Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Deprecation of Loki based application logs in SAP BTP, Kyma Runtime

a-thaler
Advisor
Advisor
‎11-02-2022 9:55 AM
I'm part of the team working on the Observability feature for SAP BTP, Kyma Runtime, and in my previous blog post: From Observability to Telemetry – a strategy shift in SAP BTP, Kyma Runtime, I talked a bit about the general shift we are planning to do in the Kyma runtime in regards to Observability. As a first but important step, we are going to deprecate the logging functionality based on Loki, that is, the capability to query application logs for up to 5 days using the integrated Grafana view. In this blog post, I'm going to give you more details why we made that decision, and present the alternatives.

Background


SAP BTP, Kyma Runtime shifted the focus towards providing enterprise-grade components as building blocks that you can use to connect your productive workloads with the SAP ecosystem. Our classic in-cluster Logging component does not qualify for enterprise-grade criteria because it does not scale with your application log load. Furthermore, you cannot configure it in any way, like for data retention times. Lastly, running a logging backend in-cluster (in the same cluster where your workload is running) has several flaws:

  • Ecosystem: It does not support a multi-environment scenario, where you want to store and analyze logs from multiple environments in one solution.

  • Security: Your historic application logs are exposed to a potential attacker of the cluster, and with that, cannot be used for forensic analysis.

  • Operations: If the cluster is not accessible for any reason, you also cannot access the historical application logs for troubleshooting.


Another factor that influenced our decision is that Grafana Labs changed the licensing for Loki and Grafana to AGPLv3. This made us rethink the observability capabilities of the Kyma runtime overall, reinforcing our strategy shift towards integration into existing observability systems over managing such systems in-cluster. For the same reason, we accelerated the execution of the strategy, and with that, the deprecation of the Loki-based Logging component.

Overall, we no longer believe that a managed in-cluster solution meets the typical requirements for productive workloads; so we won't invest further into that. Instead, the Kyma runtime is going to support you with the integration into central systems, ideally also providing solutions that are part of the SAP BTP offering.

Consequences


For now, nothing changes as it is a deprecation only. However, in half a year or later:

  • You will lose the ability to browse your application logs for up to 5 days in the integrated Grafana explore view.


Still, the following options will not be affected:

  • You can continue to retrieve logs for currently running workloads using the Kubernetes-native `kubectl logs` command.

  • You can continue to view current container logs in the dashboard of the Kyma runtime.

  • Also, you can continue to bring your custom solution for collection and long-term storage of application logs within or outside the cluster.


New API


Furthermore, to unburden you from the details of how to reliably fetch and ship all relevant logs for your application to a managed logging backend, we introduced a first version of a new Kubernetes API extension: the LogPipeline API. With this API, you can select the application logs you are interested in by namespaces and containers, and define an output based on a plain HTTP/JSON integration. If you want to find out more, hop over to the product documentation for the Telemetry component.

A remark: After you read my previous: From Observability to Telemetry – a strategy shift in SAP BTP, Kyma Runtime, you might wonder why the Kyma runtime uses a protocol that's very specific to the Fluent Bit ecosystem and not as vendor-neutral as expected. The reason is that in the OpenTelemetry ecosystem, the parts related to logs are just about to become stable and adopted (while for the other data types, they are already stable). Because the Fluent Bit ecosystem is very mature and widely adopted, we decided to go with that in a first version but will evolve it to support the OTLP specification later.

Integration Options


With the new API, you get the following integration options:

  1. The LogPipeline API enables the integration into systems that natively support HTTP/JSON as input. Typically, such systems use Fluentd as ingestor.

  2. If direct integration is not possible, you can run Fluntd in your custom namespace and leverage the full ecosystem of output plugins to connect with nearly any vendor available.

  3. If your scenario is more advanced, or you anyway want to run your own log collector, you still can do that as well.


If you prefer the classic in-cluster Loki solution, read Installing a custom Loki stack.



Conclusion


With an upcoming release of SAP BTP, Kyma runtime, the feature for retrieving application logs based on Loki will be marked as deprecated. About six months or later, the feature will be removed. We'll announce the deprecation and removal in the release notes.

So, if you have no external logging system integrated yet, you might want to start evaluating that option or follow the provided instructions on installing Loki on your own.


Stay tuned for upcoming SAP BTP Kyma Runtime blog posts and follow the related topic page.
Labels:
7 Comments
LuizGomes
Participant
‎12-04-2022 7:03 PM
0 Kudos
hi andreas.thaler01

Thanks for your blog. It helps me a lot. I got a question. How would I authenticate in grafana using BTP itself. In this guide https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/3e4299cfd0884c428e6b4774225638e8.html a prerequisite is IAS. But I don't have IAS and it's not possible to configure it. Is it possible to configure it in another way but using SAP technologies, apart from IAS?

 

And also why adopt an authentication strategy different from the one adopted to authenticate to the cluster. I really hoped that kyma would help me on a daily basis and save me time. But I need to live with the particularities imposed by SAP.
a-thaler
Advisor
Advisor
‎12-05-2022 1:59 PM
0 Kudos
Hi Luiz,

thanks a lot for your feedback. We try to support a harmonized authentication strategy via the configuration of a custom IAS tenant. You can configure your IAS tenant for cluster access and for Grafana access. Could you please share why that is not a valid option for you? According to this documentation you should be able to get a default tenant which you can leverage for that.

Alternatively, we can check if you could just bring your own standalone approuter and configure that for the Grafana exposure via xsuaa integration. Would that be a more viable option?

Looking forward to hear your thoughts,

Andreas
LuizGomes
Participant
‎12-05-2022 10:17 PM
0 Kudos
Hi andreas.thaler01

 

The infeasibility of ISA is due to the fact that it is one more service that consumes hours of implementation and maintenance. There is no possibility that I will configure this service only for grafana authentication.

With xsuaa it is a more viable option, it is simpler to configure and maintain than IAS. How would this configuration look? Can you provide it as an example? Can you include it in the guide?

 

Luiz Gomes
a-thaler
Advisor
Advisor
‎12-09-2022 10:26 AM
0 Kudos
Hi 015454888556565665685989,

The assumption is that users will own/manage an IAS tenant anyway as it brings much more flexibility in group management. However, I get your point and the assumption is not valid by default.

For the cluster access, by default an internal tenant gets used where the user has no access. Unfortunately that cannot be re-used for the in-cluster grafana access as secrets of the internal tenant would be exposed. That's why a custom setting is required at the moment.

I tried the scenario on base of an approuter with xsuaa integration and it worked out. Please have a look here for my findings.

I hope that might fit for you,

 

Andreas
LuizGomes
Participant
‎12-09-2022 10:57 AM
0 Kudos
Hi andreas.thaler01

It worked, I'm connecting via xsuaa in grafana.

I noticed that I don't have some permissions and since some functionality is not present, can this be worked around or is it the default for this version of grafana with kyma?

 

Regards

Luiz Gomes
a-thaler
Advisor
Advisor
‎12-09-2022 12:53 PM
0 Kudos
Hi 015454888556565665685989,

the Grafana instance bundled with Kyma is "read-only" and with that has limited functionality. That cannot be changed by the user.

As outlined in the linked strategy blog post, we don't see a future in running a managed solution inside the data plane which is owned by the user, instead we will focus on integration capabilities.

Good to hear that it worked out,

Thanks Andreas
LuizGomes
Participant
‎12-09-2022 1:27 PM
0 Kudos
Hi @Andreas Thales

 

So I don't see any adherence to the use of this version of grafana. We need to create business-oriented dashboards to give stakeholders a business view.

 

Regards

Luiz Gomes
Labels in this area
Popular Blog Posts