Feature Gates
This document contains the types introduced by the Loki Operator to be consumed by users.
This page is automatically generated with gen-crd-api-reference-docs.
config.loki.grafana.com/v1
Package v1 contains API Schema definitions for the config v1 API group
BuiltInCertManagement
(Appears on: FeatureGates)
BuiltInCertManagement is the configuration for the built-in facility to generate and rotate TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway.
Field | Description |
---|---|
enabled bool | Enabled defines the flag to enable/disable the built-in certificate management feature gate. |
caValidity string | CACertValidity defines the total duration of the CA certificate validity. |
caRefresh string | CACertRefresh defines the duration of the CA certificate validity until a rotation should happen. It can be set up to 80% of the CA certificate validity or equal to the CA certificate validity. The latter should be used only for rotating when expired. |
certValidity string | CertValidity defines the total duration of the validity for all LokiStack certificates. |
certRefresh string | CertRefresh defines the duration of the certificate validity until a rotation should happen. It can be set up to 80% of the certificate validity or equal to the certificate validity. The latter should be used only for rotating when expired. The refresh is applied to all LokiStack certificates at once. |
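
As an added example (not Loki Operator code), the refresh rule stated for caRefresh and certRefresh can be checked before a configuration is rolled out. It assumes the four fields hold Go duration strings such as 8760h; the CertManagement type and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// CertManagement holds the four duration fields as strings (hypothetical type for this example).
type CertManagement struct{ CAValidity, CARefresh, CertValidity, CertRefresh string }

// checkPair enforces the documented rule: refresh is at most 80% of the
// validity, or exactly equal to it (rotate only on expiry).
func checkPair(name, validity, refresh string) error {
	v, err := time.ParseDuration(validity)
	if err != nil {
		return fmt.Errorf("%sValidity: %w", name, err)
	}
	r, err := time.ParseDuration(refresh)
	if err != nil {
		return fmt.Errorf("%sRefresh: %w", name, err)
	}
	if v <= 0 || r <= 0 {
		return fmt.Errorf("%s: durations must be positive", name)
	}
	// v - v/5 is 80% of v, computed in integers to avoid float rounding.
	if r != v && r > v-v/5 {
		return fmt.Errorf("%sRefresh %s exceeds 80%% of %sValidity %s", name, r, name, v)
	}
	return nil
}

// Validate returns every violation found, so one run reports both pairs.
func Validate(c CertManagement) []error {
	var errs []error
	pairs := [][3]string{{"ca", c.CAValidity, c.CARefresh}, {"cert", c.CertValidity, c.CertRefresh}}
	for _, p := range pairs {
		if err := checkPair(p[0], p[1], p[2]); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample values, not the operator's defaults.
	for _, e := range Validate(CertManagement{"8760h", "7008h", "2160h", "2000h"}) {
		fmt.Println(e)
	}
}
```
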
FeatureGates
FeatureGates is the supported set of all operator feature gates.
Field | Description |
---|---|
serviceMonitors bool | ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor resource per LokiStack component. |
serviceMonitorTlsEndpoints bool | ServiceMonitorTLSEndpoints enables TLS for the ServiceMonitor endpoints. |
lokiStackAlerts bool | LokiStackAlerts enables creating Prometheus-Operator managed PrometheusRules for common Loki alerts. |
httpEncryption bool | HTTPEncryption enables TLS encryption for all HTTP LokiStack services. Each HTTP service requires a secret named as the service with the following data: - |
grpcEncryption bool | GRPCEncryption enables TLS encryption for all GRPC LokiStack services. Each GRPC service requires a secret named as the service with the following data: - |
builtInCertManagement BuiltInCertManagement | BuiltInCertManagement enables the built-in facility for generating and rotating TLS client and serving certificates for all LokiStack services and internal clients except for the lokistack-gateway. In detail, all internal Loki HTTP and GRPC communication is lifted to require mTLS. For the lokistack-gateway you need to provide a secret with or use the |
lokiStackGateway bool | LokiStackGateway enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki. |
grafanaLabsUsageReport bool | GrafanaLabsUsageReport enables the Grafana Labs usage report for Loki. More details: https://grafana.com/docs/loki/latest/release-notes/v2-5/#usage-reporting |
restrictedPodSecurityStandard bool | RestrictedPodSecurityStandard enables compliance with the restrictive pod security standard. More details: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted |
lokiStackWebhook bool | LokiStackWebhook enables the LokiStack CR validation and conversion webhooks. |
alertingRuleWebhook bool | AlertingRuleWebhook enables the AlertingRule CR validation webhook. |
recordingRuleWebhook bool | RecordingRuleWebhook enables the RecordingRule CR validation webhook. |
rulerConfigWebhook bool | RulerConfigWebhook enables the RulerConfig CR validation webhook. |
defaultNodeAffinity bool | When DefaultNodeAffinity is enabled, the operator sets a default node affinity on all pods. This limits scheduling of the pods to Nodes with Linux. |
openshift OpenShiftFeatureGates | OpenShift contains a set of feature gates supported only on OpenShift. |
tlsProfile string | TLSProfile allows choosing a TLS security profile. Enforced when using HTTPEncryption or GRPCEncryption. |
OpenShiftFeatureGates
(Appears on: FeatureGates)
OpenShiftFeatureGates is the supported set of all operator feature gates on OpenShift.
Field | Description |
---|---|
enabled bool | Enabled defines the flag to enable that these feature gates are used against OpenShift Container Platform releases. |
servingCertsService bool | ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only to use the in-platform CA and generate a TLS cert/key pair per service for in-cluster data-in-transit encryption. More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html |
ruleExtendedValidation bool | ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context. |
clusterTLSPolicy bool | ClusterTLSPolicy enables usage of TLS policies set in the API Server. More details: https://docs.openshift.com/container-platform/4.11/security/tls-security-profiles.html |
clusterProxy bool | ClusterProxy enables usage of the proxy variables set in the proxy resource. More details: https://docs.openshift.com/container-platform/4.11/networking/enable-cluster-wide-proxy.html#enable-cluster-wide-proxy |
dashboards bool | Dashboards enables the loki-mixin dashboards into the OpenShift Console |
TokenCCOAuthEnv bool | TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected that it is running with some kind of “workload identity” (AWS STS, Azure WIF) enabled. |
TLSProfileType
(string alias)
TLSProfileType is a TLS security profile based on the Mozilla definitions: https://wiki.mozilla.org/Security/Server_Side_TLS
Value | Description |
---|---|
"Intermediate" | TLSProfileIntermediateType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 |
"Modern" | TLSProfileModernType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
"Old" | TLSProfileOldType is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility |