operator: Fix OIDC.IssuerCAPath by updating it to type CASpec (#9972)

Co-authored-by: Periklis Tsirakidis <periklis@redhat.com>
Joao Marcal 2 years ago committed by GitHub
parent 85c6a436a7
commit 0fd9331044
  1. 1
      operator/CHANGELOG.md
  2. 7
      operator/apis/loki/v1/lokistack_types.go
  3. 5
      operator/apis/loki/v1/zz_generated.deepcopy.go
  4. 18
      operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
  5. 22
      operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml
  6. 18
      operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
  7. 22
      operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml
  8. 18
      operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
  9. 22
      operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml
  10. 22
      operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
  11. 18
      operator/config/manifests/community-openshift/bases/loki-operator.clusterserviceversion.yaml
  12. 18
      operator/config/manifests/community/bases/loki-operator.clusterserviceversion.yaml
  13. 18
      operator/config/manifests/openshift/bases/loki-operator.clusterserviceversion.yaml
  14. 70
      operator/internal/handlers/internal/gateway/tenant_secrets.go
  15. 5
      operator/internal/handlers/internal/gateway/tenant_secrets_test.go
  16. 70
      operator/internal/manifests/gateway_tenants.go
  17. 131
      operator/internal/manifests/gateway_tenants_test.go
  18. 24
      operator/internal/manifests/internal/gateway/build_test.go
  19. 14
      operator/internal/manifests/var.go

@ -1,5 +1,6 @@
## Main
- [9972](https://github.com/grafana/loki/pull/9972) **JoaoBraveCoding**: Fix OIDC.IssuerCAPath by updating it to type CASpec
- [9931](https://github.com/grafana/loki/pull/9931) **aminesnow**: Custom configuration for LokiStack admin groups
- [9971](https://github.com/grafana/loki/pull/9971) **aminesnow**: Add namespace and tenantId labels to RecordingRules
- [9906](https://github.com/grafana/loki/pull/9906) **JoaoBraveCoding**: Add mTLS authentication to tenants

@ -153,12 +153,17 @@ type TenantSecretSpec struct {
// OIDCSpec defines the oidc configuration spec for lokiStack Gateway component.
type OIDCSpec struct {
// Secret defines the spec for the clientID, clientSecret and issuerCAPath for tenant's authentication.
// Secret defines the spec for the clientID and clientSecret for tenant's authentication.
//
// +required
// +kubebuilder:validation:Required
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant Secret"
Secret *TenantSecretSpec `json:"secret"`
// IssuerCA defines the spec for the issuer CA for tenant's authentication.
//
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="IssuerCA ConfigMap"
IssuerCA *CASpec `json:"issuerCA"`
// IssuerURL defines the URL for issuer.
//
// +required
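Review bot: The new `IssuerCA` field at line 70 is marked `+optional` but its tag is `json:"issuerCA"` with no `omitempty`, so a nil pointer is serialized as `"issuerCA": null` instead of being left out, which is what the kubebuilder optional-pointer convention expects and presumably what the other optional fields of this API do. Change the tag to `json:"issuerCA,omitempty"` so the CRD round-trips cleanly. The `OIDCSpec` struct continues past the end of the hunk.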

@ -974,6 +974,11 @@ func (in *OIDCSpec) DeepCopyInto(out *OIDCSpec) {
*out = new(TenantSecretSpec)
**out = **in
}
if in.IssuerCA != nil {
in, out := &in.IssuerCA, &out.IssuerCA
*out = new(CASpec)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCSpec.

@ -718,14 +718,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -3691,6 +3691,24 @@ spec:
groupClaim:
description: Group claim field from ID Token
type: string
issuerCA:
description: IssuerCA defines the spec for the issuer
CA for tenant's authentication.
properties:
caKey:
description: Key is the data key of a ConfigMap
containing a CA certificate. It needs to be in
the same namespace as the LokiStack custom resource.
If empty, it defaults to "service-ca.crt".
type: string
caName:
description: CA is the name of a ConfigMap containing
a CA certificate. It needs to be in the same namespace
as the LokiStack custom resource.
type: string
required:
- caName
type: object
issuerURL:
description: IssuerURL defines the URL for issuer.
type: string
@ -3698,8 +3716,8 @@ spec:
description: RedirectURL defines the URL for redirect.
type: string
secret:
description: Secret defines the spec for the clientID,
clientSecret and issuerCAPath for tenant's authentication.
description: Secret defines the spec for the clientID
and clientSecret for tenant's authentication.
properties:
name:
description: Name of a secret in the namespace configured

@ -718,14 +718,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -3691,6 +3691,24 @@ spec:
groupClaim:
description: Group claim field from ID Token
type: string
issuerCA:
description: IssuerCA defines the spec for the issuer
CA for tenant's authentication.
properties:
caKey:
description: Key is the data key of a ConfigMap
containing a CA certificate. It needs to be in
the same namespace as the LokiStack custom resource.
If empty, it defaults to "service-ca.crt".
type: string
caName:
description: CA is the name of a ConfigMap containing
a CA certificate. It needs to be in the same namespace
as the LokiStack custom resource.
type: string
required:
- caName
type: object
issuerURL:
description: IssuerURL defines the URL for issuer.
type: string
@ -3698,8 +3716,8 @@ spec:
description: RedirectURL defines the URL for redirect.
type: string
secret:
description: Secret defines the spec for the clientID,
clientSecret and issuerCAPath for tenant's authentication.
description: Secret defines the spec for the clientID
and clientSecret for tenant's authentication.
properties:
name:
description: Name of a secret in the namespace configured

@ -731,14 +731,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -3691,6 +3691,24 @@ spec:
groupClaim:
description: Group claim field from ID Token
type: string
issuerCA:
description: IssuerCA defines the spec for the issuer
CA for tenant's authentication.
properties:
caKey:
description: Key is the data key of a ConfigMap
containing a CA certificate. It needs to be in
the same namespace as the LokiStack custom resource.
If empty, it defaults to "service-ca.crt".
type: string
caName:
description: CA is the name of a ConfigMap containing
a CA certificate. It needs to be in the same namespace
as the LokiStack custom resource.
type: string
required:
- caName
type: object
issuerURL:
description: IssuerURL defines the URL for issuer.
type: string
@ -3698,8 +3716,8 @@ spec:
description: RedirectURL defines the URL for redirect.
type: string
secret:
description: Secret defines the spec for the clientID,
clientSecret and issuerCAPath for tenant's authentication.
description: Secret defines the spec for the clientID
and clientSecret for tenant's authentication.
properties:
name:
description: Name of a secret in the namespace configured

@ -3674,6 +3674,24 @@ spec:
groupClaim:
description: Group claim field from ID Token
type: string
issuerCA:
description: IssuerCA defines the spec for the issuer
CA for tenant's authentication.
properties:
caKey:
description: Key is the data key of a ConfigMap
containing a CA certificate. It needs to be in
the same namespace as the LokiStack custom resource.
If empty, it defaults to "service-ca.crt".
type: string
caName:
description: CA is the name of a ConfigMap containing
a CA certificate. It needs to be in the same namespace
as the LokiStack custom resource.
type: string
required:
- caName
type: object
issuerURL:
description: IssuerURL defines the URL for issuer.
type: string
@ -3681,8 +3699,8 @@ spec:
description: RedirectURL defines the URL for redirect.
type: string
secret:
description: Secret defines the spec for the clientID,
clientSecret and issuerCAPath for tenant's authentication.
description: Secret defines the spec for the clientID
and clientSecret for tenant's authentication.
properties:
name:
description: Name of a secret in the namespace configured

@ -631,14 +631,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -631,14 +631,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -643,14 +643,28 @@ spec:
- description: OIDC defines the spec for the OIDC tenant's authentication.
displayName: OIDC Configuration
path: tenants.authentication[0].oidc
- description: IssuerCA defines the spec for the issuer CA for tenant's authentication.
displayName: IssuerCA ConfigMap
path: tenants.authentication[0].oidc.issuerCA
- description: Key is the data key of a ConfigMap containing a CA certificate.
It needs to be in the same namespace as the LokiStack custom resource. If
empty, it defaults to "service-ca.crt".
displayName: CA ConfigMap Key
path: tenants.authentication[0].oidc.issuerCA.caKey
- description: CA is the name of a ConfigMap containing a CA certificate. It
needs to be in the same namespace as the LokiStack custom resource.
displayName: CA ConfigMap Name
path: tenants.authentication[0].oidc.issuerCA.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: IssuerURL defines the URL for issuer.
displayName: Issuer URL
path: tenants.authentication[0].oidc.issuerURL
- description: RedirectURL defines the URL for redirect.
displayName: Redirect URL
path: tenants.authentication[0].oidc.redirectURL
- description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
for tenant's authentication.
- description: Secret defines the spec for the clientID and clientSecret for
tenant's authentication.
displayName: Tenant Secret
path: tenants.authentication[0].oidc.secret
- description: Name of a secret in the namespace configured for tenant secrets.

@ -30,7 +30,6 @@ func GetTenantSecrets(
var (
tenantSecrets []*manifests.TenantSecrets
gatewaySecret corev1.Secret
caConfigMap corev1.ConfigMap
)
for _, tenant := range stack.Spec.Tenants.Authentication {
@ -57,40 +56,27 @@ func GetTenantSecrets(
Requeue: true,
}
}
tenantSecrets = append(tenantSecrets, &manifests.TenantSecrets{
tennantSecret := &manifests.TenantSecrets{
TenantName: tenant.TenantName,
OIDCSecret: oidcSecret,
})
case tenant.MTLS != nil:
key := client.ObjectKey{Name: tenant.MTLS.CA.CA, Namespace: req.Namespace}
if err := k.Get(ctx, key, &caConfigMap); err != nil {
if apierrors.IsNotFound(err) {
return nil, &status.DegradedError{
Message: fmt.Sprintf("Missing configmap for tenant %s", tenant.TenantName),
Reason: lokiv1.ReasonMissingGatewayTenantConfigMap,
Requeue: true,
}
}
return nil, kverrors.Wrap(err, "failed to lookup lokistack gateway tenant configMap",
"name", key)
}
// Default key if the user doesn't specify it
cmKey := "service-ca.crt"
if tenant.MTLS.CA.CAKey != "" {
cmKey = tenant.MTLS.CA.CAKey
if tenant.OIDC.IssuerCA != nil {
caPath, err := extractCAPath(ctx, k, req.Namespace, tenant.TenantName, tenant.OIDC.IssuerCA)
if err != nil {
return nil, err
}
tennantSecret.OIDCSecret.IssuerCAPath = caPath
}
err := checkKeyIsPresent(&caConfigMap, cmKey)
tenantSecrets = append(tenantSecrets, tennantSecret)
case tenant.MTLS != nil:
caPath, err := extractCAPath(ctx, k, req.Namespace, tenant.TenantName, tenant.MTLS.CA)
if err != nil {
return nil, &status.DegradedError{
Message: "Invalid gateway tenant configmap contents",
Reason: lokiv1.ReasonInvalidGatewayTenantConfigMap,
Requeue: true,
}
return nil, err
}
tenantSecrets = append(tenantSecrets, &manifests.TenantSecrets{
TenantName: tenant.TenantName,
MTLSSecret: &manifests.MTLSSecret{
CAPath: manifests.TenantMTLSCAPath(tenant.TenantName, cmKey),
CAPath: caPath,
},
})
default:
@ -113,12 +99,10 @@ func extractOIDCSecret(s *corev1.Secret) (*manifests.OIDCSecret, error) {
return nil, kverrors.New("missing clientID field", "field", "clientID")
}
clientSecret := s.Data["clientSecret"]
issuerCAPath := s.Data["issuerCAPath"]
return &manifests.OIDCSecret{
ClientID: string(clientID),
ClientSecret: string(clientSecret),
IssuerCAPath: string(issuerCAPath),
}, nil
}
@ -130,3 +114,33 @@ func checkKeyIsPresent(cm *corev1.ConfigMap, key string) error {
}
return nil
}
func extractCAPath(ctx context.Context, k k8s.Client, namespace string, tennantName string, caSpec *lokiv1.CASpec) (string, error) {
var caConfigMap corev1.ConfigMap
key := client.ObjectKey{Name: caSpec.CA, Namespace: namespace}
if err := k.Get(ctx, key, &caConfigMap); err != nil {
if apierrors.IsNotFound(err) {
return "", &status.DegradedError{
Message: fmt.Sprintf("Missing configmap for tenant %s", tennantName),
Reason: lokiv1.ReasonMissingGatewayTenantConfigMap,
Requeue: true,
}
}
return "", kverrors.Wrap(err, "failed to lookup lokistack gateway tenant configMap",
"name", key)
}
// Default key if the user doesn't specify it
cmKey := "service-ca.crt"
if caSpec.CAKey != "" {
cmKey = caSpec.CAKey
}
err := checkKeyIsPresent(&caConfigMap, cmKey)
if err != nil {
return "", &status.DegradedError{
Message: "Invalid gateway tenant configmap contents",
Reason: lokiv1.ReasonInvalidGatewayTenantConfigMap,
Requeue: true,
}
}
return manifests.TenantCAPath(tennantName, cmKey), nil
}
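Review bot: extractOIDCSecret (lines 487–497) stops reading the `issuerCAPath` key from the tenant secret without any notice, so a secret that still carries that key now silently loses its issuer CA setting and the gateway presumably verifies the issuer against whatever trust store it had before; because this is TLS-trust configuration, make the migration visible rather than silent, e.g. `if _, ok := s.Data["issuerCAPath"]; ok { return nil, kverrors.New("issuerCAPath in tenant secret is no longer supported, use spec.tenants.authentication[].oidc.issuerCA", "field", "issuerCAPath") }` or at least a logged warning. In extractCAPath (lines 498–530) the invalid-contents DegradedError drops both the tenant name and the rejected key, unlike the not-found branch right above it, so the LokiStack status cannot say which tenant's ConfigMap is wrong: `Message: fmt.Sprintf("Invalid gateway tenant configmap contents for tenant %s: missing key %q", tennantName, cmKey),`. extractCAPath also has no doc comment; something like `// extractCAPath resolves the CA ConfigMap named by caSpec in namespace, checks that the configured key (default "service-ca.crt") exists and returns the path at which the gateway mounts it.` would do. The `tennant` spelling in its parameter and in `tennantSecret` is a typo carried into new identifiers.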

@ -47,7 +47,6 @@ func TestGetTenantSecrets(t *testing.T) {
Data: map[string][]byte{
"clientID": []byte("test"),
"clientSecret": []byte("test"),
"issuerCAPath": []byte("/path/to/ca/file"),
},
},
expected: []*manifests.TenantSecrets{
@ -56,7 +55,6 @@ func TestGetTenantSecrets(t *testing.T) {
OIDCSecret: &manifests.OIDCSecret{
ClientID: "test",
ClientSecret: "test",
IssuerCAPath: "/path/to/ca/file",
},
},
},
@ -88,7 +86,7 @@ func TestGetTenantSecrets(t *testing.T) {
{
TenantName: "test",
MTLSSecret: &manifests.MTLSSecret{
CAPath: "/var/run/tls/tenants/test/special-ca.crt",
CAPath: "/var/run/tenants-ca/test/special-ca.crt",
},
},
},
@ -151,7 +149,6 @@ func TestExtractOIDCSecret(t *testing.T) {
Data: map[string][]byte{
"clientID": []byte("test"),
"clientSecret": []byte("test"),
"issuerCAPath": []byte("/tmp/test"),
},
},
},
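Review bot: No case in this file exercises GetTenantSecrets with `tenant.OIDC.IssuerCA` set; the four hunks only delete the old `issuerCAPath` fixtures and rebase the mTLS `CAPath`, so the OIDC branch of extractCAPath — the default `service-ca.crt` key, the missing-ConfigMap and missing-key DegradedError paths, and the resulting `OIDCSecret.IssuerCAPath` — is covered only indirectly, if at all, by the manifests tests. Add an OIDC case mirroring the existing mTLS one, with `IssuerCA: &lokiv1.CASpec{CA: "my-ca", CAKey: "special-ca.crt"}` in the tenant spec and `IssuerCAPath: "/var/run/tenants-ca/test/special-ca.crt"` in the expected OIDCSecret, plus one with the ConfigMap absent to pin the degraded status. The test table continues outside the hunks.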

@ -69,7 +69,7 @@ func configureGatewayDeploymentForMode(d *appsv1.Deployment, tenants *lokiv1.Ten
switch tenants.Mode {
case lokiv1.Static, lokiv1.Dynamic:
if tenants != nil {
return configureMTLS(d, tenants)
return configureCAVolumes(d, tenants)
}
return nil
case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork:
@ -194,9 +194,30 @@ func ConfigureOptionsForMode(cfg *config.Options, opt Options) error {
return nil
}
// configureMTLS will mount CA bundles and fix CLI arguments for the gateway container
// if any tenant configured mTLS authentication
func configureMTLS(d *appsv1.Deployment, tenants *lokiv1.TenantsSpec) error {
// configureCAVolumes will mount CA bundles for both OIDC and mTLS. Furthermore
// if a user configures mTLS it will also update the arg --tls.client-auth-type
func configureCAVolumes(d *appsv1.Deployment, tenants *lokiv1.TenantsSpec) error {
if tenants.Authentication == nil {
return nil // nothing to do
}
mountCAConfigMap := func(container *corev1.Container, volumes *[]corev1.Volume, tennantName, configmapName string) {
container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
Name: tenantCAVolumeName(tennantName),
MountPath: tenantCADir(tennantName),
})
*volumes = append(*volumes, corev1.Volume{
Name: tenantCAVolumeName(tennantName),
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: configmapName,
},
},
},
})
}
var gwIndex int
for i, c := range d.Spec.Template.Spec.Containers {
if c.Name == gatewayContainerName {
@ -211,38 +232,29 @@ func configureMTLS(d *appsv1.Deployment, tenants *lokiv1.TenantsSpec) error {
mTLS := false
for _, tenant := range tenants.Authentication {
if tenant.MTLS != nil {
gwContainer.VolumeMounts = append(gwContainer.VolumeMounts, corev1.VolumeMount{
Name: tenantMTLSVolumeName(tenant.TenantName),
MountPath: tenantMTLSCADir(tenant.TenantName),
})
gwVolumes = append(gwVolumes, corev1.Volume{
Name: tenantMTLSVolumeName(tenant.TenantName),
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: tenant.MTLS.CA.CA,
},
},
},
})
switch {
case tenant.OIDC != nil:
if tenant.OIDC.IssuerCA != nil {
mountCAConfigMap(gwContainer, &gwVolumes, tenant.TenantName, tenant.OIDC.IssuerCA.CA)
}
case tenant.MTLS != nil:
mountCAConfigMap(gwContainer, &gwVolumes, tenant.TenantName, tenant.MTLS.CA.CA)
mTLS = true
}
}
if !mTLS {
return nil // nothing to configure
}
// Remove old tls.client-auth-type
for i, arg := range gwArgs {
if strings.HasPrefix(arg, "--tls.client-auth-type=") {
gwArgs = append(gwArgs[:i], gwArgs[i+1:]...)
break
if mTLS {
// Remove old tls.client-auth-type
for i, arg := range gwArgs {
if strings.HasPrefix(arg, "--tls.client-auth-type=") {
gwArgs = append(gwArgs[:i], gwArgs[i+1:]...)
break
}
}
gwArgs = append(gwArgs, "--tls.client-auth-type=RequestClientCert")
gwContainer.Args = gwArgs
}
gwArgs = append(gwArgs, "--tls.client-auth-type=RequestClientCert")
gwContainer.Args = gwArgs
p := corev1.PodSpec{
Containers: []corev1.Container{
*gwContainer,
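Review bot: The early `if !mTLS { return nil }` that used to sit before the PodSpec was built (lines 634–636) has no replacement, so a Static/Dynamic stack with neither an OIDC IssuerCA nor an mTLS tenant now goes on to assemble `p` and run the merge that follows the hunk with nothing to add; that looks harmless but is extra work on every reconcile and changes when the merge path is exercised. Keep the shortcut by tracking whether anything was mounted: `mounted := false` before the closure, `mounted = true` inside mountCAConfigMap, and `if !mounted { return nil // nothing to configure }` ahead of the `p := corev1.PodSpec{` line. The switch at lines 624–631 mounts only the OIDC CA when a tenant sets both OIDC and MTLS, which appears to match the case order in GetTenantSecrets but deserves a one-line comment saying so. The `tennantName` parameter at line 587 carries the same misspelling as the helpers in var.go. configureCAVolumes continues past the end of the hunk.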

@ -493,7 +493,7 @@ func TestConfigureDeploymentForMode(t *testing.T) {
VolumeMounts: []corev1.VolumeMount{
{
Name: "test-a-ca-bundle",
MountPath: "/var/run/tls/tenants/test-a",
MountPath: "/var/run/tenants-ca/test-a",
},
},
},
@ -549,7 +549,134 @@ func TestConfigureDeploymentForMode(t *testing.T) {
VolumeMounts: []corev1.VolumeMount{
{
Name: "test-a-ca-bundle",
MountPath: "/var/run/tls/tenants/test-a",
MountPath: "/var/run/tenants-ca/test-a",
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test-a-ca-bundle",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "my-ca",
},
},
},
},
},
},
},
},
},
},
{
desc: "static mode with OIDC IssuerCA configured",
stackName: "test",
stackNs: "test-ns",
tenants: &lokiv1.TenantsSpec{
Mode: lokiv1.Static,
Authentication: []lokiv1.AuthenticationSpec{
{
TenantName: "test-a",
TenantID: "a",
OIDC: &lokiv1.OIDCSpec{
IssuerCA: &lokiv1.CASpec{
CA: "my-ca",
CAKey: "my-ca-key",
},
},
},
},
},
dpl: &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test-ns",
},
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: gatewayContainerName,
Args: []string{"--tls.client-auth-type=NoClientCert"},
},
},
},
},
},
},
want: &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test-ns",
},
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: gatewayContainerName,
Args: []string{"--tls.client-auth-type=NoClientCert"},
VolumeMounts: []corev1.VolumeMount{
{
Name: "test-a-ca-bundle",
MountPath: "/var/run/tenants-ca/test-a",
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test-a-ca-bundle",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "my-ca",
},
},
},
},
},
},
},
},
},
},
{
desc: "dynamic mode with mTLS tenant configured",
stackName: "test",
stackNs: "test-ns",
tenants: &lokiv1.TenantsSpec{
Mode: lokiv1.Dynamic,
Authentication: []lokiv1.AuthenticationSpec{
{
TenantName: "test-a",
TenantID: "a",
OIDC: &lokiv1.OIDCSpec{
IssuerCA: &lokiv1.CASpec{
CA: "my-ca",
CAKey: "my-ca-key",
},
},
},
},
},
dpl: defaultGatewayDeployment(),
want: &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Namespace: "test-ns",
},
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: gatewayContainerName,
VolumeMounts: []corev1.VolumeMount{
{
Name: "test-a-ca-bundle",
MountPath: "/var/run/tenants-ca/test-a",
},
},
},
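Review bot: The case at line 768 is described as "dynamic mode with mTLS tenant configured" but its tenant spec (lines 777–782) sets `OIDC.IssuerCA`, not MTLS, so the name misdescribes what is under test and a failure would send the reader to the wrong branch of configureCAVolumes; rename it `desc: "dynamic mode with OIDC IssuerCA configured",`. The Static case at line 696 usefully asserts that `--tls.client-auth-type=NoClientCert` survives untouched when only an OIDC CA is mounted (line 741); a companion case with a tenant that sets both OIDC IssuerCA and MTLS would pin down which CA is mounted and whether the client-auth flag is rewritten. The test table continues past the end of the hunk.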

@ -27,6 +27,10 @@ func TestBuild_StaticMode(t *testing.T) {
Secret: &lokiv1.TenantSecretSpec{
Name: "test",
},
IssuerCA: &lokiv1.CASpec{
CA: "my-custom-ca",
CAKey: "special-ca.crt",
},
IssuerURL: "https://127.0.0.1:5556/dex",
RedirectURL: "https://localhost:8443/oidc/test-a/callback",
GroupClaim: "test",
@ -40,7 +44,7 @@ func TestBuild_StaticMode(t *testing.T) {
OIDC: &OIDC{
ClientID: "test",
ClientSecret: "test123",
IssuerCAPath: "/tmp/ca/path",
IssuerCAPath: "/var/run/tenants-ca/test-a/special-ca.crt",
},
},
},
@ -73,7 +77,7 @@ tenants:
oidc:
clientID: test
clientSecret: test123
issuerCAPath: /tmp/ca/path
issuerCAPath: /var/run/tenants-ca/test-a/special-ca.crt
issuerURL: https://127.0.0.1:5556/dex
redirectURL: https://localhost:8443/oidc/test-a/callback
usernameClaim: test
@ -120,7 +124,7 @@ roles:
{
TenantName: "test-a",
MTLS: &MTLS{
CAPath: "/var/run/tls/tenants/test-a/special-ca.crt",
CAPath: "/var/run/tenants-ca/test-a/special-ca.crt",
},
},
},
@ -151,7 +155,7 @@ tenants:
- name: test-a
id: test
mTLS:
caPath: /var/run/tls/tenants/test-a/special-ca.crt
caPath: /var/run/tenants-ca/test-a/special-ca.crt
opa:
query: data.lokistack.allow
paths:
@ -216,6 +220,10 @@ func TestBuild_DynamicMode(t *testing.T) {
Secret: &lokiv1.TenantSecretSpec{
Name: "test",
},
IssuerCA: &lokiv1.CASpec{
CA: "my-custom-ca",
CAKey: "special-ca.crt",
},
IssuerURL: "https://127.0.0.1:5556/dex",
RedirectURL: "https://localhost:8443/oidc/test-a/callback",
GroupClaim: "test",
@ -229,7 +237,7 @@ func TestBuild_DynamicMode(t *testing.T) {
OIDC: &OIDC{
ClientID: "test",
ClientSecret: "test123",
IssuerCAPath: "/tmp/ca/path",
IssuerCAPath: "/var/run/tenants-ca/test-a/special-ca.crt",
},
},
},
@ -240,7 +248,7 @@ tenants:
oidc:
clientID: test
clientSecret: test123
issuerCAPath: /tmp/ca/path
issuerCAPath: /var/run/tenants-ca/test-a/special-ca.crt
issuerURL: https://127.0.0.1:5556/dex
redirectURL: https://localhost:8443/oidc/test-a/callback
usernameClaim: test
@ -267,7 +275,7 @@ tenants:
{
TenantName: "test-a",
MTLS: &MTLS{
CAPath: "/var/run/tls/tenants/test-a/special-ca.crt",
CAPath: "/var/run/tenants-ca/test-a/special-ca.crt",
},
},
},
@ -276,7 +284,7 @@ tenants:
- name: test-a
id: test
mTLS:
caPath: /var/run/tls/tenants/test-a/special-ca.crt
caPath: /var/run/tenants-ca/test-a/special-ca.crt
opa:
url: http://127.0.0.1:8181/v1/data/observatorium/allow
`,

@ -97,8 +97,8 @@ const (
httpTLSDir = "/var/run/tls/http"
// grpcTLSDir is the path that is mounted from the secret for TLS
grpcTLSDir = "/var/run/tls/grpc"
// tenantMTLSDir is the path that is mounted from the configmaps for mTLS
tenantMTLSDir = "/var/run/tls/tenants"
// tenantCAsDir is the path that is mounted from the configmaps for mTLS
tenantCAsDir = "/var/run/tenants-ca"
// LokiStackCABundleDir is the path that is mounted from the configmap for TLS
caBundleDir = "/var/run/ca"
// caFile is the file name of the certificate authority file
@ -281,16 +281,16 @@ func gatewayUpstreamHTTPTLSKey() string {
return path.Join(gatewayUpstreamHTTPTLSDir(), corev1.TLSPrivateKeyKey)
}
func tenantMTLSVolumeName(tenantName string) string {
func tenantCAVolumeName(tenantName string) string {
return fmt.Sprintf("%s-ca-bundle", tenantName)
}
func tenantMTLSCADir(tennantName string) string {
return path.Join(tenantMTLSDir, tennantName)
func tenantCADir(tennantName string) string {
return path.Join(tenantCAsDir, tennantName)
}
func TenantMTLSCAPath(tennantName, key string) string {
return path.Join(tenantMTLSDir, tennantName, key)
func TenantCAPath(tennantName, key string) string {
return path.Join(tenantCAsDir, tennantName, key)
}
func gatewayClientSecretName(stackName string) string {
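Review bot: The comment on `tenantCAsDir` at line 906 still says the directory is "mounted from the configmaps for mTLS", but the rename exists precisely because OIDC issuer CAs are now mounted there too; suggest `// tenantCAsDir is the directory under which tenant CA ConfigMaps (OIDC issuer CA and mTLS CA) are mounted`. `TenantCAPath` at line 925 is exported and has no doc comment; `// TenantCAPath returns the path at which the CA file stored under key in the CA ConfigMap of tenant tennantName is mounted in the gateway container.` would satisfy the convention. The renamed helpers keep the `tennantName` misspelling; since their signatures are being rewritten anyway, this is the moment to make it `tenantName`.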
