
simple role to add logging stack to a cluster

Grega Bremec hai 2 días
pai
achega
c7830dc608

+ 6 - 0
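--- /dev/null
+++ b/p0f/operators/roles/cluster-logging/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# Variables that are usually overridden.
+kubeadmin_config: "tmp/kubeconfig-ocp4"
+logging_obc_storage_class: odf-cluster-ceph-rgw
+logging_pvc_storage_class: odf-cluster-ceph-rbd
+...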

+ 236 - 0
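--- /dev/null
+++ b/p0f/operators/roles/cluster-logging/tasks/main.yml
@@ -0,0 +1,236 @@
+---
+# Already performed by deploy-operators role:
+#   - deploy loki operator
+#   - deploy cluster logging operator
+#   - deploy cluster observability operator
+#
+# Deploy and configure the cluster logging stack:
+#   - create an object bucket claim
+#   - extract the credentials and endpoints
+#   - create a loki secret
+#   - deploy a LokiStack
+#   - deploy a ClusterLogForwarder instance
+#
+# TODO: check that the required operators are installed
+#
+# Required variables:
+#
+#   NONE
+#
+# Optional variables:
+#
+#   kubeadmin_config          the administrator kubeconfig file (tmp/kubeconfig-ocp4)
+#   logging_obc_storage_class odf-cluster-ceph-rgw
+#   logging_pvc_storage_class odf-cluster-ceph-rbd
+#
+- name: Create an ObjectBucketClaim for Loki
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: objectbucket.io/v1alpha1
+    kind: objectbucketclaim
+    namespace: openshift-logging
+    name: loki-object-bucket
+    resource_definition:
+      spec:
+        generateBucketName: logging
+        storageClassName: "{{ logging_obc_storage_class }}"
+
+- name: Wait for the OBC to be bound
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: objectbucket.io/v1alpha1
+    kind: objectbucketclaim
+    namespace: openshift-logging
+    name: loki-object-bucket
+  register: obc_bound
+  until:
+    - obc_bound.resources is defined
+    - obc_bound.resources | length == 1
+    - obc_bound.resources[0].status is defined
+    - obc_bound.resources[0].status.phase == 'Bound'
+  retries: 6
+  delay: 5
+
+- name: Load the OBC secret
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: openshift-logging
+    name: loki-object-bucket
+  register: obc_secret
+
+- name: Load the OBC configmap
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: v1
+    kind: configmap
+    namespace: openshift-logging
+    name: loki-object-bucket
+  register: obc_cm
+
+- name: Remember OBC data as facts
+  ansible.builtin.set_fact:
+    obc_access_key: "{{ obc_secret.resources[0].data.AWS_ACCESS_KEY_ID | ansible.builtin.b64decode }}"
+    obc_secret_key: "{{ obc_secret.resources[0].data.AWS_SECRET_ACCESS_KEY | ansible.builtin.b64decode }}"
+    obc_bucket_name: "{{ obc_cm.resources[0].data.BUCKET_NAME }}"
+    obc_endpoint: "{{ obc_cm.resources[0].data.BUCKET_HOST }}"
+
+- name: Create a secret for Loki
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: openshift-logging
+    name: loki-store
+    resource_definition:
+      stringData:
+        access_key_id: "{{ obc_access_key }}"
+        access_key_secret: "{{ obc_secret_key }}"
+        bucketnames: "{{ obc_bucket_name }}"
+        endpoint: "http://{{ obc_endpoint }}"
+        region: eu-central-1
+
+- name: Create a LokiStack
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: loki.grafana.com/v1
+    kind: lokistack
+    namespace: openshift-logging
+    name: logging-loki
+    resource_definition:
+      spec:
+        managementState: Managed
+        size: 1x.demo
+        storage:
+          schemas:
+            - effectiveDate: '2024-10-01'
+              version: v13
+          secret:
+            name: loki-store
+            type: s3
+        storageClassName: "{{ logging_pvc_storage_class }}"
+        tenants:
+          mode: openshift-logging
+
+# NOTE: this might take a VERY long time in case adjustments are made after an initial deployment.
+- name: Wait for LokiStack to be ready
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: loki.grafana.com/v1
+    kind: lokistack
+    namespace: openshift-logging
+    name: logging-loki
+  register: loki_ready
+  until:
+    - loki_ready.resources is defined
+    - loki_ready.resources | length == 1
+    - loki_ready.resources[0].status is defined
+    - (loki_ready.resources[0].status | community.general.json_query('conditions[?type==`Ready`].status')) | length == 1
+    - (loki_ready.resources[0].status | community.general.json_query('conditions[?type==`Ready`].status'))[0] == 'True'
+  retries: 60
+  delay: 5
+
+- name: Create a service account for the log forwarder
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: v1
+    kind: serviceaccount
+    namespace: openshift-logging
+    name: collector
+
+- name: Assign it with required ClusterRoleBindings
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: rbac.authorization.k8s.io/v1
+    kind: clusterrolebinding
+    name: "clf-{{ item }}"
+    resource_definition:
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: "{{ item }}"
+      subjects:
+      - kind: ServiceAccount
+        name: collector
+        namespace: openshift-logging
+  loop:
+    - logging-collector-logs-writer
+    - collect-application-logs
+    - collect-audit-logs
+    - collect-infrastructure-logs
+
+- name: Finally, create a CLF
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: observability.openshift.io/v1
+    kind: clusterlogforwarder
+    namespace: openshift-logging
+    name: collector
+    resource_definition:
+      spec:
+        serviceAccount:
+          name: collector
+        outputs:
+        - name: default-lokistack
+          type: lokiStack
+          lokiStack:
+            authentication:
+              token:
+                from: serviceAccount
+            target:
+              name: logging-loki
+              namespace: openshift-logging
+          tls:
+            ca:
+              key: service-ca.crt
+              configMapName: openshift-service-ca.crt
+        pipelines:
+        - name: default-logstore
+          inputRefs:
+          - application
+          - infrastructure
+          outputRefs:
+          - default-lokistack
+
+- name: Wait for CLF to be ready
+  kubernetes.core.k8s_info:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: observability.openshift.io/v1
+    kind: clusterlogforwarder
+    namespace: openshift-logging
+    name: collector
+  register: clf_ready
+  until:
+    - clf_ready.resources is defined
+    - clf_ready.resources | length == 1
+    - clf_ready.resources[0].status is defined
+    - (clf_ready.resources[0].status | community.general.json_query('conditions[?type==`Ready`].status'))[0] == 'True'
+  retries: 6
+  delay: 5
+
+- name: Activate the web console plugin
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: observability.openshift.io/v1alpha1
+    kind: uiplugin
+    name: logging
+    resource_definition:
+      spec:
+        type: Logging
+        logging:
+          lokiStack:
+            name: logging-loki
+...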
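Review bot: The "Remember OBC data as facts" task (+100–105) and "Create a secret for Loki" (+107–121) leak the bucket access key and secret key into play output — `set_fact` results are printed on verbose runs and the k8s module echoes `resource_definition.stringData` in diff/verbose output — so both tasks should carry `no_log: true`. Every task also hard-codes `validate_certs: no`, which turns off TLS verification of the API server for an admin kubeconfig that normally already carries the cluster CA; prefer `validate_certs: true`, or expose it as a role variable in defaults that callers opt out of, and in any case write the boolean as `false` (`no` is a YAML 1.1 truthy that yamllint rejects). The CLF readiness check at +243 indexes `[0]` on the json_query result without the `| length == 1` guard that the LokiStack wait uses at +160, so a status that has no Ready condition yet fails the task with a template error instead of retrying; add `- (clf_ready.resources[0].status | community.general.json_query('conditions[?type==`Ready`].status')) | length == 1` before it. The `endpoint: "http://{{ obc_endpoint }}"` at +120 ships log data to the bucket in cleartext inside the cluster; if the RGW service exposes an HTTPS port, that should be preferred here (to be confirmed against the ODF deployment).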