correct AWS role annotation and add kubearchive-logging cm to kflux-prd-p03

obetsun · obetsun · commit a5cee8f23951 · 2025-09-26T10:01:18.000+03:00
Signed-off-by: obetsun &lt;obetsun@redhat.com&gt;

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
diff --git a/components/kubearchive/production/kflux-prd-rh03/external-secret.yaml b/components/kubearchive/production/kflux-prd-rh03/external-secret.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kubearchive-logging
+  namespace: product-kubearchive
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  dataFrom:
+    - extract:
+        key: production/kubearchive/logging
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: kubearchive-logging
+    template:
+      metadata:
+        annotations:
+          argocd.argoproj.io/sync-options: Prune=false
+          argocd.argoproj.io/compare-options: IgnoreExtraneous
diff --git a/components/kubearchive/production/kflux-prd-rh03/kustomization.yaml b/components/kubearchive/production/kflux-prd-rh03/kustomization.yaml
@@ -4,11 +4,47 @@ kind: Kustomization
 resources:
   - ../../base
   - ../base
+  - external-secret.yaml
   - kubearchive.yaml
 
 namespace: product-kubearchive
 
+# Generate kubearchive-logging ConfigMap with hash for automatic restarts
+# Due to quoting limitations of generators we need to introduce the values with the |
+# See https://github.com/kubernetes-sigs/kustomize/issues/4845#issuecomment-1671570428
+configMapGenerator:
+    - name: kubearchive-logging
+      literals:
+          - |
+              POD_ID=cel:metadata.uid
+          - |
+              NAMESPACE=cel:metadata.namespace
+          - |
+              START=cel:status.?startTime == optional.none() ? int(now()-duration('1h'))*1000000000: status.startTime
+          - |
+              END=cel:status.?startTime == optional.none() ? int(now()+duration('1h'))*1000000000: int(timestamp(status.startTime)+duration('6h'))*1000000000
+          - |
+              LOG_URL=http://loki-gateway.product-kubearchive-logging.svc.cluster.local:80/loki/api/v1/query_range?query=%7Bstream%3D%22{NAMESPACE}%22%7D%20%7C%20pod_id%20%3D%20%60{POD_ID}%60%20%7C%20container%20%3D%20%60{CONTAINER_NAME}%60&start={START}&end={END}&direction=forward
+          - |
+              LOG_URL_JSONPATH=$.data.result[*].values[*][1]
+
 patches:
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: kubearchive-logging
+        namespace: kubearchive
+
+  - patch: |-
+      $patch: delete
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: kubearchive-logging
+        namespace: kubearchive
+
   - patch: |-
       apiVersion: batch/v1
       kind: Job
diff --git a/components/vector-kubearchive-log-collector/production/kflux-prd-rh03/loki-helm-generator.yaml b/components/vector-kubearchive-log-collector/production/kflux-prd-rh03/loki-helm-generator.yaml
@@ -16,7 +16,7 @@ valuesInline:
     create: true
     name: loki-sa
     annotations:
-      eks.amazonaws.com/role-arn: "arn:aws:iam::310587744735:role/kflux-prd-rh03-loki-storage-role"
+      eks.amazonaws.com/role-arn: "arn:aws:iam::593793029194:role/kflux-prd-rh03-loki-storage-role"
   loki:
     storage:
       bucketNames:
