Revert "Refactor storage options from handler into internal package"

This reverts commit c66110f.
grafana · Jan 12, 2024 · 0264258 · 0264258
1 parent 326e240
commit 0264258
Show file tree

Hide file tree

Showing 11 changed files with 144 additions and 216 deletions.
diff --git a/operator/internal/handlers/internal/storage/ca_configmap.go b/operator/internal/handlers/internal/storage/ca_configmap.go
@@ -13,9 +13,9 @@ func (e caKeyError) Error() string {
 	return fmt.Sprintf("key not present or data empty: %s", string(e))
 }
 
-// checkCAConfigMap checks if the given CA configMap has an non-empty entry for the key used as CA certificate.
+// CheckCAConfigMap checks if the given CA configMap has an non-empty entry for the key used as CA certificate.
 // If the key is present it will return a hash of the current key name and contents.
-func checkCAConfigMap(cm *corev1.ConfigMap, key string) (string, error) {
+func CheckCAConfigMap(cm *corev1.ConfigMap, key string) (string, error) {
 	data := cm.Data[key]
 	if data == "" {
 		return "", caKeyError(key)

diff --git a/operator/internal/handlers/internal/storage/ca_configmap_test.go b/operator/internal/handlers/internal/storage/ca_configmap_test.go
@@ -1,4 +1,4 @@
-package storage
+package storage_test
 
 import (
 	"testing"
@@ -45,7 +45,7 @@ func TestIsValidConfigMap(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			hash, err := checkCAConfigMap(tst.cm, "service-ca.crt")
+			hash, err := CheckCAConfigMap(tst.cm, "service-ca.crt")
 
 			require.Equal(t, tst.wantHash, hash)
 			if tst.wantErrorMsg == "" {

diff --git a/operator/internal/handlers/internal/storage/options.go b/operator/internal/handlers/internal/storage/options.go
diff --git a/operator/internal/handlers/internal/storage/secrets.go b/operator/internal/handlers/internal/storage/secrets.go
@@ -1,53 +1,21 @@
 package storage
 
 import (
-	"context"
 	"crypto/sha1"
 	"fmt"
 	"sort"
 
 	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	configv1 "github.com/grafana/loki/operator/apis/config/v1"
 	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
-	"github.com/grafana/loki/operator/internal/external/k8s"
-	"github.com/grafana/loki/operator/internal/handlers/internal/openshift"
 	"github.com/grafana/loki/operator/internal/manifests/storage"
-	"github.com/grafana/loki/operator/internal/status"
 )
 
-func getSecrets(ctx context.Context, k k8s.Client, ll logr.Logger, stack *lokiv1.LokiStack, fg configv1.FeatureGates) (*corev1.Secret, *corev1.Secret, error) {
-	var storageSecret *corev1.Secret
-	key := client.ObjectKey{Name: stack.Spec.Storage.Secret.Name, Namespace: stack.Namespace}
-	if err := k.Get(ctx, key, storageSecret); err != nil {
-		if apierrors.IsNotFound(err) {
-			return nil, nil, &status.DegradedError{
-				Message: "Missing object storage secret",
-				Reason:  lokiv1.ReasonMissingObjectStorageSecret,
-				Requeue: false,
-			}
-		}
-		return nil, nil, kverrors.Wrap(err, "failed to lookup lokistack storage secret", "name", key)
-	}
+var hashSeparator = []byte(",")
 
-	var managedAuthCreds *corev1.Secret
-	if fg.OpenShift.Enabled {
-		key := client.ObjectKeyFromObject(stack)
-		creds, err := openshift.GetManagedAuthCredentials(ctx, k, ll, key, fg)
-		if err != nil {
-			return storageSecret, nil, err
-		}
-		managedAuthCreds = creds
-	}
-
-	return storageSecret, managedAuthCreds, nil
-}
-
-func extractSecrets(s *corev1.Secret, secretType lokiv1.ObjectStorageSecretType, managedAuthSecret *corev1.Secret) (*storage.Options, error) {
+// ExtractSecret reads a k8s secret into a manifest object storage struct if valid.
+func ExtractSecret(s *corev1.Secret, secretType lokiv1.ObjectStorageSecretType, managedAuthSecret *corev1.Secret) (*storage.Options, error) {
 	hash, err := hashSecretData(s)
 	if err != nil {
 		return nil, kverrors.Wrap(err, "error calculating hash for secret", "type", secretType)
@@ -66,12 +34,8 @@ func extractSecrets(s *corev1.Secret, secretType lokiv1.ObjectStorageSecretType,
 			return nil, kverrors.Wrap(err, "error calculating hash for secret", "type", secretType)
 		}
 
-		storageOpts.OpenShift = storage.OpenShiftOptions{
-			ManagedAuthCreds: storage.ManagedAuthCreds{
-				Name: managedAuthSecret.GetName(),
-				SHA1: extraSHash,
-			},
-		}
+		storageOpts.ExtraSecretName = managedAuthSecret.Name
+		storageOpts.ExtraSecretSHA1 = extraSHash
 	}
 
 	switch secretType {

diff --git a/operator/internal/handlers/internal/storage/secrets_test.go b/operator/internal/handlers/internal/storage/secrets_test.go
@@ -135,7 +135,7 @@ func TestAzureExtract(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			opts, err := extractSecrets(tst.secret, lokiv1.ObjectStorageSecretAzure, nil)
+			opts, err := ExtractSecret(tst.secret, lokiv1.ObjectStorageSecretAzure, nil)
 			if !tst.wantErr {
 				require.NoError(t, err)
 				require.NotEmpty(t, opts.SecretName)
@@ -186,7 +186,7 @@ func TestGCSExtract(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			_, err := extractSecrets(tst.secret, lokiv1.ObjectStorageSecretGCS, nil)
+			_, err := ExtractSecret(tst.secret, lokiv1.ObjectStorageSecretGCS, nil)
 			if !tst.wantErr {
 				require.NoError(t, err)
 			}
@@ -360,7 +360,7 @@ func TestS3Extract(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			opts, err := extractSecrets(tst.secret, lokiv1.ObjectStorageSecretS3, nil)
+			opts, err := ExtractSecret(tst.secret, lokiv1.ObjectStorageSecretS3, nil)
 			if !tst.wantErr {
 				require.NoError(t, err)
 				require.NotEmpty(t, opts.SecretName)
@@ -509,7 +509,7 @@ func TestSwiftExtract(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			opts, err := extractSecrets(tst.secret, lokiv1.ObjectStorageSecretSwift, nil)
+			opts, err := ExtractSecret(tst.secret, lokiv1.ObjectStorageSecretSwift, nil)
 			if !tst.wantErr {
 				require.NoError(t, err)
 				require.NotEmpty(t, opts.SecretName)
@@ -583,7 +583,7 @@ func TestAlibabaCloudExtract(t *testing.T) {
 		t.Run(tst.name, func(t *testing.T) {
 			t.Parallel()
 
-			opts, err := extractSecrets(tst.secret, lokiv1.ObjectStorageSecretAlibabaCloud, nil)
+			opts, err := ExtractSecret(tst.secret, lokiv1.ObjectStorageSecretAlibabaCloud, nil)
 			if !tst.wantErr {
 				require.NoError(t, err)
 				require.NotEmpty(t, opts.SecretName)

diff --git a/operator/internal/handlers/lokistack_create_or_update.go b/operator/internal/handlers/lokistack_create_or_update.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"time"
 
 	"github.com/ViaQ/logerr/v2/kverrors"
 	"github.com/go-logr/logr"
@@ -26,6 +27,7 @@ import (
 	"github.com/grafana/loki/operator/internal/handlers/internal/tlsprofile"
 	"github.com/grafana/loki/operator/internal/manifests"
 	manifests_openshift "github.com/grafana/loki/operator/internal/manifests/openshift"
+	storageoptions "github.com/grafana/loki/operator/internal/manifests/storage"
 	"github.com/grafana/loki/operator/internal/metrics"
 	"github.com/grafana/loki/operator/internal/status"
 )
@@ -65,11 +67,92 @@ func CreateOrUpdateLokiStack(
 		gwImg = manifests.DefaultLokiStackGatewayImage
 	}
 
-	objStore, err := storage.BuildOptions(ctx, k, ll, &stack, fg)
+	var storageSecret corev1.Secret
+	key := client.ObjectKey{Name: stack.Spec.Storage.Secret.Name, Namespace: stack.Namespace}
+	if err := k.Get(ctx, key, &storageSecret); err != nil {
+		if apierrors.IsNotFound(err) {
+			return &status.DegradedError{
+				Message: "Missing object storage secret",
+				Reason:  lokiv1.ReasonMissingObjectStorageSecret,
+				Requeue: false,
+			}
+		}
+		return kverrors.Wrap(err, "failed to lookup lokistack storage secret", "name", key)
+	}
+
+	stsCreds, err := getSTSCredsFromEnv(ctx, k, ll, client.ObjectKeyFromObject(&stack), fg)
 	if err != nil {
 		return err
 	}
 
+	objStore, err := storage.ExtractSecret(&storageSecret, stack.Spec.Storage.Secret.Type, stsCreds)
+	if err != nil {
+		return &status.DegradedError{
+			Message: fmt.Sprintf("Invalid object storage secret contents: %s", err),
+			Reason:  lokiv1.ReasonInvalidObjectStorageSecret,
+			Requeue: false,
+		}
+	}
+	objStore.OpenShiftEnabled = fg.OpenShift.Enabled
+
+	storageSchemas, err := storageoptions.BuildSchemaConfig(
+		time.Now().UTC(),
+		stack.Spec.Storage,
+		stack.Status.Storage,
+	)
+	if err != nil {
+		return &status.DegradedError{
+			Message: fmt.Sprintf("Invalid object storage schema contents: %s", err),
+			Reason:  lokiv1.ReasonInvalidObjectStorageSchema,
+			Requeue: false,
+		}
+	}
+
+	objStore.Schemas = storageSchemas
+
+	if stack.Spec.Storage.TLS != nil {
+		tlsConfig := stack.Spec.Storage.TLS
+
+		if tlsConfig.CA == "" {
+			return &status.DegradedError{
+				Message: "Missing object storage CA config map",
+				Reason:  lokiv1.ReasonMissingObjectStorageCAConfigMap,
+				Requeue: false,
+			}
+		}
+
+		var cm corev1.ConfigMap
+		key := client.ObjectKey{Name: tlsConfig.CA, Namespace: stack.Namespace}
+		if err = k.Get(ctx, key, &cm); err != nil {
+			if apierrors.IsNotFound(err) {
+				return &status.DegradedError{
+					Message: "Missing object storage CA config map",
+					Reason:  lokiv1.ReasonMissingObjectStorageCAConfigMap,
+					Requeue: false,
+				}
+			}
+			return kverrors.Wrap(err, "failed to lookup lokistack object storage CA config map", "name", key)
+		}
+
+		caKey := defaultCAKey
+		if tlsConfig.CAKey != "" {
+			caKey = tlsConfig.CAKey
+		}
+
+		var caHash string
+		caHash, err = storage.CheckCAConfigMap(&cm, caKey)
+		if err != nil {
+			return &status.DegradedError{
+				Message: "Invalid object storage CA configmap contents: missing key or no contents",
+				Reason:  lokiv1.ReasonInvalidObjectStorageCAConfigMap,
+				Requeue: false,
+			}
+		}
+
+		objStore.SecretSHA1 = fmt.Sprintf("%s;%s", objStore.SecretSHA1, caHash)
+		objStore.TLS = &storageoptions.TLSConfig{CA: cm.Name, Key: caKey}
+	}
+
 	var (
 		baseDomain    string
 		tenantSecrets []*manifests.TenantSecrets
@@ -279,7 +362,7 @@ func CreateOrUpdateLokiStack(
 	// updated and another resource is not. This would cause the status to
 	// be possibly misaligned with the configmap, which could lead to
 	// a user possibly being unable to read logs.
-	if err := status.SetStorageSchemaStatus(ctx, k, req, objStore.Schemas); err != nil {
+	if err := status.SetStorageSchemaStatus(ctx, k, req, storageSchemas); err != nil {
 		ll.Error(err, "failed to set storage schema status")
 		return err
 	}
@@ -367,3 +450,31 @@ func isNamespacedResource(obj client.Object) bool {
 		return true
 	}
 }
+
+func getSTSCredsFromEnv(ctx context.Context, k k8s.Client, l logr.Logger, stack client.ObjectKey, fg configv1.FeatureGates) (*corev1.Secret, error) {
+	var managedAuthCreds corev1.Secret
+	managedAuthEnv := manifests_openshift.DiscoverManagedAuthEnv()
+	if managedAuthEnv == nil || !fg.OpenShift.Enabled {
+		return nil, nil
+	}
+
+	l.Info("discovered managed authentication credentials cluster", "env", managedAuthEnv)
+
+	managedAuthCredsKey, err := manifests_openshift.CreateCredentialsRequest(ctx, k, stack, managedAuthEnv)
+	if err != nil {
+		return nil, kverrors.Wrap(err, "failed creating OpenShift CCO CredentialsRequest", "name", stack)
+	}
+
+	if err := k.Get(ctx, managedAuthCredsKey, &managedAuthCreds); err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, &status.DegradedError{
+				Message: "Missing OpenShift CCO managed authentication credentials secret",
+				Reason:  lokiv1.ReasonMissingManagedAuthSecret,
+				Requeue: true,
+			}
+		}
+		return nil, kverrors.Wrap(err, "failed to lookup OpenShift CCO managed authentication credentials secret", "name", stack)
+	}
+
+	return &managedAuthCreds, nil
+}