Step 1: Define Authentication Method
To authenticate the Logging agent with IBM Cloud Logs, you need to choose one of the following authentication methods:
-
Option 1: Trusted Profile
Generate a Trusted Profile for the agent's authentication. This method provides enhanced security by leveraging IBM Cloud's Identity and Access Management (IAM) for authentication.
-
Option 2: API Key
Create an API key for authentication using an IAM service ID. This is another valid method for securely sending logs to IBM Cloud Logs.
In this tutorial, we’ll be using the Trusted Profile option for authentication.
Step 2: Configure Helm Chart Values
Create a logs-values.yaml file with these field
metadata:
name: "logs-agent"
image:
version: "1.4.0" # required
clusterName: "" # Enter the name of your cluster. This information is used to improve the metadata and help with your filtering.
env:
# ingestionHost is a required field. For example:
# ingestionHost: "<logs instance>.ingress.us-east.logs.cloud.ibm.com"
ingestionHost: "" # required
# If you are using private CSE proxy, then use port number "3443"
# If you are using private VPE Gateway, then use port number "443"
# If you are using the public endpoint, then use port number "443"
ingestionPort: "" # required
iamMode: "TrustedProfile"
# trustedProfileID - trusted profile id - required for iam trusted profile mode
trustedProfileID: "Profile-yyyyyyyy-xxxx-xxxx-yyyy-zzzzzzzzzzzz" # required if iamMode is set to TrustedProfile
Field Descriptions:
- image.version: Specify the version of the agent to be deployed
- clusterName: Enter the name of your Kubernetes cluster. This will automatically tag log lines with
kubernetes.cluster_name, aiding in log filtering.
- env.ingestionHost: The public or private ingress endpoint for your IBM Cloud Logs instance to receive the logs (e.g.,
<logs-instance>.ingress.us-east.logs.cloud.ibm.com).
- env.ingestionPort: The port used by the ingestion endpoint:
- Public ingress endpoint: 443
- Private ingress endpoint (VPE): 443
- Private ingress endpoint (CSE): 3443
- iamMode: Choose TrustedProfile or IAMAPIKey depending on your authentication method selected in Step 1.
- trustedProfileID: If iamMode is TrustedProfile, provide the Trusted Profile ID (e.g.,
Profile-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). If you're using IAMAPIKey, this field is not required.
Update these fields with values specific to your IBM Cloud environment before proceeding.
Step 3: Install the Logging Agent with Helm
1. Login to IBM Cloud and Kubernetes Cluster
To get started, make sure you're logged into IBM Cloud and your Kubernetes cluster using the CLI:
ibmcloud login
- Set your Kubernetes cluster context:
ibmcloud ks cluster config -c <cluster-id>
- Verify the current Kubernetes context:
kubectl config current-context
brew install helm
3. Login to Helm Registry
To access the Helm registry, log in using the following command:
helm registry login -u iambearer -p $(ibmcloud iam oauth-tokens --output json | jq -r .iam_token | cut -d " " -f2) icr.io
Alternatively, you can also log in using the IBM Cloud CLI:
ibmcloud cr login
4. Run Helm Dry-Run
Before installing the Helm chart, perform a dry run to validate the resources that will be created:
helm install <install-name> --dry-run oci://icr.io/ibm/observe/logs-agent-helm --version <chart-version> --values ./logs-values.yaml -n ibm-observe --create-namespace
Replace <install-name> with the desired Helm release name, and <chart-version> with the Helm chart version.
Once the dry-run completes successfully, you’ll see a message indicating that the agent is starting up.
Check the Kubernetes namespaces:
Check the DaemonSet in the ibm-observe namespace:
Check the status of the agent pods:
kubectl get pods -n ibm-observe -o wide
Once the pods are running, you should see output similar to this