From a3aaa53ec082f8548d6a2b69c12cc2a0751ddd9f Mon Sep 17 00:00:00 2001 From: Joao Marcal Date: Fri, 31 Jan 2025 12:25:19 +0000 Subject: [PATCH 1/2] feat(operator): extend LokiStack authorization to support OTel Semantics --- .../manifests/gateway_tenants_test.go | 20 +++++++++++-------- operator/internal/manifests/gateway_test.go | 2 +- .../manifests/openshift/alertingrule.go | 2 +- .../manifests/openshift/alertingrule_test.go | 2 +- .../internal/manifests/openshift/configure.go | 4 ++-- .../manifests/openshift/opa_openshift.go | 5 +++-- .../manifests/openshift/recordingrule.go | 2 +- .../manifests/openshift/recordingrule_test.go | 2 +- 8 files changed, 22 insertions(+), 17 deletions(-) diff --git a/operator/internal/manifests/gateway_tenants_test.go b/operator/internal/manifests/gateway_tenants_test.go index 051b6a653aab8..e9f4341cb22c8 100644 --- a/operator/internal/manifests/gateway_tenants_test.go +++ b/operator/internal/manifests/gateway_tenants_test.go @@ -716,7 +716,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -730,7 +730,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, 
@@ -825,7 +826,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -839,7 +840,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", "--tls.internal.server.cert-file=/var/run/tls/http/server/tls.crt", "--tls.internal.server.key-file=/var/run/tls/http/server/tls.key", "--tls.min-version=min-version", @@ -1162,7 +1164,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -1176,7 +1178,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=custom-admins,other-admins", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, @@ -1259,7 +1262,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { 
@@ -1272,7 +1275,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--web.healthchecks.url=http://localhost:8082", "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, diff --git a/operator/internal/manifests/gateway_test.go b/operator/internal/manifests/gateway_test.go index 02ad588974858..0bd637bc0c12b 100644 --- a/operator/internal/manifests/gateway_test.go +++ b/operator/internal/manifests/gateway_test.go @@ -726,7 +726,7 @@ func TestBuildGateway_WithRulesEnabled(t *testing.T) { wantArgs: []string{ "--logs.rules.endpoint=https://abcd-ruler-http.efgh.svc.cluster.local:3100", "--logs.rules.read-only=true", - "--logs.rules.label-filters=application:kubernetes_namespace_name", + "--logs.rules.label-filters=application:kubernetes_namespace_name,k8s_namespace_name", }, }, { diff --git a/operator/internal/manifests/openshift/alertingrule.go b/operator/internal/manifests/openshift/alertingrule.go index 5d03db6d0f924..6b0a3ba6b6c44 100644 --- a/operator/internal/manifests/openshift/alertingrule.go +++ b/operator/internal/manifests/openshift/alertingrule.go @@ -6,7 +6,7 @@ func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) { switch ar.Spec.TenantID { case tenantApplication: appendAlertingRuleLabels(ar, map[string]string{ - opaDefaultLabelMatcher: ar.Namespace, + opaDefaultLabelMatchers: ar.Namespace, ocpMonitoringGroupByLabel: ar.Namespace, }) case tenantInfrastructure, tenantAudit, tenantNetwork: diff --git a/operator/internal/manifests/openshift/alertingrule_test.go b/operator/internal/manifests/openshift/alertingrule_test.go index afd50dc3d2d73..22cfcacf10668 100644 --- a/operator/internal/manifests/openshift/alertingrule_test.go 
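Review bot: Using `opaDefaultLabelMatchers` as the map key in `AlertingRuleTenantLabels` stamps every application rule with a label literally named `kubernetes_namespace_name,k8s_namespace_name`, which is not a valid label name and matches neither of the two keys the OPA sidecar and the rules label filter now look for. The constant changed from a single name to a comma-joined list in this same patch, so this call site (and the identical one in recordingrule.go) needs to split it and add one entry per label, e.g. `for _, l := range strings.Split(opaDefaultLabelMatchers, ",") { labels[l] = ar.Namespace }`. PATCH 2/2 in this series does exactly that; consider squashing so this intermediate state never lands as a standalone commit.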
+++ b/operator/internal/manifests/openshift/alertingrule_test.go @@ -46,7 +46,7 @@ func TestAlertingRuleTenantLabels(t *testing.T) { { Alert: "alert", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatchers: "test-ns", ocpMonitoringGroupByLabel: "test-ns", }, }, diff --git a/operator/internal/manifests/openshift/configure.go b/operator/internal/manifests/openshift/configure.go index 75ecc65973bf5..5403c89afa944 100644 --- a/operator/internal/manifests/openshift/configure.go +++ b/operator/internal/manifests/openshift/configure.go @@ -81,7 +81,7 @@ func ConfigureGatewayDeployment( } d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args, - fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatcher), + fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers), ) } } @@ -102,7 +102,7 @@ func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName stri container := corev1.Container{ Args: []string{ - fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatcher), + fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatchers), }, } diff --git a/operator/internal/manifests/openshift/opa_openshift.go b/operator/internal/manifests/openshift/opa_openshift.go index bc804c11b11ed..1fb3600bc2bb2 100644 --- a/operator/internal/manifests/openshift/opa_openshift.go +++ b/operator/internal/manifests/openshift/opa_openshift.go @@ -19,7 +19,7 @@ const ( opaDefaultPackage = "lokistack" opaDefaultAPIGroup = "loki.grafana.com" opaMetricsPortName = "opa-metrics" - opaDefaultLabelMatcher = "kubernetes_namespace_name" + opaDefaultLabelMatchers = "kubernetes_namespace_name,k8s_namespace_name" opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace" ocpMonitoringGroupByLabel = "namespace" ) 
@@ -53,7 +53,8 @@ func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, mi if mode != lokiv1.OpenshiftNetwork { args = append(args, []string{ - fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatcher), + fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatchers), + "--opa.matcher-op=or", }...) } else { args = append(args, []string{ diff --git a/operator/internal/manifests/openshift/recordingrule.go b/operator/internal/manifests/openshift/recordingrule.go index 8e8a0eccfa6de..97480516a2d22 100644 --- a/operator/internal/manifests/openshift/recordingrule.go +++ b/operator/internal/manifests/openshift/recordingrule.go @@ -6,7 +6,7 @@ func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) { switch r.Spec.TenantID { case tenantApplication: appendRecordingRuleLabels(r, map[string]string{ - opaDefaultLabelMatcher: r.Namespace, + opaDefaultLabelMatchers: r.Namespace, ocpMonitoringGroupByLabel: r.Namespace, }) case tenantInfrastructure, tenantAudit, tenantNetwork: diff --git a/operator/internal/manifests/openshift/recordingrule_test.go b/operator/internal/manifests/openshift/recordingrule_test.go index 901913dac2944..9eb61487aadfb 100644 --- a/operator/internal/manifests/openshift/recordingrule_test.go +++ b/operator/internal/manifests/openshift/recordingrule_test.go @@ -46,7 +46,7 @@ func TestRecordingRuleTenantLabels(t *testing.T) { { Record: "record", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatchers: "test-ns", ocpMonitoringGroupByLabel: "test-ns", }, }, From cb89029c27035bbeadecabbb6aa682aa8a0a1a98 Mon Sep 17 00:00:00 2001 
From: Joao Marcal Date: Fri, 31 Jan 2025 12:25:19 +0000 Subject: [PATCH 2/2] feat(operator): extend LokiStack authorization to support OTel Semantics --- .../manifests/gateway_tenants_test.go | 20 +++++++++++-------- operator/internal/manifests/gateway_test.go | 2 +- .../manifests/openshift/alertingrule.go | 16 +++++++++++---- .../manifests/openshift/alertingrule_test.go | 2 +- .../internal/manifests/openshift/configure.go | 4 ++-- .../manifests/openshift/opa_openshift.go | 5 +++-- .../manifests/openshift/recordingrule.go | 16 +++++++++++---- .../manifests/openshift/recordingrule_test.go | 2 +- .../internal/validation/openshift/common.go | 3 ++- 9 files changed, 46 insertions(+), 24 deletions(-) diff --git a/operator/internal/manifests/gateway_tenants_test.go b/operator/internal/manifests/gateway_tenants_test.go index 051b6a653aab8..e9f4341cb22c8 100644 --- a/operator/internal/manifests/gateway_tenants_test.go +++ b/operator/internal/manifests/gateway_tenants_test.go @@ -716,7 +716,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -730,7 +730,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, 
@@ -825,7 +826,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -839,7 +840,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", "--tls.internal.server.cert-file=/var/run/tls/http/server/tls.crt", "--tls.internal.server.key-file=/var/run/tls/http/server/tls.key", "--tls.min-version=min-version", @@ -1162,7 +1164,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { @@ -1176,7 +1178,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", "--opa.admin-groups=custom-admins,other-admins", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, @@ -1259,7 +1262,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { { Name: gatewayContainerName, Args: []string{ - "--logs.auth.extract-selectors=kubernetes_namespace_name", + "--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name", }, }, { 
@@ -1272,7 +1275,8 @@ func TestConfigureDeploymentForMode(t *testing.T) { "--web.healthchecks.url=http://localhost:8082", "--opa.skip-tenants=audit,infrastructure", "--opa.package=lokistack", - "--opa.matcher=kubernetes_namespace_name", + "--opa.matcher=kubernetes_namespace_name,k8s_namespace_name", + "--opa.matcher-op=or", `--openshift.mappings=application=loki.grafana.com`, `--openshift.mappings=infrastructure=loki.grafana.com`, `--openshift.mappings=audit=loki.grafana.com`, diff --git a/operator/internal/manifests/gateway_test.go b/operator/internal/manifests/gateway_test.go index 02ad588974858..0bd637bc0c12b 100644 --- a/operator/internal/manifests/gateway_test.go +++ b/operator/internal/manifests/gateway_test.go @@ -726,7 +726,7 @@ func TestBuildGateway_WithRulesEnabled(t *testing.T) { wantArgs: []string{ "--logs.rules.endpoint=https://abcd-ruler-http.efgh.svc.cluster.local:3100", "--logs.rules.read-only=true", - "--logs.rules.label-filters=application:kubernetes_namespace_name", + "--logs.rules.label-filters=application:kubernetes_namespace_name,k8s_namespace_name", }, }, { diff --git a/operator/internal/manifests/openshift/alertingrule.go b/operator/internal/manifests/openshift/alertingrule.go index 5d03db6d0f924..9f7ee11da2d38 100644 --- a/operator/internal/manifests/openshift/alertingrule.go +++ b/operator/internal/manifests/openshift/alertingrule.go 
@@ -1,14 +1,22 @@ package openshift -import lokiv1 "github.com/grafana/loki/operator/api/loki/v1" +import ( + "strings" + + lokiv1 "github.com/grafana/loki/operator/api/loki/v1" +) func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) { switch ar.Spec.TenantID { case tenantApplication: - appendAlertingRuleLabels(ar, map[string]string{ - opaDefaultLabelMatcher: ar.Namespace, + labels := map[string]string{ ocpMonitoringGroupByLabel: ar.Namespace, - }) + } + labelMatchers := strings.Split(opaDefaultLabelMatchers, ",") + for _, label := range labelMatchers { + labels[label] = ar.Namespace + } + appendAlertingRuleLabels(ar, labels) case tenantInfrastructure, tenantAudit, tenantNetwork: appendAlertingRuleLabels(ar, map[string]string{ ocpMonitoringGroupByLabel: ar.Namespace, diff --git a/operator/internal/manifests/openshift/alertingrule_test.go b/operator/internal/manifests/openshift/alertingrule_test.go index afd50dc3d2d73..22cfcacf10668 100644 --- a/operator/internal/manifests/openshift/alertingrule_test.go +++ b/operator/internal/manifests/openshift/alertingrule_test.go @@ -46,7 +46,7 @@ func TestAlertingRuleTenantLabels(t *testing.T) { { Alert: "alert", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatchers: "test-ns", ocpMonitoringGroupByLabel: "test-ns", }, }, diff --git a/operator/internal/manifests/openshift/configure.go b/operator/internal/manifests/openshift/configure.go index 75ecc65973bf5..5403c89afa944 100644 --- a/operator/internal/manifests/openshift/configure.go +++ b/operator/internal/manifests/openshift/configure.go @@ -81,7 +81,7 @@ func ConfigureGatewayDeployment( } d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args, - fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatcher), + fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers), ) } } 
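Review bot: The split-and-loop over `opaDefaultLabelMatchers` is duplicated verbatim between this hunk and recordingrule.go, and neither says why a rule must carry both namespace labels. A single package-level `var opaDefaultLabelMatcherNames = strings.Split(opaDefaultLabelMatchers, ",")` next to the constant in opa_openshift.go, or a small helper such as `func namespaceLabels(ns string) map[string]string`, would let both rule types share one implementation and keep the list in one place. Whichever form is chosen, a comment along the lines of `// Stamp both the classic and the OTel namespace label so the rule is matched by the OPA matcher and the rules label filter regardless of which collector produced the stream.` would record the intent, which is only inferable from the gateway flags changed elsewhere in this series.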
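Review bot: The expected `Labels` map in `TestAlertingRuleTenantLabels` still keys by `opaDefaultLabelMatchers`, which after this series is the joined string `kubernetes_namespace_name,k8s_namespace_name`, whereas the production code now emits two separate keys; unless `appendAlertingRuleLabels` rewrites keys (not visible here) this expectation cannot match. Replace the single entry with `"kubernetes_namespace_name": "test-ns", "k8s_namespace_name": "test-ns",` alongside `ocpMonitoringGroupByLabel: "test-ns"`. The surrounding test-case literal begins and ends outside the hunk.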
@@ -102,7 +102,7 @@ func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName stri container := corev1.Container{ Args: []string{ - fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatcher), + fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatchers), }, } diff --git a/operator/internal/manifests/openshift/opa_openshift.go b/operator/internal/manifests/openshift/opa_openshift.go index bc804c11b11ed..1fb3600bc2bb2 100644 --- a/operator/internal/manifests/openshift/opa_openshift.go +++ b/operator/internal/manifests/openshift/opa_openshift.go @@ -19,7 +19,7 @@ const ( opaDefaultPackage = "lokistack" opaDefaultAPIGroup = "loki.grafana.com" opaMetricsPortName = "opa-metrics" - opaDefaultLabelMatcher = "kubernetes_namespace_name" + opaDefaultLabelMatchers = "kubernetes_namespace_name,k8s_namespace_name" opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace" ocpMonitoringGroupByLabel = "namespace" ) @@ -53,7 +53,8 @@ func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, mi if mode != lokiv1.OpenshiftNetwork { args = append(args, []string{ - fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatcher), + fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatchers), + "--opa.matcher-op=or", }...) } else { args = append(args, []string{ diff --git a/operator/internal/manifests/openshift/recordingrule.go b/operator/internal/manifests/openshift/recordingrule.go index 8e8a0eccfa6de..8ab1938d528d4 100644 --- a/operator/internal/manifests/openshift/recordingrule.go +++ b/operator/internal/manifests/openshift/recordingrule.go 
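Review bot: The rules-API flag now renders as `--logs.rules.label-filters=application:kubernetes_namespace_name,k8s_namespace_name`, and whether the gateway reads that as one tenant with two labels or as a tenant followed by a malformed second entry depends on how it tokenizes the value, which is not visible here; please confirm the comma is a label separator in the gateway's flag parser, since the network mode already relies on a two-label list and the gateway_test.go expectation encodes this exact string. A short comment on the `fmt.Sprintf` line, e.g. `// format is tenant:label[,label...]; the gateway only exposes rules whose labels match one of these`, would make the contract explicit. `ConfigureGatewayDeploymentRulesAPI` begins outside the hunk.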
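Review bot: Adding `--opa.matcher-op=or` changes the authorization predicate for every non-network tenant, and the hunk does not record what `or` means in the sidecar: whether a query is accepted when at least one of the two namespace labels is present and every present one resolves to a permitted namespace, or merely when any one matcher passes. Only the former is safe; with the latter a selector such as `{kubernetes_namespace_name="allowed-ns", k8s_namespace_name=~".+"}` would be authorized on the strength of the first label alone. Please confirm the sidecar semantics and pin them in a comment above the append, e.g. `// "or": a query must carry at least one of these labels, and each one it carries is checked against the caller's namespaces.` The enclosing `newOPAOpenShiftContainer` starts outside the hunk, and the network-mode branch that presumably already uses this flag is not shown.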
@@ -1,14 +1,22 @@ package openshift -import lokiv1 "github.com/grafana/loki/operator/api/loki/v1" +import ( + "strings" + + lokiv1 "github.com/grafana/loki/operator/api/loki/v1" +) func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) { switch r.Spec.TenantID { case tenantApplication: - appendRecordingRuleLabels(r, map[string]string{ - opaDefaultLabelMatcher: r.Namespace, + labels := map[string]string{ ocpMonitoringGroupByLabel: r.Namespace, - }) + } + labelMatchers := strings.Split(opaDefaultLabelMatchers, ",") + for _, label := range labelMatchers { + labels[label] = r.Namespace + } + appendRecordingRuleLabels(r, labels) case tenantInfrastructure, tenantAudit, tenantNetwork: appendRecordingRuleLabels(r, map[string]string{ ocpMonitoringGroupByLabel: r.Namespace, diff --git a/operator/internal/manifests/openshift/recordingrule_test.go b/operator/internal/manifests/openshift/recordingrule_test.go index 901913dac2944..9eb61487aadfb 100644 --- a/operator/internal/manifests/openshift/recordingrule_test.go +++ b/operator/internal/manifests/openshift/recordingrule_test.go @@ -46,7 +46,7 @@ func TestRecordingRuleTenantLabels(t *testing.T) { { Record: "record", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatchers: "test-ns", ocpMonitoringGroupByLabel: "test-ns", }, }, diff --git a/operator/internal/validation/openshift/common.go b/operator/internal/validation/openshift/common.go index a41161cbc54f6..7d70c463fa36d 100644 --- a/operator/internal/validation/openshift/common.go +++ b/operator/internal/validation/openshift/common.go @@ -19,6 +19,7 @@ const ( descriptionAnnotationName = "description" namespaceLabelName = "kubernetes_namespace_name" + namespaceOTLPLabelName = "k8s_namespace_name" namespaceOpenshiftLogging = "openshift-logging" tenantAudit = "audit" 
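Review bot: As with the alerting-rule test, `TestRecordingRuleTenantLabels` still expects a single key named by `opaDefaultLabelMatchers` (now the comma-joined string) while `RecordingRuleTenantLabels` emits `kubernetes_namespace_name` and `k8s_namespace_name` as two entries; unless `appendRecordingRuleLabels` transforms keys, this assertion will fail. Replace the entry with `"kubernetes_namespace_name": "test-ns", "k8s_namespace_name": "test-ns",`. The test-case literal extends beyond the hunk on both sides.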
@@ -73,7 +74,7 @@ func validateRuleExpression(namespace, tenantID, rawExpr string) error { func validateIncludesNamespace(namespace string, matchers []*labels.Matcher) bool { for _, m := range matchers { - if m.Name == namespaceLabelName && m.Type == labels.MatchEqual && m.Value == namespace { + if (m.Name == namespaceLabelName || m.Name == namespaceOTLPLabelName) && m.Type == labels.MatchEqual && m.Value == namespace { return true } }
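Review bot: The widened condition in `validateIncludesNamespace` still returns true on the first exact match for either label, and the reason that remains sufficient is no longer obvious from the code: LogQL ANDs all matchers within a selector, so one `=`-match on either namespace label pins that selector to the rule's namespace, and a selector mixing both labels with different values can only narrow the result, not widen it. That reasoning deserves a doc comment, e.g. `// validateIncludesNamespace reports whether the selector contains an exact-match on the classic or the OTel namespace label for the rule's own namespace; one such matcher is enough because LogQL conjoins all matchers of a selector.` Note this only holds if the caller applies the check to every stream selector in the expression, which is decided in `validateRuleExpression` outside this hunk; the function's closing `return` is also outside the hunk.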