LOG-8006: Can't create networkPolicy for s3 output.

Clee2691 · openshift-merge-bot[bot] · commit 28c8b02e041f · 2025-10-29T16:40:18.000Z
diff --git a/bundle/manifests/cluster-logging.clusterserviceversion.yaml b/bundle/manifests/cluster-logging.clusterserviceversion.yaml
@@ -82,7 +82,7 @@ metadata:
     categories: OpenShift Optional, Logging & Tracing, Observability
     certified: "false"
     containerImage: quay.io/openshift-logging/cluster-logging-operator:latest
-    createdAt: "2025-10-10T20:13:29Z"
+    createdAt: "2025-10-27T15:33:17Z"
     description: The Red Hat OpenShift Logging Operator for OCP provides a means for
       configuring and managing log collection and forwarding.
     features.operators.openshift.io/cnf: "false"
@@ -502,7 +502,8 @@ spec:
           logs
         displayName: Amazon CloudWatch
         path: outputs[0].cloudwatch
-      - description: Authentication sets credentials for authenticating the requests.
+      - description: Authentication sets credentials for authenticating requests to
+          cloudwatch services.
         displayName: Authentication Options
         path: outputs[0].cloudwatch.authentication
       - description: |-
@@ -536,7 +537,14 @@ spec:
         path: outputs[0].cloudwatch.authentication.assumeRole.roleARN.secretName
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
-      - description: AWSAccessKey points to the AWS access key id and secret to be
+      - description: |-
+          SessionName is an optional identifier for the assumed role session.
+          If not provided, a default session name will be generated.
+        displayName: Session Name
+        path: outputs[0].cloudwatch.authentication.assumeRole.sessionName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: AwsAccessKey points to the AWS access key id and secret to be
           used for authentication.
         displayName: Access Key
         path: outputs[0].cloudwatch.authentication.awsAccessKey
@@ -570,7 +578,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
       - description: |-
-          IAMRole points to the secret containing the role ARN to be used for authentication.
+          IamRole points to the secret containing the role ARN to be used for authentication.
           This can be used for authentication in STS-enabled clusters when additionally specifying
           a web identity token
         displayName: Amazon IAM Role
@@ -728,23 +736,23 @@ spec:
       - description: |-
           Index is the index for the logs. This supports template syntax to allow dynamic per-event values.
 
-          The Index can be a combination of static and dynamic values consisting of field paths followed by `||` followed by another field path or a static value.
+          The Index can be a combination of static and dynamic values consisting of field paths followed by `\|\|` followed by another field path or a static value.
 
-          A dynamic value is encased in single curly brackets `{}` and MUST end with a static fallback value separated with `||`.
+          A dynamic value is encased in single curly brackets `{}` and MUST end with a static fallback value separated with `\|\|`.
 
           Static values can only contain alphanumeric characters along with dashes, underscores, dots and forward slashes.
 
-          When forwarding logs to the Red Hat Managed Elasticsearch, the index must match the pattern ^(app|infra|audit)-write$
+          When forwarding logs to the Red Hat Managed Elasticsearch, the index must match the pattern ^(app\|infra\|audit)-write$
           where the prefix depends upon the log_type. This requires defining a distinct output for each log type or distinct pipelines
           with the openshiftLabels filter. See the product documentation for examples.
 
           Example:
 
-           1. foo-{.bar||"none"}
+           1. foo-{.bar\|\|"none"}
 
-           2. {.foo||.bar||"missing"}
+           2. {.foo\|\|.bar\|\|"missing"}
 
-           3. foo.{.bar.baz||.qux.quux.corge||.grault||"nil"}-waldo.fred{.plugh||"none"}
+           3. foo.{.bar.baz\|\|.qux.quux.corge\|\|.grault\|\|"nil"}-waldo.fred{.plugh\|\|"none"}
         displayName: Log Index
         path: outputs[0].elasticsearch.index
         x-descriptors:
@@ -1460,6 +1468,193 @@ spec:
         path: outputs[0].rateLimit.maxRecordsPerSecond
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:number
+      - description: S3 configures forwarding log events to Amazon S3 buckets
+        displayName: Amazon S3
+        path: outputs[0].s3
+      - description: Authentication sets credentials for authenticating the requests.
+        displayName: Authentication Options
+        path: outputs[0].s3.authentication
+      - description: |-
+          AssumeRole specifies an additional AWS role to assume for forwarding logs.
+          This enables cross-account log forwarding by using the initial role to authenticate,
+          then assume a role in order to access cross-account services.
+        displayName: Assume Role
+        path: outputs[0].s3.authentication.assumeRole
+      - description: |-
+          ExternalID is the external ID to match when assuming the role.
+          This is optional and can be used as an additional security measure to ensure that only the intended
+          entity can assume the role.
+
+          The ExternalId must be a minimum of 2 characters and a maximum of 1,224 characters.
+          The value must be alphanumeric without whitespace and can also include the following symbols:
+          plus(+), equal(=), comma(,), period(.), at(@), colon(:), forward slash(/), and hyphen(-).
+        displayName: External ID
+        path: outputs[0].s3.authentication.assumeRole.externalID
+      - description: RoleARN points to the secret containing the ARN of the role to
+          assume for cross-account access.
+        displayName: Assume Role ARN Secret
+        path: outputs[0].s3.authentication.assumeRole.roleARN
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].s3.authentication.assumeRole.roleARN.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].s3.authentication.assumeRole.roleARN.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: |-
+          SessionName is an optional identifier for the assumed role session.
+          If not provided, a default session name will be generated.
+        displayName: Session Name
+        path: outputs[0].s3.authentication.assumeRole.sessionName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: AwsAccessKey points to the AWS access key id and secret to be
+          used for authentication.
+        displayName: Access Key
+        path: outputs[0].s3.authentication.awsAccessKey
+      - description: KeyId points to the AWS access key id to be used for authentication.
+        displayName: Secret with Access Key ID
+        path: outputs[0].s3.authentication.awsAccessKey.keyId
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].s3.authentication.awsAccessKey.keyId.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].s3.authentication.awsAccessKey.keyId.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: KeySecret points to the AWS access key secret to be used for
+          authentication.
+        displayName: Secret with Access Key Secret
+        path: outputs[0].s3.authentication.awsAccessKey.keySecret
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].s3.authentication.awsAccessKey.keySecret.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].s3.authentication.awsAccessKey.keySecret.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: |-
+          IamRole points to the secret containing the role ARN to be used for authentication.
+          This can be used for authentication in STS-enabled clusters when additionally specifying
+          a web identity token
+        displayName: Amazon IAM Role
+        path: outputs[0].s3.authentication.iamRole
+      - description: |-
+          RoleARN specifies the secret containing the role ARN to be used for AWS authentication.
+          This role requires an OIDC provider to be configured in an STS-enabled cluster.
+        displayName: RoleARN Secret
+        path: outputs[0].s3.authentication.iamRole.roleARN
+      - description: Key contains the name of the key inside the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].s3.authentication.iamRole.roleARN.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: SecretName contains the name of the Secret containing the referenced
+          value.
+        displayName: Secret Name
+        path: outputs[0].s3.authentication.iamRole.roleARN.secretName
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Token specifies a bearer token to be used for authenticating
+          requests.
+        displayName: Token
+        path: outputs[0].s3.authentication.iamRole.token
+      - description: From is the source from where to find the token
+        displayName: Token Source
+        path: outputs[0].s3.authentication.iamRole.token.from
+      - description: Use Secret if the value should be sourced from a Secret in the
+          same namespace.
+        displayName: Token Secret
+        path: outputs[0].s3.authentication.iamRole.token.secret
+      - description: Name of the key used to get the value from the referenced Secret.
+        displayName: Key Name
+        path: outputs[0].s3.authentication.iamRole.token.secret.key
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Name of secret
+        displayName: Secret Name
+        path: outputs[0].s3.authentication.iamRole.token.secret.name
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Type is the type of cloudwatch authentication to configure
+        displayName: Authentication Type
+        path: outputs[0].s3.authentication.type
+      - description: |-
+          Bucket specifies the S3 bucket name where logs will be stored.
+
+          String name absent leading `s3://` or trailing `/` and truncated to 63 characters to meet length restrictions
+        displayName: S3 Bucket Name
+        path: outputs[0].s3.bucket
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: |-
+          KeyPrefix is a templated string that defines the S3 key prefix for log objects.  It is a combination of
+          static or dynamic values consisting of field paths separated by `\|\|` and ending with a static
+          fallback value (e.g. logs_{.kubernetes.namespace_name\|\|.hostname\|\|"unknown"}_my_workload_{.openshift.sequence_id\|\|"none"}).
+
+          Prefixes are necessary for partitioning logs from other objects in the bucket.  If the prefix represents a
+          directory, it must end in `/` to act as a directory path. A trailing `/` (forward slash) is not automatically added.
+
+          Dynamic values are encased in single curly brackets `{}` and MUST end with a static fallback value separated
+          with `\|\|`. Static values can only contain alphanumeric characters along with dashes, underscores, dots and forward slashes.
+
+          Examples:
+
+           1. logs_{.kubernetes.namespace_name\|\|"none"}/
+
+           2. {.log_type\|\|.log_source\|\|"missing"}/
+
+           3. my_workload.{.hostname\|\|.qux.quux.corge\|\|.grault\|\|"nil"}-waldo.fred{.plugh\|\|"none"}/
+        displayName: Key Prefix
+        path: outputs[0].s3.keyPrefix
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - displayName: Amazon Region
+        path: outputs[0].s3.region
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
+      - description: Tuning specs tuning for the output
+        displayName: Tuning Options
+        path: outputs[0].s3.tuning
+      - description: |-
+          Compression causes data to be compressed before sending over the network.
+          It is an error if the compression type is not supported by the output.
+        displayName: Compression
+        path: outputs[0].s3.tuning.compression
+      - displayName: Delivery Mode
+        path: outputs[0].s3.tuning.deliveryMode
+      - description: MaxRetryDuration is the maximum time to wait between retry attempts
+          after a delivery failure.
+        displayName: Maximum Retry Duration
+        path: outputs[0].s3.tuning.maxRetryDuration
+      - description: MaxWrite limits the maximum payload in terms of bytes of a single
+          "send" to the output.
+        displayName: Batch Size
+        path: outputs[0].s3.tuning.maxWrite
+      - description: MinRetryDuration is the minimum time to wait between attempts
+          to retry after delivery a failure.
+        displayName: Minimum Retry Duration
+        path: outputs[0].s3.tuning.minRetryDuration
+      - description: |-
+          URL is the custom S3-compatible endpoint URL.
+          If not specified, the default AWS S3 endpoint will be used.
+          This is useful for S3-compatible services like MinIO, Ceph Object Gateway, or Dell EMC ECS.
+        displayName: Custom Endpoint URL
+        path: outputs[0].s3.url
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Splunk configures forwarding log events to Splunk's HTTP event
           collector
         displayName: Splunk
diff --git a/internal/network/ports.go b/internal/network/ports.go
@@ -80,9 +80,13 @@ func getPortProtocolFromOutputURL(output obs.OutputSpec) []factory.PortProtocol
 			urlStr = output.HTTP.URL
 		}
 	case obs.OutputTypeCloudwatch:
-		if output.Cloudwatch != nil && output.Cloudwatch.URL != "" {
+		if output.Cloudwatch != nil {
 			urlStr = output.Cloudwatch.URL
 		}
+	case obs.OutputTypeS3:
+		if output.S3 != nil {
+			urlStr = output.S3.URL
+		}
 	case obs.OutputTypeKafka:
 		// For kafka, prefer the URL over the broker URLs
 		if output.Kafka != nil {
@@ -180,7 +184,7 @@ func getDefaultPort(outputType obs.OutputType, urlStr string) int32 {
 		return 4318
 	case obs.OutputTypeLokiStack: // LokiStack uses 8080
 		return 8080
-	case obs.OutputTypeCloudwatch, obs.OutputTypeAzureMonitor, obs.OutputTypeGoogleCloudLogging:
+	case obs.OutputTypeCloudwatch, obs.OutputTypeAzureMonitor, obs.OutputTypeGoogleCloudLogging, obs.OutputTypeS3:
 		return 443
 	case obs.OutputTypeKafka:
 		// Kafka uses 9092 for plaintext (tcp), 9093 for TLS
diff --git a/internal/network/ports_test.go b/internal/network/ports_test.go
@@ -48,6 +48,7 @@ var _ = Describe("Network Ports", func() {
 		Entry("should return 443 for AzureMonitor", obs.OutputTypeAzureMonitor, "", int32(443)),
 		Entry("should return 443 for GoogleCloudLogging", obs.OutputTypeGoogleCloudLogging, "", int32(443)),
 		Entry("should return 8080 for LokiStack", obs.OutputTypeLokiStack, "", int32(8080)),
+		Entry("should return 443 for S3", obs.OutputTypeS3, "", int32(443)),
 
 		// Kafka with different schemes
 		Entry("should return 9092 for plaintext Kafka", obs.OutputTypeKafka, "tcp://kafka.example.com", int32(9092)),
@@ -60,6 +61,12 @@ var _ = Describe("Network Ports", func() {
 		Entry("should return 443 for HTTP with no scheme", obs.OutputTypeHTTP, "", int32(443)),
 	)
 
+	It("should not panic for all supported output types", func() {
+		for _, outputType := range obs.OutputTypes {
+			Expect(func() { getDefaultPort(outputType, "") }).ToNot(Panic())
+		}
+	})
+
 	It("should panic for unknown output type", func() {
 		Expect(func() { getDefaultPort(obs.OutputType("unknown"), "") }).To(Panic())
 	})
@@ -245,6 +252,25 @@ var _ = Describe("Network Ports", func() {
 			),
 		)
 
+		DescribeTable("S3",
+			func(urlStr string, expected []factory.PortProtocol) {
+				output := obs.OutputSpec{
+					Type: obs.OutputTypeS3,
+					S3:   &obs.S3{URL: urlStr},
+				}
+				ports := getPortProtocolFromOutputURL(output)
+				Expect(ports).To(Equal(expected))
+			},
+			Entry("should extract port from S3 URL",
+				"https://some-s3-bucket.com:5555",
+				[]factory.PortProtocol{{Port: 5555, Protocol: corev1.ProtocolTCP}},
+			),
+			Entry("should use default port for S3 without explicit port",
+				"https://s3.amazonaws.com",
+				[]factory.PortProtocol{{Port: 443, Protocol: corev1.ProtocolTCP}},
+			),
+		)
+
 		DescribeTable("Kafka",
 			func(kafka *obs.Kafka, expectedPorts []factory.PortProtocol) {
 				output := obs.OutputSpec{
