grafana · jpinsonneau · Sep 24, 2025 · Dec 12, 2025
@@ -237,7 +237,7 @@ type AuthenticationSpec struct {
 
 // ModeType is the authentication/authorization mode in which LokiStack Gateway will be configured.
 //
-// +kubebuilder:validation:Enum=static;dynamic;openshift-logging;openshift-network
+// +kubebuilder:validation:Enum=static;dynamic;openshift-logging;openshift-network;openshift
 type ModeType string
 
 const (
@@ -250,6 +250,8 @@ const (
 	OpenshiftLogging ModeType = "openshift-logging"
 	// OpenshiftNetwork mode provides fully automatic OpenShift in-cluster authentication and authorization support for network logs only.
 	OpenshiftNetwork ModeType = "openshift-network"
+	// Openshif mode provides fully automatic OpenShift in-cluster authentication and authorization support for application, infrastructure, audit and network logs.
+	Openshift ModeType = "openshift"
 )
 
 // TenantsSpec defines the mode, authentication and authorization
@@ -260,7 +262,7 @@ type TenantsSpec struct {
 	// +required
 	// +kubebuilder:validation:Required
 	// +kubebuilder:default:=openshift-logging
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:select:static","urn:alm:descriptor:com.tectonic.ui:select:dynamic","urn:alm:descriptor:com.tectonic.ui:select:openshift-logging","urn:alm:descriptor:com.tectonic.ui:select:openshift-network"},displayName="Mode"
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:select:static","urn:alm:descriptor:com.tectonic.ui:select:dynamic","urn:alm:descriptor:com.tectonic.ui:select:openshift-logging","urn:alm:descriptor:com.tectonic.ui:select:openshift-network","urn:alm:descriptor:com.tectonic.ui:select:openshift"},displayName="Mode"
 	Mode ModeType `json:"mode"`
 	// Authentication defines the lokistack-gateway component authentication configuration spec per tenant.
 	//

@@ -1017,6 +1017,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -3872,6 +3872,7 @@ spec:
                     - dynamic
                     - openshift-logging
                     - openshift-network
+                    - openshift
                     type: string
                   openshift:
                     description: Openshift defines the configuration specific to Openshift

@@ -1010,6 +1010,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -3873,6 +3873,7 @@ spec:
                     - dynamic
                     - openshift-logging
                     - openshift-network
+                    - openshift
                     type: string
                   openshift:
                     description: Openshift defines the configuration specific to Openshift

@@ -1030,6 +1030,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -3872,6 +3872,7 @@ spec:
                     - dynamic
                     - openshift-logging
                     - openshift-network
+                    - openshift
                     type: string
                   openshift:
                     description: Openshift defines the configuration specific to Openshift

@@ -3854,6 +3854,7 @@ spec:
                     - dynamic
                     - openshift-logging
                     - openshift-network
+                    - openshift
                     type: string
                   openshift:
                     description: Openshift defines the configuration specific to Openshift

@@ -930,6 +930,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -923,6 +923,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -942,6 +942,7 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:select:dynamic
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-logging
         - urn:alm:descriptor:com.tectonic.ui:select:openshift-network
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
       - description: Openshift defines the configuration specific to Openshift modes.
         displayName: Openshift
         path: tenants.openshift

@@ -2536,6 +2536,9 @@ for the memberlist.</p>
 <tbody><tr><td><p>&#34;dynamic&#34;</p></td>
 <td><p>Dynamic mode delegates the authorization to a third-party OPA-compatible endpoint.</p>
 </td>
+</tr><tr><td><p>&#34;openshift&#34;</p></td>
+<td><p>Openshif mode provides fully automatic OpenShift in-cluster authentication and authorization support for application, infrastructure, audit and network logs.</p>
+</td>
 </tr><tr><td><p>&#34;openshift-logging&#34;</p></td>
 <td><p>OpenshiftLogging mode provides fully automatic OpenShift in-cluster authentication and authorization support for application, infrastructure and audit logs.</p>
 </td>

@@ -136,7 +136,7 @@ _Note: While this document will only give instructions for two methods of log fo
 
 ## Network Observability
 
-[Network Observability](https://github.com/netobserv/network-observability-operator) also require an external loki instance and is compatible with LokiStack Gateway. You must use a separate instance than `openshift-logging` one.
+[Network Observability](https://github.com/netobserv/network-observability-operator) also require an external loki instance and is compatible with LokiStack Gateway.
 
 The Network Observability Operator can automatically install and configure dependent operators. However, if you need to configure these manually, follow the step below.
 
@@ -148,7 +148,7 @@ The Network Observability Operator can automatically install and configure depen
 - click on Create LokiStack
 - set name to `lokistack-network`
 - set `Object Storage` -> `Secret` [check object storage documentation](../lokistack/object_storage.md)
-- set `Tenants Configuration` -> `Mode` to `openshift-network`
+- set `Tenants Configuration` -> `Mode` to `openshift-network`. or `openshift` to share the same instance for both logging and network.
 
 * Create the following `ClusterRole` and `ClusterRoleBinding` which allow `flowlogs-pipeline` and `network-observability-plugin` service accounts to read and write the network logs:
 

@@ -298,7 +298,7 @@ func (r *LokiStackReconciler) enqueueForAlertManagerServices() handler.EventHand
 
 			for _, stack := range lokiStacks.Items {
 				if stack.Spec.Tenants != nil && (stack.Spec.Tenants.Mode == lokiv1.OpenshiftLogging ||
-					stack.Spec.Tenants.Mode == lokiv1.OpenshiftNetwork) {
+					stack.Spec.Tenants.Mode == lokiv1.OpenshiftNetwork || stack.Spec.Tenants.Mode == lokiv1.Openshift) {
 					requests = append(requests, reconcile.Request{
 						NamespacedName: types.NamespacedName{
 							Namespace: stack.Namespace,

@@ -99,7 +99,7 @@ func configureCertificatesForTenantMode(certs certrotation.ComponentCertificates
 	switch mode {
 	case "", lokiv1.Dynamic, lokiv1.Static:
 		return
-	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork:
+	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork, lokiv1.Openshift:
 		// Remove serviceCA annotations for existing secrets to
 		// enable upgrading secrets to built-in cert management
 		for name := range certs {
@@ -120,7 +120,7 @@ func configureCABundleForTenantMode(cm *corev1.ConfigMap, mode lokiv1.ModeType)
 	switch mode {
 	case "", lokiv1.Dynamic, lokiv1.Static:
 		return
-	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork:
+	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork, lokiv1.Openshift:
 		// Remove serviceCA annotations for existing ConfigMap to
 		// enable upgrading CABundle from built-in cert management
 		for key := range cm.Annotations {

@@ -137,6 +137,10 @@ func TestGetOptions_PruneServiceCAAnnotations_ForTenantMode(t *testing.T) {
 			mode:      lokiv1.OpenshiftNetwork,
 			wantPrune: true,
 		},
+		{
+			mode:      lokiv1.Openshift,
+			wantPrune: true,
+		},
 	}
 
 	for _, tc := range tt {

@@ -49,7 +49,7 @@ func BuildOptions(ctx context.Context, log logr.Logger, k k8s.Client, stack *lok
 	}
 
 	switch stack.Spec.Tenants.Mode {
-	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork:
+	case lokiv1.OpenshiftLogging, lokiv1.OpenshiftNetwork, lokiv1.Openshift:
 		baseDomain, err = getOpenShiftBaseDomain(ctx, k)
 		if err != nil {
 			return "", tenants, err

@@ -43,7 +43,7 @@ func validateModes(stack *lokiv1.LokiStack) error {
 		}
 	}
 
-	if stack.Spec.Tenants.Mode == lokiv1.OpenshiftLogging || stack.Spec.Tenants.Mode == lokiv1.OpenshiftNetwork {
+	if stack.Spec.Tenants.Mode == lokiv1.OpenshiftLogging || stack.Spec.Tenants.Mode == lokiv1.OpenshiftNetwork || stack.Spec.Tenants.Mode == lokiv1.Openshift {
 		if stack.Spec.Tenants.Authentication != nil {
 			return kverrors.New("incompatible configuration - custom tenants configuration not required")
 		}

@@ -15,7 +15,7 @@ import (
 
 // AlertManagerSVCExists returns true if the Openshift AlertManager is present in the cluster.
 func AlertManagerSVCExists(ctx context.Context, stack lokiv1.LokiStackSpec, k k8s.Client) (bool, error) {
-	if stack.Tenants == nil || (stack.Tenants.Mode != lokiv1.OpenshiftLogging && stack.Tenants.Mode != lokiv1.OpenshiftNetwork) {
+	if stack.Tenants == nil || (stack.Tenants.Mode != lokiv1.OpenshiftLogging && stack.Tenants.Mode != lokiv1.OpenshiftNetwork && stack.Tenants.Mode != lokiv1.Openshift) {
 		return false, nil
 	}
 
@@ -32,7 +32,7 @@ func AlertManagerSVCExists(ctx context.Context, stack lokiv1.LokiStackSpec, k k8
 
 // UserWorkloadAlertManagerSVCExists returns true if the Openshift User Workload AlertManager is present in the cluster.
 func UserWorkloadAlertManagerSVCExists(ctx context.Context, stack lokiv1.LokiStackSpec, k k8s.Client) (bool, error) {
-	if stack.Tenants == nil || stack.Tenants.Mode != lokiv1.OpenshiftLogging {
+	if stack.Tenants == nil || (stack.Tenants.Mode != lokiv1.OpenshiftLogging && stack.Tenants.Mode != lokiv1.Openshift) {
 		return false, nil
 	}
 

@@ -406,7 +406,7 @@ func discoverLogLevels(ls *lokiv1.LokiStackSpec) bool {
 	}
 
 	if ls.Tenants.Mode == lokiv1.OpenshiftLogging ||
-		ls.Tenants.Mode == lokiv1.OpenshiftNetwork {
+		ls.Tenants.Mode == lokiv1.OpenshiftNetwork || ls.Tenants.Mode == lokiv1.Openshift {
 		return false
 	}
 

@@ -10,7 +10,7 @@ import (
 )
 
 func defaultOTLPAttributeConfig(ts *lokiv1.TenantsSpec) config.OTLPAttributeConfig {
-	if ts == nil || ts.Mode != lokiv1.OpenshiftLogging {
+	if ts == nil || (ts.Mode != lokiv1.OpenshiftLogging && ts.Mode != lokiv1.Openshift) {
 		return config.OTLPAttributeConfig{}
 	}