Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use TLS via OpenShift service annotation when gateway/multitenancy is… #962

Merged
merged 19 commits into from
Jul 9, 2024
Merged

Use TLS via OpenShift service annotation when gateway/multitenancy is… #962

merged 19 commits into from
Jul 9, 2024

Conversation

rubenvp8510
Copy link
Collaborator

@rubenvp8510 rubenvp8510 commented Jul 3, 2024
edited
Loading

… disabled

Fixes #963

This PR doesn't cover monolitic. I would prefer to do it in a separate PR. in this way I can keep this PR small and move forward faster.

@codecov-commenter
Copy link

codecov-commenter commented Jul 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 33.33333% with 16 lines in your changes missing coverage. Please review.

Project coverage is 73.22%. Comparing base (e122de4) to head (88ea2e2).

Files Patch % Lines
internal/manifests/distributor/distributor.go 34.78% 13 Missing and 2 partials ⚠️
internal/webhooks/tempostack_webhook.go 0.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #962      +/-   ##
==========================================
- Coverage   73.36%   73.22%   -0.14%     
==========================================
  Files         105      105              
  Lines        6487     6503      +16     
==========================================
+ Hits         4759     4762       +3     
- Misses       1438     1450      +12     
- Partials      290      291       +1
Flag Coverage Δ
unittests 73.22% <33.33%> (-0.14%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

pavolloffay
pavolloffay reviewed Jul 3, 2024
View reviewed changes
apis/config/v1alpha1/projectconfig_types.go Outdated Show resolved Hide resolved
.chloggen/ingest_tls_openshift.yaml Show resolved Hide resolved
.chloggen/ingest_tls_openshift.yaml Outdated
# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please document how users could setup TLS to report data with the OCP service CA?

Is it enabled by default on OCP?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will include a brief explanation here. I think a more elaborate way on how to configure this on the client side (may be using otel collector) should be in the documentation and not in the subtext . Just my opinion.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a brief explanation, as I said I would prefer a more deep explanation on the documentation. As this is only a changelog. But if you thing I should include something here I'm not opposites.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@rubenvp8510
Add comments on the feature gate
f904bba 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
Add E2E tests with openshift TLS enabled
3520636 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510 rubenvp8510 force-pushed the ingest_tls_openshift branch 3 times, most recently from 16e1672 to 5903722 Compare July 4, 2024 05:08
@rubenvp8510
Improve changelog
5903722 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
fix ci
67d3715 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
Copy link
Collaborator Author

@pavolloffay Should we make TLS enable by default on OpenShift? following the principle of "making secure by default"?

@pavolloffay
Copy link
Collaborator

Do you mean using servicing certs on the Gateway public HTTTP and gRPC APIs (the users would need to use the service CA)?

@rubenvp8510
Copy link
Collaborator Author

Do you mean using servicing certs on the Gateway public HTTTP and gRPC APIs (the users would need to use the service CA)?

I don't understand well the question. From what I can see the gateway case is already implemented. This PR what it does is to use the service CA for the case when the gateway is not enabled. This means configure the distributor to use it directly (without the gateway)

@rubenvp8510
Improve changelog entry
5c0c525 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
andreasgerstmayr
andreasgerstmayr reviewed Jul 4, 2024
View reviewed changes
apis/config/v1alpha1/projectconfig_types.go Outdated Show resolved Hide resolved
internal/manifests/distributor/distributor.go Outdated Show resolved Hide resolved
internal/manifests/distributor/distributor.go Outdated Show resolved Hide resolved
internal/manifests/distributor/distributor.go Outdated Show resolved Hide resolved
@rubenvp8510
Use manifestutils and naming functions
ffcb50a 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
Merge branch 'main' into ingest_tls_openshift
874f031
@rubenvp8510
Use same servingCertsService flag
c38e13c 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
Fix e2e tests
fda004c 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
pavolloffay
pavolloffay approved these changes Jul 8, 2024
View reviewed changes
Copy link
Collaborator

@pavolloffay pavolloffay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,

I would just document into release notes how the clients can inject CA cert.

.chloggen/ingest_tls_openshift.yaml Show resolved Hide resolved
pavolloffay
pavolloffay requested changes Jul 8, 2024
View reviewed changes
.chloggen/ingest_tls_openshift.yaml Outdated Show resolved Hide resolved
@pavolloffay
Copy link
Collaborator

How are we going to expose this in the monolithic CR? It would be great to come up with a similar config. Do you have CRD draft?

@rubenvp8510
Copy link
Collaborator Author

How are we going to expose this in the monolithic CR? It would be great to come up with a similar config. Do you have CRD draft?

I don't have a draft, but I would say we can apply the same, if TLS is enabled but not certName is specified AND we are on openshift. we can use the service Certificate.

@rubenvp8510
Add more description to the changelog
88ea2e2 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510
Add documemntatioon direct into the CRD
353a68f 
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
@rubenvp8510 rubenvp8510 merged commit 75de22c into grafana:main Jul 9, 2024
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pavolloffay pavolloffay pavolloffay approved these changes

@andreasgerstmayr andreasgerstmayr Awaiting requested review from andreasgerstmayr

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use TLS via OpenShift service annotation when gateway/multitenancy is disabled
4 participants
@rubenvp8510 @codecov-commenter @pavolloffay @andreasgerstmayr