Skip to content

operator: Configure gateway to honor the global TLS security profile #6870

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 6, 2022
Merged

operator: Configure gateway to honor the global TLS security profile #6870

merged 11 commits into from
Sep 6, 2022

Conversation

aminesnow
Copy link
Contributor

@aminesnow aminesnow commented Aug 10, 2022
edited
Loading

What this PR does / why we need it:
This PR enables the gateway to be configured with the minimum TLS version and ciphers defined in the global apiservers configuration on the OpenShift Platform.

Checklist

  • Documentation added
  • Tests updated
  • Is this an important fix or new feature? Add an entry in the CHANGELOG.md.
  • Changes that require user attention or interaction to upgrade are documented in docs/sources/upgrading/_index.md

@aminesnow aminesnow changed the title Operator: Configure loki-operator to honor the global tlsSecurityProfile on Openshift Operator: Configure gateway to honor the global tlsSecurityProfile on Openshift Aug 10, 2022
@aminesnow aminesnow marked this pull request as ready for review August 10, 2022 17:06
@aminesnow aminesnow requested a review from a team as a code owner August 10, 2022 17:06
@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

Red-GV
Red-GV reviewed Aug 25, 2022
View reviewed changes
Copy link
Contributor

@Red-GV Red-GV left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good so far!

A few comments on this one:

operator/internal/handlers/lokistack_create_or_update.go Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if the better option here is to expand the Options structure to also have an optional TLS configuration pieces from the apiServer object.

Also, returning an error here causes an issue in base K8s, no? We should only return a degraded error if we are on an OpenShift cluster.

Copy link
Collaborator

@xperimental xperimental Aug 26, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that adding it to Options is probably a better deal. We can also convert the TLSSecurityProfile to the information we actually need (minimum TLS version and cipher list) before passing it into the manifest generation.

The request to get the APIServer resource can only be done on OpenShift and will fail on other clusters. But even on OpenShift it can not be assumed that the TLSSecurityProfile is configured. This leads to the question what a sensible fallback is, I'd say either we go with the intermediate profile like the PR implementation already does or we skip configuring the TLS version and ciphers like we did before.

operator/internal/manifests/gateway_tenants_test.go Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe move this to some helper function to reference rather than put the entire list here? Perhaps there's a way to grab all the cipher-suites and filter them by tls version allowed?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An alternative would be to configure some "dummy values" just for testing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh! I hadn't noticed this was the test file. Yeah, maybe some dummy values would be best.

periklis
periklis requested changes Aug 29, 2022
View reviewed changes
Copy link
Collaborator

@periklis periklis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great start into supporting a TLS profile for our managed components in Loki. This work is really awesome 🚀

In general the code looks clear and concise for me. However, we need to polish out this feature for k8s first and make the automation piggypacking on openshiftv1.ApiServers CRD only optional. Thus I suggest to address this like this:

  • First let's add a configuration option in the operator configuration for selecting one of the three named profiles. All three are general names from Mozilla's work on groups TLS versions and cipher suites.
  • Add a feature flag for OpenShift that overwrites per default the operator config for TLSProfile with the values from the APIServer CRD.
  • In general pass anything from the CRD or the operator configuration to the custom manifest.Options with new fields and minimize the exposure to optional CRDs.

WDYT? (cc @xperimental @Red-GV )

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

periklis
periklis requested changes Aug 30, 2022
View reviewed changes
Copy link
Collaborator

@periklis periklis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks way better and more decoupled than the first version. However I suggest to decouple from using enumerations from the openshift/api package to remove the burden of maintaining version compatibility in general (as per both our code base and openshift/api depend on k8s).

I suggest simply to create an enumeration for three TLS Profiles (https://wiki.mozilla.org/Security/Server_Side_TLS) and use it across our code base. In addition I suggest to replace DisableAPIServerTLSProfile with a simple TLSProfile field so non-openshift users can declare what profile they want to choose directly.

@aminesnow
Copy link
Contributor Author

@periklis Thanks for the feedback!
There is actually a 4th enum value Custom, and it allows the user to define a custom profile. I would like to keep supporting it in addition to the 3 main ones.
Also, DisableAPIServerTLSProfile is defined in the openshift options because by default, when using openshift, we get the profile from the api server, and this allows the user to disable it so that they can define their own setting. So I'm confused by your comment regarding this..

@periklis
Copy link
Collaborator

@periklis Thanks for the feedback! There is actually a 4th enum value Custom, and it allows the user to define a custom profile. I would like to keep supporting it in addition to the 3 main ones.

Supporting Custom would require to add a set of two fields one for TLSMinVersion and one for TLSCipherSuites in the operator project config. I would like to skip this extra options if nobody asks for them.

Also, DisableAPIServerTLSProfile is defined in the openshift options because by default, when using openshift, we get the profile from the api server, and this allows the user to disable it so that they can define their own setting. So I'm confused by your comment regarding this..

An Options with DisableAPIServer... as a prefix is quite confusing for normal k8s users. I even doubt if this feature is well known and understood in the OpenShift ecosystem. Thus I would like to lower the confusion by making this field the input enumeration to select one of the three public listed profiles (See link to Mozilla). Our project config for OpenShift users will let this field empty and use the ApiServer CRD to fetch the profile.

@aminesnow
Copy link
Contributor Author

@periklis understood, thanks for the explanation!

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

1 similar comment
@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0.1%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

periklis
periklis requested changes Sep 1, 2022
View reviewed changes
@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
-              logql	-0.4%
+               loki	0%

periklis
periklis requested changes Sep 5, 2022
View reviewed changes
@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

periklis
periklis reviewed Sep 6, 2022
View reviewed changes
Copy link
Collaborator

@periklis periklis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor suggestions and we are good to go

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

@grafanabot
Copy link
Contributor

./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+           ingester	0%
+        distributor	0%
+            querier	0%
+ querier/queryrange	0%
+               iter	0%
+            storage	0%
+           chunkenc	0%
+              logql	0%
+               loki	0%

@periklis periklis changed the title Operator: Configure gateway to honor the global tlsSecurityProfile on Openshift operator: Configure gateway to honor the global TLS security profile Sep 6, 2022
@periklis periklis merged commit a068c12 into grafana:main Sep 6, 2022
@periklis periklis mentioned this pull request Sep 9, 2022
Merged
4 tasks
lxwzy pushed a commit to lxwzy/loki that referenced this pull request Nov 7, 2022
@lxwzy
operator: Configure gateway to honor the global TLS security profile (g…
91a6ea3 
…rafana#6870)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xperimental xperimental xperimental left review comments

@periklis periklis periklis approved these changes

+1 more reviewer

@Red-GV Red-GV Red-GV left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
sig/operator size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@aminesnow @grafanabot @periklis @xperimental @Red-GV