operator: Allow multiple matchers for multi-tenancy with Network tenant (#8192)

2 years ago · 688a392db2
parent f125682802
commit 688a392db2
3 changed files with 18 additions and 7 deletions
--- a/operator/CHANGELOG.md
+++ b/operator/CHANGELOG.md
@ -1,5 +1,6 @@
 ## Main

+- [8192](https://github.com/grafana/loki/pull/8192) **jotak**: Allow multiple matchers for multi-tenancy with Network tenant (OpenShift)
 - [8800](https://github.com/grafana/loki/pull/8800) **aminesnow**: Promote AlertingRules, RecordingRules and RulerConfig from v1beta1 to v1
 - [8792](https://github.com/grafana/loki/pull/8792) **orenc1**: Improve documentation for LokiStack installation with ODF Object Storage
 - [8791](https://github.com/grafana/loki/pull/8791) **periklis**: Expand OLM skip range for OpenShift Logging 5.7 release (OpenShift)
--- a/operator/internal/manifests/gateway_tenants_test.go
+++ b/operator/internal/manifests/gateway_tenants_test.go
@ -523,6 +523,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--web.internal.listen=:8083",
 										"--web.healthchecks.url=http://localhost:8082",
 										"--opa.package=lokistack",
+										"--opa.matcher=SrcK8S_Namespace,DstK8S_Namespace",
+										"--opa.matcher-op=or",
 										`--openshift.mappings=network=loki.grafana.com`,
 									},
 									Ports: []corev1.ContainerPort{
@ -625,6 +627,8 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 										"--web.internal.listen=:8083",
 										"--web.healthchecks.url=http://localhost:8082",
 										"--opa.package=lokistack",
+										"--opa.matcher=SrcK8S_Namespace,DstK8S_Namespace",
+										"--opa.matcher-op=or",
 										"--tls.internal.server.cert-file=/var/run/tls/http/server/tls.crt",
 										"--tls.internal.server.key-file=/var/run/tls/http/server/tls.key",
 										"--tls.min-version=min-version",
--- a/operator/internal/manifests/openshift/opa_openshift.go
+++ b/operator/internal/manifests/openshift/opa_openshift.go
@ -12,13 +12,14 @@ import (
 )

 const (
-	envRelatedImageOPA     = "RELATED_IMAGE_OPA"
-	defaultOPAImage        = "quay.io/observatorium/opa-openshift:latest"
-	opaContainerName       = "opa"
-	opaDefaultPackage      = "lokistack"
-	opaDefaultAPIGroup     = "loki.grafana.com"
-	opaMetricsPortName     = "opa-metrics"
-	opaDefaultLabelMatcher = "kubernetes_namespace_name"
+	envRelatedImageOPA      = "RELATED_IMAGE_OPA"
+	defaultOPAImage         = "quay.io/observatorium/opa-openshift:latest"
+	opaContainerName        = "opa"
+	opaDefaultPackage       = "lokistack"
+	opaDefaultAPIGroup      = "loki.grafana.com"
+	opaMetricsPortName      = "opa-metrics"
+	opaDefaultLabelMatcher  = "kubernetes_namespace_name"
+	opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace"
 )

 func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, minTLSVersion, ciphers string, withTLS bool) corev1.Container {
@ -49,6 +50,11 @@ func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, mi
 		args = append(args, []string{
 			fmt.Sprintf("--opa.matcher=%s", opaDefaultLabelMatcher),
 		}...)
+	} else {
+		args = append(args, []string{
+			fmt.Sprintf("--opa.matcher=%s", opaNetworkLabelMatchers),
+			"--opa.matcher-op=or",
+		}...)
 	}

 	if withTLS {