operator: Add OpenShift CloudCredentials support for AWS STS #11524

Merged
merged 64 commits into from
Jan 26, 2024


JoaoBraveCoding
Collaborator

@JoaoBraveCoding JoaoBraveCoding commented Dec 19, 2023

What this PR does / why we need it:
The following PR adds auxiliary automation to reconcile the cloud credentials secret for OpenShift cluster installations on AWS using STS as the default method for cloud credentials. In detail, the installation of the Loki Operator requires the cluster administrator to provide an AWS Role ARN that will be used by the operands (i.e. Loki) to request a short-lived token from STS to access S3. The enablement is based on the following OpenShift proposals:

Effectively the underlying implementation utilizes the CredentialsRequest using the Loki Operator AWS Role ARN to request the credentials secret from the OpenShift cloud-credentials-operator. It minimizes user input on object storage access for LokiStack installation to a list of buckets and an AWS region.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
Depends on:

Checklist

  • Reviewed the CONTRIBUTING.md guide (required)
  • Documentation added
  • Tests updated
  • CHANGELOG.md updated
    • If the change is worth mentioning in the release notes, add add-to-release-notes label
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/setup/upgrade/_index.md
  • For Helm chart changes bump the Helm chart version in production/helm/loki/Chart.yaml and update production/helm/loki/CHANGELOG.md and production/helm/loki/README.md. Example PR
  • If the change is deprecating or removing a configuration option, update the deprecated-config.yaml and deleted-config.yaml files respectively in the tools/deprecated-config-checker directory. Example PR
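
As an added example (not part of this PR or the Loki Operator code base): a Go check that a cluster administrator could run over the credentials profile held in the reconciled secret, confirming it relies on a role ARN plus a web identity token file and carries no static access keys. The profile layout, the sample values and the names `CheckSTSProfile` and `parseProfile` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample profile (assumed layout; placeholder account and role).
const sampleSTS = `[default]
role_arn = arn:aws:iam::123456789012:role/example-loki-role
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
`

var roleARN = regexp.MustCompile(`^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$`)

// parseProfile reads key = value pairs, skipping section headers and comments.
func parseProfile(s string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(s, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return kv
}

// CheckSTSProfile returns findings; an empty slice means the profile relies on
// role assumption with a projected token and carries no long-lived keys.
func CheckSTSProfile(s string) []string {
	kv, out := parseProfile(s), []string{}
	for _, k := range []string{"aws_access_key_id", "aws_secret_access_key"} {
		if _, ok := kv[k]; ok {
			out = append(out, "static credential present: "+k)
		}
	}
	if !roleARN.MatchString(kv["role_arn"]) {
		out = append(out, "role_arn missing or malformed")
	}
	if kv["web_identity_token_file"] == "" {
		out = append(out, "web_identity_token_file missing")
	}
	return out
}

func main() { fmt.Println(CheckSTSProfile(sampleSTS)) }
```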

Contributor

github-actions bot commented Dec 19, 2023

Trivy scan found the following vulnerabilities:

  • HIGH, Target: docker.io/grafana/loki:main-e1a8141 (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libcrypto3 v3.1.3-r0. Fixed in v3.1.4-r0
  • HIGH, Target: docker.io/grafana/loki:main-e1a8141 (alpine 3.18.4), Type: alpine openssl: Incorrect cipher key and IV length processing in libssl3 v3.1.3-r0. Fixed in v3.1.4-r0
To see more details on these vulnerabilities, and how/where to fix them, please run

    docker build -t grafana/loki:main-e1a8141 -f cmd/loki/Dockerfile .
    trivy i grafana/loki:main-e1a8141

on your branch. If these were not introduced by your PR, please consider fixing them via a subsequent PR. Thanks!

@JoaoBraveCoding JoaoBraveCoding changed the title from "operator: adds AWS sts support" to "operator: adds CCO support for Openshift AWS STS" Dec 20, 2023
Collaborator Author

@JoaoBraveCoding JoaoBraveCoding left a comment

lgtm (can't approve my own PR 😅)

@periklis periklis enabled auto-merge (squash) January 25, 2024 18:48
auto-merge was automatically disabled January 26, 2024 16:50

Merge queue setting changed

@periklis periklis merged commit fe4ba0c into grafana:main Jan 26, 2024
14 checks passed
Gordejj pushed a commit to Gordejj/loki that referenced this pull request Jan 29, 2024
…#11524)

Co-authored-by: Periklis Tsirakidis <periklis@redhat.com>
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
…#11524)

Co-authored-by: Periklis Tsirakidis <periklis@redhat.com>
@JoaoBraveCoding JoaoBraveCoding deleted the log-4701 branch July 9, 2024 14:31