Merge branch 'main' into main

grafana · Sep 30, 2024 · 9557725 · 9557725
2 parents 766072d + ce7b2e8
commit 9557725
Show file tree

Hide file tree

Showing 69 changed files with 539 additions and 361 deletions.
diff --git a/docs/sources/setup/install/helm/reference.md b/docs/sources/setup/install/helm/reference.md
@@ -3039,6 +3039,7 @@ null
   },
   "provisioner": {
     "additionalTenants": [],
+    "affinity": {},
     "annotations": {},
     "enabled": true,
     "env": [],
@@ -3051,16 +3052,19 @@ null
       "tag": null
     },
     "labels": {},
+    "nodeSelector": {},
     "priorityClassName": null,
     "provisionedSecretPrefix": null,
     "securityContext": {
       "fsGroup": 10001,
       "runAsGroup": 10001,
       "runAsNonRoot": true,
       "runAsUser": 10001
-    }
+    },
+    "tolerations": []
   },
   "tokengen": {
+    "affinity": {},
     "annotations": {},
     "enabled": true,
     "env": [],
@@ -3069,6 +3073,7 @@ null
     "extraVolumeMounts": [],
     "extraVolumes": [],
     "labels": {},
+    "nodeSelector": {},
     "priorityClassName": "",
     "securityContext": {
       "fsGroup": 10001,
@@ -3222,6 +3227,7 @@ null
 			<td><pre lang="json">
 {
   "additionalTenants": [],
+  "affinity": {},
   "annotations": {},
   "enabled": true,
   "env": [],
@@ -3234,14 +3240,16 @@ null
     "tag": null
   },
   "labels": {},
+  "nodeSelector": {},
   "priorityClassName": null,
   "provisionedSecretPrefix": null,
   "securityContext": {
     "fsGroup": 10001,
     "runAsGroup": 10001,
     "runAsNonRoot": true,
     "runAsUser": 10001
-  }
+  },
+  "tolerations": []
 }
 </pre>
 </td>
@@ -3253,6 +3261,15 @@ null
 			<td><pre lang="json">
 []
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.provisioner.affinity</td>
+			<td>object</td>
+			<td>Affinity for tokengen Pods</td>
+			<td><pre lang="json">
+{}
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -3358,6 +3375,15 @@ null
 			<td><pre lang="json">
 {}
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.provisioner.nodeSelector</td>
+			<td>object</td>
+			<td>Node selector for tokengen Pods</td>
+			<td><pre lang="json">
+{}
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -3390,6 +3416,15 @@ null
   "runAsUser": 10001
 }
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.provisioner.tolerations</td>
+			<td>list</td>
+			<td>Tolerations for tokengen Pods</td>
+			<td><pre lang="json">
+[]
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -3398,6 +3433,7 @@ null
 			<td>Configuration for `tokengen` target</td>
 			<td><pre lang="json">
 {
+  "affinity": {},
   "annotations": {},
   "enabled": true,
   "env": [],
@@ -3406,6 +3442,7 @@ null
   "extraVolumeMounts": [],
   "extraVolumes": [],
   "labels": {},
+  "nodeSelector": {},
   "priorityClassName": "",
   "securityContext": {
     "fsGroup": 10001,
@@ -3417,6 +3454,15 @@ null
   "tolerations": []
 }
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.tokengen.affinity</td>
+			<td>object</td>
+			<td>Affinity for tokengen Pods</td>
+			<td><pre lang="json">
+{}
+</pre>
 </td>
 		</tr>
 		<tr>
@@ -3489,6 +3535,15 @@ true
 			<td><pre lang="json">
 {}
 </pre>
+</td>
+		</tr>
+		<tr>
+			<td>enterprise.tokengen.nodeSelector</td>
+			<td>object</td>
+			<td>Node selector for tokengen Pods</td>
+			<td><pre lang="json">
+{}
+</pre>
 </td>
 		</tr>
 		<tr>

diff --git a/operator/internal/manifests/openshift/alertingrule.go b/operator/internal/manifests/openshift/alertingrule.go
@@ -5,23 +5,32 @@ import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) {
 	switch ar.Spec.TenantID {
 	case tenantApplication:
-		for groupIdx, group := range ar.Spec.Groups {
-			group := group
-			for ruleIdx, rule := range group.Rules {
-				rule := rule
-				if rule.Labels == nil {
-					rule.Labels = map[string]string{}
-				}
-				rule.Labels[opaDefaultLabelMatcher] = ar.Namespace
-				group.Rules[ruleIdx] = rule
-			}
-			ar.Spec.Groups[groupIdx] = group
-		}
-	case tenantInfrastructure, tenantAudit:
-		// Do nothing
-	case tenantNetwork:
-		// Do nothing
+		appendAlertingRuleLabels(ar, map[string]string{
+			opaDefaultLabelMatcher:    ar.Namespace,
+			ocpMonitoringGroupByLabel: ar.Namespace,
+		})
+	case tenantInfrastructure, tenantAudit, tenantNetwork:
+		appendAlertingRuleLabels(ar, map[string]string{
+			ocpMonitoringGroupByLabel: ar.Namespace,
+		})
 	default:
 		// Do nothing
 	}
 }
+
+func appendAlertingRuleLabels(ar *lokiv1.AlertingRule, labels map[string]string) {
+	for groupIdx, group := range ar.Spec.Groups {
+		for ruleIdx, rule := range group.Rules {
+			if rule.Labels == nil {
+				rule.Labels = map[string]string{}
+			}
+
+			for name, value := range labels {
+				rule.Labels[name] = value
+			}
+
+			group.Rules[ruleIdx] = rule
+		}
+		ar.Spec.Groups[groupIdx] = group
+	}
+}
diff --git a/operator/internal/manifests/openshift/alertingrule_test.go b/operator/internal/manifests/openshift/alertingrule_test.go
@@ -46,7 +46,8 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 								{
 									Alert: "alert",
 									Labels: map[string]string{
-										opaDefaultLabelMatcher: "test-ns",
+										opaDefaultLabelMatcher:    "test-ns",
+										ocpMonitoringGroupByLabel: "test-ns",
 									},
 								},
 							},
@@ -57,6 +58,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -72,6 +76,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -80,6 +87,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -89,6 +99,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -104,6 +117,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -112,6 +128,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -121,6 +140,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -136,6 +158,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -144,6 +169,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -153,6 +181,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -168,6 +199,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.AlertingRuleGroup{

diff --git a/operator/internal/manifests/openshift/opa_openshift.go b/operator/internal/manifests/openshift/opa_openshift.go
@@ -13,14 +13,15 @@ import (
 )
 
 const (
-	envRelatedImageOPA      = "RELATED_IMAGE_OPA"
-	defaultOPAImage         = "quay.io/observatorium/opa-openshift:latest"
-	opaContainerName        = "opa"
-	opaDefaultPackage       = "lokistack"
-	opaDefaultAPIGroup      = "loki.grafana.com"
-	opaMetricsPortName      = "opa-metrics"
-	opaDefaultLabelMatcher  = "kubernetes_namespace_name"
-	opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace"
+	envRelatedImageOPA        = "RELATED_IMAGE_OPA"
+	defaultOPAImage           = "quay.io/observatorium/opa-openshift:latest"
+	opaContainerName          = "opa"
+	opaDefaultPackage         = "lokistack"
+	opaDefaultAPIGroup        = "loki.grafana.com"
+	opaMetricsPortName        = "opa-metrics"
+	opaDefaultLabelMatcher    = "kubernetes_namespace_name"
+	opaNetworkLabelMatchers   = "SrcK8S_Namespace,DstK8S_Namespace"
+	ocpMonitoringGroupByLabel = "namespace"
 )
 
 func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, minTLSVersion, ciphers string, withTLS bool, adminGroups []string) corev1.Container {

diff --git a/operator/internal/manifests/openshift/recordingrule.go b/operator/internal/manifests/openshift/recordingrule.go
@@ -0,0 +1,36 @@
+package openshift
+
+import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
+
+func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) {
+	switch r.Spec.TenantID {
+	case tenantApplication:
+		appendRecordingRuleLabels(r, map[string]string{
+			opaDefaultLabelMatcher:    r.Namespace,
+			ocpMonitoringGroupByLabel: r.Namespace,
+		})
+	case tenantInfrastructure, tenantAudit, tenantNetwork:
+		appendRecordingRuleLabels(r, map[string]string{
+			ocpMonitoringGroupByLabel: r.Namespace,
+		})
+	default:
+		// Do nothing
+	}
+}
+
+func appendRecordingRuleLabels(r *lokiv1.RecordingRule, labels map[string]string) {
+	for groupIdx, group := range r.Spec.Groups {
+		for ruleIdx, rule := range group.Rules {
+			if rule.Labels == nil {
+				rule.Labels = map[string]string{}
+			}
+
+			for name, value := range labels {
+				rule.Labels[name] = value
+			}
+
+			group.Rules[ruleIdx] = rule
+		}
+		r.Spec.Groups[groupIdx] = group
+	}
+}