feat(operator): Allow setting explicit CredentialMode in LokiStack storage spec #12106
Looks overall good to me and works fine on an AWS STS managed cluster with an in-cluster Minio installation. Two cleanup suggestions added below, but approved to unblock you when done.
Since we use Options.CredentialsMode in storage/configure.go to determine which mounts/volumes to consider we can probably remove S3.STS, GCS.WorkloadIdentity and Azure.WorkloadIdentity. WDYT?
Tested the new code on Azure and GCP as well. Seems to work fine 👍
@@ -19,9 +20,9 @@ import ( | |||
"github.com/grafana/loki/operator/internal/manifests/openshift" | |||
) | |||
|
|||
// CreateCredentialsRequest creates a new CredentialsRequest resource for a Lokistack | |||
// CreateUpdateDeleteCredentialsRequest creates a new CredentialsRequest resource for a Lokistack |
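Review bot: the doc comment on the renamed function still says it "creates a new CredentialsRequest resource", while the new name CreateUpdateDeleteCredentialsRequest says it also updates and deletes. Reword the comment to state all three outcomes and the condition for each, in particular when the resource is deleted, since a reader cannot tell from this line when credentials are withdrawn. "Lokistack" in the same comment should be spelled "LokiStack" to match the resource name used in the PR title.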
nit.
// CreateUpdateDeleteCredentialsRequest creates a new CredentialsRequest resource for a Lokistack | |
// CreateUpdateDeleteCredentialsRequest manages a new CredentialsRequest resource for a Lokistack |
lgtm
What this PR does / why we need it:
Currently it is not possible to run the operator in managed mode and then deploy a LokiStack using a different mode for credentials to the object storage (static credentials or non-managed tokens). This is due to the credential-mode being determined only by the environment of the operator and the provided secret, making it an implicit consequence of the configuration instead of an explicit configuration.
This PR adds an optional attribute to the LokiStack's spec that allows the user to override the default credential mode. The main use-case for this is running a non-managed credential with an operator running in a managed-credentials OpenShift cluster, but it can also be used to make the credentials-mode explicit for other deployments instead of having the operator decide based on the provided secret.
Which issue(s) this PR fixes:
Fixes LOG-5105
Special notes for your reviewer:
- CredentialMode is an enum with just three possible values, but it is optional, so "" is a possible value inside the operator as well, although this can not be set on the LokiStack resource.
- CredentialsRequest is only created when running in managed-mode. It is also removed when the mode changes and it had been created before.
Checklist
- CONTRIBUTING.md guide (required)
- CHANGELOG.md updated
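The precedence described in the PR description, as an added sketch that is not the operator's own code: an explicit mode in the spec wins over the implicit choice, and the CredentialsRequest is kept only while the resolved mode is managed. All names, the placeholder mode strings and the `secretHasToken` heuristic are assumptions made for this example.

```go
package main

import "fmt"

// CredentialMode models the optional three-value enum from the PR description.
// The string values are placeholders chosen for this sketch.
type CredentialMode string

const (
	ModeUnset   CredentialMode = ""        // optional field left empty
	ModeStatic  CredentialMode = "static"  // long-lived keys in the secret
	ModeToken   CredentialMode = "token"   // non-managed short-lived token
	ModeManaged CredentialMode = "managed" // operator-managed credentials
)

// resolveMode lets an explicit spec value win, else falls back to environment and secret.
func resolveMode(spec CredentialMode, managedEnv, secretHasToken bool) (CredentialMode, error) {
	switch spec {
	case ModeStatic, ModeToken, ModeManaged:
		return spec, nil
	case ModeUnset:
		switch {
		case managedEnv:
			return ModeManaged, nil
		case secretHasToken:
			return ModeToken, nil
		}
		return ModeStatic, nil
	}
	return "", fmt.Errorf("unknown credential mode %q", spec)
}

// credentialsRequestAction keeps the request only in managed mode and removes a stale one.
func credentialsRequestAction(mode CredentialMode, exists bool) string {
	switch {
	case mode == ModeManaged && !exists:
		return "create"
	case mode == ModeManaged:
		return "update"
	case exists:
		return "delete"
	}
	return "none"
}

func main() {
	// Managed operator, stack explicitly switched to static keys, old request present.
	mode, err := resolveMode(ModeStatic, true, false)
	fmt.Println(mode, err, credentialsRequestAction(mode, true))
}
```

The "delete" branch is the one to watch when auditing such a controller: a request left behind after a mode change keeps cloud permissions provisioned that the stack no longer uses.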