Sanitize volume names for ca bundle and certificates
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
rubenvp8510 committed Jul 12, 2024
1 parent 7d2f057 commit 350a27e
Showing 2 changed files with 17 additions and 10 deletions.
10 changes: 6 additions & 4 deletions internal/manifests/distributor/distributor.go
Expand Up @@ -77,11 +77,12 @@ func resources(tempo v1alpha1.TempoStack) corev1.ResourceRequirements {
func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName string) error {
podSpec := &dep.Spec.Template.Spec
if caSecretName != "" {
volumeName := naming.DNSName(caSecretName)
/*Configure CA*/
secretCAVolumeSpec := corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: caSecretName,
Name: volumeName,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Expand All @@ -96,7 +97,7 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
secretCAContainerSpec := corev1.Container{
VolumeMounts: []corev1.VolumeMount{
{
Name: caSecretName,
Name: volumeName,
ReadOnly: true,
MountPath: manifestutils.ReceiverTLSCADir,
},
Expand All @@ -110,11 +111,12 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
return kverrors.Wrap(err, "failed to merge container")
}
}
secretVolumeName := naming.DNSName(certSecretName)

secretCertVolumeSpec := corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: certSecretName,
Name: secretVolumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: certSecretName,
Expand All @@ -126,7 +128,7 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
secretCertContainerSpec := corev1.Container{
VolumeMounts: []corev1.VolumeMount{
{
Name: certSecretName,
Name: secretVolumeName,
ReadOnly: true,
MountPath: manifestutils.ReceiverTLSCertDir,
},
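Review bot: The two sanitized volume names in configureReceiversTLS can collide: `volumeName` is derived from caSecretName and `secretVolumeName` from certSecretName, both through naming.DNSName, and nothing checks that the results differ. If two distinct input names normalize to one DNS label the pod spec carries two volumes with the same name; the API server rejects such a spec, or, depending on how the merge reported as "failed to merge container" treats same-named entries, one volume may silently replace the other so the CA directory is served from the certificate secret. naming.DNSName's implementation is not shown, so this is an inference from its name: lowercasing, truncation or character replacement would each let different inputs map to the same output. Inside the `if caSecretName != ""` block, reject the collision before building either spec: `if volumeName == naming.DNSName(certSecretName) { return errors.New("ca and certificate secret names collide after sanitization") }` (substitute the error constructor this file already uses, since only kverrors.Wrap is visible here). The body of configureReceiversTLS continues past the end of this section.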
17 changes: 11 additions & 6 deletions internal/manifests/manifestutils/tls.go
Expand Up @@ -8,6 +8,7 @@ import (
"k8s.io/apimachinery/pkg/labels"

"github.com/grafana/tempo-operator/apis/tempo/v1alpha1"
"github.com/grafana/tempo-operator/internal/manifests/naming"
)

// MountCAConfigMap mounts the CA ConfigMap in a pod.
Expand All @@ -22,15 +23,17 @@ func MountCAConfigMap(
return err
}

volumeName := naming.DNSName(caConfigMap)

pod.Containers[containerIdx].VolumeMounts = append(pod.Containers[containerIdx].VolumeMounts, corev1.VolumeMount{
Name: caConfigMap,
Name: volumeName,
MountPath: caDir,
ReadOnly: true,
})

if !containsVolume(pod, caConfigMap) {
if !containsVolume(pod, volumeName) {
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: caConfigMap,
Name: volumeName,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Expand All @@ -56,15 +59,17 @@ func MountCertSecret(
return err
}

volumeName := naming.DNSName(certSecret)

pod.Containers[containerIdx].VolumeMounts = append(pod.Containers[containerIdx].VolumeMounts, corev1.VolumeMount{
Name: certSecret,
Name: volumeName,
MountPath: certDir,
ReadOnly: true,
})

if !containsVolume(pod, certSecret) {
if !containsVolume(pod, volumeName) {
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: certSecret,
Name: volumeName,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: certSecret,
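Review bot: The `if !containsVolume(pod, volumeName)` guard in MountCAConfigMap now keys on the sanitized name, so when a second ConfigMap normalizes to the same DNS label its volume is skipped while its VolumeMount is still appended, and that mount resolves to the first ConfigMap's contents — the container silently gets the wrong CA bundle at caDir. MountCertSecret has the same shape with Secret volumes, and a wrong certificate mount is at least as bad. naming.DNSName is not shown here, so how likely a collision is depends on its normalization, but with a user-supplied name on one side of the comparison the check is cheap. Before skipping, verify the existing volume has the same source and fail otherwise; both functions begin before their hunks and the file's error-return convention is not visible, so use its own error constructor (fmt is not among the imports shown).
```go
volumeName := naming.DNSName(caConfigMap)

// … unchanged: VolumeMount append …

// Refuse to alias a different ConfigMap onto a volume whose sanitized
// name happens to match; otherwise caDir is silently served from it.
for i := range pod.Volumes {
	if pod.Volumes[i].Name != volumeName {
		continue
	}
	if cm := pod.Volumes[i].ConfigMap; cm == nil || cm.Name != caConfigMap {
		return fmt.Errorf("volume %q already exists with a source other than configmap %q", volumeName, caConfigMap)
	}
}

if !containsVolume(pod, volumeName) {
	// … unchanged: volume definition …
```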
