Feature Gates

This document contains the types introduced by the Loki Operator to be consumed by users.

This page is automatically generated with gen-crd-api-reference-docs.

config.loki.grafana.com/v1

Package v1 contains API Schema definitions for the config v1 API group

Resource Types:

BuiltInCertManagement

(Appears on: FeatureGates)

BuiltInCertManagement is the configuration for the built-in facility to generate and rotate TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway.

Field Description
enabled
bool

Enabled defines the flag to enable/disable the built-in certificate management feature gate.

caValidity
string

CACertValidity defines the total duration of the CA certificate validity.

caRefresh
string

CACertRefresh defines the duration of the CA certificate validity after which a rotation should happen. It can be set to at most 80% of the CA certificate validity, or equal to the CA certificate validity. The latter should be used only when the CA certificate is to be rotated only once it has expired.

certValidity
string

CertValidity defines the total duration of the validity for all LokiStack certificates.

certRefresh
string

CertRefresh defines the duration of the certificate validity after which a rotation should happen. It can be set to at most 80% of the certificate validity, or equal to the certificate validity. The latter should be used only when certificates are to be rotated only once they have expired. The refresh is applied to all LokiStack certificates at once.
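The refresh rule above applies to both the CA pair (caValidity/caRefresh) and the service certificate pair (certValidity/certRefresh). The following check is an added example, not the operator's own validation code; it assumes the durations are written in Go's time.ParseDuration syntax (e.g. 8760h for one year), and it compares 80% in integer nanoseconds so that a refresh set exactly at the limit is not rejected by floating-point rounding.

```go
package main

import (
	"fmt"
	"time"
)

// validateRefresh enforces the documented rule for one validity/refresh pair:
// refresh may be at most 80% of validity, or exactly equal to it (rotate only on expiry).
// Durations are assumed to be in Go syntax such as "8760h" (an assumption of this example).
func validateRefresh(name, validity, refresh string) error {
	v, err := time.ParseDuration(validity)
	if err != nil || v <= 0 {
		return fmt.Errorf("%s: invalid validity %q", name, validity)
	}
	r, err := time.ParseDuration(refresh)
	if err != nil || r <= 0 {
		return fmt.Errorf("%s: invalid refresh %q", name, refresh)
	}
	if r == v {
		return nil // equal to validity: rotate only when expired
	}
	// r <= 0.8*v, evaluated as 5*r <= 4*v in integer nanoseconds to avoid float rounding.
	if 5*r > 4*v {
		return fmt.Errorf("%s: refresh %s is above 80%% of validity %s and not equal to it", name, refresh, validity)
	}
	return nil
}

// ValidateBuiltInCertManagement checks the CA pair (caValidity/caRefresh) and the
// LokiStack certificate pair (certValidity/certRefresh) and returns every violation.
func ValidateBuiltInCertManagement(caValidity, caRefresh, certValidity, certRefresh string) []error {
	var errs []error
	if err := validateRefresh("caRefresh", caValidity, caRefresh); err != nil {
		errs = append(errs, err)
	}
	if err := validateRefresh("certRefresh", certValidity, certRefresh); err != nil {
		errs = append(errs, err)
	}
	return errs
}

func main() {
	// Constructed values: a one-year CA rotated at 80%, and a 90-day service cert rotated too late.
	for _, err := range ValidateBuiltInCertManagement("8760h", "7008h", "2160h", "2000h") {
		fmt.Println(err)
	}
}
```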

FeatureGates

FeatureGates is the supported set of all operator feature gates.

Field Description
serviceMonitors
bool

ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor resource per LokiStack component.

serviceMonitorTlsEndpoints
bool

ServiceMonitorTLSEndpoints enables TLS for the ServiceMonitor endpoints.

lokiStackAlerts
bool

LokiStackAlerts enables creating Prometheus-Operator managed PrometheusRules for common Loki alerts.

httpEncryption
bool

HTTPEncryption enables TLS encryption for all HTTP LokiStack services. Each HTTP service requires a secret named as the service with the following data:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, each service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.

grpcEncryption
bool

GRPCEncryption enables TLS encryption for all GRPC LokiStack services. Each GRPC service requires a secret named as the service with the following data:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, each service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.

builtInCertManagement
BuiltInCertManagement

BuiltInCertManagement enables the built-in facility for generating and rotating TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway. In detail, all internal Loki HTTP and GRPC communication is lifted to require mTLS. For the lokistack-gateway you need to provide a secret with the following data, or use the ServingCertsService feature gate on OpenShift:
- tls.crt: The TLS server-side certificate.
- tls.key: The TLS key for server-side encryption.
In addition, the service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle, with the following data:
- service-ca.crt: The CA signing the service certificate in tls.crt.

lokiStackGateway
bool

LokiStackGateway enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki.

grafanaLabsUsageReport
bool

GrafanaLabsUsageReport enables the Grafana Labs usage report for Loki. More details: https://grafana.com/docs/loki/latest/release-notes/v2-5/#usage-reporting

restrictedPodSecurityStandard
bool

RestrictedPodSecurityStandard enables compliance with the restrictive pod security standard. More details: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

lokiStackWebhook
bool

LokiStackWebhook enables the LokiStack CR validation and conversion webhooks.

alertingRuleWebhook
bool

AlertingRuleWebhook enables the AlertingRule CR validation webhook.

recordingRuleWebhook
bool

RecordingRuleWebhook enables the RecordingRule CR validation webhook.

rulerConfigWebhook
bool

RulerConfigWebhook enables the RulerConfig CR validation webhook.

defaultNodeAffinity
bool

When DefaultNodeAffinity is enabled the operator will set a default node affinity on all pods. This will limit scheduling of the pods to Nodes with Linux.

openshift
OpenShiftFeatureGates

OpenShift contains a set of feature gates supported only on OpenShift.

tlsProfile
string

TLSProfile allows choosing a TLS security profile. It is enforced when using HTTPEncryption or GRPCEncryption.

OpenShiftFeatureGates

(Appears on: FeatureGates)

OpenShiftFeatureGates is the supported set of all operator features gates on OpenShift.

Field Description
enabled
bool

Enabled defines the flag that enables these feature gates for use against OpenShift Container Platform releases.

servingCertsService
bool

ServingCertsService enables OpenShift service-ca annotations only on the lokistack-gateway service, in order to use the in-platform CA and generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html

ruleExtendedValidation
bool

ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context.

clusterTLSPolicy
bool

ClusterTLSPolicy enables usage of TLS policies set in the API Server. More details: https://docs.openshift.com/container-platform/4.11/security/tls-security-profiles.html

clusterProxy
bool

ClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy

dashboards
bool

Dashboards enables the loki-mixin dashboards in the OpenShift Console.

TokenCCOAuthEnv
bool

TokenCCOAuthEnv is true when the OpenShift functions are enabled and the operator has detected that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.

TLSProfileType

(string alias)

TLSProfileType is a TLS security profile based on the Mozilla definitions: https://wiki.mozilla.org/Security/Server_Side_TLS

Value Description

"Intermediate"

TLSProfileIntermediateType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

"Modern"

TLSProfileModernType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

"Old"

TLSProfileOldType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility