grafana · periklis · Jan 10, 2024 · Dec 13, 2023 · Dec 14, 2023 · Dec 14, 2023
@@ -139,6 +139,7 @@ func extractS3ConfigSecret(s *corev1.Secret) (*storage.S3StorageConfig, error) {
 	roleArn := s.Data[storage.KeyAWSRoleArn]
 	// Optional fields
 	region := s.Data[storage.KeyAWSRegion]
+	audience := s.Data[storage.KeyAWSAudience]
 
 	if len(roleArn) == 0 {
 		if len(endpoint) == 0 {
@@ -166,6 +167,7 @@ func extractS3ConfigSecret(s *corev1.Secret) (*storage.S3StorageConfig, error) {
 		Endpoint: string(endpoint),
 		Buckets:  string(buckets),
 		Region:   string(region),
+		Audience: string(audience),
 		SSE:      sseCfg,
 	}, nil
 }

@@ -8,6 +8,7 @@ import (
 	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
 
 	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 )
@@ -106,7 +107,7 @@ func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
 }
 
 func ensureObjectStoreCredentials(p *corev1.PodSpec, opts Options) corev1.PodSpec {
-	var envVarFromSecret = func(name, secretName, secretKey string) corev1.EnvVar {
+	envVarFromSecret := func(name, secretName, secretKey string) corev1.EnvVar {
 		return corev1.EnvVar{
 			Name: name,
 			ValueFrom: &corev1.EnvVarSource{
@@ -139,6 +140,11 @@ func ensureObjectStoreCredentials(p *corev1.PodSpec, opts Options) corev1.PodSpe
 		MountPath: secretDirectory,
 	})
 
+	if wifEnabled(opts) {
+		volumes = append(volumes, saTokenVolume(opts))
+		container.VolumeMounts = append(container.VolumeMounts, saTokenVolumeMount(opts))
+	}
+
 	var storeEnvVars []corev1.EnvVar
 	switch storeType {
 	case lokiv1.ObjectStorageSecretAlibabaCloud:
@@ -164,7 +170,7 @@ func ensureObjectStoreCredentials(p *corev1.PodSpec, opts Options) corev1.PodSpe
 			envVarFromSecret(EnvAWSAccessKeySecret, secretName, KeyAWSAccessKeySecret),
 		}
 		// STS Auth Workflow
-		if opts.S3 != nil && opts.S3.RoleArn == "" {
+		if wifEnabled(opts) {
 			storeEnvVars = []corev1.EnvVar{
 				envVarFromSecret(EnvAWSRoleArn, secretName, KeyAWSRoleArn),
 				// TODO (JoaoBraveCoding) fix
@@ -223,3 +229,51 @@ func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
 		Volumes: volumes,
 	}
 }
+
+func wifEnabled(opts Options) bool {
+	storeType := opts.SharedStore
+	switch storeType {
+	case lokiv1.ObjectStorageSecretS3:
+		return opts.S3 != nil && opts.S3.RoleArn == ""
+	default:
+		return false
+	}
+}
+
+func saTokenVolumeMount(opts Options) corev1.VolumeMount {
+	var wiToken string
+	storeType := opts.SharedStore
+	switch storeType {
+	case lokiv1.ObjectStorageSecretS3:
+		wiToken = opts.S3.WebIdentityTokenFile
+	}
+	return corev1.VolumeMount{
+		Name:      saTokenVolumeName,
+		MountPath: wiToken,
+	}
+}
+
+func saTokenVolume(opts Options) corev1.Volume {
+	var audience string
+	storeType := opts.SharedStore
+	switch storeType {
+	case lokiv1.ObjectStorageSecretS3:
+		audience = opts.S3.Audience
+	}
+	return corev1.Volume{
+		Name: saTokenVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Projected: &corev1.ProjectedVolumeSource{
+				Sources: []corev1.VolumeProjection{
+					{
+						ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+							ExpirationSeconds: pointer.Int64(saTokenExpiration),
+							Path:              corev1.ServiceAccountTokenKey,
+							Audience:          audience,
+						},
+					},
+				},
+			},
+		},
+	}
+}
@@ -40,6 +40,7 @@ type S3StorageConfig struct {
 	Buckets              string
 	RoleArn              string
 	WebIdentityTokenFile string
+	Audience             string
 	SSE                  S3SSEConfig
 }
 

@@ -53,6 +53,8 @@ const (
 	KeyAWSSseKmsKeyID = "sse_kms_key_id"
 	// KeyAWSRoleArn is the secret data key for the AWS STS role ARN.
 	KeyAWSRoleArn = "role_arn"
+	// KeyAWSAudience is the audience for the AWS STS workflow.
+	KeyAWSAudience = "audience"
 
 	// KeyAzureStorageAccountKey is the secret data key for the Azure storage account key.
 	KeyAzureStorageAccountKey = "account_key"
@@ -99,6 +101,11 @@ const (
 	// KeySwiftPassword is the secret data key for the OpenStack Swift password.
 	KeySwiftUsername = "username"
 
+	saTokenVolumeName         = "bound-sa-token"
+	saTokenVolumeK8sDirectory = "/var/run/secrets/kubernetes/serviceaccount"
+	saTokenVolumeOcpDirectory = "/var/run/secrets/openshift/serviceaccount"
+	saTokenExpiration         = 3600
+
 	secretDirectory  = "/etc/storage/secrets"
 	storageTLSVolume = "storage-tls"
 	caDirectory      = "/etc/storage/ca"