[release-5.7] Backport PR grafana/loki#9346

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [9346](https://github.com/grafana/loki/pull/9346) **periklis**: Enable Route by default on OpenShift clusters
 - [9036](https://github.com/grafana/loki/pull/9036) **periklis**: Update Loki operand to v2.8.0
 - [8978](https://github.com/grafana/loki/pull/8978) **aminesnow**: Add watch for the object storage secret
 - [8958](https://github.com/grafana/loki/pull/8958) **periklis**: Align common instance addr with memberlist advertise addr

operator/apis/config/v1/projectconfig_types.go

@@ -28,17 +28,15 @@ type BuiltInCertManagement struct {
 
 // OpenShiftFeatureGates is the supported set of all operator features gates on OpenShift.
 type OpenShiftFeatureGates struct {
+	// Enabled defines the flag to enable that these feature gates are used against OpenShift Container Platform releases.
+	Enabled bool `json:"enabled,omitempty"`
+
 	// ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only
 	// to use the in-platform CA and generate a TLS cert/key pair per service for
 	// in-cluster data-in-transit encryption.
 	// More details: https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html
 	ServingCertsService bool `json:"servingCertsService,omitempty"`
 
-	// GatewayRoute enables creating an OpenShift Route for the LokiStack
-	// gateway to expose the service to public internet access.
-	// More details: https://docs.openshift.com/container-platform/latest/networking/understanding-networking.html
-	GatewayRoute bool `json:"gatewayRoute,omitempty"`
-
 	// ExtendedRuleValidation enables extended validation of AlertingRule and RecordingRule
 	// to enforce tenancy in an OpenShift context.
 	ExtendedRuleValidation bool `json:"ruleExtendedValidation,omitempty"`

operator/bundle/community-openshift/manifests/loki-operator-manager-config_v1_configmap.yaml

@@ -51,8 +51,8 @@ data:
       # OpenShift feature gates
       #
       openshift:
+        enabled: true
         servingCertsService: true
-        gatewayRoute: true
         ruleExtendedValidation: true
         clusterTLSPolicy: true
         clusterProxy: true

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:main-99acb9b
-    createdAt: "2023-05-04T16:51:30Z"
+    createdAt: "2023-05-23T07:47:18Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1206,7 +1206,6 @@ spec:
 
     In addition it enables the following OpenShift-only related feature gates:
     * `servingCertsService`: Enables OpenShift ServiceCA annotations on the lokistack-gateway service only.
-    * `gatewayRoute`: Enables creating an OpenShift Route for the LokiStack.
     * `ruleExtendedValidation`: Enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context.
     * `clusterTLSPolicy`: Enables usage of TLS policies set in the API Server.
     * `clusterProxy`: Enables usage of the proxy variables set in the proxy resource.

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:main-99acb9b
-    createdAt: "2023-05-04T16:51:25Z"
+    createdAt: "2023-05-23T07:47:15Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown

operator/bundle/openshift/manifests/loki-operator-manager-config_v1_configmap.yaml

@@ -54,8 +54,8 @@ data:
       # OpenShift feature gates
       #
       openshift:
+        enabled: true
         servingCertsService: true
-        gatewayRoute: true
         ruleExtendedValidation: true
         clusterTLSPolicy: true
         clusterProxy: true

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:v0.1.0
-    createdAt: "2023-05-04T16:51:35Z"
+    createdAt: "2023-05-23T07:47:20Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements

operator/config/manifests/community-openshift/bases/loki-operator.clusterserviceversion.yaml

@@ -2023,7 +2023,6 @@ spec:
 
     In addition it enables the following OpenShift-only related feature gates:
     * `servingCertsService`: Enables OpenShift ServiceCA annotations on the lokistack-gateway service only.
-    * `gatewayRoute`: Enables creating an OpenShift Route for the LokiStack.
     * `ruleExtendedValidation`: Enables extended validation of AlertingRule and RecordingRule to enforce tenancy in an OpenShift context.
     * `clusterTLSPolicy`: Enables usage of TLS policies set in the API Server.
     * `clusterProxy`: Enables usage of the proxy variables set in the proxy resource.

operator/config/overlays/community-openshift/controller_manager_config.yaml

@@ -48,8 +48,8 @@ featureGates:
   # OpenShift feature gates
   #
   openshift:
+    enabled: true
     servingCertsService: true
-    gatewayRoute: true
     ruleExtendedValidation: true
     clusterTLSPolicy: true
     clusterProxy: true

operator/config/overlays/openshift/controller_manager_config.yaml

@@ -51,8 +51,8 @@ featureGates:
   # OpenShift feature gates
   #
   openshift:
+    enabled: true
     servingCertsService: true
-    gatewayRoute: true
     ruleExtendedValidation: true
     clusterTLSPolicy: true
     clusterProxy: true

operator/controllers/loki/lokistack_controller.go

@@ -217,7 +217,7 @@ func (r *LokiStackReconciler) buildController(bld k8s.Builder) error {
 		bld = bld.Owns(&monitoringv1.PrometheusRule{}, updateOrDeleteOnlyPred)
 	}
 
-	if r.FeatureGates.OpenShift.GatewayRoute {
+	if r.FeatureGates.OpenShift.Enabled {
 		bld = bld.Owns(&routev1.Route{}, updateOrDeleteOnlyPred)
 	} else {
 		bld = bld.Owns(&networkingv1.Ingress{}, updateOrDeleteOnlyPred)

operator/controllers/loki/lokistack_controller_test.go

@@ -152,7 +152,7 @@ func TestLokiStackController_RegisterOwnedResourcesForUpdateOrDeleteOnly(t *test
 			ownCallsCount: 11,
 			featureGates: configv1.FeatureGates{
 				OpenShift: configv1.OpenShiftFeatureGates{
-					GatewayRoute: false,
+					Enabled: false,
 				},
 			},
 			pred: updateOrDeleteOnlyPred,
@@ -163,7 +163,7 @@ func TestLokiStackController_RegisterOwnedResourcesForUpdateOrDeleteOnly(t *test
 			ownCallsCount: 11,
 			featureGates: configv1.FeatureGates{
 				OpenShift: configv1.OpenShiftFeatureGates{
-					GatewayRoute: true,
+					Enabled: true,
 				},
 			},
 			pred: updateOrDeleteOnlyPred,

operator/docs/operator/api.md

@@ -1604,10 +1604,12 @@ are degraded or the cluster cannot connect to object storage.</p>
 </thead>
 <tbody><tr><td><p>&#34;1x.extra-small&#34;</p></td>
 <td><p>SizeOneXExtraSmall defines the size of a single Loki deployment
-with extra small resources/limits requirements and without HA support.
-This size is ultimately dedicated for development and demo purposes.
-DO NOT USE THIS IN PRODUCTION!</p>
-<p>FIXME: Add clear description of ingestion/query performance expectations.</p>
+with minimal resource requirements and without HA support.</p>
+<p>This is ONLY for development, testing, or demos on limited single-node clusters.
+There are NO performance guarantees.
+LokiStack will use whatever resources are available,
+and WILL NOT FUNCTION CORRECTLY if there is not enough memory or CPU.</p>
+<p>DO NOT USE THIS IN PRODUCTION!</p>
 </td>
 </tr><tr><td><p>&#34;1x.medium&#34;</p></td>
 <td><p>SizeOneXMedium defines the size of a single Loki deployment

operator/docs/operator/feature-gates.md

@@ -342,29 +342,27 @@ when using HTTPEncryption or GRPCEncryption.</p>
 <tbody>
 <tr>
 <td>
-<code>servingCertsService</code><br/>
+<code>enabled</code><br/>
 <em>
 bool
 </em>
 </td>
 <td>
-<p>ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only
-to use the in-platform CA and generate a TLS cert/key pair per service for
-in-cluster data-in-transit encryption.
-More details: <a href="https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html">https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html</a></p>
+<p>Enabled defines the flag to enable that these feature gates are used against OpenShift Container Platform releases.</p>
 </td>
 </tr>
 <tr>
 <td>
-<code>gatewayRoute</code><br/>
+<code>servingCertsService</code><br/>
 <em>
 bool
 </em>
 </td>
 <td>
-<p>GatewayRoute enables creating an OpenShift Route for the LokiStack
-gateway to expose the service to public internet access.
-More details: <a href="https://docs.openshift.com/container-platform/latest/networking/understanding-networking.html">https://docs.openshift.com/container-platform/latest/networking/understanding-networking.html</a></p>
+<p>ServingCertsService enables OpenShift service-ca annotations on the lokistack-gateway service only
+to use the in-platform CA and generate a TLS cert/key pair per service for
+in-cluster data-in-transit encryption.
+More details: <a href="https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html">https://docs.openshift.com/container-platform/latest/security/certificate_types_descriptions/service-ca-certificates.html</a></p>
 </td>
 </tr>
 <tr>

operator/internal/manifests/gateway_tenants.go

@@ -25,10 +25,23 @@ func ApplyGatewayDefaultOptions(opts *Options) error {
 		return nil
 	}
 
+	if !opts.Gates.OpenShift.Enabled {
+		return nil
+	}
+
+	o := openshift.NewOptions(
+		opts.Name,
+		opts.Namespace,
+		GatewayName(opts.Name),
+		serviceNameGatewayHTTP(opts.Name),
+		gatewayHTTPPortName,
+		ComponentLabels(LabelGatewayComponent, opts.Name),
+		RulerName(opts.Name),
+	)
+
 	switch opts.Stack.Tenants.Mode {
 	case lokiv1.Static, lokiv1.Dynamic:
-		return nil // continue using user input
-
+		// Do nothing as per tenants provided by LokiStack CR
 	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork:
 		tenantData := make(map[string]openshift.TenantData)
 		for name, tenant := range opts.Tenants.Configs {
@@ -37,23 +50,11 @@ func ApplyGatewayDefaultOptions(opts *Options) error {
 			}
 		}
 
-		defaults := openshift.NewOptions(
-			opts.Stack.Tenants.Mode,
-			opts.Name,
-			opts.Namespace,
-			GatewayName(opts.Name),
-			opts.GatewayBaseDomain,
-			serviceNameGatewayHTTP(opts.Name),
-			gatewayHTTPPortName,
-			ComponentLabels(LabelGatewayComponent, opts.Name),
-			tenantData,
-			RulerName(opts.Name),
-		)
-
-		if err := mergo.Merge(&opts.OpenShiftOptions, &defaults, mergo.WithOverride); err != nil {
-			return kverrors.Wrap(err, "failed to merge defaults for mode openshift")
-		}
+		o.WithTenantsForMode(opts.Stack.Tenants.Mode, opts.GatewayBaseDomain, tenantData)
+	}
 
+	if err := mergo.Merge(&opts.OpenShiftOptions, o, mergo.WithOverride); err != nil {
+		return kverrors.Wrap(err, "failed to merge defaults for mode openshift")
 	}
 
 	return nil
@@ -83,6 +84,27 @@ func configureGatewayServiceForMode(s *corev1.ServiceSpec, mode lokiv1.ModeType)
 }
 
 func configureGatewayObjsForMode(objs []client.Object, opts Options) []client.Object {
+	if !opts.Gates.OpenShift.Enabled {
+		return objs
+	}
+
+	openShiftObjs := openshift.BuildGatewayObjects(opts.OpenShiftOptions)
+
+	var cObjs []client.Object
+	for _, o := range objs {
+		switch o.(type) {
+		// Drop Ingress in favor of Route in OpenShift.
+		// Ingress is not supported as OAuthRedirectReference
+		// in ServiceAccounts used as OAuthClient in OpenShift.
+		case *networkingv1.Ingress:
+			continue
+		}
+
+		cObjs = append(cObjs, o)
+	}
+
+	objs = append(cObjs, openShiftObjs...)
+
 	switch opts.Stack.Tenants.Mode {
 	case lokiv1.Static, lokiv1.Dynamic:
 		// nothing to configure
@@ -101,22 +123,8 @@ func configureGatewayObjsForMode(objs []client.Object, opts Options) []client.Ob
 			}
 		}
 
-		openShiftObjs := openshift.BuildGatewayObjects(opts.OpenShiftOptions)
-
-		var cObjs []client.Object
-		for _, o := range objs {
-			switch o.(type) {
-			// Drop Ingress in favor of Route in OpenShift.
-			// Ingress is not supported as OAuthRedirectReference
-			// in ServiceAccounts used as OAuthClient in OpenShift.
-			case *networkingv1.Ingress:
-				continue
-			}
-
-			cObjs = append(cObjs, o)
-		}
-
-		objs = append(cObjs, openShiftObjs...)
+		openShiftObjs := openshift.BuildGatewayTenantModeObjects(opts.OpenShiftOptions)
+		objs = append(objs, openShiftObjs...)
 	}
 
 	return objs