fix/issue 32993 (#1248)

* use journald to consume k3s logs * make charts
2021-06-08 14:03:17 -07:00 · 2021-06-08 14:03:17 -07:00 · f91fac2cf7
parent ba4492b7d4
commit f91fac2cf7
6 changed files with 278 additions and 93 deletions
--- a/assets/rancher-logging/rancher-logging-3.9.401+up3.9.4.tgz
+++ b/assets/rancher-logging/rancher-logging-3.9.401+up3.9.4.tgz
--- a/charts/rancher-logging/rancher-logging/3.9.401+up3.9.4/templates/loggings/k3s/configmap.yaml
+++ b/charts/rancher-logging/rancher-logging/3.9.401+up3.9.4/templates/loggings/k3s/configmap.yaml
@ -0,0 +1,29 @@
+{{- if and .Values.additionalLoggingSources.k3s.enabled (eq .Values.additionalLoggingSources.k3s.container_engine "systemd") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-k3s
+  labels:
+{{ include "logging-operator.labels" . | indent 4 }}
+data:
+  fluent-bit.conf: |
+    [SERVICE]
+        Flush             1
+        Grace             5
+        Daemon            Off
+        Log_Level         info
+        Coro_Stack_Size   24576
+
+    [INPUT]
+        Name              systemd
+        Tag               k3s
+        Path              {{ .Values.systemdLogPath | default "/var/log/journal" }}
+        Systemd_Filter    _SYSTEMD_UNIT=k3s.service
+
+    [OUTPUT]
+        Name              forward
+        Match             *
+        Host              {{ .Release.Name }}-fluentd.{{ .Release.Namespace }}.svc
+        Port              24240
+        Retry_Limit       False
+{{- end }}
--- a/charts/rancher-logging/rancher-logging/3.9.401+up3.9.4/templates/loggings/k3s/daemonset.yaml
+++ b/charts/rancher-logging/rancher-logging/3.9.401+up3.9.4/templates/loggings/k3s/daemonset.yaml
@ -0,0 +1,110 @@
+{{- if and .Values.additionalLoggingSources.k3s.enabled (eq .Values.additionalLoggingSources.k3s.container_engine "systemd") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  selector:
+    matchLabels:
+      name: {{ .Release.Name }}-k3s-journald-aggregator
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/loggings/k3s/configmap.yaml") . | sha256sum }}
+      name: "{{ .Release.Name }}-k3s-journald-aggregator"
+      namespace: "{{ .Release.Namespace }}"
+      labels:
+        name: {{ .Release.Name }}-k3s-journald-aggregator
+    spec:
+      containers:
+        - name: fluentbit
+          image: "{{ template "system_default_registry" . }}{{ .Values.images.fluentbit.repository }}:{{ .Values.images.fluentbit.tag }}"
+          {{- if .Values.global.seLinux.enabled }}
+          securityContext:
+            seLinuxOptions:
+              type: rke_logreader_t
+          {{- end }}
+          volumeMounts:
+            - mountPath: /fluent-bit/etc/
+              name: config
+            - mountPath: {{ .Values.systemdLogPath | default "/var/log/journal" }}
+              name: journal
+              readOnly: true
+            - mountPath: /etc/machine-id
+              name: machine-id
+              readOnly: true
+      {{- with .Values.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: "{{ .Release.Name }}-k3s-journald-aggregator"
+      volumes:
+        - name: config
+          configMap:
+            name: "{{ .Release.Name }}-k3s"
+        - name: journal
+          hostPath:
+            path: {{ .Values.systemdLogPath | default "/var/log/journal" }}
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+{{- if .Values.global.psp.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+rules:
+  - apiGroups:
+    - policy
+    resourceNames:
+    - "{{ .Release.Name }}-k3s-journald-aggregator"
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-k3s-journald-aggregator"
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  readOnlyRootFilesystem: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - emptyDir
+  - secret
+  - hostPath
+{{- end }}
+{{- end }}
--- a/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/configmap.yaml
+++ b/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/configmap.yaml
@ -0,0 +1,29 @@
+{{- if and .Values.additionalLoggingSources.k3s.enabled (eq .Values.additionalLoggingSources.k3s.container_engine "systemd") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-k3s
+  labels:
+{{ include "logging-operator.labels" . | indent 4 }}
+data:
+  fluent-bit.conf: |
+    [SERVICE]
+        Flush             1
+        Grace             5
+        Daemon            Off
+        Log_Level         info
+        Coro_Stack_Size   24576
+
+    [INPUT]
+        Name              systemd
+        Tag               k3s
+        Path              {{ .Values.systemdLogPath | default "/var/log/journal" }}
+        Systemd_Filter    _SYSTEMD_UNIT=k3s.service
+
+    [OUTPUT]
+        Name              forward
+        Match             *
+        Host              {{ .Release.Name }}-fluentd.{{ .Release.Namespace }}.svc
+        Port              24240
+        Retry_Limit       False
+{{- end }}
--- a/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/daemonset.yaml
+++ b/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/daemonset.yaml
@ -0,0 +1,110 @@
+{{- if and .Values.additionalLoggingSources.k3s.enabled (eq .Values.additionalLoggingSources.k3s.container_engine "systemd") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  selector:
+    matchLabels:
+      name: {{ .Release.Name }}-k3s-journald-aggregator
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/loggings/k3s/configmap.yaml") . | sha256sum }}
+      name: "{{ .Release.Name }}-k3s-journald-aggregator"
+      namespace: "{{ .Release.Namespace }}"
+      labels:
+        name: {{ .Release.Name }}-k3s-journald-aggregator
+    spec:
+      containers:
+        - name: fluentbit
+          image: "{{ template "system_default_registry" . }}{{ .Values.images.fluentbit.repository }}:{{ .Values.images.fluentbit.tag }}"
+          {{- if .Values.global.seLinux.enabled }}
+          securityContext:
+            seLinuxOptions:
+              type: rke_logreader_t
+          {{- end }}
+          volumeMounts:
+            - mountPath: /fluent-bit/etc/
+              name: config
+            - mountPath: {{ .Values.systemdLogPath | default "/var/log/journal" }}
+              name: journal
+              readOnly: true
+            - mountPath: /etc/machine-id
+              name: machine-id
+              readOnly: true
+      {{- with .Values.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: "{{ .Release.Name }}-k3s-journald-aggregator"
+      volumes:
+        - name: config
+          configMap:
+            name: "{{ .Release.Name }}-k3s"
+        - name: journal
+          hostPath:
+            path: {{ .Values.systemdLogPath | default "/var/log/journal" }}
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+{{- if .Values.global.psp.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+rules:
+  - apiGroups:
+    - policy
+    resourceNames:
+    - "{{ .Release.Name }}-k3s-journald-aggregator"
+    resources:
+    - podsecuritypolicies
+    verbs:
+    - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+subjects:
+  - kind: ServiceAccount
+    name: "{{ .Release.Name }}-k3s-journald-aggregator"
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: "{{ .Release.Name }}-k3s-journald-aggregator"
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  allowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  readOnlyRootFilesystem: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - emptyDir
+  - secret
+  - hostPath
+{{- end }}
+{{- end }}
--- a/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/logging-k3s-systemd.yaml
+++ b/packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/logging-k3s-systemd.yaml
@ -1,93 +0,0 @@
-{{- if and .Values.additionalLoggingSources.k3s.enabled (eq .Values.additionalLoggingSources.k3s.container_engine "systemd")}}
-apiVersion: logging.banzaicloud.io/v1beta1
-kind: Logging
-metadata:
-  name: {{ .Release.Name }}-k3s
-  namespace: {{ .Release.Namespace }}
-  labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-spec:
-  controlNamespace: {{ .Release.Namespace }}
-  fluentbit:
-    image:
-      repository: {{ template "system_default_registry" . }}{{ .Values.images.fluentbit.repository }}
-      tag: {{ .Values.images.fluentbit.tag }}
-    inputTail:
-      Tag: "k3s"
-      Path: "/var/log/syslog"
-      {{- if .Values.fluentbit.inputTail.Buffer_Chunk_Size }}
-      Buffer_Chunk_Size: {{ .Values.fluentbit.inputTail.Buffer_Chunk_Size }}
-      {{- end }}
-      {{- if .Values.fluentbit.inputTail.Buffer_Max_Size }}
-      Buffer_Max_Size: {{ .Values.fluentbit.inputTail.Buffer_Max_Size }}
-      {{- end }}
-      {{- if .Values.fluentbit.inputTail.Mem_Buf_Limit }}
-      Mem_Buf_Limit: {{ .Values.fluentbit.inputTail.Mem_Buf_Limit }}
-      {{- end }}
-      {{- if .Values.fluentbit.inputTail.Multiline_Flush }}
-      Multiline_Flush: {{ .Values.fluentbit.inputTail.Multiline_Flush }}
-      {{- end }}
-      {{- if .Values.fluentbit.inputTail.Skip_Long_Lines }}
-      Skip_Long_Lines: {{ .Values.fluentbit.inputTail.Skip_Long_Lines }}
-      {{- end }}
-    extraVolumeMounts:
-      - source: "/var/log/"
-        destination: "/var/log"
-        readOnly: true
-    {{- if not .Values.disablePvc }}
-    {{- with .Values.fluentbit.bufferStorage }}
-    bufferStorage: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.fluentbit.bufferStorageVolume }}
-    bufferStorageVolume: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- end }}
-    {{- if .Values.global.psp.enabled }}
-    security:
-      podSecurityPolicyCreate: true
-      roleBasedAccessControlCreate: true
-    {{- end }}
-    {{- with (concat (.Values.tolerations) (.Values.fluentbit.tolerations)) }}
-    tolerations: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.nodeSelector }}
-    nodeSelector: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.fluentbit.resources }}
-    resources: {{- toYaml . | nindent 6 }}
-    {{- end }}
-  fluentd:
-    image:
-      repository: {{ template "system_default_registry" . }}{{ .Values.images.fluentd.repository }}
-      tag: {{ .Values.images.fluentd.tag }}
-    configReloaderImage:
-      repository: {{ template "system_default_registry" . }}{{ .Values.images.config_reloader.repository }}
-      tag: {{ .Values.images.config_reloader.tag }}
-    {{- if not .Values.disablePvc }}
-    {{- with .Values.fluentd.bufferStorageVolume }}
-    bufferStorageVolume: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- end }}
-    disablePvc: {{ .Values.disablePvc }}
-    {{- if .Values.fluentd.replicas }}
-    scaling:
-      replicas: {{ .Values.fluentd.replicas }}
-    {{- end }}
-    {{- if .Values.global.psp.enabled }}
-    security:
-      podSecurityPolicyCreate: true
-      roleBasedAccessControlCreate: true
-    {{- end }}
-    {{- with (default .Values.tolerations .Values.fluentd.tolerations) }}
-    tolerations: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with (default .Values.nodeSelector .Values.fluentd.nodeSelector) }}
-    nodeSelector: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.fluentd.resources }}
-    resources: {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.fluentd.livenessProbe }}
-    livenessProbe: {{- toYaml . | nindent 6 }}
-    {{- end }}
-{{- end }}