Feature Gates
This document contains the types introduced by the Loki Operator to be consumed by users.
This page is automatically generated with gen-crd-api-reference-docs.
config.loki.grafana.com/v1
Package v1 contains API Schema definitions for the config v1 API group
BuiltInCertManagement
(Appears on: FeatureGates)
BuiltInCertManagement is the configuration for the built-in facility to generate and rotate TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway.
Field | Description |
---|---|
enabled bool | Enabled defines the flag to enable/disable the built-in certificate management feature gate. |
caValidity string | CACertValidity defines the total duration of the CA certificate validity. |
caRefresh string | CACertRefresh defines the duration of the CA certificate validity until a rotation should happen. It can be set up to 80% of CA certificate validity or equal to the CA certificate validity. The latter should be used only for rotating when expired. |
certValidity string | CertValidity defines the total duration of the validity for all LokiStack certificates. |
certRefresh string | CertRefresh defines the duration of the certificate validity until a rotation should happen. It can be set up to 80% of certificate validity or equal to the certificate validity. The latter should be used only for rotating when expired. The refresh is applied to all LokiStack certificates at once. |
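
The refresh rule stated for caRefresh and certRefresh (at most 80% of the matching validity, or exactly equal to it) can be checked before a configuration is applied. The following is an added example, not the operator's own code: the `CertPolicy` type, `checkPair` and `Validate` are hypothetical names, and it assumes the four strings use Go's `time.ParseDuration` syntax.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// CertPolicy is a hypothetical stand-in for the four duration strings of
// BuiltInCertManagement; it is not the operator's own Go type.
type CertPolicy struct {
	CAValidity, CARefresh, CertValidity, CertRefresh string
}

// checkPair enforces the documented rule for one validity/refresh pair:
// refresh is at most 80% of validity, or exactly equal to it.
func checkPair(name, validity, refresh string) error {
	// Assumption: values use Go's time.ParseDuration syntax, e.g. "8760h".
	v, err := time.ParseDuration(validity)
	if err != nil {
		return fmt.Errorf("%s validity: %w", name, err)
	}
	r, err := time.ParseDuration(refresh)
	if err != nil {
		return fmt.Errorf("%s refresh: %w", name, err)
	}
	if v <= 0 || r <= 0 {
		return fmt.Errorf("%s: durations must be positive", name)
	}
	// v - v/5 is 80% of v, computed without overflowing int64 nanoseconds.
	if r != v && r > v-v/5 {
		return fmt.Errorf("%s: refresh %s is over 80%% of validity %s and not equal to it", name, r, v)
	}
	return nil
}

// Validate checks the CA pair and the certificate pair and joins all failures.
func Validate(p CertPolicy) error {
	return errors.Join(
		checkPair("ca", p.CAValidity, p.CARefresh),
		checkPair("cert", p.CertValidity, p.CertRefresh),
	)
}

func main() {
	// Constructed sample values, not operator defaults.
	fmt.Println(Validate(CertPolicy{"43800h", "35040h", "2160h", "2160h"}))
	fmt.Println(Validate(CertPolicy{"43800h", "40000h", "2160h", "90d"}))
}
```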
FeatureGates
(Appears on: ProjectConfig)
FeatureGates is the supported set of all operator feature gates.
Field | Description |
---|---|
serviceMonitors bool | ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor resource per LokiStack component. |
serviceMonitorTlsEndpoints bool | ServiceMonitorTLSEndpoints enables TLS for the ServiceMonitor endpoints. |
lokiStackAlerts bool | LokiStackAlerts enables creating Prometheus-Operator managed PrometheusRules for common Loki alerts. |
httpEncryption bool | HTTPEncryption enables TLS encryption for all HTTP LokiStack services. Each HTTP service requires a secret named as the service with the following data: |
grpcEncryption bool | GRPCEncryption enables TLS encryption for all GRPC LokiStack services. Each GRPC service requires a secret named as the service with the following data: |
builtInCertManagement BuiltInCertManagement | BuiltInCertManagement enables the built-in facility for generating and rotating TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway. In detail, all internal Loki HTTP and GRPC communication is lifted to require mTLS. For the lokistack-gateway you need to provide a secret with or use the |
lokiStackGateway bool | LokiStackGateway enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki. |
grafanaLabsUsageReport bool | GrafanaLabsUsageReport enables the Grafana Labs usage report for Loki. More details: https://grafana.com/docs/loki/latest/release-notes/v2-5/#usage-reporting |
restrictedPodSecurityStandard bool | RestrictedPodSecurityStandard enables compliance with the restrictive pod security standard. More details: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted |
lokiStackWebhook bool | LokiStackWebhook enables the LokiStack CR validation and conversion webhooks. |
alertingRuleWebhook bool | AlertingRuleWebhook enables the AlertingRule CR validation webhook. |
recordingRuleWebhook bool | RecordingRuleWebhook enables the RecordingRule CR validation webhook. |
rulerConfigWebhook bool | RulerConfigWebhook enables the RulerConfig CR validation webhook. |
defaultNodeAffinity bool | When DefaultNodeAffinity is enabled the operator will set a default node affinity on all pods. This will limit scheduling of the pods to Nodes with Linux. |
openshift OpenShiftFeatureGates | OpenShift contains a set of feature gates supported only on OpenShift. |
tlsProfile string | TLSProfile allows choosing a TLS security profile. Enforced when using HTTPEncryption or GRPCEncryption. |
OpenShiftFeatureGates
(Appears on: FeatureGates)
OpenShiftFeatureGates is the supported set of all operator feature gates on OpenShift.
Field | Description |
---|---|
enabled bool | Enabled defines the flag to enable that these feature gates are used against OpenShift Container Platform releases. |
servingCertsService bool | ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only to use the in-platform CA and generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html |
ruleExtendedValidation bool | ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context. |
clusterTLSPolicy bool | ClusterTLSPolicy enables usage of TLS policies set in the API Server. More details: https://docs.openshift.com/container-platform/4.11/security/tls-security-profiles.html |
clusterProxy bool | ClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy |
dashboards bool | Dashboards enables the loki-mixin dashboards into the OpenShift Console. |
ProjectConfig
ProjectConfig is the Schema for the projectconfigs API
Field | Description |
---|---|
syncPeriod Kubernetes meta/v1.Duration | (Optional) SyncPeriod determines the minimum frequency at which watched resources are reconciled. A lower period will correct entropy more quickly, but reduce responsiveness to change if there are many watched resources. Change this value only if you know what you are doing. Defaults to 10 hours if unset. There will be a 10 percent jitter between the SyncPeriod of all controllers so that all controllers will not send list requests simultaneously. |
leaderElection Kubernetes v1alpha1.LeaderElectionConfiguration | (Optional) LeaderElection is the LeaderElection config to be used when configuring the manager.Manager leader election. |
cacheNamespace string | (Optional) CacheNamespace, if specified, restricts the manager's cache to watch objects in the desired namespace. Defaults to all namespaces. Note: If a namespace is specified, controllers can still Watch for a cluster-scoped resource (e.g. Node). For namespaced resources the cache will only hold objects from the desired namespace. |
gracefulShutDown Kubernetes meta/v1.Duration | GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. To disable graceful shutdown, set to time.Duration(0). To use graceful shutdown without timeout, set to a negative duration, e.g. time.Duration(-1). The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. |
controller K8S Controller-runtime v1alpha1.ControllerConfigurationSpec | (Optional) Controller contains global configuration options for controllers registered within this manager. |
metrics K8S Controller-runtime v1alpha1.ControllerMetrics | (Optional) Metrics contains the controller metrics configuration. |
health K8S Controller-runtime v1alpha1.ControllerHealth | (Optional) Health contains the controller health configuration. |
webhook K8S Controller-runtime v1alpha1.ControllerWebhook | (Optional) Webhook contains the controller's webhook configuration. |
featureGates FeatureGates | |
TLSProfileType
(string alias)
TLSProfileType is a TLS security profile based on the Mozilla definitions: https://wiki.mozilla.org/Security/Server_Side_TLS
Value | Description |
---|---|
"Intermediate" | TLSProfileIntermediateType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 |
"Modern" | TLSProfileModernType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
"Old" | TLSProfileOldType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility |