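---
# OpenShift Template for a fluentd "secure_forward" receiver that relays
# incoming log records to a remote collector. The template declares a
# DeploymentConfig, a Service and a ConfigMap.
# NOTE(review): nesting was rebuilt from a listing that had lost its
# indentation. `labels` is placed at template level here; confirm against the
# upstream file whether it belongs under `metadata` instead.
apiVersion: v1
kind: Template
metadata:
  name: fluentd-forwarder
  annotations:
    description: Template for collecting and forwarding fluentd logs to a remote log collection point like rsyslog or splunk.
labels:
  name: fluentd-forwarder
objects: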
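# DeploymentConfig: one replica of the forwarder container, configured through
# environment variables and two read-only volumes (TLS material and
# fluentd.conf).
# NOTE(review): no `resources` or `securityContext` are declared here, so the
# pod runs with whatever the namespace defaults and admitted SCC provide.
- apiVersion: v1
  kind: DeploymentConfig
  metadata:
    labels:
      name: fluentd-forwarder
    name: fluentd-forwarder
  spec:
    replicas: 1
    triggers:
    # ImageChange trigger bound to the ImageStreamTag built from the template
    # parameters.
    - type: ImageChange
      imageChangeParams:
        containerNames:
        - fluentd-forwarder
        from:
          kind: ImageStreamTag
          namespace: '${P_NAMESPACE}'
          name: '${P_IMAGE_NAME}:${P_IMAGE_VERSION}'
    - type: ConfigChange
    selector:
      name: fluentd-forwarder
    template:
      metadata:
        labels:
          name: fluentd-forwarder
      spec:
        containers:
        - name: fluentd-forwarder
          # P_IMAGE_VERSION defaults to the mutable tag "latest"; pin a fixed
          # tag or digest when the deployed image must be reproducible and
          # auditable.
          image: '${P_NAMESPACE}/${P_IMAGE_NAME}:${P_IMAGE_VERSION}'
          # The names below match the ${...} placeholders in fluentd.conf.
          # NOTE(review): fluentd.conf also references IS_SECURE,
          # STRICT_VERIFICATION and KEY_PASSPHRASE, none of which is set
          # here; presumably the image supplies defaults. Confirm.
          env:
          - name: TARGET_TYPE
            value: '${P_TARGET_TYPE}'
          - name: TARGET_HOST
            value: '${P_TARGET_HOST}'
          - name: TARGET_PORT
            value: '${P_TARGET_PORT}'
          # Free-form text that fluentd.conf places inside its <match>
          # section; treat the ability to set it as the ability to edit the
          # output configuration.
          - name: ADDITIONAL_OPTS
            value: '${P_ADDITIONAL_OPTS}'
          - name: CA_PATH
            value: '${P_CA_PATH}'
          - name: CERT_PATH
            value: '${P_CERT_PATH}'
          - name: KEY_PATH
            value: '${P_KEY_PATH}'
          # NOTE(review): the shared key is stored as a literal env value, so
          # it is readable by anyone who can view this DeploymentConfig or
          # the processed template output. Consider keeping it in a Secret
          # and referencing it with `valueFrom.secretKeyRef`.
          - name: SHARED_KEY
            value: '${P_SHARED_KEY}'
          volumeMounts:
          # TLS certificate and private key from the serving-cert secret.
          - mountPath: /secrets
            name: fluentd-forwarder-secret-mount
            readOnly: true
          # fluentd.conf from the ConfigMap.
          - mountPath: /tmp/fluentd-config
            name: fluentd-forwarder-config
            readOnly: true
          ports:
          - containerPort: 24284
            protocol: TCP
          # Both probes run the same check script shipped in the image.
          readinessProbe:
            exec:
              command:
              - /opt/app-root/src/fluentd-check.sh
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          livenessProbe:
            exec:
              command:
              - /opt/app-root/src/fluentd-check.sh
            failureThreshold: 3
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
        volumes:
        - name: fluentd-forwarder-secret-mount
          secret:
            secretName: fluentd-forwarder-certs
            # 420 is decimal for octal 0644.
            # NOTE(review): this volume holds the TLS private key; 0644 makes
            # it readable by every user in the container. A tighter mode such
            # as 288 (octal 0440) may be possible; confirm the UID/GID the
            # container runs with before changing it.
            defaultMode: 420
        - name: fluentd-forwarder-config
          configMap:
            name: fluentd-forwarder
            # 420 is decimal for octal 0644.
            defaultMode: 420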
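# Service: cluster-internal endpoint for the secure_forward listener on
# TCP 24284.
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      # Requests a service-serving certificate to be written into the secret
      # `fluentd-forwarder-certs`, the same secret the DeploymentConfig mounts
      # at /secrets.
      # NOTE(review): newer OpenShift releases document this annotation under
      # the `service.beta.openshift.io/` prefix; confirm which one the target
      # cluster honours.
      service.alpha.openshift.io/serving-cert-secret-name: fluentd-forwarder-certs
    labels:
      name: fluentd-forwarder
    name: fluentd-forwarder
  spec:
    ports:
    - name: fluentd-forwarder
      port: 24284
      protocol: TCP
      targetPort: 24284
    selector:
      name: fluentd-forwarder
    # ClusterIP keeps the listener off external networks. No NetworkPolicy is
    # defined in this template, so in-cluster access is gated only by the
    # shared key and TLS settings in fluentd.conf; add a policy if only known
    # senders should connect.
    type: ClusterIP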
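# ConfigMap: fluentd configuration mounted into the container at
# /tmp/fluentd-config.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    labels:
      name: fluentd-forwarder
    name: fluentd-forwarder
  data:
    # The ${...} placeholders below do not match any template parameter name
    # (those are prefixed P_), so they are presumably expanded inside the
    # container from its environment variables; verify against the image's
    # start script.
    # NOTE(review): IS_SECURE, STRICT_VERIFICATION and KEY_PASSPHRASE have no
    # matching env entry in the DeploymentConfig of this template. Confirm
    # that `secure` and `enable_strict_verification` resolve to enabled values
    # at runtime; if they do not, the shared key is the only protection on
    # the listener.
    # NOTE(review): ${ADDITIONAL_OPTS} is inserted verbatim into the <match>
    # section, so whoever sets it controls that part of the configuration.
    fluentd.conf: |
      <source>
        @type secure_forward
        self_hostname "#{ENV['HOSTNAME']}"
        bind 0.0.0.0
        port 24284
        shared_key ${SHARED_KEY}
        secure ${IS_SECURE}
        enable_strict_verification ${STRICT_VERIFICATION}
        ca_cert_path ${CA_PATH}
        cert_path ${CERT_PATH}
        private_key_path ${KEY_PATH}
        private_key_passphrase ${KEY_PASSPHRASE}
      </source>
      <filter **>
        @type record_transformer
        <record>
          forwarded_by "#{ENV['HOSTNAME']}"
          source_component "OCP"
        </record>
      </filter>
      <match **>
        @type ${TARGET_TYPE}
        host ${TARGET_HOST}
        port ${TARGET_PORT}
        ${ADDITIONAL_OPTS}
      </match>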
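# Template parameters. Each P_* value is substituted into the objects above
# when the template is processed.
parameters:
- name: P_NAMESPACE
  description: Target namespace for image. Used to reference the ImageStream source for the image.
  value: logging
  required: true
- name: P_IMAGE_NAME
  description: The name of the image to be used when performing the pull operation.
  value: fluentd-forwarder
  required: true
# "latest" is a mutable tag; supply a fixed version when the deployed image
# must be traceable to a specific build.
- name: P_IMAGE_VERSION
  description: The version of the fluentd-forwarder image to use.
  value: "latest"
- name: P_TARGET_TYPE
  description: The output target's type. Can be 'remote_syslog' or 'splunk_ex'.
  required: true
  value: remote_syslog
- name: P_TARGET_HOST
  description: The remote host that is the target for the logging data.
  value: remote-syslog-host.lan
  required: true
# Quoted so the port stays a string.
- name: P_TARGET_PORT
  description: The remote port on the host that is the target for the logging data. The normal value for syslog is 514 and the normal value for splunk is 9997.
  required: true
  value: "514"
# Inserted verbatim into the fluentd <match> section; only trusted operators
# should be able to set it.
- name: P_ADDITIONAL_OPTS
  description: Additional options passed to the forwarder plugin. The normal value for splunk is output_format json.
  value: ""
# NOTE(review): this default is published with the template, so it does not
# work as a secret. Override it at instantiation with a unique value that is
# also configured on the senders. Template parameters also support
# `generate: expression` with `from:` where the senders can be given the
# generated value.
- name: P_SHARED_KEY
  description: "A key shared between the logging providers and this forwarder to ensure secure operation. Default: 'ocpaggregatedloggingsharedkey'."
  value: ocpaggregatedloggingsharedkey
  required: true
- name: P_CA_PATH
  description: Path to the CA certificate required for certificate verification. By default it uses the OCP master's signing certificate.
  value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
# The two defaults below point into the /secrets mount that holds the
# serving-cert secret.
- name: P_CERT_PATH
  description: Path to the certificate that should be used to identify the server. Defaults to the path outlined for secret mount.
  value: /secrets/tls.crt
- name: P_KEY_PATH
  description: Path to the key that should be used for the server PKI. Defaults to the path outlined for secret mount.
  value: /secrets/tls.key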