Add OpenShift Auth native support (grafana#94)
periklis authored Oct 18, 2021
1 parent ac07fc0 commit 3a50d5d
Showing 43 changed files with 1,746 additions and 623 deletions.
2 changes: 2 additions & 0 deletions bundle/manifests/loki-operator.clusterserviceversion.yaml
@@ -545,6 +545,8 @@ spec:
env:
- name: RELATED_IMAGE_LOKI
value: quay.io/openshift-logging/loki:v2.2.0-10
- name: RELATED_IMAGE_GATEWAY
value: quay.io/observatorium/api:latest
- name: RELATED_IMAGE_OPA
value: quay.io/observatorium/opa-openshift:latest
image: quay.io/openshift-logging/loki-operator:v0.0.1
4 changes: 4 additions & 0 deletions config/overlays/development/kustomization.yaml
@@ -16,3 +16,7 @@ commonLabels:
app.kubernetes.io/version: "0.0.1"
app.kubernetes.io/part-of: loki-operator
app.kubernetes.io/managed-by: operator-lifecycle-manager

patchesStrategicMerge:
- manager_related_image_patch.yaml
- manager_run_flags_patch.yaml
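--- a/config/overlays/development/manager_related_image_patch.yaml
+++ b/config/overlays/development/manager_related_image_patch.yaml
@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: controller-manager
+spec:
+template:
+spec:
+containers:
+- name: manager
+env:
+- name: RELATED_IMAGE_LOKI
+value: docker.io/grafana/loki:2.2.0
+- name: RELATED_IMAGE_GATEWAY
+value: quay.io/observatorium/api:latest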
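--- a/config/overlays/development/manager_run_flags_patch.yaml
+++ b/config/overlays/development/manager_run_flags_patch.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: controller-manager
+spec:
+template:
+spec:
+containers:
+- name: manager
+args:
+- "--with-lokistack-gateway"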
2 changes: 0 additions & 2 deletions config/overlays/openshift/manager_auth_proxy_patch.yaml
@@ -1,5 +1,3 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
4 changes: 2 additions & 2 deletions config/overlays/openshift/manager_related_image_patch.yaml
@@ -1,5 +1,3 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -12,5 +10,7 @@ spec:
env:
- name: RELATED_IMAGE_LOKI
value: quay.io/openshift-logging/loki:v2.2.0-10
- name: RELATED_IMAGE_GATEWAY
value: quay.io/observatorium/api:latest
- name: RELATED_IMAGE_OPA
value: quay.io/observatorium/opa-openshift:latest
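Review bot: `RELATED_IMAGE_GATEWAY` and `RELATED_IMAGE_OPA` in this env list reference the mutable `:latest` tag, while `RELATED_IMAGE_LOKI` right above them is pinned to `v2.2.0-10`. Judging by their names and the commit title, these two images sit on the authentication/authorization path, so whatever is later pushed to `quay.io/observatorium/api:latest` or `quay.io/observatorium/opa-openshift:latest` gets deployed without any reviewable change in this repository. I would pin both to a released tag or, better, to a digest, e.g. `value: quay.io/observatorium/api@sha256:<digest-placeholder>`. The same `:latest` references appear in the development and production `manager_related_image_patch.yaml` files and in the bundle ClusterServiceVersion.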
2 changes: 0 additions & 2 deletions config/overlays/openshift/manager_run_flags_patch.yaml
@@ -1,5 +1,3 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -1,4 +1,3 @@
# Prometheus Monitor Service (Metrics)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
1 change: 1 addition & 0 deletions config/overlays/production/kustomization.yaml
@@ -36,6 +36,7 @@ patchesStrategicMerge:
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
- manager_related_image_patch.yaml
- manager_run_flags_patch.yaml
- prometheus_service_monitor_patch.yaml

images:
6 changes: 2 additions & 4 deletions config/overlays/production/manager_related_image_patch.yaml
@@ -1,5 +1,3 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -12,5 +10,5 @@ spec:
env:
- name: RELATED_IMAGE_LOKI
value: docker.io/grafana/loki:2.2.0
- name: RELATED_IMAGE_OPA
value: quay.io/observatorium/opa-openshift:latest
- name: RELATED_IMAGE_GATEWAY
value: quay.io/observatorium/api:latest
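--- a/config/overlays/production/manager_run_flags_patch.yaml
+++ b/config/overlays/production/manager_run_flags_patch.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: controller-manager
+spec:
+template:
+spec:
+containers:
+- name: manager
+args:
+- "--with-lokistack-gateway"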
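Review bot: The `args:` list on the `manager` container is replaced as a whole by a strategic merge patch, not appended to, so this patch can silently drop arguments that are set elsewhere. In `config/overlays/production/kustomization.yaml` it is listed after `manager_auth_proxy_patch.yaml`; if that patch or the base Deployment sets manager arguments such as a loopback-only metrics bind address (not visible on this page), the rendered Deployment would lose them and the metrics endpoint could become reachable without passing through the auth proxy. Please compare the output of `kustomize build config/overlays/production` before and after this change and, if arguments are lost, repeat them in this file or use a JSON 6902 patch that appends `--with-lokistack-gateway`. The development overlay's `manager_run_flags_patch.yaml` has the same shape.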
19 changes: 17 additions & 2 deletions controllers/lokistack_controller.go
@@ -26,9 +26,12 @@ import (
"github.com/ViaQ/loki-operator/internal/manifests"
"github.com/ViaQ/loki-operator/internal/status"
"github.com/go-logr/logr"
routev1 "github.com/openshift/api/route/v1"

appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -73,12 +76,19 @@ var (
})
)

// LokiStackReconcilerConfig represents a set of
// configuration options to setup the reconciler.
type LokiStackReconcilerConfig struct {
Host string
Flags manifests.FeatureFlags
}

// LokiStackReconciler reconciles a LokiStack object
type LokiStackReconciler struct {
client.Client
Log logr.Logger
Scheme *runtime.Scheme
Flags manifests.FeatureFlags
Config LokiStackReconcilerConfig
}

// +kubebuilder:rbac:groups=loki.openshift.io,resources=lokistacks,verbs=get;list;watch;create;update;patch;delete
@@ -113,7 +123,7 @@ func (r *LokiStackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
return ctrl.Result{}, nil
}

err = handlers.CreateOrUpdateLokiStack(ctx, req, r.Client, r.Scheme, r.Flags)
err = handlers.CreateOrUpdateLokiStack(ctx, req, r.Client, r.Scheme, r.Config.Host, r.Config.Flags)
if err != nil {
return ctrl.Result{
Requeue: true,
@@ -142,8 +152,13 @@ func (r *LokiStackReconciler) buildController(bld k8s.Builder) error {
return bld.
For(&lokiv1beta1.LokiStack{}, createOrUpdateOnlyPred).
Owns(&corev1.ConfigMap{}, updateOrDeleteOnlyPred).
Owns(&corev1.ServiceAccount{}, updateOrDeleteOnlyPred).
Owns(&corev1.Service{}, updateOrDeleteOnlyPred).
Owns(&appsv1.Deployment{}, updateOrDeleteOnlyPred).
Owns(&appsv1.StatefulSet{}, updateOrDeleteOnlyPred).
Owns(&rbacv1.ClusterRole{}, updateOrDeleteOnlyPred).
Owns(&rbacv1.ClusterRoleBinding{}, updateOrDeleteOnlyPred).
Owns(&networkingv1.Ingress{}, updateOrDeleteOnlyPred).
Owns(&routev1.Route{}, updateOrDeleteOnlyPred).
Complete(r)
}
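Review bot: `buildController` registers `Owns(&routev1.Route{}, updateOrDeleteOnlyPred)` unconditionally, although Route is an OpenShift-only API and the development and production overlays in this commit look like they target plain Kubernetes. controller-runtime starts a watch for every owned kind, so on a cluster without `route.openshift.io` the manager would likely fail at start-up; I would register the Route watch only when an OpenShift-specific option in `r.Config.Flags` is set, and the Ingress watch otherwise. Separately, `ClusterRole` and `ClusterRoleBinding` are cluster-scoped while LokiStack appears to be namespaced, and Kubernetes does not allow a namespaced owner on a cluster-scoped object, so these two `Owns` calls cannot map events back to a LokiStack and the objects will need explicit cleanup on deletion. The handler that creates them and most of the `+kubebuilder:rbac` markers are outside the visible hunks, so both points, and how narrowly the operator's own cluster RBAC rights are scoped, should be confirmed there.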
30 changes: 27 additions & 3 deletions controllers/lokistack_controller_test.go
@@ -9,15 +9,18 @@ import (
"github.com/ViaQ/logerr/log"
lokiv1beta1 "github.com/ViaQ/loki-operator/api/v1beta1"
"github.com/ViaQ/loki-operator/internal/external/k8s/k8sfakes"
routev1 "github.com/openshift/api/route/v1"
"github.com/stretchr/testify/require"
"sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"

appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
"sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"
)

var scheme = runtime.NewScheme()
@@ -39,6 +42,7 @@ func TestMain(m *testing.M) {

// Register the clientgo and CRD schemes
utilruntime.Must(clientgoscheme.AddToScheme(scheme))
utilruntime.Must(routev1.AddToScheme(scheme))
utilruntime.Must(lokiv1beta1.AddToScheme(scheme))

log.Init("testing")
@@ -77,7 +81,7 @@ func TestLokiStackController_RegisterOwnedResourcesForUpdateOrDeleteOnly(t *test
require.NoError(t, err)

// Require Owns-Calls for all owned resources
require.Equal(t, 4, b.OwnsCallCount())
require.Equal(t, 9, b.OwnsCallCount())

// Require owned resources
type test struct {
@@ -89,6 +93,10 @@ func TestLokiStackController_RegisterOwnedResourcesForUpdateOrDeleteOnly(t *test
obj: &corev1.ConfigMap{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &corev1.ServiceAccount{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &corev1.Service{},
pred: updateOrDeleteOnlyPred,
@@ -101,6 +109,22 @@ func TestLokiStackController_RegisterOwnedResourcesForUpdateOrDeleteOnly(t *test
obj: &appsv1.StatefulSet{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &rbacv1.ClusterRole{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &rbacv1.ClusterRoleBinding{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &networkingv1.Ingress{},
pred: updateOrDeleteOnlyPred,
},
{
obj: &routev1.Route{},
pred: updateOrDeleteOnlyPred,
},
}
for i, tst := range table {
// Require Owns-call options to have delete predicate only
9 changes: 5 additions & 4 deletions go.mod
@@ -8,13 +8,14 @@ require (
github.com/google/uuid v1.1.2
github.com/imdario/mergo v0.3.12
github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0
github.com/openshift/api v0.0.0-20210901140736-d8ed1449662d // release-4.9
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.48.0
github.com/prometheus/client_golang v1.11.0
github.com/stretchr/testify v1.7.0
k8s.io/api v0.21.4
k8s.io/apimachinery v0.21.4
k8s.io/client-go v0.21.4
k8s.io/utils v0.0.0-20210527160623-6fdb442a123b
k8s.io/api v0.22.1
k8s.io/apimachinery v0.22.1
k8s.io/client-go v0.22.1
k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9
sigs.k8s.io/controller-runtime v0.9.2
sigs.k8s.io/yaml v1.2.0
)