Feature Gates

This document contains the types introduced by the Loki Operator to be consumed by users.

This page is automatically generated with gen-crd-api-reference-docs.

config.loki.grafana.com/v1

Package v1 contains API Schema definitions for the config v1 API group

Resource Types:

BuiltInCertManagement

(Appears on:FeatureGates)

BuiltInCertManagement is the configuration for the built-in facility to generate and rotate TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway.

Field Description
enabled
bool

Enabled is the flag that enables or disables the built-in certificate management feature gate.

caValidity
string

CACertValidity defines the total duration of the CA certificate validity.

caRefresh
string

CACertRefresh defines how much of the CA certificate validity elapses before a rotation should happen. It can be set to at most 80% of the CA certificate validity, or equal to the CA certificate validity. The latter should be used only to rotate once the certificate has expired.

certValidity
string

CertValidity defines the total duration of the validity for all LokiStack certificates.

certRefresh
string

CertRefresh defines how much of the certificate validity elapses before a rotation should happen. It can be set to at most 80% of the certificate validity, or equal to the certificate validity. The latter should be used only to rotate once the certificate has expired. The refresh is applied to all LokiStack certificates at once.
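The refresh rule for caRefresh and certRefresh above has a gap that is easy to get wrong: anything above 80% of the validity is rejected unless it is exactly the validity, which selects rotate-on-expiry. The following Go program is an added example, not operator code, that parses a validity/refresh pair and applies that rule, reporting when the next rotation would be issued. It assumes the four fields are Go duration strings such as 43830h (an assumption; check the operator's parsing if your values use other units), and the sample pairs in main are constructed, not the operator's defaults.

```go
package main

import (
	"fmt"
	"time"
)

// rotationPlan is the schedule a validity/refresh pair implies for one certificate.
type rotationPlan struct {
	Validity, Refresh time.Duration
	RotateAt          time.Time // when a replacement would be issued
	OnExpiryOnly      bool      // refresh == validity: rotate only once expired
}

// planRotation parses the duration strings used for caValidity/caRefresh and
// certValidity/certRefresh and applies the documented rule: the refresh interval
// must be at most 80% of the validity, or exactly equal to it. Values between
// 80% and 100% are rejected, as are refreshes longer than the validity.
func planRotation(validity, refresh string, issuedAt time.Time) (rotationPlan, error) {
	v, err := time.ParseDuration(validity)
	if err != nil {
		return rotationPlan{}, fmt.Errorf("validity: %w", err)
	}
	r, err := time.ParseDuration(refresh)
	if err != nil {
		return rotationPlan{}, fmt.Errorf("refresh: %w", err)
	}
	if v <= 0 || r <= 0 {
		return rotationPlan{}, fmt.Errorf("validity and refresh must be positive, got %s/%s", v, r)
	}
	switch {
	case r == v:
		return rotationPlan{v, r, issuedAt.Add(r), true}, nil
	case r > v:
		return rotationPlan{}, fmt.Errorf("refresh %s exceeds validity %s", r, v)
	case r > v-v/5: // integer form of r > 0.8*v; avoids float rounding and int64 overflow
		return rotationPlan{}, fmt.Errorf("refresh %s is above 80%% of validity %s (%s) but not equal to it", r, v, v-v/5)
	}
	return rotationPlan{v, r, issuedAt.Add(r), false}, nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed pairs covering the three regimes; not the operator's defaults.
	for _, c := range [][2]string{{"43830h", "35064h"}, {"43830h", "43830h"}, {"43830h", "40000h"}, {"2160h", "1800h"}} {
		p, err := planRotation(c[0], c[1], issued)
		if err != nil {
			fmt.Printf("%s/%s: rejected: %v\n", c[0], c[1], err)
			continue
		}
		fmt.Printf("%s/%s: rotate at %s (on expiry only: %t)\n", c[0], c[1], p.RotateAt.Format(time.RFC3339), p.OnExpiryOnly)
	}
}
```

The integer comparison r > v - v/5 is used instead of multiplying by 0.8 so that a refresh of exactly 80% (35064h of 43830h) is accepted without floating-point surprises and multi-decade CA lifetimes cannot overflow a nanosecond int64.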

FeatureGates

(Appears on:ProjectConfig)

FeatureGates is the supported set of all operator feature gates.

Field Description
serviceMonitors
bool

ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor resource per LokiStack component.

serviceMonitorTlsEndpoints
bool

ServiceMonitorTLSEndpoints enables TLS for the ServiceMonitor endpoints.

lokiStackAlerts
bool

LokiStackAlerts enables creating Prometheus-Operator managed PrometheusRules for common Loki alerts.

httpEncryption
bool

HTTPEncryption enables TLS encryption for all HTTP LokiStack services. Each HTTP service requires a secret named after the service with the following data:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, each service requires a configmap named after the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.

grpcEncryption
bool

GRPCEncryption enables TLS encryption for all GRPC LokiStack services. Each GRPC service requires a secret named after the service with the following data:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, each service requires a configmap named after the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.

builtInCertManagement
BuiltInCertManagement

BuiltInCertManagement enables the built-in facility for generating and rotating TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway. In detail, all internal Loki HTTP and GRPC communication is lifted to require mTLS. For the lokistack-gateway you need to provide a secret yourself, or use the ServingCertsService feature gate on OpenShift, with the following data:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, each service requires a configmap named after the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.
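The httpEncryption, grpcEncryption and builtInCertManagement gates above all look for the same two objects: a Secret named after the service carrying tls.crt and tls.key, and a ConfigMap named after the LokiStack CR with the -ca-bundle suffix carrying service-ca.crt. The following Go program is an added example, not part of the operator, showing what you have to provide when you supply those objects yourself (for the lokistack-gateway, or when built-in management is off): it mints a throwaway CA and one serving certificate with the in-cluster DNS names as SANs, checks that the certificate chains to the bundle the way a client holding service-ca.crt would, and renders the two manifests with exactly those data keys. The LokiStack name lokistack-dev is from this page; the namespace logging, the service name lokistack-dev-querier-http, the CA name, ECDSA P-256 keys and the kubernetes.io/tls Secret type are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// serviceTLS holds the PEM payloads for tls.crt, tls.key and service-ca.crt.
type serviceTLS struct {
	CertPEM, KeyPEM, CAPEM []byte
}

// issue generates a P-256 key and a certificate for tmpl; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintServiceTLS builds a throwaway CA plus one serving certificate whose SANs are the in-cluster names clients dial.
func mintServiceTLS(service, namespace string, caValidity, certValidity time.Duration) (serviceTLS, error) {
	now := time.Now().Add(-time.Minute) // small backdate tolerates clock skew
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lokistack-example-ca"}, // assumed CA name
		NotBefore: now, NotAfter: now.Add(caValidity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return serviceTLS{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, as a real CA would use
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: service},
		DNSNames:    []string{service, service + "." + namespace + ".svc", service + "." + namespace + ".svc.cluster.local"},
		NotBefore:   now, NotAfter: now.Add(certValidity),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return serviceTLS{}, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(leafKey) // cannot fail for a P-256 key
	return serviceTLS{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		CAPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}),
	}, nil
}

// verifyServing does what a client holding the CA bundle does: chain tls.crt to service-ca.crt for the dialed name.
func verifyServing(t serviceTLS, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(t.CAPEM) {
		return fmt.Errorf("no CA certificate in bundle")
	}
	block, _ := pem.Decode(t.CertPEM) // non-nil for anything mintServiceTLS produced
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// manifests renders the Secret named after the service and the ConfigMap named <lokistack>-ca-bundle with the required keys.
func manifests(lokistack, namespace, service string, t serviceTLS) string {
	indent := func(p []byte) string { return "    " + strings.ReplaceAll(strings.TrimSpace(string(p)), "\n", "\n    ") }
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\n"+
		"stringData:\n  tls.crt: |\n%s\n  tls.key: |\n%s\n---\n"+
		"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s-ca-bundle\n  namespace: %s\ndata:\n  service-ca.crt: |\n%s\n",
		service, namespace, indent(t.CertPEM), indent(t.KeyPEM), lokistack, namespace, indent(t.CAPEM))
}

func main() {
	t, err := mintServiceTLS("lokistack-dev-querier-http", "logging", 2*365*24*time.Hour, 90*24*time.Hour) // assumed names
	if err != nil {
		panic(err)
	}
	fmt.Print(manifests("lokistack-dev", "logging", "lokistack-dev-querier-http", t))
}
```

The SAN list is the part to get right: clients inside the cluster dial service.namespace.svc, so a certificate issued only for the bare service name fails hostname verification even though it chains to the bundle correctly. Run the output through kubectl apply -f - in the LokiStack namespace, once per service that the enabled gates cover.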

lokiStackGateway
bool

LokiStackGateway enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki.

grafanaLabsUsageReport
bool

GrafanaLabsUsageReport enables the Grafana Labs usage report for Loki. More details: https://grafana.com/docs/loki/latest/release-notes/v2-5/#usage-reporting

runtimeSeccompProfile
bool

RuntimeSeccompProfile enables the restricted seccomp profile on all Lokistack components.

lokiStackWebhook
bool

LokiStackWebhook enables the LokiStack CR validation and conversion webhooks.

alertingRuleWebhook
bool

AlertingRuleWebhook enables the AlertingRule CR validation webhook.

recordingRuleWebhook
bool

RecordingRuleWebhook enables the RecordingRule CR validation webhook.

rulerConfigWebhook
bool

RulerConfigWebhook enables the RulerConfig CR validation webhook.

defaultNodeAffinity
bool

When DefaultNodeAffinity is enabled the operator sets a default node affinity on all pods, which restricts scheduling of the pods to Linux nodes.

openshift
OpenShiftFeatureGates

OpenShift contains a set of feature gates supported only on OpenShift.

tlsProfile
string

TLSProfile allows choosing a TLS security profile. It is enforced when using HTTPEncryption or GRPCEncryption.

OpenShiftFeatureGates

(Appears on:FeatureGates)

OpenShiftFeatureGates is the supported set of all operator feature gates on OpenShift.

Field Description
servingCertsService
bool

ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only, so that the in-platform CA is used to generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html

gatewayRoute
bool

GatewayRoute enables creating an OpenShift Route for the LokiStack gateway to expose the service to public internet access. More details: https://docs.openshift.com/container-platform/latest/networking/understanding-networking.html

ruleExtendedValidation
bool

ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context.

clusterTLSPolicy
bool

ClusterTLSPolicy enables usage of TLS policies set in the API Server. More details: https://docs.openshift.com/container-platform/4.11/security/tls-security-profiles.html

clusterProxy
bool

ClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy

ProjectConfig

ProjectConfig is the Schema for the projectconfigs API

Field Description
syncPeriod
Kubernetes meta/v1.Duration
(Optional)

SyncPeriod determines the minimum frequency at which watched resources are reconciled. A lower period will correct entropy more quickly, but reduce responsiveness to change if there are many watched resources. Change this value only if you know what you are doing. Defaults to 10 hours if unset. There will be a 10 percent jitter between the SyncPeriod of all controllers so that they do not all send list requests simultaneously.

leaderElection
Kubernetes v1alpha1.LeaderElectionConfiguration
(Optional)

LeaderElection is the LeaderElection config to be used when configuring the manager.Manager leader election

cacheNamespace
string
(Optional)

CacheNamespace, if specified, restricts the manager's cache to watch objects in the desired namespace. Defaults to all namespaces.

Note: If a namespace is specified, controllers can still Watch for a cluster-scoped resource (e.g Node). For namespaced resources the cache will only hold objects from the desired namespace.

gracefulShutDown
Kubernetes meta/v1.Duration

GracefulShutdownTimeout is the duration given to runnables to stop before the manager actually returns on stop. To disable graceful shutdown, set it to time.Duration(0). To use graceful shutdown without a timeout, set it to a negative duration, e.g. time.Duration(-1). The graceful shutdown is skipped for safety reasons in case the leader election lease is lost.

controller
K8S Controller-runtime v1alpha1.ControllerConfigurationSpec
(Optional)

Controller contains global configuration options for controllers registered within this manager.

metrics
K8S Controller-runtime v1alpha1.ControllerMetrics
(Optional)

Metrics contains the controller metrics configuration

health
K8S Controller-runtime v1alpha1.ControllerHealth
(Optional)

Health contains the controller health configuration

webhook
K8S Controller-runtime v1alpha1.ControllerWebhook
(Optional)

Webhook contains the controller's webhook configuration

featureGates
FeatureGates

TLSProfileType

(string alias)

TLSProfileType is a TLS security profile based on the Mozilla definitions: https://wiki.mozilla.org/Security/Server_Side_TLS

Value Description

"Intermediate"

TLSProfileIntermediateType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

"Modern"

TLSProfileModernType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

"Old"

TLSProfileOldType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
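The three TLSProfileType values above, selected through the tlsProfile feature gate, differ in what a connecting client must support. The following Go program is an added example, not the operator's mapping, that builds a server-side crypto/tls configuration for each profile following the Mozilla tiers the values are named after (TLS 1.3 only for Modern; TLS 1.2 with forward-secret AEAD suites for Intermediate; TLS 1.0 and CBC suites for Old) and then probes each one with three constructed clients to show which handshakes the profile allows. The exact cipher lists are this example's reading of the Mozilla guidance; the server certificate is the localhost one that net/http/httptest supplies, so no CA material is needed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// profileConfig maps a TLSProfileType value to a server-side tls.Config following
// the Mozilla server-side TLS guidance the profiles are named after. This is an
// illustration of the three tiers, not the operator's own mapping.
func profileConfig(profile string) (*tls.Config, error) {
	switch profile {
	case "Modern":
		// TLS 1.3 only. Go does not let you restrict 1.3 suites, and they are all AEAD.
		return &tls.Config{MinVersion: tls.VersionTLS13}, nil
	case "Intermediate":
		// TLS 1.2+, forward-secret AEAD suites only: no RSA key exchange, no CBC.
		return &tls.Config{
			MinVersion: tls.VersionTLS12,
			CipherSuites: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			},
		}, nil
	case "Old":
		// TLS 1.0+ and CBC suites for legacy clients; pinned explicitly because Go's
		// default list has been tightened over releases. Only ever a deliberate downgrade.
		return &tls.Config{
			MinVersion: tls.VersionTLS10,
			CipherSuites: []uint16{
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			},
		}, nil
	}
	return nil, fmt.Errorf("unknown TLS profile %q", profile)
}

// clientProfile describes what a connecting client can offer.
type clientProfile struct {
	maxVersion uint16
	suites     []uint16 // nil means Go's defaults
}

// Constructed clients: a current one, one stuck on TLS 1.2, and one that only speaks a CBC suite.
var (
	modernClient    = clientProfile{maxVersion: tls.VersionTLS13}
	tls12Client     = clientProfile{maxVersion: tls.VersionTLS12}
	legacyCBCClient = clientProfile{maxVersion: tls.VersionTLS12, suites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}}
)

// handshake serves one HTTPS request under the profile and returns the client's
// handshake outcome; httptest supplies a localhost RSA certificate, so no CA is needed.
func handshake(profile string, c clientProfile) error {
	cfg, err := profileConfig(profile)
	if err != nil {
		return err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
	srv.TLS = cfg
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the httptest certificate
	tc := client.Transport.(*http.Transport).TLSClientConfig
	tc.MaxVersion, tc.CipherSuites = c.maxVersion, c.suites
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// accepts is the yes/no form of handshake used by the checks below.
func accepts(profile string, c clientProfile) bool { return handshake(profile, c) == nil }

func main() {
	for _, p := range []string{"Modern", "Intermediate", "Old"} {
		fmt.Printf("%-13s tls1.3 client: %-5t tls1.2 client: %-5t tls1.2+CBC client: %t\n",
			p, accepts(p, modernClient), accepts(p, tls12Client), accepts(p, legacyCBCClient))
	}
}
```

The practical consequence for the tlsProfile gate: choosing Modern breaks every log shipper and Grafana data source that cannot negotiate TLS 1.3, so before switching, probe each client the same way the example does rather than discovering the rejection in the gateway's error logs.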