

feat(operator): Change attribute value used for CCO-based credential …
…mode (#12165)
JoaoBraveCoding authored Mar 12, 2024
1 parent a0fce39 commit 3eee541
Showing 31 changed files with 165 additions and 169 deletions.
1 change: 1 addition & 0 deletions operator/CHANGELOG.md
@@ -1,5 +1,6 @@
## Main

- [12165](https://github.com/grafana/loki/pull/12165) **JoaoBraveCoding**: Change attribute value used for CCO-based credential mode
- [12157](https://github.com/grafana/loki/pull/12157) **periklis**: Fix managed auth features annotation for community-openshift bundle
- [12104](https://github.com/grafana/loki/pull/12104) **periklis**: Upgrade build and runtime dependencies
- [11928](https://github.com/grafana/loki/pull/11928) **periklis**: Fix remote write client timeout config rename
4 changes: 2 additions & 2 deletions operator/apis/config/v1/projectconfig_types.go
Expand Up @@ -52,9 +52,9 @@ type OpenShiftFeatureGates struct {
// Dashboards enables the loki-mixin dashboards into the OpenShift Console
Dashboards bool `json:"dashboards,omitempty"`

// ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
// TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
// that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
ManagedAuthEnv bool
TokenCCOAuthEnv bool
}

// FeatureGates is the supported set of all operator feature gates.
22 changes: 10 additions & 12 deletions operator/apis/loki/v1/lokistack_types.go
Expand Up @@ -1070,12 +1070,10 @@ const (
ReasonMissingObjectStorageSecret LokiStackConditionReason = "MissingObjectStorageSecret"
// ReasonInvalidObjectStorageSecret when the format of the secret is invalid.
ReasonInvalidObjectStorageSecret LokiStackConditionReason = "InvalidObjectStorageSecret"
// ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
// storage is missing.
ReasonMissingCredentialsRequest LokiStackConditionReason = "MissingCredentialsRequest"
// ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
// storage is missing.
ReasonMissingManagedAuthSecret LokiStackConditionReason = "MissingManagedAuthenticationSecret"
// ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
// This is usually a transient error because the secret is not immediately available after creating the
// CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.
ReasonMissingTokenCCOAuthSecret LokiStackConditionReason = "MissingTokenCCOAuthenticationSecret"
// ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).
ReasonInvalidObjectStorageSchema LokiStackConditionReason = "InvalidObjectStorageSchema"
// ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
Expand Down Expand Up @@ -1204,7 +1202,7 @@ type LokiStackComponentStatus struct {

// CredentialMode represents the type of authentication used for accessing the object storage.
//
// +kubebuilder:validation:Enum=static;token;managed
// +kubebuilder:validation:Enum=static;token;token-cco
type CredentialMode string

const (
Expand All @@ -1216,11 +1214,11 @@ const (
// Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
// much more granular control. This authentication mode is not supported for all object storage types.
CredentialModeToken CredentialMode = "token"
// CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
// This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
// it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
// This mode is only supported for certain object storage types in certain runtime environments.
CredentialModeManaged CredentialMode = "managed"
// CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
// This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
// it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
// a secret. This mode is only supported for certain object storage types in certain runtime environments.
CredentialModeTokenCCO CredentialMode = "token-cco"
)

// LokiStackStorageStatus defines the observed state of
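Review bot: Replacing `managed` with `token-cco` in the `+kubebuilder:validation:Enum` marker (and dropping the `CredentialModeManaged` constant in the following hunk) removes the old value from the CRD schema with no deprecation alias, so an existing LokiStack whose spec or status already carries `credentialMode: managed` will presumably be rejected by server-side validation on its next update until it is rewritten. That is fine if `managed` never shipped in a release, but the commit message does not say so. If it did ship, keeping it for one release — `// +kubebuilder:validation:Enum=static;token;token-cco;managed` plus `// Deprecated: use CredentialModeTokenCCO.` on the old constant, with the reconciler treating both values alike — would give a clean upgrade path. The removed status reasons `MissingCredentialsRequest` and `MissingManagedAuthenticationSecret` raise the same question, though those are presumably only written by the operator and overwritten on the next reconcile.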
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2024-03-11T16:01:17Z"
createdAt: "2024-03-12T09:52:37Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
features.operators.openshift.io/disconnected: "true"
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2024-03-11T16:01:16Z"
createdAt: "2024-03-12T09:52:36Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
operators.operatorframework.io/builder: operator-sdk-unknown
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: quay.io/openshift-logging/loki-operator:0.1.0
createdAt: "2024-03-11T16:01:19Z"
createdAt: "2024-03-12T09:52:39Z"
description: |
The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
## Prerequisites and Requirements
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
4 changes: 2 additions & 2 deletions operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
Expand Up @@ -617,7 +617,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3801,7 +3801,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
4 changes: 2 additions & 2 deletions operator/controllers/loki/lokistack_controller.go
Expand Up @@ -110,7 +110,7 @@ type LokiStackReconciler struct {
Log logr.Logger
Scheme *runtime.Scheme
FeatureGates configv1.FeatureGates
AuthConfig *config.ManagedAuthConfig
AuthConfig *config.TokenCCOAuthConfig
}

// +kubebuilder:rbac:groups=loki.grafana.com,resources=lokistacks,verbs=get;list;watch;create;update;patch;delete
Expand Down Expand Up @@ -179,7 +179,7 @@ func (r *LokiStackReconciler) updateResources(ctx context.Context, req ctrl.Requ
}
}

if r.FeatureGates.OpenShift.ManagedAuthEnv {
if r.FeatureGates.OpenShift.TokenCCOAuthEnv {
if err := handlers.CreateUpdateDeleteCredentialsRequest(ctx, r.Log, r.Scheme, r.AuthConfig, r.Client, req); err != nil {
return "", err
}
27 changes: 12 additions & 15 deletions operator/docs/operator/api.md
Expand Up @@ -1115,13 +1115,7 @@ string
<th>Description</th>
</tr>
</thead>
<tbody><tr><td><p>&#34;managed&#34;</p></td>
<td><p>CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
This mode is only supported for certain object storage types in certain runtime environments.</p>
</td>
</tr><tr><td><p>&#34;static&#34;</p></td>
<tbody><tr><td><p>&#34;static&#34;</p></td>
<td><p>CredentialModeStatic represents the usage of static, long-lived credentials stored in a Secret.
This is the default authentication mode and available for all supported object storage types.</p>
</td>
Expand All @@ -1131,6 +1125,12 @@ In this mode the static configuration does not contain credentials needed for th
Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
much more granular control. This authentication mode is not supported for all object storage types.</p>
</td>
</tr><tr><td><p>&#34;token-cco&#34;</p></td>
<td><p>CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
a secret. This mode is only supported for certain object storage types in certain runtime environments.</p>
</td>
</tr></tbody>
</table>

Expand Down Expand Up @@ -1779,10 +1779,6 @@ with the select cluster size.</p>
</tr><tr><td><p>&#34;InvalidTenantsConfiguration&#34;</p></td>
<td><p>ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.</p>
</td>
</tr><tr><td><p>&#34;MissingCredentialsRequest&#34;</p></td>
<td><p>ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
storage is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingGatewayTenantAuthenticationConfig&#34;</p></td>
<td><p>ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config</p>
</td>
Expand All @@ -1797,10 +1793,6 @@ for authentication is missing.</p>
<td><p>ReasonMissingGatewayTenantSecret when the required tenant secret
for authentication is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingManagedAuthenticationSecret&#34;</p></td>
<td><p>ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
storage is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingObjectStorageCAConfigMap&#34;</p></td>
<td><p>ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
certificates is missing.</p>
Expand All @@ -1813,6 +1805,11 @@ storage is missing.</p>
<td><p>ReasonMissingRulerSecret when the required secret to authorization remote write connections
for the ruler is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingTokenCCOAuthenticationSecret&#34;</p></td>
<td><p>ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
This is usually a transient error because the secret is not immediately available after creating the
CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.</p>
</td>
</tr><tr><td><p>&#34;PendingComponents&#34;</p></td>
<td><p>ReasonPendingComponents when all/some LokiStack components pending dependencies</p>
</td>
4 changes: 2 additions & 2 deletions operator/docs/operator/feature-gates.md
Expand Up @@ -411,13 +411,13 @@ bool
</tr>
<tr>
<td>
<code>ManagedAuthEnv</code><br/>
<code>TokenCCOAuthEnv</code><br/>
<em>
bool
</em>
</td>
<td>
<p>ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
<p>TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
that it is running with some kind of &ldquo;workload identity&rdquo; (AWS STS, Azure WIF) enabled.</p>
</td>
</tr>
2 changes: 1 addition & 1 deletion operator/hack/deploy-aws-storage-secret.sh
Expand Up @@ -37,7 +37,7 @@ readonly access_key_id
secret_access_key=${SECRET_ACCESS_KEY:-$(aws configure get aws_secret_access_key)}
readonly secret_access_key

# Managed authentication with/without a manually provisioned AWS Role.
# token authentication with/without a manually provisioned AWS Role.
readonly sts=${STS:-false}
readonly role_arn=${2-}

8 changes: 4 additions & 4 deletions operator/internal/config/managed_auth.go
Expand Up @@ -13,12 +13,12 @@ type AzureEnvironment struct {
Region string
}

type ManagedAuthConfig struct {
type TokenCCOAuthConfig struct {
AWS *AWSEnvironment
Azure *AzureEnvironment
}

func discoverManagedAuthConfig() *ManagedAuthConfig {
func discoverTokenCCOAuthConfig() *TokenCCOAuthConfig {
// AWS
roleARN := os.Getenv("ROLEARN")

Expand All @@ -30,13 +30,13 @@ func discoverManagedAuthConfig() *ManagedAuthConfig {

switch {
case roleARN != "":
return &ManagedAuthConfig{
return &TokenCCOAuthConfig{
AWS: &AWSEnvironment{
RoleARN: roleARN,
},
}
case clientID != "" && tenantID != "" && subscriptionID != "":
return &ManagedAuthConfig{
return &TokenCCOAuthConfig{
Azure: &AzureEnvironment{
ClientID: clientID,
SubscriptionID: subscriptionID,
10 changes: 5 additions & 5 deletions operator/internal/config/options.go
Expand Up @@ -17,7 +17,7 @@ import (

// LoadConfig initializes the controller configuration, optionally overriding the defaults
// from a provided configuration file.
func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *ManagedAuthConfig, ctrl.Options, error) {
func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *TokenCCOAuthConfig, ctrl.Options, error) {
options := ctrl.Options{Scheme: scheme}
if configFile == "" {
return &configv1.ProjectConfig{}, nil, options, nil
Expand All @@ -28,13 +28,13 @@ func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectCon
return nil, nil, options, fmt.Errorf("failed to parse controller manager config file: %w", err)
}

managedAuth := discoverManagedAuthConfig()
if ctrlCfg.Gates.OpenShift.Enabled && managedAuth != nil {
ctrlCfg.Gates.OpenShift.ManagedAuthEnv = true
tokenCCOAuth := discoverTokenCCOAuthConfig()
if ctrlCfg.Gates.OpenShift.Enabled && tokenCCOAuth != nil {
ctrlCfg.Gates.OpenShift.TokenCCOAuthEnv = true
}

options = mergeOptionsFromFile(options, ctrlCfg)
return ctrlCfg, managedAuth, options, nil
return ctrlCfg, tokenCCOAuth, options, nil
}

func mergeOptionsFromFile(o manager.Options, cfg *configv1.ProjectConfig) manager.Options {
6 changes: 3 additions & 3 deletions operator/internal/handlers/credentialsrequest.go
Expand Up @@ -22,7 +22,7 @@ import (

// CreateUpdateDeleteCredentialsRequest creates a new CredentialsRequest resource for a Lokistack
// to request a cloud credentials Secret resource from the OpenShift cloud-credentials-operator.
func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, managedAuth *config.ManagedAuthConfig, k k8s.Client, req ctrl.Request) error {
func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, tokenCCOAuth *config.TokenCCOAuthConfig, k k8s.Client, req ctrl.Request) error {
ll := log.WithValues("lokistack", req.NamespacedName, "event", "createCredentialsRequest")

var stack lokiv1.LokiStack
Expand Down Expand Up @@ -59,7 +59,7 @@ func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger,
LokiStackNamespace: stack.Namespace,
RulerName: manifests.RulerName(stack.Name),
},
ManagedAuth: managedAuth,
TokenCCOAuth: tokenCCOAuth,
}

credReq, err := openshift.BuildCredentialsRequest(opts)
Expand Down Expand Up @@ -99,7 +99,7 @@ func hasManagedCredentialMode(stack *lokiv1.LokiStack) bool {
switch stack.Spec.Storage.Secret.CredentialMode {
case lokiv1.CredentialModeStatic, lokiv1.CredentialModeToken:
return false
case lokiv1.CredentialModeManaged:
case lokiv1.CredentialModeTokenCCO:
return true
default:
}
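Review bot: `hasManagedCredentialMode` (last hunk of this file) keeps its old name while its body now returns true only for `lokiv1.CredentialModeTokenCCO`, which leaves the "managed" vocabulary at exactly the call site this rename is meant to retire; renaming it to `hasTokenCCOCredentialMode` would keep it consistent with `TokenCCOAuthConfig`, `TokenCCOAuthEnv` and the renamed `tokenCCOAuth` parameter. The same inconsistency applies to the file name `operator/internal/config/managed_auth.go`, which after this commit defines only TokenCCO-named identifiers. The function's signature and its `default:` fall-through continue outside the hunk, so the return path after the switch is not visible here.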

