[bot] Update tektoncd/operator

upstream/docs/AirGapImageConfiguration.md

@@ -73,6 +73,7 @@ Supports all the images listed above in kubernetes and following are specific to
 | Pipeline-as-code      | pac-webhook                       | `IMAGE_PAC_PAC_WEBHOOK`                             |
 | Pipeline-as-code      | pac-watcher                       | `IMAGE_PAC_PAC_WATCHER`                             |
 | Console Plugin        | console-plugin                    | `IMAGE_PIPELINES_CONSOLE_PLUGIN`                    |
+| Results               | retention-policy-agent            | `IMAGE_RESULTS_RETENTION_POLICY_AGENT`              |
 | Addons                |                                   | `IMAGE_ADDONS_BUILD`                                |
 | Addons                |                                   | `IMAGE_ADDONS_GENERATE`                             |
 | Addons                |                                   | `IMAGE_ADDONS_GEN_ENV_FILE`                         |

upstream/docs/TektonResult.md

@@ -80,7 +80,7 @@ kubectl apply -f pvc.yaml
   kubectl get tektonresults.operator.tekton.dev
   ```
 
-## Properties
+## Spec
 The TektonResult CR is like below:
 ```yaml
 apiVersion: operator.tekton.dev/v1alpha1
@@ -105,6 +105,9 @@ spec:
   gcc_creds_secret_key: <value>
   gcs_bucket_name: <value>
   is_external_db: false
+  loki_stack_name: #optional
+  loki_stack_namespace: #optional
+
 ```
 
 These properties are analogous to the one in configmap of tekton results api `tekton-results-api-config` documented at [api.md]:https://github.com/tektoncd/results/blob/4472848a0fb7c1473cfca8b647553170efac78a1/cmd/api/README.md
@@ -202,3 +205,104 @@ spec:
   is_external_db: true
 ...
 ```
+
+## LokiStack + TektonResult
+
+Tekton Results leverages external Third Party APIs to query data. Storing of data via Tekton Results is inefficient
+and bad for performance. It's better to use forwarders like Vector, Promtail, Fluentd for forwarding TaskRun pod Logs from nodes.
+
+### Kubernetes (GCP) + LokiStack/Loki
+
+#### Loki
+
+You can either use Grafana's [Helm Repo](https://grafana.com/docs/loki/latest/setup/install/helm/) or operator from [OperatorHub](https://operatorhub.io/operator/loki-operator) to install Loki. 
+Installing via operator simplies certain operations for Tekton Operator. You just need to configure `lokistack_name` and `lokistack_namespace`.
+
+In case of helm installation, you will need to configure options field to configure Results API configMap `tekton-results-api-config`:
+```yaml
+LOGS_API
+LOGGING_PLUGIN_PROXY_PATH
+LOGGING_PLUGIN_API_URL
+LOGGING_PLUGIN_TOKEN_PATH
+LOGGING_PLUGIN_NAMESPACE_KEY
+LOGGING_PLUGIN_STATIC_LABELS
+LOGGING_PLUGIN_TLS_VERIFICATION_DISABLE
+LOGGING_PLUGIN_FORWARDER_DELAY_DURATION
+```
+
+- `LOGGING_PLUGIN_PROXY_PATH`: The path to the proxy used for logging. These reverse proxyies like NGinx is used for authentication.
+
+- `LOGGING_PLUGIN_API_URL`: The Base URL for quering Loki.
+
+- `LOGGING_PLUGIN_TOKEN_PATH`: The path to the token used for authentication with the logging service. `/var/run/secrets/kubernetes.io/serviceaccount/token` can be used if results api service account token can be used as Authorization jwt token for quering Loki.
+
+- `LOGGING_PLUGIN_NAMESPACE_KEY`: The key used to identify the namespace in log queries.
+
+- `LOGGING_PLUGIN_STATIC_LABELS`: Any static labels to be added to all log queries. It's necessary to have some fields to filter out tekton logs.
+
+- `LOGGING_PLUGIN_TLS_VERIFICATION_DISABLE`: A boolean flag to disable TLS verification. This should be set to "false" in production environments to ensure secure connections.
+
+These fields allow you to configure how Tekton Results interacts with your Loki backend.
+
+You might need to configure following environment variable to Tekton Results API deployment if you are using some custom CA to generate TLS certificate:
+```yaml
+LOGGING_PLUGIN_CA_CERT
+```
+
+- `LOGGING_PLUGIN_FORWARDER_DELAY_DURATION`: This is the max duration in minutes taken by third party logging system to forward and store the logs after completion of taskrun and pipelinerun. This is used to search between start time of runs and completion plus buffer duration.
+
+#### Forwarder
+
+You need to configure forwarder systems to add labels for namespace, pass TaskRun UID/PipelineRun UID in pods and a common label <key:value> alongwith logs from nodes.
+
+A sample configuration for vector: [values.yaml](https://github.com/tektoncd/results/blob/main/test/e2e/loki_vector/vector.yaml). 
+
+### OpenShift (LokiStack + OpenShift Logging)
+
+
+To configure LokiStack with TektonResult, you can use the `lokistack_name` and `lokistack_namespace` properties in the TektonResult custom resource. Here's how to do it:
+
+
+1. First, ensure that you have LokiStack installed in your cluster.
+
+2. Then, create or update your TektonResult CR with the following properties:
+
+```yaml
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonResult
+metadata:
+  name: result
+spec:
+  targetNamespace: tekton-pipelines
+  // ... other properties ...
+  lokistack_name: your-lokistack-name
+  lokistack_namespace: your-lokistack-namespace
+```
+Replace your-lokistack-name with the name of your LokiStack instance and your-lokistack-namespace with the namespace where LokiStack is installed.
+
+By setting these properties, Operator will configure Tekton Result to use the specified LokiStack instance for log retrieval.
+
+
+#### OpenShift Logging
+
+Install the openshift logging operator by following this: [Deploying Cluster Logging](https://docs.openshift.com/container-platform/4.16/observability/logging/cluster-logging-deploying.html#logging-loki-gui-install_cluster-logging-deploying)
+
+If you are installing OpenShift Logging Operator only for TaskRun Logs, then you also need to configure a ClusterLogForwarder:
+```yaml
+apiVersion: "logging.openshift.io/v1"
+kind: ClusterLogForwarder
+metadata:
+  name: instance
+  namespace: openshift-logging
+spec:
+  inputs:
+  - name: only-tekton
+    application:
+      selector:
+        matchLabels:
+          app.kubernetes.io/managed-by: tekton-pipelines
+  pipelines:
+    - name: enable-default-log-store
+      inputRefs: [ only-tekton ]
+      outputRefs: [ default ]
+```

upstream/operatorhub/openshift/config.yaml

@@ -246,7 +246,13 @@ image-substitutions:
         containerName: openshift-pipelines-operator-lifecycle
         envKeys:
           - IMAGE_RESULTS_API
-
+- image: registry.redhat.io/openshift-pipelines/pipelines-results-retention-policy-agent-rhel8@
+  replaceLocations:
+    envTargets:
+      - deploymentName: openshift-pipelines-operator
+        containerName: openshift-pipelines-operator-lifecycle
+        envKeys:
+          - IMAGE_RESULTS_RETENTION_POLICY_AGENT
 - image: registry.redhat.io/ubi8/openjdk-17@sha256:e8cc2e476282b75d89c73057bfa713db22d72bdb2808d62d981a84c33beb2575
   replaceLocations:
     envTargets:

upstream/operatorhub/openshift/release-artifacts/bundle/manifests/openshift-pipelines-operator-rh.clusterserviceversion.yaml

@@ -895,6 +895,8 @@ spec:
                   value: registry.redhat.io/openshift-pipelines/tekton-results-api-rhel8@
                 - name: IMAGE_RESULTS_TEKTON_RESULTS_WATCHER
                   value: registry.redhat.io/openshift-pipelines/tekton-results-watcher-rhel8@
+                - name: IMAGE_RESULTS_RETENTION_POLICY_AGENT
+                  value: registry.redhat.io/openshift-pipelines/tekton-results-retention-policy-agent-rhel8@
                 - name: IMAGE_HUB_TEKTON_HUB_DB_MIGRATION
                   value: registry.redhat.io/openshift-pipelines/pipelines-hub-db-migration-rhel8@
                 - name: IMAGE_HUB_TEKTON_HUB_API

upstream/pkg/apis/operator/v1alpha1/tektonresult_types.go

@@ -53,26 +53,32 @@ func (tp *TektonResult) GetStatus() TektonComponentStatus {
 type TektonResultSpec struct {
 	CommonSpec           `json:",inline"`
 	ResultsAPIProperties `json:",inline"`
+	LokiStackProperties  `json:",inline"`
+}
+
+type LokiStackProperties struct {
+	LokiStackName      string `json:"loki_stack_name,omitempty"`
+	LokiStackNamespace string `json:"loki_stack_namespace,omitempty"`
 }
 
 // ResultsAPIProperties defines the fields which are configurable for
 // Results API server config
 type ResultsAPIProperties struct {
 	DBHost                string `json:"db_host,omitempty"`
-	DBPort                int64  `json:"db_port,omitempty"`
+	DBPort                *int64 `json:"db_port,omitempty"`
 	DBName                string `json:"db_name,omitempty"`
 	DBSSLMode             string `json:"db_sslmode,omitempty"`
-	DBEnableAutoMigration bool   `json:"db_enable_auto_migration,omitempty"`
-	ServerPort            int64  `json:"server_port,omitempty"`
-	PrometheusPort        int64  `json:"prometheus_port,omitempty"`
+	DBEnableAutoMigration *bool  `json:"db_enable_auto_migration,omitempty"`
+	ServerPort            *int64 `json:"server_port,omitempty"`
+	PrometheusPort        *int64 `json:"prometheus_port,omitempty"`
 	LogLevel              string `json:"log_level,omitempty"`
-	LogsAPI               bool   `json:"logs_api,omitempty"`
+	LogsAPI               *bool  `json:"logs_api,omitempty"`
 	LogsType              string `json:"logs_type,omitempty"`
-	LogsBufferSize        int64  `json:"logs_buffer_size,omitempty"`
+	LogsBufferSize        *int64 `json:"logs_buffer_size,omitempty"`
 	LogsPath              string `json:"logs_path,omitempty"`
 	TLSHostnameOverride   string `json:"tls_hostname_override,omitempty"`
-	AuthDisable           bool   `json:"auth_disable,omitempty"`
-	AuthImpersonate       bool   `json:"auth_impersonate,omitempty"`
+	AuthDisable           *bool  `json:"auth_disable,omitempty"`
+	AuthImpersonate       *bool  `json:"auth_impersonate,omitempty"`
 	LoggingPVCName        string `json:"logging_pvc_name,omitempty"`
 	GcsBucketName         string `json:"gcs_bucket_name,omitempty"`
 	StorageEmulatorHost   string `json:"storage_emulator_host,omitempty"`
@@ -82,6 +88,15 @@ type ResultsAPIProperties struct {
 	GCSCredsSecretName string `json:"gcs_creds_secret_name,omitempty"`
 	GCSCredsSecretKey  string `json:"gcs_creds_secret_key,omitempty"`
 	IsExternalDB       bool   `json:"is_external_db"`
+
+	LoggingPluginTLSVerificationDisable bool   `json:"logging_plugin_tls_verification_disable,omitempty"`
+	LoggingPluginProxyPath              string `json:"logging_plugin_proxy_path,omitempty"`
+	LoggingPluginAPIURL                 string `json:"logging_plugin_api_url,omitempty"`
+	LoggingPluginTokenPath              string `json:"logging_plugin_token_path,omitempty"`
+	LoggingPluginNamespaceKey           string `json:"logging_plugin_namespace_key,omitempty"`
+	LoggingPluginStaticLabels           string `json:"logging_plugin_static_labels,omitempty"`
+	LoggingPluginCACert                 string `json:"logging_plugin_ca_cert,omitempty"`
+	LoggingPluginForwarderDelayDuration *uint  `json:"logging_plugin_forwarder_delay_duration,omitempty"`
 	// Options holds additions fields and these fields will be updated on the manifests
 	Options AdditionalOptions `json:"options"`
 }

upstream/pkg/apis/operator/v1alpha1/tektonresult_validation.go

@@ -19,10 +19,15 @@ package v1alpha1
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"knative.dev/pkg/apis"
 )
 
+const (
+	LogsTypeLoki = "loki"
+)
+
 func (tp *TektonResult) Validate(ctx context.Context) (errs *apis.FieldError) {
 
 	if apis.IsInDelete(ctx) {
@@ -33,6 +38,20 @@ func (tp *TektonResult) Validate(ctx context.Context) (errs *apis.FieldError) {
 		errMsg := fmt.Sprintf("metadata.name, Only one instance of TektonResult is allowed by name, %s", ResultResourceName)
 		return errs.Also(apis.ErrInvalidValue(tp.GetName(), errMsg))
 	}
+	errs = errs.Also(tp.Spec.validate("spec"))
+	return errs
+}
 
-	return nil
+func (trs *TektonResultSpec) validate(path string) (errs *apis.FieldError) {
+	if trs.LokiStackName != "" {
+		if strings.ToLower(trs.LogsType) != LogsTypeLoki && trs.LogsType != "" {
+			errMsg := fmt.Sprintf("Loki stack is only supported when logs_type is loki or empty, got logs_type: %s", trs.LogsType)
+			errs = errs.Also(apis.ErrInvalidValue(trs.LogsType, fmt.Sprintf("%s.logs_type", path), errMsg))
+		}
+		if trs.LokiStackNamespace == "" {
+			errMsg := "Loki stack namespace is required when loki_stack_name is provided"
+			errs = errs.Also(apis.ErrInvalidValue(trs.LokiStackNamespace, fmt.Sprintf("%s.loki_stack_namespace", path), errMsg))
+		}
+	}
+	return errs
 }

upstream/pkg/reconciler/kubernetes/tektonresult/tektonresult.go

@@ -18,6 +18,7 @@ package tektonresult
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -98,6 +99,7 @@ func (r *Reconciler) FinalizeKind(ctx context.Context, original *v1alpha1.Tekton
 	if err := r.extension.Finalize(ctx, original); err != nil {
 		logger.Error("Failed to finalize platform resources", err)
 	}
+
 	return nil
 }
 
@@ -140,7 +142,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 	if tp.GetSpec().GetTargetNamespace() != tr.GetSpec().GetTargetNamespace() {
 		errMsg := fmt.Sprintf("tekton-pipelines is missing in %s namespace", tr.GetSpec().GetTargetNamespace())
 		tr.Status.MarkDependencyMissing(errMsg)
-		return fmt.Errorf(errMsg)
+		return errors.New(errMsg)
 	}
 
 	// check if the secrets are created
@@ -299,7 +301,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 
 	// Mark PostReconcile Complete
 	tr.Status.MarkPostReconcilerComplete()
-
+	r.updateTektonResultsStatus(ctx, tr, installedTIS)
 	return nil
 }
 

upstream/pkg/reconciler/kubernetes/tektonresult/testdata/api-config.yaml

@@ -13,6 +13,13 @@ data:
     AUTH_DISABLE=false
     AUTH_IMPERSONATE=false
     LOG_LEVEL=debug
+    LOGGING_PLUGIN_API_URL=https:8080
+    LOGGING_PLUGIN_FORWARDER_DELAY_DURATION=007
+    LOGGING_PLUGIN_NAMESPACE_KEY=test
+    LOGGING_PLUGIN_PROXY_PATH=/log
+    LOGGING_PLUGIN_STATIC_LABELS=log_type=bar
+    LOGGING_PLUGIN_TLS_VERIFICATION_DISABLE=true
+    LOGGING_PLUGIN_TOKEN_PATH=/token
     LOGS_API=true
     LOGS_TYPE=File
     LOGS_BUFFER_SIZE=32768