From 4c90d57e68a25c0dc0d5372f52a429c7d74d539c Mon Sep 17 00:00:00 2001 From: Mohamed-Amine Bouqsimi Date: Mon, 27 Jun 2022 14:19:59 +0200 Subject: [PATCH] operator: Support TLS enabled lokistack-gateway (Kubernetes native) (#6478) --- operator/CHANGELOG.md | 1 + .../apis/config/v1/projectconfig_types.go | 1 + ...-operator-manager-config_v1_configmap.yaml | 1 + operator/cmd/loki-broker/main.go | 1 + .../config.grafana.com_projectconfigs.yaml | 2 + .../openshift/controller_manager_config.yaml | 1 + operator/docs/howto_connect_grafana.md | 2 +- operator/internal/manifests/build_test.go | 77 +++++++++++++++++++ operator/internal/manifests/compactor.go | 8 +- operator/internal/manifests/distributor.go | 8 +- operator/internal/manifests/gateway.go | 2 +- .../internal/manifests/gateway_tenants.go | 2 +- .../manifests/gateway_tenants_test.go | 3 + operator/internal/manifests/indexgateway.go | 8 +- operator/internal/manifests/ingester.go | 8 +- .../internal/manifests/openshift/configure.go | 2 +- operator/internal/manifests/options.go | 1 + operator/internal/manifests/querier.go | 8 +- operator/internal/manifests/query-frontend.go | 8 +- operator/internal/manifests/ruler.go | 8 +- operator/internal/manifests/service.go | 58 ++++++++++++++ .../internal/manifests/service_monitor.go | 64 --------------- operator/main.go | 6 ++ 23 files changed, 184 insertions(+), 96 deletions(-) diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md index e89dc12eae..d81e649334 100644 --- a/operator/CHANGELOG.md +++ b/operator/CHANGELOG.md 
@@ -1,5 +1,6 @@ ## Main +- [6411](https://github.com/grafana/loki/pull/6478) **aminesnow**: Support TLS enabled lokistack-gateway for vanilla kubernetes deployments - [6504](https://github.com/grafana/loki/pull/6504) **periklis**: Disable usage report on OpenShift - [6411](https://github.com/grafana/loki/pull/6411) **Red-GV**: Extend schema validation in LokiStack webhook - [6334](https://github.com/grafana/loki/pull/6433) **periklis**: Move operator cli flags to component config diff --git a/operator/apis/config/v1/projectconfig_types.go b/operator/apis/config/v1/projectconfig_types.go index eeec86ae48..234522509c 100644 --- a/operator/apis/config/v1/projectconfig_types.go +++ b/operator/apis/config/v1/projectconfig_types.go @@ -9,6 +9,7 @@ import ( type FeatureFlags struct { EnableCertificateSigningService bool `json:"enableCertSigningService,omitempty"` EnableServiceMonitors bool `json:"enableServiceMonitors,omitempty"` + EnableTLSHTTPServices bool `json:"enableTlsHttpServices,omitempty"` EnableTLSServiceMonitorConfig bool `json:"enableTlsServiceMonitorConfig,omitempty"` EnableTLSGRPCServices bool `json:"enableTlsGrpcServices,omitempty"` EnablePrometheusAlerts bool `json:"enableLokiStackAlerts,omitempty"` diff --git a/operator/bundle/manifests/loki-operator-manager-config_v1_configmap.yaml b/operator/bundle/manifests/loki-operator-manager-config_v1_configmap.yaml index 73421c6399..97a91f5dbb 100644 --- a/operator/bundle/manifests/loki-operator-manager-config_v1_configmap.yaml +++ b/operator/bundle/manifests/loki-operator-manager-config_v1_configmap.yaml @@ -18,6 +18,7 @@ data: enableCertSigningService: true enableServiceMonitors: true enableTlsServiceMonitorConfig: true + enableTlsHttpServices: true enableTlsGRPCServices: true enableLokiStackAlerts: true enableLokiStackGateway: true diff --git a/operator/cmd/loki-broker/main.go b/operator/cmd/loki-broker/main.go index bfb2546f27..0e5f6e8e93 100644 --- a/operator/cmd/loki-broker/main.go 
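Review bot: The new `EnableTLSHTTPServices` field in projectconfig_types.go carries no doc comment, so its relationship to `EnableTLSServiceMonitorConfig` — which operator/main.go in this same patch refuses to start without it — is only discoverable from that runtime check. A one-line comment on the field would state the contract: `// EnableTLSHTTPServices enables TLS on the HTTP endpoints of the LokiStack components; EnableTLSServiceMonitorConfig requires it.` The mirrored field added to `manifests.FeatureFlags` in operator/internal/manifests/options.go would take the same comment. The FeatureFlags struct continues outside the hunk.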
+++ b/operator/cmd/loki-broker/main.go @@ -38,6 +38,7 @@ func (c *config) registerFlags(f *flag.FlagSet) { c.featureFlags = manifests.FeatureFlags{} f.BoolVar(&c.featureFlags.EnableCertificateSigningService, "with-cert-signing-service", false, "Enable usage of cert-signing service for scraping prometheus metrics via TLS.") f.BoolVar(&c.featureFlags.EnableServiceMonitors, "with-service-monitors", false, "Enable service monitors for all LokiStack components.") + f.BoolVar(&c.featureFlags.EnableTLSHTTPServices, "with-http-tls-services", false, "Enables TLS for lokistack-gateway.") f.BoolVar(&c.featureFlags.EnableTLSServiceMonitorConfig, "with-tls-service-monitors", false, "Enable TLS endpoint for service monitors.") f.BoolVar(&c.featureFlags.EnablePrometheusAlerts, "with-prometheus-alerts", false, "Enables prometheus alerts") f.BoolVar(&c.featureFlags.EnableGateway, "with-lokistack-gateway", false, "Enables the manifest creation for the entire lokistack-gateway.") diff --git a/operator/config/crd/bases/config.grafana.com_projectconfigs.yaml b/operator/config/crd/bases/config.grafana.com_projectconfigs.yaml index aa976e9c3e..a25f876fb0 100644 --- a/operator/config/crd/bases/config.grafana.com_projectconfigs.yaml +++ b/operator/config/crd/bases/config.grafana.com_projectconfigs.yaml @@ -78,6 +78,8 @@ spec: type: boolean enableTlsServiceMonitorConfig: type: boolean + enableTlsHttpServices: + type: boolean type: object gracefulShutDown: description: GracefulShutdownTimeout is the duration given to runnable diff --git a/operator/config/overlays/openshift/controller_manager_config.yaml b/operator/config/overlays/openshift/controller_manager_config.yaml index 62f0adc083..b4148d7806 100644 --- a/operator/config/overlays/openshift/controller_manager_config.yaml +++ b/operator/config/overlays/openshift/controller_manager_config.yaml 
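Review bot: The help text for `with-http-tls-services` says it "Enables TLS for lokistack-gateway.", but the flag it sets, `EnableTLSHTTPServices`, is what gates the HTTP TLS configuration of every component in this patch (compactor, distributor, ingester, querier, query-frontend, index-gateway, ruler, and the gateway), so the description understates its effect. `"Enable TLS on the HTTP endpoints of all LokiStack components and the lokistack-gateway."` would match what the flag does and keep the neighbouring "Enable …" wording. operator/main.go in this patch rejects EnableTLSServiceMonitorConfig without EnableTLSHTTPServices, but registerFlags gains no equivalent check, so loki-broker accepts `--with-tls-service-monitors` on its own; whether that combination misbehaves here I can't tell from the diff. registerFlags continues outside the hunk.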
@@ -15,6 +15,7 @@ featureFlags: enableCertSigningService: true enableServiceMonitors: true enableTlsServiceMonitorConfig: true + enableTlsHttpServices: true enableTlsGRPCServices: true enableLokiStackAlerts: true enableLokiStackGateway: true diff --git a/operator/docs/howto_connect_grafana.md b/operator/docs/howto_connect_grafana.md index 0564001616..4ad98e3525 100644 --- a/operator/docs/howto_connect_grafana.md +++ b/operator/docs/howto_connect_grafana.md @@ -67,7 +67,7 @@ datasources: httpHeaderValue1: ${LOKI_TENANT_ID} ``` -If the operator was started with the `--with-tls-service-monitors` option, then the protocol used to access the service needs to be set to `https` and, depending on the used certificate another option needs to be added to the `jsonData`: `tlsSkipVerify: true` +If the operator was started with the `--with-http-tls-services` option, then the protocol used to access the service needs to be set to `https` and, depending on the used certificate another option needs to be added to the `jsonData`: `tlsSkipVerify: true` The values for the variables used in the configuration file depend on the Lokistack deployment and which Loki tenant needs to be accessed. diff --git a/operator/internal/manifests/build_test.go b/operator/internal/manifests/build_test.go index c8ba075103..8b3fa7496c 100644 --- a/operator/internal/manifests/build_test.go +++ b/operator/internal/manifests/build_test.go 
@@ -219,6 +219,80 @@ func TestBuildAll_WithFeatureFlags_EnableCertificateSigningService(t *testing.T) } } +func TestBuildAll_WithFeatureFlags_EnableTLSHTTPServices(t *testing.T) { + opts := Options{ + Name: "test", + Namespace: "test", + Stack: lokiv1beta1.LokiStackSpec{ + Size: lokiv1beta1.SizeOneXSmall, + Rules: &lokiv1beta1.RulesSpec{ + Enabled: true, + }, + }, + Flags: FeatureFlags{ + EnableTLSHTTPServices: true, + }, + } + + err := ApplyDefaultSettings(&opts) + require.NoError(t, err) + objects, buildErr := BuildAll(opts) + require.NoError(t, buildErr) + + for _, obj := range objects { + var ( + name string + vs []corev1.Volume + vms []corev1.VolumeMount + args []string + rps corev1.URIScheme + lps corev1.URIScheme + ) + + switch o := obj.(type) { + case *appsv1.Deployment: + name = o.Name + vs = o.Spec.Template.Spec.Volumes + vms = o.Spec.Template.Spec.Containers[0].VolumeMounts + args = o.Spec.Template.Spec.Containers[0].Args + rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme + lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme + case *appsv1.StatefulSet: + name = o.Name + vs = o.Spec.Template.Spec.Volumes + vms = o.Spec.Template.Spec.Containers[0].VolumeMounts + args = o.Spec.Template.Spec.Containers[0].Args + rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme + lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme + default: + continue + } + + secretName := fmt.Sprintf("%s-http", name) + expVolume := corev1.Volume{ + Name: secretName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: secretName, + }, + }, + } + require.Contains(t, vs, expVolume) + + expVolumeMount := corev1.VolumeMount{ + Name: secretName, + ReadOnly: false, + MountPath: "/var/run/tls/http", + } + require.Contains(t, vms, expVolumeMount) + + require.Contains(t, args, "-server.http-tls-cert-path=/var/run/tls/http/tls.crt") + 
require.Contains(t, args, "-server.http-tls-key-path=/var/run/tls/http/tls.key") + require.Equal(t, corev1.URISchemeHTTPS, rps) + require.Equal(t, corev1.URISchemeHTTPS, lps) + } +} + func TestBuildAll_WithFeatureFlags_EnableTLSServiceMonitorConfig(t *testing.T) { opts := Options{ Name: "test", @@ -231,6 +305,7 @@ func TestBuildAll_WithFeatureFlags_EnableTLSServiceMonitorConfig(t *testing.T) { }, Flags: FeatureFlags{ EnableServiceMonitors: true, + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: true, }, } @@ -480,6 +555,7 @@ func TestBuildAll_WithFeatureFlags_EnableGateway(t *testing.T) { }, Flags: FeatureFlags{ EnableGateway: false, + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: false, }, }, @@ -517,6 +593,7 @@ func TestBuildAll_WithFeatureFlags_EnableGateway(t *testing.T) { }, Flags: FeatureFlags{ EnableGateway: true, + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: true, }, }, diff --git a/operator/internal/manifests/compactor.go b/operator/internal/manifests/compactor.go index 52c910d4b3..25334ec5d6 100644 --- a/operator/internal/manifests/compactor.go +++ b/operator/internal/manifests/compactor.go @@ -20,8 +20,8 @@ import ( // BuildCompactor builds the k8s objects required to run Loki Compactor. func BuildCompactor(opts Options) ([]client.Object, error) { statefulSet := NewCompactorStatefulSet(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureCompactorServiceMonitorPKI(statefulSet, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureCompactorHTTPServicePKI(statefulSet, opts.Name); err != nil { return nil, err } } 
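Review bot: In `TestBuildAll_WithFeatureFlags_EnableTLSHTTPServices` both switch arms read `ReadinessProbe.ProbeHandler.HTTPGet.Scheme` and the liveness equivalent through two pointers without checking them, so a component built without a probe would fail the test with a nil-pointer panic rather than a named assertion; `require.NotNil(t, c.ReadinessProbe)` and `require.NotNil(t, c.LivenessProbe)` on the container before the reads keep the failure readable. The Deployment and StatefulSet arms are otherwise six identical field extractions; assigning only `name = o.Name` and `tmpl = o.Spec.Template` in each arm and reading volumes, mounts, args and probe schemes once from `tmpl.Spec.Containers[0]` after the switch removes the duplication and keeps the two arms from drifting. The remaining hunks in this file only add the flag to existing cases.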
@@ -220,9 +220,9 @@ func NewCompactorHTTPService(opts Options) *corev1.Service { } } -func configureCompactorServiceMonitorPKI(statefulSet *appsv1.StatefulSet, stackName string) error { +func configureCompactorHTTPServicePKI(statefulSet *appsv1.StatefulSet, stackName string) error { serviceName := serviceNameCompactorHTTP(stackName) - return configureServiceMonitorPKI(&statefulSet.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName) } func configureCompactorGRPCServicePKI(sts *appsv1.StatefulSet, stackName string) error { diff --git a/operator/internal/manifests/distributor.go b/operator/internal/manifests/distributor.go index 71674fe54a..0fa7f4c6fd 100644 --- a/operator/internal/manifests/distributor.go +++ b/operator/internal/manifests/distributor.go @@ -19,8 +19,8 @@ import ( // BuildDistributor returns a list of k8s objects for Loki Distributor func BuildDistributor(opts Options) ([]client.Object, error) { deployment := NewDistributorDeployment(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureDistributorServiceMonitorPKI(deployment, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureDistributorHTTPServicePKI(deployment, opts.Name); err != nil { return nil, err } } @@ -196,9 +196,9 @@ func NewDistributorHTTPService(opts Options) *corev1.Service { } } -func configureDistributorServiceMonitorPKI(deployment *appsv1.Deployment, stackName string) error { +func configureDistributorHTTPServicePKI(deployment *appsv1.Deployment, stackName string) error { serviceName := serviceNameDistributorHTTP(stackName) - return configureServiceMonitorPKI(&deployment.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName) } func configureDistributorGRPCServicePKI(deployment *appsv1.Deployment, stackName, stackNS string) error { 
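Review bot: `configureCompactorHTTPServicePKI` is, after the rename, the same two-line body as the wrappers in distributor.go, indexgateway.go, ingester.go, querier.go, query-frontend.go and ruler.go — each resolves its service name and forwards `&x.Spec.Template.Spec` to `configureHTTPServicePKI` — so the seven wrappers could be folded into their call sites, e.g. `configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceNameCompactorHTTP(opts.Name))` in BuildCompactor. If they stay, the parameter name should follow the neighbouring `configureCompactorGRPCServicePKI`, which already uses `sts` for the same type. None of the renamed wrappers has a doc comment; one line such as `// configureCompactorHTTPServicePKI mounts the compactor's HTTP TLS secret, adds the server cert/key args and switches its probes to HTTPS.` describes what the shared helper does to the pod spec.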
diff --git a/operator/internal/manifests/gateway.go b/operator/internal/manifests/gateway.go index c98b7bf398..38cc884aa7 100644 --- a/operator/internal/manifests/gateway.go +++ b/operator/internal/manifests/gateway.go @@ -40,7 +40,7 @@ func BuildGateway(opts Options) ([]client.Object, error) { objs := []client.Object{cm, dpl, svc, ing} - if opts.Flags.EnableTLSServiceMonitorConfig { + if opts.Flags.EnableTLSHTTPServices { serviceName := serviceNameGatewayHTTP(opts.Name) if err := configureGatewayMetricsPKI(&dpl.Spec.Template.Spec, serviceName); err != nil { return nil, err diff --git a/operator/internal/manifests/gateway_tenants.go b/operator/internal/manifests/gateway_tenants.go index dba5e04ca5..a91ed4ef99 100644 --- a/operator/internal/manifests/gateway_tenants.go +++ b/operator/internal/manifests/gateway_tenants.go @@ -72,7 +72,7 @@ func configureDeploymentForMode(d *appsv1.Deployment, mode lokiv1beta1.ModeType, caBundleName, caBundleDir, caFile, - flags.EnableTLSServiceMonitorConfig, + flags.EnableTLSHTTPServices, flags.EnableCertificateSigningService, secretName, serverName, diff --git a/operator/internal/manifests/gateway_tenants_test.go b/operator/internal/manifests/gateway_tenants_test.go index 64a985a019..37a321fdcc 100644 --- a/operator/internal/manifests/gateway_tenants_test.go +++ b/operator/internal/manifests/gateway_tenants_test.go @@ -357,6 +357,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { stackName: "test", stackNs: "test-ns", flags: FeatureFlags{ + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: true, }, dpl: &appsv1.Deployment{ @@ -536,6 +537,7 @@ func TestConfigureDeploymentForMode(t *testing.T) { stackName: "test", stackNs: "test-ns", flags: FeatureFlags{ + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: true, EnableCertificateSigningService: true, }, 
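Review bot: `BuildGateway` now gates `configureGatewayMetricsPKI` on `EnableTLSHTTPServices`, while every other component in this patch renamed its `…ServiceMonitorPKI` helper to `…HTTPServicePKI` to follow the new flag; the gateway helper keeps a name that still describes the old metrics-scraping purpose. Renaming it to `configureGatewayHTTPServicePKI` keeps the flag and helper names aligned, though its body is outside the hunk, so I can't confirm whether it configures more than the metrics listener. BuildGateway starts and ends outside the hunk.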
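Review bot: `configureDeploymentForMode` passes `flags.EnableTLSHTTPServices` positionally into an argument list where it sits directly next to `flags.EnableCertificateSigningService`, two adjacent unlabelled booleans; the matching parameter on the OpenShift side appears to be `withTLS` (see the openshift/configure.go hunk in this patch), so swapping the two would compile silently. A trailing comment on the argument, `flags.EnableTLSHTTPServices, // withTLS`, or passing the flags struct instead of two booleans would make the mapping visible at the call site. The enclosing call and function start and end outside the hunk.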
@@ -822,6 +824,7 @@ func TestConfigureServiceMonitorForMode(t *testing.T) { desc: "openshift-logging mode with-tls-service-monitor-config", mode: lokiv1beta1.OpenshiftLogging, flags: FeatureFlags{ + EnableTLSHTTPServices: true, EnableTLSServiceMonitorConfig: true, }, sm: &monitoringv1.ServiceMonitor{ diff --git a/operator/internal/manifests/indexgateway.go b/operator/internal/manifests/indexgateway.go index 0394b37230..439f90ad44 100644 --- a/operator/internal/manifests/indexgateway.go +++ b/operator/internal/manifests/indexgateway.go @@ -19,8 +19,8 @@ import ( // BuildIndexGateway returns a list of k8s objects for Loki IndexGateway func BuildIndexGateway(opts Options) ([]client.Object, error) { statefulSet := NewIndexGatewayStatefulSet(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureIndexGatewayServiceMonitorPKI(statefulSet, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureIndexGatewayHTTPServicePKI(statefulSet, opts.Name); err != nil { return nil, err } } @@ -220,9 +220,9 @@ func NewIndexGatewayHTTPService(opts Options) *corev1.Service { } } -func configureIndexGatewayServiceMonitorPKI(statefulSet *appsv1.StatefulSet, stackName string) error { +func configureIndexGatewayHTTPServicePKI(statefulSet *appsv1.StatefulSet, stackName string) error { serviceName := serviceNameIndexGatewayHTTP(stackName) - return configureServiceMonitorPKI(&statefulSet.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName) } func configureIndexGatewayGRPCServicePKI(sts *appsv1.StatefulSet, stackName string) error { diff --git a/operator/internal/manifests/ingester.go b/operator/internal/manifests/ingester.go index 2265d4a9b0..4394913516 100644 --- a/operator/internal/manifests/ingester.go +++ b/operator/internal/manifests/ingester.go 
@@ -23,8 +23,8 @@ import ( // BuildIngester builds the k8s objects required to run Loki Ingester func BuildIngester(opts Options) ([]client.Object, error) { statefulSet := NewIngesterStatefulSet(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureIngesterServiceMonitorPKI(statefulSet, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureIngesterHTTPServicePKI(statefulSet, opts.Name); err != nil { return nil, err } } @@ -252,9 +252,9 @@ func NewIngesterHTTPService(opts Options) *corev1.Service { } } -func configureIngesterServiceMonitorPKI(statefulSet *appsv1.StatefulSet, stackName string) error { +func configureIngesterHTTPServicePKI(statefulSet *appsv1.StatefulSet, stackName string) error { serviceName := serviceNameIngesterHTTP(stackName) - return configureServiceMonitorPKI(&statefulSet.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName) } func configureIngesterGRPCServicePKI(sts *appsv1.StatefulSet, stackName, stackNS string) error { diff --git a/operator/internal/manifests/openshift/configure.go b/operator/internal/manifests/openshift/configure.go index 42efca26a9..9cd489c735 100644 --- a/operator/internal/manifests/openshift/configure.go +++ b/operator/internal/manifests/openshift/configure.go @@ -107,7 +107,7 @@ func ConfigureGatewayDeployment( gwContainer.LivenessProbe.ProbeHandler.HTTPGet.Scheme = corev1.URISchemeHTTPS gwContainer.Args = gwArgs - // Create and mount TLS secrets volumes if it's not already done by the service monitor config. + // Create and mount TLS secrets volumes if not already created. if !withTLS { gwVolumes = append(gwVolumes, corev1.Volume{ Name: secretVolumeName, diff --git a/operator/internal/manifests/options.go b/operator/internal/manifests/options.go index da26c70d04..2c29b1b527 100644 --- a/operator/internal/manifests/options.go +++ b/operator/internal/manifests/options.go 
@@ -37,6 +37,7 @@ type Options struct { type FeatureFlags struct { EnableCertificateSigningService bool EnableServiceMonitors bool + EnableTLSHTTPServices bool EnableTLSServiceMonitorConfig bool EnableTLSGRPCServices bool EnablePrometheusAlerts bool diff --git a/operator/internal/manifests/querier.go b/operator/internal/manifests/querier.go index 965e88aba3..d917dadf5c 100644 --- a/operator/internal/manifests/querier.go +++ b/operator/internal/manifests/querier.go @@ -21,8 +21,8 @@ import ( // BuildQuerier returns a list of k8s objects for Loki Querier func BuildQuerier(opts Options) ([]client.Object, error) { deployment := NewQuerierDeployment(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureQuerierServiceMonitorPKI(deployment, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureQuerierHTTPServicePKI(deployment, opts.Name); err != nil { return nil, err } } @@ -202,9 +202,9 @@ func NewQuerierHTTPService(opts Options) *corev1.Service { } } -func configureQuerierServiceMonitorPKI(deployment *appsv1.Deployment, stackName string) error { +func configureQuerierHTTPServicePKI(deployment *appsv1.Deployment, stackName string) error { serviceName := serviceNameQuerierHTTP(stackName) - return configureServiceMonitorPKI(&deployment.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName) } func configureQuerierGRPCServicePKI(deployment *appsv1.Deployment, stackName, stackNS string) error { diff --git a/operator/internal/manifests/query-frontend.go b/operator/internal/manifests/query-frontend.go index 7689e2536b..53402123f1 100644 --- a/operator/internal/manifests/query-frontend.go +++ b/operator/internal/manifests/query-frontend.go 
@@ -17,8 +17,8 @@ import ( // BuildQueryFrontend returns a list of k8s objects for Loki QueryFrontend func BuildQueryFrontend(opts Options) ([]client.Object, error) { deployment := NewQueryFrontendDeployment(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureQueryFrontendServiceMonitorPKI(deployment, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureQueryFrontendHTTPServicePKI(deployment, opts.Name); err != nil { return nil, err } } @@ -206,9 +206,9 @@ func NewQueryFrontendHTTPService(opts Options) *corev1.Service { } } -func configureQueryFrontendServiceMonitorPKI(deployment *appsv1.Deployment, stackName string) error { +func configureQueryFrontendHTTPServicePKI(deployment *appsv1.Deployment, stackName string) error { serviceName := serviceNameQueryFrontendHTTP(stackName) - return configureServiceMonitorPKI(&deployment.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName) } func configureQueryFrontendGRPCServicePKI(deployment *appsv1.Deployment, stackName string) error { diff --git a/operator/internal/manifests/ruler.go b/operator/internal/manifests/ruler.go index f0545b205f..45001c34c1 100644 --- a/operator/internal/manifests/ruler.go +++ b/operator/internal/manifests/ruler.go @@ -20,8 +20,8 @@ import ( // BuildRuler returns a list of k8s objects for Loki Stack Ruler func BuildRuler(opts Options) ([]client.Object, error) { statefulSet := NewRulerStatefulSet(opts) - if opts.Flags.EnableTLSServiceMonitorConfig { - if err := configureRulerServiceMonitorPKI(statefulSet, opts.Name); err != nil { + if opts.Flags.EnableTLSHTTPServices { + if err := configureRulerHTTPServicePKI(statefulSet, opts.Name); err != nil { return nil, err } } 
@@ -266,9 +266,9 @@ func NewRulerHTTPService(opts Options) *corev1.Service { } } -func configureRulerServiceMonitorPKI(statefulSet *appsv1.StatefulSet, stackName string) error { +func configureRulerHTTPServicePKI(statefulSet *appsv1.StatefulSet, stackName string) error { serviceName := serviceNameRulerHTTP(stackName) - return configureServiceMonitorPKI(&statefulSet.Spec.Template.Spec, serviceName) + return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName) } func configureRulerGRPCServicePKI(sts *appsv1.StatefulSet, stackName string) error { diff --git a/operator/internal/manifests/service.go b/operator/internal/manifests/service.go index 2816337723..19ce5fea05 100644 --- a/operator/internal/manifests/service.go +++ b/operator/internal/manifests/service.go 
@@ -46,3 +46,61 @@ func configureGRPCServicePKI(podSpec *corev1.PodSpec, serviceName string) error return nil } + +func configureHTTPServicePKI(podSpec *corev1.PodSpec, serviceName string) error { + secretVolumeSpec := corev1.PodSpec{ + Volumes: []corev1.Volume{ + { + Name: serviceName, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: serviceName, + }, + }, + }, + }, + } + secretContainerSpec := corev1.Container{ + VolumeMounts: []corev1.VolumeMount{ + { + Name: serviceName, + ReadOnly: false, + MountPath: httpTLSDir, + }, + }, + Args: []string{ + fmt.Sprintf("-server.http-tls-cert-path=%s", path.Join(httpTLSDir, tlsCertFile)), + fmt.Sprintf("-server.http-tls-key-path=%s", path.Join(httpTLSDir, tlsKeyFile)), + }, + } + uriSchemeContainerSpec := corev1.Container{ + ReadinessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Scheme: corev1.URISchemeHTTPS, + }, + }, + }, + LivenessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Scheme: corev1.URISchemeHTTPS, + }, + }, + }, + } + + if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil { + return kverrors.Wrap(err, "failed to merge volumes") + } + + if err := mergo.Merge(&podSpec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil { + return kverrors.Wrap(err, "failed to merge container") + } + + if err := mergo.Merge(&podSpec.Containers[0], uriSchemeContainerSpec, mergo.WithOverride); err != nil { + return kverrors.Wrap(err, "failed to merge container") + } + + return nil +} diff --git a/operator/internal/manifests/service_monitor.go b/operator/internal/manifests/service_monitor.go index ed4335dd22..07b1d0542b 100644 --- a/operator/internal/manifests/service_monitor.go +++ b/operator/internal/manifests/service_monitor.go 
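Review bot: `configureHTTPServicePKI` mounts the secret that holds the server private key (`tlsKeyFile` under `httpTLSDir`) with `ReadOnly: false`; nothing in the container needs to write there, so `ReadOnly: true` on the VolumeMount states the intent (as far as I know the kubelet serves secret volumes read-only regardless — worth confirming), and the `expVolumeMount` in build_test.go would change with it. Independently, the two container merges return the identical message `"failed to merge container"`, so a failure can't be attributed to the mount/args merge versus the probe-scheme merge; `"failed to merge container volume mounts and args"` and `"failed to merge container probe scheme"` would distinguish them. `podSpec.Containers[0]` is indexed without a length check, which panics rather than errors on an empty pod spec; a guard `if len(podSpec.Containers) == 0 { return kverrors.New("pod spec has no containers") }` before the merges turns that into a reported error. The function also has no doc comment; one sentence stating that it mounts the `serviceName` secret, adds the `-server.http-tls-cert-path`/`-server.http-tls-key-path` args to the first container and switches both probes to HTTPS would cover it.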
@@ -1,16 +1,10 @@ package manifests import ( - "fmt" - "path" - - "github.com/ViaQ/logerr/v2/kverrors" - corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "sigs.k8s.io/controller-runtime/pkg/client" - "github.com/imdario/mergo" monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" ) @@ -147,61 +141,3 @@ func newServiceMonitor(namespace, serviceMonitorName string, labels labels.Set, }, } } - -func configureServiceMonitorPKI(podSpec *corev1.PodSpec, serviceName string) error { - secretVolumeSpec := corev1.PodSpec{ - Volumes: []corev1.Volume{ - { - Name: serviceName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: serviceName, - }, - }, - }, - }, - } - secretContainerSpec := corev1.Container{ - VolumeMounts: []corev1.VolumeMount{ - { - Name: serviceName, - ReadOnly: false, - MountPath: httpTLSDir, - }, - }, - Args: []string{ - fmt.Sprintf("-server.http-tls-cert-path=%s", path.Join(httpTLSDir, tlsCertFile)), - fmt.Sprintf("-server.http-tls-key-path=%s", path.Join(httpTLSDir, tlsKeyFile)), - }, - } - uriSchemeContainerSpec := corev1.Container{ - ReadinessProbe: &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{ - HTTPGet: &corev1.HTTPGetAction{ - Scheme: corev1.URISchemeHTTPS, - }, - }, - }, - LivenessProbe: &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{ - HTTPGet: &corev1.HTTPGetAction{ - Scheme: corev1.URISchemeHTTPS, - }, - }, - }, - } - - if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil { - return kverrors.Wrap(err, "failed to merge volumes") - } - - if err := mergo.Merge(&podSpec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil { - return kverrors.Wrap(err, "failed to merge container") - } - - if err := mergo.Merge(&podSpec.Containers[0], uriSchemeContainerSpec, mergo.WithOverride); err != nil { - return kverrors.Wrap(err, "failed to merge container") - } - - return nil -} 
diff --git a/operator/main.go b/operator/main.go index d59a16feaf..0816196c43 100644 --- a/operator/main.go +++ b/operator/main.go @@ -71,6 +71,11 @@ func main() { os.Exit(1) } + if ctrlCfg.Flags.EnableTLSServiceMonitorConfig && !ctrlCfg.Flags.EnableTLSHTTPServices { + logger.Error(kverrors.New("enableTlsServiceMonitorConfig flag requires enableTlsHttpServices"), "") + os.Exit(1) + } + if ctrlCfg.Flags.EnableServiceMonitors || ctrlCfg.Flags.EnableTLSServiceMonitorConfig { utilruntime.Must(monitoringv1.AddToScheme(scheme)) } @@ -92,6 +97,7 @@ func main() { featureFlags := manifests.FeatureFlags{ EnableCertificateSigningService: ctrlCfg.Flags.EnableCertificateSigningService, EnableServiceMonitors: ctrlCfg.Flags.EnableServiceMonitors, + EnableTLSHTTPServices: ctrlCfg.Flags.EnableTLSHTTPServices, EnableTLSServiceMonitorConfig: ctrlCfg.Flags.EnableTLSServiceMonitorConfig, EnableTLSGRPCServices: ctrlCfg.Flags.EnableTLSGRPCServices, EnablePrometheusAlerts: ctrlCfg.Flags.EnablePrometheusAlerts,
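Review bot: The new guard calls `logger.Error(kverrors.New("enableTlsServiceMonitorConfig flag requires enableTlsHttpServices"), "")` with an empty message argument, so the structured log line has no `msg` and the reason lives only inside the error value; `logger.Error(err, "invalid feature flag combination")` with the same error keeps both fields meaningful. The check is one-directional: `EnableTLSHTTPServices` together with `EnableServiceMonitors` but without `EnableTLSServiceMonitorConfig` is still accepted, and would presumably leave the ServiceMonitors scraping components that now serve HTTPS — unless the monitor config handles that elsewhere, which I can't see from this diff; either a second guard or a comment recording that decision would help. The same combination is accepted without any check by the loki-broker flags in cmd/loki-broker/main.go in this patch. main continues outside the hunk.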