Use openshift service annotation when gateway is disabled (monolithic) (#975)

Signed-off-by: Ruben Vargas <[email protected]>
rubenvp8510 authored Jul 12, 2024
1 parent 5d1772f commit 7d2f057
Showing 26 changed files with 646 additions and 47 deletions.
41 changes: 41 additions & 0 deletions .chloggen/tls_cert_serv_mono.yaml
@@ -0,0 +1,41 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
component: tempomonolithic

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Use TLS via OpenShift service annotation when gateway/multitenancy is disabled (monolithic)

# One or more tracking issues related to the change
issues: [963]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext: |
On OpenShift when operator config `servingCertsService` is enabled and the following TempoMonolithic CR is used.
The operator provisions OpenShift serving certificates for the distributor ingest APIs
```
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
spec:
ingestion:
otlp:
grpc:
tls:
enabled: true
```
or
```
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
spec:
ingestion:
otlp:
http:
tls:
enabled: true
```
No `certName` and `caName` should be provided, If you specify it, those will be used instead.
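Review bot: the closing line of `subtext` is ungrammatical and does not say what is actually provisioned; suggest "Leave `certName` and `caName` unset to use the OpenShift service serving certificate; if either is set, the user-provided Secret/ConfigMap is used instead." Worth adding the operational caveat here as well: a certificate issued by the OpenShift service CA is only valid for the Service DNS names (`<service>.<namespace>.svc` and the `.svc.cluster.local` form), so OTLP clients must address the Tempo service by that name and trust the injected service CA bundle rather than a public or cluster CA. "distributor ingest APIs" also reads oddly for the monolithic deployment, where the single Tempo process serves the OTLP ports.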
6 changes: 6 additions & 0 deletions apis/tempo/v1alpha1/tempomonolithic_types.go
Expand Up @@ -190,6 +190,9 @@ type MonolithicIngestionOTLPProtocolsGRPCSpec struct {

// TLS defines the TLS configuration for OTLP/gRPC ingestion.
//
// On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
// are provided it will use OpenShift serving certificate service.
//
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS"
TLS *TLSSpec `json:"tls,omitempty"`
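Review bot: the added doc comment is ungrammatical ("when operator config `servingCertsService` and TLS is enabled ... it will use OpenShift serving certificate service") and this exact text is copied verbatim into every generated CRD and CSV in this commit, so fix it here at the source and regenerate. Suggest: "On OpenShift, when the operator feature gate `servingCertsService` is enabled, TLS is enabled, and neither `certName` nor `caName` is set, the operator requests an OpenShift service serving certificate and uses it together with the injected service CA bundle." The same sentence is repeated for the OTLP/HTTP field below and should be fixed identically.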
Expand All @@ -207,6 +210,9 @@ type MonolithicIngestionOTLPProtocolsHTTPSpec struct {

// TLS defines the TLS configuration for OTLP/HTTP ingestion.
//
// On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
// are provided it will use OpenShift serving certificate service.
//
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS"
TLS *TLSSpec `json:"tls,omitempty"`
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1
createdAt: "2024-07-09T01:46:53Z"
createdAt: "2024-07-10T03:57:59Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
Expand Down Expand Up @@ -249,7 +249,10 @@ spec:
- description: GRPC defines the OTLP over gRPC configuration.
displayName: gRPC
path: ingestion.otlp.grpc
- description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
- description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.grpc.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
Expand All @@ -271,7 +274,10 @@ spec:
- description: HTTP defines the OTLP over HTTP configuration.
displayName: HTTP
path: ingestion.otlp.http
- description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
- description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.http.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
16 changes: 12 additions & 4 deletions bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml
Expand Up @@ -963,8 +963,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/gRPC
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/gRPC ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
Expand Down Expand Up @@ -997,8 +1001,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/HTTP
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/HTTP ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1
createdAt: "2024-07-09T01:46:51Z"
createdAt: "2024-07-10T03:57:57Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
Expand Down Expand Up @@ -249,7 +249,10 @@ spec:
- description: GRPC defines the OTLP over gRPC configuration.
displayName: gRPC
path: ingestion.otlp.grpc
- description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
- description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.grpc.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
Expand All @@ -271,7 +274,10 @@ spec:
- description: HTTP defines the OTLP over HTTP configuration.
displayName: HTTP
path: ingestion.otlp.http
- description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
- description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.http.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
16 changes: 12 additions & 4 deletions bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml
Expand Up @@ -963,8 +963,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/gRPC
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/gRPC ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
Expand Down Expand Up @@ -997,8 +1001,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/HTTP
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/HTTP ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
16 changes: 12 additions & 4 deletions config/crd/bases/tempo.grafana.com_tempomonolithics.yaml
Expand Up @@ -959,8 +959,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/gRPC
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/gRPC ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
Expand Down Expand Up @@ -993,8 +997,12 @@ spec:
Default: enabled.
type: boolean
tls:
description: TLS defines the TLS configuration for OTLP/HTTP
ingestion.
description: |-
TLS defines the TLS configuration for OTLP/HTTP ingestion.
On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName`
are provided it will use OpenShift serving certificate service.
properties:
caName:
description: |-
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,10 @@ spec:
- description: GRPC defines the OTLP over gRPC configuration.
displayName: gRPC
path: ingestion.otlp.grpc
- description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
- description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.grpc.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
Expand All @@ -200,7 +203,10 @@ spec:
- description: HTTP defines the OTLP over HTTP configuration.
displayName: HTTP
path: ingestion.otlp.http
- description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
- description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.http.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,10 @@ spec:
- description: GRPC defines the OTLP over gRPC configuration.
displayName: gRPC
path: ingestion.otlp.grpc
- description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
- description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.grpc.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
Expand All @@ -200,7 +203,10 @@ spec:
- description: HTTP defines the OTLP over HTTP configuration.
displayName: HTTP
path: ingestion.otlp.http
- description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
- description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
On OpenShift when operator config `servingCertsService` and TLS is enabled
\ but no `certName` and `caName` are provided it will use OpenShift serving
certificate service."
displayName: TLS
path: ingestion.otlp.http.tls
- description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
4 changes: 2 additions & 2 deletions docs/spec/tempo.grafana.com_tempomonolithics.yaml
Expand Up @@ -9,14 +9,14 @@ spec: # TempoMonolithicSpec defines the desir
otlp: # OTLP defines the ingestion configuration for the OTLP protocol.
grpc: # GRPC defines the OTLP over gRPC configuration.
enabled: true # Enabled defines if OTLP over gRPC is enabled. Default: enabled.
tls: # TLS defines the TLS configuration for OTLP/gRPC ingestion.
tls: # TLS defines the TLS configuration for OTLP/gRPC ingestion. On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` are provided it will use OpenShift serving certificate service.
enabled: false # Enabled defines if TLS is enabled.
caName: "" # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource.
certName: "" # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource.
minVersion: "" # MinVersion defines the minimum acceptable TLS version.
http: # HTTP defines the OTLP over HTTP configuration.
enabled: true # Enabled defines if OTLP over HTTP is enabled. Default: enabled.
tls: # TLS defines the TLS configuration for OTLP/HTTP ingestion.
tls: # TLS defines the TLS configuration for OTLP/HTTP ingestion. On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` are provided it will use OpenShift serving certificate service.
enabled: false # Enabled defines if TLS is enabled.
caName: "" # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource.
certName: "" # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource.
25 changes: 17 additions & 8 deletions internal/manifests/monolithic/build.go
Expand Up @@ -55,6 +55,23 @@ func BuildAll(opts Options) ([]client.Object, error) {
maps.Copy(extraStsAnnotations, annotations)
}

if opts.CtrlConfig.Gates.OpenShift.ServingCertsService {
manifests = append(manifests, manifestutils.NewConfigMapCABundle(
tempo.Namespace,
naming.ServingCABundleName(tempo.Name),
CommonLabels(tempo.Name),
))
if ingestionHTTPTLSEnabled(tempo) && tlsSecretAndBundleEmptyHTTP(tempo) {
tempo.Spec.Ingestion.OTLP.HTTP.TLS.CA = naming.ServingCABundleName(tempo.Name)
tempo.Spec.Ingestion.OTLP.HTTP.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
}

if ingestionGRPCTLSEnabled(tempo) && tlsSecretAndBundleEmptyGRPC(tempo) {
tempo.Spec.Ingestion.OTLP.GRPC.TLS.CA = naming.ServingCABundleName(tempo.Name)
tempo.Spec.Ingestion.OTLP.GRPC.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
}
}

statefulSet, err := BuildTempoStatefulset(opts, extraStsAnnotations)
if err != nil {
return nil, err
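Review bot: the new block rewrites `tempo.Spec.Ingestion.OTLP.HTTP.TLS.CA` / `.Cert` and the gRPC equivalents in place. Whether that is safe depends on whether `tempo` is a value copy of `opts.Tempo` or shares the object the reconciler later writes back; if it shares it, the defaulted Secret/ConfigMap names can end up persisted in the CR and the user's "unset" intent is lost, which also changes the outcome of `tlsSecretAndBundleEmptyHTTP` on the next reconcile. Computing the effective TLS settings into local variables that are handed to `BuildTempoStatefulset` and the config builder avoids the question entirely. Separately, the helper names suggest `tlsSecretAndBundleEmptyHTTP` / `tlsSecretAndBundleEmptyGRPC` only return true when both names are empty; a CR that sets `caName` but not `certName` (or the reverse) then gets neither the serving certificate nor a complete user-provided pair, so that combination should be rejected by validation or at least called out in the field docs.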
Expand All @@ -64,14 +81,6 @@ func BuildAll(opts Options) ([]client.Object, error) {
services := BuildServices(opts)
manifests = append(manifests, services...)

if opts.CtrlConfig.Gates.OpenShift.ServingCertsService {
manifests = append(manifests, manifestutils.NewConfigMapCABundle(
tempo.Namespace,
naming.ServingCABundleName(tempo.Name),
CommonLabels(tempo.Name),
))
}

if tempo.Spec.JaegerUI != nil && tempo.Spec.JaegerUI.Enabled {
if tempo.Spec.JaegerUI.Ingress != nil && tempo.Spec.JaegerUI.Ingress.Enabled {
manifests = append(manifests, BuildJaegerUIIngress(opts))
1 change: 1 addition & 0 deletions internal/manifests/monolithic/configmap.go
Expand Up @@ -237,6 +237,7 @@ func buildTempoConfig(opts Options) ([]byte, error) {
if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled {
receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile,
manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir)

if err != nil {
return nil, err
}
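Review bot: this hunk only inserts a blank line between the `configureReceiverTLS` call and its `if err != nil` check; it is unrelated whitespace noise in a feature commit and separates the error check from the call it belongs to, which Go style keeps adjacent. Drop it.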
14 changes: 11 additions & 3 deletions internal/manifests/monolithic/services.go
Expand Up @@ -29,6 +29,13 @@ func BuildServices(opts Options) []client.Object {
// buildTempoService creates the service for a monolithic deployment.
func buildTempoService(opts Options) *corev1.Service {
tempo := opts.Tempo
annotations := map[string]string{}

if opts.CtrlConfig.Gates.OpenShift.ServingCertsService && ingestionTLSEnabled(tempo) &&
tlsSecretAndBundleEmpty(tempo) {
annotations["service.beta.openshift.io/serving-cert-secret-name"] = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
}

labels := ComponentLabels(manifestutils.TempoMonolithComponentName, tempo.Name)
ports := []corev1.ServicePort{{
Name: manifestutils.HttpPortName,
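Review bot: the annotation is gated on the aggregate `ingestionTLSEnabled(tempo) && tlsSecretAndBundleEmpty(tempo)`, whereas build.go assigns the serving-cert names per protocol via `tlsSecretAndBundleEmptyHTTP` and `tlsSecretAndBundleEmptyGRPC`. Unless the aggregate predicate means exactly "at least one protocol has TLS enabled with no names", the two decisions can disagree: gRPC TLS with empty names plus HTTP TLS with a user-provided `certName` could leave the StatefulSet mounting the Secret named by `naming.ServingCertName(...)` while the Service never carries `service.beta.openshift.io/serving-cert-secret-name`, so the service CA controller never issues it and the pod cannot start. Derive both from one helper. `naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)` is also now spelled out in three places; a single accessor would keep the mounted Secret name and the annotation value from drifting apart.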
Expand Down Expand Up @@ -62,9 +69,10 @@ func buildTempoService(opts Options) *corev1.Service {
Kind: "Service",
},
ObjectMeta: metav1.ObjectMeta{
Name: naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name),
Namespace: tempo.Namespace,
Labels: labels,
Name: naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name),
Namespace: tempo.Namespace,
Labels: labels,
Annotations: annotations,
},
Spec: corev1.ServiceSpec{
Ports: ports,