add tenancy in self-service

giantswarm · Nov 7, 2024 · da03311 · da03311
1 parent 7eaa4c3
commit da03311
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 12 deletions.
diff --git a/pkg/resource/logging-config/alloy-logging-config.go b/pkg/resource/logging-config/alloy-logging-config.go
@@ -74,7 +74,6 @@ func generateAlloyConfig(lc loggedcluster.Interface, observabilityBundleVersion
 		MaxBackoffPeriod            string
 		IsWorkloadCluster           bool
 		LokiURLEnvVarName           string
-		TenantIDEnvVarName          string
 		BasicAuthUsernameEnvVarName string
 		BasicAuthPasswordEnvVarName string
 		SupportPodLogs              bool
@@ -84,7 +83,6 @@ func generateAlloyConfig(lc loggedcluster.Interface, observabilityBundleVersion
 		MaxBackoffPeriod:            common.MaxBackoffPeriod,
 		IsWorkloadCluster:           common.IsWorkloadCluster(lc),
 		LokiURLEnvVarName:           loggingsecret.AlloyLokiURLEnvVarName,
-		TenantIDEnvVarName:          loggingsecret.AlloyTenantIDEnvVarName,
 		BasicAuthUsernameEnvVarName: loggingsecret.AlloyBasicAuthUsernameEnvVarName,
 		BasicAuthPasswordEnvVarName: loggingsecret.AlloyBasicAuthPasswordEnvVarName,
 		// Observability bundle in older versions do not support PodLogs

diff --git a/pkg/resource/logging-config/alloy/logging.alloy.template b/pkg/resource/logging-config/alloy/logging.alloy.template
@@ -84,7 +84,7 @@ discovery.relabel "kubernetes_pods" {
 		target_label  = "container"
 	}
 
-{{- if not .SupportPodLogs }}
+  {{- if not .SupportPodLogs }}
 	rule {
 		source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
 		separator     = "/"
@@ -107,7 +107,7 @@ discovery.relabel "kubernetes_pods" {
 		action        = "keep"
 	}
 	{{- end }}
-{{- end }}
+  {{- end }}
 }
 
 loki.process "kubernetes_pods" {
@@ -128,6 +128,16 @@ loki.process "kubernetes_pods" {
 			"stream",
 		]
 	}
+  {{- if .SupportPodLogs }}
+  // This is the only place where we need to set it because we put "giantswarm" as a default.
+  // c.f. https://github.com/grafana/alloy/blob/31b697c95ecdf7d43fa7790e31cc0f231d39fe8d/internal/component/common/loki/client/client.go#L458C18-L458C29
+  stage.labels {
+    "tenant" = __meta_kubernetes_pod_label_application_giantswarm_io_tenant
+  }
+  stage.tenant {
+    label = "tenant"
+  }
+  {{- end }}
 }
 
 // journald logs from /run/log/journal
@@ -292,7 +302,7 @@ loki.write "default" {
 	endpoint {
 		url                = env("{{ .LokiURLEnvVarName }}")
 		max_backoff_period = "{{ .MaxBackoffPeriod }}"
-		tenant_id          = env("{{ .TenantIDEnvVarName }}")
+		tenant_id          = "giantswarm"
 
 		basic_auth {
 			username = env("{{ .BasicAuthUsernameEnvVarName }}")

diff --git a/pkg/resource/logging-credentials/logging_operator_secrets.go b/pkg/resource/logging-credentials/logging_operator_secrets.go
@@ -88,7 +88,6 @@ func GetPassword(lc loggedcluster.Interface, credentialsSecret *v1.Secret, usern
 
 // AddLoggingCredentials - Add credentials to LoggingCredentials secret if needed
 func AddLoggingCredentials(lc loggedcluster.Interface, loggingCredentials *v1.Secret) (bool, error) {
-
 	var secretUpdated bool = false
 
 	// Always check credentials for "readuser"

diff --git a/pkg/resource/logging-secret/alloy-logging-secret.go b/pkg/resource/logging-secret/alloy-logging-secret.go
@@ -17,7 +17,6 @@ import (
 
 const (
 	AlloyLokiURLEnvVarName           = "LOKI_URL"
-	AlloyTenantIDEnvVarName          = "TENANT_ID"
 	AlloyBasicAuthUsernameEnvVarName = "BASIC_AUTH_USERNAME"
 	AlloyBasicAuthPasswordEnvVarName = "BASIC_AUTH_PASSWORD" // #nosec G101
 )
@@ -45,7 +44,6 @@ func GenerateAlloyLoggingSecret(lc loggedcluster.Interface, credentialsSecret *v
 	}{
 		ExtraSecretEnv: map[string]string{
 			AlloyLokiURLEnvVarName:           fmt.Sprintf(common.LokiURLFormat, lokiURL),
-			AlloyTenantIDEnvVarName:          common.DefaultWriteTenant,
 			AlloyBasicAuthUsernameEnvVarName: clusterName,
 			AlloyBasicAuthPasswordEnvVarName: writePassword,
 		},

diff --git a/pkg/resource/logging-secret/promtail-logging-secret.go b/pkg/resource/logging-secret/promtail-logging-secret.go
@@ -72,7 +72,7 @@ func GeneratePromtailLoggingSecret(lc loggedcluster.Interface, credentialsSecret
 				Clients: []promtailConfigClient{
 					{
 						URL:      fmt.Sprintf(common.LokiURLFormat, lokiURL),
-						TenantID: common.DefaultWriteTenant,
+						TenantID: "giantswarm",
 						BasicAuth: promtailConfigClientBasicAuth{
 							Username: writeUser,
 							Password: writePassword,

diff --git a/pkg/resource/proxy-auth/proxy-auth.go b/pkg/resource/proxy-auth/proxy-auth.go
@@ -70,9 +70,6 @@ func GenerateProxyAuthSecret(lc loggedcluster.Interface, credentialsSecret *v1.S
 		authCfg.Users = append(authCfg.Users, config.User{
 			Username: writeUser,
 			Password: writePassword,
-			// we set the default tenant even though it may be given by the sender
-			// depending of grafana-multi-teant-proxy config
-			OrgID: common.DefaultWriteTenant,
 		})
 
 		// Add write user to allowed tenants for read user