apitech
/
loki
mirror of https://github.com/grafana/loki
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

chore(operator) Revert "feat(operator): Add support for Swift TLS CA configuration" (#12693)

Browse Source
pull/10708/head^2
Bayan Taani 2 years ago committed by GitHub
parent 6d307e5da7
commit b5a7255fa4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 23 additions and 247 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      operator/CHANGELOG.md
  2. 66
      operator/internal/manifests/storage/configure.go
  3. 202
      operator/internal/manifests/storage/configure_test.go

2
operator/CHANGELOG.md
Unescape View File

@ -1,7 +1,5 @@
## Main
- [11708](https://github.com/grafana/loki/pull/11708) **btaani**: Add support for Swift TLS CA configuration
## 0.6.0 (2024-03-19)
- [12228](https://github.com/grafana/loki/pull/12228) **xperimental**: Restructure LokiStack metrics

66
operator/internal/manifests/storage/configure.go
Unescape View File

@ -29,23 +29,17 @@ var (
// based on the object storage type. Currently supported amendments:
// - All: Ensure object storage secret mounted and auth projected as env vars.
// - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
// - S3: Ensure mounting custom CA configmap if any TLSConfig given
func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
switch opts.SharedStore {
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
return configureDeployment(d, opts)
case lokiv1.ObjectStorageSecretS3:
err := configureDeployment(d, opts)
if err != nil {
return err
}
return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
err := configureDeployment(d, opts)
if err != nil {
return err
}
return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
return configureDeploymentCA(d, opts.TLS)
default:
return nil
}
@ -55,21 +49,16 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
// based on the object storage type. Currently supported amendments:
// - All: Ensure object storage secret mounted and auth projected as env vars.
// - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
// - S3: Ensure mounting custom CA configmap if any TLSConfig given
func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error {
switch opts.SharedStore {
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
return configureStatefulSet(d, opts)
case lokiv1.ObjectStorageSecretS3:
if err := configureStatefulSet(d, opts); err != nil {
return err
}
return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
if err := configureStatefulSet(d, opts); err != nil {
return err
}
return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
return configureStatefulSetCA(d, opts.TLS)
default:
return nil
}
@ -86,22 +75,16 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error {
return nil
}
// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec.
func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec.
func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error {
if tls == nil {
return nil
}
var p corev1.PodSpec
switch secretType {
case lokiv1.ObjectStorageSecretS3:
p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
}
p := ensureCAForS3(&d.Spec.Template.Spec, tls)
if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge object storage ca options ")
return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
}
return nil
@ -118,22 +101,16 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error {
return nil
}
// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec.
func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec.
func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
if tls == nil {
return nil
}
var p corev1.PodSpec
switch secretType {
case lokiv1.ObjectStorageSecretS3:
p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
}
p := ensureCAForS3(&s.Spec.Template.Spec, tls)
if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge object storage ca options ")
return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
}
return nil
@ -269,7 +246,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar {
}
}
func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec {
func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
container := p.Containers[0].DeepCopy()
volumes := p.Volumes
@ -290,16 +267,9 @@ func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType loki
MountPath: caDirectory,
})
switch secretType {
case lokiv1.ObjectStorageSecretS3:
container.Args = append(container.Args,
fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)
case lokiv1.ObjectStorageSecretSwift:
container.Args = append(container.Args,
fmt.Sprintf("-swift.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)
}
container.Args = append(container.Args,
fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)
return corev1.PodSpec{
Containers: []corev1.Container{

202
operator/internal/manifests/storage/configure_test.go
Unescape View File

@ -2505,102 +2505,6 @@ func TestConfigureDeploymentForStorageCA(t *testing.T) {
},
},
},
{
desc: "object storage Swift",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
Key: "service-ca.crt",
},
},
dpl: &appsv1.Deployment{
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-querier",
},
},
},
},
},
},
want: &appsv1.Deployment{
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-querier",
VolumeMounts: []corev1.VolumeMount{
{
Name: "test",
ReadOnly: false,
MountPath: "/etc/storage/secrets",
},
{
Name: "storage-tls",
ReadOnly: false,
MountPath: "/etc/storage/ca",
},
},
Args: []string{
"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
},
Env: []corev1.EnvVar{
{
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftUsername,
},
},
},
{
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftPassword,
},
},
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "test",
},
},
},
{
Name: "storage-tls",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
},
},
},
},
},
},
},
},
},
}
for _, tc := range tc {
@ -2627,7 +2531,7 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
desc: "object storage other than S3",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretAzure,
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
},
@ -2661,24 +2565,24 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
},
Env: []corev1.EnvVar{
{
Name: EnvAzureStorageAccountName,
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeyAzureStorageAccountName,
Key: KeySwiftUsername,
},
},
},
{
Name: EnvAzureStorageAccountKey,
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeyAzureStorageAccountKey,
Key: KeySwiftPassword,
},
},
},
@ -2796,102 +2700,6 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
},
},
},
{
desc: "object storage Swift",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
Key: "service-ca.crt",
},
},
sts: &appsv1.StatefulSet{
Spec: appsv1.StatefulSetSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-ingester",
},
},
},
},
},
},
want: &appsv1.StatefulSet{
Spec: appsv1.StatefulSetSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-ingester",
VolumeMounts: []corev1.VolumeMount{
{
Name: "test",
ReadOnly: false,
MountPath: "/etc/storage/secrets",
},
{
Name: "storage-tls",
ReadOnly: false,
MountPath: "/etc/storage/ca",
},
},
Args: []string{
"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
},
Env: []corev1.EnvVar{
{
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftUsername,
},
},
},
{
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftPassword,
},
},
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "test",
},
},
},
{
Name: "storage-tls",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
},
},
},
},
},
},
},
},
},
}
for _, tc := range tc {

Write Preview
Loading…
Cancel
Save