This section describes how to deploy and configure a FEPLogging instance via the FEPLogging custom resource. FEPLogging is a separate CR that accepts logs sent from FEPCluster and forwards them to Elasticsearch, or exposes them to Prometheus, for raising alarms. The FEPLogging CR must be created before the logging feature is enabled on FEPCluster.
The fepLogging section needs to be added under spec to define the parameters required for the FEPLogging configuration.
The following is a sample template:

```yaml
spec:
  fepLogging:
    elastic:
      authSecret:
        secretName: elastic-auth
        passwordKey: password
        userKey: username
      host: elastic-passthrough.apps.openshift.com
      logstashPrefix: postgres
      port: 443
      scheme: https
      sslVerify: true
      tls:
        certificateName: elastic-cert
        caName: elastic-cacert
    image:
      pullPolicy: IfNotPresent
    mcSpec:
      limits:
        cpu: 500m
        memory: 700Mi
      requests:
        cpu: 200m
        memory: 512Mi
    restartRequired: false
    sysExtraLogging: false
    scrapeInterval: 30s
    scrapeTimeout: 30s
    tls:
      certificateName: fluentd-cert
      caName: cacert
  prometheus:
    …
```

Below is the list of all parameters defined in the fepLogging section, along with a brief description of each.
| Custom Resource spec | Required/Optional | Description | Updating value allowed |
|---|---|---|---|
| spec.fepLogging.image.image | Optional | Fluentd image of FEPLogging | Yes |
| spec.fepLogging.image.pullPolicy | Required | Fluentd image pull policy of FEPLogging | Yes |
| spec.fepLogging.mcSpec.limits.cpu | Required | Max CPU allocated to the fluentd container | Yes |
| spec.fepLogging.mcSpec.limits.memory | Required | Max memory allocated to the fluentd container | Yes |
| spec.fepLogging.mcSpec.requests.cpu | Required | CPU allocation at start for the fluentd container | Yes |
| spec.fepLogging.mcSpec.requests.memory | Required | Memory allocation at start for the fluentd container | Yes |
| spec.fepLogging.sysExtraLogging | Required | To turn on extra debugging messages for the operator, set the value to true. It can be turned on/off at any time | Yes |
| spec.fepLogging.restartRequired | Required | Restarts the FEPLogging instance to apply any new configuration, for example after certificate rotation | Yes |
| spec.fepLogging.scrapeInterval | Optional | Scrape interval for Prometheus to fetch metrics from the FEPLogging instance | Yes |
| spec.fepLogging.scrapeTimeout | Optional | Scrape timeout for Prometheus to fetch metrics from the FEPLogging instance | Yes |
| spec.fepLogging.elastic.host | Optional | Target Elasticsearch host name | Yes |
| spec.fepLogging.elastic.port | Optional | Target Elasticsearch port number | Yes |
| spec.fepLogging.elastic.authSecret.secretName | Optional | Name of the Secret that contains the Elasticsearch authentication username & password | Yes |
| spec.fepLogging.elastic.authSecret.userKey | Optional | Username key specified in the Elasticsearch authentication Secret | Yes |
| spec.fepLogging.elastic.authSecret.passwordKey | Optional | Password key specified in the Elasticsearch authentication Secret | Yes |
| spec.fepLogging.elastic.logstashPrefix | Optional | Logstash prefix to differentiate the index pattern in Elasticsearch. Default value is postgres | Yes |
| spec.fepLogging.elastic.auditLogstashPrefix | Optional | Logstash prefix to differentiate the index pattern in Elasticsearch for the audit log. If not specified, it defaults to the same value as ‘logstashPrefix’ | Yes |
| spec.fepLogging.elastic.scheme | Optional | Connection scheme between FEPLogging & Elasticsearch. Possible options: http & https | Yes |
| spec.fepLogging.elastic.sslVerify | Optional | Set to true to verify the SSL certificate. If set to false, the TLS certificate is not considered | Yes |
| spec.fepLogging.elastic.tls.certificateName | Optional | Kubernetes Secret name which holds the fluentd certificate | Yes |
| spec.fepLogging.elastic.tls.caName | Optional | Kubernetes ConfigMap which holds the CA cert of Elasticsearch, used to verify the Elasticsearch TLS connection | Yes |
| spec.fepLogging.tls.certificateName | Optional | Kubernetes Secret name which holds the Fluentd certificate | Yes |
| spec.fepLogging.tls.caName | Optional | Kubernetes ConfigMap which holds the CA cert of Fluentd, used to configure mTLS between FEPLogging & Prometheus | Yes |
| spec.prometheus.tls.certificateName | Optional | Kubernetes Secret name which holds the Prometheus certificate | Yes |
| spec.prometheus.tls.caName | Optional | Kubernetes ConfigMap which holds the CA cert of Fluentd, used to configure mTLS between FEPLogging & Prometheus | Yes |
The image property is used to specify a Fluentd image other than the default, and its pullPolicy, from the FEPLogging CR.
If not specified, the default image provided by the Operator is used.
Example)

```yaml
spec:
  fepLogging:
    image:
      image: 'quay.io/fujitsu/fujitsu-enterprise-postgres-fluentbit:ubi9-18-1.0'
      pullPolicy: IfNotPresent
```

The memory & CPU configuration of the FEPLogging container can be provided by the mcSpec properties.
Example)

```yaml
spec:
  fepLogging:
    mcSpec:
      limits:
        cpu: 500m
        memory: 700Mi
      requests:
        cpu: 200m
        memory: 512Mi
```

If FEPLogging needs to be restarted to apply a new change, for example after certificate rotation, the FEPLogging container can be restarted by setting the restartRequired flag to true. The default value of this flag is false. The flag changes back to false once the pod has been restarted.
Example)

```yaml
spec:
  fepLogging:
    restartRequired: true
```

The scrapeInterval and scrapeTimeout properties of FEPLogging are optional. They are used by the Prometheus ServiceMonitor to configure the metrics fetching interval (scrapeInterval) and the request timeout (scrapeTimeout).
Example)

```yaml
spec:
  fepLogging:
    scrapeInterval: 30s
    scrapeTimeout: 30s
```

To forward logs from FEPLogging (Fluentd) to Elasticsearch, configure the elastic property. This property is optional. The Elasticsearch server and its certificates are configured by the user.
To configure log forwarding to Elasticsearch, the following properties are required:

- authSecret
- host
- port
- logstashPrefix
- auditLogstashPrefix
- scheme
- sslVerify
- tls (if sslVerify is set to true)
Configure the Elasticsearch server and use its host name and port.
Here the tls property is optional and works together with the sslVerify flag. To enable a secure connection with TLS verification, set sslVerify to true and provide a valid certificateName & caName.
In that case the Elasticsearch caName is mandatory; it holds the CA cert of the Elasticsearch server.
Example)

```yaml
spec:
  fepLogging:
    elastic:
      authSecret:
        passwordKey: password
        secretName: elastic-auth
        userKey: username
      host: elastic-passthrough.apps.openshift.com
      logstashPrefix: postgres
      auditLogstashPrefix: postgres
      port: 443
      scheme: https
      sslVerify: false
      tls:
        certificateName: fluentd-cert
        caName: elastic-cacert
```

authSecret is the Secret which contains the username & password, in base64 format, for Elasticsearch authentication.
Example)

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: elastic-auth
  namespace: my-namespace
data:
  password: OFBobzlyRUJWOGg1Mk0xcXdaMUQ5bzQ0
  username: ZWxhc3RpYw==
type: Opaque
```
FEPLogging has an optional tls property. If the user wants to forward logs from FEPCluster to the FEPLogging instance over a secure connection, the TLS configuration for FEPCluster (remoteLogging section) and the TLS configuration for both FEPLogging and Prometheus are mandatory. Configuring TLS on just fepLogging or just Prometheus will not work.
When a self-signed certificate is used, caName can be skipped.
Example)

```yaml
spec:
  fepLogging:
    tls:
      certificateName: fluentd-cert
      caName: cacert
```

If a secured connection between FEPLogging and FEPCluster is required, then the TLS configuration for both FEPLogging and Prometheus is mandatory. Configuring TLS on just fepLogging or just Prometheus will not work.
When a self-signed certificate is used, caName can be skipped.
Example)

```yaml
spec:
  fepLogging:
    …
  prometheus:
    tls:
      certificateName: prometheus-cert
      caName: cacert
```
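The rules stated in the Elasticsearch section above (sslVerify requires tls.certificateName and tls.caName; authSecret must point at keys that exist in the Secret) and in this TLS section (TLS must be configured on both fepLogging and prometheus, never on one side only) can be checked before the CR is applied. The following Python script is an added example and is not code from the FEPLogging operator or its documentation. It works on the spec and Secret data as plain dicts constructed inline (placeholder credentials, no cluster or PyYAML needed); the FEPCluster remoteLogging side is out of its scope, and the function and variable names are the example's own.

```python
"""Pre-flight checks for a FEPLogging spec (added example, not operator code)."""
import base64


def _get(d, path):
    """Walk a dotted path through nested dicts, e.g. 'elastic.tls.caName'."""
    cur = d
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check_elastic(fep_logging, secrets):
    """Findings for spec.fepLogging.elastic; `secrets` maps Secret name -> its data dict."""
    findings = []
    elastic = fep_logging.get("elastic")
    if elastic is None:
        return findings  # Elasticsearch forwarding is optional
    scheme = elastic.get("scheme")
    ssl_verify = bool(elastic.get("sslVerify", False))
    if scheme != "https":
        findings.append("elastic.scheme is not https: logs and credentials are sent in clear text")
    elif not ssl_verify:
        findings.append("elastic.sslVerify is false: the Elasticsearch certificate is not verified")
    if ssl_verify:  # the docs require tls.certificateName and tls.caName in this case
        for key in ("certificateName", "caName"):
            if not _get(elastic, "tls." + key):
                findings.append("elastic.sslVerify is true but elastic.tls.%s is missing" % key)
    auth = elastic.get("authSecret") or {}
    name = auth.get("secretName")
    data = secrets.get(name)
    if data is None:
        findings.append("authSecret.secretName %r not found" % name)
        return findings
    for role in ("userKey", "passwordKey"):
        key = auth.get(role)
        if key not in data:
            findings.append("authSecret.%s %r is not a key in Secret %r" % (role, key, name))
            continue
        try:
            base64.b64decode(data[key], validate=True)  # Secret data must be base64
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("Secret %r key %r is not valid base64" % (name, key))
    return findings


def check_mtls(spec):
    """Findings for the FEPLogging <-> Prometheus TLS pairing: both sides or neither."""
    fl = _get(spec, "fepLogging.tls.certificateName")
    pr = _get(spec, "prometheus.tls.certificateName")
    if bool(fl) != bool(pr):  # caName may be skipped for self-signed certs, so only the cert is checked
        side = "fepLogging" if fl else "prometheus"
        return ["TLS is configured only on %s; fepLogging.tls and prometheus.tls are both required" % side]
    return []


def preflight(spec, secrets):
    """All findings for one FEPLogging CR spec; an empty list means the checks passed."""
    return check_elastic(spec.get("fepLogging", {}), secrets) + check_mtls(spec)


def b64(s):
    """Encode a value the way Secret `data` entries are stored."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample Secret data (placeholder credentials, not real ones).
SECRETS = {"elastic-auth": {"username": b64("elastic"), "password": b64("placeholder-password")}}

ELASTIC_WEAK = {  # https, but the server certificate is never checked
    "authSecret": {"secretName": "elastic-auth", "userKey": "username", "passwordKey": "password"},
    "host": "elastic-passthrough.apps.openshift.com", "port": 443,
    "scheme": "https", "sslVerify": False,
    "tls": {"certificateName": "fluentd-cert", "caName": "elastic-cacert"},
}
ELASTIC_HARDENED = dict(ELASTIC_WEAK, sslVerify=True,
                        tls={"certificateName": "elastic-cert", "caName": "elastic-cacert"})

WEAK_SPEC = {  # TLS only on fepLogging: the prometheus side is missing
    "fepLogging": {"elastic": ELASTIC_WEAK, "tls": {"certificateName": "fluentd-cert", "caName": "cacert"}},
}
HARDENED_SPEC = {  # sslVerify on, TLS on both sides
    "fepLogging": {"elastic": ELASTIC_HARDENED, "tls": {"certificateName": "fluentd-cert", "caName": "cacert"}},
    "prometheus": {"tls": {"certificateName": "prometheus-cert", "caName": "cacert"}},
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, preflight(spec, SECRETS) or ["ok"])
```

Run against the weak spec it reports two findings (unverified Elasticsearch certificate, TLS on fepLogging only); the hardened spec passes. Feeding it the real CR is a matter of loading the YAML into a dict and reading the referenced Secret's data with kubectl, which the script deliberately leaves out so it can run anywhere.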