
Commit 62a72f6

feat(operator): Add support for Swift TLS CA configuration (#15260)
Co-authored-by: Bayan Taani <86984560+btaani@users.noreply.github.com>
1 parent 42f87d3 commit 62a72f6

2 files changed

+245
-23
lines changed

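--- a/operator/internal/manifests/storage/configure.go
+++ b/operator/internal/manifests/storage/configure.go
@@ -29,17 +29,23 @@ var (
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 switch opts.SharedStore {
-case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
+case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
 return configureDeployment(d, opts)
 case lokiv1.ObjectStorageSecretS3:
 err := configureDeployment(d, opts)
 if err != nil {
 return err
 }
-return configureDeploymentCA(d, opts.TLS)
+return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
+case lokiv1.ObjectStorageSecretSwift:
+err := configureDeployment(d, opts)
+if err != nil {
+return err
+}
+return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
 default:
 return nil
 }
@@ -49,16 +55,21 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error {
 switch opts.SharedStore {
-case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
+case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
 return configureStatefulSet(d, opts)
 case lokiv1.ObjectStorageSecretS3:
 if err := configureStatefulSet(d, opts); err != nil {
 return err
 }
-return configureStatefulSetCA(d, opts.TLS)
+return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
+case lokiv1.ObjectStorageSecretSwift:
+if err := configureStatefulSet(d, opts); err != nil {
+return err
+}
+return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
 default:
 return nil
 }
@@ -75,16 +86,22 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error {
 return nil
 }
 
-// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec.
-func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error {
+// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec.
+func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
 if tls == nil {
 return nil
 }
 
-p := ensureCAForS3(&d.Spec.Template.Spec, tls)
+var p corev1.PodSpec
+switch secretType {
+case lokiv1.ObjectStorageSecretS3:
+p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
+case lokiv1.ObjectStorageSecretSwift:
+p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
+}
 
 if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
+return kverrors.Wrap(err, "failed to merge object storage ca options ")
 }
 
 return nil
@@ -101,16 +118,22 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error {
 return nil
 }
 
-// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec.
-func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
+// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec.
+func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
 if tls == nil {
 return nil
 }
+var p corev1.PodSpec
 
-p := ensureCAForS3(&s.Spec.Template.Spec, tls)
+switch secretType {
+case lokiv1.ObjectStorageSecretS3:
+p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
+case lokiv1.ObjectStorageSecretSwift:
+p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
+}
 
 if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
+return kverrors.Wrap(err, "failed to merge object storage ca options ")
 }
 
 return nil
@@ -254,7 +277,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar {
 }
 }
 
-func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
+func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec {
 container := p.Containers[0].DeepCopy()
 volumes := p.Volumes
 
@@ -275,9 +298,16 @@ func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
 MountPath: caDirectory,
 })
 
-container.Args = append(container.Args,
-fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
-)
+switch secretType {
+case lokiv1.ObjectStorageSecretS3:
+container.Args = append(container.Args,
+fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
+)
+case lokiv1.ObjectStorageSecretSwift:
+container.Args = append(container.Args,
+fmt.Sprintf("-swift.http.tls-ca-path=%s", path.Join(caDirectory, tls.Key)),
+)
+}
 
 return corev1.PodSpec{
 Containers: []corev1.Container{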
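Review bot: Both `configureDeploymentCA` and `configureStatefulSetCA` switch on `secretType` with no `default`, so any other value leaves `p` as an empty `corev1.PodSpec` that is then merged without complaint — a wrong type yields no CA mount and no error, and a silently dropped trust anchor is exactly the kind of TLS misconfiguration that should fail loudly. The two arms are also identical apart from the constant they forward, and `ensureCAForObjectStorage` already takes the type, so the switch can become a validation step followed by one call, as sketched below for the deployment variant (mirror it in the statefulset one). `ensureCAForObjectStorage` has the same gap in its own switch: an unknown type still mounts the volume but appends no CA flag, so validating upstream (or adding a `default` there) is what closes it. Minor style: the doc comments still name `ConfigureDeploymentCA`/`ConfigureStatefulSetCA` although the functions are unexported, and both wrap messages keep a trailing space in `"failed to merge object storage ca options "`. The bodies of these functions end outside their hunks.
```go
func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
	if tls == nil {
		return nil
	}

	// Reject types with no CA wiring instead of merging an empty spec.
	switch secretType {
	case lokiv1.ObjectStorageSecretS3, lokiv1.ObjectStorageSecretSwift:
	default:
		return fmt.Errorf("object storage type %q has no CA configuration support", secretType)
	}
	p := ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, secretType)
	// … unchanged: mergo.Merge and return …
```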

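--- a/operator/internal/manifests/storage/configure_test.go
+++ b/operator/internal/manifests/storage/configure_test.go
@@ -2600,6 +2600,102 @@ func TestConfigureDeploymentForStorageCA(t *testing.T) {
 },
 },
 },
+{
+desc: "object storage Swift",
+opts: Options{
+SecretName: "test",
+SharedStore: lokiv1.ObjectStorageSecretSwift,
+TLS: &TLSConfig{
+CA: "test",
+Key: "service-ca.crt",
+},
+},
+dpl: &appsv1.Deployment{
+Spec: appsv1.DeploymentSpec{
+Template: corev1.PodTemplateSpec{
+Spec: corev1.PodSpec{
+Containers: []corev1.Container{
+{
+Name: "loki-querier",
+},
+},
+},
+},
+},
+},
+want: &appsv1.Deployment{
+Spec: appsv1.DeploymentSpec{
+Template: corev1.PodTemplateSpec{
+Spec: corev1.PodSpec{
+Containers: []corev1.Container{
+{
+Name: "loki-querier",
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "test",
+ReadOnly: false,
+MountPath: "/etc/storage/secrets",
+},
+{
+Name: "storage-tls",
+ReadOnly: false,
+MountPath: "/etc/storage/ca",
+},
+},
+Args: []string{
+"-swift.http.tls-ca-path=/etc/storage/ca/service-ca.crt",
+},
+Env: []corev1.EnvVar{
+{
+Name: EnvSwiftUsername,
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+Key: KeySwiftUsername,
+},
+},
+},
+{
+Name: EnvSwiftPassword,
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+Key: KeySwiftPassword,
+},
+},
+},
+},
+},
+},
+Volumes: []corev1.Volume{
+{
+Name: "test",
+VolumeSource: corev1.VolumeSource{
+Secret: &corev1.SecretVolumeSource{
+SecretName: "test",
+},
+},
+},
+{
+Name: "storage-tls",
+VolumeSource: corev1.VolumeSource{
+ConfigMap: &corev1.ConfigMapVolumeSource{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
 }
 
 for _, tc := range tc {
@@ -2625,7 +2721,7 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 desc: "object storage other than S3",
 opts: Options{
 SecretName: "test",
-SharedStore: lokiv1.ObjectStorageSecretSwift,
+SharedStore: lokiv1.ObjectStorageSecretAzure,
 TLS: &TLSConfig{
 CA: "test",
 },
@@ -2659,24 +2755,24 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 },
 Env: []corev1.EnvVar{
 {
-Name: EnvSwiftUsername,
+Name: EnvAzureStorageAccountName,
 ValueFrom: &corev1.EnvVarSource{
 SecretKeyRef: &corev1.SecretKeySelector{
 LocalObjectReference: corev1.LocalObjectReference{
 Name: "test",
 },
-Key: KeySwiftUsername,
+Key: KeyAzureStorageAccountName,
 },
 },
 },
 {
-Name: EnvSwiftPassword,
+Name: EnvAzureStorageAccountKey,
 ValueFrom: &corev1.EnvVarSource{
 SecretKeyRef: &corev1.SecretKeySelector{
 LocalObjectReference: corev1.LocalObjectReference{
 Name: "test",
 },
-Key: KeySwiftPassword,
+Key: KeyAzureStorageAccountKey,
 },
 },
 },
@@ -2794,6 +2890,102 @@ func TestConfigureStatefulSetForStorageCA(t *testing.T) {
 },
 },
 },
+{
+desc: "object storage Swift",
+opts: Options{
+SecretName: "test",
+SharedStore: lokiv1.ObjectStorageSecretSwift,
+TLS: &TLSConfig{
+CA: "test",
+Key: "service-ca.crt",
+},
+},
+sts: &appsv1.StatefulSet{
+Spec: appsv1.StatefulSetSpec{
+Template: corev1.PodTemplateSpec{
+Spec: corev1.PodSpec{
+Containers: []corev1.Container{
+{
+Name: "loki-ingester",
+},
+},
+},
+},
+},
+},
+want: &appsv1.StatefulSet{
+Spec: appsv1.StatefulSetSpec{
+Template: corev1.PodTemplateSpec{
+Spec: corev1.PodSpec{
+Containers: []corev1.Container{
+{
+Name: "loki-ingester",
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "test",
+ReadOnly: false,
+MountPath: "/etc/storage/secrets",
+},
+{
+Name: "storage-tls",
+ReadOnly: false,
+MountPath: "/etc/storage/ca",
+},
+},
+Args: []string{
+"-swift.http.tls-ca-path=/etc/storage/ca/service-ca.crt",
+},
+Env: []corev1.EnvVar{
+{
+Name: EnvSwiftUsername,
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+Key: KeySwiftUsername,
+},
+},
+},
+{
+Name: EnvSwiftPassword,
+ValueFrom: &corev1.EnvVarSource{
+SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+Key: KeySwiftPassword,
+},
+},
+},
+},
+},
+},
+Volumes: []corev1.Volume{
+{
+Name: "test",
+VolumeSource: corev1.VolumeSource{
+Secret: &corev1.SecretVolumeSource{
+SecretName: "test",
+},
+},
+},
+{
+Name: "storage-tls",
+VolumeSource: corev1.VolumeSource{
+ConfigMap: &corev1.ConfigMapVolumeSource{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "test",
+},
+},
+},
+},
+},
+},
+},
+},
+},
+},
 }
 
 for _, tc := range tc {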
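Review bot: The case at the top of the `@@ -2625,7 +2721,7 @@` hunk keeps `desc: "object storage other than S3"` while its store is switched to Azure; now that Swift also gets a CA, that label no longer says what the case actually checks, so `desc: "object storage without CA support",` would read correctly. The new Swift cases only cover the happy path in which a CA flag is emitted; a case where `TLS` is set for a store that has no CA wiring, asserting that no `storage-tls` volume and no `-*.ca-*` argument appear, would pin the fallback behaviour the production switch relies on. The table these hunks belong to starts outside the hunks.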
