apitech
/
loki
mirror of https://github.com/grafana/loki
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Like Prometheus, but for logs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4230 Commits
1055 Branches
354 Tags
708 MiB
Tag: Branch: Tree: fbd5bbb09d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fbd5bbb09d'
${ noResults }
loki/operator/internal/manifests/service.go

167 lines
4.5 KiB
Raw Normal View History Unescape

operator: Add support for gRPC over TLS for Loki components (#6224)
4 years ago
package manifests
import (
"fmt"
"github.com/ViaQ/logerr/v2/kverrors"
"github.com/imdario/mergo"
corev1 "k8s.io/api/core/v1"
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
"k8s.io/apimachinery/pkg/util/intstr"
operator: Add support for gRPC over TLS for Loki components (#6224)
4 years ago
)
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
func configureServiceCA(podSpec *corev1.PodSpec, caBundleName string) error {
secretVolumeSpec := corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: caBundleName,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: caBundleName,
},
},
},
},
},
}
secretContainerSpec := corev1.Container{
VolumeMounts: []corev1.VolumeMount{
{
Name: caBundleName,
ReadOnly: false,
MountPath: caBundleDir,
},
},
}
if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge volumes")
}
if err := mergo.Merge(&podSpec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge container")
}
return nil
}
operator: Add support for gRPC over TLS for Loki components (#6224)
4 years ago
func configureGRPCServicePKI(podSpec *corev1.PodSpec, serviceName string) error {
secretVolumeSpec := corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: serviceName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: serviceName,
},
},
},
},
}
secretContainerSpec := corev1.Container{
VolumeMounts: []corev1.VolumeMount{
{
Name: serviceName,
ReadOnly: false,
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
MountPath: lokiServerGRPCTLSDir(),
operator: Add support for gRPC over TLS for Loki components (#6224)
4 years ago
},
},
Args: []string{
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
operator: Add support for gRPC over TLS for Loki components (#6224)
4 years ago
},
}
if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge volumes")
}
if err := mergo.Merge(&podSpec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge container")
}
return nil
}
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
func configureHTTPServicePKI(podSpec *corev1.PodSpec, serviceName, minTLSVersion, tlsCipherSuites string) error {
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
secretVolumeSpec := corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: serviceName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: serviceName,
},
},
},
},
}
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
secretContainerSpec := corev1.Container{
VolumeMounts: []corev1.VolumeMount{
{
Name: serviceName,
ReadOnly: false,
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
MountPath: lokiServerHTTPTLSDir(),
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
},
},
Args: []string{
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
// Expose ready handler through internal server without requiring mTLS
"-internal-server.enable=true",
"-internal-server.http-listen-address=",
fmt.Sprintf("-internal-server.http-tls-min-version=%s", minTLSVersion),
fmt.Sprintf("-internal-server.http-tls-cipher-suites=%s", tlsCipherSuites),
fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
// Require mTLS for any other handler
fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
"-server.http-tls-client-auth=RequireAndVerifyClientCert",
},
Ports: []corev1.ContainerPort{
{
Name: lokiInternalHTTPPortName,
ContainerPort: internalHTTPPort,
Protocol: protocolTCP,
},
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
},
}
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
uriSchemeContainerSpec := corev1.Container{
ReadinessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
HTTPGet: &corev1.HTTPGetAction{
Scheme: corev1.URISchemeHTTPS,
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
Port: intstr.FromInt(internalHTTPPort),
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
},
},
},
LivenessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
HTTPGet: &corev1.HTTPGetAction{
Scheme: corev1.URISchemeHTTPS,
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
Port: intstr.FromInt(internalHTTPPort),
operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478)
4 years ago
},
},
},
}
if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge volumes")
}
if err := mergo.Merge(&podSpec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
return kverrors.Wrap(err, "failed to merge container")
}
if err := mergo.Merge(&podSpec.Containers[0], uriSchemeContainerSpec, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge container")
}
return nil
}