From 03c871841217f87cefb0c571224abcb114f403ba Mon Sep 17 00:00:00 2001 From: Julien Pinsonneau Date: Tue, 14 Jun 2022 16:42:57 +0200 Subject: [PATCH 1/4] skip tls checks & add tenant id --- api/v1alpha1/flowcollector_types.go | 5 +++++ config/crd/bases/flows.netobserv.io_flowcollectors.yaml | 6 ++++++ controllers/consoleplugin/consoleplugin_objects.go | 6 ++++++ controllers/consoleplugin/consoleplugin_test.go | 6 ++++-- controllers/flowlogspipeline/flp_objects.go | 9 +++++++++ docs/FlowCollector.md | 9 +++++++++ 6 files changed, 39 insertions(+), 2 deletions(-) diff --git a/api/v1alpha1/flowcollector_types.go b/api/v1alpha1/flowcollector_types.go index a5f9d629d..061467a26 100644 --- a/api/v1alpha1/flowcollector_types.go +++ b/api/v1alpha1/flowcollector_types.go @@ -282,6 +282,11 @@ type FlowCollectorLoki struct { // and querier are int he same host). QuerierURL string `json:"querierUrl,omitempty"` + //+kubebuilder:default:="netobserv" + // TenantID is the Loki X-Scope-OrgID that identifies the tenant for each request. + // it will be ignored if instanceSpec is specified + TenantID string `json:"tenantID,omitempty"` + //+kubebuilder:default:="1s" // BatchWait is max time to wait before sending a batch BatchWait metav1.Duration `json:"batchWait,omitempty"` diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml index 690076ffa..d548137dd 100644 --- a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml +++ b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml @@ -1524,6 +1524,12 @@ spec: description: StaticLabels is a map of common labels to set on each flow type: object + tenantID: + default: netobserv + description: TenantID is the Loki X-Scope-OrgID that identifies + the tenant for each request. it will be ignored if instanceSpec + is specified + type: string timeout: default: 10s description: Timeout is the maximum time connection / request diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go index 4d61a35d4..04e52602f 100644 --- a/controllers/consoleplugin/consoleplugin_objects.go +++ b/controllers/consoleplugin/consoleplugin_objects.go @@ -103,6 +103,9 @@ func buildArgs(desired *flowsv1alpha1.FlowCollectorConsolePlugin, desiredLoki *f "-key", "/var/serving-cert/tls.key", "-loki", querierURL(desiredLoki), "-loki-labels", strings.Join(constants.LokiIndexFields, ","), + "-loki-tenant-id", desiredLoki.TenantID, + //TODO: add loki tls config https://issues.redhat.com/browse/NETOBSERV-309 + "-loki-skip-tls", "true", "-loglevel", desired.LogLevel, "-frontend-config", configPath + configFile, } @@ -137,6 +140,9 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec { "-key", "/var/serving-cert/tls.key", "-loki", querierURL(b.desiredLoki), "-loki-labels", strings.Join(constants.LokiIndexFields, ","), + "-loki-tenant-id", b.desiredLoki.TenantID, + //TODO: add loki tls config https://issues.redhat.com/browse/NETOBSERV-309 + "-loki-skip-tls", "true", "-loglevel", b.desired.LogLevel, "-frontend-config", configPath + configFile, }, diff --git a/controllers/consoleplugin/consoleplugin_test.go b/controllers/consoleplugin/consoleplugin_test.go index c6627b555..38a94d698 100644 --- a/controllers/consoleplugin/consoleplugin_test.go +++ b/controllers/consoleplugin/consoleplugin_test.go @@ -22,6 +22,8 @@ var testArgs = []string{ "-key", "/var/serving-cert/tls.key", "-loki", "http://loki:3100/", "-loki-labels", "SrcK8S_Namespace,SrcK8S_OwnerName,DstK8S_Namespace,DstK8S_OwnerName,FlowDirection", + "-loki-tenant-id", "netobserv", + "-loki-skip-tls", "true", "-loglevel", "info", "-frontend-config", "/opt/app-root/config.yaml", } @@ -128,7 +130,7 @@ func TestContainerUpdateCheck(t *testing.T) { //equals specs podSpec, containerConfig := getContainerSpecs() - loki := &flowsv1alpha1.FlowCollectorLoki{URL: "http://loki:3100/"} + loki := &flowsv1alpha1.FlowCollectorLoki{URL: "http://loki:3100/", TenantID: "netobserv"} fmt.Printf("%v\n", buildArgs(&containerConfig, loki)) assert.Equal(containerNeedsUpdate(&podSpec, &containerConfig, loki), false) @@ -181,7 +183,7 @@ func TestBuiltContainer(t *testing.T) { //newly created containers should not need update plugin := getPluginConfig() - loki := &flowsv1alpha1.FlowCollectorLoki{URL: "http://foo:1234"} + loki := &flowsv1alpha1.FlowCollectorLoki{URL: "http://foo:1234", TenantID: "netobserv"} builder := newBuilder(testNamespace, &plugin, loki) newContainer := builder.podTemplate("digest") assert.Equal(containerNeedsUpdate(&newContainer.Spec, &plugin, loki), false) diff --git a/controllers/flowlogspipeline/flp_objects.go b/controllers/flowlogspipeline/flp_objects.go index 294cefb8a..bfdf1cef3 100644 --- a/controllers/flowlogspipeline/flp_objects.go +++ b/controllers/flowlogspipeline/flp_objects.go @@ -16,6 +16,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + promConfig "github.com/prometheus/common/config" + flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" "github.com/netobserv/network-observability-operator/controllers/constants" "github.com/netobserv/network-observability-operator/pkg/helper" @@ -243,6 +245,13 @@ func (b *builder) addTransformStages(lastStage *config.PipelineBuilderStage) { lokiWrite.URL = b.desiredLoki.URL lokiWrite.TimestampLabel = "TimeFlowEndMs" lokiWrite.TimestampScale = "1ms" + lokiWrite.TenantID = b.desiredLoki.TenantID + //TODO: set proper tls config https://issues.redhat.com/browse/NETOBSERV-309 + lokiWrite.ClientConfig = &promConfig.HTTPClientConfig{ + TLSConfig: promConfig.TLSConfig{ + InsecureSkipVerify: true, + }, + } } enrichedStage.WriteLoki("loki", lokiWrite) diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md index 98879371e..3b3339fd2 100644 --- a/docs/FlowCollector.md +++ b/docs/FlowCollector.md @@ -2682,6 +2682,15 @@ Loki contains settings related to the loki client Default: map[app:netobserv-flowcollector]
false + + tenantID + string + + TenantID is the Loki X-Scope-OrgID that identifies the tenant for each request. it will be ignored if instanceSpec is specified
+
+ Default: netobserv
+ + false timeout string From 01f35e8b67e0cb8b018f6b82f5654e50542ca797 Mon Sep 17 00:00:00 2001 From: Julien Pinsonneau Date: Wed, 15 Jun 2022 13:58:44 +0200 Subject: [PATCH 2/4] temporary fix --- vendor/github.com/prometheus/common/config/http_config.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/vendor/github.com/prometheus/common/config/http_config.go b/vendor/github.com/prometheus/common/config/http_config.go index 4b8724171..5e4a7bdd1 100644 --- a/vendor/github.com/prometheus/common/config/http_config.go +++ b/vendor/github.com/prometheus/common/config/http_config.go @@ -11,6 +11,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +//go:build go1.8 // +build go1.8 package config @@ -188,13 +189,13 @@ type HTTPClientConfig struct { // Authorization.CredentialsFile. BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"` // HTTP proxy server to use to connect to the targets. - ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` + ProxyURL *URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` // TLSConfig to use to connect to the targets. TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"` // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. // The omitempty flag is not set, because it would be hidden from the // marshalled configuration when set to false. - FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"` + FollowRedirects bool `yaml:"follow_redirects,omitempty" json:"follow_redirects,omitempty"` } // SetDirectory joins any relative file paths with dir. From 476519e63137567fe67eb771d8faa9e0bb286230 Mon Sep 17 00:00:00 2001 From: Julien Pinsonneau Date: Wed, 20 Jul 2022 17:02:27 +0200 Subject: [PATCH 3/4] added HTTPClientConfig test check --- .../consoleplugin/consoleplugin_test.go | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/controllers/consoleplugin/consoleplugin_test.go b/controllers/consoleplugin/consoleplugin_test.go index 38a94d698..b585622ed 100644 --- a/controllers/consoleplugin/consoleplugin_test.go +++ b/controllers/consoleplugin/consoleplugin_test.go @@ -1,6 +1,7 @@ package consoleplugin import ( + "encoding/json" "fmt" "testing" @@ -12,6 +13,8 @@ import ( flowsv1alpha1 "github.com/netobserv/network-observability-operator/api/v1alpha1" "github.com/netobserv/network-observability-operator/controllers/constants" + + promConfig "github.com/prometheus/common/config" ) const testImage = "quay.io/netobserv/network-observability-console-plugin:dev" @@ -248,3 +251,20 @@ func TestAutoScalerUpdateCheck(t *testing.T) { autoScalerSpec.Namespace = "NewNamespace" assert.Equal(autoScalerNeedsUpdate(&autoScalerSpec, &plugin, testNamespace), true) } + +//ensure HTTPClientConfig Marshal / Unmarshal works as expected for ProxyURL *URL +//ProxyURL should not be set when only TLSConfig.InsecureSkipVerify is specified +func TestHTTPClientConfig(t *testing.T) { + config := promConfig.HTTPClientConfig{ + TLSConfig: promConfig.TLSConfig{ + InsecureSkipVerify: true, + }, + } + bs, _ := json.Marshal(config) + assert.Equal(t, string(bs), `{"tls_config":{"insecure_skip_verify":true}}`) + + config2 := promConfig.HTTPClientConfig{} + json.Unmarshal(bs, &config2) + assert.Equal(t, config2.TLSConfig.InsecureSkipVerify, true) + assert.Nil(t, config2.ProxyURL) +} From 46ad22c012653f62d144c8418daba30747265508 Mon Sep 17 00:00:00 2001 From: Julien Pinsonneau Date: Thu, 21 Jul 2022 13:32:55 +0200 Subject: [PATCH 4/4] forked prometheus/common --- .../consoleplugin/consoleplugin_test.go | 15 ++++++-- go.mod | 2 ++ go.sum | 4 +-- .../prometheus/common/config/http_config.go | 34 +++++-------------- vendor/modules.txt | 2 +- 5 files changed, 25 insertions(+), 32 deletions(-) diff --git a/controllers/consoleplugin/consoleplugin_test.go b/controllers/consoleplugin/consoleplugin_test.go index b585622ed..d5c5fb157 100644 --- a/controllers/consoleplugin/consoleplugin_test.go +++ b/controllers/consoleplugin/consoleplugin_test.go @@ -260,11 +260,20 @@ func TestHTTPClientConfig(t *testing.T) { InsecureSkipVerify: true, }, } + err := config.Validate() + assert.Nil(t, err) + bs, _ := json.Marshal(config) - assert.Equal(t, string(bs), `{"tls_config":{"insecure_skip_verify":true}}`) + assert.Equal(t, string(bs), `{"proxy_url":null,"tls_config":{"insecure_skip_verify":true},"follow_redirects":false}`) config2 := promConfig.HTTPClientConfig{} - json.Unmarshal(bs, &config2) + err = json.Unmarshal(bs, &config2) + assert.Nil(t, err) + assert.Equal(t, config2.TLSConfig.InsecureSkipVerify, true) + assert.Equal(t, config2.ProxyURL, promConfig.URL{}) + + err = config2.Validate() + assert.Nil(t, err) assert.Equal(t, config2.TLSConfig.InsecureSkipVerify, true) - assert.Nil(t, config2.ProxyURL) + assert.Nil(t, config2.ProxyURL.URL, nil) } diff --git a/go.mod b/go.mod index 0acd0b453..31d89020b 100644 --- a/go.mod +++ b/go.mod @@ -18,3 +18,5 @@ require ( k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 sigs.k8s.io/controller-runtime v0.11.0 ) + +replace github.com/prometheus/common v0.32.1 => github.com/netobserv/prometheus-common v0.31.2-0.20220720134304-43e74fd22881 diff --git a/go.sum b/go.sum index 415f8e1da..74d8efbf9 100644 --- a/go.sum +++ b/go.sum @@ -775,6 +775,8 @@ github.com/netobserv/flowlogs-pipeline v0.1.2-0.20220616154151-f71171409f0b/go.m github.com/netobserv/gopipes v0.1.1/go.mod h1:eGoHZW1ON8Dx/zmDXUhsbVNqatPjtpdO0UZBmGZGmVI= github.com/netobserv/loki-client-go v0.0.0-20211018150932-cb17208397a9/go.mod h1:LHXpc5tjKvsfZn0pwLKrvlgEhZcCaw3Di9mUEZGAI4E= github.com/netobserv/netobserv-ebpf-agent v0.1.1-0.20220608092850-3fd4695b7cc2/go.mod h1:996FEHp8Xj+AKCkiN4eH3dl/yF2DzuYM0kchWZOrapM= +github.com/netobserv/prometheus-common v0.31.2-0.20220720134304-43e74fd22881 h1:hx5bi6xBovRjmwUoVJBzhJ3EDo4K4ZUsqqKrJuQ2vMI= +github.com/netobserv/prometheus-common v0.31.2-0.20220720134304-43e74fd22881/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/netsampler/goflow2 v1.1.1-0.20220509155230-5300494e4785/go.mod h1:yqw2cLe+lbnDN1+JKBqxoj2FKOA83iB8wV0aCKnlesg= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= @@ -894,8 +896,6 @@ github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9 github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4= -github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= diff --git a/vendor/github.com/prometheus/common/config/http_config.go b/vendor/github.com/prometheus/common/config/http_config.go index 5e4a7bdd1..6ca9e2fce 100644 --- a/vendor/github.com/prometheus/common/config/http_config.go +++ b/vendor/github.com/prometheus/common/config/http_config.go @@ -11,7 +11,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -//go:build go1.8 // +build go1.8 package config @@ -160,9 +159,6 @@ type OAuth2 struct { Scopes []string `yaml:"scopes,omitempty" json:"scopes,omitempty"` TokenURL string `yaml:"token_url" json:"token_url"` EndpointParams map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"` - - // TLSConfig is used to connect to the token URL. - TLSConfig TLSConfig `yaml:"tls_config,omitempty"` } // SetDirectory joins any relative file paths with dir. @@ -171,7 +167,6 @@ func (a *OAuth2) SetDirectory(dir string) { return } a.ClientSecretFile = JoinDir(dir, a.ClientSecretFile) - a.TLSConfig.SetDirectory(dir) } // HTTPClientConfig configures an HTTP client. @@ -189,13 +184,13 @@ type HTTPClientConfig struct { // Authorization.CredentialsFile. BearerTokenFile string `yaml:"bearer_token_file,omitempty" json:"bearer_token_file,omitempty"` // HTTP proxy server to use to connect to the targets. - ProxyURL *URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` + ProxyURL URL `yaml:"proxy_url,omitempty" json:"proxy_url,omitempty"` // TLSConfig to use to connect to the targets. TLSConfig TLSConfig `yaml:"tls_config,omitempty" json:"tls_config,omitempty"` // FollowRedirects specifies whether the client should follow HTTP 3xx redirects. // The omitempty flag is not set, because it would be hidden from the // marshalled configuration when set to false. - FollowRedirects bool `yaml:"follow_redirects,omitempty" json:"follow_redirects,omitempty"` + FollowRedirects bool `yaml:"follow_redirects" json:"follow_redirects"` } // SetDirectory joins any relative file paths with dir. @@ -269,6 +264,10 @@ func (c *HTTPClientConfig) Validate() error { return fmt.Errorf("at most one of oauth2 client_secret & client_secret_file must be configured") } } + // Change empty URL to nil to avoid connection errors + if c.ProxyURL.URL != nil && *c.ProxyURL.URL == (url.URL{}) { + c.ProxyURL.URL = nil + } return nil } @@ -599,25 +598,7 @@ func (rt *oauth2RoundTripper) RoundTrip(req *http.Request) (*http.Response, erro EndpointParams: mapToValues(rt.config.EndpointParams), } - tlsConfig, err := NewTLSConfig(&rt.config.TLSConfig) - if err != nil { - return nil, err - } - - var t http.RoundTripper - if len(rt.config.TLSConfig.CAFile) == 0 { - t = &http.Transport{TLSClientConfig: tlsConfig} - } else { - t, err = NewTLSRoundTripper(tlsConfig, rt.config.TLSConfig.CAFile, func(tls *tls.Config) (http.RoundTripper, error) { - return &http.Transport{TLSClientConfig: tls}, nil - }) - if err != nil { - return nil, err - } - } - - ctx := context.WithValue(context.Background(), oauth2.HTTPClient, &http.Client{Transport: t}) - tokenSource := config.TokenSource(ctx) + tokenSource := config.TokenSource(context.Background()) rt.mtx.Lock() rt.secret = secret @@ -786,6 +767,7 @@ func NewTLSRoundTripper( return nil, err } t.rt = rt + _, t.hashCAFile, err = t.getCAWithHash() if err != nil { return nil, err diff --git a/vendor/modules.txt b/vendor/modules.txt index 24004ad7e..6ffe6d46b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -139,7 +139,7 @@ github.com/prometheus/client_golang/prometheus/internal github.com/prometheus/client_golang/prometheus/promhttp # github.com/prometheus/client_model v0.2.0 github.com/prometheus/client_model/go -# github.com/prometheus/common v0.32.1 +# github.com/prometheus/common v0.32.1 => github.com/netobserv/prometheus-common v0.31.2-0.20220720134304-43e74fd22881 ## explicit github.com/prometheus/common/config github.com/prometheus/common/expfmt