Allow otlp grpc and http to be enabled with TLS on monolithic #977

Merged
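--- /dev/null
+++ b/.chloggen/fix_tls_monolithic_both_enabled.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow create a monolithic with tls enabled on both grpc/http
+
+# One or more tracking issues related to the change
+issues: [976]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: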
10 changes: 10 additions & 0 deletions internal/manifests/manifestutils/paths.go
Expand Up @@ -14,6 +14,16 @@ const (
// ReceiverTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
ReceiverTLSCertDir = TLSDir + "/receiver"

// ReceiverGRPCTLSCADir is the path that is mounted from the configmap for TLS for receiver.
ReceiverGRPCTLSCADir = "/var/run/ca-receiver/grpc"
// ReceiverGRPCTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
ReceiverGRPCTLSCertDir = TLSDir + "/receiver/grpc"

// ReceiverHTTPTLSCADir is the path that is mounted from the configmap for TLS for receiver.
ReceiverHTTPTLSCADir = "/var/run/ca-receiver/http"
// ReceiverHTTPTLSCertDir returns the mount path of the receivers certificates (for ingesting traces).
ReceiverHTTPTLSCertDir = TLSDir + "/receiver/http"

Why don't we use path.Join here?


We can, but I don't think we need it: these are constants, so we don't need to deal with double slashes, empty strings, etc.


// StorageTLSCADir contains the CA file for accessing object storage.
StorageTLSCADir = TLSDir + "/storage/ca"
// StorageTLSCertDir contains the certificate and key file for accessing object storage.
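Review bot: The doc comments on the four new constants are copy-pasted and do not say what distinguishes them: ReceiverGRPCTLSCADir and ReceiverHTTPTLSCADir both read "is the path that is mounted from the configmap for TLS for receiver", and the two CertDir comments say "returns the mount path" although they are constants, not functions. Naming the protocol in each would make the pairing visible, e.g. `// ReceiverGRPCTLSCADir is the mount path of the CA ConfigMap for the OTLP/gRPC receiver.` and `// ReceiverGRPCTLSCertDir is the mount path of the cert/key Secret for the OTLP/gRPC receiver.` with the HTTP pair worded the same way. The pre-existing ReceiverTLSCertDir is still declared just above; if nothing references it after this change it could be marked `// Deprecated:` or dropped, though its remaining callers are outside the shown lines. The const block starts and ends outside the hunk.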
46 changes: 31 additions & 15 deletions internal/manifests/manifestutils/tls.go
Expand Up @@ -27,16 +27,19 @@ func MountCAConfigMap(
MountPath: caDir,
ReadOnly: true,
})
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: caConfigMap,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: caConfigMap,

if !containsVolume(pod, caConfigMap) {
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: caConfigMap,
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: caConfigMap,
},
},
},
},
})
})
}

return nil
}
Expand All @@ -58,14 +61,17 @@ func MountCertSecret(
MountPath: certDir,
ReadOnly: true,
})
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: certSecret,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: certSecret,

if !containsVolume(pod, certSecret) {
pod.Volumes = append(pod.Volumes, corev1.Volume{
Name: certSecret,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: certSecret,
},
},
},
})
})
}

return nil
}
Expand Down Expand Up @@ -117,3 +123,13 @@ func findContainerIndex(pod *corev1.PodSpec, containerName string) (int, error)

return -1, fmt.Errorf("cannot find container %s", containerName)
}

func containsVolume(pod *corev1.PodSpec, volumeName string) bool {
for _, volume := range pod.Volumes {
if volume.Name == volumeName {
return true
}
}

return false
}
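Review bot: containsVolume, added at the end of tls.go, matches on volume name alone, so if the pod already carries a volume with that name but a different source, MountCAConfigMap and MountCertSecret now skip the new volume silently while the VolumeMount closed just above each guard is still appended. That is the intended dedup when the gRPC and HTTP receivers reference the same Secret or ConfigMap, but the contract deserves a doc comment, e.g. `// containsVolume reports whether pod already declares a volume named volumeName. Callers use it to add a shared Secret/ConfigMap volume only once when several receivers reference the same object; it does not compare the volume source.` A guard-clause form, `if containsVolume(pod, caConfigMap) { return nil }` placed before the append, would keep the happy path flat in both functions. MountCAConfigMap and MountCertSecret both begin before their hunks.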
14 changes: 8 additions & 6 deletions internal/manifests/monolithic/configmap.go
Expand Up @@ -139,15 +139,15 @@ func BuildConfigMap(opts Options) (*corev1.ConfigMap, map[string]string, error)
return configMap, extraAnnotations, nil
}

func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions) (tempoReceiverTLSConfig, error) {
func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions, caCertDir, certDir string) (tempoReceiverTLSConfig, error) {
tlsCfg := tempoReceiverTLSConfig{}
if tlsSpec != nil && tlsSpec.Enabled {
if tlsSpec.Cert != "" {
tlsCfg.CertFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSCertFilename)
tlsCfg.KeyFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSKeyFilename)
tlsCfg.CertFile = path.Join(certDir, manifestutils.TLSCertFilename)
tlsCfg.KeyFile = path.Join(certDir, manifestutils.TLSKeyFilename)
}
if tlsSpec.CA != "" {
tlsCfg.CAFile = path.Join(manifestutils.ReceiverTLSCADir, manifestutils.TLSCAFilename)
tlsCfg.CAFile = path.Join(caCertDir, manifestutils.TLSCAFilename)
}
if tlsSpec.MinVersion != "" {
tlsCfg.MinVersion = tlsSpec.MinVersion
Expand Down Expand Up @@ -230,7 +230,8 @@ func buildTempoConfig(opts Options) ([]byte, error) {
if tempo.Spec.Ingestion != nil {
if tempo.Spec.Ingestion.OTLP != nil {
if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled {
receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile)
receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile,
manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir)
if err != nil {
return nil, err
}
Expand All @@ -246,7 +247,8 @@ func buildTempoConfig(opts Options) ([]byte, error) {
}

if tempo.Spec.Ingestion.OTLP.HTTP != nil && tempo.Spec.Ingestion.OTLP.HTTP.Enabled {
receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS, opts.TLSProfile)
receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS,
opts.TLSProfile, manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir)
if err != nil {
return nil, err
}
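Review bot: configureReceiverTLS now takes two positional string directories, caCertDir and certDir, and the two call sites in buildTempoConfig wrap the argument list differently (the gRPC call breaks after opts.TLSProfile, the HTTP call breaks after the TLS spec), which makes the CA/cert order harder to check by eye; wrapping both the same way, with the two directory constants together on one line, would help. The function also has no doc comment; one that ties the parameters to the mounts would prevent the two sides drifting, e.g. `// configureReceiverTLS builds the TLS block for one OTLP receiver. caCertDir and certDir must be the directories where the statefulset mounts the CA ConfigMap and the cert/key Secret for that receiver (see MountTLSSpecVolumes).` Both hunks inside buildTempoConfig start and end outside the shown lines, and configureReceiverTLS continues past its hunk.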
118 changes: 112 additions & 6 deletions internal/manifests/monolithic/configmap_test.go
Expand Up @@ -170,9 +170,115 @@ distributor:
protocols:
grpc:
tls:
client_ca_file: /var/run/ca-receiver/service-ca.crt
cert_file: /var/run/tls/receiver/tls.crt
key_file: /var/run/tls/receiver/tls.key
client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
cert_file: /var/run/tls/receiver/grpc/tls.crt
key_file: /var/run/tls/receiver/grpc/tls.key
min_version: "1.3"
usage_report:
reporting_enabled: false
`,
},
{
name: "OTLP/HTTP with TLS",
spec: v1alpha1.TempoMonolithicSpec{
Ingestion: &v1alpha1.MonolithicIngestionSpec{
OTLP: &v1alpha1.MonolithicIngestionOTLPSpec{
GRPC: &v1alpha1.MonolithicIngestionOTLPProtocolsGRPCSpec{
Enabled: false,
},
HTTP: &v1alpha1.MonolithicIngestionOTLPProtocolsHTTPSpec{
Enabled: true,
TLS: &v1alpha1.TLSSpec{
Enabled: true,
CA: "ca",
Cert: "cert",
MinVersion: "1.3",
},
},
},
},
},
expected: `
server:
http_listen_port: 3200
internal_server:
enable: true
http_listen_address: 0.0.0.0
storage:
trace:
backend: local
wal:
path: /var/tempo/wal
local:
path: /var/tempo/blocks
distributor:
receivers:
otlp:
protocols:
http:
tls:
client_ca_file: /var/run/ca-receiver/http/service-ca.crt
cert_file: /var/run/tls/receiver/http/tls.crt
key_file: /var/run/tls/receiver/http/tls.key
min_version: "1.3"
usage_report:
reporting_enabled: false
`,
},
{
name: "OTLP/HTTP and OTLP/Grpc with TLS",
spec: v1alpha1.TempoMonolithicSpec{
Ingestion: &v1alpha1.MonolithicIngestionSpec{
OTLP: &v1alpha1.MonolithicIngestionOTLPSpec{
GRPC: &v1alpha1.MonolithicIngestionOTLPProtocolsGRPCSpec{
Enabled: true,
TLS: &v1alpha1.TLSSpec{
Enabled: true,
CA: "ca",
Cert: "cert",
MinVersion: "1.3",
},
},
HTTP: &v1alpha1.MonolithicIngestionOTLPProtocolsHTTPSpec{
Enabled: true,
TLS: &v1alpha1.TLSSpec{
Enabled: true,
CA: "ca",
Cert: "cert",
MinVersion: "1.3",
},
},
},
},
},
expected: `
server:
http_listen_port: 3200
internal_server:
enable: true
http_listen_address: 0.0.0.0
storage:
trace:
backend: local
wal:
path: /var/tempo/wal
local:
path: /var/tempo/blocks
distributor:
receivers:
otlp:
protocols:
http:
tls:
client_ca_file: /var/run/ca-receiver/http/service-ca.crt
cert_file: /var/run/tls/receiver/http/tls.crt
key_file: /var/run/tls/receiver/http/tls.key
min_version: "1.3"
grpc:
tls:
client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
cert_file: /var/run/tls/receiver/grpc/tls.crt
key_file: /var/run/tls/receiver/grpc/tls.key
min_version: "1.3"
usage_report:
reporting_enabled: false
Expand Down Expand Up @@ -222,9 +328,9 @@ distributor:
protocols:
grpc:
tls:
client_ca_file: /var/run/ca-receiver/service-ca.crt
cert_file: /var/run/tls/receiver/tls.crt
key_file: /var/run/tls/receiver/tls.key
client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt
cert_file: /var/run/tls/receiver/grpc/tls.crt
key_file: /var/run/tls/receiver/grpc/tls.key
min_version: "1.2"
cipher_suites: [abc]
usage_report:
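Review bot: The new case names mix casing, `"OTLP/HTTP and OTLP/Grpc with TLS"` next to `"OTLP/HTTP with TLS"`; `"OTLP/gRPC and OTLP/HTTP with TLS"` would read consistently with the protocol names used elsewhere. The both-enabled case is the one that reproduces #976 and pins the distinct grpc/http CA and cert paths, which is the right thing to assert. Both new cases give the two receivers the same "ca" and "cert" object names; a variant with different names would show the paths are keyed by protocol rather than by object, unless that is covered elsewhere. The table literal starts and ends outside the shown lines.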
4 changes: 2 additions & 2 deletions internal/manifests/monolithic/statefulset.go
Expand Up @@ -121,7 +121,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a
tempo.Spec.Ingestion.OTLP.GRPC.TLS != nil && tempo.Spec.Ingestion.OTLP.GRPC.TLS.Enabled {
err := manifestutils.MountTLSSpecVolumes(
&sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.GRPC.TLS,
manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir,
manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir,
)
if err != nil {
return nil, err
Expand All @@ -132,7 +132,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a
tempo.Spec.Ingestion.OTLP.HTTP.TLS != nil && tempo.Spec.Ingestion.OTLP.HTTP.TLS.Enabled {
err := manifestutils.MountTLSSpecVolumes(
&sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.HTTP.TLS,
manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir,
manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir,
)
if err != nil {
return nil, err
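Review bot: The gRPC and HTTP branches in BuildTempoStatefulset are now identical except for the spec pointer and the two directory constants, which is the kind of pairing that drifts; the bug this PR fixes came from the two branches sharing one set of paths. A small helper taking the *TLSSpec and the two directories, or a loop over a two-element table, would keep them in lockstep. At minimum a why-comment on the first branch such as `// gRPC and HTTP use distinct mount dirs so both receivers can carry TLS at once; a Secret/ConfigMap referenced by both is presumably added as a volume only once by manifestutils` records why the constants differ, with the dedup behaviour to be confirmed against MountTLSSpecVolumes, which is not shown here. Both hunks sit inside BuildTempoStatefulset, whose body starts and ends outside the shown lines.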
4 changes: 2 additions & 2 deletions internal/manifests/monolithic/statefulset_test.go
Expand Up @@ -427,12 +427,12 @@ func TestStatefulsetReceiverTLS(t *testing.T) {
},
{
Name: "custom-ca",
MountPath: "/var/run/ca-receiver",
MountPath: "/var/run/ca-receiver/grpc",
ReadOnly: true,
},
{
Name: "custom-cert",
MountPath: "/var/run/tls/receiver",
MountPath: "/var/run/tls/receiver/grpc",
ReadOnly: true,
},
}, sts.Spec.Template.Spec.Containers[0].VolumeMounts)
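Review bot: TestStatefulsetReceiverTLS, as far as this hunk shows, still covers only the gRPC receiver (the updated expectations are the custom-ca and custom-cert mounts under /var/run/ca-receiver/grpc and /var/run/tls/receiver/grpc), so the scenario this PR fixes, both receivers enabled with TLS, has no statefulset-level assertion here. A case with GRPC and HTTP both enabled should assert the two distinct MountPath values and that sts.Spec.Template.Spec.Volumes lists each Secret/ConfigMap exactly once when both receivers name the same object, plus a variant with different objects so the second pair of volumes is actually added. The rest of the test function is outside the shown lines.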
75 changes: 75 additions & 0 deletions tests/e2e/monolithic-receivers-tls/01-assert.yaml
@@ -0,0 +1,75 @@
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
name: simplest
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: tempo-simplest
labels:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
spec:
selector:
matchLabels:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
status:
readyReplicas: 1
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
name: tempo-simplest
spec:
ports:
- name: http
port: 3200
protocol: TCP
targetPort: http
- name: otlp-grpc
port: 4317
protocol: TCP
targetPort: otlp-grpc
- name: otlp-http
port: 4318
protocol: TCP
targetPort: otlp-http
selector:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
name: tempo-simplest-jaegerui
spec:
ports:
- name: jaeger-grpc
port: 16685
protocol: TCP
targetPort: jaeger-grpc
- name: jaeger-ui
port: 16686
protocol: TCP
targetPort: jaeger-ui
- name: jaeger-metrics
port: 16687
protocol: TCP
targetPort: jaeger-metrics
selector:
app.kubernetes.io/instance: simplest
app.kubernetes.io/managed-by: tempo-operator
app.kubernetes.io/name: tempo-monolithic
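Review bot: This assert checks that the StatefulSet reaches readyReplicas: 1 and that the two Services expose the otlp-grpc and otlp-http ports, but nothing in it is TLS-specific, so the e2e step would also pass if the receivers came up without TLS. If the step's other files do not cover it, the StatefulSet entry could additionally assert the pod template's volumeMounts at `/var/run/ca-receiver/grpc`, `/var/run/tls/receiver/grpc`, `/var/run/ca-receiver/http` and `/var/run/tls/receiver/http`, which is exactly the state this PR changes. The indentation of this file appears flattened in the rendered view, so the nesting of the added keys cannot be confirmed from here.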