Unify TLS handling (#768)
* use TLSSpec in TempoStack storage
* generalize mounting TLS volumes
* set tls.enabled=true if TLS was enabled previously for TempoStack
  storage

Signed-off-by: Andreas Gerstmayr <[email protected]>
andreasgerstmayr authored Feb 1, 2024
1 parent 9c43697 commit 30dd465
Showing 26 changed files with 375 additions and 192 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -141,7 +141,7 @@ build: generate fmt ## Build manager binary.

.PHONY: run
run: manifests generate ## Run a controller from your host.
@echo -e "\033[33mRemoving webhooks from the cluster. Use the normal deployment method to enable full operator functionality.\033[0m"
@echo -e "\033[33mRemoving tempo operator from the cluster. Use the normal deployment method to enable full operator functionality.\033[0m"
-kubectl delete ns $(OPERATOR_NAMESPACE)
-kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io tempo-operator-mutating-webhook-configuration
-kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io tempo-operator-validating-webhook-configuration
11 changes: 4 additions & 7 deletions apis/tempo/v1alpha1/common_types.go
Expand Up @@ -4,29 +4,26 @@ package v1alpha1
type TLSSpec struct {
// enabled defines if TLS is enabled.
//
// +kubebuilder:validation:Required
// +kubebuilder:validation:Optional
Enabled bool `json:"enabled"`

// caName is the name of a ConfigMap containing a CA certificate (service-ca.crt).
// It needs to be in the same namespace as the Tempo custom resource.
//
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:io.kubernetes:ConfigMap",displayName="CA ConfigMap Name"
CA string `json:"caName,omitempty"`

// certName is the name of a Secret containing a certificate (tls.crt) and private key (tls.key).
// It needs to be in the same namespace as the Tempo custom resource.
//
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:io.kubernetes:Secret",displayName="Certificate Secret Name"
Cert string `json:"certName,omitempty"`

// minVersion defines the minimum acceptable TLS version.
//
// +optional
// +kubebuilder:validation:optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Min TLS Version"
MinVersion string `json:"minVersion,omitempty"`
}
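Review bot: Dropping `+kubebuilder:validation:Required` from `caName` and `certName` in TLSSpec means the CRD schema no longer rejects `enabled: true` with neither a CA nor a certificate, a guarantee TempoMonolithic previously had at admission; the regenerated CRDs in this commit confirm only the `required: - enabled` lists are removed and nothing takes their place. Unless the admission webhook (not in this view) already covers it, I would add a cross-field rule on the struct, e.g. `// +kubebuilder:validation:XValidation:rule="!self.enabled || has(self.certName) || has(self.caName)",message="certName or caName must be set when tls.enabled is true"` where the supported Kubernetes versions accept CEL, and the same check in the webhook otherwise. `minVersion` also stays a free-form string; a `+kubebuilder:validation:Enum=...` marker listing the values the config generator accepts would turn a typo into an admission error instead of a silently ignored or runtime-rejected setting. Lastly, the `caName` comment now promises a `service-ca.crt` key while the ObjectStorageTLSSpec it replaces for TempoStack storage documented `ca.crt`; the comment should state which key (or both) the generalized mount actually reads.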
13 changes: 1 addition & 12 deletions apis/tempo/v1alpha1/tempostack_types.go
Expand Up @@ -411,7 +411,7 @@ type ObjectStorageSpec struct {
// +optional
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TLS Config"
TLS ObjectStorageTLSSpec `json:"tls,omitempty"`
TLS TLSSpec `json:"tls,omitempty"`

// Secret for object storage authentication.
// Name of a secret in the same namespace as the TempoStack custom resource.
Expand All @@ -422,17 +422,6 @@ type ObjectStorageSpec struct {
// Don't forget to update storageSecretField in tempostack_controller.go if this field name changes.
}

// ObjectStorageTLSSpec is the TLS configuration for reaching the object storage endpoint.
type ObjectStorageTLSSpec struct {
// CA is the name of a ConfigMap containing a `ca.crt` key with a CA certificate.
// It needs to be in the same namespace as the TempoStack custom resource.
//
// +optional
// +kubebuilder:validation:optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:io.kubernetes:ConfigMap",displayName="CA ConfigMap Name"
CA string `json:"caName,omitempty"`
}

// MemberListSpec defines the configuration for the memberlist based hash ring.
type MemberListSpec struct {
// EnableIPv6 enables IPv6 support for the memberlist based hash ring.
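Review bot: Switching `TLS` to the shared TLSSpec changes the documented CA ConfigMap key for TempoStack storage from `ca.crt` (the removed ObjectStorageTLSSpec) to `service-ca.crt`; if the generalized volume mounting, which is not in this view, reads only the new key, existing storage CA ConfigMaps would silently stop being trusted, and a pre-existing `caName` without the new `enabled` flag now relies entirely on the defaulting the commit message describes. The `tempostack_controller_test.go` change in this commit still builds `TLSSpec{CA: "custom-ca"}` without `Enabled: true`, so asserting there that defaulting sets it (or setting it explicitly) would pin that migration path. A short migration note on the field, e.g. `// TLS replaces ObjectStorageTLSSpec; CA ConfigMaps keyed ca.crt from earlier releases are <still/no longer> read — see the volume mounting code.`, with the right half filled in, would make the compatibility story explicit for operators. ObjectStorageSpec begins before this hunk.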
15 changes: 0 additions & 15 deletions apis/tempo/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -56,7 +56,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.7.0
createdAt: "2024-01-30T17:07:51Z"
createdAt: "2024-02-01T12:58:43Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
Expand Down Expand Up @@ -393,13 +393,23 @@ spec:
- description: TLS configuration for reaching the object storage endpoint.
displayName: TLS Config
path: storage.tls
- description: CA is the name of a ConfigMap containing a `ca.crt` key with
a CA certificate. It needs to be in the same namespace as the TempoStack
custom resource.
- description: caName is the name of a ConfigMap containing a CA certificate
(service-ca.crt). It needs to be in the same namespace as the Tempo custom
resource.
displayName: CA ConfigMap Name
path: storage.tls.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: certName is the name of a Secret containing a certificate (tls.crt)
and private key (tls.key). It needs to be in the same namespace as the Tempo
custom resource.
displayName: Certificate Secret Name
path: storage.tls.certName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: minVersion defines the minimum acceptable TLS version.
displayName: Min TLS Version
path: storage.tls.minVersion
- description: StorageClassName for PVCs used by ingester. Defaults to nil (default
storage class in the cluster).
displayName: StorageClassName for PVCs
Expand Up @@ -82,8 +82,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
Expand Down Expand Up @@ -116,8 +114,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
20 changes: 15 additions & 5 deletions bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
Expand Up @@ -418,9 +418,21 @@ spec:
endpoint.
properties:
caName:
description: CA is the name of a ConfigMap containing a `ca.crt`
key with a CA certificate. It needs to be in the same namespace
as the TempoStack custom resource.
description: caName is the name of a ConfigMap containing
a CA certificate (service-ca.crt). It needs to be in the
same namespace as the Tempo custom resource.
type: string
certName:
description: certName is the name of a Secret containing a
certificate (tls.crt) and private key (tls.key). It needs
to be in the same namespace as the Tempo custom resource.
type: string
enabled:
description: enabled defines if TLS is enabled.
type: boolean
minVersion:
description: minVersion defines the minimum acceptable TLS
version.
type: string
type: object
required:
Expand Down Expand Up @@ -586,8 +598,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
type: object
gateway:
Expand Up @@ -56,7 +56,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.7.0
createdAt: "2024-01-30T17:07:50Z"
createdAt: "2024-02-01T12:58:42Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
Expand Down Expand Up @@ -393,13 +393,23 @@ spec:
- description: TLS configuration for reaching the object storage endpoint.
displayName: TLS Config
path: storage.tls
- description: CA is the name of a ConfigMap containing a `ca.crt` key with
a CA certificate. It needs to be in the same namespace as the TempoStack
custom resource.
- description: caName is the name of a ConfigMap containing a CA certificate
(service-ca.crt). It needs to be in the same namespace as the Tempo custom
resource.
displayName: CA ConfigMap Name
path: storage.tls.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: certName is the name of a Secret containing a certificate (tls.crt)
and private key (tls.key). It needs to be in the same namespace as the Tempo
custom resource.
displayName: Certificate Secret Name
path: storage.tls.certName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: minVersion defines the minimum acceptable TLS version.
displayName: Min TLS Version
path: storage.tls.minVersion
- description: StorageClassName for PVCs used by ingester. Defaults to nil (default
storage class in the cluster).
displayName: StorageClassName for PVCs
Expand Up @@ -82,8 +82,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
Expand Down Expand Up @@ -116,8 +114,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
20 changes: 15 additions & 5 deletions bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
Expand Up @@ -418,9 +418,21 @@ spec:
endpoint.
properties:
caName:
description: CA is the name of a ConfigMap containing a `ca.crt`
key with a CA certificate. It needs to be in the same namespace
as the TempoStack custom resource.
description: caName is the name of a ConfigMap containing
a CA certificate (service-ca.crt). It needs to be in the
same namespace as the Tempo custom resource.
type: string
certName:
description: certName is the name of a Secret containing a
certificate (tls.crt) and private key (tls.key). It needs
to be in the same namespace as the Tempo custom resource.
type: string
enabled:
description: enabled defines if TLS is enabled.
type: boolean
minVersion:
description: minVersion defines the minimum acceptable TLS
version.
type: string
type: object
required:
Expand Down Expand Up @@ -586,8 +598,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
type: object
gateway:
4 changes: 0 additions & 4 deletions config/crd/bases/tempo.grafana.com_tempomonolithics.yaml
Expand Up @@ -79,8 +79,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
Expand Down Expand Up @@ -113,8 +111,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
required:
- enabled
20 changes: 15 additions & 5 deletions config/crd/bases/tempo.grafana.com_tempostacks.yaml
Expand Up @@ -415,9 +415,21 @@ spec:
endpoint.
properties:
caName:
description: CA is the name of a ConfigMap containing a `ca.crt`
key with a CA certificate. It needs to be in the same namespace
as the TempoStack custom resource.
description: caName is the name of a ConfigMap containing
a CA certificate (service-ca.crt). It needs to be in the
same namespace as the Tempo custom resource.
type: string
certName:
description: certName is the name of a Secret containing a
certificate (tls.crt) and private key (tls.key). It needs
to be in the same namespace as the Tempo custom resource.
type: string
enabled:
description: enabled defines if TLS is enabled.
type: boolean
minVersion:
description: minVersion defines the minimum acceptable TLS
version.
type: string
type: object
required:
Expand Down Expand Up @@ -583,8 +595,6 @@ spec:
description: minVersion defines the minimum acceptable
TLS version.
type: string
required:
- enabled
type: object
type: object
gateway:
Expand Up @@ -340,13 +340,23 @@ spec:
- description: TLS configuration for reaching the object storage endpoint.
displayName: TLS Config
path: storage.tls
- description: CA is the name of a ConfigMap containing a `ca.crt` key with
a CA certificate. It needs to be in the same namespace as the TempoStack
custom resource.
- description: caName is the name of a ConfigMap containing a CA certificate
(service-ca.crt). It needs to be in the same namespace as the Tempo custom
resource.
displayName: CA ConfigMap Name
path: storage.tls.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: certName is the name of a Secret containing a certificate (tls.crt)
and private key (tls.key). It needs to be in the same namespace as the Tempo
custom resource.
displayName: Certificate Secret Name
path: storage.tls.certName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: minVersion defines the minimum acceptable TLS version.
displayName: Min TLS Version
path: storage.tls.minVersion
- description: StorageClassName for PVCs used by ingester. Defaults to nil (default
storage class in the cluster).
displayName: StorageClassName for PVCs
Expand Up @@ -340,13 +340,23 @@ spec:
- description: TLS configuration for reaching the object storage endpoint.
displayName: TLS Config
path: storage.tls
- description: CA is the name of a ConfigMap containing a `ca.crt` key with
a CA certificate. It needs to be in the same namespace as the TempoStack
custom resource.
- description: caName is the name of a ConfigMap containing a CA certificate
(service-ca.crt). It needs to be in the same namespace as the Tempo custom
resource.
displayName: CA ConfigMap Name
path: storage.tls.caName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:ConfigMap
- description: certName is the name of a Secret containing a certificate (tls.crt)
and private key (tls.key). It needs to be in the same namespace as the Tempo
custom resource.
displayName: Certificate Secret Name
path: storage.tls.certName
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Secret
- description: minVersion defines the minimum acceptable TLS version.
displayName: Min TLS Version
path: storage.tls.minVersion
- description: StorageClassName for PVCs used by ingester. Defaults to nil (default
storage class in the cluster).
displayName: StorageClassName for PVCs
2 changes: 1 addition & 1 deletion controllers/tempo/tempostack_controller_test.go
Expand Up @@ -451,7 +451,7 @@ func TestStorageCustomCA(t *testing.T) {
Name: storageSecret.Name,
Type: "s3",
},
TLS: v1alpha1.ObjectStorageTLSSpec{
TLS: v1alpha1.TLSSpec{
CA: "custom-ca",
},
},
