From ac283a06e58745dd9145402beb74bd237677b55e Mon Sep 17 00:00:00 2001
From: Joao Marcal
Date: Tue, 18 Nov 2025 13:05:18 +0000
Subject: [PATCH] fix(operator): add extract selectors to gateway in netobserv mode to fix fine-grained AuthZ
---
 operator/internal/manifests/gateway_tenants_test.go | 6 ++++++
 operator/internal/manifests/openshift/configure.go | 12 ++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/operator/internal/manifests/gateway_tenants_test.go b/operator/internal/manifests/gateway_tenants_test.go
index 57f17e7f31daf..e4678f9937833 100644
--- a/operator/internal/manifests/gateway_tenants_test.go
+++ b/operator/internal/manifests/gateway_tenants_test.go
@@ -944,6 +944,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 Containers: []corev1.Container{
 {
 Name: gatewayContainerName,
+ Args: []string{
+ "--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",
+ },
 },
 {
 Name: "opa",
@@ -1051,6 +1054,9 @@ func TestConfigureDeploymentForMode(t *testing.T) {
 Containers: []corev1.Container{
 {
 Name: gatewayContainerName,
+ Args: []string{
+ "--logs.auth.extract-selectors=SrcK8S_Namespace,DstK8S_Namespace",
+ },
 },
 {
 Name: "opa",
diff --git a/operator/internal/manifests/openshift/configure.go b/operator/internal/manifests/openshift/configure.go
index cb8306eefbaa3..5bdde207cdbc2 100644
--- a/operator/internal/manifests/openshift/configure.go
+++ b/operator/internal/manifests/openshift/configure.go
@@ -73,15 +73,23 @@ func ConfigureGatewayDeployment(
 return kverrors.Wrap(err, "failed to merge sidecar container spec ")
 }
- if mode == lokiv1.OpenshiftLogging {
+ if mode == lokiv1.OpenshiftLogging || mode == lokiv1.OpenshiftNetwork {
 // enable extraction of namespace selector
 for i, c := range d.Spec.Template.Spec.Containers {
 if c.Name != "gateway" {
 continue
 }
+ var authSelectors string
+ switch mode {
+ case lokiv1.OpenshiftLogging:
+ authSelectors = opaDefaultLabelMatchers
+ case lokiv1.OpenshiftNetwork:
+ authSelectors = opaNetworkLabelMatchers
+ }
+
 d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args,
- fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers),
+ fmt.Sprintf("--logs.auth.extract-selectors=%s", authSelectors),
 )
 }
 }
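Review bot: The set of modes that get selector extraction is now spelled twice, once in the `if mode == lokiv1.OpenshiftLogging || mode == lokiv1.OpenshiftNetwork` condition and once in the `switch mode`, and the switch has no `default`. If a later change adds a mode to the condition but not to the switch, `authSelectors` stays empty and the gateway container is given `--logs.auth.extract-selectors=`. How the gateway treats an empty selector list is not visible here, but an authorization-relevant flag should not be emitted with an empty value silently. Adding `default: continue` to the switch (in Go this continues the enclosing `for`) skips the append for any unhandled mode. The existing comment `// enable extraction of namespace selector` could also say that the selector names differ per mode and presumably have to match the label matchers given to the opa sidecar; the enclosing function starts and ends outside the hunk.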