traPtitech · cp-20 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024
diff --git a/monitor/loki/config/config.yaml b/monitor/loki/config/config.yaml
@@ -5,9 +5,27 @@ common:
   path_prefix: /var/loki
   replication_factor: 1
   storage:
-    filesystem:
-      chunks_directory: /loki-data/chunks
-      rules_directory: /loki-data/rules
+    s3:
+      endpoint: https://s3.ap-northeast-1.wasabisys.com
+      region: ap-northeast-1
+      bucketnames: trap-loki
+      access_key_id: ${S3_ACCESS_KEY}
+      secret_access_key: ${S3_SECRET_KEY}
+      s3forcepathstyle: true
+
+storage_config:
+  filesystem:
+    directory: /loki-data/chunks
+  hedging:
+    at: 250ms
+    max_per_second: 20
+    up_to: 3
+
+ruler:
+  storage:
+    type: local
+    local:
+      directory: /loki-data/rules
 
 limits_config:
   max_cache_freshness_per_query: 10m
@@ -42,18 +60,19 @@ schema_config:
       index:
         prefix: index_
         period: 24h
+    - from: "2024-12-14"
+      object_store: s3
+      store: tsdb
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
 
 server:
   log_level: warn
   grpc_listen_port: 9095
   http_listen_port: 3100
 
-storage_config:
-  hedging:
-    at: 250ms
-    max_per_second: 20
-    up_to: 3
-
 table_manager:
   retention_deletes_enabled: true
   # 7 days

diff --git a/monitor/loki/ksops.yaml b/monitor/loki/ksops.yaml
@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+
+files:
+  - ./secrets/s3-credentials.yaml
diff --git a/monitor/loki/kustomization.yaml b/monitor/loki/kustomization.yaml
@@ -10,3 +10,6 @@ configMapGenerator:
   - name: loki-runtime-config
     files:
       - config/runtime-config.yaml
+
+generators:
+   - ksops.yaml
diff --git a/monitor/loki/secrets/s3-credentials.yaml b/monitor/loki/secrets/s3-credentials.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: s3-credentials
+    annotations:
+        # kustomizeによってSecret名にhash suffixを付けさせる設定
+        # Secretの中身が変更されたとき、自動リロードが可能になる
+        # kustomize設定のnameReferenceで、Secretを読む側のフィールドを参照する必要あり
+        kustomize.config.k8s.io/needs-hash: "true"
+stringData:
+    s3-access-key: ENC[AES256_GCM,data:DfporcfBusm/WLQhswKga0gc/1w=,iv:XyPqmSPfGnKYEU9S3WZvZb9emvrbeBTS1Bjh8htHdIs=,tag:MI9vR2dkzO/jSHfwtyVzRw==,type:str]
+    s3-secret-key: ENC[AES256_GCM,data:AXgXqwHH5apIm3L1TATAFnC/XH71AYt9lefKXZq412UqxP5dWdNK3g==,iv:OmQiywnxB00szqz1SH3fUCdsM+SxsY/msWJ6pDTrqWA=,tag:wALnssWcwqMHp0dizoWI+A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age156red4ptw5huzpwlfnrukg4htuucdweu9jg8usjz98ggmeyedces3xqplq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOURSZUVjWm5hZ1NNK1ZR
+            Q2tjSkJNN01ucUNHQ21kSHRJTHo2L1pRN0RFClpMbmxXZ0JKWTVNUGpuWndqQTFG
+            QmcxaDFNZ3FKL1hDZEs4QnhkTlZFSTAKLS0tIFZqUHVmMjhKTEpUK1FPRWw5bzFJ
+            ZVhENlNMWk9JdEdCWjlrN3VCSDZRaHcKhKCNs5bWWEoIZ2akoKJ9ZCDJLEGyqBP/
+            +KZUHSRXBHxLusjAWfEt1DiZuWbk+rQBotR40H7f8cHM85K+Ps7gJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-12T08:37:51Z"
+    mac: ENC[AES256_GCM,data:+JpJxgqkRhYwb1zTQF4Kjd6sunKbEDAXDDjeyqrdc7ft03gnYYJQtT+TVwDDwIETeDPpgACtbMjyyGZNCoHna9ERGY57srg7XzsjqRwJgja2xHw548vFYFBVqbkzANBt9QaHOZRWd5Ez2VlKUECHVxuoo74mZPfTJ5q3GmIl0I8=,iv:m+nlDp8MZKBvhl2Y0IapE6w1Dzl4RLRKdnv5ePc4M6Y=,tag:c4dYOJbuM09lO7GUKfitqA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.2
diff --git a/monitor/loki/stateful-set.yaml b/monitor/loki/stateful-set.yaml
@@ -89,6 +89,18 @@ spec:
             periodSeconds: 1
             failureThreshold: 60
 
+          env:
+            - name: S3_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-credentials
+                  key: s3-access-key
+            - name: S3_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-credentials
+                  key: s3-secret-key
+
           volumeMounts:
             - name: tmp
               mountPath: /tmp