fix(operator): Return quickstart script to working condition and improve rootless usage (#19960)

Author: xperimental

operator/Makefile

@@ -224,13 +224,8 @@ ifndef ignore-not-found
 endif
 
 .PHONY: quickstart
-ifeq ($(or $(findstring openshift-logging,$(IMG)),$(findstring openshift-logging,$(BUNDLE_IMG))),openshift-logging)
 quickstart: $(KIND) ## Quickstart full dev environment on local kind cluster
 	@./quickstart.sh $(filter-out $@,$(MAKECMDGOALS))
-else
-quickstart: oci-build oci-push $(KIND)
-	@./quickstart.sh $(filter-out $@,$(MAKECMDGOALS))
-endif
 
 .PHONY: quickstart-cleanup
 quickstart-cleanup: $(KIND) ## Cleanup for quickstart set up

operator/docs/prologue/quickstart.md

@@ -29,7 +29,7 @@ make quickstart
 If you want to test local changes from your repository fork, you need to provide an image registry organization that you own that has an image repository name `loki-operator`(e.g., `quay.io/my-company-org/loki-operator`). The command to use your custom images is:
 
 ```shell
-make quickstart REGISTRY_BASE=quay.io/my-company-org
+make oci-build oci-push quickstart REGISTRY_BASE=quay.io/my-company-org
 ```
 
 ## Further reading

operator/hack/addons_cert_manager.yaml

@@ -16,8 +16,9 @@ spec:
       - args:
         - generate
         - --destination=loki
-        - --destination-url=http://token-refresher.default.svc.cluster.local:8080/api/logs/v1/test-oidc/loki/api/v1/push
+        - --url=http://token-refresher.default.svc.cluster.local:8080/api/logs/v1/test-oidc/loki/api/v1/push
         - --tenant=test-oidc
+        - --disable-security-check
         image: quay.io/openshift-logging/cluster-logging-load-client:latest
         imagePullPolicy: Always
         name: logger

operator/hack/addons_logger.yaml

@@ -39,7 +39,8 @@ spec:
         - --oidc.client-id=$(OIDC_CLIENT_ID)
         - --oidc.client-secret=$(OIDC_CLIENT_SECRET)
         - --oidc.issuer-url=$(OIDC_ISSUER_URL)
-        - --url=http://lokistack-dev-gateway-http.default.svc:8080
+        - --url=https://lokistack-dev-gateway-http.default.svc:8080
+        - --upstream.ca-file=/etc/certs/service-ca.crt
         env:
         - name: OIDC_AUDIENCE
           valueFrom:
@@ -61,13 +62,20 @@ spec:
             secretKeyRef:
               key: issuerUrl
               name: token-refresher-oidc
-        image: quay.io/observatorium/token-refresher:master-2021-03-05-b34376b
+        image: quay.io/observatorium/token-refresher:master-2024-12-11-08b888a
         name: token-refresher
         ports:
         - containerPort: 8081
           name: internal
         - containerPort: 8080
           name: web
+        volumeMounts:
+        - mountPath: /etc/certs
+          name: certificates
+      volumes:
+      - name: certificates
+        configMap:
+          name: lokistack-dev-gateway-ca-bundle
 ---
 apiVersion: v1
 kind: Service

operator/hack/addons_token_refresher.yaml

@@ -51,9 +51,10 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - services
       - endpoints
+      - nodes
       - secrets
+      - services
     verbs:
       - get
       - list
@@ -90,6 +91,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+    - discovery.k8s.io
+    resources:
+    - endpointslices
+    verbs:
+    - get
+    - list
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -114,6 +123,8 @@ spec:
   selector:
     matchLabels:
       app: traefik
+  strategy:
+    type: Recreate
   template:
     metadata:
       labels:
@@ -122,27 +133,27 @@ spec:
       serviceAccountName: traefik
       containers:
         - name: traefik
-          image: traefik:v2.7.0
+          image: traefik:v3.6.2
           args:
             - --api.insecure
             - --api.dashboard
             - --log.level=debug
             - --accesslog=true
-            - --entryPoints.web.address=:80
-            - --entryPoints.websecure.address=:443
+            - --entryPoints.traefik.address=:8082
+            - --entryPoints.web.address=:8081
+            - --entryPoints.websecure.address=:8443
             - --providers.kubernetesIngress
             - --providers.file.filename=/config/config.yaml
             - --providers.file.watch=false
           ports:
           - name: http
-            containerPort: 80
-            hostPort: 80
+            containerPort: 8081
+            hostPort: 8081
           - name: https
-            containerPort: 443
-            hostPort: 443
+            containerPort: 8443
           - name: admin
-            containerPort: 8080
-            hostPort: 8080
+            containerPort: 8082
+            hostPort: 8082
           securityContext:
             capabilities:
               drop:

operator/hack/addons_traefik.yaml

@@ -10,12 +10,9 @@ nodes:
       kubeletExtraArgs:
         node-labels: "ingress-ready=true"
   extraPortMappings:
-  # Ingress Controller Web Port
-  - containerPort: 80
-    hostPort: 80
-  # Ingress Controller Web Secure Port
-  - containerPort: 443
-    hostPort: 443
-  # Ingress Controller Admin Port
-  - containerPort: 8080
-    hostPort: 8080
+  # Traefik Web Port
+  - containerPort: 8081
+    hostPort: 8081
+  # Traefik Admin Port
+  - containerPort: 8082
+    hostPort: 8082

operator/hack/kind_config.yaml

@@ -48,6 +48,11 @@ lokistack(){
     echo "- Deploy Loki Stack...                    -"
     echo "-------------------------------------------"
     kubectl apply -f ./hack/lokistack_gateway_dev.yaml
+
+    echo "-------------------------------------------"
+    echo "- Wait for LokiStack (~ 90s)...           -"
+    echo "-------------------------------------------"
+    kubectl wait --for=condition=Ready --timeout=5m lokistack/lokistack-dev
 }
 
 logger() {
@@ -73,8 +78,7 @@ certificates() {
 }
 
 check() {
-    # shellcheck disable=SC2154
-    ${LOGCLI} --addr "http://localhost/token-refresher/api/logs/v1/test-oidc" labels
+    logcli --addr "http://localhost:8081/token-refresher/api/logs/v1/test-oidc" labels
 }
 
 case ${1:-"*"} in
@@ -112,9 +116,9 @@ help)
 
 *)
     setup
+    certificates
     deps
     operator
-    certificates
     lokistack
     logger
     ;;