spec’s Roles and RoleBindings using an in-process OpenPolicyAgent Rego authorizer.

Secret defines the spec for the clientID and clientSecret for tenant’s authentication.

IssuerCA defines the spec for the issuer CA for tenant’s authentication.

IssuerURL defines the URL for issuer.

RedirectURL defines the URL for redirect.

Group claim field from ID Token

User claim field from ID Token

URL defines the third-party endpoint for authorization.

Version for writing and reading logs.

EffectiveDate is the date in UTC that the schema will be applied on. To ensure readibility of logs, this date should be before the current date in UTC.

"v11"

ObjectStorageSchemaV11 when using v11 for the storage schema

"v12"

ObjectStorageSchemaV12 when using v12 for the storage schema

"v13"

ObjectStorageSchemaV13 when using v13 for the storage schema

Type of object storage that should be used

Name of a secret in the namespace configured for object storage secrets.

"alibabacloud"

ObjectStorageSecretAlibabaCloud when using AlibabaCloud OSS for Loki storage

"azure"

ObjectStorageSecretAzure when using Azure for Loki storage

"gcs"

ObjectStorageSecretGCS when using GCS for Loki storage

"s3"

ObjectStorageSecretS3 when using S3 for Loki storage

"swift"

ObjectStorageSecretSwift when using Swift for Loki storage

Schemas for reading and writing logs.

Secret for object storage authentication. Name of a secret in the same namespace as the LokiStack custom resource.

TLS configuration for reaching the object storage endpoint.

Key is the data key of a ConfigMap containing a CA certificate. It needs to be in the same namespace as the LokiStack custom resource. If empty, it defaults to “service-ca.crt”.

CA is the name of a ConfigMap containing a CA certificate. It needs to be in the same namespace as the LokiStack custom resource.

AdminGroups defines a list of groups, whose members are considered to have admin-privileges by the Loki Operator. Setting this to an empty array disables admin groups.

By default the following groups are considered admin-groups: - system:cluster-admins - cluster-admin - dedicated-admin

"read"

Read gives access to read data from a tenant.

"write"

Write gives access to write data to a tenant.

MaxEntriesLimitsPerQuery defines the maximum number of log entries that will be returned for a query.

MaxChunksPerQuery defines the maximum number of chunks that can be fetched by a single query.

MaxQuerySeries defines the maximum of unique series that is returned by a metric query.

Timeout when querying ingesters or storage during the execution of a query request.

CardinalityLimit defines the cardinality limit for index queries.

Name of the recording rule group. Must be unique within all recording rules.

Interval defines the time interval between evaluation of the given recoding rule.

Limit defines the number of series a recording rule can produce. 0 is no limit.

Rules defines a list of recording rules

The name of the time series to output to. Must be a valid metric name.

The LogQL expression to evaluate. Every evaluation cycle this is evaluated at the current time, and all resultant time series become pending/firing alerts.

Labels to add to each recording rule.

TenantID of tenant where the recording rules are evaluated in.

List of groups for recording rules.

Conditions of the RecordingRule generation health.

The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression for the replace, keep, and drop actions.

Separator placed between concatenated source label values. default is ‘;’.

Label to which the resulting value is written in a replace action. It is mandatory for replace actions. Regex capture groups are available.

Regular expression against which the extracted value is matched. Default is ‘(.*)’

Modulus to take of the hash of the source label values.

Replacement value against which a regex replace is performed if the regular expression matches. Regex capture groups are available. Default is ‘$1’

Action to perform based on regex matching. Default is ‘replace’

"basic"

BasicAuthorization defines the remote write client to use HTTP basic authorization.

"bearer"

BearerAuthorization defines the remote write client to use HTTP bearer authorization.

Number of samples to buffer per shard before we block reading of more

Maximum number of shards, i.e. amount of concurrency.

Minimum number of shards, i.e. amount of concurrency.

Maximum number of samples per send.

Maximum time a sample will wait in buffer.

Initial retry delay. Gets doubled for every retry.

Maximum retry delay.

Name of the remote write config, which if specified must be unique among remote write configs.

The URL of the endpoint to send samples to.

Timeout for requests to the remote write endpoint.

Type of authorzation to use to access the remote write endpoint

Name of a secret in the namespace configured for authorization secrets.

Additional HTTP headers to be sent along with each remote write request.

List of remote write relabel configurations.

Optional proxy URL.

Configure whether HTTP requests follow HTTP 3xx redirects.

Enable remote-write functionality.

Minimum period to wait between refreshing remote-write reconfigurations.

Defines the configuration for remote write client.

Defines the configuration for remote write client queue.

Factor defines the policy for log stream replication.

Zones defines an array of ZoneSpec that the scheduler will try to satisfy. IMPORTANT: Make sure that the replication factor defined is less than or equal to the number of available zones.

Days contains the number of days logs are kept.

Stream defines the log stream.

Days contains the number of days logs are kept.

Priority defines the priority of this selector compared to other retention rules.

Selector contains the LogQL query used to define the log stream.

Interval on how frequently to evaluate rules.

Interval on how frequently to poll for new rule definitions.

Defines alert manager configuration to notify on firing alerts.

Defines a remote write endpoint to write recording rule metrics.

Overrides defines the config overrides to be applied per-tenant.

Conditions of the RulerConfig health.

AlertManagerOverrides defines the overrides to apply to the alertmanager config.

Enabled defines a flag to enable/disable the ruler component

A selector to select which LokiRules to mount for loading alerting/recording rules from.

Namespaces to be selected for PrometheusRules discovery. If unspecified, only the same namespace as the LokiStack object is in is used.

"group"

Group represents a subject that is a group.

"user"

User represents a subject that is a user.

Name of a secret in the namespace configured for tenant secrets.

Mode defines the mode in which lokistack-gateway component will be configured.

Authentication defines the lokistack-gateway component authentication configuration spec per tenant.

Authorization defines the lokistack-gateway component authorization configuration spec per tenant.

Openshift defines the configuration specific to Openshift modes.

MaxSkew describes the maximum degree to which Pods can be unevenly distributed.

TopologyKey is the key that defines a topology in the Nodes’ labels.

The subject’s username for the basic authentication configuration.

The subject’s password for the basic authentication configuration.

TLS configuration for reaching the alertmanager endpoints.

Header authentication configuration for reaching the alertmanager endpoints.

Basic authentication configuration for reaching the alertmanager endpoints.

The authentication type for the header authentication configuration.

The credentials for the header authentication configuration.

The credentials file for the Header authentication configuration. It is mutually exclusive with credentials.

The CA certificate file path for the TLS configuration.

The server name to validate in the alertmanager server certificates.

The client-side certificate file path for the TLS configuration.

The client-side key file path for the TLS configuration.

Use DNS SRV records to discover Alertmanager hosts.

How long to wait between refreshing DNS resolutions of Alertmanager hosts.

Capacity of the queue for notifications to be sent to the Alertmanager.

HTTP timeout duration when sending notifications to the Alertmanager.

Max time to tolerate outage for restoring “for” state of alert.

Minimum duration between alert and restored “for” state. This is maintained only for alerts with configured “for” time greater than the grace period.

Minimum amount of time to wait before resending an alert to Alertmanager.

URL for alerts return path.

Additional labels to add to all alerts.

If enabled, then requests to Alertmanager use the v2 API.

List of AlertManager URLs to send notifications to. Each Alertmanager URL is treated as a separate group in the configuration. Multiple Alertmanagers in HA per group can be supported by using DNS resolution (See EnableDNSDiscovery).

Defines the configuration for DNS-based discovery of AlertManager hosts.

Defines the configuration for the notification queue to AlertManager hosts.

List of alert relabel configurations.

Client configuration for reaching the alertmanager endpoint.

Name of the alerting rule group. Must be unique within all alerting rules.

Interval defines the time interval between evaluation of the given alerting rule.

Limit defines the number of alerts an alerting rule can produce. 0 is no limit.

Rules defines a list of alerting rules

The name of the alert. Must be a valid label value.

The LogQL expression to evaluate. Every evaluation cycle this is evaluated at the current time, and all resultant time series become pending/firing alerts.

Alerts are considered firing once they have been returned for this long. Alerts which have not yet fired for long enough are considered pending.

Annotations to add to each alert.

Labels to add to each alert.

TenantID of tenant where the alerting rules are evaluated in.

List of groups for alerting rules.

Conditions of the AlertingRule generation health.

TenantName defines the name of the tenant.

TenantID defines the id of the tenant.

OIDC defines the spec for the OIDC tenant’s authentication.

OPA defines the spec for the third-party endpoint for tenant’s authorization.

Roles defines a set of permissions to interact with a tenant.

RoleBindings defines configuration to bind a set of roles to a set of subjects.

IngestionRate defines the sample size per second. Units MB.

IngestionBurstSize defines the local rate-limited sample size per distributor replica. It should be set to the set at least to the maximum logs size expected in a single push request.

MaxLabelNameLength defines the maximum number of characters allowed for label keys in log streams.

MaxLabelValueLength defines the maximum number of characters allowed for label values in log streams.

MaxLabelNamesPerSeries defines the maximum number of label names per series in each log stream.

MaxGlobalStreamsPerTenant defines the maximum number of active streams per tenant, across the cluster.

MaxLineSize defines the maximum line size on ingestion path. Units in Bytes.

Global defines the limits applied globally across the cluster.

Tenants defines the limits and overrides applied per tenant.

IngestionLimits defines the limits applied on ingested log streams.

QueryLimits defines the limit applied on querying log streams.

Replicas defines the number of replica pods of the component.

NodeSelector defines the labels required by a node to schedule the component onto it.

Tolerations defines the tolerations required by a node to schedule the component onto it.

Compactor is a map to the pod status of the compactor pod.

Distributor is a map to the per pod status of the distributor deployment

IndexGateway is a map to the per pod status of the index gateway statefulset

Ingester is a map to the per pod status of the ingester statefulset

Querier is a map to the per pod status of the querier deployment

QueryFrontend is a map to the per pod status of the query frontend deployment

Gateway is a map to the per pod status of the lokistack gateway deployment.

Ruler is a map to the per pod status of the lokistack ruler statefulset.

"FailedComponents"

ReasonFailedComponents when all/some LokiStack components fail to roll out.

"InvalidGatewayTenantSecret"

ReasonInvalidGatewayTenantSecret when the format of the secret is invalid.

"InvalidObjectStorageCAConfigMap"

ReasonInvalidObjectStorageCAConfigMap when the format of the CA configmap is invalid.

"InvalidObjectStorageSchema"

ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).

"InvalidObjectStorageSecret"

ReasonInvalidObjectStorageSecret when the format of the secret is invalid.

"InvalidReplicationConfiguration"

ReasonInvalidReplicationConfiguration when the configurated replication factor is not valid with the select cluster size.

"InvalidRulerSecret"

ReasonInvalidRulerSecret when the format of the ruler remote write authorization secret is invalid.

"InvalidTenantsConfiguration"

ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.

"MissingGatewayOpenShiftBaseDomain"

ReasonMissingGatewayOpenShiftBaseDomain when the reconciler cannot lookup the OpenShift DNS base domain.

"MissingGatewayTenantSecret"

ReasonMissingGatewayTenantSecret when the required tenant secret for authentication is missing.

"MissingObjectStorageCAConfigMap"

ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage certificates is missing.

"MissingObjectStorageSecret"

ReasonMissingObjectStorageSecret when the required secret to store logs to object storage is missing.

"MissingRulerSecret"

ReasonMissingRulerSecret when the required secret to authorization remote write connections for the ruler is missing.

"PendingComponents"

ReasonPendingComponents when all/some LokiStack components pending dependencies

"ReadyComponents"

ReasonReadyComponents when all LokiStack components are ready to serve traffic.

"Degraded"

ConditionDegraded defines the condition that some or all components in the Loki deployment are degraded or the cluster cannot connect to object storage.

"Failed"

ConditionFailed defines the condition that components in the Loki deployment failed to roll out.

"Pending"

ConditionPending defines the condition that some or all components are in pending state.

"Ready"

ConditionReady defines the condition that all components in the Loki deployment are ready.

"1x.extra-small"

SizeOneXExtraSmall defines the size of a single Loki deployment with extra small resources/limits requirements and without HA support. This size is ultimately dedicated for development and demo purposes. DO NOT USE THIS IN PRODUCTION!

FIXME: Add clear description of ingestion/query performance expectations.

"1x.medium"

SizeOneXMedium defines the size of a single Loki deployment with small resources/limits requirements and HA support for all Loki components. This size is dedicated for setup with the requirement for single replication factor and auto-compaction.

FIXME: Add clear description of ingestion/query performance expectations.

"1x.small"

SizeOneXSmall defines the size of a single Loki deployment with small resources/limits requirements and HA support for all Loki components. This size is dedicated for setup without the requirement for single replication factor and auto-compaction.

FIXME: Add clear description of ingestion/query performance expectations.

ManagementState defines if the CR should be managed by the operator or not. Default is managed.

Size defines one of the support Loki deployment scale out sizes.

Storage defines the spec for the object storage endpoint to store logs.

Storage class name defines the storage class for ingester/querier PVCs.

ReplicationFactor defines the policy for log stream replication.

Rules defines the spec for the ruler component

Limits defines the per-tenant limits to be applied to log stream processing and the per-tenant the config overrides.

Template defines the resource/limits/tolerations/nodeselectors per component

Tenants defines the per-tenant authentication and authorization spec for the lokistack-gateway component.

Components provides summary of all Loki pod status grouped per component.

Storage provides summary of all changes that have occurred to the storage configuration.

Conditions of the Loki deployment health.

Schemas is a list of schemas which have been applied to the LokiStack.

Compactor defines the compaction component spec.

Distributor defines the distributor component spec.

Ingester defines the ingester component spec.

Querier defines the querier component spec.

QueryFrontend defines the query frontend component spec.

Gateway defines the lokistack gateway component spec.

IndexGateway defines the index gateway component spec.

Ruler defines the ruler component spec.

"Managed"

ManagementStateManaged when the LokiStack custom resource should be reconciled by the operator.

"Unmanaged"

ManagementStateUnmanaged when the LokiStack custom resource should not be reconciled by the operator.

"dynamic"

Dynamic mode delegates the authorization to a third-party OPA-compatible endpoint.

"openshift-logging"

OpenshiftLogging mode provides fully automatic OpenShift in-cluster authentication and authorization support.

"static"

Static mode asserts the Authorization Spec’s Roles and RoleBindings using an in-process OpenPolicyAgent Rego authorizer.

Secret defines the spec for the clientID, clientSecret and issuerCAPath for tenant’s authentication.

IssuerURL defines the URL for issuer.

RedirectURL defines the URL for redirect.

Group claim field from ID Token

User claim field from ID Token

URL defines the third-party endpoint for authorization.

Version for writing and reading logs.

EffectiveDate is the date in UTC that the schema will be applied on. To ensure readibility of logs, this date should be before the current date in UTC.

"v11"

ObjectStorageSchemaV11 when using v11 for the storage schema

"v12"

ObjectStorageSchemaV12 when using v12 for the storage schema

Type of object storage that should be used

Name of a secret in the namespace configured for object storage secrets.

"azure"

ObjectStorageSecretAzure when using Azure for Loki storage

"gcs"

ObjectStorageSecretGCS when using GCS for Loki storage

"s3"

ObjectStorageSecretS3 when using S3 for Loki storage

"swift"

ObjectStorageSecretSwift when using Swift for Loki storage

Schemas for reading and writing logs.

Secret for object storage authentication. Name of a secret in the same namespace as the LokiStack custom resource.

TLS configuration for reaching the object storage endpoint.

CA is the name of a ConfigMap containing a CA certificate. It needs to be in the same namespace as the LokiStack custom resource.

"read"

Read gives access to read data from a tenant.

"write"

Write gives access to write data to a tenant.

MaxEntriesLimitsPerQuery defines the maximum number of log entries that will be returned for a query.

MaxChunksPerQuery defines the maximum number of chunks that can be fetched by a single query.

MaxQuerySeries defines the maximum of unique series that is returned by a metric query.

Name of the recording rule group. Must be unique within all recording rules.

Interval defines the time interval between evaluation of the given recoding rule.

Limit defines the number of series a recording rule can produce. 0 is no limit.

Rules defines a list of recording rules

The name of the time series to output to. Must be a valid metric name.

The LogQL expression to evaluate. Every evaluation cycle this is evaluated at the current time, and all resultant time series become pending/firing alerts.

TenantID of tenant where the recording rules are evaluated in.

List of groups for recording rules.

Conditions of the RecordingRule generation health.

The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression for the replace, keep, and drop actions.

Separator placed between concatenated source label values. default is ‘;’.

Label to which the resulting value is written in a replace action. It is mandatory for replace actions. Regex capture groups are available.

Regular expression against which the extracted value is matched. Default is ‘(.*)’

Modulus to take of the hash of the source label values.

Replacement value against which a regex replace is performed if the regular expression matches. Regex capture groups are available. Default is ‘$1’

Action to perform based on regex matching. Default is ‘replace’

"basic"

BasicAuthorization defines the remote write client to use HTTP basic authorization.

"bearer"

BearerAuthorization defines the remote write client to use HTTP bearer authorization.

Number of samples to buffer per shard before we block reading of more

Maximum number of shards, i.e. amount of concurrency.

Minimum number of shards, i.e. amount of concurrency.

Maximum number of samples per send.

Maximum time a sample will wait in buffer.

Initial retry delay. Gets doubled for every retry.

Maximum retry delay.

Name of the remote write config, which if specified must be unique among remote write configs.

The URL of the endpoint to send samples to.

Timeout for requests to the remote write endpoint.

Type of authorzation to use to access the remote write endpoint

Name of a secret in the namespace configured for authorization secrets.

Additional HTTP headers to be sent along with each remote write request.

List of remote write relabel configurations.

Optional proxy URL.

Configure whether HTTP requests follow HTTP 3xx redirects.

Enable remote-write functionality.

Minimum period to wait between refreshing remote-write reconfigurations.

Defines the configuration for remote write client.

Defines the configuration for remote write client queue.

Interval on how frequently to evaluate rules.

Interval on how frequently to poll for new rule definitions.

Defines alert manager configuration to notify on firing alerts.

Defines a remote write endpoint to write recording rule metrics.

Overrides defines the config overrides to be applied per-tenant.

Conditions of the RulerConfig health.

AlertManagerOverrides defines the overrides to apply to the alertmanager config.

Enabled defines a flag to enable/disable the ruler component

A selector to select which LokiRules to mount for loading alerting/recording rules from.

Namespaces to be selected for PrometheusRules discovery. If unspecified, only the same namespace as the LokiStack object is in is used.

"group"

Group represents a subject that is a group.

"user"

User represents a subject that is a user.

Name of a secret in the namespace configured for tenant secrets.

Mode defines the mode in which lokistack-gateway component will be configured.

Authentication defines the lokistack-gateway component authentication configuration spec per tenant.

Authorization defines the lokistack-gateway component authorization configuration spec per tenant.