

NETOBSERV-844 Unable to have a working statusUrl in FlowCollector wit…
…h Loki Operator 5.6 (#307)

* loki statusTls CRD option

* addressed feedback

* rely on status URL for status TLS

* status tls default values
jpinsonneau authored Mar 30, 2023
1 parent 3130154 commit 55f6bd7
Showing 14 changed files with 418 additions and 19 deletions.
9 changes: 9 additions & 0 deletions api/v1alpha1/flowcollector_webhook.go
Expand Up @@ -57,6 +57,8 @@ func (r *FlowCollector) ConvertTo(dstRaw conversion.Hub) error {
dst.Spec.Processor.Metrics.DisableAlerts = restored.Spec.Processor.Metrics.DisableAlerts
}

dst.Spec.Loki.StatusTLS = restored.Spec.Loki.StatusTLS

return nil
}

Expand Down Expand Up @@ -100,3 +102,10 @@ func Convert_v1beta1_FlowCollectorFLP_To_v1alpha1_FlowCollectorFLP(in *v1beta1.F
func Convert_v1beta1_FLPMetrics_To_v1alpha1_FLPMetrics(in *v1beta1.FLPMetrics, out *FLPMetrics, s apiconversion.Scope) error {
return autoConvert_v1beta1_FLPMetrics_To_v1alpha1_FLPMetrics(in, out, s)
}

// This function need to be manually created because conversion-gen not able to create it intentionally because
// we have new defined fields in v1beta1 not in v1alpha1
// nolint:golint,stylecheck,revive
func Convert_v1beta1_FlowCollectorLoki_To_v1alpha1_FlowCollectorLoki(in *v1beta1.FlowCollectorLoki, out *FlowCollectorLoki, s apiconversion.Scope) error {
return autoConvert_v1beta1_FlowCollectorLoki_To_v1alpha1_FlowCollectorLoki(in, out, s)
}
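Review bot: The comment on the new Convert_v1beta1_FlowCollectorLoki_To_v1alpha1_FlowCollectorLoki is hard to read ("This function need to be manually created because conversion-gen not able to create it intentionally") and does not name the field that gets dropped; suggest `// conversion-gen cannot generate this function because v1beta1 has fields (statusTls) with no v1alpha1 counterpart; the wrapper intentionally drops them and ConvertTo restores them.` The restore itself, `dst.Spec.Loki.StatusTLS = restored.Spec.Loki.StatusTLS`, sits outside the guard that wraps the DisableAlerts restore above it, which is presumably fine because a zero-value ClientTLS means "disabled", but a one-line comment saying so would make the asymmetry look deliberate. ConvertTo starts outside the hunk.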
16 changes: 6 additions & 10 deletions api/v1alpha1/zz_generated.conversion.go


7 changes: 6 additions & 1 deletion api/v1beta1/flowcollector_types.go
Expand Up @@ -462,6 +462,7 @@ type FlowCollectorLoki struct {
// This is useful to show error messages and some context in the frontend.
// When using the Loki Operator, set it to the Loki HTTP query frontend service, for example
// https://loki-query-frontend-http.netobserv.svc:3100/.
// statusTLS configuration will be used when statusUrl is set.
StatusURL string `json:"statusUrl,omitempty"`

//+kubebuilder:default:="netobserv"
Expand Down Expand Up @@ -509,9 +510,13 @@ type FlowCollectorLoki struct {
// staticLabels is a map of common labels to set on each flow.
StaticLabels map[string]string `json:"staticLabels,omitempty"`

// tls client configuration.
// tls client configuration for loki URL.
// +optional
TLS ClientTLS `json:"tls"`

// tls client configuration for loki status URL.
// +optional
StatusTLS ClientTLS `json:"statusTls"`
}

// FlowCollectorConsolePlugin defines the desired ConsolePlugin state of FlowCollector
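Review bot: The doc comment on the new StatusTLS field, `// tls client configuration for loki status URL.`, does not follow the field-name-first style of its neighbours (`// staticLabels is a map ...`) and does not say what happens when statusUrl is empty, which is the case the added sentence on StatusURL hints at; suggest `// statusTls is the TLS client configuration used for statusUrl. It is only taken into account when statusUrl is set; otherwise the querier tls configuration applies.` The fallback half of that sentence is inferred from the commit description ("rely on status URL for status TLS") and should be checked against helper.GetLokiStatusTLS before it goes into the CRD description. The FlowCollectorLoki struct starts outside the hunk.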
1 change: 1 addition & 0 deletions api/v1beta1/zz_generated.deepcopy.go


68 changes: 67 additions & 1 deletion bundle/manifests/flows.netobserv.io_flowcollectors.yaml
Expand Up @@ -3363,13 +3363,79 @@ spec:
description: staticLabels is a map of common labels to set on
each flow.
type: object
statusTls:
description: tls client configuration for loki status URL.
properties:
caCert:
description: caCert defines the reference of the certificate
for the Certificate Authority
properties:
certFile:
description: certFile defines the path to the certificate
file name within the config map or secret
type: string
certKey:
description: certKey defines the path to the certificate
private key file name within the config map or secret.
Omit when the key is not necessary.
type: string
name:
description: name of the config map or secret containing
certificates
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
enum:
- configmap
- secret
type: string
type: object
enable:
default: false
description: enable TLS
type: boolean
insecureSkipVerify:
default: false
description: insecureSkipVerify allows skipping client-side
verification of the server certificate If set to true, CACert
field will be ignored
type: boolean
userCert:
description: userCert defines the user certificate reference,
used for mTLS (you can ignore it when using regular, one-way
TLS)
properties:
certFile:
description: certFile defines the path to the certificate
file name within the config map or secret
type: string
certKey:
description: certKey defines the path to the certificate
private key file name within the config map or secret.
Omit when the key is not necessary.
type: string
name:
description: name of the config map or secret containing
certificates
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
enum:
- configmap
- secret
type: string
type: object
type: object
statusUrl:
description: statusURL specifies the address of the Loki /ready
/metrics /config endpoints, in case it is different from the
Loki querier URL. If empty, the QuerierURL value will be used.
This is useful to show error messages and some context in the
frontend. When using the Loki Operator, set it to the Loki HTTP
query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/.
statusTLS configuration will be used when statusUrl is set.
type: string
tenantID:
default: netobserv
Expand All @@ -3383,7 +3449,7 @@ spec:
limit. A Timeout of zero means no timeout.
type: string
tls:
description: tls client configuration.
description: tls client configuration for loki URL.
properties:
caCert:
description: caCert defines the reference of the certificate
15 changes: 15 additions & 0 deletions bundle/manifests/netobserv-operator.clusterserviceversion.yaml
Expand Up @@ -282,6 +282,21 @@ metadata:
"maxBackoff": "5s",
"maxRetries": 2,
"minBackoff": "1s",
"statusTls": {
"caCert": {
"certFile": "service-ca.crt",
"name": "loki-ca-bundle",
"type": "configmap"
},
"enable": false,
"insecureSkipVerify": false,
"userCert": {
"certFile": "tls.crt",
"certKey": "tls.key",
"name": "loki-query-frontend-http",
"type": "secret"
}
},
"tls": {
"caCert": {
"certFile": "service-ca.crt",
68 changes: 67 additions & 1 deletion config/crd/bases/flows.netobserv.io_flowcollectors.yaml
Expand Up @@ -3350,13 +3350,79 @@ spec:
description: staticLabels is a map of common labels to set on
each flow.
type: object
statusTls:
description: tls client configuration for loki status URL.
properties:
caCert:
description: caCert defines the reference of the certificate
for the Certificate Authority
properties:
certFile:
description: certFile defines the path to the certificate
file name within the config map or secret
type: string
certKey:
description: certKey defines the path to the certificate
private key file name within the config map or secret.
Omit when the key is not necessary.
type: string
name:
description: name of the config map or secret containing
certificates
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
enum:
- configmap
- secret
type: string
type: object
enable:
default: false
description: enable TLS
type: boolean
insecureSkipVerify:
default: false
description: insecureSkipVerify allows skipping client-side
verification of the server certificate If set to true, CACert
field will be ignored
type: boolean
userCert:
description: userCert defines the user certificate reference,
used for mTLS (you can ignore it when using regular, one-way
TLS)
properties:
certFile:
description: certFile defines the path to the certificate
file name within the config map or secret
type: string
certKey:
description: certKey defines the path to the certificate
private key file name within the config map or secret.
Omit when the key is not necessary.
type: string
name:
description: name of the config map or secret containing
certificates
type: string
type:
description: 'type for the certificate reference: "configmap"
or "secret"'
enum:
- configmap
- secret
type: string
type: object
type: object
statusUrl:
description: statusURL specifies the address of the Loki /ready
/metrics /config endpoints, in case it is different from the
Loki querier URL. If empty, the QuerierURL value will be used.
This is useful to show error messages and some context in the
frontend. When using the Loki Operator, set it to the Loki HTTP
query frontend service, for example https://loki-query-frontend-http.netobserv.svc:3100/.
statusTLS configuration will be used when statusUrl is set.
type: string
tenantID:
default: netobserv
Expand All @@ -3370,7 +3436,7 @@ spec:
limit. A Timeout of zero means no timeout.
type: string
tls:
description: tls client configuration.
description: tls client configuration for loki URL.
properties:
caCert:
description: caCert defines the reference of the certificate
1 change: 1 addition & 0 deletions config/samples/flows_v1alpha1_flowcollector.yaml
Expand Up @@ -62,6 +62,7 @@ spec:
loki:
url: 'http://loki.netobserv.svc:3100/'
# Uncomment lines below for typical installation with loki-operator (5.6+ needed)
# and ensure tls is enabled
# url: 'https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network/'
# statusUrl: 'https://loki-query-frontend-http.netobserv.svc:3100/'
# authToken: HOST
15 changes: 14 additions & 1 deletion config/samples/flows_v1beta1_flowcollector.yaml
Expand Up @@ -66,16 +66,29 @@ spec:
loki:
url: 'http://loki.netobserv.svc:3100/'
# Uncomment lines below for typical installation with loki-operator (5.6+ needed)
# and ensure tls and statusTls are enabled
# url: 'https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network/'
# statusUrl: 'https://loki-query-frontend-http.netobserv.svc:3100/'
# authToken: HOST
# authToken: FORWARD
tls:
enable: false
caCert:
type: configmap
name: loki-gateway-ca-bundle
certFile: service-ca.crt
insecureSkipVerify: false
statusTls:
enable: false
caCert:
certFile: service-ca.crt
name: loki-ca-bundle
type: configmap
insecureSkipVerify: false
userCert:
certFile: tls.crt
certKey: tls.key
name: loki-query-frontend-http
type: secret
batchWait: 1s
batchSize: 10485760
minBackoff: 1s
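Review bot: The new statusTls block lists the caCert keys in a different order (certFile, name, type) than the tls block directly above it (type, name, certFile) and points at a different CA bundle (`loki-ca-bundle` versus `loki-gateway-ca-bundle`); if the two names are intentional because the Loki Operator gateway and query frontend are issued by different CAs, a short comment on the statusTls line saying so would save operators a debugging round, and the key order should be made parallel to the tls block. The userCert entry references the `loki-query-frontend-http` secret while `enable: false` keeps the whole block inactive, so the sample is safe as shipped, but the comment at the top (`ensure tls and statusTls are enabled`) should say that the referenced config map and secret must exist in the namespace before either block is enabled.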
20 changes: 19 additions & 1 deletion controllers/consoleplugin/consoleplugin_objects.go
Expand Up @@ -30,6 +30,7 @@ const configFile = "config.yaml"
const configVolume = "config-volume"
const configPath = "/opt/app-root/"
const lokiCerts = "loki-certs"
const lokiStatusCerts = "loki-status-certs"
const tokensPath = "/var/run/secrets/tokens/"

type builder struct {
Expand Down Expand Up @@ -181,9 +182,21 @@ func buildArgs(desired *flowslatest.FlowCollectorSpec) []string {
if desired.Loki.TLS.InsecureSkipVerify {
args = append(args, "-loki-skip-tls")
} else {
args = append(args, "--loki-ca-path", helper.GetCACertPath(&desired.Loki.TLS, lokiCerts))
args = append(args, "-loki-ca-path", helper.GetCACertPath(&desired.Loki.TLS, lokiCerts))
}
}

statusTLS := helper.GetLokiStatusTLS(&desired.Loki)
if statusTLS.Enable {
if statusTLS.InsecureSkipVerify {
args = append(args, "-loki-status-skip-tls")
} else {
args = append(args, "-loki-status-ca-path", helper.GetCACertPath(&statusTLS, lokiStatusCerts))
args = append(args, "-loki-status-user-cert-path", helper.GetUserCertPath(&statusTLS, lokiStatusCerts))
args = append(args, "-loki-status-user-key-path", helper.GetUserKeyPath(&statusTLS, lokiStatusCerts))
}
}

if helper.LokiUseHostToken(&desired.Loki) {
args = append(args, "-loki-token-path", tokenPath(&desired.Loki))
}
Expand Down Expand Up @@ -226,6 +239,11 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
volumes, volumeMounts = helper.AppendCertVolumes(volumes, volumeMounts, &b.desired.Loki.TLS, lokiCerts, b.cWatcher)
}

statusTLS := helper.GetLokiStatusTLS(&b.desired.Loki)
if b.desired != nil && statusTLS.Enable && !statusTLS.InsecureSkipVerify {
volumes, volumeMounts = helper.AppendCertVolumes(volumes, volumeMounts, &statusTLS, lokiStatusCerts, b.cWatcher)
}

if helper.LokiUseHostToken(&b.desired.Loki) {
volumes, volumeMounts = helper.AppendTokenVolume(volumes, volumeMounts, constants.PluginName, constants.PluginName)
}
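Review bot: In buildArgs the `-loki-status-user-cert-path` and `-loki-status-user-key-path` appends sit in the `else` of the `statusTLS.InsecureSkipVerify` check, so a user who sets insecureSkipVerify together with a userCert silently loses client authentication to the status endpoint; insecureSkipVerify only concerns server-certificate verification, so the two user-cert appends belong after the if/else, and the matching volume condition in podTemplate, `statusTLS.Enable && !statusTLS.InsecureSkipVerify`, would likewise leave the user cert unmounted. Whether the plugin accepts a client certificate without a CA path, and what helper.GetUserCertPath returns when no userCert is configured, I cannot tell from here, so that should be checked before moving the lines. Separately, in podTemplate `b.desired != nil` is tested one line after `&b.desired.Loki` has already been dereferenced in the `helper.GetLokiStatusTLS` call, so the guard is ineffective; either move the call inside the condition or drop the check. Both enclosing functions start and end outside the hunk.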
2 changes: 1 addition & 1 deletion controllers/consoleplugin/consoleplugin_reconciler.go
Expand Up @@ -197,7 +197,7 @@ func (r *CPReconciler) reconcileDeployment(ctx context.Context, builder builder,

newDepl := builder.deployment(cmDigest)
// Annotate pod with certificate reference so that it is reloaded if modified
if err := r.CertWatcher.AnnotatePod(ctx, r.Client, &newDepl.Spec.Template, lokiCerts); err != nil {
if err := r.CertWatcher.AnnotatePod(ctx, r.Client, &newDepl.Spec.Template, lokiCerts, lokiStatusCerts); err != nil {
return err
}
if !r.nobjMngr.Exists(r.owned.deployment) {
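Review bot: The comment above the AnnotatePod call still says "certificate reference" in the singular while the call now passes both lokiCerts and lokiStatusCerts; suggest `// Annotate pod with the Loki and Loki-status certificate references so that it is reloaded if either is modified`. Whether AnnotatePod tolerates a name whose volume is not mounted (status TLS disabled, or insecureSkipVerify set) is not visible here and is the case worth a test. reconcileDeployment starts and ends outside the hunk.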