/
options.go
123 lines (107 loc) · 3.39 KB
/
options.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package openshift
import (
"fmt"
"math/rand"
"time"
lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
"github.com/grafana/loki/operator/internal/config"
)
// Options is the set of internal template options for rendering
// the lokistack-gateway tenants configuration file when mode openshift-logging or openshift-network.
type Options struct {
BuildOpts BuildOptions
Authentication []AuthenticationSpec
Authorization AuthorizationSpec
TokenCCOAuth *config.TokenCCOAuthConfig
}
// AuthenticationSpec describes the authentication specification
// for a single tenant to authenticate it's subjects through OpenShift Auth.
type AuthenticationSpec struct {
TenantName string
TenantID string
ServiceAccount string
RedirectURL string
CookieSecret string
}
// AuthorizationSpec describes the authorization specification
// for all tenants to authorize access for it's subjects through the
// opa-openshift sidecar.
type AuthorizationSpec struct {
OPAUrl string
}
// BuildOptions represents the set of options required to build
// extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC)
// on openshift.
type BuildOptions struct {
LokiStackName string
LokiStackNamespace string
GatewayName string
GatewaySvcName string
GatewaySvcTargetPort string
GatewayRouteTimeout time.Duration
RulerName string
Labels map[string]string
AlertManagerEnabled bool
UserWorkloadAlertManagerEnabled bool
}
// TenantData defines the existing cookieSecret for lokistack reconcile.
type TenantData struct {
CookieSecret string
}
// NewOptions returns an openshift options struct.
func NewOptions(
stackName, stackNamespace string,
gwName, gwSvcName, gwPortName string,
gwWriteTimeout time.Duration,
gwLabels map[string]string,
rulerName string,
) *Options {
return &Options{
BuildOpts: BuildOptions{
LokiStackName: stackName,
LokiStackNamespace: stackNamespace,
GatewayName: gwName,
GatewaySvcName: gwSvcName,
GatewaySvcTargetPort: gwPortName,
GatewayRouteTimeout: gwWriteTimeout + gatewayRouteTimeoutExtension,
Labels: gwLabels,
RulerName: rulerName,
},
}
}
func (o *Options) WithTenantsForMode(mode lokiv1.ModeType, gwBaseDomain string, tenantConfigMap map[string]TenantData) *Options {
var (
authn []AuthenticationSpec
authz AuthorizationSpec
host = ingressHost(o.BuildOpts.LokiStackName, o.BuildOpts.LokiStackNamespace, gwBaseDomain)
)
tenants := GetTenants(mode)
for _, name := range tenants {
cookieSecret := tenantConfigMap[name].CookieSecret
if cookieSecret == "" {
cookieSecret = newCookieSecret()
}
authn = append(authn, AuthenticationSpec{
TenantName: name,
TenantID: name,
ServiceAccount: o.BuildOpts.GatewayName,
RedirectURL: fmt.Sprintf("https://%s/openshift/%s/callback", host, name),
CookieSecret: cookieSecret,
})
}
if len(tenants) > 0 {
authz = AuthorizationSpec{
OPAUrl: fmt.Sprintf("http://localhost:%d/v1/data/%s/allow", GatewayOPAHTTPPort, opaDefaultPackage),
}
}
o.Authentication = authn
o.Authorization = authz
return o
}
func newCookieSecret() string {
b := make([]rune, cookieSecretLength)
for i := range b {
b[i] = allowedRunes[rand.Intn(len(allowedRunes))]
}
return string(b)
}