operator: Add extended-validation for rules on OpenShift (grafana#7295)

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [7295](https://github.com/grafana/loki/pull/7295) **xperimental**: Add extended-validation for rules on OpenShift
 - [6951](https://github.com/grafana/loki/pull/6951) **Red-GV**: Adding operational Lokistack alerts
 - [7254](https://github.com/grafana/loki/pull/7254) **periklis**: Expose Loki Ruler API via the lokistack-gateway
 - [7214](https://github.com/grafana/loki/pull/7214) **periklis**: Fix ruler GRPC tls client configuration

operator/apis/config/v1/projectconfig_types.go

@@ -17,6 +17,10 @@ type OpenShiftFeatureGates struct {
 	// gateway to expose the service to public internet access.
 	// More details: https://docs.openshift.com/container-platform/latest/networking/understanding-networking.html
 	GatewayRoute bool `json:"gatewayRoute,omitempty"`
+
+	// ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule
+	// to enforce tenancy in an OpenShift context.
+	ExtendedRuleValidation bool `json:"ruleExtendedValidation,omitempty"`
 }
 
 // FeatureGates is the supported set of all operator feature gates.

operator/apis/loki/v1beta1/alertingrule_types.go

@@ -107,6 +107,7 @@ type AlertingRuleStatus struct {
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
+//+kubebuilder:webhook:path=/validate-loki-grafana-com-v1beta1-alertingrule,mutating=false,failurePolicy=fail,sideEffects=None,groups=loki.grafana.com,resources=alertingrules,verbs=create;update,versions=v1beta1,name=valertingrule.loki.grafana.com,admissionReviewVersions=v1
 
 // AlertingRule is the Schema for the alertingrules API
 //

operator/apis/loki/v1beta1/recordingrule_types.go

@@ -85,6 +85,7 @@ type RecordingRuleStatus struct {
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
+//+kubebuilder:webhook:path=/validate-loki-grafana-com-v1beta1-recordingrule,mutating=false,failurePolicy=fail,sideEffects=None,groups=loki.grafana.com,resources=recordingrules,verbs=create;update,versions=v1beta1,name=vrecordingrule.loki.grafana.com,admissionReviewVersions=v1
 
 // RecordingRule is the Schema for the recordingrules API
 //

operator/apis/loki/v1beta1/v1beta1.go

@@ -39,6 +39,8 @@ var (
 	ErrParseEvaluationInterval = errors.New("Failed to parse evaluation")
 	// ErrParseLogQLExpression when any loki rule expression is not a valid LogQL expression.
 	ErrParseLogQLExpression = errors.New("Failed to parse LogQL expression")
+	// ErrParseLogQLNotSample when the Loki rule expression does not evaluate to a sample expression.
+	ErrParseLogQLNotSample = errors.New("LogQL expression is not a sample query")
 	// ErrEffectiveDatesNotUnique when effective dates are not unique.
 	ErrEffectiveDatesNotUnique = errors.New("Effective dates are not unique")
 	// ErrParseEffectiveDates when effective dates cannot be parsed.
@@ -51,4 +53,8 @@ var (
 	ErrSchemaRetroactivelyRemoved = errors.New("Cannot retroactively remove schema(s)")
 	// ErrSchemaRetroactivelyChanged when a schema has been retroactively changed
 	ErrSchemaRetroactivelyChanged = errors.New("Cannot retroactively change schema")
+
+	// ErrRuleMustMatchNamespace indicates that an expression used in an alerting or recording rule is missing
+	// matchers for a namespace.
+	ErrRuleMustMatchNamespace = errors.New("rule needs to have a matcher for the namespace")
 )

operator/bundle/manifests/loki-operator-manager-config_v1_configmap.yaml

@@ -45,6 +45,7 @@ data:
       openshift:
         servingCertsService: true
         gatewayRoute: true
+        ruleExtendedValidation: true
 kind: ConfigMap
 metadata:
   labels:

operator/bundle/manifests/loki-operator.clusterserviceversion.yaml

@@ -1346,7 +1346,7 @@ spec:
     containerPort: 443
     deploymentName: loki-operator-controller-manager
     failurePolicy: Fail
-    generateName: valertingrule.kb.io
+    generateName: valertingrule.loki.grafana.com
     rules:
     - apiGroups:
       - loki.grafana.com
@@ -1386,7 +1386,7 @@ spec:
     containerPort: 443
     deploymentName: loki-operator-controller-manager
     failurePolicy: Fail
-    generateName: vrecordingrule.kb.io
+    generateName: vrecordingrule.loki.grafana.com
     rules:
     - apiGroups:
       - loki.grafana.com

operator/config/overlays/openshift/controller_manager_config.yaml

@@ -42,3 +42,4 @@ featureGates:
   openshift:
     servingCertsService: true
     gatewayRoute: true
+    ruleExtendedValidation: true

operator/config/webhook/manifests.yaml

@@ -33,7 +33,7 @@ webhooks:
       namespace: system
       path: /validate-loki-grafana-com-v1beta1-alertingrule
   failurePolicy: Fail
-  name: valertingrule.kb.io
+  name: valertingrule.loki.grafana.com
   rules:
   - apiGroups:
     - loki.grafana.com
@@ -53,7 +53,7 @@ webhooks:
       namespace: system
       path: /validate-loki-grafana-com-v1beta1-recordingrule
   failurePolicy: Fail
-  name: vrecordingrule.kb.io
+  name: vrecordingrule.loki.grafana.com
   rules:
   - apiGroups:
     - loki.grafana.com

operator/go.mod

@@ -26,6 +26,7 @@ require (
 	github.com/google/go-cmp v0.5.7
 	github.com/grafana/loki v1.6.2-0.20220708124813-b92f113cb096
 	github.com/openshift/library-go v0.0.0-20220622115547-84d884f4c9f6
+	github.com/prometheus/prometheus v1.8.2-0.20220303173753-edfe657b5405
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -122,7 +123,6 @@ require (
 	github.com/prometheus/common/sigv4 v0.1.0 // indirect
 	github.com/prometheus/node_exporter v1.0.0-rc.0.0.20200428091818-01054558c289 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/prometheus/prometheus v1.8.2-0.20220303173753-edfe657b5405 // indirect
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/sercand/kuberesolver v2.4.0+incompatible // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect