Allow otlp grpc and http to be enabled with TLS (#977)

Signed-off-by: Ruben Vargas <[email protected]>
grafana · Jul 12, 2024 · 89d1bb7 · 89d1bb7
1 parent 75de22c
commit 89d1bb7
Show file tree

Hide file tree

Showing 16 changed files with 626 additions and 31 deletions.
diff --git a/.chloggen/fix_tls_monolithic_both_enabled.yaml b/.chloggen/fix_tls_monolithic_both_enabled.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow create a monolithic with tls enabled on both grpc/http
+
+# One or more tracking issues related to the change
+issues: [976]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/internal/manifests/manifestutils/paths.go b/internal/manifests/manifestutils/paths.go
@@ -14,6 +14,16 @@ const (
 	// ReceiverTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
 	ReceiverTLSCertDir = TLSDir + "/receiver"
 
+	// ReceiverGRPCTLSCADir is the path that is mounted from the configmap for TLS for receiver.
+	ReceiverGRPCTLSCADir = "/var/run/ca-receiver/grpc"
+	// ReceiverGRPCTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
+	ReceiverGRPCTLSCertDir = TLSDir + "/receiver/grpc"
+
+	// ReceiverHTTPTLSCADir is the path that is mounted from the configmap for TLS for receiver.
+	ReceiverHTTPTLSCADir = "/var/run/ca-receiver/http"
+	// ReceiverHTTPTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
+	ReceiverHTTPTLSCertDir = TLSDir + "/receiver/http"
+
 	// StorageTLSCADir contains the CA file for accessing object storage.
 	StorageTLSCADir = TLSDir + "/storage/ca"
 	// StorageTLSCertDir contains the certificate and key file for accessing object storage.

diff --git a/internal/manifests/manifestutils/tls.go b/internal/manifests/manifestutils/tls.go
@@ -27,16 +27,19 @@ func MountCAConfigMap(
 		MountPath: caDir,
 		ReadOnly:  true,
 	})
-	pod.Volumes = append(pod.Volumes, corev1.Volume{
-		Name: caConfigMap,
-		VolumeSource: corev1.VolumeSource{
-			ConfigMap: &corev1.ConfigMapVolumeSource{
-				LocalObjectReference: corev1.LocalObjectReference{
-					Name: caConfigMap,
+
+	if !containsVolume(pod, caConfigMap) {
+		pod.Volumes = append(pod.Volumes, corev1.Volume{
+			Name: caConfigMap,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: caConfigMap,
+					},
 				},
 			},
-		},
-	})
+		})
+	}
 
 	return nil
 }
@@ -58,14 +61,17 @@ func MountCertSecret(
 		MountPath: certDir,
 		ReadOnly:  true,
 	})
-	pod.Volumes = append(pod.Volumes, corev1.Volume{
-		Name: certSecret,
-		VolumeSource: corev1.VolumeSource{
-			Secret: &corev1.SecretVolumeSource{
-				SecretName: certSecret,
+
+	if !containsVolume(pod, certSecret) {
+		pod.Volumes = append(pod.Volumes, corev1.Volume{
+			Name: certSecret,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: certSecret,
+				},
 			},
-		},
-	})
+		})
+	}
 
 	return nil
 }
@@ -117,3 +123,13 @@ func findContainerIndex(pod *corev1.PodSpec, containerName string) (int, error)
 
 	return -1, fmt.Errorf("cannot find container %s", containerName)
 }
+
+func containsVolume(pod *corev1.PodSpec, volumeName string) bool {
+	for _, volume := range pod.Volumes {
+		if volume.Name == volumeName {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/internal/manifests/monolithic/configmap.go b/internal/manifests/monolithic/configmap.go
@@ -139,15 +139,15 @@ func BuildConfigMap(opts Options) (*corev1.ConfigMap, map[string]string, error)
 	return configMap, extraAnnotations, nil
 }
 
-func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions) (tempoReceiverTLSConfig, error) {
+func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions, caCertDir, certDir string) (tempoReceiverTLSConfig, error) {
 	tlsCfg := tempoReceiverTLSConfig{}
 	if tlsSpec != nil && tlsSpec.Enabled {
 		if tlsSpec.Cert != "" {
-			tlsCfg.CertFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSCertFilename)
-			tlsCfg.KeyFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSKeyFilename)
+			tlsCfg.CertFile = path.Join(certDir, manifestutils.TLSCertFilename)
+			tlsCfg.KeyFile = path.Join(certDir, manifestutils.TLSKeyFilename)
 		}
 		if tlsSpec.CA != "" {
-			tlsCfg.CAFile = path.Join(manifestutils.ReceiverTLSCADir, manifestutils.TLSCAFilename)
+			tlsCfg.CAFile = path.Join(caCertDir, manifestutils.TLSCAFilename)
 		}
 		if tlsSpec.MinVersion != "" {
 			tlsCfg.MinVersion = tlsSpec.MinVersion
@@ -230,7 +230,8 @@ func buildTempoConfig(opts Options) ([]byte, error) {
 	if tempo.Spec.Ingestion != nil {
 		if tempo.Spec.Ingestion.OTLP != nil {
 			if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled {
-				receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile)
+				receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile,
+					manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir)
 				if err != nil {
 					return nil, err
 				}
@@ -246,7 +247,8 @@ func buildTempoConfig(opts Options) ([]byte, error) {
 			}
 
 			if tempo.Spec.Ingestion.OTLP.HTTP != nil && tempo.Spec.Ingestion.OTLP.HTTP.Enabled {
-				receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS, opts.TLSProfile)
+				receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS,
+					opts.TLSProfile, manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir)
 				if err != nil {
 					return nil, err
 				}

diff --git a/internal/manifests/monolithic/configmap_test.go b/internal/manifests/monolithic/configmap_test.go
@@ -170,9 +170,115 @@ distributor:
       protocols:
         grpc:
           tls:
-            client_ca_file: /var/run/ca-receiver/service-ca.crt
-            cert_file: /var/run/tls/receiver/tls.crt
-            key_file: /var/run/tls/receiver/tls.key
+            client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
+            cert_file: /var/run/tls/receiver/grpc/tls.crt
+            key_file: /var/run/tls/receiver/grpc/tls.key
+            min_version: "1.3"
+usage_report:
+  reporting_enabled: false
+`,
+		},
+		{
+			name: "OTLP/HTTP with TLS",
+			spec: v1alpha1.TempoMonolithicSpec{
+				Ingestion: &v1alpha1.MonolithicIngestionSpec{
+					OTLP: &v1alpha1.MonolithicIngestionOTLPSpec{
+						GRPC: &v1alpha1.MonolithicIngestionOTLPProtocolsGRPCSpec{
+							Enabled: false,
+						},
+						HTTP: &v1alpha1.MonolithicIngestionOTLPProtocolsHTTPSpec{
+							Enabled: true,
+							TLS: &v1alpha1.TLSSpec{
+								Enabled:    true,
+								CA:         "ca",
+								Cert:       "cert",
+								MinVersion: "1.3",
+							},
+						},
+					},
+				},
+			},
+			expected: `
+server:
+  http_listen_port: 3200
+internal_server:
+  enable: true
+  http_listen_address: 0.0.0.0
+storage:
+  trace:
+    backend: local
+    wal:
+      path: /var/tempo/wal
+    local:
+      path: /var/tempo/blocks
+distributor:
+  receivers:
+    otlp:
+      protocols:
+        http:
+          tls:
+            client_ca_file: /var/run/ca-receiver/http/service-ca.crt
+            cert_file: /var/run/tls/receiver/http/tls.crt
+            key_file: /var/run/tls/receiver/http/tls.key
+            min_version: "1.3"
+usage_report:
+  reporting_enabled: false
+`,
+		},
+		{
+			name: "OTLP/HTTP and OTLP/Grpc with TLS",
+			spec: v1alpha1.TempoMonolithicSpec{
+				Ingestion: &v1alpha1.MonolithicIngestionSpec{
+					OTLP: &v1alpha1.MonolithicIngestionOTLPSpec{
+						GRPC: &v1alpha1.MonolithicIngestionOTLPProtocolsGRPCSpec{
+							Enabled: true,
+							TLS: &v1alpha1.TLSSpec{
+								Enabled:    true,
+								CA:         "ca",
+								Cert:       "cert",
+								MinVersion: "1.3",
+							},
+						},
+						HTTP: &v1alpha1.MonolithicIngestionOTLPProtocolsHTTPSpec{
+							Enabled: true,
+							TLS: &v1alpha1.TLSSpec{
+								Enabled:    true,
+								CA:         "ca",
+								Cert:       "cert",
+								MinVersion: "1.3",
+							},
+						},
+					},
+				},
+			},
+			expected: `
+server:
+  http_listen_port: 3200
+internal_server:
+  enable: true
+  http_listen_address: 0.0.0.0
+storage:
+  trace:
+    backend: local
+    wal:
+      path: /var/tempo/wal
+    local:
+      path: /var/tempo/blocks
+distributor:
+  receivers:
+    otlp:
+      protocols:
+        http:
+          tls:
+            client_ca_file: /var/run/ca-receiver/http/service-ca.crt
+            cert_file: /var/run/tls/receiver/http/tls.crt
+            key_file: /var/run/tls/receiver/http/tls.key
+            min_version: "1.3"
+        grpc:
+          tls:
+            client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
+            cert_file: /var/run/tls/receiver/grpc/tls.crt
+            key_file: /var/run/tls/receiver/grpc/tls.key
             min_version: "1.3"
 usage_report:
   reporting_enabled: false
@@ -222,9 +328,9 @@ distributor:
       protocols:
         grpc:
           tls:
-            client_ca_file: /var/run/ca-receiver/service-ca.crt
-            cert_file: /var/run/tls/receiver/tls.crt
-            key_file: /var/run/tls/receiver/tls.key
+            client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
+            cert_file: /var/run/tls/receiver/grpc/tls.crt
+            key_file: /var/run/tls/receiver/grpc/tls.key
             min_version: "1.2"
             cipher_suites: [abc]
 usage_report:

diff --git a/internal/manifests/monolithic/statefulset.go b/internal/manifests/monolithic/statefulset.go
@@ -121,7 +121,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a
 			tempo.Spec.Ingestion.OTLP.GRPC.TLS != nil && tempo.Spec.Ingestion.OTLP.GRPC.TLS.Enabled {
 			err := manifestutils.MountTLSSpecVolumes(
 				&sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.GRPC.TLS,
-				manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir,
+				manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir,
 			)
 			if err != nil {
 				return nil, err
@@ -132,7 +132,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a
 			tempo.Spec.Ingestion.OTLP.HTTP.TLS != nil && tempo.Spec.Ingestion.OTLP.HTTP.TLS.Enabled {
 			err := manifestutils.MountTLSSpecVolumes(
 				&sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.HTTP.TLS,
-				manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir,
+				manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir,
 			)
 			if err != nil {
 				return nil, err

diff --git a/internal/manifests/monolithic/statefulset_test.go b/internal/manifests/monolithic/statefulset_test.go
@@ -427,12 +427,12 @@ func TestStatefulsetReceiverTLS(t *testing.T) {
 		},
 		{
 			Name:      "custom-ca",
-			MountPath: "/var/run/ca-receiver",
+			MountPath: "/var/run/ca-receiver/grpc",
 			ReadOnly:  true,
 		},
 		{
 			Name:      "custom-cert",
-			MountPath: "/var/run/tls/receiver",
+			MountPath: "/var/run/tls/receiver/grpc",
 			ReadOnly:  true,
 		},
 	}, sts.Spec.Template.Spec.Containers[0].VolumeMounts)

diff --git a/tests/e2e/monolithic-receivers-tls/01-assert.yaml b/tests/e2e/monolithic-receivers-tls/01-assert.yaml
@@ -0,0 +1,75 @@
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: simplest
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: tempo-simplest
+  labels:
+    app.kubernetes.io/instance: simplest
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: simplest
+      app.kubernetes.io/managed-by: tempo-operator
+      app.kubernetes.io/name: tempo-monolithic
+status:
+  readyReplicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: simplest
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  name: tempo-simplest
+spec:
+  ports:
+    - name: http
+      port: 3200
+      protocol: TCP
+      targetPort: http
+    - name: otlp-grpc
+      port: 4317
+      protocol: TCP
+      targetPort: otlp-grpc
+    - name: otlp-http
+      port: 4318
+      protocol: TCP
+      targetPort: otlp-http
+  selector:
+    app.kubernetes.io/instance: simplest
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: simplest
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  name: tempo-simplest-jaegerui
+spec:
+  ports:
+    - name: jaeger-grpc
+      port: 16685
+      protocol: TCP
+      targetPort: jaeger-grpc
+    - name: jaeger-ui
+      port: 16686
+      protocol: TCP
+      targetPort: jaeger-ui
+    - name: jaeger-metrics
+      port: 16687
+      protocol: TCP
+      targetPort: jaeger-metrics
+  selector:
+    app.kubernetes.io/instance: simplest
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic