XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: Log Storage
Labels:
None

Epic Name:
Loki - CCO-Integration GCP Identity Federation Support
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Green
Docs QE Status:
NEW
Epic Status:
Done
Feature Link:
OBSDA-527 - Enable Grafana support for cloud providers in Loki
Parent Link:
OBSDA-527Enable Grafana support for cloud providers in Loki
Hierarchy Progress Bar:

0% To Do, 100% In Progress, 0% Done
Release Note Text:
This update adds Loki CCO-managed support for GCP workload identity federation mechanism, for authenticated and authorized access of the corresponding object storage services
Release Note Type:
If Release Note Needed, Set a Value
Size:
S

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Goals

Add Loki upstream and downstream support for GCP workload identity federation mechanism for authenticated and authorized access of the corresponding object storage services.

Non-Goals

Motivation

As per all cloud providers offering identity federation getting traction in all major managed and unmanaged Kubernetes distributions the Log Storage components require support to align with this IAM pattern. Workload Identity Federation (WIF) for GCP allows a more secure and centralized access to any service to service communication from workloads and infrastructure components running on Kubernetes/OpenShift cluster. It enables a faster turnaround time on stopping unqualified access to any service in case of breaches into services of entire clusters. Specifically for log storage based on Loki it gives a more secure access to logs stored on object storage buckets w/o the need to touch the service, it's configuration and any environment. Usually service operations continue seamless by access the credentials provided to the running containers by the host. In case of credentials revocation that will cascade through the cloud provider IAM services to the hosts and in turn to the containers automatically.

Alternatives

None.

Acceptance Criteria

The LokiStack administrator can define a valid object storage secret that enables using Google Workload Identity Federation grating access to GCS.

Risk and Assumptions

None.

Documentation Considerations

Requires completion of ~~OBSDOCS-219~~ and expanding it to explain how to use the extra setting the object storage secret configuration for each cloud providers' identity federation. Beyond that it requires a concise authn/authz setting per provider that configures the granted rights to access GCS/S3/Blob Storage on each provider (See https://grafana.com/docs/loki/v2.9.x/storage/#aws-deployment-s3-single-store)

Open Questions

Additional Notes

For GCP WIF consider the following two section in the CCO's docs: overview and credentials-secret-details
Upstream Enhancement proposal: https://github.com/grafana/loki/pull/11060
OpenShift Enhancement proposal: https://github.com/openshift/enhancements/pull/1503

clones

LOG-4754 Loki - Object Storage GCP Identity Federation Support

Closed

depends on

CCO-562 GCP Workload Identity Management for layered products (OLM operators)

Release Pending

links to

openshift/release#56099: Enable Logging 6.0 on Prow

QE Tracker

To Do

Kabir Bharti

Assignee:: Robert Jacob

Reporter:: Periklis Tsirakidis

QA Contact:: Kabir Bharti

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/09/30 11:09 AM

Updated:: 2024/11/06 7:19 PM

Details

Description

Goals

Non-Goals

Motivation

Alternatives

Acceptance Criteria

Risk and Assumptions

Documentation Considerations

Open Questions

Additional Notes

Attachments

Issue Links

Easy Agile Planning Poker

Sub-Tasks

Activity

People

Dates