Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NOT FOR MERGING]: prototype: Send logs to team account based on namespace #1292

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

bmcfeely
Copy link
Contributor

@bmcfeely bmcfeely commented Feb 23, 2024

We're trying to sort out a way that CF can allow teams to put their logs in their own team's account instead of account 1.

This PR prototypes providing a way for teams to tell the chart which key (and therefore to which account) they want their logs sent with based on a pod's namespace. Any pod that doesn't have an explicit mapping from its namespace to an account key will default to be sent with the account 1 key.

This idea is:

  • Creates a ConfigMap that teams can put the Vault location for their api keys (this prototype just hardcodes keys locally, I was lazy :P)
  • Creates a chart "hook" that runs on install and upgrade that generates the Fluent Bit [OUTPUT] blocks by running a NodeJS app to do that
  • Including those [OUTPUT] blocks in the "main" fluent-bit.conf

For CF, we'd do something a little different (but basically the same), since CF uses their own Helm chart. I think it would still be mostly the same. I didn't do the prototype there because, uh, I don't know. 😄

I tested this by:

  • Editing the chart to replace REDACTED_KEY_FOR_PRODUCTION_756053 with the actual key for production 756053
  • Installing the chart with helm uninstall newrelic-logging && helm install newrelic-logging ./charts/newrelic-logging --set licenseKey=<REDACTED_ACCOUNT_1_KEY> --set cluster=brian-kind && kubectl logs $(kubectl get pod | grep newrelic-logging | grep -v creator | awk '{print $1}')
  • Creating a pod in the logging namespace
  • Verifying that the logging namespace pod's logs go to account 756053 (and not account 1)
  • Verifying that the other pods in non-logging namespaces go to account 1

Account 1 logs

(note that it doesn't include logs from the logging namespaces)

Screenshot 2024-02-22 at 9 03 41 PM

Account 756053 logs

(note that it doesn't include logs from other namespaces besides logging)

Screenshot 2024-02-22 at 9 03 37 PM

@bmcfeely bmcfeely requested a review from a team February 23, 2024 05:15
namespace: {{ .Release.Namespace }}
labels: {{ include "newrelic-logging.labels" . | indent 4 }}
data:
# TODO: this needs to be a Vault path instead of hard-coding keys
Copy link
Contributor Author

@bmcfeely bmcfeely Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure that we have a way to get secrets from Vault into k8s secrets so that they can be used. I'm assuming that's possible, I'm skipping it here (and just hardcoding keys locally) just so I can get done with the prototype sooner.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant