operator: Provide community bundle for openshift community hub (#8881)

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [8881](https://github.com/grafana/loki/pull/8881) **periklis**: Provide community bundle for openshift community hub
 - [8863](https://github.com/grafana/loki/pull/8863) **periklis**: Break the API types out into their own module
 - [8878](https://github.com/grafana/loki/pull/8878) **periklis**: Refactor all type validations into own package
 - [8875](https://github.com/grafana/loki/pull/8875) **Red-GV**: Remove mutations to non-updatable statefulset fields

operator/Makefile

@@ -191,6 +191,7 @@ oci-push: ## Push the image
 .PHONY: bundle-all
 bundle-all: ## Generate both bundles.
 	$(MAKE) bundle
+	$(MAKE) bundle VARIANT=community-openshift
 	$(MAKE) bundle VARIANT=openshift
 
 .PHONY: bundle

operator/bundle/community-openshift/bundle.Dockerfile

@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=loki-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-unknown
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY ./manifests /manifests/
+COPY ./metadata /metadata/
+COPY ./tests/scorecard /tests/scorecard/

operator/bundle/community-openshift/manifests/loki-operator-controller-manager-metrics-service_v1_service.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: loki-operator-metrics
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-controller-manager-metrics-service
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    name: loki-operator-controller-manager
+status:
+  loadBalancer: {}

operator/bundle/community-openshift/manifests/loki-operator-manager-config_v1_configmap.yaml

@@ -0,0 +1,67 @@
+apiVersion: v1
+data:
+  controller_manager_config.yaml: |
+    apiVersion: config.loki.grafana.com/v1
+    kind: ProjectConfig
+    health:
+      healthProbeBindAddress: :8081
+    metrics:
+      bindAddress: 127.0.0.1:8080
+    webhook:
+      port: 9443
+    leaderElection:
+      leaderElect: false
+      resourceName: e3716011.grafana.com
+    featureGates:
+      #
+      # Monitoring feature gates
+      #
+      serviceMonitors: true
+      serviceMonitorTlsEndpoints: true
+      lokiStackAlerts: true
+      #
+      # Encryption feature gates
+      #
+      httpEncryption: true
+      grpcEncryption: true
+      builtInCertManagement:
+        enabled: true
+        # CA certificate validity: 5 years
+        caValidity: 43830h
+        # CA certificate refresh at 80% of validity
+        caRefresh: 35064h
+        # Target certificate validity: 90d
+        certValidity: 2160h
+        # Target certificate refresh at 80% of validity
+        certRefresh: 1728h
+      #
+      # Component feature gates
+      #
+      lokiStackGateway: true
+      runtimeSeccompProfile: true
+      defaultNodeAffinity: true
+      #
+      # Webhook feature gates
+      #
+      lokiStackWebhook: true
+      alertingRuleWebhook: true
+      recordingRuleWebhook: true
+      rulerConfigWebhook: true
+      #
+      # OpenShift feature gates
+      #
+      openshift:
+        servingCertsService: true
+        gatewayRoute: true
+        ruleExtendedValidation: true
+        clusterTLSPolicy: true
+        clusterProxy: true
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-manager-config

operator/bundle/community-openshift/manifests/loki-operator-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml

@@ -0,0 +1,25 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+    name: loki-operator
+  name: loki-operator-metrics-monitor
+spec:
+  endpoints:
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
+    path: /metrics
+    scheme: https
+    scrapeTimeout: 10s
+    targetPort: 8443
+    tlsConfig:
+      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+      serverName: loki-operator-controller-manager-metrics-service.kubernetes-operators.svc
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: loki-operator

operator/bundle/community-openshift/manifests/loki-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

operator/bundle/community-openshift/manifests/loki-operator-prometheus_rbac.authorization.k8s.io_v1_role.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-prometheus
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch

operator/bundle/community-openshift/manifests/loki-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: loki-operator-prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: openshift-monitoring

operator/bundle/community-openshift/manifests/loki-operator-webhook-service_v1_service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: loki-operator-webhook-service
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+status:
+  loadBalancer: {}

operator/bundle/community-openshift/manifests/loki.grafana.com_alertingrules.yaml

@@ -0,0 +1,372 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: alertingrules.loki.grafana.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: loki-operator-webhook-service
+          namespace: kubernetes-operators
+          path: /convert
+          port: 443
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: loki.grafana.com
+  names:
+    kind: AlertingRule
+    listKind: AlertingRuleList
+    plural: alertingrules
+    singular: alertingrule
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: AlertingRule is the Schema for the alertingrules API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AlertingRuleSpec defines the desired state of AlertingRule
+            properties:
+              groups:
+                description: List of groups for alerting rules.
+                items:
+                  description: AlertingRuleGroup defines a group of Loki alerting
+                    rules.
+                  properties:
+                    interval:
+                      default: 1m
+                      description: Interval defines the time interval between evaluation
+                        of the given alerting rule.
+                      pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                      type: string
+                    limit:
+                      description: Limit defines the number of alerts an alerting
+                        rule can produce. 0 is no limit.
+                      format: int32
+                      type: integer
+                    name:
+                      description: Name of the alerting rule group. Must be unique
+                        within all alerting rules.
+                      type: string
+                    rules:
+                      description: Rules defines a list of alerting rules
+                      items:
+                        description: AlertingRuleGroupSpec defines the spec for a
+                          Loki alerting rule.
+                        properties:
+                          alert:
+                            description: The name of the alert. Must be a valid label
+                              value.
+                            type: string
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            description: Annotations to add to each alert.
+                            type: object
+                          expr:
+                            description: The LogQL expression to evaluate. Every evaluation
+                              cycle this is evaluated at the current time, and all
+                              resultant time series become pending/firing alerts.
+                            type: string
+                          for:
+                            description: Alerts are considered firing once they have
+                              been returned for this long. Alerts which have not yet
+                              fired for long enough are considered pending.
+                            pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                            type: string
+                          labels:
+                            additionalProperties:
+                              type: string
+                            description: Labels to add to each alert.
+                            type: object
+                        required:
+                        - expr
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - rules
+                  type: object
+                type: array
+              tenantID:
+                description: TenantID of tenant where the alerting rules are evaluated
+                  in.
+                type: string
+            required:
+            - tenantID
+            type: object
+          status:
+            description: AlertingRuleStatus defines the observed state of AlertingRule
+            properties:
+              conditions:
+                description: Conditions of the AlertingRule generation health.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: AlertingRule is the Schema for the alertingrules API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AlertingRuleSpec defines the desired state of AlertingRule
+            properties:
+              groups:
+                description: List of groups for alerting rules.
+                items:
+                  description: AlertingRuleGroup defines a group of Loki alerting
+                    rules.
+                  properties:
+                    interval:
+                      default: 1m
+                      description: Interval defines the time interval between evaluation
+                        of the given alerting rule.
+                      pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                      type: string
+                    limit:
+                      description: Limit defines the number of alerts an alerting
+                        rule can produce. 0 is no limit.
+                      format: int32
+                      type: integer
+                    name:
+                      description: Name of the alerting rule group. Must be unique
+                        within all alerting rules.
+                      type: string
+                    rules:
+                      description: Rules defines a list of alerting rules
+                      items:
+                        description: AlertingRuleGroupSpec defines the spec for a
+                          Loki alerting rule.
+                        properties:
+                          alert:
+                            description: The name of the alert. Must be a valid label
+                              value.
+                            type: string
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            description: Annotations to add to each alert.
+                            type: object
+                          expr:
+                            description: The LogQL expression to evaluate. Every evaluation
+                              cycle this is evaluated at the current time, and all
+                              resultant time series become pending/firing alerts.
+                            type: string
+                          for:
+                            description: Alerts are considered firing once they have
+                              been returned for this long. Alerts which have not yet
+                              fired for long enough are considered pending.
+                            pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                            type: string
+                          labels:
+                            additionalProperties:
+                              type: string
+                            description: Labels to add to each alert.
+                            type: object
+                        required:
+                        - expr
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - rules
+                  type: object
+                type: array
+              tenantID:
+                description: TenantID of tenant where the alerting rules are evaluated
+                  in.
+                type: string
+            required:
+            - tenantID
+            type: object
+          status:
+            description: AlertingRuleStatus defines the observed state of AlertingRule
+            properties:
+              conditions:
+                description: Conditions of the AlertingRule generation health.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: false
+    storage: false
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

operator/bundle/community-openshift/manifests/loki.grafana.com_recordingrules.yaml

@@ -0,0 +1,340 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.3
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/version: 0.1.0
+  name: recordingrules.loki.grafana.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: loki-operator-webhook-service
+          namespace: kubernetes-operators
+          path: /convert
+          port: 443
+      conversionReviewVersions:
+      - v1
+      - v1beta1
+  group: loki.grafana.com
+  names:
+    kind: RecordingRule
+    listKind: RecordingRuleList
+    plural: recordingrules
+    singular: recordingrule
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: RecordingRule is the Schema for the recordingrules API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RecordingRuleSpec defines the desired state of RecordingRule
+            properties:
+              groups:
+                description: List of groups for recording rules.
+                items:
+                  description: RecordingRuleGroup defines a group of Loki  recording
+                    rules.
+                  properties:
+                    interval:
+                      default: 1m
+                      description: Interval defines the time interval between evaluation
+                        of the given recoding rule.
+                      pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                      type: string
+                    limit:
+                      description: Limit defines the number of series a recording
+                        rule can produce. 0 is no limit.
+                      format: int32
+                      type: integer
+                    name:
+                      description: Name of the recording rule group. Must be unique
+                        within all recording rules.
+                      type: string
+                    rules:
+                      description: Rules defines a list of recording rules
+                      items:
+                        description: RecordingRuleGroupSpec defines the spec for a
+                          Loki recording rule.
+                        properties:
+                          expr:
+                            description: The LogQL expression to evaluate. Every evaluation
+                              cycle this is evaluated at the current time, and all
+                              resultant time series become pending/firing alerts.
+                            type: string
+                          record:
+                            description: The name of the time series to output to.
+                              Must be a valid metric name.
+                            type: string
+                        required:
+                        - expr
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - rules
+                  type: object
+                type: array
+              tenantID:
+                description: TenantID of tenant where the recording rules are evaluated
+                  in.
+                type: string
+            required:
+            - tenantID
+            type: object
+          status:
+            description: RecordingRuleStatus defines the observed state of RecordingRule
+            properties:
+              conditions:
+                description: Conditions of the RecordingRule generation health.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: RecordingRule is the Schema for the recordingrules API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RecordingRuleSpec defines the desired state of RecordingRule
+            properties:
+              groups:
+                description: List of groups for recording rules.
+                items:
+                  description: RecordingRuleGroup defines a group of Loki  recording
+                    rules.
+                  properties:
+                    interval:
+                      default: 1m
+                      description: Interval defines the time interval between evaluation
+                        of the given recoding rule.
+                      pattern: ((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)
+                      type: string
+                    limit:
+                      description: Limit defines the number of series a recording
+                        rule can produce. 0 is no limit.
+                      format: int32
+                      type: integer
+                    name:
+                      description: Name of the recording rule group. Must be unique
+                        within all recording rules.
+                      type: string
+                    rules:
+                      description: Rules defines a list of recording rules
+                      items:
+                        description: RecordingRuleGroupSpec defines the spec for a
+                          Loki recording rule.
+                        properties:
+                          expr:
+                            description: The LogQL expression to evaluate. Every evaluation
+                              cycle this is evaluated at the current time, and all
+                              resultant time series become pending/firing alerts.
+                            type: string
+                          record:
+                            description: The name of the time series to output to.
+                              Must be a valid metric name.
+                            type: string
+                        required:
+                        - expr
+                        type: object
+                      type: array
+                  required:
+                  - name
+                  - rules
+                  type: object
+                type: array
+              tenantID:
+                description: TenantID of tenant where the recording rules are evaluated
+                  in.
+                type: string
+            required:
+            - tenantID
+            type: object
+          status:
+            description: RecordingRuleStatus defines the observed state of RecordingRule
+            properties:
+              conditions:
+                description: Conditions of the RecordingRule generation health.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: false
+    storage: false
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

operator/bundle/community-openshift/metadata/annotations.yaml

@@ -0,0 +1,15 @@
+annotations:
+  # Core bundle annotations.
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: loki-operator
+  operators.operatorframework.io.bundle.channels.v1: alpha
+  operators.operatorframework.io.bundle.channel.default.v1: alpha
+  operators.operatorframework.io.metrics.builder: operator-sdk-unknown
+  operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+  operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
+
+  # Annotations for testing.
+  operators.operatorframework.io.test.mediatype.v1: scorecard+v1
+  operators.operatorframework.io.test.config.v1: tests/scorecard/

operator/bundle/community-openshift/tests/scorecard/config.yaml

@@ -0,0 +1,70 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+  name: config
+stages:
+- parallel: true
+  tests:
+  - entrypoint:
+    - scorecard-test
+    - basic-check-spec
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: basic
+      test: basic-check-spec-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-bundle-validation
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: olm
+      test: olm-bundle-validation-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-crds-have-validation
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: olm
+      test: olm-crds-have-validation-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-crds-have-resources
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: olm
+      test: olm-crds-have-resources-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-spec-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: olm
+      test: olm-spec-descriptors-test
+    storage:
+      spec:
+        mountPath: {}
+  - entrypoint:
+    - scorecard-test
+    - olm-status-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.4.0
+    labels:
+      suite: olm
+      test: olm-status-descriptors-test
+    storage:
+      spec:
+        mountPath: {}
+storage:
+  spec:
+    mountPath: {}

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:main-39f2856
-    createdAt: "2023-03-17T05:07:17Z"
+    createdAt: "2023-03-23T18:39:42Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1186,6 +1186,15 @@ spec:
 
     * Kubernetes Custom Resources: Use Kubernetes custom resources to deploy and manage Loki, Alerting rules, Recording rules, and related components.
     * Simplified Deployment Configuration: Configure the fundamentals of Loki like tenants, limits, replication factor and storage from a native Kubernetes resource.
+    ### Feature Gates
+
+    The Loki Operator Bundle provides a set of feature gates that enable/disable specific feature depending on the target Kubernetes distribution. The following feature gates are enabled by default:
+    * `lokiStackGateway`: Enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki.
+    * `runtimeSeccompProfile`: Enables the restricted seccomp profile on all Lokistack components.
+    * `lokiStackWebhook`: Enables the LokiStack CR validation and conversion webhooks.
+    * `alertingRuleWebhook`: Enables the AlertingRule CR validation webhook.
+    * `recordingRuleWebhook`: Enables the RecordingRule CR validation webhook.
+    * `rulerConfigWebhook`: Enables the RulerConfig CR validation webhook.
 
     ### Before you start
 

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:v0.1.0
-    createdAt: "2023-03-17T05:07:19Z"
+    createdAt: "2023-03-23T18:39:47Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements

operator/config/manifests/community-openshift/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- ../../overlays/community-openshift
+- ../../samples
+- ../../scorecard

operator/config/manifests/community/bases/loki-operator.clusterserviceversion.yaml

@@ -2003,6 +2003,15 @@ spec:
 
     * Kubernetes Custom Resources: Use Kubernetes custom resources to deploy and manage Loki, Alerting rules, Recording rules, and related components.
     * Simplified Deployment Configuration: Configure the fundamentals of Loki like tenants, limits, replication factor and storage from a native Kubernetes resource.
+    ### Feature Gates
+
+    The Loki Operator Bundle provides a set of feature gates that enable/disable specific feature depending on the target Kubernetes distribution. The following feature gates are enabled by default:
+    * `lokiStackGateway`: Enables reconciling the reverse-proxy lokistack-gateway component for multi-tenant authentication/authorization traffic control to Loki.
+    * `runtimeSeccompProfile`: Enables the restricted seccomp profile on all Lokistack components.
+    * `lokiStackWebhook`: Enables the LokiStack CR validation and conversion webhooks.
+    * `alertingRuleWebhook`: Enables the AlertingRule CR validation webhook.
+    * `recordingRuleWebhook`: Enables the RecordingRule CR validation webhook.
+    * `rulerConfigWebhook`: Enables the RulerConfig CR validation webhook.
 
     ### Before you start
 

operator/config/overlays/community-openshift/controller_manager_config.yaml

@@ -0,0 +1,55 @@
+apiVersion: config.loki.grafana.com/v1
+kind: ProjectConfig
+health:
+  healthProbeBindAddress: :8081
+metrics:
+  bindAddress: 127.0.0.1:8080
+webhook:
+  port: 9443
+leaderElection:
+  leaderElect: false
+  resourceName: e3716011.grafana.com
+featureGates:
+  #
+  # Monitoring feature gates
+  #
+  serviceMonitors: true
+  serviceMonitorTlsEndpoints: true
+  lokiStackAlerts: true
+  #
+  # Encryption feature gates
+  #
+  httpEncryption: true
+  grpcEncryption: true
+  builtInCertManagement:
+    enabled: true
+    # CA certificate validity: 5 years
+    caValidity: 43830h
+    # CA certificate refresh at 80% of validity
+    caRefresh: 35064h
+    # Target certificate validity: 90d
+    certValidity: 2160h
+    # Target certificate refresh at 80% of validity
+    certRefresh: 1728h
+  #
+  # Component feature gates
+  #
+  lokiStackGateway: true
+  runtimeSeccompProfile: true
+  defaultNodeAffinity: true
+  #
+  # Webhook feature gates
+  #
+  lokiStackWebhook: true
+  alertingRuleWebhook: true
+  recordingRuleWebhook: true
+  rulerConfigWebhook: true
+  #
+  # OpenShift feature gates
+  #
+  openshift:
+    servingCertsService: true
+    gatewayRoute: true
+    ruleExtendedValidation: true
+    clusterTLSPolicy: true
+    clusterProxy: true

operator/config/overlays/community-openshift/kustomization.yaml

@@ -0,0 +1,30 @@
+resources:
+- ./../openshift
+
+# Adds namespace to all resources.
+namespace: kubernetes-operators
+
+labels:
+- pairs:
+    app.kubernetes.io/name: loki-operator
+    app.kubernetes.io/part-of: loki-operator
+    app.kubernetes.io/managed-by: operator-lifecycle-manager
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/instance: loki-operator-v0.1.0
+    app.kubernetes.io/version: "0.1.0"
+
+configMapGenerator:
+- files:
+  - controller_manager_config.yaml
+  name: manager-config
+  behavior: replace
+
+patchesStrategicMerge:
+- manager_related_image_patch.yaml
+- prometheus_service_monitor_patch.yaml
+
+images:
+- name: controller
+  newName: docker.io/grafana/loki-operator
+  newTag: main-39f2856

operator/config/overlays/community-openshift/manager_related_image_patch.yaml

@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+          - name: RELATED_IMAGE_LOKI
+            value: docker.io/grafana/loki:2.7.4
+          - name: RELATED_IMAGE_GATEWAY
+            value: quay.io/observatorium/api:latest
+          - name: RELATED_IMAGE_OPA
+            value: quay.io/observatorium/opa-openshift:latest

operator/config/overlays/community-openshift/prometheus_service_monitor_patch.yaml

@@ -0,0 +1,17 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: loki-operator
+  name: metrics-monitor
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      path: /metrics
+      targetPort: 8443
+      scheme: https
+      interval: 30s
+      scrapeTimeout: 10s
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: loki-operator-controller-manager-metrics-service.kubernetes-operators.svc

operator/hack/operatorhub.sh

@@ -17,7 +17,7 @@ if [[ ! -d "${LOCAL_REPOSITORIES_PATH}/${UPSTREAM_REPOSITORY}" ]]; then
 fi
 
 SOURCE_DIR=$(pwd)
-VERSION=$(grep "VERSION ?= " Makefile | awk -F= '{print $3}' | xargs)
+VERSION=$(grep "VERSION ?= " Makefile | awk -F= '{print $2}' | xargs)
 
 for dest in ${COMMUNITY_OPERATORS_REPOSITORY} ${UPSTREAM_REPOSITORY}; do
     (
@@ -34,7 +34,11 @@ for dest in ${COMMUNITY_OPERATORS_REPOSITORY} ${UPSTREAM_REPOSITORY}; do
         git rebase -q upstream/main
 
         mkdir -p "operators/loki-operator/${VERSION}"
-        cp -r "${SOURCE_DIR}/bundle/community"/* "operators/loki-operator/${VERSION}/"
+        if [[ "${dest}" = "${UPSTREAM_REPOSITORY}" ]]; then
+            cp -r "${SOURCE_DIR}/bundle/community-openshift"/* "operators/loki-operator/${VERSION}/"
+        else
+            cp -r "${SOURCE_DIR}/bundle/community"/* "operators/loki-operator/${VERSION}/"
+        fi
         rm "operators/loki-operator/${VERSION}/bundle.Dockerfile"
 
         if [[ "${dest}" = "${UPSTREAM_REPOSITORY}" ]]; then