From bb0af3ed3bfd5c34cc9a3f900c1c0bb8bd98ee2b Mon Sep 17 00:00:00 2001 From: Bayan Taani <86984560+btaani@users.noreply.github.com> Date: Fri, 19 Apr 2024 13:10:34 +0200 Subject: [PATCH] Revert "operator: Add support for Swift TLS CA configuration (#11708)" This reverts commit c1415c5268ac71b85e6df29dbb18b56551fa9931. --- operator/CHANGELOG.md | 2 - .../internal/manifests/storage/configure.go | 66 ++---- .../manifests/storage/configure_test.go | 202 +----------------- 3 files changed, 23 insertions(+), 247 deletions(-) diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md index 3a6f2454ab20..cf21948497dd 100644 --- a/operator/CHANGELOG.md +++ b/operator/CHANGELOG.md @@ -1,7 +1,5 @@ ## Main -- [11708](https://github.com/grafana/loki/pull/11708) **btaani**: Add support for Swift TLS CA configuration - ## 0.6.0 (2024-03-19) - [12228](https://github.com/grafana/loki/pull/12228) **xperimental**: Restructure LokiStack metrics diff --git a/operator/internal/manifests/storage/configure.go b/operator/internal/manifests/storage/configure.go index 3e790e996c8b..b1c8a0df955a 100644 --- a/operator/internal/manifests/storage/configure.go +++ b/operator/internal/manifests/storage/configure.go @@ -29,23 +29,17 @@ var ( // based on the object storage type. Currently supported amendments: // - All: Ensure object storage secret mounted and auth projected as env vars. // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container -// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given +// - S3: Ensure mounting custom CA configmap if any TLSConfig given func ConfigureDeployment(d *appsv1.Deployment, opts Options) error { switch opts.SharedStore { - case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS: + case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift: return configureDeployment(d, opts) case lokiv1.ObjectStorageSecretS3: err := configureDeployment(d, opts) if err != nil { return err } - return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3) - case lokiv1.ObjectStorageSecretSwift: - err := configureDeployment(d, opts) - if err != nil { - return err - } - return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift) + return configureDeploymentCA(d, opts.TLS) default: return nil } @@ -55,21 +49,16 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error { // based on the object storage type. Currently supported amendments: // - All: Ensure object storage secret mounted and auth projected as env vars. // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container -// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given +// - S3: Ensure mounting custom CA configmap if any TLSConfig given func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error { switch opts.SharedStore { - case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS: + case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift: return configureStatefulSet(d, opts) case lokiv1.ObjectStorageSecretS3: if err := configureStatefulSet(d, opts); err != nil { return err } - return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3) - case lokiv1.ObjectStorageSecretSwift: - if err := configureStatefulSet(d, opts); err != nil { - return err - } - return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift) + return configureStatefulSetCA(d, opts.TLS) default: return nil } @@ -86,22 +75,16 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error { return nil } -// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec. -func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error { +// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec. +func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error { if tls == nil { return nil } - var p corev1.PodSpec - switch secretType { - case lokiv1.ObjectStorageSecretS3: - p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3) - case lokiv1.ObjectStorageSecretSwift: - p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift) - } + p := ensureCAForS3(&d.Spec.Template.Spec, tls) if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil { - return kverrors.Wrap(err, "failed to merge object storage ca options ") + return kverrors.Wrap(err, "failed to merge s3 object storage ca options ") } return nil @@ -118,22 +101,16 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error { return nil } -// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec. -func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error { +// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec. +func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error { if tls == nil { return nil } - var p corev1.PodSpec - switch secretType { - case lokiv1.ObjectStorageSecretS3: - p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3) - case lokiv1.ObjectStorageSecretSwift: - p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift) - } + p := ensureCAForS3(&s.Spec.Template.Spec, tls) if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil { - return kverrors.Wrap(err, "failed to merge object storage ca options ") + return kverrors.Wrap(err, "failed to merge s3 object storage ca options ") } return nil @@ -269,7 +246,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar { } } -func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec { +func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec { container := p.Containers[0].DeepCopy() volumes := p.Volumes @@ -290,16 +267,9 @@ func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType loki MountPath: caDirectory, }) - switch secretType { - case lokiv1.ObjectStorageSecretS3: - container.Args = append(container.Args, - fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)), - ) - case lokiv1.ObjectStorageSecretSwift: - container.Args = append(container.Args, - fmt.Sprintf("-swift.http.ca-file=%s", path.Join(caDirectory, tls.Key)), - ) - } + container.Args = append(container.Args, + fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)), + ) return corev1.PodSpec{ Containers: []corev1.Container{ diff --git a/operator/internal/manifests/storage/configure_test.go b/operator/internal/manifests/storage/configure_test.go index 3d82c2e73ec6..f9aed80a00fd 100644 --- a/operator/internal/manifests/storage/configure_test.go +++ b/operator/internal/manifests/storage/configure_test.go @@ -2505,102 +2505,6 @@ func TestConfigureDeploymentForStorageCA(t *testing.T) { }, }, }, - { - desc: "object storage Swift", - opts: Options{ - SecretName: "test", - SharedStore: lokiv1.ObjectStorageSecretSwift, - TLS: &TLSConfig{ - CA: "test", - Key: "service-ca.crt", - }, - }, - dpl: &appsv1.Deployment{ - Spec: appsv1.DeploymentSpec{ - Template: corev1.PodTemplateSpec{ - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "loki-querier", - }, - }, - }, - }, - }, - }, - want: &appsv1.Deployment{ - Spec: appsv1.DeploymentSpec{ - Template: corev1.PodTemplateSpec{ - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "loki-querier", - VolumeMounts: []corev1.VolumeMount{ - { - Name: "test", - ReadOnly: false, - MountPath: "/etc/storage/secrets", - }, - { - Name: "storage-tls", - ReadOnly: false, - MountPath: "/etc/storage/ca", - }, - }, - Args: []string{ - "-swift.http.ca-file=/etc/storage/ca/service-ca.crt", - }, - Env: []corev1.EnvVar{ - { - Name: EnvSwiftUsername, - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - Key: KeySwiftUsername, - }, - }, - }, - { - Name: EnvSwiftPassword, - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - Key: KeySwiftPassword, - }, - }, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "test", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "test", - }, - }, - }, - { - Name: "storage-tls", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, } for _, tc := range tc { @@ -2627,7 +2531,7 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) { desc: "object storage other than S3", opts: Options{ SecretName: "test", - SharedStore: lokiv1.ObjectStorageSecretAzure, + SharedStore: lokiv1.ObjectStorageSecretSwift, TLS: &TLSConfig{ CA: "test", }, @@ -2661,24 +2565,24 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) { }, Env: []corev1.EnvVar{ { - Name: EnvAzureStorageAccountName, + Name: EnvSwiftUsername, ValueFrom: &corev1.EnvVarSource{ SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ Name: "test", }, - Key: KeyAzureStorageAccountName, + Key: KeySwiftUsername, }, }, }, { - Name: EnvAzureStorageAccountKey, + Name: EnvSwiftPassword, ValueFrom: &corev1.EnvVarSource{ SecretKeyRef: &corev1.SecretKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ Name: "test", }, - Key: KeyAzureStorageAccountKey, + Key: KeySwiftPassword, }, }, }, @@ -2796,102 +2700,6 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) { }, }, }, - { - desc: "object storage Swift", - opts: Options{ - SecretName: "test", - SharedStore: lokiv1.ObjectStorageSecretSwift, - TLS: &TLSConfig{ - CA: "test", - Key: "service-ca.crt", - }, - }, - sts: &appsv1.StatefulSet{ - Spec: appsv1.StatefulSetSpec{ - Template: corev1.PodTemplateSpec{ - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "loki-ingester", - }, - }, - }, - }, - }, - }, - want: &appsv1.StatefulSet{ - Spec: appsv1.StatefulSetSpec{ - Template: corev1.PodTemplateSpec{ - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "loki-ingester", - VolumeMounts: []corev1.VolumeMount{ - { - Name: "test", - ReadOnly: false, - MountPath: "/etc/storage/secrets", - }, - { - Name: "storage-tls", - ReadOnly: false, - MountPath: "/etc/storage/ca", - }, - }, - Args: []string{ - "-swift.http.ca-file=/etc/storage/ca/service-ca.crt", - }, - Env: []corev1.EnvVar{ - { - Name: EnvSwiftUsername, - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - Key: KeySwiftUsername, - }, - }, - }, - { - Name: EnvSwiftPassword, - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - Key: KeySwiftPassword, - }, - }, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "test", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "test", - }, - }, - }, - { - Name: "storage-tls", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test", - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, } for _, tc := range tc {