fix(operator): Add missing groupBy label for all rules on OpenShift

operator/internal/manifests/openshift/alertingrule.go

@@ -5,23 +5,32 @@ import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule) {
 	switch ar.Spec.TenantID {
 	case tenantApplication:
-		for groupIdx, group := range ar.Spec.Groups {
-			group := group
-			for ruleIdx, rule := range group.Rules {
-				rule := rule
-				if rule.Labels == nil {
-					rule.Labels = map[string]string{}
-				}
-				rule.Labels[opaDefaultLabelMatcher] = ar.Namespace
-				group.Rules[ruleIdx] = rule
-			}
-			ar.Spec.Groups[groupIdx] = group
-		}
-	case tenantInfrastructure, tenantAudit:
-		// Do nothing
-	case tenantNetwork:
-		// Do nothing
+		appendAlertingRuleLabels(ar, map[string]string{
+			opaDefaultLabelMatcher:    ar.Namespace,
+			ocpMonitoringGroupByLabel: ar.Namespace,
+		})
+	case tenantInfrastructure, tenantAudit, tenantNetwork:
+		appendAlertingRuleLabels(ar, map[string]string{
+			ocpMonitoringGroupByLabel: ar.Namespace,
+		})
 	default:
 		// Do nothing
 	}
 }
+
+func appendAlertingRuleLabels(ar *lokiv1.AlertingRule, labels map[string]string) {
+	for groupIdx, group := range ar.Spec.Groups {
+		for ruleIdx, rule := range group.Rules {
+			if rule.Labels == nil {
+				rule.Labels = map[string]string{}
+			}
+
+			for name, value := range labels {
+				rule.Labels[name] = value
+			}
+
+			group.Rules[ruleIdx] = rule
+		}
+		ar.Spec.Groups[groupIdx] = group
+	}
+}

operator/internal/manifests/openshift/alertingrule_test.go

@@ -46,7 +46,8 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 								{
 									Alert: "alert",
 									Labels: map[string]string{
-										opaDefaultLabelMatcher: "test-ns",
+										opaDefaultLabelMatcher:    "test-ns",
+										ocpMonitoringGroupByLabel: "test-ns",
 									},
 								},
 							},
@@ -57,6 +58,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -72,6 +76,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -80,6 +87,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -89,6 +99,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -104,6 +117,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -112,6 +128,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -121,6 +140,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -136,6 +158,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -144,6 +169,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.AlertingRuleGroupSpec{
 								{
 									Alert: "alert",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -153,6 +181,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.AlertingRuleGroup{
@@ -168,6 +199,9 @@ func TestAlertingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.AlertingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.AlertingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.AlertingRuleGroup{

operator/internal/manifests/openshift/opa_openshift.go

@@ -13,14 +13,15 @@ import (
 )
 
 const (
-	envRelatedImageOPA      = "RELATED_IMAGE_OPA"
-	defaultOPAImage         = "quay.io/observatorium/opa-openshift:latest"
-	opaContainerName        = "opa"
-	opaDefaultPackage       = "lokistack"
-	opaDefaultAPIGroup      = "loki.grafana.com"
-	opaMetricsPortName      = "opa-metrics"
-	opaDefaultLabelMatcher  = "kubernetes_namespace_name"
-	opaNetworkLabelMatchers = "SrcK8S_Namespace,DstK8S_Namespace"
+	envRelatedImageOPA        = "RELATED_IMAGE_OPA"
+	defaultOPAImage           = "quay.io/observatorium/opa-openshift:latest"
+	opaContainerName          = "opa"
+	opaDefaultPackage         = "lokistack"
+	opaDefaultAPIGroup        = "loki.grafana.com"
+	opaMetricsPortName        = "opa-metrics"
+	opaDefaultLabelMatcher    = "kubernetes_namespace_name"
+	opaNetworkLabelMatchers   = "SrcK8S_Namespace,DstK8S_Namespace"
+	ocpMonitoringGroupByLabel = "namespace"
 )
 
 func newOPAOpenShiftContainer(mode lokiv1.ModeType, secretVolumeName, tlsDir, minTLSVersion, ciphers string, withTLS bool, adminGroups []string) corev1.Container {

operator/internal/manifests/openshift/recordingrule.go

@@ -0,0 +1,36 @@
+package openshift
+
+import lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
+
+func RecordingRuleTenantLabels(r *lokiv1.RecordingRule) {
+	switch r.Spec.TenantID {
+	case tenantApplication:
+		appendRecordingRuleLabels(r, map[string]string{
+			opaDefaultLabelMatcher:    r.Namespace,
+			ocpMonitoringGroupByLabel: r.Namespace,
+		})
+	case tenantInfrastructure, tenantAudit, tenantNetwork:
+		appendRecordingRuleLabels(r, map[string]string{
+			ocpMonitoringGroupByLabel: r.Namespace,
+		})
+	default:
+		// Do nothing
+	}
+}
+
+func appendRecordingRuleLabels(ar *lokiv1.RecordingRule, labels map[string]string) {
+	for groupIdx, group := range ar.Spec.Groups {
+		for ruleIdx, rule := range group.Rules {
+			if rule.Labels == nil {
+				rule.Labels = map[string]string{}
+			}
+
+			for name, value := range labels {
+				rule.Labels[name] = value
+			}
+
+			group.Rules[ruleIdx] = rule
+		}
+		ar.Spec.Groups[groupIdx] = group
+	}
+}

operator/internal/manifests/openshift/recordingrule_test.go

@@ -46,7 +46,8 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 								{
 									Record: "record",
 									Labels: map[string]string{
-										opaDefaultLabelMatcher: "test-ns",
+										opaDefaultLabelMatcher:    "test-ns",
+										ocpMonitoringGroupByLabel: "test-ns",
 									},
 								},
 							},
@@ -57,6 +58,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -72,6 +76,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantInfrastructure,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -80,6 +87,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.RecordingRuleGroupSpec{
 								{
 									Record: "record",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -89,6 +99,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -104,6 +117,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantAudit,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -112,6 +128,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.RecordingRuleGroupSpec{
 								{
 									Record: "record",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -121,6 +140,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -136,6 +158,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: tenantNetwork,
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -144,6 +169,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 							Rules: []*lokiv1.RecordingRuleGroupSpec{
 								{
 									Record: "record",
+									Labels: map[string]string{
+										ocpMonitoringGroupByLabel: "test-ns",
+									},
 								},
 							},
 						},
@@ -153,6 +181,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 		},
 		{
 			rule: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.RecordingRuleGroup{
@@ -168,6 +199,9 @@ func TestRecordingRuleTenantLabels(t *testing.T) {
 				},
 			},
 			want: &lokiv1.RecordingRule{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test-ns",
+				},
 				Spec: lokiv1.RecordingRuleSpec{
 					TenantID: "unknown",
 					Groups: []*lokiv1.RecordingRuleGroup{