Merge branch 'main' into bloom

Author: ccding

operator/.golangci.yaml

@@ -1,6 +1,6 @@
 ---
 # golangci.com configuration
-# https://github.com/golangci/golangci/wiki/Configuration
+# https://golangci-lint.run/usage/configuration/
 linters-settings:
   copyloopvar:
     check-alias: true
@@ -12,9 +12,8 @@ linters-settings:
     - blank
     - dot
   govet:
-    shadow: true
-  maligned:
-    suggest-new: true
+    enable:
+    - shadow
   misspell:
     locale: US
   revive:
@@ -43,8 +42,3 @@ linters:
 
 issues:
   exclude-use-default: false
-  exclude-rules:
-    # - text: "could be of size"
-    #   path: api/v1beta1/lokistack_types.go
-    #   linters:
-    #     - maligned

operator/Makefile

@@ -177,6 +177,7 @@ scorecard: generate go-generate bundle-all ## Run scorecard tests for all bundle
 
 .PHONY: lint
 lint: $(GOLANGCI_LINT) | generate ## Run golangci-lint on source code.
+	$(GOLANGCI_LINT) config verify
 	$(GOLANGCI_LINT) run --timeout=5m ./...
 
 .PHONY: lint-fix

operator/bundle/community-openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.7.1
-    createdAt: "2025-01-28T16:41:41Z"
+    createdAt: "2025-02-18T18:01:36Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     features.operators.openshift.io/disconnected: "true"
@@ -1850,7 +1850,7 @@ spec:
                 - /manager
                 env:
                 - name: RELATED_IMAGE_LOKI
-                  value: docker.io/grafana/loki:3.3.2
+                  value: docker.io/grafana/loki:3.4.2
                 - name: RELATED_IMAGE_GATEWAY
                   value: quay.io/observatorium/api:latest
                 - name: RELATED_IMAGE_OPA
@@ -1980,7 +1980,7 @@ spec:
   provider:
     name: Grafana Loki SIG Operator
   relatedImages:
-  - image: docker.io/grafana/loki:3.3.2
+  - image: docker.io/grafana/loki:3.4.2
     name: loki
   - image: quay.io/observatorium/api:latest
     name: gateway

operator/bundle/community/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: docker.io/grafana/loki-operator:0.7.1
-    createdAt: "2025-01-28T16:41:37Z"
+    createdAt: "2025-02-18T18:01:33Z"
     description: The Community Loki Operator provides Kubernetes native deployment
       and management of Loki and related logging components.
     operators.operatorframework.io/builder: operator-sdk-unknown
@@ -1830,7 +1830,7 @@ spec:
                 - /manager
                 env:
                 - name: RELATED_IMAGE_LOKI
-                  value: docker.io/grafana/loki:3.3.2
+                  value: docker.io/grafana/loki:3.4.2
                 - name: RELATED_IMAGE_GATEWAY
                   value: quay.io/observatorium/api:latest
                 - name: RELATED_IMAGE_OPA
@@ -1948,7 +1948,7 @@ spec:
   provider:
     name: Grafana Loki SIG Operator
   relatedImages:
-  - image: docker.io/grafana/loki:3.3.2
+  - image: docker.io/grafana/loki:3.4.2
     name: loki
   - image: quay.io/observatorium/api:latest
     name: gateway

operator/bundle/openshift/manifests/loki-operator.clusterserviceversion.yaml

@@ -150,7 +150,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing
     certified: "false"
     containerImage: quay.io/openshift-logging/loki-operator:0.1.0
-    createdAt: "2025-01-28T16:41:44Z"
+    createdAt: "2025-02-18T18:01:39Z"
     description: |
       The Loki Operator for OCP provides a means for configuring and managing a Loki stack for cluster logging.
       ## Prerequisites and Requirements
@@ -1835,7 +1835,7 @@ spec:
                 - /manager
                 env:
                 - name: RELATED_IMAGE_LOKI
-                  value: quay.io/openshift-logging/loki:v3.3.2
+                  value: quay.io/openshift-logging/loki:v3.4.2
                 - name: RELATED_IMAGE_GATEWAY
                   value: quay.io/observatorium/api:latest
                 - name: RELATED_IMAGE_OPA
@@ -1959,7 +1959,7 @@ spec:
   provider:
     name: Red Hat
   relatedImages:
-  - image: quay.io/openshift-logging/loki:v3.3.2
+  - image: quay.io/openshift-logging/loki:v3.4.2
     name: loki
   - image: quay.io/observatorium/api:latest
     name: gateway

operator/config/overlays/community-openshift/manager_related_image_patch.yaml

@@ -9,7 +9,7 @@ spec:
         - name: manager
           env:
           - name: RELATED_IMAGE_LOKI
-            value: docker.io/grafana/loki:3.3.2
+            value: docker.io/grafana/loki:3.4.2
           - name: RELATED_IMAGE_GATEWAY
             value: quay.io/observatorium/api:latest
           - name: RELATED_IMAGE_OPA

operator/config/overlays/community/manager_related_image_patch.yaml

@@ -9,7 +9,7 @@ spec:
         - name: manager
           env:
           - name: RELATED_IMAGE_LOKI
-            value: docker.io/grafana/loki:3.3.2
+            value: docker.io/grafana/loki:3.4.2
           - name: RELATED_IMAGE_GATEWAY
             value: quay.io/observatorium/api:latest
           - name: RELATED_IMAGE_OPA

operator/config/overlays/development/manager_related_image_patch.yaml

@@ -9,6 +9,6 @@ spec:
         - name: manager
           env:
           - name: RELATED_IMAGE_LOKI
-            value: docker.io/grafana/loki:3.3.2
+            value: docker.io/grafana/loki:3.4.2
           - name: RELATED_IMAGE_GATEWAY
             value: quay.io/observatorium/api:latest

operator/config/overlays/openshift/manager_related_image_patch.yaml

@@ -9,7 +9,7 @@ spec:
         - name: manager
           env:
           - name: RELATED_IMAGE_LOKI
-            value: quay.io/openshift-logging/loki:v3.3.2
+            value: quay.io/openshift-logging/loki:v3.4.2
           - name: RELATED_IMAGE_GATEWAY
             value: quay.io/observatorium/api:latest
           - name: RELATED_IMAGE_OPA

operator/docs/operator/compatibility.md

@@ -32,3 +32,4 @@ The versions of Loki compatible to be run with the Loki Operator are:
 * v3.2.0
 * v3.2.1
 * v3.3.2
+* v3.4.2

operator/hack/addons_dev.yaml

@@ -29,7 +29,7 @@ spec:
     spec:
       containers:
         - name: logcli
-          image: docker.io/grafana/logcli:3.3.2-amd64
+          image: docker.io/grafana/logcli:3.4.2-amd64
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -73,7 +73,7 @@ spec:
     spec:
       containers:
         - name: promtail
-          image: docker.io/grafana/promtail:3.3.2
+          image: docker.io/grafana/promtail:3.4.2
           args:
             - -config.file=/etc/promtail/promtail.yaml
             - -log.level=info

operator/hack/addons_ocp.yaml

@@ -29,7 +29,7 @@ spec:
     spec:
       containers:
         - name: logcli
-          image: docker.io/grafana/logcli:3.3.2-amd64
+          image: docker.io/grafana/logcli:3.4.2-amd64
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -70,7 +70,7 @@ spec:
     spec:
       containers:
         - name: promtail
-          image: docker.io/grafana/promtail:3.3.2
+          image: docker.io/grafana/promtail:3.4.2
           args:
             - -config.file=/etc/promtail/promtail.yaml
             - -log.level=info

operator/internal/manifests/storage/configure.go

@@ -29,17 +29,23 @@ var (
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 	switch opts.SharedStore {
-	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
+	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
 		return configureDeployment(d, opts)
 	case lokiv1.ObjectStorageSecretS3:
 		err := configureDeployment(d, opts)
 		if err != nil {
 			return err
 		}
-		return configureDeploymentCA(d, opts.TLS)
+		return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
+	case lokiv1.ObjectStorageSecretSwift:
+		err := configureDeployment(d, opts)
+		if err != nil {
+			return err
+		}
+		return configureDeploymentCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
 	default:
 		return nil
 	}
@@ -49,16 +55,21 @@ func ConfigureDeployment(d *appsv1.Deployment, opts Options) error {
 // based on the object storage type. Currently supported amendments:
 // - All: Ensure object storage secret mounted and auth projected as env vars.
 // - GCS: Ensure env var GOOGLE_APPLICATION_CREDENTIALS in container
-// - S3: Ensure mounting custom CA configmap if any TLSConfig given
+// - S3 & Swift: Ensure mounting custom CA configmap if any TLSConfig given
 func ConfigureStatefulSet(d *appsv1.StatefulSet, opts Options) error {
 	switch opts.SharedStore {
-	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS, lokiv1.ObjectStorageSecretSwift:
+	case lokiv1.ObjectStorageSecretAlibabaCloud, lokiv1.ObjectStorageSecretAzure, lokiv1.ObjectStorageSecretGCS:
 		return configureStatefulSet(d, opts)
 	case lokiv1.ObjectStorageSecretS3:
 		if err := configureStatefulSet(d, opts); err != nil {
 			return err
 		}
-		return configureStatefulSetCA(d, opts.TLS)
+		return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretS3)
+	case lokiv1.ObjectStorageSecretSwift:
+		if err := configureStatefulSet(d, opts); err != nil {
+			return err
+		}
+		return configureStatefulSetCA(d, opts.TLS, lokiv1.ObjectStorageSecretSwift)
 	default:
 		return nil
 	}
@@ -75,16 +86,22 @@ func configureDeployment(d *appsv1.Deployment, opts Options) error {
 	return nil
 }
 
-// ConfigureDeploymentCA merges a S3 CA ConfigMap volume into the deployment spec.
-func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig) error {
+// ConfigureDeploymentCA merges a S3 or Swift CA ConfigMap volume into the deployment spec.
+func configureDeploymentCA(d *appsv1.Deployment, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
 	if tls == nil {
 		return nil
 	}
 
-	p := ensureCAForS3(&d.Spec.Template.Spec, tls)
+	var p corev1.PodSpec
+	switch secretType {
+	case lokiv1.ObjectStorageSecretS3:
+		p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
+	case lokiv1.ObjectStorageSecretSwift:
+		p = ensureCAForObjectStorage(&d.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
+	}
 
 	if err := mergo.Merge(&d.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-		return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
+		return kverrors.Wrap(err, "failed to merge object storage ca options ")
 	}
 
 	return nil
@@ -101,16 +118,22 @@ func configureStatefulSet(s *appsv1.StatefulSet, opts Options) error {
 	return nil
 }
 
-// ConfigureStatefulSetCA merges a S3 CA ConfigMap volume into the statefulset spec.
-func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig) error {
+// ConfigureStatefulSetCA merges a S3 or Swift CA ConfigMap volume into the statefulset spec.
+func configureStatefulSetCA(s *appsv1.StatefulSet, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) error {
 	if tls == nil {
 		return nil
 	}
+	var p corev1.PodSpec
 
-	p := ensureCAForS3(&s.Spec.Template.Spec, tls)
+	switch secretType {
+	case lokiv1.ObjectStorageSecretS3:
+		p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretS3)
+	case lokiv1.ObjectStorageSecretSwift:
+		p = ensureCAForObjectStorage(&s.Spec.Template.Spec, tls, lokiv1.ObjectStorageSecretSwift)
+	}
 
 	if err := mergo.Merge(&s.Spec.Template.Spec, p, mergo.WithOverride); err != nil {
-		return kverrors.Wrap(err, "failed to merge s3 object storage ca options ")
+		return kverrors.Wrap(err, "failed to merge object storage ca options ")
 	}
 
 	return nil
@@ -254,7 +277,7 @@ func serverSideEncryption(opts Options) []corev1.EnvVar {
 	}
 }
 
-func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
+func ensureCAForObjectStorage(p *corev1.PodSpec, tls *TLSConfig, secretType lokiv1.ObjectStorageSecretType) corev1.PodSpec {
 	container := p.Containers[0].DeepCopy()
 	volumes := p.Volumes
 
@@ -275,9 +298,16 @@ func ensureCAForS3(p *corev1.PodSpec, tls *TLSConfig) corev1.PodSpec {
 		MountPath: caDirectory,
 	})
 
-	container.Args = append(container.Args,
-		fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
-	)
+	switch secretType {
+	case lokiv1.ObjectStorageSecretS3:
+		container.Args = append(container.Args,
+			fmt.Sprintf("-s3.http.ca-file=%s", path.Join(caDirectory, tls.Key)),
+		)
+	case lokiv1.ObjectStorageSecretSwift:
+		container.Args = append(container.Args,
+			fmt.Sprintf("-swift.http.tls-ca-path=%s", path.Join(caDirectory, tls.Key)),
+		)
+	}
 
 	return corev1.PodSpec{
 		Containers: []corev1.Container{