operator: add mTLS authentication to tenants (#9906)

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [9906](https://github.com/grafana/loki/pull/9906) **JoaoBraveCoding**: Add mTLS authentication to tenants
 - [9963](https://github.com/grafana/loki/pull/9963) **xperimental**: Fix application tenant alertmanager configuration
 - [9795](https://github.com/grafana/loki/pull/9795) **JoaoBraveCoding**: Add initContainer to zone aware components to gatekeep them from starting without the AZ annotation
 - [9503](https://github.com/grafana/loki/pull/9503) **shwetaap**: Add Pod annotations with node topology labels to support zone aware scheduling

operator/apis/loki/v1/lokistack_types.go

@@ -183,6 +183,16 @@ type OIDCSpec struct {
 	UsernameClaim string `json:"usernameClaim,omitempty"`
 }
 
+// MTLSSpec specifies mTLS configuration parameters.
+type MTLSSpec struct {
+	// CA defines the spec for the custom CA for tenant's authentication.
+	//
+	// +required
+	// +kubebuilder:validation:Required
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="CA ConfigMap"
+	CA *CASpec `json:"ca"`
+}
+
 // AuthenticationSpec defines the oidc configuration per tenant for lokiStack Gateway component.
 type AuthenticationSpec struct {
 	// TenantName defines the name of the tenant.
@@ -199,10 +209,15 @@ type AuthenticationSpec struct {
 	TenantID string `json:"tenantId"`
 	// OIDC defines the spec for the OIDC tenant's authentication.
 	//
-	// +required
-	// +kubebuilder:validation:Required
+	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="OIDC Configuration"
-	OIDC *OIDCSpec `json:"oidc"`
+	OIDC *OIDCSpec `json:"oidc,omitempty"`
+
+	// TLSConfig defines the spec for the mTLS tenant's authentication.
+	//
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="mTLS Configuration"
+	MTLS *MTLSSpec `json:"mTLS,omitempty"`
 }
 
 // ModeType is the authentication/authorization mode in which LokiStack Gateway will be configured.
@@ -414,8 +429,7 @@ type HashRingSpec struct {
 	MemberList *MemberListSpec `json:"memberlist,omitempty"`
 }
 
-// ObjectStorageTLSSpec is the TLS configuration for reaching the object storage endpoint.
-type ObjectStorageTLSSpec struct {
+type CASpec struct {
 	// Key is the data key of a ConfigMap containing a CA certificate.
 	// It needs to be in the same namespace as the LokiStack custom resource.
 	// If empty, it defaults to "service-ca.crt".
@@ -433,6 +447,11 @@ type ObjectStorageTLSSpec struct {
 	CA string `json:"caName"`
 }
 
+// ObjectStorageTLSSpec is the TLS configuration for reaching the object storage endpoint.
+type ObjectStorageTLSSpec struct {
+	CASpec `json:",inline"`
+}
+
 // ObjectStorageSecretType defines the type of storage which can be used with the Loki cluster.
 //
 // +kubebuilder:validation:Enum=azure;gcs;s3;swift;alibabacloud;
@@ -926,8 +945,15 @@ const (
 	// ReasonMissingGatewayTenantSecret when the required tenant secret
 	// for authentication is missing.
 	ReasonMissingGatewayTenantSecret LokiStackConditionReason = "MissingGatewayTenantSecret"
+	// ReasonMissingGatewayTenantConfigMap when the required tenant configmap
+	// for authentication is missing.
+	ReasonMissingGatewayTenantConfigMap LokiStackConditionReason = "MissingGatewayTenantConfigMap"
 	// ReasonInvalidGatewayTenantSecret when the format of the secret is invalid.
 	ReasonInvalidGatewayTenantSecret LokiStackConditionReason = "InvalidGatewayTenantSecret"
+	// ReasonInvalidGatewayTenantConfigMap when the format of the configmap is invalid.
+	ReasonInvalidGatewayTenantConfigMap LokiStackConditionReason = "InvalidGatewayTenantConfigMap"
+	// ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config
+	ReasonMissingGatewayAuthenticationConfig LokiStackConditionReason = "MissingGatewayTenantAuthenticationConfig"
 	// ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.
 	ReasonInvalidTenantsConfiguration LokiStackConditionReason = "InvalidTenantsConfiguration"
 	// ReasonMissingGatewayOpenShiftBaseDomain when the reconciler cannot lookup the OpenShift DNS base domain.

operator/apis/loki/v1beta1/lokistack_types.go

@@ -866,7 +866,9 @@ func (src *LokiStack) ConvertTo(dstRaw conversion.Hub) error {
 	var storageTLS *v1.ObjectStorageTLSSpec
 	if src.Spec.Storage.TLS != nil {
 		storageTLS = &v1.ObjectStorageTLSSpec{
-			CA: src.Spec.Storage.TLS.CA,
+			CASpec: v1.CASpec{
+				CA: src.Spec.Storage.TLS.CA,
+			},
 		}
 	}
 

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:main-ac1c1fd
-    createdAt: "2023-07-04T17:17:17Z"
+    createdAt: "2023-07-17T16:04:46Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -698,6 +698,23 @@ spec:
           configuration spec per tenant.
         displayName: Authentication
         path: tenants.authentication
+      - description: TLSConfig defines the spec for the mTLS tenant's authentication.
+        displayName: mTLS Configuration
+        path: tenants.authentication[0].mTLS
+      - description: CA defines the spec for the custom CA for tenant's authentication.
+        displayName: CA ConfigMap
+        path: tenants.authentication[0].mTLS.ca
+      - description: Key is the data key of a ConfigMap containing a CA certificate.
+          It needs to be in the same namespace as the LokiStack custom resource. If
+          empty, it defaults to "service-ca.crt".
+        displayName: CA ConfigMap Key
+        path: tenants.authentication[0].mTLS.ca.caKey
+      - description: CA is the name of a ConfigMap containing a CA certificate. It
+          needs to be in the same namespace as the LokiStack custom resource.
+        displayName: CA ConfigMap Name
+        path: tenants.authentication[0].mTLS.ca.caName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
       - description: OIDC defines the spec for the OIDC tenant's authentication.
         displayName: OIDC Configuration
         path: tenants.authentication[0].oidc
@@ -1359,14 +1376,6 @@ spec:
           - get
           - list
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - secrets
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - apps
           resources:

operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml

@@ -3659,6 +3659,31 @@ spec:
                       description: AuthenticationSpec defines the oidc configuration
                         per tenant for lokiStack Gateway component.
                       properties:
+                        mTLS:
+                          description: TLSConfig defines the spec for the mTLS tenant's
+                            authentication.
+                          properties:
+                            ca:
+                              description: CA defines the spec for the custom CA for
+                                tenant's authentication.
+                              properties:
+                                caKey:
+                                  description: Key is the data key of a ConfigMap
+                                    containing a CA certificate. It needs to be in
+                                    the same namespace as the LokiStack custom resource.
+                                    If empty, it defaults to "service-ca.crt".
+                                  type: string
+                                caName:
+                                  description: CA is the name of a ConfigMap containing
+                                    a CA certificate. It needs to be in the same namespace
+                                    as the LokiStack custom resource.
+                                  type: string
+                              required:
+                              - caName
+                              type: object
+                          required:
+                          - ca
+                          type: object
                         oidc:
                           description: OIDC defines the spec for the OIDC tenant's
                             authentication.
@@ -3697,7 +3722,6 @@ spec:
                           description: TenantName defines the name of the tenant.
                           type: string
                       required:
-                      - oidc
                       - tenantId
                       - tenantName
                       type: object

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:main-ac1c1fd
-    createdAt: "2023-07-04T17:17:12Z"
+    createdAt: "2023-07-17T16:04:44Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -698,6 +698,23 @@ spec:
           configuration spec per tenant.
         displayName: Authentication
         path: tenants.authentication
+      - description: TLSConfig defines the spec for the mTLS tenant's authentication.
+        displayName: mTLS Configuration
+        path: tenants.authentication[0].mTLS
+      - description: CA defines the spec for the custom CA for tenant's authentication.
+        displayName: CA ConfigMap
+        path: tenants.authentication[0].mTLS.ca
+      - description: Key is the data key of a ConfigMap containing a CA certificate.
+          It needs to be in the same namespace as the LokiStack custom resource. If
+          empty, it defaults to "service-ca.crt".
+        displayName: CA ConfigMap Key
+        path: tenants.authentication[0].mTLS.ca.caKey
+      - description: CA is the name of a ConfigMap containing a CA certificate. It
+          needs to be in the same namespace as the LokiStack custom resource.
+        displayName: CA ConfigMap Name
+        path: tenants.authentication[0].mTLS.ca.caName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
       - description: OIDC defines the spec for the OIDC tenant's authentication.
         displayName: OIDC Configuration
         path: tenants.authentication[0].oidc
@@ -1346,14 +1363,6 @@ spec:
           - get
           - list
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - secrets
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - apps
           resources:

operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml

@@ -3659,6 +3659,31 @@ spec:
                       description: AuthenticationSpec defines the oidc configuration
                         per tenant for lokiStack Gateway component.
                       properties:
+                        mTLS:
+                          description: TLSConfig defines the spec for the mTLS tenant's
+                            authentication.
+                          properties:
+                            ca:
+                              description: CA defines the spec for the custom CA for
+                                tenant's authentication.
+                              properties:
+                                caKey:
+                                  description: Key is the data key of a ConfigMap
+                                    containing a CA certificate. It needs to be in
+                                    the same namespace as the LokiStack custom resource.
+                                    If empty, it defaults to "service-ca.crt".
+                                  type: string
+                                caName:
+                                  description: CA is the name of a ConfigMap containing
+                                    a CA certificate. It needs to be in the same namespace
+                                    as the LokiStack custom resource.
+                                  type: string
+                              required:
+                              - caName
+                              type: object
+                          required:
+                          - ca
+                          type: object
                         oidc:
                           description: OIDC defines the spec for the OIDC tenant's
                             authentication.
@@ -3697,7 +3722,6 @@ spec:
                           description: TenantName defines the name of the tenant.
                           type: string
                       required:
-                      - oidc
                       - tenantId
                       - tenantName
                       type: object

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:v0.1.0
-    createdAt: "2023-07-04T17:17:21Z"
+    createdAt: "2023-07-17T16:04:47Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements
@@ -711,6 +711,23 @@ spec:
           configuration spec per tenant.
         displayName: Authentication
         path: tenants.authentication
+      - description: TLSConfig defines the spec for the mTLS tenant's authentication.
+        displayName: mTLS Configuration
+        path: tenants.authentication[0].mTLS
+      - description: CA defines the spec for the custom CA for tenant's authentication.
+        displayName: CA ConfigMap
+        path: tenants.authentication[0].mTLS.ca
+      - description: Key is the data key of a ConfigMap containing a CA certificate.
+          It needs to be in the same namespace as the LokiStack custom resource. If
+          empty, it defaults to "service-ca.crt".
+        displayName: CA ConfigMap Key
+        path: tenants.authentication[0].mTLS.ca.caKey
+      - description: CA is the name of a ConfigMap containing a CA certificate. It
+          needs to be in the same namespace as the LokiStack custom resource.
+        displayName: CA ConfigMap Name
+        path: tenants.authentication[0].mTLS.ca.caName
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:ConfigMap
       - description: OIDC defines the spec for the OIDC tenant's authentication.
         displayName: OIDC Configuration
         path: tenants.authentication[0].oidc
@@ -1344,14 +1361,6 @@ spec:
           - get
           - list
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - secrets
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - apps
           resources: