Fix certs monitoring copy (#414) (#416)

netobserv · Sep 14, 2023 · 5dbfa16 · 5dbfa16
1 parent 623a3b2
commit 5dbfa16
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 9 deletions.
diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
@@ -32,6 +32,9 @@ const (
 	NewConnectionType = "newConnection"
 	HeartbeatType     = "heartbeat"
 	EndConnectionType = "endConnection"
+
+	MonitoringNamespace      = "openshift-monitoring"
+	MonitoringServiceAccount = "prometheus-k8s"
 )
 
 var LokiIndexFields = []string{"SrcK8S_Namespace", "SrcK8S_OwnerName", "DstK8S_Namespace", "DstK8S_OwnerName", "FlowDirection"}

diff --git a/controllers/flowcollector_objects.go b/controllers/flowcollector_objects.go
@@ -14,13 +14,11 @@ import (
 var healthDashboardEmbed string
 
 const (
-	downstreamLabelKey       = "openshift.io/cluster-monitoring"
-	downstreamLabelValue     = "true"
-	roleSuffix               = "-metrics-reader"
-	monitoringServiceAccount = "prometheus-k8s"
-	monitoringNamespace      = "openshift-monitoring"
-	dashboardCMNamespace     = "openshift-config-managed"
-	dashboardCMAnnotation    = "console.openshift.io/dashboard"
+	downstreamLabelKey    = "openshift.io/cluster-monitoring"
+	downstreamLabelValue  = "true"
+	roleSuffix            = "-metrics-reader"
+	dashboardCMNamespace  = "openshift-config-managed"
+	dashboardCMAnnotation = "console.openshift.io/dashboard"
 
 	flowDashboardCMName = "grafana-dashboard-netobserv-flow-metrics"
 	flowDashboardCMFile = "netobserv-flow-metrics.json"
@@ -74,8 +72,8 @@ func buildRoleBindingMonitoringReader(ns string) *rbacv1.ClusterRoleBinding {
 		},
 		Subjects: []rbacv1.Subject{{
 			Kind:      "ServiceAccount",
-			Name:      monitoringServiceAccount,
-			Namespace: monitoringNamespace,
+			Name:      constants.MonitoringServiceAccount,
+			Namespace: constants.MonitoringNamespace,
 		}},
 	}
 }

diff --git a/controllers/flowlogspipeline/flp_ingest_reconciler.go b/controllers/flowlogspipeline/flp_ingest_reconciler.go
@@ -116,6 +116,11 @@ func (r *flpIngesterReconciler) reconcile(ctx context.Context, desired *flowslat
 		return err
 	}
 
+	// Watch for monitoring caCert
+	if err = reconcileMonitoringCerts(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS, r.Namespace); err != nil {
+		return err
+	}
+
 	return r.reconcileDaemonSet(ctx, builder.daemonSet(annotations))
 }
 

diff --git a/controllers/flowlogspipeline/flp_monolith_reconciler.go b/controllers/flowlogspipeline/flp_monolith_reconciler.go
@@ -125,6 +125,11 @@ func (r *flpMonolithReconciler) reconcile(ctx context.Context, desired *flowslat
 		return err
 	}
 
+	// Watch for monitoring caCert
+	if err = reconcileMonitoringCerts(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS, r.Namespace); err != nil {
+		return err
+	}
+
 	return r.reconcileDaemonSet(ctx, builder.daemonSet(annotations))
 }
 

diff --git a/controllers/flowlogspipeline/flp_reconciler.go b/controllers/flowlogspipeline/flp_reconciler.go
@@ -101,3 +101,20 @@ func annotateKafkaCerts(ctx context.Context, info *reconcilers.Common, spec *flo
 	}
 	return nil
 }
+
+func reconcileMonitoringCerts(ctx context.Context, info *reconcilers.Common, tlsConfig *flowslatest.ServerTLS, ns string) error {
+	if tlsConfig.Type == flowslatest.ServerTLSProvided && tlsConfig.Provided != nil {
+		_, err := info.Watcher.ProcessCertRef(ctx, info.Client, tlsConfig.Provided, ns)
+		if err != nil {
+			return err
+		}
+	}
+	if !tlsConfig.InsecureSkipVerify && tlsConfig.ProvidedCaFile != nil && tlsConfig.ProvidedCaFile.File != "" {
+		_, err := info.Watcher.ProcessFileReference(ctx, info.Client, *tlsConfig.ProvidedCaFile, ns)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/controllers/flowlogspipeline/flp_transfo_reconciler.go b/controllers/flowlogspipeline/flp_transfo_reconciler.go
@@ -128,6 +128,10 @@ func (r *flpTransformerReconciler) reconcile(ctx context.Context, desired *flows
 	if err = annotateKafkaExporterCerts(ctx, r.Common, desired.Spec.Exporters, annotations); err != nil {
 		return err
 	}
+	// Watch for monitoring caCert
+	if err = reconcileMonitoringCerts(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS, r.Namespace); err != nil {
+		return err
+	}
 
 	return r.reconcileDeployment(ctx, &desired.Spec.Processor, &builder, annotations)
 }

diff --git a/pkg/watchers/watcher.go b/pkg/watchers/watcher.go
@@ -101,6 +101,26 @@ func (w *Watcher) ProcessCACert(ctx context.Context, cl helper.Client, tls *flow
 	return caDigest, nil
 }
 
+func (w *Watcher) ProcessCertRef(ctx context.Context, cl helper.Client, cert *flowslatest.CertificateReference, targetNamespace string) (certDigest string, err error) {
+	if cert != nil {
+		certRef := w.refFromCert(cert)
+		certDigest, err = w.reconcile(ctx, cl, certRef, targetNamespace)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return certDigest, nil
+}
+
+func (w *Watcher) ProcessFileReference(ctx context.Context, cl helper.Client, file flowslatest.FileReference, targetNamespace string) (fileDigest string, err error) {
+	fileDigest, err = w.reconcile(ctx, cl, w.refFromFile(&file), targetNamespace)
+	if err != nil {
+		return "", err
+	}
+	return fileDigest, nil
+}
+
 func (w *Watcher) ProcessSASL(ctx context.Context, cl helper.Client, sasl *flowslatest.SASLConfig, targetNamespace string) (idDigest string, secretDigest string, err error) {
 	idDigest, err = w.reconcile(ctx, cl, w.refFromFile(&sasl.ClientIDReference), targetNamespace)
 	if err != nil {