fix(operator): support private VPC S3 endpoints in Loki operator

This PR fixes the Loki operator's overly strict S3 endpoint validation that was rejecting private VPC S3 endpoints. The operator was only accepting the standard AWS S3 endpoint format and failing to reconcile when users configured private VPC endpoints in OpenShift environments.

The fix updates the validateS3Endpoint function to accept VPC endpoint formats while preventing bucket-specific VPC endpoints that could cause folder creation issues:
- Allows: https://vpce-*-region.s3.region.vpce.amazonaws.com (general VPC endpoint)
- Rejects: https://bucket.vpce-*-region.s3.region.vpce.amazonaws.com (bucket-specific VPC endpoint)

This maintains full backward compatibility with existing standard AWS S3 endpoints while adding support for VPC endpoints without the bucket name prefix that could lead to unwanted folder creation in S3 buckets.

Fixes #19243

Signed-off-by: puretension <[email protected]>

Author: puretension

operator/internal/handlers/internal/storage/secrets.go

@@ -506,10 +506,24 @@ func validateS3Endpoint(endpoint string, region string) error {
 			return fmt.Errorf("%w: %s", errSecretMissingField, storage.KeyAWSRegion)
 		}
 
+		// Check if it's a standard AWS S3 endpoint
 		validEndpoint := fmt.Sprintf("https://s3.%s%s", region, awsEndpointSuffix)
-		if endpoint != validEndpoint {
-			return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)
+		if endpoint == validEndpoint {
+			return nil
 		}
+
+		// Check if it's a VPC endpoint format: https://vpce-*-region.s3.region.vpce.amazonaws.com
+		// Reject bucket-specific VPC endpoints to avoid folder creation issues
+		if strings.Contains(endpoint, ".vpce.amazonaws.com") && strings.Contains(endpoint, region) {
+			// Ensure it's not a bucket-specific VPC endpoint (bucket.vpce-xxx format)
+			hostname := parsedURL.Hostname()
+			if strings.HasPrefix(hostname, "vpce-") {
+				return nil
+			}
+		}
+
+		// If neither standard nor VPC endpoint format, return error
+		return fmt.Errorf("%w: %s", errS3EndpointAWSInvalid, validEndpoint)
 	}
 	return nil
 }

operator/internal/handlers/internal/storage/secrets_test.go

@@ -719,6 +719,39 @@ func TestS3Extract_ForcePathStyle(t *testing.T) {
 				ForcePathStyle: true,
 			},
 		},
+		{
+			desc: "aws s3 vpc endpoint with bucket name should fail",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "test"},
+				Data: map[string][]byte{
+					"endpoint":          []byte("https://bucket.vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com"),
+					"region":            []byte("us-east-1"),
+					"bucketnames":       []byte("this,that"),
+					"access_key_id":     []byte("id"),
+					"access_key_secret": []byte("secret"),
+				},
+			},
+			wantError: "endpoint for AWS S3 must include correct region: https://s3.us-east-1.amazonaws.com",
+		},
+		{
+			desc: "aws s3 vpc endpoint without bucket prefix",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "test"},
+				Data: map[string][]byte{
+					"endpoint":          []byte("https://vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com"),
+					"region":            []byte("us-east-1"),
+					"bucketnames":       []byte("this,that"),
+					"access_key_id":     []byte("id"),
+					"access_key_secret": []byte("secret"),
+				},
+			},
+			wantOptions: &storage.S3StorageConfig{
+				Endpoint:       "https://vpce-1234567-us-east-1c.s3.us-east-1.vpce.amazonaws.com",
+				Region:         "us-east-1",
+				Buckets:        "this,that",
+				ForcePathStyle: false,
+			},
+		},
 		{
 			desc: "invalid forcepathstyle value",
 			secret: &corev1.Secret{