Loki Operator

Gateway Configuration

This document describes how to configure the LokiStack Gateway component.

Overview

The LokiStack Gateway is a reverse-proxy component that provides secure access to Loki for multi-tenant authentication and authorization. By default, the operator creates external access resources to make the gateway accessible from outside the cluster:

  • OpenShift: Creates Route objects
  • Kubernetes: Creates Ingress objects

You can disable external access creation.

External Access Configuration

Disable External Access

To disable automatic creation of external access resources:

apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: lokistack-dev
spec:
  ...
  tenants:
    mode: static  # or openshift-logging, openshift-network, dynamic
    disableIngress: true  # Disable external access resource creation

Result:

  • OpenShift: No Route object created (existing Routes are automatically removed)
  • Kubernetes: No Ingress object created (existing Ingress resources are automatically removed)
  • Gateway remains accessible via internal Service
  • Gateway can still be exposed to external access by creating a custom resource.

Explicitly Enable External Access

You can explicitly enable external access (same as default behavior):

apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: lokistack-dev
spec:
  ...
  tenants:
    mode: static  # or openshift-logging, openshift-network, dynamic
    disableIngress: false  # Explicitly enable external access (default)

Resource Cleanup Behavior

When you change the external access configuration from enabled to disabled:

  1. Automatic Cleanup: The operator automatically removes existing external access resources
  2. Safe Deletion: Only resources owned by the LokiStack are deleted (prevents accidental deletion of user-created resources)
← Zone-Aware Replication Support
Contributing →