Merge remote-tracking branch 'grafana/main' into karsten/quantile-app…

…roximation

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [11393](https://github.com/grafana/loki/pull/11393) **periklis**: Add infra annotations for OpenShift based deployments
 - [11094](https://github.com/grafana/loki/pull/11094) **periklis**: Add support for blocking queries per tenant
 - [11288](https://github.com/grafana/loki/pull/11288) **periklis**: Fix custom CA for object-store in ruler component
 - [11091](https://github.com/grafana/loki/pull/11091) **periklis**: Add automatic stream sharding support

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,9 +150,16 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2023-11-03T11:44:16Z"
+    createdAt: "2023-12-06T06:30:12Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
+    features.operators.openshift.io/disconnected: "true"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "true"
+    features.operators.openshift.io/tls-profiles: "true"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
     operators.operatorframework.io/builder: operator-sdk-unknown
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/grafana/loki/tree/main/operator

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2023-11-03T11:44:14Z"
+    createdAt: "2023-12-06T06:30:10Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:0.1.0
-    createdAt: "2023-11-03T11:44:18Z"
+    createdAt: "2023-12-06T06:30:15Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements
@@ -160,6 +160,13 @@ metadata:
       Loki is a memory intensive application.  The initial
       set of OCP nodes may not be large enough to support the Loki stack.  Additional OCP nodes must be added
       to the OCP cluster if you desire to run with the recommended (or better) memory.
+    features.operators.openshift.io/disconnected: "true"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "true"
+    features.operators.openshift.io/tls-profiles: "true"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
     olm.skipRange: '>=5.7.0-0 <5.9.0'
     operatorframework.io/cluster-monitoring: "true"
     operatorframework.io/suggested-namespace: openshift-operators-redhat

operator/config/manifests/community-openshift/bases/loki-operator.clusterserviceversion.yaml

@@ -10,6 +10,13 @@ metadata:
     createdAt: "2022-12-22T13:28:40+00:00"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
+    features.operators.openshift.io/disconnected: "true"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "true"
+    features.operators.openshift.io/tls-profiles: "true"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
     repository: https://github.com/grafana/loki/tree/main/operator
     support: Grafana Loki SIG Operator
   labels:

operator/config/manifests/openshift/bases/loki-operator.clusterserviceversion.yaml

@@ -16,6 +16,13 @@ metadata:
       Loki is a memory intensive application.  The initial
       set of OCP nodes may not be large enough to support the Loki stack.  Additional OCP nodes must be added
       to the OCP cluster if you desire to run with the recommended (or better) memory.
+    features.operators.openshift.io/disconnected: "true"
+    features.operators.openshift.io/fips-compliant: "false"
+    features.operators.openshift.io/proxy-aware: "true"
+    features.operators.openshift.io/tls-profiles: "true"
+    features.operators.openshift.io/token-auth-aws: "false"
+    features.operators.openshift.io/token-auth-azure: "false"
+    features.operators.openshift.io/token-auth-gcp: "false"
     olm.skipRange: '>=5.7.0-0 <5.9.0'
     operatorframework.io/cluster-monitoring: "true"
     operatorframework.io/suggested-namespace: openshift-operators-redhat

operator/hack/deploy-azure-storage-secret.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+readonly account_name="${1-}"
+readonly container_name="${2-}"
+
+if [[ -z "${account_name}" ]]; then
+    echo "Provide a account name"
+    exit 1
+fi
+
+if [[ -z "${container_name}" ]]; then
+    echo "Provide a container name"
+    exit 1
+fi
+
+readonly namespace="${NAMESPACE:-openshift-logging}"
+
+readonly azure_environment="AzureGlobal"
+
+resource_group=$(az storage account show --name "${account_name}" | jq -r '.resourceGroup')
+readonly resource_group
+
+account_key=$(az storage account keys list --resource-group "${resource_group}" --account-name "${account_name}" | jq -r '.[0].value')
+readonly account_key
+
+kubectl --ignore-not-found=true -n "${namespace}" delete secret test
+kubectl -n "${namespace}" create secret generic test \
+    --from-literal=environment="$(echo -n "${azure_environment}")" \
+    --from-literal=account_name="$(echo -n "${account_name}")" \
+    --from-literal=account_key="$(echo -n "${account_key}")" \
+    --from-literal=container="$(echo -n "${container_name}")"

operator/hack/lokistack_gateway_ocp_azure.yaml

@@ -0,0 +1,25 @@
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: lokistack-dev
+  namespace: openshift-logging
+spec:
+  size: 1x.demo
+  storage:
+    schemas:
+    - version: v13
+      effectiveDate: 2023-10-15
+    secret:
+      name: test
+      type: azure
+  storageClassName: managed-csi
+  tenants:
+    mode: openshift-logging
+  rules:
+    enabled: true
+    selector:
+      matchLabels:
+        openshift.io/cluster-monitoring: "true"
+    namespaceSelector:
+      matchLabels:
+        openshift.io/cluster-monitoring: "true"

tools/lambda-promtail/lambda-promtail/cw.go

@@ -18,6 +18,7 @@ func parseCWEvent(ctx context.Context, b *batch, ev *events.CloudwatchLogsEvent)
 	}
 
 	labels := model.LabelSet{
+		model.LabelName("__aws_log_type"):             model.LabelValue("cloudwatch"),
 		model.LabelName("__aws_cloudwatch_log_group"): model.LabelValue(data.LogGroup),
 		model.LabelName("__aws_cloudwatch_owner"):     model.LabelValue(data.Owner),
 	}

tools/lambda-promtail/lambda-promtail/cw_test.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-lambda-go/events"
+	"github.com/stretchr/testify/require"
+
+	"github.com/grafana/loki/pkg/logproto"
+)
+
+func Test_parseCWEvent(t *testing.T) {
+	tests := []struct {
+		name           string
+		b              *batch
+		expectedStream string
+		keepStream     bool
+	}{
+		{
+			name: "cloudwatch",
+			b: &batch{
+				streams: map[string]*logproto.Stream{},
+			},
+			expectedStream: `{__aws_cloudwatch_log_group="testLogGroup", __aws_cloudwatch_owner="123456789123", __aws_log_type="cloudwatch"}`,
+			keepStream:     false,
+		},
+		{
+			name: "cloudwatch_keepStream",
+			b: &batch{
+				streams: map[string]*logproto.Stream{},
+			},
+			expectedStream: `{__aws_cloudwatch_log_group="testLogGroup", __aws_cloudwatch_log_stream="testLogStream", __aws_cloudwatch_owner="123456789123", __aws_log_type="cloudwatch"}`,
+			keepStream:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		// Docs: https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchlogs.html
+		// Example CloudWatchLogEvent copied from https://github.com/aws/aws-lambda-go/blob/main/events/cloudwatch_logs_test.go
+		cwevent := &events.CloudwatchLogsEvent{
+			AWSLogs: events.CloudwatchLogsRawData{
+				Data: "H4sIAAAAAAAAAHWPwQqCQBCGX0Xm7EFtK+smZBEUgXoLCdMhFtKV3akI8d0bLYmibvPPN3wz00CJxmQnTO41whwWQRIctmEcB6sQbFC3CjW3XW8kxpOpP+OC22d1Wml1qZkQGtoMsScxaczKN3plG8zlaHIta5KqWsozoTYw3/djzwhpLwivWFGHGpAFe7DL68JlBUk+l7KSN7tCOEJ4M3/qOI49vMHj+zCKdlFqLaU2ZHV2a4Ct/an0/ivdX8oYc1UVX860fQDQiMdxRQEAAA==",
+			},
+		}
+
+		t.Run(tt.name, func(t *testing.T) {
+			batchSize = 131072 // Set large enough we don't send to promtail
+			keepStream = tt.keepStream
+			err := parseCWEvent(context.Background(), tt.b, cwevent)
+			if err != nil {
+				t.Error(err)
+			}
+			require.Len(t, tt.b.streams, 1)
+			stream, ok := tt.b.streams[tt.expectedStream]
+			require.True(t, ok, "batch does not contain stream: %s", tt.expectedStream)
+			require.NotNil(t, stream)
+		})
+	}
+}