promtail: Deploy as DaemonSet

Running Promtail in a pod controlled by a DaemonSet allows it to access
the Kubernetes API via a ServiceAccount token.  Since it needs the API
in order to discover the Pods running on the current node in order to
find their log files, this makes the authentication process a lot
simpler.

promtail/config.yml

@@ -0,0 +1,111 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+  enable_runtime_reload: true
+
+clients:
+- url: https://loki.pyrocufflink.blue/loki/api/v1/push
+  tls_config:
+    ca_file: /run/dch-ca/dch-root-ca.crt
+
+positions:
+  filename: /var/lib/promtail/positions
+
+scrape_configs:
+- job_name: journal
+  journal:
+    json: false
+    labels:
+      job: systemd-journal
+  relabel_configs:
+  - source_labels:
+    - __journal__hostname
+    target_label: hostname
+  - source_labels:
+    - __journal__systemd_unit
+    target_label: unit
+  - source_labels:
+    - __journal_syslog_identifier
+    target_label: syslog_identifier
+  - source_labels:
+    - __journal_priority
+    target_label: priority
+  - source_labels:
+    - __journal_message_id
+    target_label: message_id
+  - source_labels:
+    - __journal__comm
+    target_label: command
+  - source_labels:
+    - __journal__transport
+    target_label: transport
+
+- job_name: pods
+  kubernetes_sd_configs:
+  - role: pod
+  pipeline_stages:
+  - cri: {}
+  relabel_configs:
+  # Magic label: tell Promtail to filter out pods that are not running locally
+  - source_labels: [__meta_kubernetes_pod_node_name]
+    target_label: __host__
+  - target_label: job
+    replacement: kubernetes-pods
+  # Build the log file path:
+  #   /var/log/pods/{namespace}_{pod_name}_{pod_uid}/{container_name}/*.log
+  - source_labels:
+    - __meta_kubernetes_namespace
+    - __meta_kubernetes_pod_name
+    - __meta_kubernetes_pod_uid
+    separator: _
+    target_label: __path__
+    replacement: /var/log/pods/$1
+  - source_labels:
+    - __path__
+    - __meta_kubernetes_pod_container_name
+    separator: /
+    target_label: __path__
+    replacement: '$1/*.log'
+  - source_labels: [__meta_kubernetes_pod_node_name]
+    target_label: node_name
+  - source_labels: [__meta_kubernetes_namespace]
+    target_label: namespace
+  - source_labels: [__meta_kubernetes_pod_name]
+    target_label: pod
+  - source_labels: [__meta_kubernetes_pod_container_name]
+    target_label: container
+  - source_labels: [__meta_kubernetes_pod_controller_name]
+    regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
+    action: replace
+    target_label: __tmp_controller_name
+  # Set `app` to the first non-empty label from
+  # - app.kubernetes.io/name
+  # - app
+  # If none present, use the pod controller (e.g. Deployment) name.
+  # Fall back to pod name if none found.
+  - source_labels:
+    - __meta_kubernetes_pod_label_app_kubernetes_io_name
+    - __meta_kubernetes_pod_label_app
+    - __tmp_controller_name
+    - __meta_kubernetes_pod_name
+    regex: ^;*([^;]+)(;.*)?$
+    action: replace
+    target_label: app
+  # Set `instance` to the first non-empty label from
+  # - app.kubernetes.io/instance
+  # - instance
+  - source_labels:
+    - __meta_kubernetes_pod_label_app_kubernetes_io_instance
+    - __meta_kubernetes_pod_label_instance
+    regex: ^;*([^;]+)(;.*)?$
+    action: replace
+    target_label: instance
+  # Set `component` to the first non-empty label from
+  # - app.kubernetes.io/component
+  # - component
+  - source_labels:
+    - __meta_kubernetes_pod_label_app_kubernetes_io_component
+    - __meta_kubernetes_pod_label_component
+    regex: ^;*([^;]+)(;.*)?$
+    action: replace
+    target_label: component