Added bb-common and replaced resources with bb-common generated resources
General MR
Summary
- Added bb-common as a chart dependency
- Replaced netpols, authpols, peerauths, and virtual service with bb-common generated resources
Relevant logs/screenshots
Used bb-common-loki branch to test/validate
Before Upgrade (SingleBinary Deployment):
kubectl get netpol -n logging
NAME POD-SELECTOR AGE
allow-alloy-ingress-logging-loki app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m18s
allow-from-istio-ingressgateway-logging-loki app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m18s
allow-in-ns-logging-loki <none> 9m18s
allow-istiod-egress-logging-loki <none> 9m18s
allow-loki-sidecar-scraping <none> 9m18s
allow-monitoring-test-egress-loki helm-test=enabled 9m18s
allow-tempo-egress-logging-loki <none> 9m18s
default-deny-all-logging-loki <none> 9m18s
egress-dns <none> 9m18s
egress-external-services app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m18s
ingress-grafana-gateway app.kubernetes.io/component=gateway,app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m18s
ingress-monitoring app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m18s
kubectl get ap -n logging
NAME ACTION AGE
loki-allow-intranamespace ALLOW 9m23s
loki-alloy-authz-policy ALLOW 9m23s
loki-minio-operator-policy ALLOW 9m23s
loki-public-ingressgateway-ingressgateway-authz-policy ALLOW 9m23s
kubectl get se -n logging
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-loki ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","grafana.dev.bigbang.mil","optimizationguide-pa.googleapis.com","clientservices.googleapis.com","accounts.google.com","redirector.gvt1.com","content-autofill.googleapis.com","safebrowsing.googleapis.com"] MESH_EXTERNAL DNS 9m26s
kubectl get pa -n logging
NAME MODE AGE
default-loki STRICT 10m
kubectl get vs -n logging -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: logging-loki
meta.helm.sh/release-namespace: logging
creationTimestamp: "2025-12-18T11:10:11Z"
generation: 1
labels:
app.kubernetes.io/component: networking
app.kubernetes.io/instance: logging-loki
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: logging-loki
app.kubernetes.io/part-of: loki
helm.sh/chart: logging-loki
helm.toolkit.fluxcd.io/name: loki
helm.toolkit.fluxcd.io/namespace: bigbang
name: loki
namespace: logging
resourceVersion: "10306"
uid: b8607d39-672d-4989-9dec-26cef815ebb5
spec:
gateways:
- istio-gateway/public-ingressgateway
hosts:
- loki.dev.bigbang.mil
http:
- route:
- destination:
host: logging-loki.logging.svc.cluster.local
port:
number: 3100
kind: List
metadata:
resourceVersion: ""
After Upgrade (SingleBinary Deployment)
kubectl get netpol -n logging
NAME POD-SELECTOR AGE
allow-egress-from-logging-loki-to-ns-tempo-pod-tempo-tcp-port-9411 app.kubernetes.io/name=logging-loki 5m52s
allow-egress-from-logging-loki-to-storage-subnets app.kubernetes.io/name=logging-loki 5m52s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-pod-alloy app.kubernetes.io/name=logging-loki 5m52s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-pod-alloy-logs app.kubernetes.io/name=logging-loki 5m52s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-pod-grafana app.kubernetes.io/name=logging-loki 5m52s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=logging-loki 5m52s
allow-ingress-to-loki-3100-from-ns-istio-gateway-pod-public-ingressgateway app.kubernetes.io/name=logging-loki 5m52s
default-egress-allow-all-in-ns <none> 5m52s
default-egress-allow-istiod <none> 5m52s
default-egress-allow-kube-dns <none> 5m52s
default-egress-deny-all <none> 5m52s
default-ingress-allow-all-in-ns <none> 5m52s
default-ingress-allow-prometheus-to-istio-sidecar <none> 5m52s
default-ingress-deny-all <none> 5m52s
kubectl get ap -n logging
NAME ACTION AGE
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-with-identity-alloy-alloy-logs ALLOW 5m55s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-with-identity-alloy-alloy-operator ALLOW 5m55s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 5m55s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 5m55s
default-authz-allow-all-in-ns ALLOW 5m55s
default-authz-allow-nothing 5m55s
loki-public-ingressgateway-authz-policy ALLOW 5m55s
kubectl get se -n logging
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-loki ["repo1.dso.mil","grafana.dev.bigbang.mil","optimizationguide-pa.googleapis.com","clientservices.googleapis.com","accounts.google.com","redirector.gvt1.com","content-autofill.googleapis.com","safebrowsing.googleapis.com"] MESH_EXTERNAL DNS 29m
loki-service-entry ["loki.dev.bigbang.mil"] MESH_EXTERNAL DNS 6m11s
kubectl get pa -n logging
NAME MODE AGE
default-peer-auth STRICT 6m16s
kubectl get vs -n logging -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: logging-loki
meta.helm.sh/release-namespace: logging
creationTimestamp: "2025-12-18T11:10:11Z"
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
helm.toolkit.fluxcd.io/name: loki
helm.toolkit.fluxcd.io/namespace: bigbang
name: loki
namespace: logging
resourceVersion: "38184"
uid: b8607d39-672d-4989-9dec-26cef815ebb5
spec:
gateways:
- istio-gateway/public-ingressgateway
hosts:
- loki.dev.bigbang.mil
http:
- route:
- destination:
host: logging-loki.logging.svc.cluster.local
port:
number: 3100
kind: List
metadata:
resourceVersion: ""
Before Upgrade (scalable deployment):
kubectl get netpol -n logging
NAME POD-SELECTOR AGE
allow-alloy-ingress-logging-loki app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m14s
allow-from-istio-ingressgateway-logging-loki app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m14s
allow-in-ns-logging-loki <none> 9m14s
allow-istiod-egress-logging-loki <none> 9m14s
allow-loki-sidecar-scraping <none> 9m14s
allow-minio-operator-egress app=minio 9m14s
allow-minio-operator-ingress app=minio 9m14s
allow-minio-tenant-egress app=minio 9m14s
allow-monitoring-test-egress-loki helm-test=enabled 9m14s
allow-tempo-egress-logging-loki <none> 9m14s
default-deny-all-logging-loki <none> 9m14s
egress-dns <none> 9m14s
ingress-grafana-gateway app.kubernetes.io/component=gateway,app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m14s
ingress-monitoring app.kubernetes.io/instance=logging-loki,app.kubernetes.io/name=logging-loki 9m14s
kubectl get ap -n logging
NAME ACTION AGE
loki-allow-intranamespace ALLOW 9m16s
loki-alloy-authz-policy ALLOW 9m16s
loki-minio-operator-policy ALLOW 9m16s
loki-public-ingressgateway-ingressgateway-authz-policy ALLOW 9m16s
kubectl get se -n logging
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-loki ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","grafana.dev.bigbang.mil","optimizationguide-pa.googleapis.com","clientservices.googleapis.com","accounts.google.com","redirector.gvt1.com","content-autofill.googleapis.com","safebrowsing.googleapis.com"] MESH_EXTERNAL DNS 9m19s
kubectl get pa -n logging
NAME MODE AGE
default-loki STRICT 9m22s
kubectl get vs -n logging -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: logging-loki
meta.helm.sh/release-namespace: logging
creationTimestamp: "2025-12-18T11:50:56Z"
generation: 1
labels:
app.kubernetes.io/component: networking
app.kubernetes.io/instance: logging-loki
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: logging-loki
app.kubernetes.io/part-of: loki
helm.sh/chart: logging-loki
helm.toolkit.fluxcd.io/name: loki
helm.toolkit.fluxcd.io/namespace: bigbang
name: loki
namespace: logging
resourceVersion: "10777"
uid: ec9309d7-49e2-4a38-896b-742e083375bc
spec:
gateways:
- istio-gateway/public-ingressgateway
hosts:
- loki.dev.bigbang.mil
http:
- route:
- destination:
host: logging-loki-gateway.logging.svc.cluster.local
port:
number: 80
kind: List
metadata:
resourceVersion: ""
After Upgrade (scalable deployment):
kubectl get netpol -n logging
NAME POD-SELECTOR AGE
allow-egress-from-logging-loki-to-ns-tempo-pod-tempo-tcp-port-9411 app.kubernetes.io/name=logging-loki 5m8s
allow-egress-from-minio-to-kubeapi app.kubernetes.io/name=minio 5m8s
allow-egress-from-minio-to-ns-minio-operator-pod-minio-operator-tcp-port-4222 app.kubernetes.io/name=minio 5m7s
allow-egress-from-minio-to-storage-subnets app.kubernetes.io/name=minio 5m7s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-pod-alloy app.kubernetes.io/name=logging-loki 5m7s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-pod-alloy-logs app.kubernetes.io/name=logging-loki 5m7s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-pod-prometheus app.kubernetes.io/name=logging-loki 5m7s
allow-ingress-to-loki-80-from-ns-istio-gateway-pod-public-ingressgateway app.kubernetes.io/component=gateway,app.kubernetes.io/name=logging-loki 5m7s
allow-ingress-to-loki-tcp-port-8080-from-ns-monitoring-pod-grafana app.kubernetes.io/component=gateway,app.kubernetes.io/name=logging-loki 5m7s
allow-ingress-to-minio-tcp-port-9000-from-ns-minio-operator-pod-minio-operator app.kubernetes.io/name=minio 5m7s
default-egress-allow-all-in-ns <none> 5m7s
default-egress-allow-istiod <none> 5m7s
default-egress-allow-kube-dns <none> 5m7s
default-egress-deny-all <none> 5m7s
default-ingress-allow-all-in-ns <none> 5m7s
default-ingress-allow-prometheus-to-istio-sidecar <none> 5m7s
default-ingress-deny-all <none> 5m7s
kubectl get ap -n logging
NAME ACTION AGE
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-with-identity-alloy-alloy-logs ALLOW 5m10s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-alloy-with-identity-alloy-alloy-operator ALLOW 5m9s
allow-ingress-to-logging-loki-tcp-port-3100-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus ALLOW 5m9s
allow-ingress-to-loki-tcp-port-8080-from-ns-monitoring-with-identity-monitoring-grafana ALLOW 5m8s
allow-ingress-to-minio-tcp-port-9000-from-ns-minio-operator-with-identity-minio-operator ALLOW 5m7s
default-authz-allow-all-in-ns ALLOW 5m10s
default-authz-allow-nothing 5m10s
loki-public-ingressgateway-authz-policy ALLOW 5m5s
kubectl get se -n logging
NAME HOSTS LOCATION RESOLUTION AGE
cypress-service-entries-loki ["repo1.dso.mil","grafana.dev.bigbang.mil","optimizationguide-pa.googleapis.com","clientservices.googleapis.com","accounts.google.com","redirector.gvt1.com","content-autofill.googleapis.com","safebrowsing.googleapis.com"] MESH_EXTERNAL DNS 6m33s
loki-service-entry ["loki.dev.bigbang.mil"] MESH_EXTERNAL DNS 5m13s
kubectl get pa -n logging
NAME MODE AGE
default-peer-auth STRICT 5m22s
kubectl get vs -n logging -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
annotations:
meta.helm.sh/release-name: logging-loki
meta.helm.sh/release-namespace: logging
creationTimestamp: "2025-12-18T12:15:37Z"
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
helm.toolkit.fluxcd.io/name: loki
helm.toolkit.fluxcd.io/namespace: bigbang
name: loki
namespace: logging
resourceVersion: "46817"
uid: 28642d13-ad43-468e-91c6-5b57f428cadd
spec:
gateways:
- istio-gateway/public-ingressgateway
hosts:
- loki.dev.bigbang.mil
http:
- route:
- destination:
host: logging-loki-gateway.logging.svc.cluster.local
port:
number: 80
kind: List
metadata:
resourceVersion: ""
Linked Issue
Upgrade Notices
Loki is now leveraging our bb-common integration for network policies and Istio-related resources. Please refer to this blog post for additional information on the integration. During this process, a previously unknown bug was found: the network policy intended to allow traffic from Grafana to Loki's gateway was actually allowing all traffic into that gateway. The network policy has been updated as part of this work so that it functions as intended.
Umbrella Branch
bb-common-loki







