Rotating the Logging agent IAM APIKey for ingestion by using a Helm chart
You can use Helm to update the Logging agent IAM APIKey that is deployed in the cluster. Updating the IAM APIKey might be required if you need to rotate the IAM APIKey or update the IAM APIKey for other reasons.
Complete the following steps to update the IAM APIKey that is used by the agent deployed in the cluster:
Before you begin
Before you begin, complete the prerequisite tasks.
- Install the following CLIs:
  - The IBM Cloud CLI to log in to IBM Cloud and manage IBM Cloud services such as creating an API key. For more information, see Getting started with the IBM Cloud CLI.
  - The Kubernetes CLI to manage Kubernetes clusters by using kubectl commands.
  - The OpenShift CLI to manage OpenShift clusters from the command line.
- Read about the Logging agent.
- Generate an API Key for service ID authentication. For more information, see Generating an API Key for ingestion.
Update the agent with a new API key
If the secret was created manually, or if you are using iamMode=TrustedProfile, do not use this document to update the IAM APIKey.
Complete the following steps to update the agent with the new APIKey:
- Log in to the cluster. For more information, see Access your cluster.
- Log in to the Helm registry. Choose one of the following options:

  Option 1: Log in to the Helm registry by running the helm registry login command:

      helm registry login -u iambearer -p $(ibmcloud iam oauth-tokens --output json | jq -r .iam_token | cut -d " " -f2) icr.io

  Windows PowerShell users should use this command instead:

      helm registry login -u iambearer -p ((ibmcloud iam oauth-tokens --output json | ConvertFrom-Json).iam_token -replace 'Bearer ', '') icr.io

  For more information, see Using Helm charts in Container Registry: Pulling charts from another registry or Helm repository.

  Option 2: Log in to the Helm registry in Container Registry by running the ibmcloud cr login command.

  You can use the [ibmcloud cr login](/docs/Registry?topic=Registry-containerregcli#bx_cr_login) command before you perform a Helm dry run or install. For more information, see Accessing Container Registry.

  Run the following commands:

      ibmcloud cr region-set global
      ibmcloud cr login [--client CLIENT]

- Update the agent.

  If you have installed a previous version of the Logging agent and have updated the agent configuration by modifying the config map directly in the cluster, make a copy of your config map from the cluster before running the helm upgrade command. When the Logging agent is updated, any changes made to the config map will be overwritten.

      helm upgrade <install-name> oci://icr.io/ibm/observe/logs-agent-helm --version <chart-version> --values <PATH>/logs-values.yaml -n ibm-observe --set secret.iamAPIKey=<APIKey-value>

  where:

  - <install-name> is the name of the Helm installation (logging-agent)
  - <chart-version> is the version of the Helm chart. The Helm chart version should match the agent image version. For more information, see Helm chart versions.
  - <PATH> is the directory path where the logs-values.yaml file is located.
  - <APIKey-value> is the new IAM APIKey associated with the ServiceID.

  For example, you can run the following command from the directory where the logs-values.yaml file is available:

      helm upgrade logging-agent oci://icr.io/ibm/observe/logs-agent-helm --version 1.5.0 --values ./logs-values.yaml -n ibm-observe --set secret.iamAPIKey=<secret>

  To see the installed agent name and chart version, you can run helm list -n NAMESPACE.

- Restart the agent pods.

  For Kubernetes clusters, run:

      kubectl -n ibm-observe rollout restart ds/logs-agent

  For OpenShift clusters, run:

      oc -n ibm-observe rollout restart ds/logs-agent
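
The update and restart steps above can be wrapped so that the new key is never typed on the command line, where `--set secret.iamAPIKey=<APIKey-value>` leaves it in shell history and in the process list. The following shell function is an added example, not part of the IBM documentation: the function name, the `KUBE_CLI` variable and reading the key from standard input are assumptions, and it uses Helm's `--set-file` flag in place of `--set`.

```sh
# Added example, not IBM's code. Assumptions: the function name, KUBE_CLI,
# and supplying the new key on standard input.
# usage: rotate_logs_agent_key <install-name> <chart-version> <values-file> < key
rotate_logs_agent_key() (
    install_name=$1 chart_version=$2 values_file=$3
    cli=${KUBE_CLI:-kubectl}    # set KUBE_CLI=oc on OpenShift clusters
    ns=ibm-observe

    [ $# -eq 3 ] || { echo "usage: rotate_logs_agent_key NAME VERSION VALUES < key" >&2; exit 2; }
    [ -r "$values_file" ] || { echo "cannot read $values_file" >&2; exit 2; }

    # Read the key from stdin so it never appears in argv (ps) or shell history.
    IFS= read -r api_key || true
    case $api_key in
        '' | *[[:space:]]* | *\<* | *\>*)
            # Empty input, stray whitespace/CR, or an unfilled <placeholder>.
            echo "refusing key: empty, contains whitespace, or is a placeholder" >&2
            exit 2 ;;
    esac

    # Private temp file (mode 0600), removed when this subshell exits.
    umask 077
    key_file=$(mktemp) || exit 1
    trap 'rm -f "$key_file"' EXIT
    printf '%s' "$api_key" > "$key_file"    # no trailing newline in the value

    # Same upgrade as the page's command, with --set-file instead of --set.
    helm upgrade "$install_name" oci://icr.io/ibm/observe/logs-agent-helm \
        --version "$chart_version" --values "$values_file" -n "$ns" \
        --set-file secret.iamAPIKey="$key_file" || exit 1

    # Restart the agent pods, then wait until the DaemonSet rollout completes.
    "$cli" -n "$ns" rollout restart ds/logs-agent || exit 1
    "$cli" -n "$ns" rollout status ds/logs-agent --timeout=180s
)
```

Source the file and pipe the key into the function from wherever it is stored; a non-zero exit status means the upgrade, the restart or the rollout wait failed and the old pods may still be running.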
Verify that logs are being delivered to your target destination
Complete the following steps:
- When your agent is correctly configured, you can see logs through the default dashboard view. The Logging agent tags log records with a kubernetes object that includes the cluster name.

      kubernetes.cluster_name:<CLUSTER_NAME>

  You can run the query kubernetes.cluster_name:<YOUR_CLUSTER_NAME> in your IBM Cloud Logs instance to search for logs that are generated by your cluster.