operator: Add serviceaccount per lokistack resource #11533

Merged
merged 7 commits into from
Dec 20, 2023

Conversation

@JoaoBraveCoding JoaoBraveCoding commented Dec 20, 2023

What this PR does / why we need it:
The lokistack pods used to run using the default serviceaccount on the install namespace, except for the lokistack-gateway and ruler pods that requested serviceaccounts and corresponding token secrets for external activities (e.g. SubjectAccessReviews, Alertmanager authentication).

The present PR adds a single shared serviceaccount per LokiStack resource to be used by the rest of the components. This enables using the projected account token for authentication against cloud providers (e.g., managed identity services like STS and WIF).

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
This is a preparation action for:

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • CHANGELOG.md updated
    • If the change is worth mentioning in the release notes, add add-to-release-notes label
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • For Helm chart changes bump the Helm chart version in production/helm/loki/Chart.yaml and update production/helm/loki/CHANGELOG.md and production/helm/loki/README.md. Example PR
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR
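
One way to check the effect of the change described above on a cluster, as an added example that is not part of this PR or the operator's code: it reads `kubectl get pods -o json` output and reports which serviceaccount each pod runs as and the audiences of any projected tokens. The pod names, the `lokistack-dev` serviceaccount and the audience value are constructed sample input, and `AuditPods` and `Finding` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like `kubectl get pods -o json`; every name is hypothetical.
const samplePods = `{"items":[{"metadata":{"name":"ingester-0"},"spec":{}},
 {"metadata":{"name":"distributor-0"},"spec":{"serviceAccountName":"lokistack-dev","volumes":[
  {"projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com"}}]}}]}}]}`

// Subset of the Pod schema the audit reads (JSON keys match field names case-insensitively).
type source struct{ ServiceAccountToken *struct{ Audience string } }
type pod struct {
	Metadata struct{ Name string }
	Spec     struct {
		ServiceAccountName string
		Volumes            []struct{ Projected struct{ Sources []source } }
	}
}
type Finding struct { // identity a pod runs as, plus its projected token audiences
	Pod, ServiceAccount string
	Audiences           []string
}

// AuditPods lists each pod's serviceaccount, resolving an unset field to "default".
func AuditPods(raw []byte) (out []Finding, err error) {
	var pl struct{ Items []pod }
	if err = json.Unmarshal(raw, &pl); err != nil {
		return nil, err
	}
	for _, p := range pl.Items {
		f := Finding{Pod: p.Metadata.Name, ServiceAccount: p.Spec.ServiceAccountName}
		if f.ServiceAccount == "" {
			f.ServiceAccount = "default" // pod falls back to the namespace default
		}
		for _, v := range p.Spec.Volumes {
			for _, s := range v.Projected.Sources {
				if s.ServiceAccountToken != nil { // skip configMap/secret sources
					f.Audiences = append(f.Audiences, s.ServiceAccountToken.Audience)
				}
			}
		}
		out = append(out, f)
	}
	return out, nil
}

func main() { fmt.Println(AuditPods([]byte(samplePods))) }
```

A pod reported with `ServiceAccount` equal to `default` shares its identity with every other workload in the namespace that sets none, so a cloud role bound to that identity would not be scoped to a single LokiStack.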

@JoaoBraveCoding JoaoBraveCoding changed the title Add serviceaccount per lokistack resource operator: Add serviceaccount per lokistack resource Dec 20, 2023

github-actions bot commented Dec 20, 2023

Trivy scan found the following vulnerabilities:

  • HIGH, Target: docker.io/grafana/loki:main-a760cdf (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libcrypto3 v3.1.3-r0. Fixed in v3.1.4-r0
  • HIGH, Target: docker.io/grafana/loki:main-a760cdf (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libssl3 v3.1.3-r0. Fixed in v3.1.4-r0

To see more details on these vulnerabilities, and how/where to fix them, please run
    docker build -t grafana/loki:main-a760cdf -f cmd/loki/Dockerfile .
    trivy i grafana/loki:main-a760cdf
on your branch. If these were not introduced by your PR, please consider fixing them via a subsequent PR. Thanks!

@periklis periklis enabled auto-merge (squash) December 20, 2023 18:28
@periklis periklis merged commit 26432c0 into grafana:main Dec 20, 2023
14 checks passed
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
@JoaoBraveCoding JoaoBraveCoding deleted the lokistack-sa branch July 9, 2024 14:31