grafana · periklis · Apr 22, 2024 · Apr 19, 2024
diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
@@ -1,7 +1,5 @@
 ## Main
 
-- [11708](https://github.com/grafana/loki/pull/11708) **btaani**: Add support for Swift TLS CA configuration
-
 ## 0.6.0 (2024-03-19)
 
 - [12228](https://github.com/grafana/loki/pull/12228) **xperimental**: Restructure LokiStack metrics

@@ -29,23 +29,17 @@ var (
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 	switch opts.SharedStore {
-	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
+	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
 		return configureDeployment(d, opts)
 	case lokiv1.ObjectStorageSecretS3:
 		err := configureDeployment(d, opts)
 		if err != nil {
 			return err
 		}
-		return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
-	case lokiv1.ObjectStorageSecretSwift:
-		err := configureDeployment(d, opts)
-		if err != nil {
-			return err
-		}
-		return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
+		return configureDeploymentCA(d, opts.TLS)
 	default:
 		return nil
 	}
@@ -55,21 +49,16 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error {
 	switch opts.SharedStore {
-	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
+	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
 		return configureStatefulSet(d, opts)
 	case lokiv1.ObjectStorageSecretS3:
 		if err := configureStatefulSet(d, opts); err != nil {
 			return err
 		}
-		return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
-	case lokiv1.ObjectStorageSecretSwift:
-		if err := configureStatefulSet(d, opts); err != nil {
-			return err
-		}
-		return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
+		return configureStatefulSetCA(d, opts.TLS)
 	default:
 		return nil
 	}
@@ -86,22 +75,16 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error {
 	return nil
 }
 
-// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec.
-func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
+// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec.
+func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error {
 	if tls == nil {
 		return nil
 	}
 
-	var p corev1.PodSpec
-	switch secretType {
-	case lokiv1.ObjectStorageSecretS3:
-		p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
-	case lokiv1.ObjectStorageSecretSwift:
-		p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
-	}
+	p := ensureCAForS3(&d.Spec.Template.Spec, tls)
 
 	if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-		return kverrors.Wrap(err, "failed to merge object storage ca options ")
+		return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
 	}
 
 	return nil
@@ -118,22 +101,16 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error {
 	return nil
 }
 
-// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec.
-func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
+// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec.
+func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
 	if tls == nil {
 		return nil
 	}
-	var p corev1.PodSpec
 
-	switch secretType {
-	case lokiv1.ObjectStorageSecretS3:
-		p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
-	case lokiv1.ObjectStorageSecretSwift:
-		p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
-	}
+	p := ensureCAForS3(&s.Spec.Template.Spec, tls)
 
 	if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-		return kverrors.Wrap(err, "failed to merge object storage ca options ")
+		return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
 	}
 
 	return nil
@@ -269,7 +246,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar {
 	}
 }
 
-func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec {
+func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
 	container := p.Containers[0].DeepCopy()
 	volumes := p.Volumes
 
@@ -290,16 +267,9 @@ func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType loki
 		MountPath: caDirectory,
 	})
 
-	switch secretType {
-	case lokiv1.ObjectStorageSecretS3:
-		container.Args = append(container.Args,
-			fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
-		)
-	case lokiv1.ObjectStorageSecretSwift:
-		container.Args = append(container.Args,
-			fmt.Sprintf("-swift.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
-		)
-	}
+	container.Args = append(container.Args,
+		fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
+	)
 
 	return corev1.PodSpec{
 		Containers: []corev1.Container{

@@ -2505,102 +2505,6 @@ func TestConfigureDeploymentForStorageCA(t *testing.T) {
 				},
 			},
 		},
-		{
-			desc: "object storage Swift",
-			opts: Options{
-				SecretName:  "test",
-				SharedStore: lokiv1.ObjectStorageSecretSwift,
-				TLS: &TLSConfig{
-					CA:  "test",
-					Key: "service-ca.crt",
-				},
-			},
-			dpl: &appsv1.Deployment{
-				Spec: appsv1.DeploymentSpec{
-					Template: corev1.PodTemplateSpec{
-						Spec: corev1.PodSpec{
-							Containers: []corev1.Container{
-								{
-									Name: "loki-querier",
-								},
-							},
-						},
-					},
-				},
-			},
-			want: &appsv1.Deployment{
-				Spec: appsv1.DeploymentSpec{
-					Template: corev1.PodTemplateSpec{
-						Spec: corev1.PodSpec{
-							Containers: []corev1.Container{
-								{
-									Name: "loki-querier",
-									VolumeMounts: []corev1.VolumeMount{
-										{
-											Name:      "test",
-											ReadOnly:  false,
-											MountPath: "/etc/storage/secrets",
-										},
-										{
-											Name:      "storage-tls",
-											ReadOnly:  false,
-											MountPath: "/etc/storage/ca",
-										},
-									},
-									Args: []string{
-										"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
-									},
-									Env: []corev1.EnvVar{
-										{
-											Name: EnvSwiftUsername,
-											ValueFrom: &corev1.EnvVarSource{
-												SecretKeyRef: &corev1.SecretKeySelector{
-													LocalObjectReference: corev1.LocalObjectReference{
-														Name: "test",
-													},
-													Key: KeySwiftUsername,
-												},
-											},
-										},
-										{
-											Name: EnvSwiftPassword,
-											ValueFrom: &corev1.EnvVarSource{
-												SecretKeyRef: &corev1.SecretKeySelector{
-													LocalObjectReference: corev1.LocalObjectReference{
-														Name: "test",
-													},
-													Key: KeySwiftPassword,
-												},
-											},
-										},
-									},
-								},
-							},
-							Volumes: []corev1.Volume{
-								{
-									Name: "test",
-									VolumeSource: corev1.VolumeSource{
-										Secret: &corev1.SecretVolumeSource{
-											SecretName: "test",
-										},
-									},
-								},
-								{
-									Name: "storage-tls",
-									VolumeSource: corev1.VolumeSource{
-										ConfigMap: &corev1.ConfigMapVolumeSource{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: "test",
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
 	}
 
 	for _, tc := range tc {
@@ -2627,7 +2531,7 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 			desc: "object storage other than S3",
 			opts: Options{
 				SecretName:  "test",
-				SharedStore: lokiv1.ObjectStorageSecretAzure,
+				SharedStore: lokiv1.ObjectStorageSecretSwift,
 				TLS: &TLSConfig{
 					CA: "test",
 				},
@@ -2661,24 +2565,24 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 									},
 									Env: []corev1.EnvVar{
 										{
-											Name: EnvAzureStorageAccountName,
+											Name: EnvSwiftUsername,
 											ValueFrom: &corev1.EnvVarSource{
 												SecretKeyRef: &corev1.SecretKeySelector{
 													LocalObjectReference: corev1.LocalObjectReference{
 														Name: "test",
 													},
-													Key: KeyAzureStorageAccountName,
+													Key: KeySwiftUsername,
 												},
 											},
 										},
 										{
-											Name: EnvAzureStorageAccountKey,
+											Name: EnvSwiftPassword,
 											ValueFrom: &corev1.EnvVarSource{
 												SecretKeyRef: &corev1.SecretKeySelector{
 													LocalObjectReference: corev1.LocalObjectReference{
 														Name: "test",
 													},
-													Key: KeyAzureStorageAccountKey,
+													Key: KeySwiftPassword,
 												},
 											},
 										},
@@ -2796,102 +2700,6 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 				},
 			},
 		},
-		{
-			desc: "object storage Swift",
-			opts: Options{
-				SecretName:  "test",
-				SharedStore: lokiv1.ObjectStorageSecretSwift,
-				TLS: &TLSConfig{
-					CA:  "test",
-					Key: "service-ca.crt",
-				},
-			},
-			sts: &appsv1.StatefulSet{
-				Spec: appsv1.StatefulSetSpec{
-					Template: corev1.PodTemplateSpec{
-						Spec: corev1.PodSpec{
-							Containers: []corev1.Container{
-								{
-									Name: "loki-ingester",
-								},
-							},
-						},
-					},
-				},
-			},
-			want: &appsv1.StatefulSet{
-				Spec: appsv1.StatefulSetSpec{
-					Template: corev1.PodTemplateSpec{
-						Spec: corev1.PodSpec{
-							Containers: []corev1.Container{
-								{
-									Name: "loki-ingester",
-									VolumeMounts: []corev1.VolumeMount{
-										{
-											Name:      "test",
-											ReadOnly:  false,
-											MountPath: "/etc/storage/secrets",
-										},
-										{
-											Name:      "storage-tls",
-											ReadOnly:  false,
-											MountPath: "/etc/storage/ca",
-										},
-									},
-									Args: []string{
-										"-swift.http.ca-file=/etc/storage/ca/service-ca.crt",
-									},
-									Env: []corev1.EnvVar{
-										{
-											Name: EnvSwiftUsername,
-											ValueFrom: &corev1.EnvVarSource{
-												SecretKeyRef: &corev1.SecretKeySelector{
-													LocalObjectReference: corev1.LocalObjectReference{
-														Name: "test",
-													},
-													Key: KeySwiftUsername,
-												},
-											},
-										},
-										{
-											Name: EnvSwiftPassword,
-											ValueFrom: &corev1.EnvVarSource{
-												SecretKeyRef: &corev1.SecretKeySelector{
-													LocalObjectReference: corev1.LocalObjectReference{
-														Name: "test",
-													},
-													Key: KeySwiftPassword,
-												},
-											},
-										},
-									},
-								},
-							},
-							Volumes: []corev1.Volume{
-								{
-									Name: "test",
-									VolumeSource: corev1.VolumeSource{
-										Secret: &corev1.SecretVolumeSource{
-											SecretName: "test",
-										},
-									},
-								},
-								{
-									Name: "storage-tls",
-									VolumeSource: corev1.VolumeSource{
-										ConfigMap: &corev1.ConfigMapVolumeSource{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: "test",
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
 	}
 
 	for _, tc := range tc {