Sanitize volume names for ca bundle and certificates (#982)

* Sanitize volume names for ca bundle and certificates Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
grafana · Jul 15, 2024 · 3f20588 · 3f20588
1 parent 058f198
commit 3f20588
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 10 deletions.
diff --git a/.chloggen/fix_ca_cofigmap_dots.yaml b/.chloggen/fix_ca_cofigmap_dots.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack, tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow configmaps and secrets with dot in the name (as it is valid for those objects to have dots as part of it's name)
+
+# One or more tracking issues related to the change
+issues: [983]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/internal/manifests/distributor/distributor.go b/internal/manifests/distributor/distributor.go
@@ -77,11 +77,12 @@ func resources(tempo v1alpha1.TempoStack) corev1.ResourceRequirements {
 func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName string) error {
 	podSpec := &dep.Spec.Template.Spec
 	if caSecretName != "" {
+		volumeName := naming.DNSName(caSecretName)
 		/*Configure CA*/
 		secretCAVolumeSpec := corev1.PodSpec{
 			Volumes: []corev1.Volume{
 				{
-					Name: caSecretName,
+					Name: volumeName,
 					VolumeSource: corev1.VolumeSource{
 						ConfigMap: &corev1.ConfigMapVolumeSource{
 							LocalObjectReference: corev1.LocalObjectReference{
@@ -96,7 +97,7 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
 		secretCAContainerSpec := corev1.Container{
 			VolumeMounts: []corev1.VolumeMount{
 				{
-					Name:      caSecretName,
+					Name:      volumeName,
 					ReadOnly:  true,
 					MountPath: manifestutils.ReceiverTLSCADir,
 				},
@@ -110,11 +111,12 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
 			return kverrors.Wrap(err, "failed to merge container")
 		}
 	}
+	secretVolumeName := naming.DNSName(certSecretName)
 
 	secretCertVolumeSpec := corev1.PodSpec{
 		Volumes: []corev1.Volume{
 			{
-				Name: certSecretName,
+				Name: secretVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
 						SecretName: certSecretName,
@@ -126,7 +128,7 @@ func configureReceiversTLS(dep *v1.Deployment, caSecretName, certSecretName stri
 	secretCertContainerSpec := corev1.Container{
 		VolumeMounts: []corev1.VolumeMount{
 			{
-				Name:      certSecretName,
+				Name:      secretVolumeName,
 				ReadOnly:  true,
 				MountPath: manifestutils.ReceiverTLSCertDir,
 			},

diff --git a/internal/manifests/manifestutils/tls.go b/internal/manifests/manifestutils/tls.go
@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 
 	"github.com/grafana/tempo-operator/apis/tempo/v1alpha1"
+	"github.com/grafana/tempo-operator/internal/manifests/naming"
 )
 
 // MountCAConfigMap mounts the CA ConfigMap in a pod.
@@ -22,15 +23,17 @@ func MountCAConfigMap(
 		return err
 	}
 
+	volumeName := naming.DNSName(caConfigMap)
+
 	pod.Containers[containerIdx].VolumeMounts = append(pod.Containers[containerIdx].VolumeMounts, corev1.VolumeMount{
-		Name:      caConfigMap,
+		Name:      volumeName,
 		MountPath: caDir,
 		ReadOnly:  true,
 	})
 
-	if !containsVolume(pod, caConfigMap) {
+	if !containsVolume(pod, volumeName) {
 		pod.Volumes = append(pod.Volumes, corev1.Volume{
-			Name: caConfigMap,
+			Name: volumeName,
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					LocalObjectReference: corev1.LocalObjectReference{
@@ -56,15 +59,17 @@ func MountCertSecret(
 		return err
 	}
 
+	volumeName := naming.DNSName(certSecret)
+
 	pod.Containers[containerIdx].VolumeMounts = append(pod.Containers[containerIdx].VolumeMounts, corev1.VolumeMount{
-		Name:      certSecret,
+		Name:      volumeName,
 		MountPath: certDir,
 		ReadOnly:  true,
 	})
 
-	if !containsVolume(pod, certSecret) {
+	if !containsVolume(pod, volumeName) {
 		pod.Volumes = append(pod.Volumes, corev1.Volume{
-			Name: certSecret,
+			Name: volumeName,
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName: certSecret,