grafana · rubenvp8510 · Jul 12, 2024 · Jul 9, 2024
diff --git a/.chloggen/tls_cert_serv_mono.yaml b/.chloggen/tls_cert_serv_mono.yaml
@@ -0,0 +1,41 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Use TLS via OpenShift service annotation when gateway/multitenancy is disabled (monolithic)
+
+# One or more tracking issues related to the change
+issues: [963]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  On OpenShift when operator config `servingCertsService` is enabled and the following TempoMonolithic CR is used.
+  The operator provisions OpenShift serving certificates for the distributor ingest APIs
+
+  ```
+    apiVersion: tempo.grafana.com/v1alpha1
+    kind:  TempoMonolithic
+    spec:
+      ingestion:
+        otlp:
+          grpc:
+            tls:
+              enabled: true
+  ```
+  or
+  ```
+    apiVersion: tempo.grafana.com/v1alpha1
+    kind:  TempoMonolithic
+    spec:
+      ingestion:
+        otlp:
+          http:
+            tls:
+              enabled: true
+  ```
+  No `certName` and `caName` should be provided, If you specify it, those will be used instead.
diff --git a/apis/tempo/v1alpha1/tempomonolithic_types.go b/apis/tempo/v1alpha1/tempomonolithic_types.go
@@ -190,6 +190,9 @@ type MonolithicIngestionOTLPProtocolsGRPCSpec struct {
 
 	// TLS defines the TLS configuration for OTLP/gRPC ingestion.
 	//
+	// On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+	// are provided it will use OpenShift serving certificate service.
+	//
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS"
 	TLS *TLSSpec `json:"tls,omitempty"`
@@ -207,6 +210,9 @@ type MonolithicIngestionOTLPProtocolsHTTPSpec struct {
 
 	// TLS defines the TLS configuration for OTLP/HTTP ingestion.
 	//
+	// On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+	// are provided it will use OpenShift serving certificate service.
+	//
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS"
 	TLS *TLSSpec `json:"tls,omitempty"`

diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1
-    createdAt: "2024-07-09T01:46:53Z"
+    createdAt: "2024-07-10T03:57:59Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -249,7 +249,10 @@ spec:
       - description: GRPC defines the OTLP over gRPC configuration.
         displayName: gRPC
         path: ingestion.otlp.grpc
-      - description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.grpc.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
@@ -271,7 +274,10 @@ spec:
       - description: HTTP defines the OTLP over HTTP configuration.
         displayName: HTTP
         path: ingestion.otlp.http
-      - description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.http.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).

diff --git a/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml
@@ -963,8 +963,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/gRPC
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/gRPC ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-
@@ -997,8 +1001,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/HTTP
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/HTTP ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-

diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.11.1
-    createdAt: "2024-07-09T01:46:51Z"
+    createdAt: "2024-07-10T03:57:57Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -249,7 +249,10 @@ spec:
       - description: GRPC defines the OTLP over gRPC configuration.
         displayName: gRPC
         path: ingestion.otlp.grpc
-      - description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.grpc.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
@@ -271,7 +274,10 @@ spec:
       - description: HTTP defines the OTLP over HTTP configuration.
         displayName: HTTP
         path: ingestion.otlp.http
-      - description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.http.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).

diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml
@@ -963,8 +963,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/gRPC
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/gRPC ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-
@@ -997,8 +1001,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/HTTP
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/HTTP ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-

diff --git a/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml b/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml
@@ -959,8 +959,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/gRPC
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/gRPC ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-
@@ -993,8 +997,12 @@ spec:
                               Default: enabled.
                             type: boolean
                           tls:
-                            description: TLS defines the TLS configuration for OTLP/HTTP
-                              ingestion.
+                            description: |-
+                              TLS defines the TLS configuration for OTLP/HTTP ingestion.
+
+
+                              On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName`
+                              are provided it will use OpenShift serving certificate service.
                             properties:
                               caName:
                                 description: |-

diff --git a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
@@ -178,7 +178,10 @@ spec:
       - description: GRPC defines the OTLP over gRPC configuration.
         displayName: gRPC
         path: ingestion.otlp.grpc
-      - description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.grpc.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
@@ -200,7 +203,10 @@ spec:
       - description: HTTP defines the OTLP over HTTP configuration.
         displayName: HTTP
         path: ingestion.otlp.http
-      - description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.http.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).

diff --git a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
@@ -178,7 +178,10 @@ spec:
       - description: GRPC defines the OTLP over gRPC configuration.
         displayName: gRPC
         path: ingestion.otlp.grpc
-      - description: TLS defines the TLS configuration for OTLP/gRPC ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/gRPC ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.grpc.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).
@@ -200,7 +203,10 @@ spec:
       - description: HTTP defines the OTLP over HTTP configuration.
         displayName: HTTP
         path: ingestion.otlp.http
-      - description: TLS defines the TLS configuration for OTLP/HTTP ingestion.
+      - description: "TLS defines the TLS configuration for OTLP/HTTP ingestion. \n
+          On OpenShift when operator config `servingCertsService`  and TLS is enabled
+          \ but no `certName` and `caName` are provided it will use OpenShift serving
+          certificate service."
         displayName: TLS
         path: ingestion.otlp.http.tls
       - description: CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).

diff --git a/docs/spec/tempo.grafana.com_tempomonolithics.yaml b/docs/spec/tempo.grafana.com_tempomonolithics.yaml
@@ -9,14 +9,14 @@ spec:                                    # TempoMonolithicSpec defines the desir
     otlp:                                # OTLP defines the ingestion configuration for the OTLP protocol.
       grpc:                              # GRPC defines the OTLP over gRPC configuration.
         enabled: true                    # Enabled defines if OTLP over gRPC is enabled. Default: enabled.
-        tls:                             # TLS defines the TLS configuration for OTLP/gRPC ingestion.
+        tls:                             # TLS defines the TLS configuration for OTLP/gRPC ingestion.   On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName` are provided it will use OpenShift serving certificate service.
           enabled: false                 # Enabled defines if TLS is enabled.
           caName: ""                     # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource.
           certName: ""                   # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource.
           minVersion: ""                 # MinVersion defines the minimum acceptable TLS version.
       http:                              # HTTP defines the OTLP over HTTP configuration.
         enabled: true                    # Enabled defines if OTLP over HTTP is enabled. Default: enabled.
-        tls:                             # TLS defines the TLS configuration for OTLP/HTTP ingestion.
+        tls:                             # TLS defines the TLS configuration for OTLP/HTTP ingestion.   On OpenShift when operator config `servingCertsService`  and TLS is enabled  but no `certName` and `caName` are provided it will use OpenShift serving certificate service.
           enabled: false                 # Enabled defines if TLS is enabled.
           caName: ""                     # CA is the name of a ConfigMap containing a CA certificate (service-ca.crt). It needs to be in the same namespace as the Tempo custom resource.
           certName: ""                   # Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key). It needs to be in the same namespace as the Tempo custom resource.

diff --git a/internal/manifests/monolithic/build.go b/internal/manifests/monolithic/build.go
@@ -55,6 +55,23 @@ func BuildAll(opts Options) ([]client.Object, error) {
 		maps.Copy(extraStsAnnotations, annotations)
 	}
 
+	if opts.CtrlConfig.Gates.OpenShift.ServingCertsService {
+		manifests = append(manifests, manifestutils.NewConfigMapCABundle(
+			tempo.Namespace,
+			naming.ServingCABundleName(tempo.Name),
+			CommonLabels(tempo.Name),
+		))
+		if ingestionHTTPTLSEnabled(tempo) && tlsSecretAndBundleEmptyHTTP(tempo) {
+			tempo.Spec.Ingestion.OTLP.HTTP.TLS.CA = naming.ServingCABundleName(tempo.Name)
+			tempo.Spec.Ingestion.OTLP.HTTP.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
+		}
+
+		if ingestionGRPCTLSEnabled(tempo) && tlsSecretAndBundleEmptyGRPC(tempo) {
+			tempo.Spec.Ingestion.OTLP.GRPC.TLS.CA = naming.ServingCABundleName(tempo.Name)
+			tempo.Spec.Ingestion.OTLP.GRPC.TLS.Cert = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
+		}
+	}
+
 	statefulSet, err := BuildTempoStatefulset(opts, extraStsAnnotations)
 	if err != nil {
 		return nil, err
@@ -64,14 +81,6 @@ func BuildAll(opts Options) ([]client.Object, error) {
 	services := BuildServices(opts)
 	manifests = append(manifests, services...)
 
-	if opts.CtrlConfig.Gates.OpenShift.ServingCertsService {
-		manifests = append(manifests, manifestutils.NewConfigMapCABundle(
-			tempo.Namespace,
-			naming.ServingCABundleName(tempo.Name),
-			CommonLabels(tempo.Name),
-		))
-	}
-
 	if tempo.Spec.JaegerUI != nil && tempo.Spec.JaegerUI.Enabled {
 		if tempo.Spec.JaegerUI.Ingress != nil && tempo.Spec.JaegerUI.Ingress.Enabled {
 			manifests = append(manifests, BuildJaegerUIIngress(opts))

diff --git a/internal/manifests/monolithic/configmap.go b/internal/manifests/monolithic/configmap.go
@@ -232,6 +232,7 @@ func buildTempoConfig(opts Options) ([]byte, error) {
 			if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled {
 				receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile,
 					manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir)
+
 				if err != nil {
 					return nil, err
 				}

diff --git a/internal/manifests/monolithic/services.go b/internal/manifests/monolithic/services.go
@@ -29,6 +29,13 @@ func BuildServices(opts Options) []client.Object {
 // buildTempoService creates the service for a monolithic deployment.
 func buildTempoService(opts Options) *corev1.Service {
 	tempo := opts.Tempo
+	annotations := map[string]string{}
+
+	if opts.CtrlConfig.Gates.OpenShift.ServingCertsService && ingestionTLSEnabled(tempo) &&
+		tlsSecretAndBundleEmpty(tempo) {
+		annotations["service.beta.openshift.io/serving-cert-secret-name"] = naming.ServingCertName(manifestutils.TempoMonolithComponentName, tempo.Name)
+	}
+
 	labels := ComponentLabels(manifestutils.TempoMonolithComponentName, tempo.Name)
 	ports := []corev1.ServicePort{{
 		Name:       manifestutils.HttpPortName,
@@ -62,9 +69,10 @@ func buildTempoService(opts Options) *corev1.Service {
 			Kind:       "Service",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name),
-			Namespace: tempo.Namespace,
-			Labels:    labels,
+			Name:        naming.Name(manifestutils.TempoMonolithComponentName, tempo.Name),
+			Namespace:   tempo.Namespace,
+			Labels:      labels,
+			Annotations: annotations,
 		},
 		Spec: corev1.ServiceSpec{
 			Ports:    ports,