Enabled defines to flag to enable/disable built-in certificate management feature gate.

CACertValidity defines the total duration of the CA certificate validity.

CACertRefresh defines the duration of the CA certificate validity until a rotation should happen. It can be set up to 80% of CA certificate validity or equal to the CA certificate validity. Latter should be used only for rotating only when expired.

CertValidity defines the total duration of the validity for all LokiStack certificates.

CertRefresh defines the duration of the certificate validity until a rotation should happen. It can be set up to 80% of certificate validity or equal to the certificate validity. Latter should be used only for rotating only when expired. The refresh is applied to all LokiStack certificates at once.

ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor resource per LokiStack component.

ServiceMonitorTLSEndpoints enables TLS for the ServiceMonitor endpoints.

LokiStackAlerts enables creating Prometheus-Operator managed PrometheusRules for common Loki alerts.

HTTPEncryption enables TLS encryption for all HTTP LokiStack services. Each HTTP service requires a secret named as the service with the following data: - tls.crt: The TLS server side certificate. - tls.key: The TLS key for server-side encryption. In addition each service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle and the following data: - service-ca.crt: The CA signing the service certificate in tls.crt.

GRPCEncryption enables TLS encryption for all GRPC LokiStack services. Each GRPC service requires a secret named as the service with the following data: - tls.crt: The TLS server side certificate. - tls.key: The TLS key for server-side encryption. In addition each service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle and the following data: - service-ca.crt: The CA signing the service certificate in tls.crt.

BuiltInCertManagement enables the built-in facility for generating and rotating TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway, In detail all internal Loki HTTP and GRPC communication is lifted to require mTLS. For the lokistack-gateay you need to provide a secret with or use the ServingCertsService on OpenShift: - tls.crt: The TLS server side certificate. - tls.key: The TLS key for server-side encryption. In addition each service requires a configmap named as the LokiStack CR with the suffix -ca-bundle, e.g. lokistack-dev-ca-bundle and the following data: - service-ca.crt: The CA signing the service certificate in tls.crt.

LokiStackGateway enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki.

GrafanaLabsUsageReport enables the Grafana Labs usage report for Loki. More details: https://grafana.com/docs/loki/latest/release-notes/v2-5/#usage-reporting

RestrictedPodSecurityStandard enables compliance with the restrictive pod security standard. More details: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

LokiStackWebhook enables the LokiStack CR validation and conversion webhooks.

AlertingRuleWebhook enables the AlertingRule CR validation webhook.

RecordingRuleWebhook enables the RecordingRule CR validation webhook.

RulerConfigWebhook enables the RulerConfig CR validation webhook.

When DefaultNodeAffinity is enabled the operator will set a default node affinity on all pods. This will limit scheduling of the pods to Nodes with Linux.

OpenShift contains a set of feature gates supported only on OpenShift.

TLSProfile allows to chose a TLS security profile. Enforced when using HTTPEncryption or GRPCEncryption.

Enabled defines the flag to enable that these feature gates are used against OpenShift Container Platform releases.

ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only to use the in-platform CA and generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html

ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context.

ClusterTLSPolicy enables usage of TLS policies set in the API Server. More details: https://docs.openshift.com/container-platform/4.11/security/tls-security-profiles.html

ClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy

SyncPeriod determines the minimum frequency at which watched resources are reconciled. A lower period will correct entropy more quickly, but reduce responsiveness to change if there are many watched resources. Change this value only if you know what you are doing. Defaults to 10 hours if unset. there will a 10 percent jitter between the SyncPeriod of all controllers so that all controllers will not send list requests simultaneously.

LeaderElection is the LeaderElection config to be used when configuring the manager.Manager leader election

CacheNamespace if specified restricts the manager’s cache to watch objects in the desired namespace Defaults to all namespaces

Note: If a namespace is specified, controllers can still Watch for a cluster-scoped resource (e.g Node). For namespaced resources the cache will only hold objects from the desired namespace.

GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. To disable graceful shutdown, set to time.Duration(0) To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) The graceful shutdown is skipped for safety reasons in case the leader election lease is lost.

Controller contains global configuration options for controllers registered within this manager.

Metrics contains thw controller metrics configuration

Health contains the controller health configuration

Webhook contains the controllers webhook configuration

"Intermediate"

TLSProfileIntermediateType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

"Modern"

TLSProfileModernType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

"Old"

TLSProfileOldType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility