From 68a1f71fdfdcbdf6b3e2bafc37d168c526fc6846 Mon Sep 17 00:00:00 2001
From: Olivier Cazade
Date: Tue, 12 Sep 2023 15:18:47 +0200
Subject: [PATCH] Fix cacert monitoring copy
---
 controllers/constants/constants.go | 3 +++
 controllers/flowcollector_objects.go | 16 +++++++---------
 .../flowlogspipeline/flp_ingest_reconciler.go | 5 +++++
 .../flowlogspipeline/flp_monolith_reconciler.go | 5 +++++
 controllers/flowlogspipeline/flp_reconciler.go | 12 ++++++++++++
 .../flowlogspipeline/flp_transfo_reconciler.go | 4 ++++
 pkg/watchers/watcher.go | 8 ++++++++
 7 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
index 98a2f79b5..188a91366 100644
--- a/controllers/constants/constants.go
+++ b/controllers/constants/constants.go
@@ -32,6 +32,9 @@ const (
 NewConnectionType = "newConnection"
 HeartbeatType = "heartbeat"
 EndConnectionType = "endConnection"
+
+ MonitoringNamespace = "openshift-monitoring"
+ MonitoringServiceAccount = "prometheus-k8s"
 )
 var LokiIndexFields = []string{"SrcK8S_Namespace", "SrcK8S_OwnerName", "DstK8S_Namespace", "DstK8S_OwnerName", "FlowDirection"}
diff --git a/controllers/flowcollector_objects.go b/controllers/flowcollector_objects.go
index 15e9b4879..dbfa56435 100644
--- a/controllers/flowcollector_objects.go
+++ b/controllers/flowcollector_objects.go
@@ -14,13 +14,11 @@ import (
 var healthDashboardEmbed string
 const (
- downstreamLabelKey = "openshift.io/cluster-monitoring"
- downstreamLabelValue = "true"
- roleSuffix = "-metrics-reader"
- monitoringServiceAccount = "prometheus-k8s"
- monitoringNamespace = "openshift-monitoring"
- dashboardCMNamespace = "openshift-config-managed"
- dashboardCMAnnotation = "console.openshift.io/dashboard"
+ downstreamLabelKey = "openshift.io/cluster-monitoring"
+ downstreamLabelValue = "true"
+ roleSuffix = "-metrics-reader"
+ dashboardCMNamespace = "openshift-config-managed"
+ dashboardCMAnnotation = "console.openshift.io/dashboard"
 flowDashboardCMName = "grafana-dashboard-netobserv-flow-metrics"
 flowDashboardCMFile = "netobserv-flow-metrics.json"
@@ -74,8 +72,8 @@ func buildRoleBindingMonitoringReader(ns string) *rbacv1.ClusterRoleBinding {
 },
 Subjects: []rbacv1.Subject{{
 Kind: "ServiceAccount",
- Name: monitoringServiceAccount,
- Namespace: monitoringNamespace,
+ Name: constants.MonitoringServiceAccount,
+ Namespace: constants.MonitoringNamespace,
 }},
 }
 }
diff --git a/controllers/flowlogspipeline/flp_ingest_reconciler.go b/controllers/flowlogspipeline/flp_ingest_reconciler.go
index 411913d92..38312a5ae 100644
--- a/controllers/flowlogspipeline/flp_ingest_reconciler.go
+++ b/controllers/flowlogspipeline/flp_ingest_reconciler.go
@@ -116,6 +116,11 @@ func (r *flpIngesterReconciler) reconcile(ctx context.Context, desired *flowslat
 return err
 }
+ // Watch for monitoring caCert
+ if err = reconcileMonitoringCacert(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS); err != nil {
+ return err
+ }
+
 return r.reconcileDaemonSet(ctx, builder.daemonSet(annotations))
 }
diff --git a/controllers/flowlogspipeline/flp_monolith_reconciler.go b/controllers/flowlogspipeline/flp_monolith_reconciler.go
index aed899908..272fd66eb 100644
--- a/controllers/flowlogspipeline/flp_monolith_reconciler.go
+++ b/controllers/flowlogspipeline/flp_monolith_reconciler.go
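Review bot: The new `reconcileMonitoringCacert` call in `flpIngesterReconciler.reconcile` returns its error before `reconcileDaemonSet` runs, so a CA reference that cannot be mirrored into the monitoring namespace stops the ingester rollout entirely; the `flpMonolithReconciler` and `flpTransformerReconciler` hunks place the call the same way. The target is the hard-coded `constants.MonitoringNamespace` ("openshift-monitoring"), and nothing visible in these hunks checks that the cluster has that namespace, so if the operator can run where it is absent the reconcile would presumably fail on every pass. Consider gating the call on whatever condition already decides that monitoring objects are created, and say so in the comment, e.g. `// Mirror the metrics CA into the monitoring namespace (OpenShift only)`. The body of `reconcile` starts outside the hunk, so an earlier guard may already cover this.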
@@ -125,6 +125,11 @@ func (r *flpMonolithReconciler) reconcile(ctx context.Context, desired *flowslat
 return err
 }
+ // Watch for monitoring caCert
+ if err = reconcileMonitoringCacert(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS); err != nil {
+ return err
+ }
+
 return r.reconcileDaemonSet(ctx, builder.daemonSet(annotations))
 }
diff --git a/controllers/flowlogspipeline/flp_reconciler.go b/controllers/flowlogspipeline/flp_reconciler.go
index fd7297635..e0a815e40 100644
--- a/controllers/flowlogspipeline/flp_reconciler.go
+++ b/controllers/flowlogspipeline/flp_reconciler.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 flowslatest "github.com/netobserv/network-observability-operator/api/v1beta1"
+ "github.com/netobserv/network-observability-operator/controllers/constants"
 "github.com/netobserv/network-observability-operator/controllers/reconcilers"
 "github.com/netobserv/network-observability-operator/pkg/helper"
 "github.com/netobserv/network-observability-operator/pkg/watchers"
@@ -101,3 +102,14 @@ func annotateKafkaCerts(ctx context.Context, info *reconcilers.Common, spec *flo
 }
 return nil
 }
+
+func reconcileMonitoringCacert(ctx context.Context, info *reconcilers.Common, tlsConfig *flowslatest.ServerTLS) error {
+ if !tlsConfig.InsecureSkipVerify && tlsConfig.ProvidedCaFile != nil && tlsConfig.ProvidedCaFile.File != "" {
+ _, err := info.Watcher.ProcessFileReference(ctx, info.Client, *tlsConfig.ProvidedCaFile, constants.MonitoringNamespace)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
diff --git a/controllers/flowlogspipeline/flp_transfo_reconciler.go b/controllers/flowlogspipeline/flp_transfo_reconciler.go
index f8826232d..3fad829c9 100644
--- a/controllers/flowlogspipeline/flp_transfo_reconciler.go
+++ b/controllers/flowlogspipeline/flp_transfo_reconciler.go
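Review bot: `reconcileMonitoringCacert` passes `*tlsConfig.ProvidedCaFile` to the watcher without checking what kind of object the reference names. If the reference can point at a Secret and the watcher mirrors the whole object rather than only the `File` key (neither is visible in this patch), any private key stored beside the CA would become readable in `openshift-monitoring`. A CA certificate is public, so limiting this path to ConfigMap references, or copying only the referenced key, keeps the cross-namespace copy to what the scraper needs. Nothing here removes the copy once `InsecureSkipVerify` is set or `ProvidedCaFile` is cleared, so confirm the watcher cleans up stale copies; otherwise a superseded CA object lingers in that namespace. The discarded digest should get a one-line comment giving the reason, and the error is easier to trace when wrapped: `return fmt.Errorf("copying metrics CA to %s: %w", constants.MonitoringNamespace, err)`.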
@@ -128,6 +128,10 @@ func (r *flpTransformerReconciler) reconcile(ctx context.Context, desired *flows
 if err = annotateKafkaExporterCerts(ctx, r.Common, desired.Spec.Exporters, annotations); err != nil {
 return err
 }
+ // Watch for monitoring caCert
+ if err = reconcileMonitoringCacert(ctx, r.Common, &desired.Spec.Processor.Metrics.Server.TLS); err != nil {
+ return err
+ }
 return r.reconcileDeployment(ctx, &desired.Spec.Processor, &builder, annotations)
 }
diff --git a/pkg/watchers/watcher.go b/pkg/watchers/watcher.go
index 9f2393921..418422937 100644
--- a/pkg/watchers/watcher.go
+++ b/pkg/watchers/watcher.go
@@ -101,6 +101,14 @@ func (w *Watcher) ProcessCACert(ctx context.Context, cl helper.Client, tls *flow
 return caDigest, nil
 }
+func (w *Watcher) ProcessFileReference(ctx context.Context, cl helper.Client, file flowslatest.FileReference, targetNamespace string) (fileDigest string, err error) {
+ fileDigest, err = w.reconcile(ctx, cl, w.refFromFile(&file), targetNamespace)
+ if err != nil {
+ return "", err
+ }
+ return fileDigest, nil
+}
+
 func (w *Watcher) ProcessSASL(ctx context.Context, cl helper.Client, sasl *flowslatest.SASLConfig, targetNamespace string) (idDigest string, secretDigest string, err error) {
 idDigest, err = w.reconcile(ctx, cl, w.refFromFile(&sasl.ClientIDReference), targetNamespace)
 if err != nil {
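Review bot: `ProcessFileReference` is exported and takes a caller-chosen `targetNamespace`, but it has no doc comment stating that the referenced object is reconciled into that namespace, which is the part of the contract that decides who else can read it. A suggested comment, to be checked against what `w.reconcile` really does (it is outside this hunk): `// ProcessFileReference watches the object behind file, reconciles it into targetNamespace and returns its digest; pass only references whose content may be shared with that namespace.` The `file` parameter is taken by value and then passed as `&file`, whereas the neighbouring `ProcessSASL` passes `&sasl.ClientIDReference`; accepting `*flowslatest.FileReference` would be consistent with it. `ProcessSASL` continues past the end of the hunk.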