feat(operator): Change attribute value used for CCO-based credential …

…mode (#12165)

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [12165](https://github.com/grafana/loki/pull/12165) **JoaoBraveCoding**: Change attribute value used for CCO-based credential mode
 - [12157](https://github.com/grafana/loki/pull/12157) **periklis**: Fix managed auth features annotation for community-openshift bundle
 - [12104](https://github.com/grafana/loki/pull/12104) **periklis**: Upgrade build and runtime dependencies
 - [11928](https://github.com/grafana/loki/pull/11928) **periklis**: Fix remote write client timeout config rename

operator/apis/config/v1/projectconfig_types.go

@@ -52,9 +52,9 @@ type OpenShiftFeatureGates struct {
 	// Dashboards enables the loki-mixin dashboards into the OpenShift Console
 	Dashboards bool `json:"dashboards,omitempty"`
 
-	// ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
+	// TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
 	// that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
-	ManagedAuthEnv bool
+	TokenCCOAuthEnv bool
 }
 
 // FeatureGates is the supported set of all operator feature gates.

operator/apis/loki/v1/lokistack_types.go

@@ -1070,12 +1070,10 @@ const (
 	ReasonMissingObjectStorageSecret LokiStackConditionReason = "MissingObjectStorageSecret"
 	// ReasonInvalidObjectStorageSecret when the format of the secret is invalid.
 	ReasonInvalidObjectStorageSecret LokiStackConditionReason = "InvalidObjectStorageSecret"
-	// ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
-	// storage is missing.
-	ReasonMissingCredentialsRequest LokiStackConditionReason = "MissingCredentialsRequest"
-	// ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
-	// storage is missing.
-	ReasonMissingManagedAuthSecret LokiStackConditionReason = "MissingManagedAuthenticationSecret"
+	// ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
+	// This is usually a transient error because the secret is not immediately available after creating the
+	// CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.
+	ReasonMissingTokenCCOAuthSecret LokiStackConditionReason = "MissingTokenCCOAuthenticationSecret"
 	// ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).
 	ReasonInvalidObjectStorageSchema LokiStackConditionReason = "InvalidObjectStorageSchema"
 	// ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
@@ -1204,7 +1202,7 @@ type LokiStackComponentStatus struct {
 
 // CredentialMode represents the type of authentication used for accessing the object storage.
 //
-// +kubebuilder:validation:Enum=static;token;managed
+// +kubebuilder:validation:Enum=static;token;token-cco
 type CredentialMode string
 
 const (
@@ -1216,11 +1214,11 @@ const (
 	// Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
 	// much more granular control. This authentication mode is not supported for all object storage types.
 	CredentialModeToken CredentialMode = "token"
-	// CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
-	// This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
-	// it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
-	// This mode is only supported for certain object storage types in certain runtime environments.
-	CredentialModeManaged CredentialMode = "managed"
+	// CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
+	// This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
+	// it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
+	// a secret. This mode is only supported for certain object storage types in certain runtime environments.
+	CredentialModeTokenCCO CredentialMode = "token-cco"
 )
 
 // LokiStackStorageStatus defines the observed state of

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-03-11T16:01:17Z"
+    createdAt: "2024-03-12T09:52:37Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     features.operators.openshift.io/disconnected: "true"

operator/bundle/community-openshift/manifests/loki.grafana.com_lokistacks.yaml

@@ -635,7 +635,7 @@ spec:
                         enum:
                         - static
                         - token
-                        - managed
+                        - token-cco
                         type: string
                       name:
                         description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
                     enum:
                     - static
                     - token
-                    - managed
+                    - token-cco
                     type: string
                   schemas:
                     description: |-

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.5.0
-    createdAt: "2024-03-11T16:01:16Z"
+    createdAt: "2024-03-12T09:52:36Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown

operator/bundle/community/manifests/loki.grafana.com_lokistacks.yaml

@@ -635,7 +635,7 @@ spec:
                         enum:
                         - static
                         - token
-                        - managed
+                        - token-cco
                         type: string
                       name:
                         description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
                     enum:
                     - static
                     - token
-                    - managed
+                    - token-cco
                     type: string
                   schemas:
                     description: |-

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:0.1.0
-    createdAt: "2024-03-11T16:01:19Z"
+    createdAt: "2024-03-12T09:52:39Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements

operator/bundle/openshift/manifests/loki.grafana.com_lokistacks.yaml

@@ -635,7 +635,7 @@ spec:
                         enum:
                         - static
                         - token
-                        - managed
+                        - token-cco
                         type: string
                       name:
                         description: Name of a secret in the namespace configured
@@ -3819,7 +3819,7 @@ spec:
                     enum:
                     - static
                     - token
-                    - managed
+                    - token-cco
                     type: string
                   schemas:
                     description: |-

operator/config/crd/bases/loki.grafana.com_lokistacks.yaml

@@ -617,7 +617,7 @@ spec:
                         enum:
                         - static
                         - token
-                        - managed
+                        - token-cco
                         type: string
                       name:
                         description: Name of a secret in the namespace configured
@@ -3801,7 +3801,7 @@ spec:
                     enum:
                     - static
                     - token
-                    - managed
+                    - token-cco
                     type: string
                   schemas:
                     description: |-

operator/controllers/loki/lokistack_controller.go

@@ -110,7 +110,7 @@ type LokiStackReconciler struct {
 	Log          logr.Logger
 	Scheme       *runtime.Scheme
 	FeatureGates configv1.FeatureGates
-	AuthConfig   *config.ManagedAuthConfig
+	AuthConfig   *config.TokenCCOAuthConfig
 }
 
 // +kubebuilder:rbac:groups=loki.grafana.com,resources=lokistacks,verbs=get;list;watch;create;update;patch;delete
@@ -179,7 +179,7 @@ func (r *LokiStackReconciler) updateResources(ctx context.Context, req ctrl.Requ
 		}
 	}
 
-	if r.FeatureGates.OpenShift.ManagedAuthEnv {
+	if r.FeatureGates.OpenShift.TokenCCOAuthEnv {
 		if err := handlers.CreateUpdateDeleteCredentialsRequest(ctx, r.Log, r.Scheme, r.AuthConfig, r.Client, req); err != nil {
 			return "", err
 		}

operator/docs/operator/api.md

@@ -1115,13 +1115,7 @@ string
 <th>Description</th>
 </tr>
 </thead>
-<tbody><tr><td><p>&#34;managed&#34;</p></td>
-<td><p>CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
-This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
-it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
-This mode is only supported for certain object storage types in certain runtime environments.</p>
-</td>
-</tr><tr><td><p>&#34;static&#34;</p></td>
+<tbody><tr><td><p>&#34;static&#34;</p></td>
 <td><p>CredentialModeStatic represents the usage of static, long-lived credentials stored in a Secret.
 This is the default authentication mode and available for all supported object storage types.</p>
 </td>
@@ -1131,6 +1125,12 @@ In this mode the static configuration does not contain credentials needed for th
 Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
 much more granular control. This authentication mode is not supported for all object storage types.</p>
 </td>
+</tr><tr><td><p>&#34;token-cco&#34;</p></td>
+<td><p>CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
+This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
+it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
+a secret. This mode is only supported for certain object storage types in certain runtime environments.</p>
+</td>
 </tr></tbody>
 </table>
 
@@ -1779,10 +1779,6 @@ with the select cluster size.</p>
 </tr><tr><td><p>&#34;InvalidTenantsConfiguration&#34;</p></td>
 <td><p>ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.</p>
 </td>
-</tr><tr><td><p>&#34;MissingCredentialsRequest&#34;</p></td>
-<td><p>ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
-storage is missing.</p>
-</td>
 </tr><tr><td><p>&#34;MissingGatewayTenantAuthenticationConfig&#34;</p></td>
 <td><p>ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config</p>
 </td>
@@ -1797,10 +1793,6 @@ for authentication is missing.</p>
 <td><p>ReasonMissingGatewayTenantSecret when the required tenant secret
 for authentication is missing.</p>
 </td>
-</tr><tr><td><p>&#34;MissingManagedAuthenticationSecret&#34;</p></td>
-<td><p>ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
-storage is missing.</p>
-</td>
 </tr><tr><td><p>&#34;MissingObjectStorageCAConfigMap&#34;</p></td>
 <td><p>ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
 certificates is missing.</p>
@@ -1813,6 +1805,11 @@ storage is missing.</p>
 <td><p>ReasonMissingRulerSecret when the required secret to authorization remote write connections
 for the ruler is missing.</p>
 </td>
+</tr><tr><td><p>&#34;MissingTokenCCOAuthenticationSecret&#34;</p></td>
+<td><p>ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
+This is usually a transient error because the secret is not immediately available after creating the
+CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.</p>
+</td>
 </tr><tr><td><p>&#34;PendingComponents&#34;</p></td>
 <td><p>ReasonPendingComponents when all/some LokiStack components pending dependencies</p>
 </td>

operator/docs/operator/feature-gates.md

@@ -411,13 +411,13 @@ bool
 </tr>
 <tr>
 <td>
-<code>ManagedAuthEnv</code><br/>
+<code>TokenCCOAuthEnv</code><br/>
 <em>
 bool
 </em>
 </td>
 <td>
-<p>ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
+<p>TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
 that it is running with some kind of &ldquo;workload identity&rdquo; (AWS STS, Azure WIF) enabled.</p>
 </td>
 </tr>

operator/hack/deploy-aws-storage-secret.sh

@@ -37,7 +37,7 @@ readonly access_key_id
 secret_access_key=${SECRET_ACCESS_KEY:-$(aws configure get aws_secret_access_key)}
 readonly secret_access_key
 
-# Managed authentication with/without a manually provisioned AWS Role.
+# token authentication with/without a manually provisioned AWS Role.
 readonly sts=${STS:-false}
 readonly role_arn=${2-}
 

operator/internal/config/managed_auth.go

@@ -13,12 +13,12 @@ type AzureEnvironment struct {
 	Region         string
 }
 
-type ManagedAuthConfig struct {
+type TokenCCOAuthConfig struct {
 	AWS   *AWSEnvironment
 	Azure *AzureEnvironment
 }
 
-func discoverManagedAuthConfig() *ManagedAuthConfig {
+func discoverTokenCCOAuthConfig() *TokenCCOAuthConfig {
 	// AWS
 	roleARN := os.Getenv("ROLEARN")
 
@@ -30,13 +30,13 @@ func discoverManagedAuthConfig() *ManagedAuthConfig {
 
 	switch {
 	case roleARN != "":
-		return &ManagedAuthConfig{
+		return &TokenCCOAuthConfig{
 			AWS: &AWSEnvironment{
 				RoleARN: roleARN,
 			},
 		}
 	case clientID != "" && tenantID != "" && subscriptionID != "":
-		return &ManagedAuthConfig{
+		return &TokenCCOAuthConfig{
 			Azure: &AzureEnvironment{
 				ClientID:       clientID,
 				SubscriptionID: subscriptionID,

operator/internal/config/options.go

@@ -17,7 +17,7 @@ import (
 
 // LoadConfig initializes the controller configuration, optionally overriding the defaults
 // from a provided configuration file.
-func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *ManagedAuthConfig, ctrl.Options, error) {
+func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectConfig, *TokenCCOAuthConfig, ctrl.Options, error) {
 	options := ctrl.Options{Scheme: scheme}
 	if configFile == "" {
 		return &configv1.ProjectConfig{}, nil, options, nil
@@ -28,13 +28,13 @@ func LoadConfig(scheme *runtime.Scheme, configFile string) (*configv1.ProjectCon
 		return nil, nil, options, fmt.Errorf("failed to parse controller manager config file: %w", err)
 	}
 
-	managedAuth := discoverManagedAuthConfig()
-	if ctrlCfg.Gates.OpenShift.Enabled && managedAuth != nil {
-		ctrlCfg.Gates.OpenShift.ManagedAuthEnv = true
+	tokenCCOAuth := discoverTokenCCOAuthConfig()
+	if ctrlCfg.Gates.OpenShift.Enabled && tokenCCOAuth != nil {
+		ctrlCfg.Gates.OpenShift.TokenCCOAuthEnv = true
 	}
 
 	options = mergeOptionsFromFile(options, ctrlCfg)
-	return ctrlCfg, managedAuth, options, nil
+	return ctrlCfg, tokenCCOAuth, options, nil
 }
 
 func mergeOptionsFromFile(o manager.Options, cfg *configv1.ProjectConfig) manager.Options {

operator/internal/handlers/credentialsrequest.go

@@ -22,7 +22,7 @@ import (
 
 // CreateUpdateDeleteCredentialsRequest creates a new CredentialsRequest resource for a Lokistack
 // to request a cloud credentials Secret resource from the OpenShift cloud-credentials-operator.
-func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, managedAuth *config.ManagedAuthConfig, k k8s.Client, req ctrl.Request) error {
+func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger, scheme *runtime.Scheme, tokenCCOAuth *config.TokenCCOAuthConfig, k k8s.Client, req ctrl.Request) error {
 	ll := log.WithValues("lokistack", req.NamespacedName, "event", "createCredentialsRequest")
 
 	var stack lokiv1.LokiStack
@@ -59,7 +59,7 @@ func CreateUpdateDeleteCredentialsRequest(ctx context.Context, log logr.Logger,
 			LokiStackNamespace: stack.Namespace,
 			RulerName:          manifests.RulerName(stack.Name),
 		},
-		ManagedAuth: managedAuth,
+		TokenCCOAuth: tokenCCOAuth,
 	}
 
 	credReq, err := openshift.BuildCredentialsRequest(opts)
@@ -99,7 +99,7 @@ func hasManagedCredentialMode(stack *lokiv1.LokiStack) bool {
 	switch stack.Spec.Storage.Secret.CredentialMode {
 	case lokiv1.CredentialModeStatic, lokiv1.CredentialModeToken:
 		return false
-	case lokiv1.CredentialModeManaged:
+	case lokiv1.CredentialModeTokenCCO:
 		return true
 	default:
 	}