# Identity Grafana uses to query the LokiStack gateway. Its permissions come
# from the grafana-loki-reader ClusterRoleBinding below; the long-lived token
# it authenticates with is minted by the grafana-loki-token Secret below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-loki-sa
  namespace: grafana-logging
---
# The LokiStack gateway (opa-openshift) performs two SubjectAccessReviews for each request:
#   1. Can the user `get application` in loki.grafana.com? (tenant access check)
#   2. Can the user `get pods` in the queried namespace? (namespace-level access check)
# This ClusterRole is intended to satisfy both checks with as few permissions as possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: grafana-loki-reader
rules:
# Check 1: access to the "application" tenant.
- apiGroups:
  - loki.grafana.com
  resources:
  - application
  verbs:
  - get
# Check 2: namespace-level access. Bound through a ClusterRoleBinding below,
# so this rule passes the per-namespace check for every namespace in the
# cluster. Both checks above are `get`; `list` on pods and namespaces is
# broader than those checks — confirm it is needed before keeping it.
- apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - list
---
# Grants grafana-loki-reader to the Grafana service account cluster-wide.
# Because this is a ClusterRoleBinding rather than a namespaced RoleBinding,
# the gateway's per-namespace `get pods` check succeeds in any namespace, i.e.
# this identity can read application logs of every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grafana-loki-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-loki-reader
subjects:
- kind: ServiceAccount
  name: grafana-loki-sa
  namespace: grafana-logging
---
# Long-lived token for the Grafana datasource.
# The `kubernetes.io/service-account-token` type together with the
# service-account.name annotation makes the token controller fill this Secret
# with a non-expiring token (key `token`, consumed by the GrafanaDatasource
# below). Unlike projected tokens it is neither rotated nor bound to a pod, so
# if it leaks it stays valid until this Secret is deleted, and its blast radius
# is the cluster-wide read access granted by grafana-loki-reader.
apiVersion: v1
kind: Secret
metadata:
  name: grafana-loki-token
  namespace: grafana-logging
  annotations:
    kubernetes.io/service-account.name: grafana-loki-sa
type: kubernetes.io/service-account-token
---
# Grafana instance managed by grafana-operator; the GrafanaDatasource below
# attaches to it through the app=grafana label.
apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: logging-grafana
  namespace: grafana-logging
  labels:
    app: grafana
spec:
  route:
    # Expose Grafana through an OpenShift Route with operator defaults. No
    # `tls` stanza is given here — NOTE(review): confirm the rendered Route
    # terminates TLS rather than serving the login form over plain HTTP.
    spec: {}
  config:
    log:
      mode: "console"
    auth:
      # Keep the built-in login form enabled. Quoted on purpose: the operator
      # passes config values through to grafana.ini as strings.
      disable_login_form: "false"
---
# Loki datasource pointed at the LokiStack gateway's `application` tenant,
# authenticating as grafana-loki-sa via the token Secret above.
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: lokistack-datasource
  namespace: grafana-logging
spec:
  instanceSelector:
    matchLabels:
      app: grafana
  # Read the service-account token from the Secret and substitute it into
  # secureJsonData.httpHeaderValue1 at reconcile time, so the token itself
  # never appears in this manifest.
  valuesFrom:
  - targetPath: "secureJsonData.httpHeaderValue1"
    valueFrom:
      secretKeyRef:
        name: grafana-loki-token
        key: token
  datasource:
    name: Loki
    type: loki
    # proxy: the Grafana backend calls the gateway, so the bearer token is
    # never handed to the browser.
    access: proxy
    # The `application` path segment selects the tenant; the gateway runs its
    # SubjectAccessReviews against the token sent in the Authorization header.
    url: https://logging-loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/
    isDefault: true
    jsonData:
      # Disables server-certificate verification, so the bearer token below is
      # presented to whatever answers at the URL above. Prefer trusting the
      # gateway's issuing CA instead (jsonData.tlsAuthWithCACert: true plus
      # secureJsonData.tlsCACert, fed from the cluster's service CA bundle);
      # that needs a CA source this manifest does not define.
      tlsSkipVerify: true
      httpHeaderName1: "Authorization"
      maxLines: 1000
    secureJsonData:
      # Filled in by valuesFrom above; `${token}` presumably matches the
      # secretKeyRef key name — verify against the operator version in use.
      httpHeaderValue1: "Bearer ${token}"
