Merge branch 'main' into paul1r/json_array_loki_issue_9179

grafana · Feb 13, 2024 · 6cfe10d · 6cfe10d
2 parents 055aaf8 + 85908fa
commit 6cfe10d
Show file tree

Hide file tree

Showing 62 changed files with 1,188 additions and 1,134 deletions.
diff --git a/docs/sources/configure/_index.md b/docs/sources/configure/_index.md
@@ -2641,21 +2641,22 @@ ring:
 # CLI flag: -bloom-compactor.enabled
 [enabled: <boolean> | default = false]
 
-# Directory where files can be downloaded for compaction.
-# CLI flag: -bloom-compactor.working-directory
-[working_directory: <string> | default = ""]
-
 # Interval at which to re-run the compaction operation.
 # CLI flag: -bloom-compactor.compaction-interval
 [compaction_interval: <duration> | default = 10m]
 
-# Minimum age of a table before it is considered for compaction.
-# CLI flag: -bloom-compactor.min-compaction-age
-[min_compaction_age: <duration> | default = 24h]
-
-# Maximum age of a table before it is considered for compaction.
-# CLI flag: -bloom-compactor.max-compaction-age
-[max_compaction_age: <duration> | default = 168h]
+# How many index periods (days) to wait before compacting a table. This can be
+# used to lower cost by not re-writing data to object storage too frequently
+# since recent data changes more often.
+# CLI flag: -bloom-compactor.min-table-compaction-period
+[min_table_compaction_period: <int> | default = 1]
+
+# How many index periods (days) to wait before compacting a table. This can be
+# used to lower cost by not trying to compact older data which doesn't change.
+# This can be optimized by aligning it with the maximum
+# `reject_old_samples_max_age` setting of any tenant.
+# CLI flag: -bloom-compactor.max-table-compaction-period
+[max_table_compaction_period: <int> | default = 7]
 
 # Number of workers to run in parallel for compaction.
 # CLI flag: -bloom-compactor.worker-parallelism

diff --git a/integration/cluster/cluster.go b/integration/cluster/cluster.go
@@ -84,7 +84,6 @@ bloom_gateway:
 
 bloom_compactor:
   enabled: false
-  working_directory: {{.dataPath}}/bloom-compactor
 
 compactor:
   working_directory: {{.dataPath}}/compactor

diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Main
 
+- [11920](https://github.com/grafana/loki/pull/11920) **xperimental**: Refactor handling of credentials in managed-auth mode
 - [11869](https://github.com/grafana/loki/pull/11869) **periklis**: Add support for running with Google Workload Identity
 - [11868](https://github.com/grafana/loki/pull/11868) **xperimental**: Integrate support for OpenShift-managed credentials in Azure
 - [11854](https://github.com/grafana/loki/pull/11854) **periklis**: Allow custom audience for managed-auth on STS

diff --git a/operator/apis/config/v1/projectconfig_types.go b/operator/apis/config/v1/projectconfig_types.go
@@ -52,16 +52,11 @@ type OpenShiftFeatureGates struct {
 	// Dashboards enables the loki-mixin dashboards into the OpenShift Console
 	Dashboards bool `json:"dashboards,omitempty"`
 
-	// ManagedAuthEnv enabled when the operator installation is on OpenShift STS clusters.
+	// ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
+	// that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
 	ManagedAuthEnv bool
 }
 
-// ManagedAuthEnabled returns true when OpenShift-functions are enabled and the operator has detected that it is
-// running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
-func (o *OpenShiftFeatureGates) ManagedAuthEnabled() bool {
-	return o.Enabled && o.ManagedAuthEnv
-}
-
 // FeatureGates is the supported set of all operator feature gates.
 type FeatureGates struct {
 	// ServiceMonitors enables creating a Prometheus-Operator managed ServiceMonitor

diff --git a/operator/apis/loki/v1/lokistack_types.go b/operator/apis/loki/v1/lokistack_types.go
@@ -1174,6 +1174,27 @@ type LokiStackComponentStatus struct {
 	Ruler PodStatusMap `json:"ruler,omitempty"`
 }
 
+// CredentialMode represents the type of authentication used for accessing the object storage.
+//
+// +kubebuilder:validation:Enum=static;token;managed
+type CredentialMode string
+
+const (
+	// CredentialModeStatic represents the usage of static, long-lived credentials stored in a Secret.
+	// This is the default authentication mode and available for all supported object storage types.
+	CredentialModeStatic CredentialMode = "static"
+	// CredentialModeToken represents the usage of short-lived tokens retrieved from a credential source.
+	// In this mode the static configuration does not contain credentials needed for the object storage.
+	// Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
+	// much more granular control. This authentication mode is not supported for all object storage types.
+	CredentialModeToken CredentialMode = "token"
+	// CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
+	// This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
+	// it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
+	// This mode is only supported for certain object storage types in certain runtime environments.
+	CredentialModeManaged CredentialMode = "managed"
+)
+
 // LokiStackStorageStatus defines the observed state of
 // the Loki storage configuration.
 type LokiStackStorageStatus struct {
@@ -1183,6 +1204,12 @@ type LokiStackStorageStatus struct {
 	// +optional
 	// +kubebuilder:validation:Optional
 	Schemas []ObjectStorageSchema `json:"schemas,omitempty"`
+
+	// CredentialMode contains the authentication mode used for accessing the object storage.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	CredentialMode CredentialMode `json:"credentialMode,omitempty"`
 }
 
 // LokiStackStatus defines the observed state of LokiStack

diff --git a/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-01-31T16:48:07Z"
+    createdAt: "2024-02-12T14:48:52Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     features.operators.openshift.io/disconnected: "true"
@@ -1472,6 +1472,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - config.openshift.io

diff --git a/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml
@@ -4064,6 +4064,14 @@ spec:
                 description: Storage provides summary of all changes that have occurred
                   to the storage configuration.
                 properties:
+                  credentialMode:
+                    description: CredentialMode contains the authentication mode used
+                      for accessing the object storage.
+                    enum:
+                    - static
+                    - token
+                    - managed
+                    type: string
                   schemas:
                     description: Schemas is a list of schemas which have been applied
                       to the LokiStack.

diff --git a/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-01-31T16:48:04Z"
+    createdAt: "2024-02-12T14:48:49Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1452,6 +1452,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - config.openshift.io

diff --git a/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml
@@ -4064,6 +4064,14 @@ spec:
                 description: Storage provides summary of all changes that have occurred
                   to the storage configuration.
                 properties:
+                  credentialMode:
+                    description: CredentialMode contains the authentication mode used
+                      for accessing the object storage.
+                    enum:
+                    - static
+                    - token
+                    - managed
+                    type: string
                   schemas:
                     description: Schemas is a list of schemas which have been applied
                       to the LokiStack.

diff --git a/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml b/operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml
@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:0.1.0
-    createdAt: "2024-01-31T16:48:10Z"
+    createdAt: "2024-02-12T14:48:55Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements
@@ -1457,6 +1457,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - config.openshift.io

diff --git a/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml b/operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml
@@ -4064,6 +4064,14 @@ spec:
                 description: Storage provides summary of all changes that have occurred
                   to the storage configuration.
                 properties:
+                  credentialMode:
+                    description: CredentialMode contains the authentication mode used
+                      for accessing the object storage.
+                    enum:
+                    - static
+                    - token
+                    - managed
+                    type: string
                   schemas:
                     description: Schemas is a list of schemas which have been applied
                       to the LokiStack.

diff --git a/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml b/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
@@ -4046,6 +4046,14 @@ spec:
                 description: Storage provides summary of all changes that have occurred
                   to the storage configuration.
                 properties:
+                  credentialMode:
+                    description: CredentialMode contains the authentication mode used
+                      for accessing the object storage.
+                    enum:
+                    - static
+                    - token
+                    - managed
+                    type: string
                   schemas:
                     description: Schemas is a list of schemas which have been applied
                       to the LokiStack.

diff --git a/operator/config/rbac/role.yaml b/operator/config/rbac/role.yaml
@@ -56,6 +56,7 @@ rules:
   - delete
   - get
   - list
+  - update
   - watch
 - apiGroups:
   - config.openshift.io

diff --git a/operator/controllers/loki/credentialsrequests_controller.go b/operator/controllers/loki/credentialsrequests_controller.go
-Original file line number
+Diff line change
@@ Expand Up / @@ -56,6 +56,7 @@ rules: @@
       - delete
       - get
       - list
+      - update
       - watch
     - apiGroups:
       - config.openshift.io
@@ Expand Down @@