WIP: feat(operator): extend LokiStack authorization to support OTel Semantics

operator/internal/manifests/gateway_tenants_test.go

@@ -716,7 +716,7 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 								{
 									Name: gatewayContainerName,
 									Args: []string{
-										"--logs.auth.extract-selectors=kubernetes_namespace_name",
+										"--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name",
 									},
 								},
 								{
@@ -730,7 +730,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--opa.skip-tenants=audit,infrastructure",
 										"--opa.package=lokistack",
 										"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
-										"--opa.matcher=kubernetes_namespace_name",
+										"--opa.matcher=kubernetes_namespace_name,k8s_namespace_name",
+										"--opa.matcher-op=or",
 										`--openshift.mappings=application=loki.grafana.com`,
 										`--openshift.mappings=infrastructure=loki.grafana.com`,
 										`--openshift.mappings=audit=loki.grafana.com`,
@@ -825,7 +826,7 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 								{
 									Name: gatewayContainerName,
 									Args: []string{
-										"--logs.auth.extract-selectors=kubernetes_namespace_name",
+										"--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name",
 									},
 								},
 								{
@@ -839,7 +840,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--opa.skip-tenants=audit,infrastructure",
 										"--opa.package=lokistack",
 										"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
-										"--opa.matcher=kubernetes_namespace_name",
+										"--opa.matcher=kubernetes_namespace_name,k8s_namespace_name",
+										"--opa.matcher-op=or",
 										"--tls.internal.server.cert-file=/var/run/tls/http/server/tls.crt",
 										"--tls.internal.server.key-file=/var/run/tls/http/server/tls.key",
 										"--tls.min-version=min-version",
@@ -1162,7 +1164,7 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 								{
 									Name: gatewayContainerName,
 									Args: []string{
-										"--logs.auth.extract-selectors=kubernetes_namespace_name",
+										"--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name",
 									},
 								},
 								{
@@ -1176,7 +1178,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--opa.skip-tenants=audit,infrastructure",
 										"--opa.package=lokistack",
 										"--opa.admin-groups=custom-admins,other-admins",
-										"--opa.matcher=kubernetes_namespace_name",
+										"--opa.matcher=kubernetes_namespace_name,k8s_namespace_name",
+										"--opa.matcher-op=or",
 										`--openshift.mappings=application=loki.grafana.com`,
 										`--openshift.mappings=infrastructure=loki.grafana.com`,
 										`--openshift.mappings=audit=loki.grafana.com`,
@@ -1259,7 +1262,7 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 								{
 									Name: gatewayContainerName,
 									Args: []string{
-										"--logs.auth.extract-selectors=kubernetes_namespace_name",
+										"--logs.auth.extract-selectors=kubernetes_namespace_name,k8s_namespace_name",
 									},
 								},
 								{
@@ -1272,7 +1275,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--web.healthchecks.url=http://localhost:8082",
 										"--opa.skip-tenants=audit,infrastructure",
 										"--opa.package=lokistack",
-										"--opa.matcher=kubernetes_namespace_name",
+										"--opa.matcher=kubernetes_namespace_name,k8s_namespace_name",
+										"--opa.matcher-op=or",
 										`--openshift.mappings=application=loki.grafana.com`,
 										`--openshift.mappings=infrastructure=loki.grafana.com`,
 										`--openshift.mappings=audit=loki.grafana.com`,

operator/internal/manifests/gateway_test.go

@@ -726,7 +726,7 @@ func TestBuildGateway_WithRulesEnabled(t *testing.T) {
 			wantArgs: []string{
 				"--logs.rules.endpoint=https://abcd-ruler-http.efgh.svc.cluster.local:3100",
 				"--logs.rules.read-only=true",
-				"--logs.rules.label-filters=application:kubernetes_namespace_name",
+				"--logs.rules.label-filters=application:kubernetes_namespace_name,k8s_namespace_name",
 			},
 		},
 		{

operator/internal/manifests/openshift/alertingrule.go

@@ -1,14 +1,23 @@
 package openshift
 
-import lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
+import (
+	"strings"
+
+	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
+)
 
 func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) {
 	switch ar.Spec.TenantID {
 	case tenantApplication:
 		appendAlertingRuleLabels(ar, map[string]string{
-			opaDefaultLabelMatcher:    ar.Namespace,
+			opaDefaultLabelMatchers:   ar.Namespace,
 			ocpMonitoringGroupByLabel: ar.Namespace,
-		})
+		}
+		labelMatchers := strings.Split(opaDefaultLabelMatchers, ",")
+		for _, label := range labelMatchers {
+			labels[label] = ar.Namespace
+		}
+		appendAlertingRuleLabels(ar, labels)
 	case tenantInfrastructure, tenantAudit, tenantNetwork:
 		appendAlertingRuleLabels(ar, map[string]string{
 			ocpMonitoringGroupByLabel: ar.Namespace,
@@ -19,7 +28,7 @@
 }
 
 func appendAlertingRuleLabels(ar *lokiv1.AlertingRule, labels map[string]string) {
 	for groupIdx, group := range ar.Spec.Groups {
 		for ruleIdx, rule := range group.Rules {
 			if rule.Labels == nil {
 				rule.Labels = map[string]string{}

operator/internal/manifests/openshift/alertingrule_test.go

@@ -46,7 +46,7 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 								{
 									Alert: "alert",
 									Labels: map[string]string{
-										opaDefaultLabelMatcher:    "test-ns",
+										opaDefaultLabelMatchers:   "test-ns",
 										ocpMonitoringGroupByLabel: "test-ns",
 									},
 								},

operator/internal/manifests/openshift/configure.go

@@ -81,7 +81,7 @@ func ConfigureGatewayDeployment(
 			}
 
 			d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args,
-				fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatcher),
+				fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers),
 			)
 		}
 	}
@@ -102,7 +102,7 @@ func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName stri
 
 	container := corev1.Container{
 		Args: []string{
-			fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatcher),
+			fmt.Sprintf("--logs.rules.label-filters=%s:%s", tenantApplication, opaDefaultLabelMatchers),
 		},
 	}
 

operator/internal/manifests/openshift/opa_openshift.go

@@ -19,7 +19,7 @@ const (
 	opaDefaultPackage         = "lokistack"
 	opaDefaultAPIGroup        = "loki.grafana.com"
 	opaMetricsPortName        = "opa-metrics"
-	opaDefaultLabelMatcher    = "kubernetes_namespace_name"
+	opaDefaultLabelMatchers   = "kubernetes_namespace_name,k8s_namespace_name"
 	opaNetworkLabelMatchers   = "SrcK8S_Namespace,DstK8S_Namespace"
 	ocpMonitoringGroupByLabel = "namespace"
 )
@@ -53,7 +53,8 @@ func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, mi
 
 	if mode != lokiv1.OpenshiftNetwork {
 		args = append(args, []string{
-			fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatcher),
+			fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatchers),
+			"--opa.matcher-op=or",
 		}...)
 	} else {
 		args = append(args, []string{

operator/internal/manifests/openshift/recordingrule.go

@@ -1,14 +1,23 @@
 package openshift
 
-import lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
+import (
+	"strings"
+
+	lokiv1 "github.com/grafana/loki/operator/api/loki/v1"
+)
 
 func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) {
 	switch r.Spec.TenantID {
 	case tenantApplication:
 		appendRecordingRuleLabels(r, map[string]string{
-			opaDefaultLabelMatcher:    r.Namespace,
+			opaDefaultLabelMatchers:   r.Namespace,
 			ocpMonitoringGroupByLabel: r.Namespace,
-		})
+		}
+		labelMatchers := strings.Split(opaDefaultLabelMatchers, ",")
+		for _, label := range labelMatchers {
+			labels[label] = r.Namespace
+		}
+		appendRecordingRuleLabels(r, labels)
 	case tenantInfrastructure, tenantAudit, tenantNetwork:
 		appendRecordingRuleLabels(r, map[string]string{
 			ocpMonitoringGroupByLabel: r.Namespace,
@@ -19,7 +28,7 @@
 }
 
 func appendRecordingRuleLabels(r *lokiv1.RecordingRule, labels map[string]string) {
 	for groupIdx, group := range r.Spec.Groups {
 		for ruleIdx, rule := range group.Rules {
 			if rule.Labels == nil {
 				rule.Labels = map[string]string{}

operator/internal/manifests/openshift/recordingrule_test.go

@@ -46,7 +46,7 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 								{
 									Record: "record",
 									Labels: map[string]string{
-										opaDefaultLabelMatcher:    "test-ns",
+										opaDefaultLabelMatchers:   "test-ns",
 										ocpMonitoringGroupByLabel: "test-ns",
 									},
 								},

operator/internal/validation/openshift/common.go

@@ -19,6 +19,7 @@ const (
 	descriptionAnnotationName = "description"
 
 	namespaceLabelName        = "kubernetes_namespace_name"
+	namespaceOTLPLabelName    = "k8s_namespace_name"
 	namespaceOpenshiftLogging = "openshift-logging"
 
 	tenantAudit          = "audit"
@@ -73,7 +74,7 @@ func validateRuleExpression(namespace, tenantID, rawExpr string) error {
 
 func validateIncludesNamespace(namespace string, matchers []*labels.Matcher) bool {
 	for _, m := range matchers {
-		if m.Name == namespaceLabelName && m.Type == labels.MatchEqual && m.Value == namespace {
+		if (m.Name == namespaceLabelName || m.Name == namespaceOTLPLabelName) && m.Type == labels.MatchEqual && m.Value == namespace {
 			return true
 		}
 	}