Syslog (QRadar)

Configuration

Using images on docker.io (hub.docker.com)

These images are built on top of Scratch images.

collectorforopenshift-syslog.yaml

Using certified images on registry.connect.redhat.com

These images are built on top of RHEL images — see outcoldsolutions/collectorforopenshift. Pulling from this registry requires authentication; the steps below walk through it.

collectorforopenshift-rhel-syslog.yaml

registry.connect.redhat.com authentication

registry.connect.redhat.com is not the same as registry.access.redhat.com. The latter hosts Red Hat’s own images and works with OpenShift out of the box; the former hosts certified partner images and requires authentication.

You need a pull secret to authenticate against registry.connect.redhat.com. For background on pull secrets in general, see Allowing Pods to Reference Images from Other Secured Registries.

Apply the manifest first, then switch into the Collectord project (collectorforopenshift-syslog is the default):

bash
$ oc project collectorforopenshift-syslog

On Linux, log in to the registry with docker so the credentials land in $HOME/.docker/config.json:

bash
$ docker login registry.connect.redhat.com
Username: [redhat-username]
Password: [redhat-user-password]
Login Succeeded

Use your username here, not your email. Both will let you log in, but only username-based logins can actually pull images.

Then create the secret from that file:

bash
$ oc --namespace collectorforopenshift-syslog secrets new rhcc .dockerconfigjson=$HOME/.docker/config.json

macOS Docker stores credentials in the keychain rather than in config.json, so the file-based approach above won't work there. Create the secret directly from the command line instead:

bash
$ oc secrets --namespace collectorforopenshift-syslog new-dockercfg rhcc --docker-server=registry.connect.redhat.com --docker-username=<user_name> --docker-password=<password> --docker-email=<email>

Because the password is passed on the command line, make sure this command doesn't end up in your shell history (see Execute command without keeping it in history). The simplest option is to run export HISTFILE=/dev/null for the session before you type it.

Link the rhcc secret to the collectorforopenshift-syslog service account so the pods can use it:

bash
$ oc --namespace collectorforopenshift-syslog secrets link collectorforopenshift-syslog rhcc --for=pull

If pods were created before you linked the secret, they won’t pick it up retroactively — delete them and the workloads will recreate them with the right credentials:

bash
$ oc delete --namespace collectorforopenshift-syslog pods --all
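The Linux and macOS steps above differ only in how the pull secret gets built. The script below is an added example, not part of the Collectord documentation, that produces the same kind of kubernetes.io/dockerconfigjson secret on either platform without docker login and without the password ever appearing on a command line or in the shell history: it reads the password with terminal echo off, builds the config.json that docker login would have written, wraps it in a Secret manifest and pipes that into oc apply, then links the secret to the service account. The namespace, the secret name rhcc and the service account name are taken from the page; the variable and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Collectord docs): create the registry.connect.redhat.com
# pull secret without the password reaching argv or $HISTFILE.
# Assumed names: NAMESPACE, SECRET_NAME and SERVICE_ACCOUNT default to the values the page uses.

NAMESPACE="${NAMESPACE:-collectorforopenshift-syslog}"
SECRET_NAME="${SECRET_NAME:-rhcc}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-collectorforopenshift-syslog}"
REGISTRY="registry.connect.redhat.com"

# docker_auth USER PASS -> base64("USER:PASS"), the value Docker keeps under "auth".
# tr strips the line wrapping that GNU base64 adds; macOS base64 does not wrap.
docker_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# docker_config USER PASS -> the config.json that `docker login` would have written
# for this registry (only the "auths" entry that matters for pulling).
docker_config() {
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$REGISTRY" "$(docker_auth "$1" "$2")"
}

# secret_manifest USER PASS -> a Secret of type kubernetes.io/dockerconfigjson whose
# single data key, .dockerconfigjson, is the base64-encoded config above.
secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(docker_config "$1" "$2" | base64 | tr -d '\n')
EOF
}

# Interactive path: prompt for the username (not the email address, which cannot
# pull images) and read the password with echo disabled, then hand the manifest to
# oc over stdin and link it to the service account for pulls.
apply_pull_secret() {
    printf 'Red Hat username (not email): '
    read -r user
    printf 'Password: '
    stty -echo
    read -r pass
    stty echo
    printf '\n'
    secret_manifest "$user" "$pass" | oc apply -f -
    oc --namespace "$NAMESPACE" secrets link "$SERVICE_ACCOUNT" "$SECRET_NAME" --for=pull
}
```

Source the file in an interactive shell and call apply_pull_secret; the three helper functions have no side effects, so the manifest can be inspected with secret_manifest before anything is applied. Keep in mind that base64 of user:password is an encoding, not encryption: the resulting Secret object carries the registry credential in recoverable form and deserves the same access controls as the password itself.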

Created OpenShift Objects

collectorforopenshift-syslog.yaml provisions everything Collectord needs to run on the cluster:

  • Project collectorforopenshift-syslog — owns every other object in this list.
  • ClusterRole collectorforopenshift-syslog — grants get, list, and watch on the API objects Collectord uses to enrich logs and metrics with OpenShift metadata.
  • ServiceAccount collectorforopenshift-syslog — the identity Collectord uses to call the OpenShift API.
  • ClusterRoleBinding collectorforopenshift-syslog — binds the ServiceAccount to the ClusterRole.
  • ConfigMap collectorforopenshift-syslog — delivers the configuration files Collectord reads at startup.
  • DaemonSet collectorforopenshift-syslog — runs Collectord on non-master nodes.
  • DaemonSet collectorforopenshift-syslog-master — runs Collectord on master nodes.
  • Deployment collectorforopenshift-syslog-addon — a single Collectord that forwards cluster-scoped data (OpenShift events, watched objects) once for the whole cluster.

The collectorforopenshift-syslog.yaml file itself is heavily commented — read through it for the full breakdown of every input and configuration option.