NETOBSERV-1087: Added fields for ca certificate configuration

api/v1alpha1/flowcollector_webhook.go

@@ -76,6 +76,9 @@ func (r *FlowCollector) ConvertTo(dstRaw conversion.Hub) error {
 
 	dst.Spec.ConsolePlugin.Enable = restored.Spec.ConsolePlugin.Enable
 
+	dst.Spec.Processor.Metrics.Server.TLS.InsecureSkipVerify = restored.Spec.Processor.Metrics.Server.TLS.InsecureSkipVerify
+	dst.Spec.Processor.Metrics.Server.TLS.ProvidedCaFile = restored.Spec.Processor.Metrics.Server.TLS.ProvidedCaFile
+
 	if restored.Spec.Exporters != nil {
 		for _, restoredExp := range restored.Spec.Exporters {
 			if !isExporterIn(restoredExp, dst.Spec.Exporters) {
@@ -162,3 +165,11 @@ func Convert_v1beta1_FlowCollectorExporter_To_v1alpha1_FlowCollectorExporter(in
 func Convert_v1beta1_FlowCollectorEBPF_To_v1alpha1_FlowCollectorEBPF(in *v1beta1.FlowCollectorEBPF, out *FlowCollectorEBPF, s apiconversion.Scope) error {
 	return autoConvert_v1beta1_FlowCollectorEBPF_To_v1alpha1_FlowCollectorEBPF(in, out, s)
 }
+
+// // This function need to be manually created because conversion-gen not able to create it intentionally because
+// // we have new defined fields in v1beta1 not in v1alpha1
+// // nolint:golint,stylecheck,revive
+// func Convert_v1beta1_CertificateReference_To_v1alpha1_CertificateReference(in *v1beta1.CertificateReference, out *CertificateReference, s apiconversion.Scope) error {
+func Convert_v1beta1_ServerTLS_To_v1alpha1_ServerTLS(in *v1beta1.ServerTLS, out *ServerTLS, s apiconversion.Scope) error {
+	return autoConvert_v1beta1_ServerTLS_To_v1alpha1_ServerTLS(in, out, s)
+}

api/v1beta1/flowcollector_types.go

@@ -294,6 +294,15 @@ type ServerTLS struct {
 	// TLS configuration when `type` is set to `PROVIDED`.
 	// +optional
 	Provided *CertificateReference `json:"provided"`
+
+	//+kubebuilder:default:=false
+	// insecureSkipVerify allows skipping client-side verification of the provided certificate
+	// If set to true, ProvidedCaFile field will be ignored
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+
+	// Reference to the CA file will be ignored
+	// +optional
+	ProvidedCaFile *FileReference `json:"providedCaFile,omitempty"`
 }
 
 // `MetricsServerConfig` define the metrics server endpoint configuration for Prometheus scraper
@@ -689,6 +698,24 @@ const (
 	RefTypeConfigMap MountableType = "configmap"
 )
 
+type FileReference struct {
+	//+kubebuilder:validation:Enum=configmap;secret
+	// type for the file reference: "configmap" or "secret"
+	Type MountableType `json:"type,omitempty"`
+
+	// name of the config map or secret containing the file
+	Name string `json:"name,omitempty"`
+
+	// namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed.
+	// If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.
+	// +optional
+	//+kubebuilder:default:=""
+	Namespace string `json:"namespace,omitempty"`
+
+	// file defines the file name within the config map or secret
+	File string `json:"file,omitempty"`
+}
+
 type CertificateReference struct {
 	//+kubebuilder:validation:Enum=configmap;secret
 	// Type for the certificate reference: `configmap` or `secret`

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -4481,6 +4481,12 @@ spec:
                           tls:
                             description: TLS configuration.
                             properties:
+                              insecureSkipVerify:
+                                default: false
+                                description: insecureSkipVerify allows skipping client-side
+                                  verification of the provided certificate If set
+                                  to true, ProvidedCaFile field will be ignored
+                                type: boolean
                               provided:
                                 description: TLS configuration when `type` is set
                                   to `PROVIDED`.
@@ -4517,6 +4523,34 @@ spec:
                                     - secret
                                     type: string
                                 type: object
+                              providedCaFile:
+                                description: Reference to the CA file will be ignored
+                                properties:
+                                  file:
+                                    description: file defines the file name within
+                                      the config map or secret
+                                    type: string
+                                  name:
+                                    description: name of the config map or secret
+                                      containing the file
+                                    type: string
+                                  namespace:
+                                    default: ""
+                                    description: namespace of the config map or secret
+                                      containing the file. If omitted, assumes same
+                                      namespace as where NetObserv is deployed. If
+                                      the namespace is different, the config map or
+                                      the secret will be copied so that it can be
+                                      mounted as required.
+                                    type: string
+                                  type:
+                                    description: 'type for the file reference: "configmap"
+                                      or "secret"'
+                                    enum:
+                                    - configmap
+                                    - secret
+                                    type: string
+                                type: object
                               type:
                                 default: DISABLED
                                 description: Select the type of TLS configuration:<br>

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -4468,6 +4468,12 @@ spec:
                           tls:
                             description: TLS configuration.
                             properties:
+                              insecureSkipVerify:
+                                default: false
+                                description: insecureSkipVerify allows skipping client-side
+                                  verification of the provided certificate If set
+                                  to true, ProvidedCaFile field will be ignored
+                                type: boolean
                               provided:
                                 description: TLS configuration when `type` is set
                                   to `PROVIDED`.
@@ -4504,6 +4510,34 @@ spec:
                                     - secret
                                     type: string
                                 type: object
+                              providedCaFile:
+                                description: Reference to the CA file will be ignored
+                                properties:
+                                  file:
+                                    description: file defines the file name within
+                                      the config map or secret
+                                    type: string
+                                  name:
+                                    description: name of the config map or secret
+                                      containing the file
+                                    type: string
+                                  namespace:
+                                    default: ""
+                                    description: namespace of the config map or secret
+                                      containing the file. If omitted, assumes same
+                                      namespace as where NetObserv is deployed. If
+                                      the namespace is different, the config map or
+                                      the secret will be copied so that it can be
+                                      mounted as required.
+                                    type: string
+                                  type:
+                                    description: 'type for the file reference: "configmap"
+                                      or "secret"'
+                                    enum:
+                                    - configmap
+                                    - secret
+                                    type: string
+                                type: object
                               type:
                                 default: DISABLED
                                 description: Select the type of TLS configuration:<br>

controllers/flowlogspipeline/flp_common_objects.go

@@ -807,9 +807,12 @@ func (b *builder) serviceMonitor() *monitoringv1.ServiceMonitor {
 		flpServiceMonitorObject.Spec.Endpoints[0].TLSConfig = &monitoringv1.TLSConfig{
 			SafeTLSConfig: monitoringv1.SafeTLSConfig{
 				ServerName:         serverName,
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: b.desired.Processor.Metrics.Server.TLS.InsecureSkipVerify,
 			},
 		}
+		if !b.desired.Processor.Metrics.Server.TLS.InsecureSkipVerify && b.desired.Processor.Metrics.Server.TLS.ProvidedCaFile.File != "" {
+			flpServiceMonitorObject.Spec.Endpoints[0].TLSConfig.SafeTLSConfig.CA = helper.GetSecretOrConfigMap(b.desired.Processor.Metrics.Server.TLS.ProvidedCaFile)
+		}
 	}
 
 	return &flpServiceMonitorObject

docs/FlowCollector.md

@@ -7972,12 +7972,28 @@ TLS configuration.
         </tr>
     </thead>
     <tbody><tr>
+        <td><b>insecureSkipVerify</b></td>
+        <td>boolean</td>
+        <td>
+          insecureSkipVerify allows skipping client-side verification of the provided certificate If set to true, ProvidedCaFile field will be ignored<br/>
+          <br/>
+            <i>Default</i>: false<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
         <td><b><a href="#flowcollectorspecprocessormetricsservertlsprovided-1">provided</a></b></td>
         <td>object</td>
         <td>
           TLS configuration when `type` is set to `PROVIDED`.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#flowcollectorspecprocessormetricsservertlsprovidedcafile">providedCaFile</a></b></td>
+        <td>object</td>
+        <td>
+          Reference to the CA file will be ignored<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>type</b></td>
         <td>enum</td>
@@ -8051,6 +8067,58 @@ TLS configuration when `type` is set to `PROVIDED`.
 </table>
 
 
+### FlowCollector.spec.processor.metrics.server.tls.providedCaFile
+<sup><sup>[↩ Parent](#flowcollectorspecprocessormetricsservertls-1)</sup></sup>
+
+
+
+Reference to the CA file will be ignored
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>file</b></td>
+        <td>string</td>
+        <td>
+          file defines the file name within the config map or secret<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          name of the config map or secret containing the file<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>namespace</b></td>
+        <td>string</td>
+        <td>
+          namespace of the config map or secret containing the file. If omitted, assumes same namespace as where NetObserv is deployed. If the namespace is different, the config map or the secret will be copied so that it can be mounted as required.<br/>
+          <br/>
+            <i>Default</i>: <br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>type</b></td>
+        <td>enum</td>
+        <td>
+          type for the file reference: "configmap" or "secret"<br/>
+          <br/>
+            <i>Enum</i>: configmap, secret<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### FlowCollector.spec.processor.resources
 <sup><sup>[↩ Parent](#flowcollectorspecprocessor-1)</sup></sup>
 

pkg/helper/monitoring.go

@@ -0,0 +1,28 @@
+package helper
+
+import (
+	flowslatest "github.com/netobserv/network-observability-operator/api/v1beta1"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func GetSecretOrConfigMap(file *flowslatest.FileReference) monitoringv1.SecretOrConfigMap {
+	if file.Type == flowslatest.RefTypeConfigMap {
+		return monitoringv1.SecretOrConfigMap{
+			ConfigMap: &corev1.ConfigMapKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: file.Name,
+				},
+				Key: file.File,
+			},
+		}
+	}
+	return monitoringv1.SecretOrConfigMap{
+		Secret: &corev1.SecretKeySelector{
+			LocalObjectReference: corev1.LocalObjectReference{
+				Name: file.Name,
+			},
+			Key: file.File,
+		},
+	}
+}

pkg/helper/monitoring_test.go

@@ -0,0 +1,36 @@
+package helper
+
+import (
+	"testing"
+
+	flowslatest "github.com/netobserv/network-observability-operator/api/v1beta1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestConfigmapToSecretOrConfig(t *testing.T) {
+	assert := assert.New(t)
+	file := flowslatest.FileReference{
+		Type: flowslatest.RefTypeConfigMap,
+		Name: "Foo",
+		File: "test.txt",
+	}
+	res := GetSecretOrConfigMap(&file)
+	assert.Nil(res.Secret)
+	assert.NotNil(res.ConfigMap)
+	assert.Equal(res.ConfigMap.LocalObjectReference.Name, "Foo")
+	assert.Equal(res.ConfigMap.Key, "test.txt")
+}
+
+func TestSecretToSecretOrConfig(t *testing.T) {
+	assert := assert.New(t)
+	file := flowslatest.FileReference{
+		Type: flowslatest.RefTypeSecret,
+		Name: "Foo",
+		File: "test.txt",
+	}
+	res := GetSecretOrConfigMap(&file)
+	assert.Nil(res.ConfigMap)
+	assert.NotNil(res.Secret)
+	assert.Equal(res.Secret.LocalObjectReference.Name, "Foo")
+	assert.Equal(res.Secret.Key, "test.txt")
+}