operator: Move Loki TLS configuration into ConfigMap (#7738)

3 years ago · 72e6fcc9d2
parent fbd5bbb09d
commit 72e6fcc9d2
14 changed files with 498 additions and 504 deletions
--- a/operator/internal/manifests/build_test.go
+++ b/operator/internal/manifests/build_test.go
@ -2,7 +2,6 @@ package manifests

 import (
 	"fmt"
-	"strings"
 	"testing"

 	"github.com/ViaQ/logerr/v2/kverrors"
@ -348,14 +347,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			HTTPEncryption: true,
 		},
 	}
-	ciphers := strings.Join([]string{
-		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-	}, ",")

 	err := ApplyDefaultSettings(&opts)
 	require.NoError(t, err)
@ -369,7 +360,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			name string
 			vs   []corev1.Volume
 			vms  []corev1.VolumeMount
-			args []string
 			rps  corev1.URIScheme
 			lps  corev1.URIScheme
 		)
@ -379,14 +369,12 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		case *appsv1.StatefulSet:
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		default:
@ -411,10 +399,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 		}
 		require.Contains(t, vms, expVolumeMount)

-		require.Contains(t, args, "-server.tls-min-version=VersionTLS12")
-		require.Contains(t, args, fmt.Sprintf("-server.tls-cipher-suites=%s", ciphers))
-		require.Contains(t, args, "-server.http-tls-cert-path=/var/run/tls/http/server/tls.crt")
-		require.Contains(t, args, "-server.http-tls-key-path=/var/run/tls/http/server/tls.key")
 		require.Equal(t, corev1.URISchemeHTTPS, rps)
 		require.Equal(t, corev1.URISchemeHTTPS, lps)
 	}
@ -448,7 +432,6 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 			name string
 			vs   []corev1.Volume
 			vms  []corev1.VolumeMount
-			args []string
 			rps  corev1.URIScheme
 			lps  corev1.URIScheme
 		)
@ -458,14 +441,12 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		case *appsv1.StatefulSet:
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		default:
@ -490,8 +471,6 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 		}
 		require.Contains(t, vms, expVolumeMount)

-		require.Contains(t, args, "-server.http-tls-cert-path=/var/run/tls/http/server/tls.crt")
-		require.Contains(t, args, "-server.http-tls-key-path=/var/run/tls/http/server/tls.key")
 		require.Equal(t, corev1.URISchemeHTTPS, rps)
 		require.Equal(t, corev1.URISchemeHTTPS, lps)
 	}
@ -602,15 +581,6 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {
 		"test-ruler":         "test-ruler-grpc",
 	}

-	ciphers := strings.Join([]string{
-		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-	}, ",")
-
 	for _, tst := range table {
 		tst := tst
 		t.Run(tst.desc, func(t *testing.T) {
@ -643,12 +613,6 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {

 				t.Run(name, func(t *testing.T) {
 					secretName := secretsMap[name]
-					args := []string{
-						"-server.grpc-tls-cert-path=/var/run/tls/grpc/server/tls.crt",
-						"-server.grpc-tls-key-path=/var/run/tls/grpc/server/tls.key",
-						"-server.tls-min-version=VersionTLS12",
-						fmt.Sprintf("-server.tls-cipher-suites=%s", ciphers),
-					}

 					vm := corev1.VolumeMount{
 						Name:      secretName,
@ -666,11 +630,9 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {
 					}

 					if tst.BuildOptions.Gates.GRPCEncryption {
-						require.Subset(t, spec.Containers[0].Args, args)
 						require.Contains(t, spec.Containers[0].VolumeMounts, vm)
 						require.Contains(t, spec.Volumes, v)
 					} else {
-						require.NotSubset(t, spec.Containers[0].Args, args)
 						require.NotContains(t, spec.Containers[0].VolumeMounts, vm)
 						require.NotContains(t, spec.Volumes, v)
 					}
--- a/operator/internal/manifests/compactor.go
+++ b/operator/internal/manifests/compactor.go
@ -119,13 +119,6 @@ func NewCompactorStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Compactor != nil {
 		podSpec.Tolerations = opts.Stack.Template.Compactor.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Compactor.NodeSelector
@ -241,7 +234,7 @@ func NewCompactorHTTPService(opts Options) *corev1.Service {

 func configureCompactorHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameCompactorHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }

 func configureCompactorGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
--- a/operator/internal/manifests/config.go
+++ b/operator/internal/manifests/config.go
@ -82,6 +82,34 @@ func ConfigOptions(opt Options) config.Options {

 	return config.Options{
 		Stack: opt.Stack,
+		Gates: opt.Gates,
+		TLS: config.TLSOptions{
+			Ciphers:       opt.TLSProfile.Ciphers,
+			MinTLSVersion: opt.TLSProfile.MinTLSVersion,
+			Paths: config.TLSFilePaths{
+				CA: signingCAPath(),
+				GRPC: config.TLSCertPath{
+					Certificate: lokiServerGRPCTLSCert(),
+					Key:         lokiServerGRPCTLSKey(),
+				},
+				HTTP: config.TLSCertPath{
+					Certificate: lokiServerHTTPTLSCert(),
+					Key:         lokiServerHTTPTLSKey(),
+				},
+			},
+			ServerNames: config.TLSServerNames{
+				GRPC: config.GRPCServerNames{
+					IndexGateway:  fqdn(serviceNameIndexGatewayGRPC(opt.Name), opt.Namespace),
+					Ingester:      fqdn(serviceNameIngesterGRPC(opt.Name), opt.Namespace),
+					QueryFrontend: fqdn(serviceNameQueryFrontendGRPC(opt.Name), opt.Namespace),
+					Ruler:         fqdn(serviceNameRulerGRPC(opt.Name), opt.Namespace),
+				},
+				HTTP: config.HTTPServerNames{
+					Compactor: fqdn(serviceNameCompactorHTTP(opt.Name), opt.Namespace),
+					Querier:   fqdn(serviceNameQuerierHTTP(opt.Name), opt.Namespace),
+				},
+			},
+		},
 		Namespace: opt.Namespace,
 		Name:      opt.Name,
 		Compactor: config.Address{
--- a/operator/internal/manifests/distributor.go
+++ b/operator/internal/manifests/distributor.go
@ -6,8 +6,6 @@ import (

 	"github.com/grafana/loki/operator/internal/manifests/internal/config"

-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -115,13 +113,6 @@ func NewDistributorDeployment(opts Options) *appsv1.Deployment {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Distributor != nil {
 		podSpec.Tolerations = opts.Stack.Template.Distributor.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Distributor.NodeSelector
@ -218,27 +209,10 @@ func NewDistributorHTTPService(opts Options) *corev1.Service {

 func configureDistributorHTTPServicePKI(deployment *appsv1.Deployment, opts Options) error {
 	serviceName := serviceNameDistributorHTTP(opts.Name)
-	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }

 func configureDistributorGRPCServicePKI(deployment *appsv1.Deployment, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&deployment.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameDistributorGRPC(opts.Name)
 	return configureGRPCServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }
--- a/operator/internal/manifests/indexgateway.go
+++ b/operator/internal/manifests/indexgateway.go
@ -119,13 +119,6 @@ func NewIndexGatewayStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.IndexGateway != nil {
 		podSpec.Tolerations = opts.Stack.Template.IndexGateway.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.IndexGateway.NodeSelector
@ -242,7 +235,7 @@ func NewIndexGatewayHTTPService(opts Options) *corev1.Service {

 func configureIndexGatewayHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameIndexGatewayHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }

 func configureIndexGatewayGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
--- a/operator/internal/manifests/ingester.go
+++ b/operator/internal/manifests/ingester.go
@ -7,8 +7,6 @@ import (
 	"github.com/grafana/loki/operator/internal/manifests/internal/config"
 	"github.com/grafana/loki/operator/internal/manifests/storage"

-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@ -131,13 +129,6 @@ func NewIngesterStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Ingester != nil {
 		podSpec.Tolerations = opts.Stack.Template.Ingester.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Ingester.NodeSelector
@ -271,35 +262,10 @@ func NewIngesterHTTPService(opts Options) *corev1.Service {

 func configureIngesterHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameIngesterHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }

 func configureIngesterGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for boltb-shipper index-gateway client
-			"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&sts.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameIngesterGRPC(opts.Name)
 	return configureGRPCServicePKI(&sts.Spec.Template.Spec, serviceName)
 }
--- a/operator/internal/manifests/internal/config/build_test.go
+++ b/operator/internal/manifests/internal/config/build_test.go
@ -3,6 +3,7 @@ package config
 import (
 	"testing"

+	configv1 "github.com/grafana/loki/operator/apis/config/v1"
 	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 	"github.com/grafana/loki/operator/internal/manifests/storage"
 	"github.com/stretchr/testify/require"
@ -2307,3 +2308,330 @@ overrides:
 	require.YAMLEq(t, expCfg, string(cfg))
 	require.YAMLEq(t, expRCfg, string(rCfg))
 }
+
+func TestBuild_ConfigAndRuntimeConfig_WithTLS(t *testing.T) {
+	expCfg := `
+---
+auth_enabled: true
+chunk_store_config:
+  chunk_cache_config:
+    enable_fifocache: true
+    fifocache:
+      max_size_bytes: 500MB
+common:
+  storage:
+    s3:
+      s3: http://test.default.svc.cluster.local.:9000
+      bucketnames: loki
+      region: us-east
+      access_key_id: test
+      secret_access_key: test123
+      s3forcepathstyle: true
+  compactor_address: http://loki-compactor-http-lokistack-dev.default.svc.cluster.local:3100
+compactor:
+  compaction_interval: 2h
+  working_directory: /tmp/loki/compactor
+frontend:
+  tail_proxy_url: http://loki-querier-http-lokistack-dev.default.svc.cluster.local:3100
+  tail_tls_config:
+    tls_cert_path: /var/run/tls/http/tls.crt
+    tls_key_path: /var/run/tls/http/tls.key
+    tls_ca_path: /var/run/tls/ca.pem
+    tls_server_name: querier-http.svc
+    tls_cipher_suites: cipher1,cipher2
+    tls_min_version: VersionTLS12
+  compress_responses: true
+  max_outstanding_per_tenant: 256
+  log_queries_longer_than: 5s
+frontend_worker:
+  frontend_address: loki-query-frontend-grpc-lokistack-dev.default.svc.cluster.local:9095
+  grpc_client_config:
+    max_send_msg_size: 104857600
+    tls_enabled: true
+    tls_cert_path: /var/run/tls/grpc/tls.crt
+    tls_key_path: /var/run/tls/grpc/tls.key
+    tls_ca_path: /var/run/tls/ca.pem
+    tls_server_name: query-frontend-grpc.svc
+    tls_cipher_suites: cipher1,cipher2
+    tls_min_version: VersionTLS12
+  match_max_concurrent: true
+ingester:
+  chunk_block_size: 262144
+  chunk_encoding: snappy
+  chunk_idle_period: 1h
+  chunk_retain_period: 5m
+  chunk_target_size: 2097152
+  flush_op_timeout: 10m
+  lifecycler:
+    final_sleep: 0s
+    heartbeat_period: 5s
+    join_after: 30s
+    num_tokens: 512
+    ring:
+      replication_factor: 1
+      heartbeat_timeout: 1m
+  max_chunk_age: 2h
+  max_transfer_retries: 0
+  wal:
+    enabled: true
+    dir: /tmp/wal
+    replay_memory_ceiling: 2500
+ingester_client:
+  grpc_client_config:
+    max_recv_msg_size: 67108864
+    tls_enabled: true
+    tls_cert_path: /var/run/tls/grpc/tls.crt
+    tls_key_path: /var/run/tls/grpc/tls.key
+    tls_ca_path: /var/run/tls/ca.pem
+    tls_server_name: ingester-grpc.svc
+    tls_cipher_suites: cipher1,cipher2
+    tls_min_version: VersionTLS12
+  remote_timeout: 1s
+# NOTE: Keep the order of keys as in Loki docs
+# to enable easy diffs when vendoring newer
+# Loki releases.
+# (See https://grafana.com/docs/loki/latest/configuration/#limits_config)
+#
+# Values for not exposed fields are taken from the grafana/loki production
+# configuration manifests.
+# (See https://github.com/grafana/loki/blob/main/production/ksonnet/loki/config.libsonnet)
+limits_config:
+  ingestion_rate_strategy: global
+  ingestion_rate_mb: 4
+  ingestion_burst_size_mb: 6
+  max_label_name_length: 1024
+  max_label_value_length: 2048
+  max_label_names_per_series: 30
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+  creation_grace_period: 10m
+  enforce_metric_name: false
+  # Keep max_streams_per_user always to 0 to default
+  # using max_global_streams_per_user always.
+  # (See https://github.com/grafana/loki/blob/main/pkg/ingester/limiter.go#L73)
+  max_streams_per_user: 0
+  max_line_size: 256000
+  max_entries_limit_per_query: 5000
+  max_global_streams_per_user: 0
+  max_chunks_per_query: 2000000
+  max_query_length: 721h
+  max_query_parallelism: 32
+  max_query_series: 500
+  cardinality_limit: 100000
+  max_streams_matchers_per_query: 1000
+  max_cache_freshness_per_query: 10m
+  per_stream_rate_limit: 3MB
+  per_stream_rate_limit_burst: 15MB
+  split_queries_by_interval: 30m
+  query_timeout: 1m
+memberlist:
+  abort_if_cluster_join_fails: true
+  bind_port: 7946
+  join_members:
+    - loki-gossip-ring-lokistack-dev.default.svc.cluster.local:7946
+  max_join_backoff: 1m
+  max_join_retries: 10
+  min_join_backoff: 1s
+querier:
+  engine:
+    max_look_back_period: 30s
+    timeout: 3m
+  extra_query_delay: 0s
+  max_concurrent: 2
+  query_ingesters_within: 3h
+  tail_max_duration: 1h
+compactor_client:
+  tls_enabled: true
+  tls_cert_path: /var/run/tls/http/tls.crt
+  tls_key_path: /var/run/tls/http/tls.key
+  tls_ca_path: /var/run/tls/ca.pem
+  tls_server_name: compactor-http.svc
+  tls_cipher_suites: cipher1,cipher2
+  tls_min_version: VersionTLS12
+query_range:
+  align_queries_with_step: true
+  cache_results: true
+  max_retries: 5
+  results_cache:
+    cache:
+      enable_fifocache: true
+      fifocache:
+        max_size_bytes: 500MB
+  parallelise_shardable_queries: true
+schema_config:
+  configs:
+    - from: "2020-10-01"
+      index:
+        period: 24h
+        prefix: index_
+      object_store: s3
+      schema: v11
+      store: boltdb-shipper
+
+internal_server:
+  enable: true
+  http_listen_address: ""
+  tls_min_version: VersionTLS12
+  tls_cipher_suites: cipher1,cipher2
+  http_tls_config:
+    cert_file: /var/run/tls/http/tls.crt
+    key_file: /var/run/tls/http/tls.key
+server:
+  graceful_shutdown_timeout: 5s
+  grpc_server_min_time_between_pings: '10s'
+  grpc_server_ping_without_stream_allowed: true
+  grpc_server_max_concurrent_streams: 1000
+  grpc_server_max_recv_msg_size: 104857600
+  grpc_server_max_send_msg_size: 104857600
+  http_listen_port: 3100
+  http_server_idle_timeout: 120s
+  http_server_write_timeout: 1m
+  tls_min_version: VersionTLS12
+  tls_cipher_suites: cipher1,cipher2
+  http_tls_config:
+    cert_file: /var/run/tls/http/tls.crt
+    key_file: /var/run/tls/http/tls.key
+    client_auth_type: RequireAndVerifyClientCert
+    client_ca_file: /var/run/tls/ca.pem
+  grpc_tls_config:
+    cert_file: /var/run/tls/grpc/tls.crt
+    key_file: /var/run/tls/grpc/tls.key
+    client_auth_type: RequireAndVerifyClientCert
+    client_ca_file: /var/run/tls/ca.pem
+  log_level: info
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /tmp/loki/index
+    cache_location: /tmp/loki/index_cache
+    cache_ttl: 24h
+    resync_interval: 5m
+    shared_store: s3
+    index_gateway_client:
+      server_address: dns:///loki-index-gateway-grpc-lokistack-dev.default.svc.cluster.local:9095
+      grpc_client_config:
+        tls_enabled: true
+        tls_cert_path: /var/run/tls/grpc/tls.crt
+        tls_key_path: /var/run/tls/grpc/tls.key
+        tls_ca_path: /var/run/tls/ca.pem
+        tls_server_name: index-gateway-grpc.svc
+        tls_cipher_suites: cipher1,cipher2
+        tls_min_version: VersionTLS12
+tracing:
+  enabled: false
+analytics:
+  reporting_enabled: true
+`
+	expRCfg := `
+---
+overrides:
+`
+	opts := Options{
+		Stack: lokiv1.LokiStackSpec{
+			ReplicationFactor: 1,
+			Limits: &lokiv1.LimitsSpec{
+				Global: &lokiv1.LimitsTemplateSpec{
+					IngestionLimits: &lokiv1.IngestionLimitSpec{
+						IngestionRate:             4,
+						IngestionBurstSize:        6,
+						MaxLabelNameLength:        1024,
+						MaxLabelValueLength:       2048,
+						MaxLabelNamesPerSeries:    30,
+						MaxGlobalStreamsPerTenant: 0,
+						MaxLineSize:               256000,
+					},
+					QueryLimits: &lokiv1.QueryLimitSpec{
+						MaxEntriesLimitPerQuery: 5000,
+						MaxChunksPerQuery:       2000000,
+						MaxQuerySeries:          500,
+						QueryTimeout:            "1m",
+					},
+				},
+			},
+		},
+		Gates: configv1.FeatureGates{
+			HTTPEncryption: true,
+			GRPCEncryption: true,
+		},
+		TLS: TLSOptions{
+			Ciphers:       []string{"cipher1", "cipher2"},
+			MinTLSVersion: "VersionTLS12",
+			Paths: TLSFilePaths{
+				CA: "/var/run/tls/ca.pem",
+				GRPC: TLSCertPath{
+					Certificate: "/var/run/tls/grpc/tls.crt",
+					Key:         "/var/run/tls/grpc/tls.key",
+				},
+				HTTP: TLSCertPath{
+					Certificate: "/var/run/tls/http/tls.crt",
+					Key:         "/var/run/tls/http/tls.key",
+				},
+			},
+			ServerNames: TLSServerNames{
+				GRPC: GRPCServerNames{
+					IndexGateway:  "index-gateway-grpc.svc",
+					Ingester:      "ingester-grpc.svc",
+					QueryFrontend: "query-frontend-grpc.svc",
+					Ruler:         "ruler-grpc.svc",
+				},
+				HTTP: HTTPServerNames{
+					Compactor: "compactor-http.svc",
+					Querier:   "querier-http.svc",
+				},
+			},
+		},
+		Namespace: "test-ns",
+		Name:      "test",
+		Compactor: Address{
+			FQDN:     "loki-compactor-http-lokistack-dev.default.svc.cluster.local",
+			Port:     3100,
+			Protocol: "http",
+		},
+		FrontendWorker: Address{
+			FQDN: "loki-query-frontend-grpc-lokistack-dev.default.svc.cluster.local",
+			Port: 9095,
+		},
+		GossipRing: Address{
+			FQDN: "loki-gossip-ring-lokistack-dev.default.svc.cluster.local",
+			Port: 7946,
+		},
+		Querier: Address{
+			Protocol: "http",
+			FQDN:     "loki-querier-http-lokistack-dev.default.svc.cluster.local",
+			Port:     3100,
+		},
+		IndexGateway: Address{
+			FQDN: "loki-index-gateway-grpc-lokistack-dev.default.svc.cluster.local",
+			Port: 9095,
+		},
+		StorageDirectory: "/tmp/loki",
+		MaxConcurrent: MaxConcurrent{
+			AvailableQuerierCPUCores: 2,
+		},
+		WriteAheadLog: WriteAheadLog{
+			Directory:             "/tmp/wal",
+			IngesterMemoryRequest: 5000,
+		},
+		ObjectStorage: storage.Options{
+			SharedStore: lokiv1.ObjectStorageSecretS3,
+			S3: &storage.S3StorageConfig{
+				Endpoint:        "http://test.default.svc.cluster.local.:9000",
+				Region:          "us-east",
+				Buckets:         "loki",
+				AccessKeyID:     "test",
+				AccessKeySecret: "test123",
+			},
+			Schemas: []lokiv1.ObjectStorageSchema{
+				{
+					Version:       lokiv1.ObjectStorageSchemaV11,
+					EffectiveDate: "2020-10-01",
+				},
+			},
+		},
+		EnableRemoteReporting: true,
+	}
+	cfg, rCfg, err := Build(opts)
+	require.NoError(t, err)
+	t.Log(string(cfg))
+	require.YAMLEq(t, expCfg, string(cfg))
+	require.YAMLEq(t, expRCfg, string(rCfg))
+}
--- a/operator/internal/manifests/internal/config/loki-config.yaml
+++ b/operator/internal/manifests/internal/config/loki-config.yaml
@ -1,3 +1,4 @@
+{{- /*gotype: github.com/grafana/loki/operator/internal/manifests/internal/config.Options*/ -}}
 ---
 auth_enabled: true
 chunk_store_config:
@ -55,6 +56,15 @@ compactor:
 {{- end }}{{- end }}
 frontend:
  tail_proxy_url: {{ .Querier.Protocol }}://{{ .Querier.FQDN }}:{{ .Querier.Port }}
+{{- if .Gates.HTTPEncryption }}
+  tail_tls_config:
+    tls_cert_path: {{ .TLS.Paths.HTTP.Certificate }}
+    tls_key_path: {{ .TLS.Paths.HTTP.Key }}
+    tls_ca_path: {{ .TLS.Paths.CA }}
+    tls_server_name: {{ .TLS.ServerNames.HTTP.Querier }}
+    tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+    tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
  compress_responses: true
  max_outstanding_per_tenant: 256
  log_queries_longer_than: 5s
@ -62,6 +72,15 @@ frontend_worker:
  frontend_address: {{ .FrontendWorker.FQDN }}:{{ .FrontendWorker.Port }}
  grpc_client_config:
    max_send_msg_size: 104857600
+{{- if .Gates.GRPCEncryption }}
+    tls_enabled: true
+    tls_cert_path: {{ .TLS.Paths.GRPC.Certificate }}
+    tls_key_path: {{ .TLS.Paths.GRPC.Key }}
+    tls_ca_path: {{ .TLS.Paths.CA }}
+    tls_server_name: {{ .TLS.ServerNames.GRPC.QueryFrontend }}
+    tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+    tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
  match_max_concurrent: true
 ingester:
  chunk_block_size: 262144
@ -87,6 +106,15 @@ ingester:
 ingester_client:
  grpc_client_config:
    max_recv_msg_size: 67108864
+{{- if .Gates.GRPCEncryption }}
+    tls_enabled: true
+    tls_cert_path: {{ .TLS.Paths.GRPC.Certificate }}
+    tls_key_path: {{ .TLS.Paths.GRPC.Key }}
+    tls_ca_path: {{ .TLS.Paths.CA }}
+    tls_server_name: {{ .TLS.ServerNames.GRPC.Ingester }}
+    tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+    tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
  remote_timeout: 1s
 # NOTE: Keep the order of keys as in Loki docs
 # to enable easy diffs when vendoring newer
@ -152,6 +180,16 @@ querier:
  query_ingesters_within: 3h
  tail_max_duration: 1h
  max_concurrent: {{ .MaxConcurrent.AvailableQuerierCPUCores }}
+{{- if .Gates.HTTPEncryption }}
+compactor_client:
+  tls_enabled: true
+  tls_cert_path: {{ .TLS.Paths.HTTP.Certificate }}
+  tls_key_path: {{ .TLS.Paths.HTTP.Key }}
+  tls_ca_path: {{ .TLS.Paths.CA }}
+  tls_server_name: {{ .TLS.ServerNames.HTTP.Compactor }}
+  tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+  tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
 query_range:
  align_queries_with_step: true
  cache_results: true
@ -334,7 +372,27 @@ ruler:
  ring:
    kvstore:
      store: memberlist
+{{- if .Gates.GRPCEncryption }}
+  ruler_client:
+    tls_enabled: true
+    tls_cert_path: {{ .TLS.Paths.GRPC.Certificate }}
+    tls_key_path: {{ .TLS.Paths.GRPC.Key }}
+    tls_ca_path: {{ .TLS.Paths.CA }}
+    tls_server_name: {{ .TLS.ServerNames.GRPC.Ruler }}
+    tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+    tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
 {{ end }}
+{{- if .Gates.HTTPEncryption }}
+internal_server:
+  enable: true
+  http_listen_address: ""
+  tls_min_version: {{ .TLS.MinTLSVersion }}
+  tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+  http_tls_config:
+    cert_file: {{ .TLS.Paths.HTTP.Certificate }}
+    key_file: {{ .TLS.Paths.HTTP.Key }}
+{{- end }}
 server:
  graceful_shutdown_timeout: 5s
  grpc_server_min_time_between_pings: '10s'
@ -345,6 +403,24 @@ server:
  http_listen_port: 3100
  http_server_idle_timeout: 120s
  http_server_write_timeout: 1m
+{{- if or .Gates.HTTPEncryption .Gates.GRPCEncryption }}
+  tls_min_version: {{ .TLS.MinTLSVersion }}
+  tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+{{- if .Gates.HTTPEncryption }}
+  http_tls_config:
+    cert_file: {{ .TLS.Paths.HTTP.Certificate }}
+    key_file: {{ .TLS.Paths.HTTP.Key }}
+    client_auth_type: RequireAndVerifyClientCert
+    client_ca_file: {{ .TLS.Paths.CA }}
+{{- end }}
+{{- if .Gates.GRPCEncryption }}
+  grpc_tls_config:
+    cert_file: {{ .TLS.Paths.GRPC.Certificate }}
+    key_file: {{ .TLS.Paths.GRPC.Key }}
+    client_auth_type: RequireAndVerifyClientCert
+    client_ca_file: {{ .TLS.Paths.CA }}
+{{- end }}
+{{- end }}
  log_level: info
 storage_config:
  boltdb_shipper:
@ -355,6 +431,16 @@ storage_config:
    shared_store: {{ .ObjectStorage.SharedStore }}
    index_gateway_client:
      server_address: dns:///{{ .IndexGateway.FQDN }}:{{ .IndexGateway.Port }}
+{{- if .Gates.GRPCEncryption }}
+      grpc_client_config:
+        tls_enabled: true
+        tls_cert_path: {{ .TLS.Paths.GRPC.Certificate }}
+        tls_key_path: {{ .TLS.Paths.GRPC.Key }}
+        tls_ca_path: {{ .TLS.Paths.CA }}
+        tls_server_name: {{ .TLS.ServerNames.GRPC.IndexGateway }}
+        tls_cipher_suites: {{ .TLS.CipherSuitesString }}
+        tls_min_version: {{ .TLS.MinTLSVersion }}
+{{- end }}
 tracing:
  enabled: false
 analytics:
--- a/operator/internal/manifests/internal/config/options.go
+++ b/operator/internal/manifests/internal/config/options.go
@ -5,6 +5,7 @@ import (
 	"math"
 	"strings"

+	configv1 "github.com/grafana/loki/operator/apis/config/v1"
 	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 	"github.com/grafana/loki/operator/internal/manifests/storage"
 )
@ -12,6 +13,8 @@ import (
 // Options is used to render the loki-config.yaml file template
 type Options struct {
 	Stack lokiv1.LokiStackSpec
+	Gates configv1.FeatureGates
+	TLS   TLSOptions

 	Namespace             string
 	Name                  string
@ -166,3 +169,42 @@ type RetentionOptions struct {
 	Enabled           bool
 	DeleteWorkerCount uint
 }
+
+type TLSOptions struct {
+	Ciphers       []string
+	MinTLSVersion string
+	Paths         TLSFilePaths
+	ServerNames   TLSServerNames
+}
+
+func (o TLSOptions) CipherSuitesString() string {
+	return strings.Join(o.Ciphers, ",")
+}
+
+type TLSFilePaths struct {
+	CA   string
+	GRPC TLSCertPath
+	HTTP TLSCertPath
+}
+
+type TLSCertPath struct {
+	Certificate string
+	Key         string
+}
+
+type TLSServerNames struct {
+	GRPC GRPCServerNames
+	HTTP HTTPServerNames
+}
+
+type GRPCServerNames struct {
+	IndexGateway  string
+	Ingester      string
+	QueryFrontend string
+	Ruler         string
+}
+
+type HTTPServerNames struct {
+	Compactor string
+	Querier   string
+}
--- a/operator/internal/manifests/querier.go
+++ b/operator/internal/manifests/querier.go
@ -7,8 +7,6 @@ import (
 	"github.com/grafana/loki/operator/internal/manifests/internal/config"
 	"github.com/grafana/loki/operator/internal/manifests/storage"

-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -120,13 +118,6 @@ func NewQuerierDeployment(opts Options) *appsv1.Deployment {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Querier != nil {
 		podSpec.Tolerations = opts.Stack.Template.Querier.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Querier.NodeSelector
@ -223,51 +214,10 @@ func NewQuerierHTTPService(opts Options) *corev1.Service {

 func configureQuerierHTTPServicePKI(deployment *appsv1.Deployment, opts Options) error {
 	serviceName := serviceNameQuerierHTTP(opts.Name)
-	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }

 func configureQuerierGRPCServicePKI(deployment *appsv1.Deployment, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable HTTP over TLS for compactor delete client
-			"-boltdb.shipper.compactor.client.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for query frontend client
-			"-querier.frontend-client.tls-enabled=true",
-			fmt.Sprintf("-querier.frontend-client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-querier.frontend-client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-querier.frontend-client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-querier.frontend-client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-querier.frontend-client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-querier.frontend-client.tls-server-name=%s", fqdn(serviceNameQueryFrontendGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for boltb-shipper index-gateway client
-			"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&deployment.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameQuerierGRPC(opts.Name)
 	return configureGRPCServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }
--- a/operator/internal/manifests/query-frontend.go
+++ b/operator/internal/manifests/query-frontend.go
@ -6,8 +6,6 @@ import (

 	"github.com/grafana/loki/operator/internal/manifests/internal/config"

-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -127,13 +125,6 @@ func NewQueryFrontendDeployment(opts Options) *appsv1.Deployment {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.QueryFrontend != nil {
 		podSpec.Tolerations = opts.Stack.Template.QueryFrontend.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.QueryFrontend.NodeSelector
@ -229,33 +220,8 @@ func NewQueryFrontendHTTPService(opts Options) *corev1.Service {
 }

 func configureQueryFrontendHTTPServicePKI(deployment *appsv1.Deployment, opts Options) error {
-	var qfIdx int
-	for i, c := range deployment.Spec.Template.Spec.Containers {
-		if c.Name == lokiFrontendContainerName {
-			qfIdx = i
-			break
-		}
-	}
-
-	url := fmt.Sprintf("https://%s:%d", fqdn(serviceNameQuerierHTTP(opts.Name), opts.Namespace), httpPort)
-
-	containerSpec := corev1.Container{
-		Args: []string{
-			fmt.Sprintf("-frontend.tail-proxy-url=%s", url),
-			fmt.Sprintf("-frontend.tail-tls-config.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-frontend.tail-tls-config.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-frontend.tail-tls-config.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-frontend.tail-tls-config.tls-cert-path=%s", lokiServerHTTPTLSCert()),
-			fmt.Sprintf("-frontend.tail-tls-config.tls-key-path=%s", lokiServerHTTPTLSKey()),
-		},
-	}
-
-	if err := mergo.Merge(&deployment.Spec.Template.Spec.Containers[qfIdx], containerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to add tls config args")
-	}
-
 	serviceName := serviceNameQueryFrontendHTTP(opts.Name)
-	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }

 func configureQueryFrontendGRPCServicePKI(deployment *appsv1.Deployment, opts Options) error {
--- a/operator/internal/manifests/ruler.go
+++ b/operator/internal/manifests/ruler.go
@ -8,8 +8,6 @@ import (
 	"github.com/grafana/loki/operator/internal/manifests/internal/config"
 	"github.com/grafana/loki/operator/internal/manifests/openshift"

-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@ -44,7 +42,7 @@ func BuildRuler(opts Options) ([]client.Object, error) {

 	objs := []client.Object{}
 	if opts.Stack.Tenants != nil {
-		if err := configureRulerStatefulSetForMode(statefulSet, opts.Stack.Tenants.Mode, opts.Name); err != nil {
+		if err := configureRulerStatefulSetForMode(statefulSet, opts.Stack.Tenants.Mode); err != nil {
 			return nil, err
 		}

@ -154,13 +152,6 @@ func NewRulerStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}

-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Ruler != nil {
 		podSpec.Tolerations = opts.Stack.Template.Ruler.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Ruler.NodeSelector
@ -299,59 +290,15 @@ func NewRulerHTTPService(opts Options) *corev1.Service {

 func configureRulerHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameRulerHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }

 func configureRulerGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable HTTP over TLS for compactor delete client
-			"-boltdb.shipper.compactor.client.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for boltb-shipper index-gateway client
-			"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for ruler client
-			"-ruler.client.tls-enabled=true",
-			fmt.Sprintf("-ruler.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ruler.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ruler.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ruler.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ruler.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ruler.client.tls-server-name=%s", fqdn(serviceNameRulerGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&sts.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameRulerGRPC(opts.Name)
 	return configureGRPCServicePKI(&sts.Spec.Template.Spec, serviceName)
 }

-func configureRulerStatefulSetForMode(
-	ss *appsv1.StatefulSet, mode lokiv1.ModeType,
-	stackName string,
-) error {
+func configureRulerStatefulSetForMode(ss *appsv1.StatefulSet, mode lokiv1.ModeType) error {
 	switch mode {
 	case lokiv1.Static, lokiv1.Dynamic:
 		return nil // nothing to configure
--- a/operator/internal/manifests/service.go
+++ b/operator/internal/manifests/service.go
@ -1,8 +1,6 @@
 package manifests

 import (
-	"fmt"
-
 	"github.com/ViaQ/logerr/v2/kverrors"
 	"github.com/imdario/mergo"
 	corev1 "k8s.io/api/core/v1"
@ -67,12 +65,6 @@ func configureGRPCServicePKI(podSpec *corev1.PodSpec, serviceName string) error
 				MountPath: lokiServerGRPCTLSDir(),
 			},
 		},
-		Args: []string{
-			fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-			"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-		},
 	}

 	if err := mergo.Merge(podSpec, secretVolumeSpec, mergo.WithAppendSlice); err != nil {
@ -86,7 +78,7 @@ func configureGRPCServicePKI(podSpec *corev1.PodSpec, serviceName string) error
 	return nil
 }

-func configureHTTPServicePKI(podSpec *corev1.PodSpec, serviceName, minTLSVersion, tlsCipherSuites string) error {
+func configureHTTPServicePKI(podSpec *corev1.PodSpec, serviceName string) error {
 	secretVolumeSpec := corev1.PodSpec{
 		Volumes: []corev1.Volume{
 			{
@ -108,20 +100,6 @@ func configureHTTPServicePKI(podSpec *corev1.PodSpec, serviceName, minTLSVersion
 				MountPath: lokiServerHTTPTLSDir(),
 			},
 		},
-		Args: []string{
-			// Expose ready handler through internal server without requiring mTLS
-			"-internal-server.enable=true",
-			"-internal-server.http-listen-address=",
-			fmt.Sprintf("-internal-server.http-tls-min-version=%s", minTLSVersion),
-			fmt.Sprintf("-internal-server.http-tls-cipher-suites=%s", tlsCipherSuites),
-			fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-			fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-			// Require mTLS for any other handler
-			fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-			fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-			"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-		},
 		Ports: []corev1.ContainerPort{
 			{
 				Name:          lokiInternalHTTPPortName,
--- a/operator/internal/manifests/service_test.go
+++ b/operator/internal/manifests/service_test.go
@ -5,13 +5,14 @@ import (
 	"strings"
 	"testing"

-	configv1 "github.com/grafana/loki/operator/apis/config/v1"
-	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	configv1 "github.com/grafana/loki/operator/apis/config/v1"
+	lokiv1 "github.com/grafana/loki/operator/apis/loki/v1"
 )

 // Test that the service ports have matching deployment/statefulset/daemonset ports on the podspec.
@ -313,7 +314,6 @@ func TestServices_WithEncryption(t *testing.T) {
 	tt := []struct {
 		desc             string
 		buildFunc        func(Options) ([]client.Object, error)
-		wantArgs         []string
 		wantPorts        []corev1.ContainerPort
 		wantVolumeMounts []corev1.VolumeMount
 		wantVolumes      []corev1.Volume
@ -321,24 +321,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "compactor",
 			buildFunc: BuildCompactor,
-			wantArgs: []string{
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -395,31 +377,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "distributor",
 			buildFunc: BuildDistributor,
-			wantArgs: []string{
-				"-ingester.client.tls-enabled=true",
-				fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(stackName), stackNs)),
-				"-ingester.client.tls-min-version=VersionTLS12",
-				"-ingester.client.tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -476,24 +433,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "index-gateway",
 			buildFunc: BuildIndexGateway,
-			wantArgs: []string{
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -550,38 +489,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "ingester",
 			buildFunc: BuildIngester,
-			wantArgs: []string{
-				"-ingester.client.tls-enabled=true",
-				fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(stackName), stackNs)),
-				"-ingester.client.tls-min-version=VersionTLS12",
-				"-ingester.client.tls-cipher-suites=cipher1,cipher2",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(stackName), stackNs)),
-				"-boltdb.shipper.index-gateway-client.grpc.tls-min-version=VersionTLS12",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -638,52 +545,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "querier",
 			buildFunc: BuildQuerier,
-			wantArgs: []string{
-				"-ingester.client.tls-enabled=true",
-				fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(stackName), stackNs)),
-				"-ingester.client.tls-min-version=VersionTLS12",
-				"-ingester.client.tls-cipher-suites=cipher1,cipher2",
-				"-querier.frontend-client.tls-enabled=true",
-				fmt.Sprintf("-querier.frontend-client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-querier.frontend-client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-querier.frontend-client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-querier.frontend-client.tls-server-name=%s", fqdn(serviceNameQueryFrontendGRPC(stackName), stackNs)),
-				"-querier.frontend-client.tls-min-version=VersionTLS12",
-				"-querier.frontend-client.tls-cipher-suites=cipher1,cipher2",
-				"-boltdb.shipper.compactor.client.tls-enabled=true",
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(stackName), stackNs)),
-				"-boltdb.shipper.compactor.client.tls-min-version=VersionTLS12",
-				"-boltdb.shipper.compactor.client.tls-cipher-suites=cipher1,cipher2",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(stackName), stackNs)),
-				"-boltdb.shipper.index-gateway-client.grpc.tls-min-version=VersionTLS12",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -740,30 +601,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "query-frontend",
 			buildFunc: BuildQueryFrontend,
-			wantArgs: []string{
-				"-frontend.tail-tls-config.tls-min-version=VersionTLS12",
-				"-frontend.tail-tls-config.tls-cipher-suites=cipher1,cipher2",
-				fmt.Sprintf("-frontend.tail-tls-config.tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-frontend.tail-tls-config.tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-frontend.tail-proxy-url=https://test-querier-http.ns.svc.cluster.local:3100",
-				fmt.Sprintf("-frontend.tail-tls-config.tls-ca-path=%s", signingCAPath()),
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -820,52 +657,6 @@ func TestServices_WithEncryption(t *testing.T) {
 		{
 			desc:      "ruler",
 			buildFunc: BuildRuler,
-			wantArgs: []string{
-				"-boltdb.shipper.compactor.client.tls-enabled=true",
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(stackName), stackNs)),
-				"-boltdb.shipper.compactor.client.tls-min-version=VersionTLS12",
-				"-boltdb.shipper.compactor.client.tls-cipher-suites=cipher1,cipher2",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(stackName), stackNs)),
-				"-boltdb.shipper.index-gateway-client.grpc.tls-min-version=VersionTLS12",
-				"-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=cipher1,cipher2",
-				"-ingester.client.tls-enabled=true",
-				fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(stackName), stackNs)),
-				"-ingester.client.tls-min-version=VersionTLS12",
-				"-ingester.client.tls-cipher-suites=cipher1,cipher2",
-				"-ruler.client.tls-enabled=true",
-				fmt.Sprintf("-ruler.client.tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-ruler.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-ruler.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-				fmt.Sprintf("-ruler.client.tls-server-name=%s", fqdn(serviceNameRulerGRPC(stackName), stackNs)),
-				"-ruler.client.tls-min-version=VersionTLS12",
-				"-ruler.client.tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.enable=true",
-				"-internal-server.http-listen-address=",
-				fmt.Sprintf("-internal-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-internal-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-internal-server.http-tls-cipher-suites=cipher1,cipher2",
-				"-internal-server.http-tls-min-version=VersionTLS12",
-				"-server.tls-cipher-suites=cipher1,cipher2",
-				"-server.tls-min-version=VersionTLS12",
-				fmt.Sprintf("-server.http-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.http-tls-cert-path=%s", lokiServerHTTPTLSCert()),
-				fmt.Sprintf("-server.http-tls-key-path=%s", lokiServerHTTPTLSKey()),
-				"-server.http-tls-client-auth=RequireAndVerifyClientCert",
-				fmt.Sprintf("-server.grpc-tls-ca-path=%s", signingCAPath()),
-				fmt.Sprintf("-server.grpc-tls-cert-path=%s", lokiServerGRPCTLSCert()),
-				fmt.Sprintf("-server.grpc-tls-key-path=%s", lokiServerGRPCTLSKey()),
-				"-server.grpc-tls-client-auth=RequireAndVerifyClientCert",
-			},
 			wantPorts: []corev1.ContainerPort{
 				{
 					Name:          lokiInternalHTTPPortName,
@ -945,16 +736,6 @@ func TestServices_WithEncryption(t *testing.T) {
 					strings.Contains(s, "ca") // Certificate authorities
 			}

-			// Check args not missing
-			for _, arg := range test.wantArgs {
-				require.Contains(t, pod.Containers[0].Args, arg)
-			}
-			for _, arg := range pod.Containers[0].Args {
-				if isEncryptionRelated(arg) {
-					require.Contains(t, test.wantArgs, arg)
-				}
-			}
-
 			// Check ports not missing
 			for _, port := range test.wantPorts {
 				require.Contains(t, pod.Containers[0].Ports, port)