diff --git a/.chloggen/tls_cert_serv_mono.yaml b/.chloggen/tls_cert_serv_mono.yaml new file mode 100755 index 000000000..04d077219 --- /dev/null +++ b/.chloggen/tls_cert_serv_mono.yaml @@ -0,0 +1,41 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: enhancement + +# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action) +component: tempomonolithic + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Use TLS via OpenShift service annotation when gateway/multitenancy is disabled (monolithic) + +# One or more tracking issues related to the change +issues: [963] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: | + On OpenShift when operator config `servingCertsService` is enabled and the following TempoMonolithic CR is used. + The operator provisions OpenShift serving certificates for the distributor ingest APIs + + ``` + apiVersion: tempo.grafana.com/v1alpha1 + kind: TempoMonolithic + spec: + ingestion: + otlp: + grpc: + tls: + enabled: true + ``` + or + ``` + apiVersion: tempo.grafana.com/v1alpha1 + kind: TempoMonolithic + spec: + ingestion: + otlp: + http: + tls: + enabled: true + ``` + No `certName` and `caName` should be provided, If you specify it, those will be used instead. diff --git a/apis/tempo/v1alpha1/tempomonolithic_types.go b/apis/tempo/v1alpha1/tempomonolithic_types.go index 37e97a99a..1d56c4400 100644 --- a/apis/tempo/v1alpha1/tempomonolithic_types.go +++ b/apis/tempo/v1alpha1/tempomonolithic_types.go 
@@ -190,6 +190,9 @@ type MonolithicIngestionOTLPProtocolsGRPCSpec struct { // TLS defines the TLS configuration for OTLP/gRPC ingestion. // + // On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + // are provided it will use OpenShift serving certificate service. + // // +kubebuilder:validation:Optional // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS" TLS *TLSSpec `json:"tls,omitempty"` @@ -207,6 +210,9 @@ type MonolithicIngestionOTLPProtocolsHTTPSpec struct { // TLS defines the TLS configuration for OTLP/HTTP ingestion. // + // On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + // are provided it will use OpenShift serving certificate service. + // // +kubebuilder:validation:Optional // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS" TLS *TLSSpec `json:"tls,omitempty"` diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml index b3719295c..13fa3df57 100644 --- a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml +++ b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml @@ -74,7 +74,7 @@ metadata: capabilities: Deep Insights categories: Logging & Tracing,Monitoring containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1 - createdAt: "2024-07-09T01:46:53Z" + createdAt: "2024-07-10T03:57:59Z" description: Create and manage deployments of Tempo, a high-scale distributed tracing backend. operatorframework.io/cluster-monitoring: "true" 
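Review bot: The added sentence on both `TLS` fields reads as if the absence of either name triggers the serving-certificate path, but the implementation in util.go (`tlsSecretAndBundleEmptyGRPC`/`tlsSecretAndBundleEmptyHTTP`) requires both `certName` and `caName` to be empty; a spec with only one of them set keeps that one value and gets no serving certificate, which is the misconfiguration a user is most likely to hit. The grammar is also off ("when operator config ... and TLS is enabled ... it will use"). Suggest tightening both comments to something like `// On OpenShift, when the operator feature gate servingCertsService is enabled and TLS is enabled, leaving both certName and caName empty makes the operator provision an OpenShift serving certificate and CA bundle; if either is set, the user-supplied values are used as is.` The same text is then regenerated into the CRD, CSV and docs manifests below.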
@@ -249,7 +249,10 @@ spec: - description: GRPC defines the OTLP over gRPC configuration. displayName: gRPC path: ingestion.otlp.grpc - - description: TLS defines the TLS configuration for OTLP/gRPC ingestion. + - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.grpc.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). @@ -271,7 +274,10 @@ spec: - description: HTTP defines the OTLP over HTTP configuration. displayName: HTTP path: ingestion.otlp.http - - description: TLS defines the TLS configuration for OTLP/HTTP ingestion. + - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.http.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). diff --git a/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml index 0c354d2b6..ae585d652 100644 --- a/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml +++ b/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml @@ -963,8 +963,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/gRPC - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/gRPC ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- 
@@ -997,8 +1001,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/HTTP - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/HTTP ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml index bda350c9b..7962f2949 100644 --- a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml +++ b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml @@ -74,7 +74,7 @@ metadata: capabilities: Deep Insights categories: Logging & Tracing,Monitoring containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1 - createdAt: "2024-07-09T01:46:51Z" + createdAt: "2024-07-10T03:57:57Z" description: Create and manage deployments of Tempo, a high-scale distributed tracing backend. operatorframework.io/cluster-monitoring: "true" @@ -249,7 +249,10 @@ spec: - description: GRPC defines the OTLP over gRPC configuration. displayName: gRPC path: ingestion.otlp.grpc - - description: TLS defines the TLS configuration for OTLP/gRPC ingestion. + - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.grpc.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). 
@@ -271,7 +274,10 @@ spec: - description: HTTP defines the OTLP over HTTP configuration. displayName: HTTP path: ingestion.otlp.http - - description: TLS defines the TLS configuration for OTLP/HTTP ingestion. + - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.http.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml index 0c354d2b6..ae585d652 100644 --- a/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml +++ b/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml @@ -963,8 +963,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/gRPC - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/gRPC ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- @@ -997,8 +1001,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/HTTP - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/HTTP ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- diff --git a/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml b/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml index 20309c969..4d28c00ea 100644 
--- a/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml +++ b/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml @@ -959,8 +959,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/gRPC - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/gRPC ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- @@ -993,8 +997,12 @@ spec: Default: enabled. type: boolean tls: - description: TLS defines the TLS configuration for OTLP/HTTP - ingestion. + description: |- + TLS defines the TLS configuration for OTLP/HTTP ingestion. + + + On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` + are provided it will use OpenShift serving certificate service. properties: caName: description: |- diff --git a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml index e9ef9757b..ed3f43965 100644 --- a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml +++ b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml @@ -178,7 +178,10 @@ spec: - description: GRPC defines the OTLP over gRPC configuration. displayName: gRPC path: ingestion.otlp.grpc - - description: TLS defines the TLS configuration for OTLP/gRPC ingestion. + - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.grpc.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). 
@@ -200,7 +203,10 @@ spec: - description: HTTP defines the OTLP over HTTP configuration. displayName: HTTP path: ingestion.otlp.http - - description: TLS defines the TLS configuration for OTLP/HTTP ingestion. + - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.http.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). diff --git a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml index fdbf1208f..df531fa4c 100644 --- a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml +++ b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml @@ -178,7 +178,10 @@ spec: - description: GRPC defines the OTLP over gRPC configuration. displayName: gRPC path: ingestion.otlp.grpc - - description: TLS defines the TLS configuration for OTLP/gRPC ingestion. + - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.grpc.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). 
@@ -200,7 +203,10 @@ spec: - description: HTTP defines the OTLP over HTTP configuration. displayName: HTTP path: ingestion.otlp.http - - description: TLS defines the TLS configuration for OTLP/HTTP ingestion. + - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n + On OpenShift when operator config `servingCertsService` and TLS is enabled + \ but no `certName` and `caName` are provided it will use OpenShift serving + certificate service." displayName: TLS path: ingestion.otlp.http.tls - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). diff --git a/docs/spec/tempo.grafana.com_tempomonolithics.yaml b/docs/spec/tempo.grafana.com_tempomonolithics.yaml index 95992f7eb..3ab1b69a4 100644 --- a/docs/spec/tempo.grafana.com_tempomonolithics.yaml +++ b/docs/spec/tempo.grafana.com_tempomonolithics.yaml 
@@ -9,14 +9,14 @@ spec: # TempoMonolithicSpec defines the desir otlp: # OTLP defines the ingestion configuration for the OTLP protocol. grpc: # GRPC defines the OTLP over gRPC configuration. enabled: true # Enabled defines if OTLP over gRPC is enabled. Default: enabled. - tls: # TLS defines the TLS configuration for OTLP/gRPC ingestion. + tls: # TLS defines the TLS configuration for OTLP/gRPC ingestion. On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` are provided it will use OpenShift serving certificate service. enabled: false # Enabled defines if TLS is enabled. caName: "" # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource. certName: "" # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource. minVersion: "" # MinVersion defines the minimum acceptable TLS version. http: # HTTP defines the OTLP over HTTP configuration. enabled: true # Enabled defines if OTLP over HTTP is enabled. Default: enabled. - tls: # TLS defines the TLS configuration for OTLP/HTTP ingestion. + tls: # TLS defines the TLS configuration for OTLP/HTTP ingestion. On OpenShift when operator config `servingCertsService` and TLS is enabled but no `certName` and `caName` are provided it will use OpenShift serving certificate service. enabled: false # Enabled defines if TLS is enabled. caName: "" # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource. certName: "" # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource. diff --git a/internal/manifests/monolithic/build.go b/internal/manifests/monolithic/build.go index 247133b5d..32c63c3db 100644 
--- a/internal/manifests/monolithic/build.go +++ b/internal/manifests/monolithic/build.go @@ -55,6 +55,23 @@ func BuildAll(opts Options) ([]client.Object, error) { maps.Copy(extraStsAnnotations, annotations) } + if opts.CtrlConfig.Gates.OpenShift.ServingCertsService { + manifests = append(manifests, manifestutils.NewConfigMapCABundle( + tempo.Namespace, + naming.ServingCABundleName(tempo.Name), + CommonLabels(tempo.Name), + )) + if ingestionHTTPTLSEnabled(tempo) && tlsSecretAndBundleEmptyHTTP(tempo) { + tempo.Spec.Ingestion.OTLP.HTTP.TLS.CA = naming.ServingCABundleName(tempo.Name) + tempo.Spec.Ingestion.OTLP.HTTP.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name) + } + + if ingestionGRPCTLSEnabled(tempo) && tlsSecretAndBundleEmptyGRPC(tempo) { + tempo.Spec.Ingestion.OTLP.GRPC.TLS.CA = naming.ServingCABundleName(tempo.Name) + tempo.Spec.Ingestion.OTLP.GRPC.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name) + } + } + statefulSet, err := BuildTempoStatefulset(opts, extraStsAnnotations) if err != nil { return nil, err @@ -64,14 +81,6 @@ func BuildAll(opts Options) ([]client.Object, error) { services := BuildServices(opts) manifests = append(manifests, services...) - if opts.CtrlConfig.Gates.OpenShift.ServingCertsService { - manifests = append(manifests, manifestutils.NewConfigMapCABundle( - tempo.Namespace, - naming.ServingCABundleName(tempo.Name), - CommonLabels(tempo.Name), - )) - } - if tempo.Spec.JaegerUI != nil && tempo.Spec.JaegerUI.Enabled { if tempo.Spec.JaegerUI.Ingress != nil && tempo.Spec.JaegerUI.Ingress.Enabled { manifests = append(manifests, BuildJaegerUIIngress(opts)) diff --git a/internal/manifests/monolithic/configmap.go b/internal/manifests/monolithic/configmap.go index 83fe0ec5d..ba3552095 100644 --- a/internal/manifests/monolithic/configmap.go +++ b/internal/manifests/monolithic/configmap.go 
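Review bot: The new block assigns the serving-cert names into `tempo.Spec.Ingestion.OTLP.{HTTP,GRPC}.TLS.CA/Cert` before `BuildServices(opts)` runs, while `buildTempoService` (services.go hunk) only adds the `service.beta.openshift.io/serving-cert-secret-name` annotation when `tlsSecretAndBundleEmpty(tempo)` is true. Because `Ingestion`, `OTLP`, `GRPC`/`HTTP` and `TLS` are all pointers, that write is visible through `opts.Tempo` as well unless `tempo` is a deep copy (its declaration is outside the hunk), so by the time the Service is built both names are non-empty, the annotation is skipped, and OpenShift never mints the Secret the StatefulSet is about to mount. Either build the Service before this block or, preferably, stop mutating the reconciled CR spec and compute the effective cert/CA names once (e.g. a small `effectiveIngestionTLS(opts)` helper) that the StatefulSet, ConfigMap and Service builders all read; mutating the spec in a manifest builder also risks the defaults being written back to the CR on a later update. BuildAll's body starts before and ends after these hunks.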
@@ -237,6 +237,7 @@ func buildTempoConfig(opts Options) ([]byte, error) { if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled { receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile, manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir) + if err != nil { return nil, err } diff --git a/internal/manifests/monolithic/services.go b/internal/manifests/monolithic/services.go index 075a07364..a564e4d60 100644 --- a/internal/manifests/monolithic/services.go +++ b/internal/manifests/monolithic/services.go @@ -29,6 +29,13 @@ func BuildServices(opts Options) []client.Object { // buildTempoService creates the service for a monolithic deployment. func buildTempoService(opts Options) *corev1.Service { tempo := opts.Tempo + annotations := map[string]string{} + + if opts.CtrlConfig.Gates.OpenShift.ServingCertsService && ingestionTLSEnabled(tempo) && + tlsSecretAndBundleEmpty(tempo) { + annotations["service.beta.openshift.io/serving-cert-secret-name"] = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name) + } + labels := ComponentLabels(manifestutils.TempoMonolithComponentName, tempo.Name) ports := []corev1.ServicePort{{ Name: manifestutils.HttpPortName, @@ -62,9 +69,10 @@ func buildTempoService(opts Options) *corev1.Service { Kind: "Service", }, ObjectMeta: metav1.ObjectMeta{ - Name: naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name), - Namespace: tempo.Namespace, - Labels: labels, + Name: naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name), + Namespace: tempo.Namespace, + Labels: labels, + Annotations: annotations, }, Spec: corev1.ServiceSpec{ Ports: ports, diff --git a/internal/manifests/monolithic/services_test.go b/internal/manifests/monolithic/services_test.go index 30f7f28ac..ee1c9a28e 100644 --- a/internal/manifests/monolithic/services_test.go +++ b/internal/manifests/monolithic/services_test.go 
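Review bot: In services.go the annotation guard `ingestionTLSEnabled(tempo) && tlsSecretAndBundleEmpty(tempo)` evaluates the two predicates across protocols independently, whereas build.go pairs them per protocol (`ingestionHTTPTLSEnabled && tlsSecretAndBundleEmptyHTTP`, and likewise for gRPC). With gRPC TLS enabled using a user-supplied cert and CA and an HTTP TLS block that is present but disabled and empty, the Service still gets `service.beta.openshift.io/serving-cert-secret-name` and OpenShift issues a Secret nothing mounts. Aligning the guard to `(ingestionGRPCTLSEnabled(tempo) && tlsSecretAndBundleEmptyGRPC(tempo)) || (ingestionHTTPTLSEnabled(tempo) && tlsSecretAndBundleEmptyHTTP(tempo))` keeps the two builders in agreement; if the repository already defines a constant for this annotation key, reuse it instead of the literal. buildTempoService's body continues past the hunk.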
@@ -45,9 +45,10 @@ func TestBuildServices(t *testing.T) { Kind: "Service", }, ObjectMeta: metav1.ObjectMeta{ - Name: "tempo-sample", - Namespace: "default", - Labels: ComponentLabels("tempo", "sample"), + Name: "tempo-sample", + Namespace: "default", + Labels: ComponentLabels("tempo", "sample"), + Annotations: map[string]string{}, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{{ @@ -79,9 +80,10 @@ func TestBuildServices(t *testing.T) { Kind: "Service", }, ObjectMeta: metav1.ObjectMeta{ - Name: "tempo-sample", - Namespace: "default", - Labels: ComponentLabels("tempo", "sample"), + Name: "tempo-sample", + Namespace: "default", + Labels: ComponentLabels("tempo", "sample"), + Annotations: map[string]string{}, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ @@ -121,9 +123,10 @@ func TestBuildServices(t *testing.T) { Kind: "Service", }, ObjectMeta: metav1.ObjectMeta{ - Name: "tempo-sample", - Namespace: "default", - Labels: ComponentLabels("tempo", "sample"), + Name: "tempo-sample", + Namespace: "default", + Labels: ComponentLabels("tempo", "sample"), + Annotations: map[string]string{}, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ @@ -159,9 +162,10 @@ func TestBuildServices(t *testing.T) { Kind: "Service", }, ObjectMeta: metav1.ObjectMeta{ - Name: "tempo-sample", - Namespace: "default", - Labels: ComponentLabels("tempo", "sample"), + Name: "tempo-sample", + Namespace: "default", + Labels: ComponentLabels("tempo", "sample"), + Annotations: map[string]string{}, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ diff --git a/internal/manifests/monolithic/util.go b/internal/manifests/monolithic/util.go new file mode 100644 index 000000000..5478a318e --- /dev/null +++ b/internal/manifests/monolithic/util.go 
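Review bot: All four expectations now carry `Annotations: map[string]string{}`, but no case enables `CtrlConfig.Gates.OpenShift.ServingCertsService` together with TLS enabled and empty `certName`/`caName`, so the new annotation path in `buildTempoService` has no unit coverage. A fifth case asserting `Annotations: map[string]string{"service.beta.openshift.io/serving-cert-secret-name": naming.ServingCertName("tempo", "sample")}` would pin the positive path, and one with the gate on but TLS disabled (or a cert name set) would pin that the annotation stays absent. TestBuildServices starts and ends outside these hunks.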
@@ -0,0 +1,43 @@ +package monolithic + +import "github.com/grafana/tempo-operator/apis/tempo/v1alpha1" + +func ingestionTLSEnabled(tempo v1alpha1.TempoMonolithic) bool { + return ingestionGRPCTLSEnabled(tempo) || ingestionHTTPTLSEnabled(tempo) +} + +func tlsSecretAndBundleEmpty(tempo v1alpha1.TempoMonolithic) bool { + return tlsSecretAndBundleEmptyGRPC(tempo) || tlsSecretAndBundleEmptyHTTP(tempo) + +} +func tlsSecretAndBundleEmptyGRPC(tempo v1alpha1.TempoMonolithic) bool { + if tempo.Spec.Ingestion != nil && tempo.Spec.Ingestion.OTLP != nil && + tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.TLS != nil { + return tempo.Spec.Ingestion.OTLP.GRPC.TLS.Cert == "" && tempo.Spec.Ingestion.OTLP.GRPC.TLS.CA == "" + } + return false +} + +func tlsSecretAndBundleEmptyHTTP(tempo v1alpha1.TempoMonolithic) bool { + if tempo.Spec.Ingestion != nil && tempo.Spec.Ingestion.OTLP != nil && + tempo.Spec.Ingestion.OTLP.HTTP != nil && tempo.Spec.Ingestion.OTLP.HTTP.TLS != nil { + return tempo.Spec.Ingestion.OTLP.HTTP.TLS.Cert == "" && tempo.Spec.Ingestion.OTLP.HTTP.TLS.CA == "" + } + return false +} + +func ingestionGRPCTLSEnabled(tempo v1alpha1.TempoMonolithic) bool { + if tempo.Spec.Ingestion != nil && tempo.Spec.Ingestion.OTLP != nil && + tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.TLS != nil { + return tempo.Spec.Ingestion.OTLP.GRPC.TLS.Enabled + } + return false +} + +func ingestionHTTPTLSEnabled(tempo v1alpha1.TempoMonolithic) bool { + if tempo.Spec.Ingestion != nil && tempo.Spec.Ingestion.OTLP != nil && + tempo.Spec.Ingestion.OTLP.HTTP != nil && tempo.Spec.Ingestion.OTLP.HTTP.TLS != nil { + return tempo.Spec.Ingestion.OTLP.HTTP.TLS.Enabled + } + return false +} diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/00-assert.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/00-assert.yaml new file mode 100644 index 000000000..dbc975a38 --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/00-assert.yaml 
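Review bot: The four predicates repeat the same four-level nil chain on `tempo.Spec.Ingestion.OTLP.{GRPC,HTTP}.TLS`, and none of the five helpers has a doc comment, so the rule that serving certificates apply only when both `Cert` and `CA` are empty (a partially filled block is left as is) is stated nowhere in code. A small accessor returning the two `*v1alpha1.TLSSpec` pointers collapses each predicate to one line and gives the "both empty" rule a single home, as sketched below. Despite its name, `tlsSecretAndBundleEmpty` is an OR over the protocols and is true when either protocol has an empty TLS block even if that protocol has TLS disabled; that deserves a comment on the function. Two formatting nits: the stray blank line before its closing brace, and the missing blank line between it and `tlsSecretAndBundleEmptyGRPC`.
```go
// … unchanged: package clause and import …

// otlpTLS returns the OTLP gRPC and HTTP TLS specs from the CR, or nil for a
// protocol whose section (or TLS block) is absent.
func otlpTLS(tempo v1alpha1.TempoMonolithic) (grpcTLS, httpTLS *v1alpha1.TLSSpec) {
	if tempo.Spec.Ingestion == nil || tempo.Spec.Ingestion.OTLP == nil {
		return nil, nil
	}
	if g := tempo.Spec.Ingestion.OTLP.GRPC; g != nil {
		grpcTLS = g.TLS
	}
	if h := tempo.Spec.Ingestion.OTLP.HTTP; h != nil {
		httpTLS = h.TLS
	}
	return grpcTLS, httpTLS
}

// servingCertApplies reports whether the serving-certs path applies to one
// protocol: a TLS block exists and the user supplied neither a certificate
// Secret nor a CA ConfigMap. A block with only one of them set is left alone.
func servingCertApplies(tls *v1alpha1.TLSSpec) bool {
	return tls != nil && tls.Cert == "" && tls.CA == ""
}

// tlsSecretAndBundleEmptyGRPC reports whether OTLP/gRPC has a TLS block with
// both certName and caName empty.
func tlsSecretAndBundleEmptyGRPC(tempo v1alpha1.TempoMonolithic) bool {
	grpcTLS, _ := otlpTLS(tempo)
	return servingCertApplies(grpcTLS)
}

// … unchanged in shape: tlsSecretAndBundleEmptyHTTP, ingestionGRPCTLSEnabled and
// ingestionHTTPTLSEnabled follow the same pattern via otlpTLS …
```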
@@ -0,0 +1,7 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio + namespace: chainsaw-tls-mono-st +status: + readyReplicas: 1 diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/00-install-storage.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/00-install-storage.yaml new file mode 100644 index 000000000..5ac1ff30f --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/00-install-storage.yaml @@ -0,0 +1,85 @@ +# The namespace is auto-deleted by chainsaw after the test run. +apiVersion: v1 +kind: Namespace +metadata: + name: chainsaw-tls-mono-st +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/name: minio + name: minio + namespace: chainsaw-tls-mono-st +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio + namespace: chainsaw-tls-mono-st +spec: + selector: + matchLabels: + app.kubernetes.io/name: minio + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: minio + spec: + containers: + - command: + - /bin/sh + - -c + - | + mkdir -p /storage/tempo && \ + minio server /storage + env: + - name: MINIO_ACCESS_KEY + value: tempo + - name: MINIO_SECRET_KEY + value: supersecret + image: minio/minio + name: minio + ports: + - containerPort: 9000 + volumeMounts: + - mountPath: /storage + name: storage + volumes: + - name: storage + persistentVolumeClaim: + claimName: minio +--- +apiVersion: v1 +kind: Service +metadata: + name: minio + namespace: chainsaw-tls-mono-st +spec: + ports: + - port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app.kubernetes.io/name: minio + type: ClusterIP +--- +apiVersion: v1 +kind: Secret +metadata: + name: minio + namespace: chainsaw-tls-mono-st +stringData: + endpoint: http://minio:9000 + bucket: tempo + access_key_id: tempo + access_key_secret: supersecret +type: Opaque 
diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/01-assert.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/01-assert.yaml new file mode 100644 index 000000000..268f5564f --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/01-assert.yaml 
@@ -0,0 +1,121 @@ +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: monolithic-cert + namespace: chainsaw-tls-mono-st +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + name: tempo-monolithic-st + namespace: chainsaw-tls-mono-st +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + template: + metadata: + labels: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + spec: + containers: + - name: tempo + - name: tempo-query +status: + availableReplicas: 1 + currentReplicas: 1 + readyReplicas: 1 + replicas: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + namespace: chainsaw-tls-mono-st +status: + containerStatuses: + - name: tempo + ready: true + started: true + - name: tempo-query + ready: true + started: true + phase: Running +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: mono-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + name: tempo-monolithic-cert + namespace: chainsaw-tls-mono-st +spec: + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 3200 + protocol: TCP + targetPort: http + - name: otlp-grpc + port: 4317 + protocol: TCP + targetPort: otlp-grpc + - name: otlp-http + port: 4318 + protocol: TCP + targetPort: otlp-http + selector: + 
app.kubernetes.io/component: tempo + app.kubernetes.io/instance: mono-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: jaegerui + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic + name: mono-cert-jaegerui + namespace: chainsaw-tls-mono-st +spec: + ipFamilyPolicy: SingleStack + ports: + - name: jaeger-grpc + port: 16685 + protocol: TCP + targetPort: jaeger-grpc + - name: jaeger-ui + port: 16686 + protocol: TCP + targetPort: jaeger-ui + - name: jaeger-metrics + port: 16687 + protocol: TCP + targetPort: jaeger-metrics + selector: + app.kubernetes.io/component: tempo + app.kubernetes.io/instance: monolithic-cert + app.kubernetes.io/managed-by: tempo-operator + app.kubernetes.io/name: tempo-monolithic diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/01-install-tempo.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/01-install-tempo.yaml new file mode 100644 index 000000000..e8f0e5dd9 --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/01-install-tempo.yaml @@ -0,0 +1,16 @@ +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: mono-cert + namespace: chainsaw-tls-mono-st +spec: + jaegerui: + enabled: true + ingestion: + otlp: + grpc: + tls: + enabled: true + http: + tls: + enabled: true \ No newline at end of file diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/02-assert.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/02-assert.yaml new file mode 100644 index 000000000..393cf1657 --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/02-assert.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dev-collector + namespace: chainsaw-tls-mono-st +status: + readyReplicas: 1 
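Review bot: The object names in 01-assert.yaml do not match the CR created by 01-install-tempo.yaml (`name: mono-cert`): the first document waits for a TempoMonolithic called `monolithic-cert`, the StatefulSet is `tempo-monolithic-st` with instance label `monolithic-cert`, the ingest Service is `tempo-monolithic-cert` with instance label `mono-cert`, and the Jaeger UI Service is `mono-cert-jaegerui` with instance label `monolithic-cert`, so the step cannot pass. Going by `naming.Name("tempo", "sample")` yielding `tempo-sample` in services_test.go, the resources for `mono-cert` would presumably be `tempo-mono-cert` and `mono-cert-jaegerui` with `app.kubernetes.io/instance: mono-cert` throughout; please align them and run the test on a cluster before merging. Since this test exists to exercise the serving-cert path, the ingest Service document should also assert the `service.beta.openshift.io/serving-cert-secret-name` annotation, and further documents should assert that the resulting Secret and the CA-bundle ConfigMap exist, otherwise a regression to the old behaviour would go unnoticed.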
diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/02-install-otelcol.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/02-install-otelcol.yaml new file mode 100644 index 000000000..087e9f6e5 --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/02-install-otelcol.yaml @@ -0,0 +1,39 @@ +# based on config/samples/otelcol_v1alpha1_openshift.yaml +apiVersion: opentelemetry.io/v1alpha1 +kind: OpenTelemetryCollector +metadata: + name: dev + namespace: chainsaw-tls-monolithic-singletenant +spec: + config: | + receivers: + otlp/grpc: + protocols: + grpc: + otlp/http: + protocols: + http: + exporters: + otlp: + endpoint: tempo-monolithic-cert.chainsaw-tls-monolithic-singletenant.svc.cluster.local:4317 + tls: + insecure: false + ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" + otlphttp: + endpoint: https://tempo-monolithic-cert.chainsaw-tls-monolithic-singletenant.svc.cluster.local:4318 + tls: + insecure: false + ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" + service: + telemetry: + logs: + level: "DEBUG" + development: true + encoding: "json" + pipelines: + traces/grpc: + receivers: [otlp/grpc] + exporters: [otlp] + traces/http: + receivers: [otlp/http] + exporters: [otlphttp] diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/03-assert.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/03-assert.yaml new file mode 100644 index 000000000..14d0c8daf --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/03-assert.yaml @@ -0,0 +1,19 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-grpc + namespace: tls-monolithic-singletenant +status: + conditions: + - status: "True" + type: Complete +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-http + namespace: tls-monolithic-singletenant +status: + conditions: + - status: "True" + type: Complete 
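Review bot: The namespaces in this and the following steps disagree with the one created in 00-install-storage.yaml (`chainsaw-tls-mono-st`): 02-install-otelcol.yaml deploys into `chainsaw-tls-monolithic-singletenant` and targets `tempo-monolithic-cert.chainsaw-tls-monolithic-singletenant.svc.cluster.local`, while 03-assert.yaml, 03-generate-traces.yaml, 04-assert.yaml and 04-verify-traces.yaml use `tls-monolithic-singletenant`. None of those namespaces exist at that point, so the collector and jobs are not created where the asserts look, and the exporter endpoint would not resolve even if they were. Use `chainsaw-tls-mono-st` everywhere and point both exporters at the Service the operator actually produces for the `mono-cert` CR; keep `insecure: false` with the `ca_file` on both exporters, as that is the part of the test that verifies the serving-certificate chain.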
diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/03-generate-traces.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/03-generate-traces.yaml new file mode 100644 index 000000000..63cce4acb --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/03-generate-traces.yaml @@ -0,0 +1,38 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-grpc + namespace: tls-monolithic-singletenant +spec: + template: + spec: + containers: + - name: telemetrygen + image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0 + args: + - traces + - --otlp-endpoint=dev-collector:4317 + - --service=grpc + - --otlp-insecure + - --traces=10 + restartPolicy: Never +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-http + namespace: tls-monolithic-singletenant +spec: + template: + spec: + containers: + - name: telemetrygen + image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0 + args: + - traces + - --otlp-endpoint=dev-collector:4318 + - --otlp-http + - --otlp-insecure + - --service=http + - --traces=10 + restartPolicy: Never diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/04-assert.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/04-assert.yaml new file mode 100644 index 000000000..5a77fd2cf --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/04-assert.yaml @@ -0,0 +1,19 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: verify-traces-grpc + namespace: tls-monolithic-singletenant +status: + conditions: + - status: "True" + type: Complete +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: verify-traces-http + namespace: tls-monolithic-singletenant +status: + conditions: + - status: "True" + type: Complete diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/04-verify-traces.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/04-verify-traces.yaml new file mode 100644 index 000000000..fa7b58ac3 --- /dev/null 
+++ b/tests/e2e-openshift/tls-monolithic-singletenant/04-verify-traces.yaml @@ -0,0 +1,49 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: verify-traces-grpc + namespace: tls-monolithic-singletenant +spec: + template: + spec: + containers: + - name: verify-traces + image: ghcr.io/grafana/tempo-operator/test-utils:main + command: + - /bin/bash + - -eux + - -c + args: + - | + curl -v -G http://tempo-simplest-query-frontend:16686/api/traces --data-urlencode "service=grpc" | tee /tmp/jaeger.out + num_traces=$(jq ".data | length" /tmp/jaeger.out) + if [[ "$num_traces" -ne 10 ]]; then + echo && echo "The Jaeger API returned $num_traces instead of 10 traces." + exit 1 + fi + restartPolicy: Never +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: verify-traces-http + namespace: tls-monolithic-singletenant +spec: + template: + spec: + containers: + - name: verify-traces + image: ghcr.io/grafana/tempo-operator/test-utils:main + command: + - /bin/bash + - -eux + - -c + args: + - | + curl -v -G http://tempo-simplest-query-frontend:16686/api/traces --data-urlencode "service=http" | tee /tmp/jaeger.out + num_traces=$(jq ".data | length" /tmp/jaeger.out) + if [[ "$num_traces" -ne 10 ]]; then + echo && echo "The Jaeger API returned $num_traces instead of 10 traces." + exit 1 + fi + restartPolicy: Never diff --git a/tests/e2e-openshift/tls-monolithic-singletenant/chainsaw-test.yaml b/tests/e2e-openshift/tls-monolithic-singletenant/chainsaw-test.yaml new file mode 100755 index 000000000..20c34e171 --- /dev/null +++ b/tests/e2e-openshift/tls-monolithic-singletenant/chainsaw-test.yaml 
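Review bot: Both verify jobs query `http://tempo-simplest-query-frontend:16686/api/traces`, which is the query-frontend Service of a TempoStack named `simplest`; this test deploys a TempoMonolithic, whose Jaeger UI is served by the `<name>-jaegerui` Service (see 01-assert.yaml), so the curl cannot resolve and the jobs never complete. Point it at the Jaeger UI Service of the `mono-cert` CR on port 16686. Also change the shell flags to `- -euxo pipefail`, since with `curl ... | tee` alone a failed curl is masked by tee's exit status and the check falls through to jq on an empty file.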
@@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: tls-singletenant +spec: + steps: + - name: step-00 + try: + - apply: + file: 00-install-storage.yaml + - assert: + file: 00-assert.yaml + - name: step-01 + try: + - apply: + file: 01-install-tempo.yaml + - assert: + file: 01-assert.yaml + - name: step-02 + try: + - apply: + file: 02-install-otelcol.yaml + - assert: + file: 02-assert.yaml + - name: step-03 + try: + - apply: + file: 03-generate-traces.yaml + - assert: + file: 03-assert.yaml + - name: step-04 + try: + - apply: + file: 04-verify-traces.yaml + - assert: + file: 04-assert.yaml