fix(operator): support private VPC S3 endpoints in Loki operator

puretension · puretension · commit 12a934a861f3 · 2025-09-23T19:11:01.000+09:00
diff --git a/operator/internal/handlers/internal/storage/secrets.go b/operator/internal/handlers/internal/storage/secrets.go
@@ -506,10 +506,20 @@ func validateS3Endpoint(endpoint string, region string) error {
 			return fmt.Errorf("%w: %s", errSecretMissingField, storage.KeyAWSRegion)
 		}
 
+		// Check if it's a standard AWS S3 endpoint
 		validEndpoint := fmt.Sprintf("https://s3.%s%s", region, awsEndpointSuffix)
-		if endpoint != validEndpoint {
-			return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)
+		if endpoint == validEndpoint {
+			return nil
 		}
+
+		// Check if it's a VPC endpoint format: https://bucket.vpce-*-region.s3.region.vpce.amazonaws.com
+		// or https://vpce-*-region.s3.region.vpce.amazonaws.com
+		if strings.Contains(endpoint, ".vpce.amazonaws.com") && strings.Contains(endpoint, region) {
+			return nil
+		}
+
+		// If neither standard nor VPC endpoint format, return error
+		return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)
 	}
 	return nil
 }
diff --git a/operator/internal/handlers/internal/storage/secrets_test.go b/operator/internal/handlers/internal/storage/secrets_test.go
@@ -719,6 +719,44 @@ func TestS3Extract_ForcePathStyle(t *testing.T) {
 				ForcePathStyle: true,
 			},
 		},
+		{
+			desc: "aws s3 vpc endpoint",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "test"},
+				Data: map[string][]byte{
+					"endpoint":          []byte("https://bucket.vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com"),
+					"region":            []byte("us-east-1"),
+					"bucketnames":       []byte("this,that"),
+					"access_key_id":     []byte("id"),
+					"access_key_secret": []byte("secret"),
+				},
+			},
+			wantOptions: &storage.S3StorageConfig{
+				Endpoint:       "https://bucket.vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com",
+				Region:         "us-east-1",
+				Buckets:        "this,that",
+				ForcePathStyle: false,
+			},
+		},
+		{
+			desc: "aws s3 vpc endpoint without bucket prefix",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "test"},
+				Data: map[string][]byte{
+					"endpoint":          []byte("https://vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com"),
+					"region":            []byte("us-east-1"),
+					"bucketnames":       []byte("this,that"),
+					"access_key_id":     []byte("id"),
+					"access_key_secret": []byte("secret"),
+				},
+			},
+			wantOptions: &storage.S3StorageConfig{
+				Endpoint:       "https://vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com",
+				Region:         "us-east-1",
+				Buckets:        "this,that",
+				ForcePathStyle: false,
+			},
+		},
 		{
 			desc: "invalid forcepathstyle value",
 			secret: &corev1.Secret{

Original file line number	Diff line number	Diff line change
`@@ -506,10 +506,20 @@ func validateS3Endpoint(endpoint string, region string) error {`
`506`	`506`	`return fmt.Errorf("%w: %s", errSecretMissingField, storage.KeyAWSRegion)`
`507`	`507`	`}`
`508`	`508`
	`509`	`+ // Check if it's a standard AWS S3 endpoint`
`509`	`510`	`validEndpoint := fmt.Sprintf("https://s3.%s%s", region, awsEndpointSuffix)`
`510`		`- if endpoint != validEndpoint {`
`511`		`- return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)`
	`511`	`+ if endpoint == validEndpoint {`
	`512`	`+ return nil`
`512`	`513`	`}`
	`514`	`+`
	`515`	`+ // Check if it's a VPC endpoint format: https://bucket.vpce-*-region.s3.region.vpce.amazonaws.com`
	`516`	`+ // or https://vpce-*-region.s3.region.vpce.amazonaws.com`
	`517`	`+ if strings.Contains(endpoint, ".vpce.amazonaws.com") && strings.Contains(endpoint, region) {`
	`518`	`+ return nil`
	`519`	`+ }`
	`520`	`+`
	`521`	`+ // If neither standard nor VPC endpoint format, return error`
	`522`	`+ return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)`
`513`	`523`	`}`
`514`	`524`	`return nil`
`515`	`525`	`}`