operator: Update Grafana and forwarding documentation (grafana#6442)

Author: xperimental

operator/docs/forwarding_logs_to_gateway.md

@@ -1,6 +1,6 @@
 # Forwarding Logs to LokiStack
 
-This document will describe how to send application, infrastructure, and audit logs to the Lokistack Gateway as different tenants using Promtail or Fluentd. The built-in gateway provides secure access to the distributor (and query-frontend) via consulting an OAuth/OIDC endpoint for the request subject.
+This document will describe how to send application, infrastructure, and audit logs to the LokiStack Gateway as different tenants using Promtail or Fluentd. The built-in gateway provides secure access to the distributor (and query-frontend) via consulting an OAuth/OIDC endpoint for the request subject.
 
 __Please read the [hacking guide](./hack_loki_operator.md) before proceeding with the following instructions.__
 
@@ -37,7 +37,8 @@ _Note: While this document will only give instructions for two methods of log fo
 
     ```console
     kubectl -n openshift-logging create secret generic lokistack-gateway-bearer-token \
-    --from-literal=token="/var/run/secrets/kubernetes.io/serviceaccount/token"
+      --from-literal=token="/var/run/secrets/kubernetes.io/serviceaccount/token" \
+      --from-literal=ca-bundle.crt="$(kubectl get cm lokistack-dev-ca-bundle -o json | jq -r '.data."service-ca.crt"')"
     ```
 
 * Create the following `ClusterRole` and `ClusterRoleBinding` which will allow the cluster to authenticate the user(s) submitting the logs:
@@ -178,13 +179,19 @@ To configure Promtail to send application, audit, and infrastructure logs, add t
 clients:
   - # ...
     bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-    url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/loki/api/v1/push
+    tls_config:
+      ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/audit/loki/api/v1/push
   - # ...
     bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-    url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
+    tls_config:
+      ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
   - # ...
     bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-    url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/loki/api/v1/push
+    tls_config:
+      ca_file: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/infrastructure/loki/api/v1/push
 ```
 
 The rest of the configuration can be configured to the developer's desire.
@@ -199,8 +206,9 @@ The Fluentd configuration can be overrided to target the `application` endpoint
 <match **>
   @type loki
   # ...
-  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
+  bearer_token_file /var/run/secrets/kubernetes.io/serviceaccount/token
+  ca_cert /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+  url https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
 </match>
 ```
 

operator/hack/addon_grafana_gateway_ocp.yaml

@@ -81,7 +81,7 @@ data:
     mode = console
 kind: ConfigMap
 metadata:
-  name: grafana-config-mbkktkdhtm
+  name: grafana-config
   namespace: openshift-logging
 ---
 apiVersion: v1
@@ -93,30 +93,36 @@ data:
         isDefault: true
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/application/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
         jsonData:
+          tlsAuthWithCACert: true
           httpHeaderName1: Authorization
         secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
           httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
       - name: Loki (Infrastructure)
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
         jsonData:
+          tlsAuthWithCACert: true
           httpHeaderName1: Authorization
         secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
           httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
       - name: Loki (Audit)
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/audit/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
         jsonData:
+          tlsAuthWithCACert: true
           httpHeaderName1: Authorization
         secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
           httpHeaderValue1: Bearer ${GATEWAY_BEARER_TOKEN}
 kind: ConfigMap
 metadata:
-  name: grafana-datasources-hkh56t48tg
+  name: grafana-datasources
   namespace: openshift-logging
 ---
 apiVersion: v1
@@ -130,7 +136,7 @@ data:
     sed "s/\${GATEWAY_BEARER_TOKEN}/$bearer_token/g" /input/loki.yaml > /output/loki.yaml
 kind: ConfigMap
 metadata:
-  name: grafana-init-scripts-6mt2bg5dd8
+  name: grafana-init-scripts
   namespace: openshift-logging
 ---
 apiVersion: v1
@@ -158,7 +164,7 @@ spec:
   type: ClusterIP
 ---
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
   labels:
     app: grafana
@@ -168,7 +174,6 @@ spec:
   selector:
     matchLabels:
       app: grafana
-  serviceName: grafana
   template:
     metadata:
       labels:
@@ -178,13 +183,18 @@ spec:
       - args:
         - -config=/etc/grafana/config.ini
         env:
+        - name: GATEWAY_SERVICE_CA
+          valueFrom:
+            configMapKeyRef:
+              key: service-ca.crt
+              name: openshift-service-ca.crt
         - name: GATEWAY_ADDRESS
           value: lokistack-dev-gateway-http.openshift-logging.svc:8080
         - name: GF_PATHS_PROVISIONING
           value: /var/lib/provisioning
         - name: GF_SECURITY_ADMIN_USER
           value: kube:admin
-        image: docker.io/grafana/grafana:8.5.2
+        image: docker.io/grafana/grafana:8.5.6
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -282,32 +292,23 @@ spec:
       serviceAccountName: grafana
       volumes:
       - configMap:
-          name: grafana-config-mbkktkdhtm
+          name: grafana-config
         name: grafana-config
       - name: secret-grafana-tls
         secret:
           defaultMode: 420
           secretName: grafana-tls
       - configMap:
           defaultMode: 493
-          name: grafana-init-scripts-6mt2bg5dd8
+          name: grafana-init-scripts
         name: grafana-init-scripts
       - emptyDir: {}
         name: patched-datasources
       - configMap:
-          name: grafana-datasources-hkh56t48tg
+          name: grafana-datasources
         name: grafana-datasources
-  volumeClaimTemplates:
-  - metadata:
-      labels:
-        app: grafana
-      name: grafana
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 1Gi
+      - emptyDir: {}
+        name: grafana
 ---
 apiVersion: route.openshift.io/v1
 kind: Route

operator/hack/addon_grafana_gateway_ocp_oauth.yaml

@@ -76,7 +76,7 @@ data:
     mode = console
 kind: ConfigMap
 metadata:
-  name: grafana-config-5kt2h4545b
+  name: grafana-config
   namespace: openshift-logging
 ---
 apiVersion: v1
@@ -88,18 +88,30 @@ data:
         isDefault: true
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/application/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/application/
+        jsonData:
+          tlsAuthWithCACert: true
+        secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
       - name: Loki (Infrastructure)
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/infrastructure/
+        jsonData:
+          tlsAuthWithCACert: true
+        secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
       - name: Loki (Audit)
         type: loki
         access: proxy
-        url: http://${GATEWAY_ADDRESS}/api/logs/v1/audit/
+        url: https://${GATEWAY_ADDRESS}/api/logs/v1/audit/
+        jsonData:
+          tlsAuthWithCACert: true
+        secureJsonData:
+          tlsCACert: ${GATEWAY_SERVICE_CA}
 kind: ConfigMap
 metadata:
-  name: grafana-datasources-d9f6t65c72
+  name: grafana-datasources
   namespace: openshift-logging
 ---
 apiVersion: v1
@@ -127,7 +139,7 @@ spec:
   type: ClusterIP
 ---
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
   labels:
     app: grafana
@@ -137,7 +149,6 @@ spec:
   selector:
     matchLabels:
       app: grafana
-  serviceName: grafana
   template:
     metadata:
       labels:
@@ -147,11 +158,16 @@ spec:
       - args:
         - -config=/etc/grafana/config.ini
         env:
+        - name: GATEWAY_SERVICE_CA
+          valueFrom:
+            configMapKeyRef:
+              key: service-ca.crt
+              name: openshift-service-ca.crt
         - name: GATEWAY_ADDRESS
           value: lokistack-dev-gateway-http.openshift-logging.svc:8080
         - name: GF_SECURITY_ADMIN_USER
           value: kube:admin
-        image: docker.io/grafana/grafana:8.5.2
+        image: docker.io/grafana/grafana:8.5.6
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -234,26 +250,17 @@ spec:
       serviceAccountName: grafana
       volumes:
       - configMap:
-          name: grafana-config-5kt2h4545b
+          name: grafana-config
         name: grafana-config
       - name: secret-grafana-tls
         secret:
           defaultMode: 420
           secretName: grafana-tls
       - configMap:
-          name: grafana-datasources-d9f6t65c72
+          name: grafana-datasources
         name: grafana-datasources
-  volumeClaimTemplates:
-  - metadata:
-      labels:
-        app: grafana
-      name: grafana
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 1Gi
+      - emptyDir: {}
+        name: grafana
 ---
 apiVersion: route.openshift.io/v1
 kind: Route