Merge branch 'main' into helm/checksum
jkroepke authored Mar 12, 2024
2 parents 8a6d4e4 + 6741627 commit 648bde0
Showing 48 changed files with 340 additions and 260 deletions.
4 changes: 4 additions & 0 deletions docs/sources/configure/_index.md
Expand Up @@ -1937,6 +1937,10 @@ client:
# Maximum number of outstanding tasks per tenant.
# CLI flag: -bloom-gateway.max-outstanding-per-tenant
[max_outstanding_per_tenant: <int> | default = 1024]
# How many tasks are multiplexed at once.
# CLI flag: -bloom-gateway.num-multiplex-tasks
[num_multiplex_tasks: <int> | default = 512]
```

### storage_config
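Review bot: the new `num_multiplex_tasks` entry does not say whether the 512 multiplexed tasks are drawn from the per-tenant `max_outstanding_per_tenant` budget documented directly above it or are a global figure; a reader tuning one cannot tell how it interacts with the other. Suggest extending the comment, e.g. `# How many tasks are multiplexed at once (across all tenants).`, with whichever scope is actually implemented.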
Expand Down
1 change: 1 addition & 0 deletions operator/CHANGELOG.md
@@ -1,5 +1,6 @@
## Main

- [12165](https://github.com/grafana/loki/pull/12165) **JoaoBraveCoding**: Change attribute value used for CCO-based credential mode
- [12157](https://github.com/grafana/loki/pull/12157) **periklis**: Fix managed auth features annotation for community-openshift bundle
- [12104](https://github.com/grafana/loki/pull/12104) **periklis**: Upgrade build and runtime dependencies
- [11928](https://github.com/grafana/loki/pull/11928) **periklis**: Fix remote write client timeout config rename
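Review bot: the new entry "Change attribute value used for CCO-based credential mode" undersells a breaking change; elsewhere in this merge the `credentialMode` enum in the LokiStack CRD drops `managed` in favour of `token-cco`, and the status condition reasons `MissingCredentialsRequest` and `MissingManagedAuthenticationSecret` are removed. Suggest naming the old and new values in the entry so users grepping the changelog for `managed` find it, e.g. "Rename credential mode `managed` to `token-cco` and condition reason `MissingManagedAuthenticationSecret` to `MissingTokenCCOAuthenticationSecret`".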
Expand Down
4 changes: 2 additions & 2 deletions operator/apis/config/v1/projectconfig_types.go
Expand Up @@ -52,9 +52,9 @@ type OpenShiftFeatureGates struct {
// Dashboards enables the loki-mixin dashboards into the OpenShift Console
Dashboards bool `json:"dashboards,omitempty"`

// ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
// TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
// that it is running with some kind of "workload identity" (AWS STS, Azure WIF) enabled.
ManagedAuthEnv bool
TokenCCOAuthEnv bool
}

// FeatureGates is the supported set of all operator feature gates.
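Review bot: the doc comment was only renamed, so it still describes the field as detection of "some kind of workload identity (AWS STS, Azure WIF)", while the new name and the controller (which unconditionally calls `CreateUpdateDeleteCredentialsRequest` when this is true) treat it as "the Cloud Credential Operator is present and will honour CredentialsRequests". Those are not the same condition: a cluster can run with STS without CCO in a mode that processes CredentialsRequests. Suggest the comment state the CCO assumption explicitly, e.g. "... and expects the Cloud Credential Operator to materialise CredentialsRequests into secrets."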
Expand Down
22 changes: 10 additions & 12 deletions operator/apis/loki/v1/lokistack_types.go
Expand Up @@ -1070,12 +1070,10 @@ const (
ReasonMissingObjectStorageSecret LokiStackConditionReason = "MissingObjectStorageSecret"
// ReasonInvalidObjectStorageSecret when the format of the secret is invalid.
ReasonInvalidObjectStorageSecret LokiStackConditionReason = "InvalidObjectStorageSecret"
// ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
// storage is missing.
ReasonMissingCredentialsRequest LokiStackConditionReason = "MissingCredentialsRequest"
// ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
// storage is missing.
ReasonMissingManagedAuthSecret LokiStackConditionReason = "MissingManagedAuthenticationSecret"
// ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
// This is usually a transient error because the secret is not immediately available after creating the
// CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.
ReasonMissingTokenCCOAuthSecret LokiStackConditionReason = "MissingTokenCCOAuthenticationSecret"
// ReasonInvalidObjectStorageSchema when the spec contains an invalid schema(s).
ReasonInvalidObjectStorageSchema LokiStackConditionReason = "InvalidObjectStorageSchema"
// ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
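Review bot: `MissingCredentialsRequest` and `MissingManagedAuthenticationSecret` are user-visible condition reason strings that alerting rules and runbooks may match on, and they are dropped here without a deprecation period. Separately, the new comment says `MissingTokenCCOAuthenticationSecret` "is usually a transient error"; if that is so, the reconciler should requeue with backoff rather than surfacing a Degraded condition on the first pass, otherwise every fresh LokiStack will flap through a failure state while CCO catches up. Suggest either keeping the old reasons as aliases for one release or calling the removal out in the changelog, and documenting the requeue behaviour next to the new reason.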
Expand Down Expand Up @@ -1204,7 +1202,7 @@ type LokiStackComponentStatus struct {

// CredentialMode represents the type of authentication used for accessing the object storage.
//
// +kubebuilder:validation:Enum=static;token;managed
// +kubebuilder:validation:Enum=static;token;token-cco
type CredentialMode string

const (
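Review bot: changing the `+kubebuilder:validation:Enum` marker from `managed` to `token-cco` means the regenerated CRD rejects `managed` both under `spec.storage.secret.credentialMode` and under `status.storage.credentialMode`, and CRD validation applies to status updates as well. Existing LokiStack objects created with `managed` in their spec will fail on the next update, and objects whose status still carries `managed` will fail the operator's own status write until it overwrites the value. Suggest either accepting `managed` as a deprecated alias that the reconciler normalises to `token-cco`, or adding an upgrade note explaining that users must edit the field before upgrading.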
Expand All @@ -1216,11 +1214,11 @@ const (
// Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
// much more granular control. This authentication mode is not supported for all object storage types.
CredentialModeToken CredentialMode = "token"
// CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
// This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
// it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
// This mode is only supported for certain object storage types in certain runtime environments.
CredentialModeManaged CredentialMode = "managed"
// CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
// This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
// it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
// a secret. This mode is only supported for certain object storage types in certain runtime environments.
CredentialModeTokenCCO CredentialMode = "token-cco"
)

// LokiStackStorageStatus defines the observed state of
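Review bot: the `CredentialModeTokenCCO` comment ends with "only supported for certain object storage types in certain runtime environments", which gives a user reading the generated API docs no way to know whether their combination is one of them. Since the enum value is now OpenShift-specific by name, suggest stating the supported set directly in the comment (at minimum that it requires OpenShift with the Cloud Credential Operator), so that the generated `api.md` table carries the same information.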
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2024-03-11T16:01:17Z"
createdAt: "2024-03-12T09:52:37Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
features.operators.openshift.io/disconnected: "true"
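Review bot: this and the two following `createdAt` hunks are pure bundle-regeneration timestamps with no semantic change. Suggest regenerating bundles in a dedicated commit so that a merge commit like this one only carries the CRD and type changes a reviewer actually needs to read.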
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: docker.io/grafana/loki-operator:0.5.0
createdAt: "2024-03-11T16:01:16Z"
createdAt: "2024-03-12T09:52:36Z"
description: The Community Loki Operator provides Kubernetes native deployment
and management of Loki and related logging components.
operators.operatorframework.io/builder: operator-sdk-unknown
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ metadata:
categories: OpenShift Optional, Logging & Tracing
certified: "false"
containerImage: quay.io/openshift-logging/loki-operator:0.1.0
createdAt: "2024-03-11T16:01:19Z"
createdAt: "2024-03-12T09:52:39Z"
description: |
The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
## Prerequisites and Requirements
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -635,7 +635,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
Expand Down Expand Up @@ -3819,7 +3819,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Down
4 changes: 2 additions & 2 deletions operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
Expand Up @@ -617,7 +617,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
name:
description: Name of a secret in the namespace configured
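Review bot: this is the source CRD from which the three bundle copies above are generated, and all four enum blocks agree (`static`, `token`, `token-cco`), which is good. Because the enum is also applied under the status path in the second hunk of this file, please confirm the change was produced with the manifest generator from the marker in `lokistack_types.go` rather than edited by hand, so the next regeneration does not silently revert part of it.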
Expand Down Expand Up @@ -3801,7 +3801,7 @@ spec:
enum:
- static
- token
- managed
- token-cco
type: string
schemas:
description: |-
Expand Down
4 changes: 2 additions & 2 deletions operator/controllers/loki/lokistack_controller.go
Expand Up @@ -110,7 +110,7 @@ type LokiStackReconciler struct {
Log logr.Logger
Scheme *runtime.Scheme
FeatureGates configv1.FeatureGates
AuthConfig *config.ManagedAuthConfig
AuthConfig *config.TokenCCOAuthConfig
}

// +kubebuilder:rbac:groups=loki.grafana.com,resources=lokistacks,verbs=get;list;watch;create;update;patch;delete
Expand Down Expand Up @@ -179,7 +179,7 @@ func (r *LokiStackReconciler) updateResources(ctx context.Context, req ctrl.Requ
}
}

if r.FeatureGates.OpenShift.ManagedAuthEnv {
if r.FeatureGates.OpenShift.TokenCCOAuthEnv {
if err := handlers.CreateUpdateDeleteCredentialsRequest(ctx, r.Log, r.Scheme, r.AuthConfig, r.Client, req); err != nil {
return "", err
}
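Review bot: `r.AuthConfig` is a pointer (`*config.TokenCCOAuthConfig` per the first hunk) and is dereferenced inside `handlers.CreateUpdateDeleteCredentialsRequest` whenever `TokenCCOAuthEnv` is true, but nothing in this hunk guarantees the two are set together. Suggest a defensive check at this call site, e.g. returning an explicit error when `r.AuthConfig == nil`, or an assertion where the reconciler is constructed, so a misconfigured operator fails with a clear message instead of a nil-pointer panic during reconcile.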
Expand Down
27 changes: 12 additions & 15 deletions operator/docs/operator/api.md
Expand Up @@ -1115,13 +1115,7 @@ string
<th>Description</th>
</tr>
</thead>
<tbody><tr><td><p>&#34;managed&#34;</p></td>
<td><p>CredentialModeManaged represents the usage of short-lived tokens retrieved from a credential source.
This mode is similar to CredentialModeToken,but instead of having a user-configured credential source,
it is configured by the environment, for example the Cloud Credential Operator in OpenShift.
This mode is only supported for certain object storage types in certain runtime environments.</p>
</td>
</tr><tr><td><p>&#34;static&#34;</p></td>
<tbody><tr><td><p>&#34;static&#34;</p></td>
<td><p>CredentialModeStatic represents the usage of static, long-lived credentials stored in a Secret.
This is the default authentication mode and available for all supported object storage types.</p>
</td>
Expand All @@ -1131,6 +1125,12 @@ In this mode the static configuration does not contain credentials needed for th
Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and
much more granular control. This authentication mode is not supported for all object storage types.</p>
</td>
</tr><tr><td><p>&#34;token-cco&#34;</p></td>
<td><p>CredentialModeTokenCCO represents the usage of short-lived tokens retrieved from a credential source.
This mode is similar to CredentialModeToken, but instead of having a user-configured credential source,
it is configured by the environment and the operator relies on the Cloud Credential Operator to provide
a secret. This mode is only supported for certain object storage types in certain runtime environments.</p>
</td>
</tr></tbody>
</table>

Expand Down Expand Up @@ -1779,10 +1779,6 @@ with the select cluster size.</p>
</tr><tr><td><p>&#34;InvalidTenantsConfiguration&#34;</p></td>
<td><p>ReasonInvalidTenantsConfiguration when the tenant configuration provided is invalid.</p>
</td>
</tr><tr><td><p>&#34;MissingCredentialsRequest&#34;</p></td>
<td><p>ReasonMissingCredentialsRequest when the required request for managed auth credentials to object
storage is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingGatewayTenantAuthenticationConfig&#34;</p></td>
<td><p>ReasonMissingGatewayAuthenticationConfig when the config for when a tenant is missing authentication config</p>
</td>
Expand All @@ -1797,10 +1793,6 @@ for authentication is missing.</p>
<td><p>ReasonMissingGatewayTenantSecret when the required tenant secret
for authentication is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingManagedAuthenticationSecret&#34;</p></td>
<td><p>ReasonMissingManagedAuthSecret when the required secret for managed auth credentials to object
storage is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingObjectStorageCAConfigMap&#34;</p></td>
<td><p>ReasonMissingObjectStorageCAConfigMap when the required configmap to verify object storage
certificates is missing.</p>
Expand All @@ -1813,6 +1805,11 @@ storage is missing.</p>
<td><p>ReasonMissingRulerSecret when the required secret to authorization remote write connections
for the ruler is missing.</p>
</td>
</tr><tr><td><p>&#34;MissingTokenCCOAuthenticationSecret&#34;</p></td>
<td><p>ReasonMissingTokenCCOAuthSecret when the secret generated by CCO for token authentication is missing.
This is usually a transient error because the secret is not immediately available after creating the
CredentialsRequest, but it can persist if the CCO or its configuration are incorrect.</p>
</td>
</tr><tr><td><p>&#34;PendingComponents&#34;</p></td>
<td><p>ReasonPendingComponents when all/some LokiStack components pending dependencies</p>
</td>
Expand Down
4 changes: 2 additions & 2 deletions operator/docs/operator/feature-gates.md
Expand Up @@ -411,13 +411,13 @@ bool
</tr>
<tr>
<td>
<code>ManagedAuthEnv</code><br/>
<code>TokenCCOAuthEnv</code><br/>
<em>
bool
</em>
</td>
<td>
<p>ManagedAuthEnv is true when OpenShift-functions are enabled and the operator has detected
<p>TokenCCOAuthEnv is true when OpenShift-functions are enabled and the operator has detected
that it is running with some kind of &ldquo;workload identity&rdquo; (AWS STS, Azure WIF) enabled.</p>
</td>
</tr>
Expand Down
2 changes: 1 addition & 1 deletion operator/docs/user-guides/forwarding_logs_to_gateway.md
Expand Up @@ -16,7 +16,7 @@ toc: true

This document will describe how to send application, infrastructure, audit and network logs to the LokiStack Gateway as different tenants using Promtail or Fluentd. The built-in gateway provides secure access to the distributor (and query-frontend) via consulting an OAuth/OIDC endpoint for the request subject.

__Please read the [hacking guide](./hack_loki_operator.md) before proceeding with the following instructions.__
__Please read the [hacking guide](../operator/hack_loki_operator.md) before proceeding with the following instructions.__

_Note: While this document will only give instructions for two methods of log forwarding into the gateway, the examples given in the Promtail and Fluentd sections can be extrapolated to other log forwarders._

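Review bot: the corrected relative path `../operator/hack_loki_operator.md` assumes `docs/operator/` is a sibling of `docs/user-guides/`, which matches the layout implied by the `operator/docs/operator/api.md` and `operator/docs/user-guides/` paths elsewhere in this merge. Suggest adding a markdown link check to CI so the next relocation of the hacking guide is caught before it reaches the published docs.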
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ toc: true

This document describes how to send application, infrastructure, and audit logs to the Loki Distributor as different tenants using Fluentd or Vector.

__Please read the [hacking guide](./hack_loki_operator.md) before proceeding with the following instructions.__
__Please read the [hacking guide](../operator/hack_loki_operator.md) before proceeding with the following instructions.__

_Note:_ This document only applies to OpenShift-based deployments.

Expand Down
4 changes: 2 additions & 2 deletions operator/docs/user-guides/howto_connect_grafana.md
Expand Up @@ -42,7 +42,7 @@ If your LokiStack deployment has the gateway enabled, use one of the first two o

The preferred option for accessing the data stored in Loki managed by loki-operator when running on OpenShift with the default OpenShift tenancy model is to go through the LokiStack gateway and do proper authentication against the authentication service included in OpenShift.

An example configuration authenticating to the gateway in this manner is available in [`addon_grafana_gateway_ocp_oauth.yaml`](../../hack/addon_grafana_gateway_ocp_oauth.yaml).
An example configuration authenticating to the gateway in this manner is available in [`addon_grafana_gateway_ocp_oauth.yaml`](https://raw.githubusercontent.com/grafana/loki/main/operator/hack/addon_grafana_gateway_ocp_oauth.yaml).

The configuration uses `oauth-proxy` to authenticate the user to the Grafana instance and forwards the token through Grafana to LokiStack's gateway service. This enables the configuration to fully take advantage of the tenancy model, so that users can only see the logs of their applications and only admins can view infrastructure and audit logs.

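Review bot: replacing the repository-relative link with a `raw.githubusercontent.com/.../main/...` URL makes the example manifest track the `main` branch instead of the operator version this guide is shipped with, so a user on a released version may copy a manifest that references fields or images their operator does not have. Suggest pinning the URL to the tag the docs are built from, or keeping a relative path and fixing the docs build to resolve it.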
Expand All @@ -54,7 +54,7 @@ Similar to the above configuration this variant makes use of `oauth-proxy` to au

As this configuration does not provide any tenancy it should only be used for testing or debugging a LokiStack. It does not completely bypass authentication though, so no public access of the data stored in Loki is possible.

An example configuration using this technique is available in [`addon_grafana_gateway_ocp.yaml`](../hack/addon_grafana_gateway_ocp.yaml).
An example configuration using this technique is available in [`addon_grafana_gateway_ocp.yaml`](https://raw.githubusercontent.com/grafana/loki/main/operator/hack/addon_grafana_gateway_ocp.yaml).

### Accessing the Query-Frontend Directly

Expand Down
0 comments on commit 648bde0