diff --git a/operator/internal/manifests/openshift/alertingrule.go b/operator/internal/manifests/openshift/alertingrule.go index 22923ed15482..e4869e9f7ca5 100644 --- a/operator/internal/manifests/openshift/alertingrule.go +++ b/operator/internal/manifests/openshift/alertingrule.go @@ -5,23 +5,32 @@ import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1" func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) { switch ar.Spec.TenantID { case tenantApplication: - for groupIdx, group := range ar.Spec.Groups { - group := group - for ruleIdx, rule := range group.Rules { - rule := rule - if rule.Labels == nil { - rule.Labels = map[string]string{} - } - rule.Labels[opaDefaultLabelMatcher] = ar.Namespace - group.Rules[ruleIdx] = rule - } - ar.Spec.Groups[groupIdx] = group - } - case tenantInfrastructure, tenantAudit: - // Do nothing - case tenantNetwork: - // Do nothing + appendAlertingRuleLabels(ar, map[string]string{ + opaDefaultLabelMatcher: ar.Namespace, + ocpMonitoringGroupByLabel: ar.Namespace, + }) + case tenantInfrastructure, tenantAudit, tenantNetwork: + appendAlertingRuleLabels(ar, map[string]string{ + ocpMonitoringGroupByLabel: ar.Namespace, + }) default: // Do nothing } } + +func appendAlertingRuleLabels(ar *lokiv1.AlertingRule, labels map[string]string) { + for groupIdx, group := range ar.Spec.Groups { + for ruleIdx, rule := range group.Rules { + if rule.Labels == nil { + rule.Labels = map[string]string{} + } + + for name, value := range labels { + rule.Labels[name] = value + } + + group.Rules[ruleIdx] = rule + } + ar.Spec.Groups[groupIdx] = group + } +} diff --git a/operator/internal/manifests/openshift/alertingrule_test.go b/operator/internal/manifests/openshift/alertingrule_test.go index 91da560e2a6d..2a1d032e8ed4 100644 --- a/operator/internal/manifests/openshift/alertingrule_test.go +++ b/operator/internal/manifests/openshift/alertingrule_test.go @@ -46,7 +46,8 @@ func TestAlertingRuleTenantLabels(t *testing.T) { { Alert: "alert", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatcher: "test-ns", + ocpMonitoringGroupByLabel: "test-ns", }, }, }, @@ -57,6 +58,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantInfrastructure, Groups: []*lokiv1.AlertingRuleGroup{ @@ -72,6 +76,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantInfrastructure, Groups: []*lokiv1.AlertingRuleGroup{ @@ -80,6 +87,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.AlertingRuleGroupSpec{ { Alert: "alert", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -89,6 +99,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantAudit, Groups: []*lokiv1.AlertingRuleGroup{ @@ -104,6 +117,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantAudit, Groups: []*lokiv1.AlertingRuleGroup{ @@ -112,6 +128,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.AlertingRuleGroupSpec{ { Alert: "alert", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -121,6 +140,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantNetwork, Groups: []*lokiv1.AlertingRuleGroup{ @@ -136,6 +158,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: tenantNetwork, Groups: []*lokiv1.AlertingRuleGroup{ @@ -144,6 +169,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.AlertingRuleGroupSpec{ { Alert: "alert", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -153,6 +181,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: "unknown", Groups: []*lokiv1.AlertingRuleGroup{ @@ -168,6 +199,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.AlertingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.AlertingRuleSpec{ TenantID: "unknown", Groups: []*lokiv1.AlertingRuleGroup{ diff --git a/operator/internal/manifests/openshift/opa_openshift.go b/operator/internal/manifests/openshift/opa_openshift.go index 9175983f89e1..ccf5eac09b7a 100644 --- a/operator/internal/manifests/openshift/opa_openshift.go +++ b/operator/internal/manifests/openshift/opa_openshift.go @@ -13,14 +13,15 @@ import ( ) const ( - envRelatedImageOPA = "RELATED_IMAGE_OPA" - defaultOPAImage = "quay.io/observatorium/opa-openshift:latest" - opaContainerName = "opa" - opaDefaultPackage = "lokistack" - opaDefaultAPIGroup = "loki.grafana.com" - opaMetricsPortName = "opa-metrics" - opaDefaultLabelMatcher = "kubernetes_namespace_name" - opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace" + envRelatedImageOPA = "RELATED_IMAGE_OPA" + defaultOPAImage = "quay.io/observatorium/opa-openshift:latest" + opaContainerName = "opa" + opaDefaultPackage = "lokistack" + opaDefaultAPIGroup = "loki.grafana.com" + opaMetricsPortName = "opa-metrics" + opaDefaultLabelMatcher = "kubernetes_namespace_name" + opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace" + ocpMonitoringGroupByLabel = "namespace" ) func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, minTLSVersion, ciphers string, withTLS bool, adminGroups []string) corev1.Container { diff --git a/operator/internal/manifests/openshift/recordingrule.go b/operator/internal/manifests/openshift/recordingrule.go new file mode 100644 index 000000000000..97be1bb4a17e --- /dev/null +++ b/operator/internal/manifests/openshift/recordingrule.go @@ -0,0 +1,36 @@ +package openshift + +import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1" + +func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) { + switch r.Spec.TenantID { + case tenantApplication: + appendRecordingRuleLabels(r, map[string]string{ + opaDefaultLabelMatcher: r.Namespace, + ocpMonitoringGroupByLabel: r.Namespace, + }) + case tenantInfrastructure, tenantAudit, tenantNetwork: + appendRecordingRuleLabels(r, map[string]string{ + ocpMonitoringGroupByLabel: r.Namespace, + }) + default: + // Do nothing + } +} + +func appendRecordingRuleLabels(r *lokiv1.RecordingRule, labels map[string]string) { + for groupIdx, group := range r.Spec.Groups { + for ruleIdx, rule := range group.Rules { + if rule.Labels == nil { + rule.Labels = map[string]string{} + } + + for name, value := range labels { + rule.Labels[name] = value + } + + group.Rules[ruleIdx] = rule + } + r.Spec.Groups[groupIdx] = group + } +} diff --git a/operator/internal/manifests/openshift/recordingrule_test.go b/operator/internal/manifests/openshift/recordingrule_test.go index 49e30de999f3..6a620bc85d8d 100644 --- a/operator/internal/manifests/openshift/recordingrule_test.go +++ b/operator/internal/manifests/openshift/recordingrule_test.go @@ -46,7 +46,8 @@ func TestRecordingRuleTenantLabels(t *testing.T) { { Record: "record", Labels: map[string]string{ - opaDefaultLabelMatcher: "test-ns", + opaDefaultLabelMatcher: "test-ns", + ocpMonitoringGroupByLabel: "test-ns", }, }, }, @@ -57,6 +58,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantInfrastructure, Groups: []*lokiv1.RecordingRuleGroup{ @@ -72,6 +76,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantInfrastructure, Groups: []*lokiv1.RecordingRuleGroup{ @@ -80,6 +87,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.RecordingRuleGroupSpec{ { Record: "record", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -89,6 +99,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantAudit, Groups: []*lokiv1.RecordingRuleGroup{ @@ -104,6 +117,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantAudit, Groups: []*lokiv1.RecordingRuleGroup{ @@ -112,6 +128,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.RecordingRuleGroupSpec{ { Record: "record", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -121,6 +140,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantNetwork, Groups: []*lokiv1.RecordingRuleGroup{ @@ -136,6 +158,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: tenantNetwork, Groups: []*lokiv1.RecordingRuleGroup{ @@ -144,6 +169,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { Rules: []*lokiv1.RecordingRuleGroupSpec{ { Record: "record", + Labels: map[string]string{ + ocpMonitoringGroupByLabel: "test-ns", + }, }, }, }, @@ -153,6 +181,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, { rule: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: "unknown", Groups: []*lokiv1.RecordingRuleGroup{ @@ -168,6 +199,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) { }, }, want: &lokiv1.RecordingRule{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-ns", + }, Spec: lokiv1.RecordingRuleSpec{ TenantID: "unknown", Groups: []*lokiv1.RecordingRuleGroup{ diff --git a/operator/internal/manifests/openshift/recordngrule.go b/operator/internal/manifests/openshift/recordngrule.go deleted file mode 100644 index e4448affeae9..000000000000 --- a/operator/internal/manifests/openshift/recordngrule.go +++ /dev/null @@ -1,27 +0,0 @@ -package openshift - -import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1" - -func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) { - switch r.Spec.TenantID { - case tenantApplication: - for groupIdx, group := range r.Spec.Groups { - group := group - for ruleIdx, rule := range group.Rules { - rule := rule - if rule.Labels == nil { - rule.Labels = map[string]string{} - } - rule.Labels[opaDefaultLabelMatcher] = r.Namespace - group.Rules[ruleIdx] = rule - } - r.Spec.Groups[groupIdx] = group - } - case tenantInfrastructure, tenantAudit: - // Do nothing - case tenantNetwork: - // Do nothing - default: - // Do nothing - } -}