lokiのログをS3に保存するように

monitor/loki/config/config.yaml

@@ -5,9 +5,27 @@ common:
   path_prefix: /var/loki
   replication_factor: 1
   storage:
-    filesystem:
-      chunks_directory: /loki-data/chunks
-      rules_directory: /loki-data/rules
+    s3:
+      endpoint: https://s3.ap-northeast-1.wasabisys.com
+      region: ap-northeast-1
+      bucketnames: trap-loki
+      access_key_id: ${S3_ACCESS_KEY}
+      secret_access_key: ${S3_SECRET_KEY}
+      s3forcepathstyle: true
+
+storage_config:
+  filesystem:
+    directory: /loki-data/chunks
+  hedging:
+    at: 250ms
+    max_per_second: 20
+    up_to: 3
+
+ruler:
+  storage:
+    type: local
+    local:
+      directory: /loki-data/rules
 
 limits_config:
   max_cache_freshness_per_query: 10m
@@ -42,18 +60,19 @@ schema_config:
       index:
         prefix: index_
         period: 24h
+    - from: "2024-12-13"
+      object_store: s3
+      store: tsdb
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
 
 server:
   log_level: warn
   grpc_listen_port: 9095
   http_listen_port: 3100
 
-storage_config:
-  hedging:
-    at: 250ms
-    max_per_second: 20
-    up_to: 3
-
 table_manager:
   retention_deletes_enabled: true
   # 7 days

monitor/loki/ksops.yaml

@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+
+files:
+  - ./secrets/s3-credentials.yaml

monitor/loki/kustomization.yaml

@@ -10,3 +10,6 @@ configMapGenerator:
   - name: loki-runtime-config
     files:
       - config/runtime-config.yaml
+
+generators:
+   - ksops.yaml

monitor/loki/secrets/s3-credentials.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: my-secret
+    annotations:
+        # kustomizeによってSecret名にhash suffixを付けさせる設定
+        # Secretの中身が変更されたとき、自動リロードが可能になる
+        # kustomize設定のnameReferenceで、Secretを読む側のフィールドを参照する必要あり
+        kustomize.config.k8s.io/needs-hash: "true"
+stringData:
+    s3-access-key: ENC[AES256_GCM,data:GsSaKLRolz266FoNo7C/UhKJpmk=,iv:4XLXRRpEY8x7rIIZDgsAgVsUDrxw0dAB73AVZvwj+ds=,tag:VSajBS+c8PtfsT3yhlUstA==,type:str]
+    s3-secret-key: ENC[AES256_GCM,data:YCSRynS4ZUZ+t/TroP2umh2vTo2he09UtesyP9RhDKqsE9Ch9kWFOQ==,iv:ioa0o5L0koKQtyJR1D5ZTs1XO7TiF5WQirAEfVZTZK8=,tag:n4dMowfEvqTx9P1rAjdySw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age156red4ptw5huzpwlfnrukg4htuucdweu9jg8usjz98ggmeyedces3xqplq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQUMxa1JIbzd0OHN4UGRi
+            OW14ait6K0dkNGVsQXUzS2NqckQvREdRTnlBCkp3bWhxaGttZDE2RU1sMDNLa3dj
+            L1NQdWJLZnVJcEg1eXRFUjJpRTVtS3cKLS0tIGpMQ2RuQVJyRHd6SWVCL2tlZ2gz
+            Vnd1SWdJSFNwaS92TWpBZ3pzcjdvVlkKXlirgs/ia+bfkZ5VljptL6edz+XSevhP
+            O40ug/XU3loMm9qcYo0dtrwkXBZfcK/1beX6ZcTqHVfj6peBqS7gTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-12T00:38:43Z"
+    mac: ENC[AES256_GCM,data:goQ+VVtPmWnYQ9YJtlLeCkm7/tvtzN1WTjin7kutQGtY6gkhazjqvuloUJl6KcOgeDGGcnbRdv7I6zv30GPVn+6s5lGT68MqQSncrVTwk4xOmFhQXjBRdQtLNpkWBgyPrrpXbjxWbl9/AvUe+56/KYECWM91Eksvy7hKQMQuozA=,iv:8Y19KEgxm43Bx+cMNrmAjrDm83j1+rQS6XThtKXKWpk=,tag:mV7autFZWiFDNyJnYYoh+A==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.2

monitor/loki/stateful-set.yaml

@@ -89,6 +89,18 @@ spec:
             periodSeconds: 1
             failureThreshold: 60
 
+          env:
+            - name: S3_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-credentials
+                  key: s3-access-key
+            - name: S3_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-credentials
+                  key: s3-secret-key
+
           volumeMounts:
             - name: tmp
               mountPath: /tmp