**What this PR does / why we need it**:
**Which issue(s) this PR fixes**:
Fixes #<issue number>
**Special notes for your reviewer**:
**Checklist**
- [x] Reviewed the
[`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md)
guide (**required**)
- [ ] Documentation added
- [ ] Tests updated
- [ ] `CHANGELOG.md` updated
- [ ] If the change is worth mentioning in the release notes, add
`add-to-release-notes` label
- [ ] Changes that require user attention or interaction to upgrade are
documented in `docs/sources/setup/upgrade/_index.md`
- [x] For Helm chart changes bump the Helm chart version in
`production/helm/loki/Chart.yaml` and update
`production/helm/loki/CHANGELOG.md` and
`production/helm/loki/README.md`. [Example
PR](https://github.com/grafana/loki/commit/d10549e3ece02120974929894ee333d07755d213)
With these values:
```yaml
sidecar:
image:
# -- The Docker registry and image for the k8s sidecar
repository: kiwigrid/k8s-sidecar
# -- Docker image tag
tag: 1.24.3
# -- Docker image sha. If empty, no sha will be used
sha: ""
# -- Docker image pull policy
pullPolicy: IfNotPresent
# -- Resource requests and limits for the sidecar
resources: #{}
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 50m
memory: 50Mi
# -- The SecurityContext for the sidecar.
securityContext:
runAsNonRoot: true
runAsGroup: 10001
runAsUser: 10001
fsGroup: 10001
# -- Set to true to skip tls verification for kube api calls.
skipTlsVerify: false
# -- Ensure that rule files aren't conflicting and being overwritten by prefixing their name with the namespace they are defined in.
enableUniqueFilenames: false
# -- Readiness probe definition. Probe is disabled on the sidecar by default.
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
# -- Liveness probe definition. Probe is disabled on the sidecar by default.
livenessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
rules:
# -- Whether or not to create a sidecar to ingest rule from specific ConfigMaps and/or Secrets.
enabled: true
# -- Label that the configmaps/secrets with rules will be marked with.
label: loki_rule
# -- Label value that the configmaps/secrets with rules will be set to.
labelValue: ""
# -- Folder into which the rules will be placed.
folder: /rules
# -- Comma separated list of namespaces. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
# Otherwise the namespace in which the sidecar is running will be used.
# It's also possible to specify 'ALL' to search in all namespaces.
searchNamespace: null
# -- Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH request, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
watchMethod: WATCH
# -- Search in configmap, secret, or both.
resource: both
# -- Absolute path to the shell script to execute after a configmap or secret has been reloaded.
script: null
# -- WatchServerTimeout: request to the server, asking it to cleanly close the connection after that.
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S.
watchServerTimeout: 60
#
# -- WatchClientTimeout: is a client-side timeout, configuring your local socket.
# If you have a network outage dropping all packets with no RST/FIN,
# this is how long your client waits before realizing & dropping the connection.
# Defaults to 66sec.
watchClientTimeout: 60
# -- Log level of the sidecar container.
logLevel: INFO
```
Before the patch:
```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-backend
namespace: default
labels:
helm.sh/chart: loki-5.22.0
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.9.1"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
replicas: 3
podManagementPolicy: Parallel
updateStrategy:
rollingUpdate:
partition: 0
serviceName: loki-backend-headless
revisionHistoryLimit: 10
persistentVolumeClaimRetentionPolicy:
whenDeleted: Delete
whenScaled: Delete
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
template:
metadata:
annotations:
checksum/config: a9f8d008a1b589265e3fa894e3b81ab2a4132bb741d3b6e8db304a1e6b6d3ba5
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
serviceAccountName: loki
automountServiceAccountToken: true
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
terminationGracePeriodSeconds: 300
containers:
- name: loki-sc-rules
image: "kiwigrid/k8s-sidecar:1.24.3"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "loki_rule"
- name: FOLDER
value: "/rules"
- name: RESOURCE
value: "both"
- name: WATCH_SERVER_TIMEOUT
value: "60"
- name: WATCH_CLIENT_TIMEOUT
value: "60"
- name: LOG_LEVEL
value: "INFO"
livenessProbe:
null
readinessProbe:
null
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 50m
memory: 50Mi
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
volumeMounts:
- name: sc-rules-volume
mountPath: "/rules"
- name: loki
image: docker.io/grafana/loki:2.9.1
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=backend
- -legacy-read-mode=false
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
- name: grpc
containerPort: 9095
protocol: TCP
- name: http-memberlist
containerPort: 7946
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- name: config
mountPath: /etc/loki/config
- name: runtime-config
mountPath: /etc/loki/runtime-config
- name: tmp
mountPath: /tmp
- name: data
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
resources:
{}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
topologyKey: kubernetes.io/hostname
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: loki
items:
- key: "config.yaml"
path: "config.yaml"
- name: runtime-config
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
```
After the patch:
```yaml
---
# Source: loki/templates/backend/statefulset-backend.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: loki-backend
namespace: default
labels:
helm.sh/chart: loki-5.22.1
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/version: "2.9.1"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
replicas: 3
podManagementPolicy: Parallel
updateStrategy:
rollingUpdate:
partition: 0
serviceName: loki-backend-headless
revisionHistoryLimit: 10
persistentVolumeClaimRetentionPolicy:
whenDeleted: Delete
whenScaled: Delete
selector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
template:
metadata:
annotations:
checksum/config: f1823dbb8a5e31ab8d2ad66878f6abb71a9e0f49c8768462d873da21192e208b
labels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: memberlist
spec:
serviceAccountName: loki
automountServiceAccountToken: true
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
terminationGracePeriodSeconds: 300
containers:
- name: loki-sc-rules
image: "kiwigrid/k8s-sidecar:1.24.3"
imagePullPolicy: IfNotPresent
env:
- name: METHOD
value: WATCH
- name: LABEL
value: "loki_rule"
- name: FOLDER
value: "/rules"
- name: RESOURCE
value: "both"
- name: WATCH_SERVER_TIMEOUT
value: "60"
- name: WATCH_CLIENT_TIMEOUT
value: "60"
- name: LOG_LEVEL
value: "INFO"
livenessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 50m
memory: 50Mi
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
volumeMounts:
- name: sc-rules-volume
mountPath: "/rules"
- name: loki
image: docker.io/grafana/loki:2.9.1
imagePullPolicy: IfNotPresent
args:
- -config.file=/etc/loki/config/config.yaml
- -target=backend
- -legacy-read-mode=false
ports:
- name: http-metrics
containerPort: 3100
protocol: TCP
- name: grpc
containerPort: 9095
protocol: TCP
- name: http-memberlist
containerPort: 7946
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
readinessProbe:
httpGet:
path: /ready
port: http-metrics
initialDelaySeconds: 30
timeoutSeconds: 1
volumeMounts:
- name: config
mountPath: /etc/loki/config
- name: runtime-config
mountPath: /etc/loki/runtime-config
- name: tmp
mountPath: /tmp
- name: data
mountPath: /var/loki
- name: sc-rules-volume
mountPath: "/rules"
resources:
{}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: loki
app.kubernetes.io/instance: release-name
app.kubernetes.io/component: backend
topologyKey: kubernetes.io/hostname
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: loki
items:
- key: "config.yaml"
path: "config.yaml"
- name: runtime-config
configMap:
name: loki-runtime
- name: sc-rules-volume
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Gi"
```
---------
Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
Co-authored-by: Michel Hollands <42814411+MichelHollands@users.noreply.github.com>