loki statusTls CRD option

netobserv · Mar 24, 2023 · 5803074 · 5803074
1 parent f3cc255
commit 5803074
Show file tree

Hide file tree

Showing 10 changed files with 342 additions and 11 deletions.
diff --git a/api/v1alpha1/flowcollector_webhook.go b/api/v1alpha1/flowcollector_webhook.go
@@ -57,6 +57,10 @@ func (r *FlowCollector) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Spec.Processor.Metrics.DisableAlerts = restored.Spec.Processor.Metrics.DisableAlerts
 	}
 
+	if restored.Spec.Loki.StatusTLS != nil {
+		dst.Spec.Loki.StatusTLS = restored.Spec.Loki.StatusTLS
+	}
+
 	return nil
 }
 
@@ -100,3 +104,10 @@ func Convert_v1beta1_FlowCollectorFLP_To_v1alpha1_FlowCollectorFLP(in *v1beta1.F
 func Convert_v1beta1_FLPMetrics_To_v1alpha1_FLPMetrics(in *v1beta1.FLPMetrics, out *FLPMetrics, s apiconversion.Scope) error {
 	return autoConvert_v1beta1_FLPMetrics_To_v1alpha1_FLPMetrics(in, out, s)
 }
+
+// This function need to be manually created because conversion-gen not able to create it intentionally because
+// we have new defined fields in v1beta1 not in v1alpha1
+// nolint:golint,stylecheck,revive
+func Convert_v1beta1_FlowCollectorLoki_To_v1alpha1_FlowCollectorLoki(in *v1beta1.FlowCollectorLoki, out *FlowCollectorLoki, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_FlowCollectorLoki_To_v1alpha1_FlowCollectorLoki(in, out, s)
+}
diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go
diff --git a/api/v1beta1/flowcollector_types.go b/api/v1beta1/flowcollector_types.go
@@ -512,6 +512,11 @@ type FlowCollectorLoki struct {
 	// tls client configuration.
 	// +optional
 	TLS ClientTLS `json:"tls"`
+
+	// tls client configuration for status URL.
+	// fallback on tls if not set
+	// +optional
+	StatusTLS *ClientTLS `json:"statusTls"`
 }
 
 // FlowCollectorConsolePlugin defines the desired ConsolePlugin state of FlowCollector

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -3363,6 +3363,72 @@ spec:
                     description: staticLabels is a map of common labels to set on
                       each flow.
                     type: object
+                  statusTls:
+                    description: tls client configuration for status URL. fallback
+                      on tls if not set
+                    properties:
+                      caCert:
+                        description: caCert defines the reference of the certificate
+                          for the Certificate Authority
+                        properties:
+                          certFile:
+                            description: certFile defines the path to the certificate
+                              file name within the config map or secret
+                            type: string
+                          certKey:
+                            description: certKey defines the path to the certificate
+                              private key file name within the config map or secret.
+                              Omit when the key is not necessary.
+                            type: string
+                          name:
+                            description: name of the config map or secret containing
+                              certificates
+                            type: string
+                          type:
+                            description: 'type for the certificate reference: "configmap"
+                              or "secret"'
+                            enum:
+                            - configmap
+                            - secret
+                            type: string
+                        type: object
+                      enable:
+                        default: false
+                        description: enable TLS
+                        type: boolean
+                      insecureSkipVerify:
+                        default: false
+                        description: insecureSkipVerify allows skipping client-side
+                          verification of the server certificate If set to true, CACert
+                          field will be ignored
+                        type: boolean
+                      userCert:
+                        description: userCert defines the user certificate reference,
+                          used for mTLS (you can ignore it when using regular, one-way
+                          TLS)
+                        properties:
+                          certFile:
+                            description: certFile defines the path to the certificate
+                              file name within the config map or secret
+                            type: string
+                          certKey:
+                            description: certKey defines the path to the certificate
+                              private key file name within the config map or secret.
+                              Omit when the key is not necessary.
+                            type: string
+                          name:
+                            description: name of the config map or secret containing
+                              certificates
+                            type: string
+                          type:
+                            description: 'type for the certificate reference: "configmap"
+                              or "secret"'
+                            enum:
+                            - configmap
+                            - secret
+                            type: string
+                        type: object
+                    type: object
                   statusUrl:
                     description: statusURL specifies the address of the Loki /ready
                       /metrics /config endpoints, in case it is different from the

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -3350,6 +3350,72 @@ spec:
                     description: staticLabels is a map of common labels to set on
                       each flow.
                     type: object
+                  statusTls:
+                    description: tls client configuration for status URL. fallback
+                      on tls if not set
+                    properties:
+                      caCert:
+                        description: caCert defines the reference of the certificate
+                          for the Certificate Authority
+                        properties:
+                          certFile:
+                            description: certFile defines the path to the certificate
+                              file name within the config map or secret
+                            type: string
+                          certKey:
+                            description: certKey defines the path to the certificate
+                              private key file name within the config map or secret.
+                              Omit when the key is not necessary.
+                            type: string
+                          name:
+                            description: name of the config map or secret containing
+                              certificates
+                            type: string
+                          type:
+                            description: 'type for the certificate reference: "configmap"
+                              or "secret"'
+                            enum:
+                            - configmap
+                            - secret
+                            type: string
+                        type: object
+                      enable:
+                        default: false
+                        description: enable TLS
+                        type: boolean
+                      insecureSkipVerify:
+                        default: false
+                        description: insecureSkipVerify allows skipping client-side
+                          verification of the server certificate If set to true, CACert
+                          field will be ignored
+                        type: boolean
+                      userCert:
+                        description: userCert defines the user certificate reference,
+                          used for mTLS (you can ignore it when using regular, one-way
+                          TLS)
+                        properties:
+                          certFile:
+                            description: certFile defines the path to the certificate
+                              file name within the config map or secret
+                            type: string
+                          certKey:
+                            description: certKey defines the path to the certificate
+                              private key file name within the config map or secret.
+                              Omit when the key is not necessary.
+                            type: string
+                          name:
+                            description: name of the config map or secret containing
+                              certificates
+                            type: string
+                          type:
+                            description: 'type for the certificate reference: "configmap"
+                              or "secret"'
+                            enum:
+                            - configmap
+                            - secret
+                            type: string
+                        type: object
+                    type: object
                   statusUrl:
                     description: statusURL specifies the address of the Loki /ready
                       /metrics /config endpoints, in case it is different from the

diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
@@ -30,6 +30,7 @@ const configFile = "config.yaml"
 const configVolume = "config-volume"
 const configPath = "/opt/app-root/"
 const lokiCerts = "loki-certs"
+const lokiStatusCerts = "loki-status-certs"
 const tokensPath = "/var/run/secrets/tokens/"
 
 type builder struct {
@@ -184,6 +185,16 @@ func buildArgs(desired *flowslatest.FlowCollectorSpec) []string {
 			args = append(args, "--loki-ca-path", helper.GetCACertPath(&desired.Loki.TLS, lokiCerts))
 		}
 	}
+
+	statusTLS := helper.LokiStatusTLS(&desired.Loki)
+	if statusTLS.Enable {
+		if statusTLS.InsecureSkipVerify {
+			args = append(args, "-loki-status-skip-tls")
+		} else {
+			args = append(args, "--loki-status-ca-path", helper.GetCACertPath(&statusTLS, lokiStatusCerts))
+		}
+	}
+
 	if helper.LokiUseHostToken(&desired.Loki) {
 		args = append(args, "-loki-token-path", tokenPath(&desired.Loki))
 	}
@@ -226,6 +237,11 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
 		volumes, volumeMounts = helper.AppendCertVolumes(volumes, volumeMounts, &b.desired.Loki.TLS, lokiCerts, b.cWatcher)
 	}
 
+	statusTLS := helper.LokiStatusTLS(&b.desired.Loki)
+	if b.desired != nil && statusTLS.Enable && !statusTLS.InsecureSkipVerify {
+		volumes, volumeMounts = helper.AppendCertVolumes(volumes, volumeMounts, &statusTLS, lokiStatusCerts, b.cWatcher)
+	}
+
 	if helper.LokiUseHostToken(&b.desired.Loki) {
 		volumes, volumeMounts = helper.AppendTokenVolume(volumes, volumeMounts, constants.PluginName, constants.PluginName)
 	}

diff --git a/controllers/consoleplugin/consoleplugin_reconciler.go b/controllers/consoleplugin/consoleplugin_reconciler.go
@@ -197,7 +197,7 @@ func (r *CPReconciler) reconcileDeployment(ctx context.Context, builder builder,
 
 	newDepl := builder.deployment(cmDigest)
 	// Annotate pod with certificate reference so that it is reloaded if modified
-	if err := r.CertWatcher.AnnotatePod(ctx, r.Client, &newDepl.Spec.Template, lokiCerts); err != nil {
+	if err := r.CertWatcher.AnnotatePod(ctx, r.Client, &newDepl.Spec.Template, lokiCerts, lokiStatusCerts); err != nil {
 		return err
 	}
 	if !r.nobjMngr.Exists(r.owned.deployment) {