chore(operator) Revert "feat(operator): Add support for Swift TLS CA …
…configuration" (#12693)
btaani authored Apr 22, 2024
1 parent 6d307e5 commit b5a7255
Showing 3 changed files with 23 additions and 247 deletions.
2 changes: 0 additions & 2 deletions operator/CHANGELOG.md
@@ -1,7 +1,5 @@
## Main

- [11708](https://github.com/grafana/loki/pull/11708) **btaani**: Add support for Swift TLS CA configuration

## 0.6.0 (2024-03-19)

- [12228](https://github.com/grafana/loki/pull/12228) **xperimental**: Restructure LokiStack metrics
66 changes: 18 additions & 48 deletions operator/internal/manifests/storage/configure.go
Expand Up @@ -29,23 +29,17 @@ var (
// based on the object storage type. Currently supported amendments:
// - All: Ensure object storage secret mounted and auth projected as env vars.
// - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
// - S3: Ensure mounting custom CA configmap if any TLSConfig given
func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
switch opts.SharedStore {
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
return configureDeployment(d, opts)
case lokiv1.ObjectStorageSecretS3:
err := configureDeployment(d, opts)
if err != nil {
return err
}
return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
err := configureDeployment(d, opts)
if err != nil {
return err
}
return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
return configureDeploymentCA(d, opts.TLS)
default:
return nil
}
Expand All @@ -55,21 +49,16 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
// based on the object storage type. Currently supported amendments:
// - All: Ensure object storage secret mounted and auth projected as env vars.
// - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
// - S3: Ensure mounting custom CA configmap if any TLSConfig given
func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error {
switch opts.SharedStore {
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
return configureStatefulSet(d, opts)
case lokiv1.ObjectStorageSecretS3:
if err := configureStatefulSet(d, opts); err != nil {
return err
}
return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
if err := configureStatefulSet(d, opts); err != nil {
return err
}
return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
return configureStatefulSetCA(d, opts.TLS)
default:
return nil
}
Expand All @@ -86,22 +75,16 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error {
return nil
}

// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec.
func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec.
func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error {
if tls == nil {
return nil
}

var p corev1.PodSpec
switch secretType {
case lokiv1.ObjectStorageSecretS3:
p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
}
p := ensureCAForS3(&d.Spec.Template.Spec, tls)

if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge object storage ca options ")
return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
}

return nil
Expand All @@ -118,22 +101,16 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error {
return nil
}

// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec.
func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec.
func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
if tls == nil {
return nil
}
var p corev1.PodSpec

switch secretType {
case lokiv1.ObjectStorageSecretS3:
p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
case lokiv1.ObjectStorageSecretSwift:
p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
}
p := ensureCAForS3(&s.Spec.Template.Spec, tls)

if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge object storage ca options ")
return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
}

return nil
Expand Down Expand Up @@ -269,7 +246,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar {
}
}

func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec {
func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
container := p.Containers[0].DeepCopy()
volumes := p.Volumes

Expand All @@ -290,16 +267,9 @@ func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType loki
MountPath: caDirectory,
})

switch secretType {
case lokiv1.ObjectStorageSecretS3:
container.Args = append(container.Args,
fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)
case lokiv1.ObjectStorageSecretSwift:
container.Args = append(container.Args,
fmt.Sprintf("-swift.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)
}
container.Args = append(container.Args,
fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
)

return corev1.PodSpec{
Containers: []corev1.Container{
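Review bot: With Swift folded into the pass-through case at the new `case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:` line, a LokiStack that still carries a Swift `opts.TLS` CA configuration is accepted without complaint and the CA ConfigMap is never mounted, so the Swift client silently falls back to whatever trust store the image ships — a misconfiguration that only shows up later as a handshake failure, or not at all if the endpoint happens to chain to a public CA. I would fail loudly instead of dropping the setting, `if opts.TLS != nil { return fmt.Errorf("tls ca configuration is only supported for s3 object storage, got %q", opts.SharedStore) }` ahead of `return configureDeployment(d, opts)`, with the same guard in `ConfigureStatefulSet`; the CHANGELOG hunk suggests the Swift TLS support only ever lived in the unreleased Main section, so rejecting it should not break released users, though that is inferred rather than visible here. If the intent is to keep this function permissive and validate in the CRD webhook instead, a comment on that case line stating that `opts.TLS` is intentionally ignored for these store types would at least make the silent behaviour an explicit contract.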
202 changes: 5 additions & 197 deletions operator/internal/manifests/storage/configure_test.go
Expand Up @@ -2505,102 +2505,6 @@ func TestConfigureDeploymentForStorageCA(t *testing.T) {
},
},
},
{
desc: "object storage Swift",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
Key: "service-ca.crt",
},
},
dpl: &appsv1.Deployment{
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-querier",
},
},
},
},
},
},
want: &appsv1.Deployment{
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-querier",
VolumeMounts: []corev1.VolumeMount{
{
Name: "test",
ReadOnly: false,
MountPath: "/etc/storage/secrets",
},
{
Name: "storage-tls",
ReadOnly: false,
MountPath: "/etc/storage/ca",
},
},
Args: []string{
"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
},
Env: []corev1.EnvVar{
{
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftUsername,
},
},
},
{
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftPassword,
},
},
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "test",
},
},
},
{
Name: "storage-tls",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
},
},
},
},
},
},
},
},
},
}

for _, tc := range tc {
Expand All @@ -2627,7 +2531,7 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
desc: "object storage other than S3",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretAzure,
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
},
Expand Down Expand Up @@ -2661,24 +2565,24 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
},
Env: []corev1.EnvVar{
{
Name: EnvAzureStorageAccountName,
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeyAzureStorageAccountName,
Key: KeySwiftUsername,
},
},
},
{
Name: EnvAzureStorageAccountKey,
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeyAzureStorageAccountKey,
Key: KeySwiftPassword,
},
},
},
Expand Down Expand Up @@ -2796,102 +2700,6 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
},
},
},
{
desc: "object storage Swift",
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretSwift,
TLS: &TLSConfig{
CA: "test",
Key: "service-ca.crt",
},
},
sts: &appsv1.StatefulSet{
Spec: appsv1.StatefulSetSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-ingester",
},
},
},
},
},
},
want: &appsv1.StatefulSet{
Spec: appsv1.StatefulSetSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "loki-ingester",
VolumeMounts: []corev1.VolumeMount{
{
Name: "test",
ReadOnly: false,
MountPath: "/etc/storage/secrets",
},
{
Name: "storage-tls",
ReadOnly: false,
MountPath: "/etc/storage/ca",
},
},
Args: []string{
"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
},
Env: []corev1.EnvVar{
{
Name: EnvSwiftUsername,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftUsername,
},
},
},
{
Name: EnvSwiftPassword,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
Key: KeySwiftPassword,
},
},
},
},
},
},
Volumes: []corev1.Volume{
{
Name: "test",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "test",
},
},
},
{
Name: "storage-tls",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "test",
},
},
},
},
},
},
},
},
},
},
}

for _, tc := range tc {
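Review bot: The case kept under `desc: "object storage other than S3"` now combines `SharedStore: lokiv1.ObjectStorageSecretSwift` with a non-nil `TLS: &TLSConfig{CA: "test"}`, so the table is pinning that a user-supplied CA is quietly discarded for Swift rather than documenting that as a deliberate contract; the `want` side is mostly outside the visible hunks, but the description implies no CA mount is expected. If that is the intended behaviour, say so in the case name, `desc: "object storage Swift ignores TLS config"`, and add a one-line comment on the `TLS:` field noting the config is expected to be dropped; if it is not intended, the expectation should be an error rather than a successful spec. The enclosing `TestConfigureStatefulSetForStorageCA` table starts and ends outside the hunk, so I cannot see whether a matching Deployment-side case exists.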
