[WIP] feat(KONFLUX-8225): add log forwarder for KubeArchive

argo-cd-apps/base/member/infra-deployments/kustomization.yaml

@@ -30,6 +30,7 @@ resources:
   - konflux-ui
   - konflux-rbac
   - konflux-info
+  - vector-kubearchive-logs-collector
   - vector-tekton-logs-collector
   - kyverno
   - namespace-lister

argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vector-kubearchive-logs-collector.yaml
+components:
+  - ../../../../k-components/deploy-to-member-cluster-merge-generator

argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-logs-collector.yaml

@@ -0,0 +1,41 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: vector-kubearchive-logs-collector
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - nameNormalized
+        generators:
+          - clusters:
+              values:
+                sourceRoot: components/vector-kubearchive-logs-collector
+                environment: staging
+                clusterDir: ""
+          - list:
+              elements: []
+  template:
+    metadata:
+      name: vector-kubearchive-logs-collector-{{nameNormalized}}
+    spec:
+      project: default
+      source:
+        path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+        repoURL: https://github.com/olegbet/infra-deployments.git
+        targetRevision: KONFLUX-8225_add_log_forwarder_for_loki
+      destination:
+        namespace: product-kubearchive-logging
+        server: '{{server}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        retry:
+          limit: -1
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 3m

components/pipeline-service/base/rbac/product-kubearchive-logging/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: product-kubearchive-logging
+resources:
+  - pipeline-service-sre.yaml

components/pipeline-service/base/rbac/product-kubearchive-logging/pipeline-service-sre.yaml

@@ -0,0 +1,45 @@
+---
+# Grant access to the tekton-logging namespace
+# This binding is needed to allow the pipelines team to manage the pods
+# which happen to stuck during an upgrade.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pipeline-service-sre-manage-vector-pods
+  namespace: product-kubearchive-logging
+rules:
+  - apiGroups:
+      - ""
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+    resources:
+      - pods
+  - apiGroups:
+      - "apps"
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+    resources:
+      - daemonsets
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pipeline-service-sre-manage-vector-pods
+  namespace: product-kubearchive-logging
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: konflux-pipeline-service
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: konflux-sre
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pipeline-service-sre-manage-vector-pods

components/vector-kubearchive-log-collector/base/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: product-kubearchive-logging
+commonAnnotations:
+  argocd.argoproj.io/sync-wave: "-1"
+  ignore-check.kube-linter.io/run-as-non-root: >
+      "Vector Runs as Root and attach host Path."
+  ignore-check.kube-linter.io/sensitive-host-mounts: >
+      "Vector Runs requires certain host mounts to watch 
+      files being created by pods."
+  ignore-check.kube-linter.io/drop-net-raw-capability: >
+      "Vector Runs requires access to socket."
+
+generators:
+  - vector-helm-generator.yaml
+
+resources:
+  - vector-pre.yaml
+

components/vector-kubearchive-log-collector/base/vector-helm-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: HelmChartInflationGenerator
+metadata:
+  name: vector
+name: vector
+repo: https://helm.vector.dev
+version: 0.46.1
+releaseName: vector-kubearchive-logs-collector
+namespace: product-kubearchive-logging
+valuesFile: vector-helm-values.yaml

components/vector-kubearchive-log-collector/base/vector-helm-values.yaml

@@ -0,0 +1,150 @@
+---
+role: Agent
+resources:
+  requests:
+    cpu: 512m
+    memory: 4096Mi
+  limits:
+    cpu: 2000m
+    memory: 4096Mi
+customConfig:
+  data_dir: /vector-data-dir
+  api:
+    enabled: true
+    address: 127.0.0.1:8686
+    playground: false
+  sources:
+    k8s_logs:
+      type: kubernetes_logs
+      rotate_wait_secs: 5
+      glob_minimum_cooldown_ms: 500
+      max_line_bytes: 3145728
+      auto_partial_merge: true
+  transforms:
+    reduce_events:
+      type: reduce
+      inputs:
+        - k8s_logs
+      group_by:
+        - file
+      flush_period_ms: 2000
+      end_every_period_ms: 2000
+      merge_strategies:
+        message: concat_newline
+    remap_app_logs:
+      type: remap
+      inputs:
+        - reduce_events
+      source: |-
+        .tmp = del(.)
+        # Handling Tekton-specific labels
+        if exists(.tmp.kubernetes.pod_labels."tekton.dev/taskRunUID") {
+          .taskRunUID = del(.tmp.kubernetes.pod_labels."tekton.dev/taskRunUID")
+        } else {
+          .taskRunUID = "none"
+        }
+        if exists(.tmp.kubernetes.pod_labels."tekton.dev/pipelineRunUID") {
+          .pipelineRunUID = del(.tmp.kubernetes.pod_labels."tekton.dev/pipelineRunUID")
+          .result = .pipelineRunUID
+        } else {
+          .result = .taskRunUID
+        }
+        # --- Start: Cronjob Specific Handling ---
+        # Check for cronjob related labels. Common labels include `job-name` and `controller-uid`
+        # from the job created by the cronjob, and potentially `cronjob-name` if explicitly set.
+        if exists(.tmp.kubernetes.pod_labels."job-name") {
+          .job_name = del(.tmp.kubernetes.pod_labels."job-name")
+          .log_type = "cronjob" # Tag logs from cronjobs
+          if exists(.tmp.kubernetes.pod_labels."cronjob-name") {
+            .cronjob_name = del(.tmp.kubernetes.pod_labels."cronjob-name")
+          } else {
+            # Attempt to infer cronjob name from job-name (common pattern: <cronjob-name>-<hash>)
+            if .job_name =~ r"^(.*)-\d{8,10}$" { # Basic pattern for job names from cronjobs (e.g., mycronjob-12345678)
+              .cronjob_name = capture(.job_name, r"^(.*)-\d{8,10}$")[0]
+            } else {
+              .cronjob_name = "unknown_cronjob"
+            }
+          }
+          if exists(.tmp.kubernetes.pod_labels."controller-uid") {
+              .job_uid = del(.tmp.kubernetes.pod_labels."controller-uid")
+          }
+        } else {
+          .log_type = "application" # Default for other application logs
+        }
+        # --- End: Cronjob Specific Handling ---
+        # Handling general Kubernetes labels
+        if exists(.tmp.kubernetes.pod_labels) {
+          .pod_labels = .tmp.kubernetes.pod_labels
+        } else {
+          .pod_labels = "no_labels"
+        }
+        if exists(.tmp.kubernetes.pod_namespace) {
+          .namespace = del(.tmp.kubernetes.pod_namespace)
+        } else {
+          .namespace = "unlabeled"
+        }
+        # General Kubernetes container name
+        if exists(.tmp.kubernetes.container_name) {
+          .container = del(.tmp.kubernetes.container_name)
+        } else {
+          .container = "unknown_container"
+        }
+        # General message field handling
+        if exists(.tmp.message) {
+          .message = del(.tmp.message)
+        } else {
+          .message = "no_message"
+        }
+        # Clean up temporary fields
+        del(.tmp)
+  sinks:
+    loki:
+      type: loki
+      inputs: ["remap_app_logs"]
+      endpoint: "http://loki.product-kubearchive-logging.svc.cluster.local:3100" 
+      labels:
+          namespace: .kubernetes.namespace_name
+          pod: .kubernetes.pod_name
+          container: .kubernetes.container_name
+      batch:
+        max_bytes: 10485760
+        timeout_secs: 300 
+      compression: "none"
+      encoding:
+        codec: "text"
+      key_prefix: "/logs/{{ `{{ .namespace }}` }}/{{`{{ .result }}`}}/{{`{{ .taskRunUID }}`}}/{{`{{ .container }}`}}"
+      filename_time_format: "-%s"
+      filename_append_uuid: false
+      buffer:
+        type: "memory"
+        max_events: 10000
+        when_full: "block"
+
+nodeSelector:
+  konflux-ci.dev/workload: konflux-tenants
+tolerations:
+  - effect: NoSchedule
+    key: konflux-ci.dev/workload
+    operator: Equal
+    value: konflux-tenants
+image:
+  repository: quay.io/kubearchive/vector
+  tag: 0.46.1-distroless-libc
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - CHOWN
+    - DAC_OVERRIDE
+    - FOWNER
+    - FSETID
+    - KILL
+    - NET_BIND_SERVICE
+    - SETGID
+    - SETPCAP
+    - SETUID
+  readOnlyRootFilesystem: true
+  seLinuxOptions:
+    type: spc_t
+  seccompProfile:
+    type: RuntimeDefault

components/vector-kubearchive-log-collector/base/vector-pre.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: product-kubearchive-logging
+---
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  name: logging-scc
+  namespace: product-kubearchive-logging
+priority: null
+readOnlyRootFilesystem: true
+requiredDropCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FSETID
+- FOWNER
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- KILL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:product-kubearchive-logging:vector-kubearchive-logs-collector
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected
+- secret

components/vector-kubearchive-log-collector/development/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../base
+  - loki-helm-generator.yaml

components/vector-kubearchive-log-collector/development/loki-helm-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: HelmChartInflationGenerator
+metadata:
+  name: loki
+name: loki
+repo: https://grafana.github.io/helm-charts
+version: 0.0.1
+releaseName: vector-kubearchive-logs-collector
+namespace: product-kubearchive-logging
+valuesFile: loki-helm-values.yaml