diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
index f10317f2d921d..fc3e8e224855d 100644
--- a/operator/CHANGELOG.md
+++ b/operator/CHANGELOG.md
@@ -1,5 +1,6 @@
## Main
+- [12165](https://github.com/grafana/loki/pull/12165) **JoaoBraveCoding**: Change attribute value used for CCO-based credential mode
- [12157](https://github.com/grafana/loki/pull/12157) **periklis**: Fix managed auth features annotation for community-openshift bundle
- [12104](https://github.com/grafana/loki/pull/12104) **periklis**: Upgrade build and runtime dependencies
- [11928](https://github.com/grafana/loki/pull/11928) **periklis**: Fix remote write client timeout config rename
diff --git a/operator/apis/config/v1/projectconfig_types.go b/operator/apis/config/v1/projectconfig_types.go
index 8e510b5d3ab79..25656e2ea01ae 100644
--- a/operator/apis/config/v1/projectconfig_types.go
+++ b/operator/apis/config/v1/projectconfig_types.go
@@ -52,9 +52,9 @@ type OpenShiftFeatureGates struct {
// Dashboards enables the loki-mixin dashboards into the OpenShift Console
Dashboards bool `json:"dashboards,omitempty"`
- // ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
+ // TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
// that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
- ManagedAuthEnv bool
+ TokenCCOAuthEnv bool
}
// FeatureGates is the supported set of all operator feature gates.
diff --git a/operator/apis/loki/v1/lokistack_types.go b/operator/apis/loki/v1/lokistack_types.go
index 00ac658ec475b..f347feccf9c22 100644
--- a/operator/apis/loki/v1/lokistack_types.go
+++ b/operator/apis/loki/v1/lokistack_types.go
@@ -1070,12 +1070,10 @@ const (
ReasonMissingObjectStorageSecret LokiStackConditionReason = "MissingObjectStorageSecret"
// ReasonInvalidObjectStorageSecret when the format of the secret is invalid.
ReasonInvalidObjectStorageSecret LokiStackConditionReason = "InvalidObjectStorageSecret"
- // ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
- // storage is missing.
- ReasonMissingCredentialsRequest LokiStackConditionReason = "MissingCredentialsRequest"
- // ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
- // storage is missing.
- ReasonMissingManagedAuthSecret LokiStackConditionReason = "MissingManagedAuthenticationSecret"
+ // ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
+ // This is usually a transient error because the secret is not immediately available after creating the
+ // CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.
+ ReasonMissingTokenCCOAuthSecret LokiStackConditionReason = "MissingTokenCCOAuthenticationSecret"
// ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).
ReasonInvalidObjectStorageSchema LokiStackConditionReason = "InvalidObjectStorageSchema"
// ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
@@ -1204,7 +1202,7 @@ type LokiStackComponentStatus struct {
// CredentialMode represents the type of authentication used for accessing the object storage.
//
-// +kubebuilder:validation:Enum=static;token;managed
+// +kubebuilder:validation:Enum=static;token;token-cco
type CredentialMode string
const (
@@ -1216,11 +1214,11 @@ const (
// Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
// much more granular control. This authentication mode is not supported for all object storage types.
CredentialModeToken CredentialMode = "token"
- // CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
- // This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
- // it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
- // This mode is only supported for certain object storage types in certain runtime environments.
- CredentialModeManaged CredentialMode = "managed"
+ // CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
+ // This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
+ // it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
+ // a secret. This mode is only supported for certain object storage types in certain runtime environments.
+ CredentialModeTokenCCO CredentialMode = "token-cco"
)
// LokiStackStorageStatus defines the observed state of
diff --git a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
index 4d422b62a3abb..01cf5ae69027c 100644
--- a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
- createdAt: "2024-03-11T16:01:17Z"
+ createdAt: "2024-03-12T09:52:37Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
features.operators.openshift.io/disconnected: "true"
diff --git a/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml
index 71efdfb7c3be5..1c0dfd4b54082 100644
--- a/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml
+++ b/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml
@@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
name:
description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
schemas:
description: |-
diff --git a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
index f40439a62db9d..75d0690ffdfcd 100644
--- a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
- createdAt: "2024-03-11T16:01:16Z"
+ createdAt: "2024-03-12T09:52:36Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
operators.operatorframework.io/builder: operator-sdk-unknown
diff --git a/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml
index 9c79db16a41f4..9087671517f2a 100644
--- a/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml
+++ b/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml
@@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
name:
description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
schemas:
description: |-
diff --git a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
index 3481885ec84cb..aafba3b3a6574 100644
--- a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: quay.io/openshift-logging/loki-operator:0.1.0
- createdAt: "2024-03-11T16:01:19Z"
+ createdAt: "2024-03-12T09:52:39Z"
description: |
The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
## Prerequisites and Requirements
diff --git a/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml
index 61f0728b49829..595812b06f2db 100644
--- a/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml
+++ b/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml
@@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
name:
description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
schemas:
description: |-
diff --git a/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml b/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
index 28470614faecd..b38108dd80a1a 100644
--- a/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
+++ b/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
@@ -617,7 +617,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
name:
description: Name of a secret in the namespace configured
@@ -3801,7 +3801,7 @@ spec:
enum:
- static
- token
- - managed
+ - token-cco
type: string
schemas:
description: |-
diff --git a/operator/controllers/loki/lokistack_controller.go b/operator/controllers/loki/lokistack_controller.go
index df768c6d4dd06..22b94395418a7 100644
--- a/operator/controllers/loki/lokistack_controller.go
+++ b/operator/controllers/loki/lokistack_controller.go
@@ -110,7 +110,7 @@ type LokiStackReconciler struct {
Log logr.Logger
Scheme *runtime.Scheme
FeatureGates configv1.FeatureGates
- AuthConfig *config.ManagedAuthConfig
+ AuthConfig *config.TokenCCOAuthConfig
}
// +kubebuilder:rbac:groups=loki.grafana.com,resources=lokistacks,verbs=get;list;watch;create;update;patch;delete
@@ -179,7 +179,7 @@ func (r *LokiStackReconciler) updateResources(ctx context.Context, req ctrl.Requ
}
}
- if r.FeatureGates.OpenShift.ManagedAuthEnv {
+ if r.FeatureGates.OpenShift.TokenCCOAuthEnv {
if err := handlers.CreateUpdateDeleteCredentialsRequest(ctx, r.Log, r.Scheme, r.AuthConfig, r.Client, req); err != nil {
return "", err
}
diff --git a/operator/docs/operator/api.md b/operator/docs/operator/api.md
index 88256ec496bdb..6c5c47775a4e1 100644
--- a/operator/docs/operator/api.md
+++ b/operator/docs/operator/api.md
@@ -1115,13 +1115,7 @@ string
| Description |
-"managed" |
-CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
-This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
-it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
-This mode is only supported for certain object storage types in certain runtime environments.
- |
-
"static" |
+
"static" |
CredentialModeStatic represents the usage of static, long-lived credentials stored in a Secret.
This is the default authentication mode and available for all supported object storage types.
|
@@ -1131,6 +1125,12 @@ In this mode the static configuration does not contain credentials needed for th
Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
much more granular control. This authentication mode is not supported for all object storage types.
+
"token-cco" |
+CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
+This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
+it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
+a secret. This mode is only supported for certain object storage types in certain runtime environments.
+ |
@@ -1779,10 +1779,6 @@ with the select cluster size.
"InvalidTenantsConfiguration" |
ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.
|
-
"MissingCredentialsRequest" |
-ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
-storage is missing.
- |
"MissingGatewayTenantAuthenticationConfig" |
ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config
|
@@ -1797,10 +1793,6 @@ for authentication is missing.
ReasonMissingGatewayTenantSecret when the required tenant secret
for authentication is missing.
|
-
"MissingManagedAuthenticationSecret" |
-ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
-storage is missing.
- |
"MissingObjectStorageCAConfigMap" |
ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
certificates is missing.
@@ -1813,6 +1805,11 @@ storage is missing.
| ReasonMissingRulerSecret when the required secret to authorization remote write connections
for the ruler is missing.
|
+
"MissingTokenCCOAuthenticationSecret" |
+ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
+This is usually a transient error because the secret is not immediately available after creating the
+CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.
+ |
"PendingComponents" |
ReasonPendingComponents when all/some LokiStack components pending dependencies
|
diff --git a/operator/docs/operator/feature-gates.md b/operator/docs/operator/feature-gates.md
index 189b72e4ddb12..d35609df1f8eb 100644
--- a/operator/docs/operator/feature-gates.md
+++ b/operator/docs/operator/feature-gates.md
@@ -411,13 +411,13 @@ bool
-ManagedAuthEnv
+TokenCCOAuthEnv
bool
|
- ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
+ TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
that it is running with some kind of “workload identity” (AWS STS, Azure WIF) enabled.
|
diff --git a/operator/hack/deploy-aws-storage-secret.sh b/operator/hack/deploy-aws-storage-secret.sh
index e9689321d0b22..c6fceaf4780f9 100755
--- a/operator/hack/deploy-aws-storage-secret.sh
+++ b/operator/hack/deploy-aws-storage-secret.sh
@@ -37,7 +37,7 @@ readonly access_key_id
secret_access_key=${SECRET_ACCESS_KEY:-$(aws configure get aws_secret_access_key)}
readonly secret_access_key
-# Managed authentication with/without a manually provisioned AWS Role.
+# token authentication with/without a manually provisioned AWS Role.
readonly sts=${STS:-false}
readonly role_arn=${2-}
diff --git a/operator/internal/config/managed_auth.go b/operator/internal/config/managed_auth.go
index 76f9d72f3c262..6e3dc524716b1 100644
--- a/operator/internal/config/managed_auth.go
+++ b/operator/internal/config/managed_auth.go
@@ -13,12 +13,12 @@ type AzureEnvironment struct {
Region string
}
-type ManagedAuthConfig struct {
+type TokenCCOAuthConfig struct {
AWS *AWSEnvironment
Azure *AzureEnvironment
}
-func discoverManagedAuthConfig() *ManagedAuthConfig {
+func discoverTokenCCOAuthConfig() *TokenCCOAuthConfig {
// AWS
roleARN := os.Getenv("ROLEARN")
@@ -30,13 +30,13 @@ func discoverManagedAuthConfig() *ManagedAuthConfig {
switch {
case roleARN != "":
- return &ManagedAuthConfig{
+ return &TokenCCOAuthConfig{
AWS: &AWSEnvironment{
RoleARN: roleARN,
},
}
case clientID != "" && tenantID != "" && subscriptionID != "":
- return &ManagedAuthConfig{
+ return &TokenCCOAuthConfig{
Azure: &AzureEnvironment{
ClientID: clientID,
SubscriptionID: subscriptionID,
diff --git a/operator/internal/config/options.go b/operator/internal/config/options.go
index dc54404f22450..33ce3cfde91f2 100644
--- a/operator/internal/config/options.go
+++ b/operator/internal/config/options.go
@@ -17,7 +17,7 @@ import (
// LoadConfig initializes the controller configuration, optionally overriding the defaults
// from a provided configuration file.
-func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *ManagedAuthConfig, ctrl.Options, error) {
+func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *TokenCCOAuthConfig, ctrl.Options, error) {
options := ctrl.Options{Scheme: scheme}
if configFile == "" {
return &configv1.ProjectConfig{}, nil, options, nil
@@ -28,13 +28,13 @@ func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectCon
return nil, nil, options, fmt.Errorf("failed to parse controller manager config file: %w", err)
}
- managedAuth := discoverManagedAuthConfig()
- if ctrlCfg.Gates.OpenShift.Enabled && managedAuth != nil {
- ctrlCfg.Gates.OpenShift.ManagedAuthEnv = true
+ tokenCCOAuth := discoverTokenCCOAuthConfig()
+ if ctrlCfg.Gates.OpenShift.Enabled && tokenCCOAuth != nil {
+ ctrlCfg.Gates.OpenShift.TokenCCOAuthEnv = true
}
options = mergeOptionsFromFile(options, ctrlCfg)
- return ctrlCfg, managedAuth, options, nil
+ return ctrlCfg, tokenCCOAuth, options, nil
}
func mergeOptionsFromFile(o manager.Options, cfg *configv1.ProjectConfig) manager.Options {
diff --git a/operator/internal/handlers/credentialsrequest.go b/operator/internal/handlers/credentialsrequest.go
index 0592a9602fa71..9096f15d4026f 100644
--- a/operator/internal/handlers/credentialsrequest.go
+++ b/operator/internal/handlers/credentialsrequest.go
@@ -22,7 +22,7 @@ import (
// CreateUpdateDeleteCredentialsRequest creates a new CredentialsRequest resource for a Lokistack
// to request a cloud credentials Secret resource from the OpenShift cloud-credentials-operator.
-func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, managedAuth *config.ManagedAuthConfig, k k8s.Client, req ctrl.Request) error {
+func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, tokenCCOAuth *config.TokenCCOAuthConfig, k k8s.Client, req ctrl.Request) error {
ll := log.WithValues("lokistack", req.NamespacedName, "event", "createCredentialsRequest")
var stack lokiv1.LokiStack
@@ -59,7 +59,7 @@ func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger,
LokiStackNamespace: stack.Namespace,
RulerName: manifests.RulerName(stack.Name),
},
- ManagedAuth: managedAuth,
+ TokenCCOAuth: tokenCCOAuth,
}
credReq, err := openshift.BuildCredentialsRequest(opts)
@@ -99,7 +99,7 @@ func hasManagedCredentialMode(stack *lokiv1.LokiStack) bool {
switch stack.Spec.Storage.Secret.CredentialMode {
case lokiv1.CredentialModeStatic, lokiv1.CredentialModeToken:
return false
- case lokiv1.CredentialModeManaged:
+ case lokiv1.CredentialModeTokenCCO:
return true
default:
}
diff --git a/operator/internal/handlers/credentialsrequest_test.go b/operator/internal/handlers/credentialsrequest_test.go
index e9835bd5c81e6..dfb63cf166820 100644
--- a/operator/internal/handlers/credentialsrequest_test.go
+++ b/operator/internal/handlers/credentialsrequest_test.go
@@ -57,13 +57,13 @@ func TestCreateUpdateDeleteCredentialsRequest_CreateNewResource(t *testing.T) {
NamespacedName: client.ObjectKey{Name: "my-stack", Namespace: "ns"},
}
- managedAuth := &config.ManagedAuthConfig{
+ tokenCCOAuth := &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "a-role-arn",
},
}
- err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, managedAuth, k, req)
+ err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, tokenCCOAuth, k, req)
require.NoError(t, err)
require.Equal(t, 1, k.CreateCallCount())
@@ -89,7 +89,7 @@ func TestCreateUpdateDeleteCredentialsRequest_CreateNewResourceAzure(t *testing.
NamespacedName: client.ObjectKey{Name: "my-stack", Namespace: "ns"},
}
- managedAuth := &config.ManagedAuthConfig{
+ tokenCCOAuth := &config.TokenCCOAuthConfig{
Azure: &config.AzureEnvironment{
ClientID: "test-client-id",
SubscriptionID: "test-tenant-id",
@@ -98,7 +98,7 @@ func TestCreateUpdateDeleteCredentialsRequest_CreateNewResourceAzure(t *testing.
},
}
- err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, managedAuth, k, req)
+ err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, tokenCCOAuth, k, req)
require.NoError(t, err)
require.Equal(t, 1, k.CreateCallCount())
@@ -117,7 +117,7 @@ func TestCreateUpdateDeleteCredentialsRequest_Update_WhenCredentialsRequestExist
NamespacedName: client.ObjectKey{Name: "my-stack", Namespace: "ns"},
}
- managedAuth := &config.ManagedAuthConfig{
+ tokenCCOAuth := &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "a-role-arn",
},
@@ -138,7 +138,7 @@ func TestCreateUpdateDeleteCredentialsRequest_Update_WhenCredentialsRequestExist
k := credentialsRequestFakeClient(cr, lokistack)
- err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, managedAuth, k, req)
+ err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, tokenCCOAuth, k, req)
require.NoError(t, err)
require.Equal(t, 2, k.GetCallCount())
require.Equal(t, 0, k.CreateCallCount())
@@ -150,7 +150,7 @@ func TestCreateUpdateDeleteCredentialsRequest_DeleteExisting_WhenNotManagedMode(
NamespacedName: client.ObjectKey{Name: "my-stack", Namespace: "ns"},
}
- managedAuth := &config.ManagedAuthConfig{
+ tokenCCOAuth := &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "a-role-arn",
},
@@ -178,7 +178,7 @@ func TestCreateUpdateDeleteCredentialsRequest_DeleteExisting_WhenNotManagedMode(
k := credentialsRequestFakeClient(cr, lokistack)
- err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, managedAuth, k, req)
+ err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, tokenCCOAuth, k, req)
require.NoError(t, err)
require.Equal(t, 2, k.GetCallCount())
require.Equal(t, 0, k.CreateCallCount())
@@ -191,7 +191,7 @@ func TestCreateUpdateDeleteCredentialsRequest_DoNothing_WhenNotManagedMode(t *te
NamespacedName: client.ObjectKey{Name: "my-stack", Namespace: "ns"},
}
- managedAuth := &config.ManagedAuthConfig{
+ tokenCCOAuth := &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "a-role-arn",
},
@@ -213,7 +213,7 @@ func TestCreateUpdateDeleteCredentialsRequest_DoNothing_WhenNotManagedMode(t *te
k := credentialsRequestFakeClient(nil, lokistack)
- err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, managedAuth, k, req)
+ err := CreateUpdateDeleteCredentialsRequest(context.Background(), logger, scheme, tokenCCOAuth, k, req)
require.NoError(t, err)
require.Equal(t, 2, k.GetCallCount())
require.Equal(t, 0, k.CreateCallCount())
diff --git a/operator/internal/handlers/internal/storage/secrets.go b/operator/internal/handlers/internal/storage/secrets.go
index 11cb93a6365ea..570415236a404 100644
--- a/operator/internal/handlers/internal/storage/secrets.go
+++ b/operator/internal/handlers/internal/storage/secrets.go
@@ -53,8 +53,8 @@ const gcpAccountTypeExternal = "external_account"
func getSecrets(ctx context.Context, k k8s.Client, stack *lokiv1.LokiStack, fg configv1.FeatureGates) (*corev1.Secret, *corev1.Secret, error) {
var (
- storageSecret corev1.Secret
- managedAuthSecret corev1.Secret
+ storageSecret corev1.Secret
+ tokenCCOAuthSecret corev1.Secret
)
key := client.ObjectKey{Name: stack.Spec.Storage.Secret.Name, Namespace: stack.Namespace}
@@ -69,27 +69,27 @@ func getSecrets(ctx context.Context, k k8s.Client, stack *lokiv1.LokiStack, fg c
return nil, nil, fmt.Errorf("failed to lookup lokistack storage secret: %w", err)
}
- if fg.OpenShift.ManagedAuthEnv {
+ if fg.OpenShift.TokenCCOAuthEnv {
secretName := storage.ManagedCredentialsSecretName(stack.Name)
- managedAuthCredsKey := client.ObjectKey{Name: secretName, Namespace: stack.Namespace}
- if err := k.Get(ctx, managedAuthCredsKey, &managedAuthSecret); err != nil {
+ tokenCCOAuthCredsKey := client.ObjectKey{Name: secretName, Namespace: stack.Namespace}
+ if err := k.Get(ctx, tokenCCOAuthCredsKey, &tokenCCOAuthSecret); err != nil {
if apierrors.IsNotFound(err) {
// We don't know if this is an error yet, need to wait for evaluation of CredentialMode
// For now we go with empty "managed secret", the eventual DegradedError will be returned later.
return &storageSecret, nil, nil
}
- return nil, nil, fmt.Errorf("failed to lookup OpenShift CCO managed authentication credentials secret: %w", err)
+ return nil, nil, fmt.Errorf("failed to lookup OpenShift CCO token authentication credentials secret: %w", err)
}
- return &storageSecret, &managedAuthSecret, nil
+ return &storageSecret, &tokenCCOAuthSecret, nil
}
return &storageSecret, nil, nil
}
// extractSecrets reads the k8s obj storage secret into a manifest object storage struct if valid.
-// The managed auth is also read into the manifest object under the right circumstances.
-func extractSecrets(secretSpec lokiv1.ObjectStorageSecretSpec, objStore, managedAuth *corev1.Secret, fg configv1.FeatureGates) (storage.Options, error) {
+// The token cco auth is also read into the manifest object under the right circumstances.
+func extractSecrets(secretSpec lokiv1.ObjectStorageSecretSpec, objStore, tokenCCOAuth *corev1.Secret, fg configv1.FeatureGates) (storage.Options, error) {
hash, err := hashSecretData(objStore)
if err != nil {
return storage.Options{}, errSecretHashError
@@ -98,16 +98,16 @@ func extractSecrets(secretSpec lokiv1.ObjectStorageSecretSpec, objStore, managed
openShiftOpts := storage.OpenShiftOptions{
Enabled: fg.OpenShift.Enabled,
}
- if managedAuth != nil {
- var managedAuthHash string
- managedAuthHash, err = hashSecretData(managedAuth)
+ if tokenCCOAuth != nil {
+ var tokenCCOAuthHash string
+ tokenCCOAuthHash, err = hashSecretData(tokenCCOAuth)
if err != nil {
return storage.Options{}, errSecretHashError
}
openShiftOpts.CloudCredentials = storage.CloudCredentials{
- SecretName: managedAuth.Name,
- SHA1: managedAuthHash,
+ SecretName: tokenCCOAuth.Name,
+ SHA1: tokenCCOAuthHash,
}
}
@@ -161,9 +161,9 @@ func determineCredentialMode(spec lokiv1.ObjectStorageSecretSpec, secret *corev1
return spec.CredentialMode, nil
}
- if fg.OpenShift.ManagedAuthEnv {
- // Default to managed credential mode on a managed-auth installation
- return lokiv1.CredentialModeManaged, nil
+ if fg.OpenShift.TokenCCOAuthEnv {
+ // Default to token cco credential mode on a token-cco-auth installation
+ return lokiv1.CredentialModeTokenCCO, nil
}
switch spec.Type {
@@ -298,7 +298,7 @@ func validateAzureCredentials(s *corev1.Secret, credentialMode lokiv1.Credential
}
return true, nil
- case lokiv1.CredentialModeManaged:
+ case lokiv1.CredentialModeTokenCCO:
if len(accountKey) > 0 || len(clientID) > 0 || len(tenantID) > 0 || len(subscriptionID) > 0 {
return false, errAzureManagedIdentityNoOverride
}
@@ -370,7 +370,7 @@ func extractGCSConfigSecret(s *corev1.Secret, credentialMode lokiv1.CredentialMo
WorkloadIdentity: true,
Audience: audience,
}, nil
- case lokiv1.CredentialModeManaged:
+ case lokiv1.CredentialModeTokenCCO:
return nil, fmt.Errorf("%w: type: %s credentialMode: %s", errSecretUnsupportedCredentialMode, lokiv1.ObjectStorageSecretGCS, credentialMode)
default:
}
@@ -409,7 +409,7 @@ func extractS3ConfigSecret(s *corev1.Secret, credentialMode lokiv1.CredentialMod
}
switch credentialMode {
- case lokiv1.CredentialModeManaged:
+ case lokiv1.CredentialModeTokenCCO:
cfg.STS = true
cfg.Audience = string(audience)
// Do not allow users overriding the role arn provided on Loki Operator installation
diff --git a/operator/internal/handlers/internal/storage/secrets_test.go b/operator/internal/handlers/internal/storage/secrets_test.go
index 6e4fc98f11241..80b8b48dd2418 100644
--- a/operator/internal/handlers/internal/storage/secrets_test.go
+++ b/operator/internal/handlers/internal/storage/secrets_test.go
@@ -143,7 +143,7 @@ func TestAzureExtract(t *testing.T) {
wantError: "missing secret field: subscription_id",
},
{
- name: "managed auth - no auth override",
+ name: "token cco auth - no auth override",
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{Name: "test"},
Data: map[string][]byte{
@@ -159,8 +159,8 @@ func TestAzureExtract(t *testing.T) {
},
featureGates: configv1.FeatureGates{
OpenShift: configv1.OpenShiftFeatureGates{
- Enabled: true,
- ManagedAuthEnv: true,
+ Enabled: true,
+ TokenCCOAuthEnv: true,
},
},
wantError: errAzureManagedIdentityNoOverride.Error(),
@@ -231,11 +231,11 @@ func TestAzureExtract(t *testing.T) {
},
featureGates: configv1.FeatureGates{
OpenShift: configv1.OpenShiftFeatureGates{
- Enabled: true,
- ManagedAuthEnv: true,
+ Enabled: true,
+ TokenCCOAuthEnv: true,
},
},
- wantCredentialMode: lokiv1.CredentialModeManaged,
+ wantCredentialMode: lokiv1.CredentialModeTokenCCO,
},
{
name: "all set including optional",
@@ -554,25 +554,25 @@ func TestS3Extract(t *testing.T) {
}
}
-func TestS3Extract_WithOpenShiftManagedAuth(t *testing.T) {
+func TestS3Extract_WithOpenShiftTokenCCOAuth(t *testing.T) {
fg := configv1.FeatureGates{
OpenShift: configv1.OpenShiftFeatureGates{
- Enabled: true,
- ManagedAuthEnv: true,
+ Enabled: true,
+ TokenCCOAuthEnv: true,
},
}
type test struct {
- name string
- secret *corev1.Secret
- managedAuthSecret *corev1.Secret
- wantError string
+ name string
+ secret *corev1.Secret
+ tokenCCOAuthSecret *corev1.Secret
+ wantError string
}
table := []test{
{
- name: "missing bucketnames",
- secret: &corev1.Secret{},
- managedAuthSecret: &corev1.Secret{},
- wantError: "missing secret field: bucketnames",
+ name: "missing bucketnames",
+ secret: &corev1.Secret{},
+ tokenCCOAuthSecret: &corev1.Secret{},
+ wantError: "missing secret field: bucketnames",
},
{
name: "missing region",
@@ -581,8 +581,8 @@ func TestS3Extract_WithOpenShiftManagedAuth(t *testing.T) {
"bucketnames": []byte("this,that"),
},
},
- managedAuthSecret: &corev1.Secret{},
- wantError: "missing secret field: region",
+ tokenCCOAuthSecret: &corev1.Secret{},
+ wantError: "missing secret field: region",
},
{
name: "override role_arn not allowed",
@@ -593,8 +593,8 @@ func TestS3Extract_WithOpenShiftManagedAuth(t *testing.T) {
"role_arn": []byte("role-arn"),
},
},
- managedAuthSecret: &corev1.Secret{},
- wantError: "secret field not allowed: role_arn",
+ tokenCCOAuthSecret: &corev1.Secret{},
+ wantError: "secret field not allowed: role_arn",
},
{
name: "STS all set",
@@ -605,8 +605,8 @@ func TestS3Extract_WithOpenShiftManagedAuth(t *testing.T) {
"region": []byte("a-region"),
},
},
- managedAuthSecret: &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{Name: "managed-auth"},
+ tokenCCOAuthSecret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{Name: "token-cco-auth"},
},
},
}
@@ -619,16 +619,16 @@ func TestS3Extract_WithOpenShiftManagedAuth(t *testing.T) {
Type: lokiv1.ObjectStorageSecretS3,
}
- opts, err := extractSecrets(spec, tst.secret, tst.managedAuthSecret, fg)
+ opts, err := extractSecrets(spec, tst.secret, tst.tokenCCOAuthSecret, fg)
if tst.wantError == "" {
require.NoError(t, err)
require.NotEmpty(t, opts.SecretName)
require.NotEmpty(t, opts.SecretSHA1)
require.Equal(t, lokiv1.ObjectStorageSecretS3, opts.SharedStore)
require.True(t, opts.S3.STS)
- require.Equal(t, tst.managedAuthSecret.Name, opts.OpenShift.CloudCredentials.SecretName)
+ require.Equal(t, tst.tokenCCOAuthSecret.Name, opts.OpenShift.CloudCredentials.SecretName)
require.NotEmpty(t, opts.OpenShift.CloudCredentials.SHA1)
- require.Equal(t, lokiv1.CredentialModeManaged, opts.CredentialMode)
+ require.Equal(t, lokiv1.CredentialModeTokenCCO, opts.CredentialMode)
} else {
require.EqualError(t, err, tst.wantError)
}
diff --git a/operator/internal/handlers/internal/storage/storage.go b/operator/internal/handlers/internal/storage/storage.go
index dee185a72c85a..b2d40d6cf32c1 100644
--- a/operator/internal/handlers/internal/storage/storage.go
+++ b/operator/internal/handlers/internal/storage/storage.go
@@ -20,14 +20,14 @@ import (
// - The object storage schema config is invalid.
// - The object storage CA ConfigMap is missing if one referenced.
// - The object storage CA ConfigMap data is invalid.
-// - The object storage managed auth secret is missing (Only on OpenShift STS-clusters)
+// - The object storage token cco auth secret is missing (Only on OpenShift STS-clusters)
func BuildOptions(ctx context.Context, k k8s.Client, stack *lokiv1.LokiStack, fg configv1.FeatureGates) (storage.Options, error) {
- storageSecret, managedAuthSecret, err := getSecrets(ctx, k, stack, fg)
+ storageSecret, tokenCCOAuthSecret, err := getSecrets(ctx, k, stack, fg)
if err != nil {
return storage.Options{}, err
}
- objStore, err := extractSecrets(stack.Spec.Storage.Secret, storageSecret, managedAuthSecret, fg)
+ objStore, err := extractSecrets(stack.Spec.Storage.Secret, storageSecret, tokenCCOAuthSecret, fg)
if err != nil {
return storage.Options{}, &status.DegradedError{
Message: fmt.Sprintf("Invalid object storage secret contents: %s", err),
@@ -36,11 +36,11 @@ func BuildOptions(ctx context.Context, k k8s.Client, stack *lokiv1.LokiStack, fg
}
}
- if objStore.CredentialMode == lokiv1.CredentialModeManaged && managedAuthSecret == nil {
- // If we have no managed-auth secret at this point, it is an error
+ if objStore.CredentialMode == lokiv1.CredentialModeTokenCCO && tokenCCOAuthSecret == nil {
+ // If we have no token cco auth secret at this point, it is an error
return storage.Options{}, &status.DegradedError{
Message: "Missing OpenShift cloud credentials secret",
- Reason: lokiv1.ReasonMissingManagedAuthSecret,
+ Reason: lokiv1.ReasonMissingTokenCCOAuthSecret,
Requeue: true,
}
}
diff --git a/operator/internal/handlers/internal/storage/storage_test.go b/operator/internal/handlers/internal/storage/storage_test.go
index 9a11f6b2a8a02..3e805c60a5be2 100644
--- a/operator/internal/handlers/internal/storage/storage_test.go
+++ b/operator/internal/handlers/internal/storage/storage_test.go
@@ -47,7 +47,7 @@ var (
},
}
- defaultManagedAuthSecret = corev1.Secret{
+ defaultTokenCCOAuthSecret = corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "some-stack-secret",
Namespace: "some-ns",
@@ -147,13 +147,13 @@ func TestBuildOptions_WhenMissingCloudCredentialsSecret_SetDegraded(t *testing.T
fg := configv1.FeatureGates{
OpenShift: configv1.OpenShiftFeatureGates{
- ManagedAuthEnv: true,
+ TokenCCOAuthEnv: true,
},
}
degradedErr := &status.DegradedError{
Message: "Missing OpenShift cloud credentials secret",
- Reason: lokiv1.ReasonMissingManagedAuthSecret,
+ Reason: lokiv1.ReasonMissingTokenCCOAuthSecret,
Requeue: true,
}
@@ -176,7 +176,7 @@ func TestBuildOptions_WhenMissingCloudCredentialsSecret_SetDegraded(t *testing.T
},
},
Secret: lokiv1.ObjectStorageSecretSpec{
- Name: defaultManagedAuthSecret.Name,
+ Name: defaultTokenCCOAuthSecret.Name,
Type: lokiv1.ObjectStorageSecretS3,
},
},
@@ -189,8 +189,8 @@ func TestBuildOptions_WhenMissingCloudCredentialsSecret_SetDegraded(t *testing.T
k.SetClientObject(object, stack)
return nil
}
- if name.Name == defaultManagedAuthSecret.Name {
- k.SetClientObject(object, &defaultManagedAuthSecret)
+ if name.Name == defaultTokenCCOAuthSecret.Name {
+ k.SetClientObject(object, &defaultTokenCCOAuthSecret)
return nil
}
if name.Name == fmt.Sprintf("%s-aws-creds", stack.Name) {
diff --git a/operator/internal/manifests/openshift/credentialsrequest.go b/operator/internal/manifests/openshift/credentialsrequest.go
index 0c0a19adc98d3..3f202998212a9 100644
--- a/operator/internal/manifests/openshift/credentialsrequest.go
+++ b/operator/internal/manifests/openshift/credentialsrequest.go
@@ -17,7 +17,7 @@ const azureFallbackRegion = "centralus"
func BuildCredentialsRequest(opts Options) (*cloudcredentialv1.CredentialsRequest, error) {
stack := client.ObjectKey{Name: opts.BuildOpts.LokiStackName, Namespace: opts.BuildOpts.LokiStackNamespace}
- providerSpec, err := encodeProviderSpec(opts.ManagedAuth)
+ providerSpec, err := encodeProviderSpec(opts.TokenCCOAuth)
if err != nil {
return nil, kverrors.Wrap(err, "failed encoding credentialsrequest provider spec")
}
@@ -42,7 +42,7 @@ func BuildCredentialsRequest(opts Options) (*cloudcredentialv1.CredentialsReques
}, nil
}
-func encodeProviderSpec(env *config.ManagedAuthConfig) (*runtime.RawExtension, error) {
+func encodeProviderSpec(env *config.TokenCCOAuthConfig) (*runtime.RawExtension, error) {
var spec runtime.Object
switch {
diff --git a/operator/internal/manifests/openshift/credentialsrequest_test.go b/operator/internal/manifests/openshift/credentialsrequest_test.go
index 36c6e2331f7e5..08194190a2508 100644
--- a/operator/internal/manifests/openshift/credentialsrequest_test.go
+++ b/operator/internal/manifests/openshift/credentialsrequest_test.go
@@ -15,7 +15,7 @@ func TestBuildCredentialsRequest_HasSecretRef_MatchingLokiStackNamespace(t *test
LokiStackName: "a-stack",
LokiStackNamespace: "ns",
},
- ManagedAuth: &config.ManagedAuthConfig{
+ TokenCCOAuth: &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "role-arn",
},
@@ -33,7 +33,7 @@ func TestBuildCredentialsRequest_HasServiceAccountNames_ContainsAllLokiStackServ
LokiStackName: "a-stack",
LokiStackNamespace: "ns",
},
- ManagedAuth: &config.ManagedAuthConfig{
+ TokenCCOAuth: &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "role-arn",
},
@@ -52,7 +52,7 @@ func TestBuildCredentialsRequest_CloudTokenPath_MatchinOpenShiftSADirectory(t *t
LokiStackName: "a-stack",
LokiStackNamespace: "ns",
},
- ManagedAuth: &config.ManagedAuthConfig{
+ TokenCCOAuth: &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "role-arn",
},
@@ -78,7 +78,7 @@ func TestBuildCredentialsRequest_FollowsNamingConventions(t *testing.T) {
LokiStackName: "a-stack",
LokiStackNamespace: "ns",
},
- ManagedAuth: &config.ManagedAuthConfig{
+ TokenCCOAuth: &config.TokenCCOAuthConfig{
AWS: &config.AWSEnvironment{
RoleARN: "role-arn",
},
diff --git a/operator/internal/manifests/openshift/options.go b/operator/internal/manifests/openshift/options.go
index 572db7fe64453..7cba773841b82 100644
--- a/operator/internal/manifests/openshift/options.go
+++ b/operator/internal/manifests/openshift/options.go
@@ -15,7 +15,7 @@ type Options struct {
BuildOpts BuildOptions
Authentication []AuthenticationSpec
Authorization AuthorizationSpec
- ManagedAuth *config.ManagedAuthConfig
+ TokenCCOAuth *config.TokenCCOAuthConfig
}
// AuthenticationSpec describes the authentication specification
diff --git a/operator/internal/manifests/storage/configure.go b/operator/internal/manifests/storage/configure.go
index a8c0b32fb15b2..b1c8a0df955a9 100644
--- a/operator/internal/manifests/storage/configure.go
+++ b/operator/internal/manifests/storage/configure.go
@@ -14,9 +14,9 @@ import (
)
var (
- managedAuthConfigVolumeMount = corev1.VolumeMount{
- Name: managedAuthConfigVolumeName,
- MountPath: managedAuthConfigDirectory,
+ tokenCCOAuthConfigVolumeMount = corev1.VolumeMount{
+ Name: tokenAuthConfigVolumeName,
+ MountPath: tokenAuthConfigDirectory,
}
saTokenVolumeMount = corev1.VolumeMount{
@@ -136,14 +136,14 @@ func ensureObjectStoreCredentials(p *corev1.PodSpec, opts Options) corev1.PodSpe
MountPath: secretDirectory,
})
- if managedAuthEnabled(opts) {
- container.Env = append(container.Env, managedAuthCredentials(opts)...)
+ if tokenAuthEnabled(opts) {
+ container.Env = append(container.Env, tokenAuthCredentials(opts)...)
volumes = append(volumes, saTokenVolume(opts))
container.VolumeMounts = append(container.VolumeMounts, saTokenVolumeMount)
- if opts.OpenShift.ManagedAuthEnabled() && opts.S3 != nil && opts.S3.STS {
- volumes = append(volumes, managedAuthConfigVolume(opts))
- container.VolumeMounts = append(container.VolumeMounts, managedAuthConfigVolumeMount)
+ if opts.OpenShift.TokenCCOAuthEnabled() && opts.S3 != nil && opts.S3.STS {
+ volumes = append(volumes, tokenCCOAuthConfigVolume(opts))
+ container.VolumeMounts = append(container.VolumeMounts, tokenCCOAuthConfigVolumeMount)
}
} else {
container.Env = append(container.Env, staticAuthCredentials(opts)...)
@@ -190,12 +190,12 @@ func staticAuthCredentials(opts Options) []corev1.EnvVar {
}
}
-func managedAuthCredentials(opts Options) []corev1.EnvVar {
+func tokenAuthCredentials(opts Options) []corev1.EnvVar {
switch opts.SharedStore {
case lokiv1.ObjectStorageSecretS3:
- if opts.OpenShift.ManagedAuthEnabled() {
+ if opts.OpenShift.TokenCCOAuthEnabled() {
return []corev1.EnvVar{
- envVarFromValue(EnvAWSCredentialsFile, path.Join(managedAuthConfigDirectory, KeyAWSCredentialsFilename)),
+ envVarFromValue(EnvAWSCredentialsFile, path.Join(tokenAuthConfigDirectory, KeyAWSCredentialsFilename)),
envVarFromValue(EnvAWSSdkLoadConfig, "true"),
}
} else {
@@ -205,7 +205,7 @@ func managedAuthCredentials(opts Options) []corev1.EnvVar {
}
}
case lokiv1.ObjectStorageSecretAzure:
- if opts.OpenShift.ManagedAuthEnabled() {
+ if opts.OpenShift.TokenCCOAuthEnabled() {
return []corev1.EnvVar{
envVarFromSecret(EnvAzureStorageAccountName, opts.SecretName, KeyAzureStorageAccountName),
envVarFromSecret(EnvAzureClientID, opts.OpenShift.CloudCredentials.SecretName, azureManagedCredentialKeyClientID),
@@ -300,9 +300,9 @@ func envVarFromValue(name, value string) corev1.EnvVar {
}
}
-func managedAuthEnabled(opts Options) bool {
+func tokenAuthEnabled(opts Options) bool {
switch opts.CredentialMode {
- case lokiv1.CredentialModeToken, lokiv1.CredentialModeManaged:
+ case lokiv1.CredentialModeToken, lokiv1.CredentialModeTokenCCO:
return true
case lokiv1.CredentialModeStatic:
fallthrough
@@ -346,9 +346,9 @@ func saTokenVolume(opts Options) corev1.Volume {
}
}
-func managedAuthConfigVolume(opts Options) corev1.Volume {
+func tokenCCOAuthConfigVolume(opts Options) corev1.Volume {
return corev1.Volume{
- Name: managedAuthConfigVolumeName,
+ Name: tokenAuthConfigVolumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: opts.OpenShift.CloudCredentials.SecretName,
diff --git a/operator/internal/manifests/storage/configure_test.go b/operator/internal/manifests/storage/configure_test.go
index cd2b5514b469d..f9aed80a00fdd 100644
--- a/operator/internal/manifests/storage/configure_test.go
+++ b/operator/internal/manifests/storage/configure_test.go
@@ -424,7 +424,7 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretAzure,
- CredentialMode: lokiv1.CredentialModeManaged,
+ CredentialMode: lokiv1.CredentialModeTokenCCO,
Azure: &AzureStorageConfig{
WorkloadIdentity: true,
},
@@ -861,7 +861,7 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretS3,
- CredentialMode: lokiv1.CredentialModeManaged,
+ CredentialMode: lokiv1.CredentialModeTokenCCO,
S3: &S3StorageConfig{
STS: true,
},
@@ -904,12 +904,12 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
ReadOnly: false,
MountPath: saTokenVolumeMountPath,
},
- managedAuthConfigVolumeMount,
+ tokenCCOAuthConfigVolumeMount,
},
Env: []corev1.EnvVar{
{
Name: "AWS_SHARED_CREDENTIALS_FILE",
- Value: "/etc/storage/managed-auth/credentials",
+ Value: "/etc/storage/token-auth/credentials",
},
{
Name: "AWS_SDK_LOAD_CONFIG",
@@ -944,7 +944,7 @@ func TestConfigureDeploymentForStorageType(t *testing.T) {
},
},
{
- Name: managedAuthConfigVolumeName,
+ Name: tokenAuthConfigVolumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cloud-credentials",
@@ -1623,7 +1623,7 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretAzure,
- CredentialMode: lokiv1.CredentialModeManaged,
+ CredentialMode: lokiv1.CredentialModeTokenCCO,
Azure: &AzureStorageConfig{
WorkloadIdentity: true,
},
@@ -1811,7 +1811,7 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretGCS,
- CredentialMode: lokiv1.CredentialModeManaged,
+ CredentialMode: lokiv1.CredentialModeTokenCCO,
GCS: &GCSStorageConfig{
Audience: "test",
WorkloadIdentity: true,
@@ -1967,7 +1967,7 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
opts: Options{
SecretName: "test",
SharedStore: lokiv1.ObjectStorageSecretS3,
- CredentialMode: lokiv1.CredentialModeManaged,
+ CredentialMode: lokiv1.CredentialModeTokenCCO,
S3: &S3StorageConfig{
STS: true,
},
@@ -2010,12 +2010,12 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
ReadOnly: false,
MountPath: saTokenVolumeMountPath,
},
- managedAuthConfigVolumeMount,
+ tokenCCOAuthConfigVolumeMount,
},
Env: []corev1.EnvVar{
{
Name: "AWS_SHARED_CREDENTIALS_FILE",
- Value: "/etc/storage/managed-auth/credentials",
+ Value: "/etc/storage/token-auth/credentials",
},
{
Name: "AWS_SDK_LOAD_CONFIG",
@@ -2050,7 +2050,7 @@ func TestConfigureStatefulSetForStorageType(t *testing.T) {
},
},
{
- Name: managedAuthConfigVolumeName,
+ Name: tokenAuthConfigVolumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: "cloud-credentials",
diff --git a/operator/internal/manifests/storage/options.go b/operator/internal/manifests/storage/options.go
index 4a29a59b83f0d..47779ce554793 100644
--- a/operator/internal/manifests/storage/options.go
+++ b/operator/internal/manifests/storage/options.go
@@ -102,6 +102,6 @@ type CloudCredentials struct {
SHA1 string
}
-func (o OpenShiftOptions) ManagedAuthEnabled() bool {
+func (o OpenShiftOptions) TokenCCOAuthEnabled() bool {
return o.CloudCredentials.SecretName != "" && o.CloudCredentials.SHA1 != ""
}
diff --git a/operator/internal/manifests/storage/var.go b/operator/internal/manifests/storage/var.go
index 1f236406bdd09..ccb69ff27289d 100644
--- a/operator/internal/manifests/storage/var.go
+++ b/operator/internal/manifests/storage/var.go
@@ -137,8 +137,8 @@ const (
storageTLSVolume = "storage-tls"
caDirectory = "/etc/storage/ca"
- managedAuthConfigVolumeName = "managed-auth-config"
- managedAuthConfigDirectory = "/etc/storage/managed-auth"
+ tokenAuthConfigVolumeName = "token-auth-config"
+ tokenAuthConfigDirectory = "/etc/storage/token-auth"
awsDefaultAudience = "sts.amazonaws.com"
diff --git a/operator/internal/manifests/var.go b/operator/internal/manifests/var.go
index 7d43f3b27deb2..c81636fe5a553 100644
--- a/operator/internal/manifests/var.go
+++ b/operator/internal/manifests/var.go
@@ -78,8 +78,8 @@ const (
AnnotationLokiConfigHash string = "loki.grafana.com/config-hash"
// AnnotationLokiObjectStoreHash stores the last SHA1 hash of the loki object storage credetials.
AnnotationLokiObjectStoreHash string = "loki.grafana.com/object-store-hash"
- // AnnotationLokiManagedAuthHash stores the last SHA1 hash of the loki managed auth credentials.
- AnnotationLokiManagedAuthHash string = "loki.grafana.com/managed-auth-hash"
+ // AnnotationLokiTokenCCOAuthHash stores the SHA1 hash of the secret generated by the Cloud Credential Operator.
+ AnnotationLokiTokenCCOAuthHash string = "loki.grafana.com/token-cco-auth-hash"
// LabelCompactorComponent is the label value for the compactor component
LabelCompactorComponent string = "compactor"
@@ -145,7 +145,7 @@ func commonAnnotations(opts Options) map[string]string {
a[AnnotationLokiObjectStoreHash] = opts.ObjectStorage.SecretSHA1
}
if opts.ObjectStorage.OpenShift.CloudCredentials.SHA1 != "" {
- a[AnnotationLokiManagedAuthHash] = opts.ObjectStorage.OpenShift.CloudCredentials.SHA1
+ a[AnnotationLokiTokenCCOAuthHash] = opts.ObjectStorage.OpenShift.CloudCredentials.SHA1
}
return a
diff --git a/operator/main.go b/operator/main.go
index e212c268cbad8..4dc501f8be338 100644
--- a/operator/main.go
+++ b/operator/main.go
@@ -59,14 +59,14 @@ func main() {
var err error
- ctrlCfg, managedAuth, options, err := config.LoadConfig(scheme, configFile)
+ ctrlCfg, tokenCCOAuth, options, err := config.LoadConfig(scheme, configFile)
if err != nil {
logger.Error(err, "failed to load operator configuration")
os.Exit(1)
}
- if managedAuth != nil {
- logger.Info("Discovered OpenShift Cluster within a managed authentication environment")
+ if tokenCCOAuth != nil {
+ logger.Info("Discovered OpenShift Cluster within a token cco authentication environment")
}
if ctrlCfg.Gates.LokiStackAlerts && !ctrlCfg.Gates.ServiceMonitors {
@@ -103,7 +103,7 @@ func main() {
Log: logger.WithName("controllers").WithName("lokistack"),
Scheme: mgr.GetScheme(),
FeatureGates: ctrlCfg.Gates,
- AuthConfig: managedAuth,
+ AuthConfig: tokenCCOAuth,
}).SetupWithManager(mgr); err != nil {
logger.Error(err, "unable to create controller", "controller", "lokistack")
os.Exit(1)