fix(operator): add extract selectors to gateway in netobserv mode to fix

JoaoBraveCoding · JoaoBraveCoding · commit ac283a06e587 · 2025-11-24T10:08:49.000Z
fine-grained AuthZ
diff --git a/operator/internal/manifests/gateway_tenants_test.go b/operator/internal/manifests/gateway_tenants_test.go
@@ -944,6 +944,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 							Containers: []corev1.Container{
 								{
 									Name: gatewayContainerName,
+									Args: []string{
+										"--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",
+									},
 								},
 								{
 									Name:  "opa",
@@ -1051,6 +1054,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 							Containers: []corev1.Container{
 								{
 									Name: gatewayContainerName,
+									Args: []string{
+										"--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",
+									},
 								},
 								{
 									Name:  "opa",
diff --git a/operator/internal/manifests/openshift/configure.go b/operator/internal/manifests/openshift/configure.go
@@ -73,15 +73,23 @@ func ConfigureGatewayDeployment(
 		return kverrors.Wrap(err, "failed to merge sidecar container spec ")
 	}
 
-	if mode == lokiv1.OpenshiftLogging {
+	if mode == lokiv1.OpenshiftLogging || mode == lokiv1.OpenshiftNetwork {
 		// enable extraction of namespace selector
 		for i, c := range d.Spec.Template.Spec.Containers {
 			if c.Name != "gateway" {
 				continue
 			}
 
+			var authSelectors string
+			switch mode {
+			case lokiv1.OpenshiftLogging:
+				authSelectors = opaDefaultLabelMatchers
+			case lokiv1.OpenshiftNetwork:
+				authSelectors = opaNetworkLabelMatchers
+			}
+
 			d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args,
-				fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers),
+				fmt.Sprintf("--logs.auth.extract-selectors=%s", authSelectors),
 			)
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -944,6 +944,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {`
`944`	`944`	`Containers: []corev1.Container{`
`945`	`945`	`{`
`946`	`946`	`Name: gatewayContainerName,`
	`947`	`+ Args: []string{`
	`948`	`+ "--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",`
	`949`	`+ },`
`947`	`950`	`},`
`948`	`951`	`{`
`949`	`952`	`Name: "opa",`
`@@ -1051,6 +1054,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {`
`1051`	`1054`	`Containers: []corev1.Container{`
`1052`	`1055`	`{`
`1053`	`1056`	`Name: gatewayContainerName,`
	`1057`	`+ Args: []string{`
	`1058`	`+ "--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",`
	`1059`	`+ },`
`1054`	`1060`	`},`
`1055`	`1061`	`{`
`1056`	`1062`	`Name: "opa",`
Original file line number	Diff line number	Diff line change
`@@ -73,15 +73,23 @@ func ConfigureGatewayDeployment(`
`73`	`73`	`return kverrors.Wrap(err, "failed to merge sidecar container spec ")`
`74`	`74`	`}`
`75`	`75`
`76`		`- if mode == lokiv1.OpenshiftLogging {`
	`76`	`+ if mode == lokiv1.OpenshiftLogging \|\| mode == lokiv1.OpenshiftNetwork {`
`77`	`77`	`// enable extraction of namespace selector`
`78`	`78`	`for i, c := range d.Spec.Template.Spec.Containers {`
`79`	`79`	`if c.Name != "gateway" {`
`80`	`80`	`continue`
`81`	`81`	`}`
`82`	`82`
	`83`	`+ var authSelectors string`
	`84`	`+ switch mode {`
	`85`	`+ case lokiv1.OpenshiftLogging:`
	`86`	`+ authSelectors = opaDefaultLabelMatchers`
	`87`	`+ case lokiv1.OpenshiftNetwork:`
	`88`	`+ authSelectors = opaNetworkLabelMatchers`
	`89`	`+ }`
	`90`	`+`
`83`	`91`	`d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args,`
`84`		`- fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers),`
	`92`	`+ fmt.Sprintf("--logs.auth.extract-selectors=%s", authSelectors),`
`85`	`93`	`)`
`86`	`94`	`}`
`87`	`95`	`}`