OBSDOCS-797 - Short term authentication for cloud providers

libander · libander · commit 4b701df0d8a2 · 2024-04-17T15:57:53.000-05:00
diff --git a/logging/log_storage/installing-log-storage.adoc b/logging/log_storage/installing-log-storage.adoc
@@ -26,7 +26,19 @@ include::modules/loki-create-object-storage-secret-console.adoc[leveloffset=+2]
 .Additional resources
 * xref:../../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
 
-include::modules/create-lokistack-cr-console.adoc[leveloffset=+2]
+[id="installing-log-storage-loki-sts"]
+== Deploying a Loki log store on an STS enabled cluster
+
+For cloud based storage, you can use the xref:/../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc[Cloud Credential Operator (CCO)] and CCO utility (`ccoctl`) to configure authentication for your {logging} object store.
+
+[NOTE]
+====
+STS authentication must be configured during a new installation of {loki-op}, on an STS enabled cluster. You cannot configure an existing cluster that uses a different credentials strategy to use this feature.
+====
+
+include::modules/logging-identity-federation.adoc[leveloffset=+2]
+
+include::modules/logging-create-loki-cr-console.adoc[leveloffset=+2,tag=!pre-5.9]
 
 // Loki CLI install
 include::modules/logging-loki-cli-install.adoc[leveloffset=+2]
@@ -36,10 +48,11 @@ include::modules/loki-create-object-storage-secret-cli.adoc[leveloffset=+2]
 .Additional resources
 * xref:../../logging/log_storage/installing-log-storage.adoc#logging-loki-storage_installing-log-storage[Loki object storage]
 
-include::modules/create-lokistack-cr-cli.adoc[leveloffset=+2]
+include::modules/logging-create-loki-cr-cli.adoc[leveloffset=+2,tag=!pre-5.9]
 
 // Loki object storage
 include::modules/logging-loki-storage.adoc[leveloffset=+1]
+
 // create object storage
 include::modules/logging-loki-storage-aws.adoc[leveloffset=+2]
 include::modules/logging-loki-storage-azure.adoc[leveloffset=+2]
diff --git a/modules/logging-create-loki-cr-cli.adoc b/modules/logging-create-loki-cr-cli.adoc
@@ -3,7 +3,7 @@
 // * logging/log_storage/installing-log-storage.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="create-lokistack-cr-cli_{context}"]
+[id="logging-create-loki-cr-cli_{context}"]
 = Creating a LokiStack custom resource by using the CLI
 
 You can create a `LokiStack` custom resource (CR) by using the {oc-first}.
@@ -17,6 +17,7 @@ You can create a `LokiStack` custom resource (CR) by using the {oc-first}.
 .Procedure
 
 . Create a `LokiStack` CR:
+// tag::pre-5.9[]
 +
 --
 .Example `LokiStack` CR
@@ -38,26 +39,53 @@ spec:
       type: s3 # <3>
   storageClassName: <storage_class_name> # <4>
   tenants:
-    mode: openshift-logging # <5>
+    mode: openshift-logging 
 ----
 <1> Specify the deployment size. In the {logging} 5.8 and later versions, the supported size options for production instances of Loki are `1x.extra-small`, `1x.small`, or `1x.medium`.
-+
+<2> Specify the name of your log store secret.
+<3> Specify the type of your log store secret.
+<4> Specify the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the `oc get storageclasses` command.
+
 [IMPORTANT]
 ====
 It is not possible to change the number `1x` for the deployment size.
 ====
-<2> Specify the name of your log store secret.
-<3> Specify the type of your log store secret.
-<4> Specify the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the `oc get storageclasses` command.
-<5> LokiStack defaults to running in multi-tenant mode, which cannot be modified. One tenant is provided for each log type: audit, infrastructure, and application logs. This enables access control for individual users and user groups to different log streams.
---
 
-. Apply the `LokiStack` CR by running the following command:
+// end::pre-5.9[]
+
+// tag::5.9[]
 +
-[source,terminal]
+.Example `LokiStack` CR
+[source,yaml]
 ----
-$ oc apply -f <filename>.yaml
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki # <1>
+  namespace: openshift-logging
+spec:
+  size: 1x.small # <2>
+  storage:
+    schemas:
+      - effectiveDate: '2023-10-15'
+        version: v13
+    secret:
+      name: logging-loki-s3 # <3>
+      type: s3 # <4>
+      credentialMode: # <5>
+  storageClassName: <storage_class_name> # <6>
+  tenants:
+    mode: openshift-logging
 ----
+<1> Use the name `logging-loki`.
+<2> Specify the deployment size. In the {logging} 5.8 and later versions, the supported size options for production instances of Loki are `1x.extra-small`, `1x.small`, or `1x.medium`.
+<3> Specify the secret used for your log storage.
+<4> Specify the corresponding storage type.
+<5> Optional field, {logging} 5.9 and later. Supported user configured values are as follows: `static` is the default authentication mode available for all supported object storage types using credentials stored in a Secret. `token` for short-lived tokens retrieved from a credential source. In this mode the static configuration does not contain credentials needed for the object storage. Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and much more granular control. This authentication mode is not supported for all object storage types. `token-cco` is the default value when Loki is running on managed STS mode and using CCO on STS/WIF clusters.
+<6> Enter the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the `oc get storageclasses` command.
+// end::5.9[]
+
+. Apply the `LokiStack` CR by running the following command:
 
 .Verification
 
diff --git a/modules/logging-create-loki-cr-console.adoc b/modules/logging-create-loki-cr-console.adoc
@@ -0,0 +1,83 @@
+// Module included in the following assemblies:
+//
+// * logging/log_storage/installing-log-storage.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="logging-create-loki-cr-console_{context}"]
+= Creating a LokiStack custom resource by using the web console
+
+You can create a `LokiStack` custom resource (CR) by using the {product-title} web console.
+
+.Prerequisites
+
+* You have administrator permissions.
+* You have access to the {product-title} web console.
+* You installed the {loki-op}.
+
+.Procedure
+
+. Go to the *Operators* -> *Installed Operators* page. Click the *All instances* tab.
+
+. From the *Create new* drop-down list, select *LokiStack*.
+
+. Select *YAML view*, and then use the following template to create a `LokiStack` CR:
+// tag::pre-5.9[]
++
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki # <1>
+  namespace: openshift-logging
+spec:
+  size: 1x.small # <2>
+  storage:
+    schemas:
+    - version: v12
+      effectiveDate: '2022-06-01'
+    secret:
+      name: logging-loki-s3 # <3>
+      type: s3 # <4>
+      credentialMode: static #
+  storageClassName: <storage_class_name> # <5>
+  tenants:
+    mode: openshift-logging
+----
+<1> Use the name `logging-loki`.
+<2> Specify the deployment size. In the {logging} 5.8 and later versions, the supported size options for production instances of Loki are `1x.extra-small`, `1x.small`, or `1x.medium`.
+<3> Specify the secret used for your log storage.
+<4> Specify the corresponding storage type.
+<5> Enter the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the `oc get storageclasses` command.
+// end::pre-5.9[]
+
+// tag::5.9[]
++
+[source,yaml]
+----
+apiVersion: loki.grafana.com/v1
+kind: LokiStack
+metadata:
+  name: logging-loki # <1>
+  namespace: openshift-logging
+spec:
+  size: 1x.small # <2>
+  storage:
+    schemas:
+      - effectiveDate: '2023-10-15'
+        version: v13
+    secret:
+      name: logging-loki-s3 # <3>
+      type: s3 # <4>
+      credentialMode: # <5>
+  storageClassName: <storage_class_name> # <6>
+  tenants:
+    mode: openshift-logging
+----
+<1> Use the name `logging-loki`.
+<2> Specify the deployment size. In the {logging} 5.8 and later versions, the supported size options for production instances of Loki are `1x.extra-small`, `1x.small`, or `1x.medium`.
+<3> Specify the secret used for your log storage.
+<4> Specify the corresponding storage type.
+<5> Optional field, {logging} 5.9 and later. Supported user configured values are as follows: `static` is the default authentication mode available for all supported object storage types using credentials stored in a Secret. `token` for short-lived tokens retrieved from a credential source. In this mode the static configuration does not contain credentials needed for the object storage. Instead, they are generated during runtime using a service, which allows for shorter-lived credentials and much more granular control. This authentication mode is not supported for all object storage types. `token-cco` is the default value when Loki is running on managed STS mode and using CCO on STS/WIF clusters.
+<6> Enter the name of a storage class for temporary storage. For best performance, specify a storage class that allocates block storage. Available storage classes for your cluster can be listed by using the `oc get storageclasses` command.
+// end::5.9[]
diff --git a/modules/logging-identity-federation.adoc b/modules/logging-identity-federation.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+// * logging/log_storage/installing-log-storage.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="logging-identity-federation_{context}"]
+= Workload identity federation
+Workload identity federation enables authentication to cloud-based log stores using short-lived tokens.
+
+.Prerequisites
+* {product-title} 4.14 and later
+* {logging-uc} 5.9 and later
+
+.Procedure
+* If you use the {product-title} web console to install the {loki-op}, STS clusters are automatically detected. You are prompted to create roles and supply the data required for the {loki-op} to create a `CredentialsRequest` object, which populates a secret.
+
+* If you use the {oc-first} to install the {loki-op}, you must manually create a subscription object using the appropriate template for your storage provider, as shown in the following examples. This authentication strategy is only supported for the storage providers indicated.
+
+.Azure sample subscription
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: loki-operator
+  namespace: openshift-operators-redhat
+spec:
+  channel: "stable-5.9"
+  installPlanApproval: Manual
+  name: loki-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  config:
+    env:
+      - name: CLIENTID
+        value: <your_client_id>
+      - name: TENANTID
+        value: <your_tenant_id>
+      - name: SUBSCRIPTIONID
+        value: <your_subscription_id>
+      - name: REGION
+        value: <your_region>
+----
+
+.AWS sample subscription
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: loki-operator
+  namespace: openshift-operators-redhat
+spec:
+  channel: "stable-5.9"
+  installPlanApproval: Manual
+  name: loki-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  config:
+    env:
+    - name: ROLEARN
+      value: <role_ARN>
+----
diff --git a/modules/logging-loki-storage-aws.adoc b/modules/logging-loki-storage-aws.adoc
@@ -25,3 +25,18 @@ $ oc create secret generic logging-loki-aws \
   --from-literal=access_key_secret="<aws_access_key_secret>" \
   --from-literal=region="<aws_region_of_your_bucket>"
 ----
+
+[id="AWS_storage_STS_{context}"]
+== AWS storage for STS enabled clusters
+
+If your cluster has STS enabled, the Cloud Credential Operator (CCO) supports short-term authentication using AWS tokens.
+
+You can create the Loki object storage secret manually by running the following command:
+[source,terminal,subs="+quotes"]
+----
+$ oc -n openshift-logging create secret generic "logging-loki-aws" \
+--from-literal=bucketnames="<s3_bucket_name>" \
+--from-literal=region="<bucket_region>" \
+--from-literal=audience="<oidc_audience>" <1>
+----
+<1> Optional annotation, default value is `openshift`.
diff --git a/modules/logging-loki-storage-azure.adoc b/modules/logging-loki-storage-azure.adoc
@@ -24,3 +24,18 @@ $ oc create secret generic logging-loki-azure \
   --from-literal=account_key="<azure_account_key>"
 ----
 <1> Supported environment values are `AzureGlobal`, `AzureChinaCloud`, `AzureGermanCloud`, or `AzureUSGovernment`.
+
+[id="Azure_storage_STS_{context}"]
+== Azure storage for STS enabled clusters
+
+If your cluster has STS enabled, the Cloud Credential Operator (CCO) supports short-term authentication using Azure AD Workload Identity.
+
+You can create the Loki object storage secret manually by running the following command:
+
+[source,terminal,subs="+quotes"]
+----
+$ oc -n openshift-logging create secret generic logging-loki-azure \
+--from-literal=environment="<azure_environment>" \
+--from-literal=account_name="<storage_account_name>" \
+--from-literal=container="<container_name>"
+----
