# Loki External Access Setup

## Overview

Loki is now accessible externally via: **https://loki.thedevops.dev**

## Configuration

### Ingress
- **Domain**: loki.thedevops.dev
- **TLS**: Enabled with Let's Encrypt (cert-manager)
- **Authentication**: Basic Auth
- **Service**: loki:3100

### Authentication

Default credentials:
- **Username**: `admin`
- **Password**: `lokipass123`

> ⚠️ **IMPORTANT**: Change the password after deployment!

### Files Created

1. `ingress.yaml` - Main ingress configuration
2. `middleware-auth.yaml` - Traefik basic auth middleware
3. `secret-basic-auth.yaml` - Basic auth credentials

## DNS Configuration

Add this A record to your DNS:

```
loki.thedevops.dev → 5.182.17.194
```

Replace `5.182.17.194` with your actual cluster IP.

## Testing Access

### 1. Check Loki Health

```bash
curl -u admin:lokipass123 https://loki.thedevops.dev/ready
```

Expected response: `ready`

### 2. Query Loki

```bash
# Get labels
curl -u admin:lokipass123 https://loki.thedevops.dev/loki/api/v1/labels

# Query logs
curl -u admin:lokipass123 -G https://loki.thedevops.dev/loki/api/v1/query \
  --data-urlencode 'query={namespace="loki"}'
```

### 3. Test from Grafana

Add Loki as a data source in Grafana:

```yaml
URL: https://loki.thedevops.dev
Auth: Basic Auth
User: admin
Password: lokipass123
```

## Changing the Password

### Method 1: Generate new password locally

```bash
# Generate the htpasswd entry and base64-encode it for the secret's data.users field
htpasswd -nb admin your-new-password | base64

# Update secret-basic-auth.yaml with the new value, then apply it
kubectl apply -f apps/loki/secret-basic-auth.yaml
```

### Method 2: Using kubectl directly

```bash
# Create or update the secret in place
# (the command substitution is quoted so the htpasswd entry is passed as one argument)
kubectl create secret generic loki-basic-auth \
  --from-literal=users="$(htpasswd -nb admin your-new-password)" \
  --namespace loki \
  --dry-run=client -o yaml | kubectl apply -f -
```
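
A check to run after either rotation method, added here as an example that is not part of the original setup files: it confirms that unauthenticated requests and the default `admin:lokipass123` credentials are both rejected and that the new credentials work. The URL, the `/ready` endpoint and the default credentials come from this page; the function names and the `NEW_CREDS` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example: confirm the rotation took effect on the external endpoint.
# URL, /ready and the default credentials are from this page; function names
# and NEW_CREDS are illustrative.
LOKI_URL="${LOKI_URL:-https://loki.thedevops.dev}"
DEFAULT_CREDS="admin:lokipass123"

# Print the HTTP status of GET /ready. Credentials ("user:password") go to curl
# through a config on stdin, so they never show up in the process list.
probe_status() {
  if [ -n "${1:-}" ]; then
    printf 'user = "%s"\n' "$1" |
      curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -K - "$LOKI_URL/ready"
  else
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$LOKI_URL/ready"
  fi
}

# $1 = status without credentials, $2 = with default, $3 = with rotated ones.
evaluate_rotation() {
  if [ "$1" != 401 ]; then
    echo "FAIL: unauthenticated request got HTTP $1, expected 401"; return 1
  fi
  if [ "$2" != 401 ]; then
    echo "FAIL: default credentials still accepted (HTTP $2)"; return 1
  fi
  if [ "$3" != 200 ]; then
    echo "FAIL: rotated credentials got HTTP $3, expected 200"; return 1
  fi
  echo "OK: auth enforced, default password retired, new password works"
}

# Usage: NEW_CREDS='admin:your-new-password' check_rotation
check_rotation() {
  : "${NEW_CREDS:?set NEW_CREDS to user:password}"
  evaluate_rotation "$(probe_status)" "$(probe_status "$DEFAULT_CREDS")" \
    "$(probe_status "$NEW_CREDS")"
}
```

A 401 on the first two probes and a 200 on the third covers the "Basic auth working" and "Default password changed" items of the verification checklist in one run.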

## Troubleshooting

### Ingress not working

```bash
# Check ingress
kubectl get ingress -n loki

# Check certificate
kubectl get certificate -n loki

# Check if Loki is running
kubectl get pods -n loki
```

### Certificate not issued

```bash
# Check cert-manager
kubectl get certificaterequest -n loki
kubectl describe certificate loki-tls -n loki

# Check Let's Encrypt challenge
kubectl get challenges -n loki
```

### Authentication not working

```bash
# Check secret exists
kubectl get secret loki-basic-auth -n loki

# Check middleware
kubectl get middleware -n loki

# Verify secret content
kubectl get secret loki-basic-auth -n loki -o jsonpath='{.data.users}' | base64 -d
```

## Architecture

```
Internet
↓
DNS (loki.thedevops.dev)
↓
Traefik Ingress Controller
↓
TLS Termination (Let's Encrypt)
↓
Basic Auth Middleware
↓
Loki Service (ClusterIP:3100)
↓
Loki StatefulSet
```

## Security Considerations

1. **TLS**: All external traffic is encrypted with a Let's Encrypt certificate (TLS terminates at Traefik)
2. **Authentication**: Basic Auth protects external access through the ingress
3. **Network Policy**: Consider adding network policies for additional security
4. **Password Rotation**: Change the default password immediately
5. **Rate Limiting**: Consider adding rate limiting middleware
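
One way to act on items 3 and 5, added here as an example that is not among the files this setup created: a Traefik rate-limit middleware and a NetworkPolicy for the Loki pods. The `traefik` and `monitoring` namespace names, the resource names, the limits and the `traefik.io/v1alpha1` API group are assumptions; the pod label and port come from this page.

```bash
#!/usr/bin/env bash
# Added example: prints two manifests for the loki namespace.
# Assumed (not from the page): namespaces "traefik" and "monitoring", resource
# names, the limits, and the traefik.io/v1alpha1 CRD group.
render_loki_hardening() {
  cat <<'EOF'
# Throttle each client IP at the ingress.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: loki-ratelimit
  namespace: loki
spec:
  rateLimit:
    average: 20   # sustained requests per period, per source IP
    period: 1s
    burst: 40
---
# Only the ingress controller and named client namespaces may reach port 3100.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: loki-restrict-ingress
  namespace: loki
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: loki
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik      # assumed ingress namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed Grafana / shipper namespace
      ports:
        - protocol: TCP
          port: 3100
    - from:
        - podSelector: {}   # pods in the loki namespace itself, any port
EOF
}
# Review, then apply: render_loki_hardening | kubectl apply -f -
```

The middleware only takes effect once the ingress references it in its `traefik.ingress.kubernetes.io/router.middlewares` annotation as `loki-loki-ratelimit@kubernetescrd`, listed before the basic auth middleware so that failed logins are throttled too. The NetworkPolicy is enforced only when the cluster's CNI plugin supports network policies.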

## Integration with Grafana

If you want to access Loki from Grafana (already in cluster):

### Option 1: Internal access (recommended)
Use internal service URL: `http://loki.loki.svc.cluster.local:3100`
No authentication needed for in-cluster access.

### Option 2: External access
Use: `https://loki.thedevops.dev`
Requires basic auth credentials.

## ArgoCD Sync

ArgoCD will automatically sync these changes:
- Ingress will be created
- TLS certificate will be requested
- Basic auth will be configured

Wait ~2-3 minutes for:
1. Ingress to be created
2. Let's Encrypt to issue certificate
3. DNS propagation (if DNS was just updated)

## Verification Checklist

- [ ] DNS A record configured
- [ ] ArgoCD synced successfully
- [ ] Certificate issued (check cert-manager)
- [ ] Loki pods running
- [ ] Ingress created
- [ ] Can access https://loki.thedevops.dev
- [ ] Basic auth working
- [ ] Default password changed
- [ ] Grafana data source configured (if applicable)

## Useful Commands

```bash
# Refresh and show ArgoCD sync status
argocd app get loki --refresh

# Check Loki logs
kubectl logs -n loki -l app.kubernetes.io/name=loki --tail=50

# Test Loki internally (from within cluster)
kubectl run test-loki --rm -it --image=curlimages/curl -- \
  curl http://loki.loki.svc.cluster.local:3100/ready

# Check ingress events
kubectl describe ingress loki -n loki

# Force certificate renewal
kubectl delete certificate loki-tls -n loki
```

## Next Steps

1. Configure DNS A record
2. Wait for ArgoCD to sync (~3 minutes)
3. Wait for Let's Encrypt certificate (~2 minutes)
4. Test access with curl
5. Change default password
6. Configure Grafana data source (if needed)

---

**Created**: 2026-01-05
**Maintained by**: DevOps Team