-
Task
-
Resolution: Done
-
Normal
-
Logging 5.9.0
-
None
-
8
-
False
-
None
-
False
-
NEW
-
OBSDA-527 - Enable Grafana support for cloud providers in Loki
-
VERIFIED
-
Release Note Not Required
-
-
-
Log Storage - Sprint 248, Log Storage - Sprint 249, Log Storage - Sprint 250
As a LokiStack administrator I want to off-load Azure WIF configuration to the CloudCredentialOperator when running on a cluster that supports this operator so that I do not need to manually manage WIF credentials configuration on Azure and in turn a custom LokiStack Azure object storage secret.
Acceptance Criteria
- The Loki Operator offloads all Azure WIF credential generation work to the CloudCredentialOperator on OpenShift platforms with this operator available.
- The LokiStack administrator is required to provide only a very minimum S3 object storage config secret, i.e. environment, container, endpoint_suffix
- The Loki Operator needs to declare in the ClusterServiceVersion provided for OpenShift the following annotation: features.operators.openshift.io/token-auth-azure
Developer Notes.
- Consider reading and understanding the recommended approach from this documentation: https://docs.google.com/document/d/1iFNpyycby_rOY1wUew-yl3uPWlE00krTgr9XHDZOTNo/edit
- The Loki Operator needs to check (periodically) if the present APIServer supports the custom resource CredentialsRequest from cloudcredential.openshift.io/v1.
- For tenant modes openshift-logging and openshift-network the operator will create a CredentialsRequest:
- In the CloudCredentialOperator namespace.
- Provide a list of required Azure rights as listed here https://grafana.com/docs/loki/v2.9.x/storage/#azure-deployment-azure-blob-storage-single-store
- Reference a secret in the openshift-logging/netobserv namespace for the CloudCredentialOperator.
- Upon the CloudCredentialOperator providind the secret (that includes the client_id and tenant_id, federated_token_file) the Loki Operator resumes operations as in
LOG-4546to connect configure Loki's azure config for WIF.