NETOBSERV-396: Flp prom tls #158
Conversation
| maximum: 65535 | ||
| minimum: 1 | ||
| type: integer | ||
| tlsType: |
There was a problem hiding this comment.
What's the difference between tlsType: DISABLED and enable: false ?
There was a problem hiding this comment.
Thanks, I changed it and manualtls only contain cert configuration now.
api/v1alpha1/flowcollector_types.go
Outdated
|
|
||
| // TLS configuration. | ||
| // +optional | ||
| ManualTLS ClientTLS `json:"manualTls"` |
There was a problem hiding this comment.
Maybe we should not reuse ClientTLS here, and create a new struct, I believe it is not 100% relevant when used to configure tls on server side (or at least it should be renamed).
As @jpinsonneau pointed, ClientTLS.enable setting can be confusing as we have TLSType here. Also I believe InsecureSkipVerify is not relevant on server side?
There was a problem hiding this comment.
Yes, after Julien comment, I changed the code to use CertificateReference instead of ClientTLS
api/v1alpha1/flowcollector_types.go
Outdated
| @@ -201,6 +201,37 @@ type FlowCollectorKafka struct { | |||
| TLS ClientTLS `json:"tls"` | |||
| } | |||
|
|
|||
| const ( | |||
| PrometheusTLSDiasbled = "DISABLED" | |||
| @@ -508,6 +539,48 @@ func (b *builder) service(old *corev1.Service) *corev1.Service { | |||
| return newService | |||
| } | |||
|
|
|||
| func (b *builder) promService(old *corev1.Service) *corev1.Service { | |||
There was a problem hiding this comment.
I already didn't like much this pattern of "if service doesn't exist do ... else do ..." (I blame myself for that), now it spreads in the code, it's ok for this PR but at some point I'd like to see if we can have something more concise | readable | elegant ...
There was a problem hiding this comment.
I agree, but as your comment state this come from the immutable cluster ip field in the service.
I am curious to know how the kubectl cli works when updating a service. Does it first check existing service and enrich the new one? This would be strange since it add a lot of service specific code to kubectl.
OlivierCazade
force-pushed
the
flp-prom-tls
branch
from
197dd66
to
12ea196
Compare
api/v1alpha1/flowcollector_types.go
Outdated
| // Select the type of TLS configuration | ||
| // "DISABLED" (default) to not configure TLS for the endpoint, "MANUAL" to manually provide cert file and a key file, | ||
| // and "AUTO" to use Openshift auto generated certificate using annotations | ||
| // +unionDiscriminator |
There was a problem hiding this comment.
cc @mariomac is that how unionDiscriminator works? Looking at your PR, I would think that the enum values need to match the discriminated field names; in other words, here, the enum for MANUAL would have to be ManualTLS ?
or this is pure coincidence in your code (with IPFIX/EBPF) and it is not required?
There was a problem hiding this comment.
PS I could find any doc about this unionDiscriminator annotation, do you have a link?
There was a problem hiding this comment.
According to the documentation here
Discriminant values should be PascalCase and should be equivalent to the camelCase field name (json tag) of one member of the union
So having the enum and the field name matching is a recommendation, I will change the name here.
There was a problem hiding this comment.
yeah, in the PR @jotak mention, it is done different, following the suggestion of an API review comment, but double-checking the documentation examples, it seems the correct way is the way Olivier did.
api/v1alpha1/flowcollector_types.go
Outdated
|
|
||
| // TLS configuration. | ||
| // +optional | ||
| Manual *CertificateReference `json:"manual"` |
There was a problem hiding this comment.
I'd change manual by certificate
There was a problem hiding this comment.
According to the recommendation this field name should match with the name in the enum discriminator.
I will also set it to provided to match your other comment.
There was a problem hiding this comment.
could it be CERTIFICATE is a valid option for the tls type field instead of MANUAL or PROVIDED?
There was a problem hiding this comment.
I think having only CERTIFICATE would be a bit ambiguous since AUTO mode also use certificate, it is just that they are generated and not provided by the user.
api/v1alpha1/flowcollector_types.go
Outdated
| // "DISABLED" (default) to not configure TLS for the endpoint, "MANUAL" to manually provide cert file and a key file, | ||
| // and "AUTO" to use Openshift auto generated certificate using annotations | ||
| // +unionDiscriminator | ||
| // +kubebuilder:validation:Enum:="DISABLED";"MANUAL";"AUTO" |
There was a problem hiding this comment.
I'd change MANUAL by PROVIDED
There was a problem hiding this comment.
Changed, thanks!
| @@ -510,6 +540,48 @@ func (b *builder) service(old *corev1.Service) *corev1.Service { | |||
| return newService | |||
| } | |||
|
|
|||
| func (b *builder) promService(old *corev1.Service) *corev1.Service { | |||
| if old == nil { | |||
There was a problem hiding this comment.
I see that later, promService method is invoked with a non-nil object and also explicitly nil.
Could be this method explicitly divided into two? e.g.:
func (b *builder) newPromService() *corev1.Service
func (b *builder) updatedPromService(old *corev1.Service) *corev1.Service
| @@ -123,8 +126,8 @@ func (r *FLPReconciler) GetServiceName(kafka *flowsv1alpha1.FlowCollectorKafka) | |||
| } | |||
|
|
|||
| func (r *FLPReconciler) Reconcile(ctx context.Context, desired *flowsv1alpha1.FlowCollector) error { | |||
| for _, singleFlp := range r.singleReconcilers { | |||
| err := singleFlp.Reconcile(ctx, desired) | |||
| for i := 0; i < len(r.singleReconcilers); i++ { | |||
There was a problem hiding this comment.
Maybe it's more "idiomatic":
for i := range r.singleReconcilersbut do it as you prefer.
|
/lgtm Tested with this ServiceMonitor (in "AUTO" mode) : Prom config in CR: Two remarks:
|
|
Quick update: I'm trying with this ServiceMonitor and it doesn't work, I don't know why: Whereas this works: oc exec -n openshift-monitoring prometheus-k8s-0 -- curl https://flowlogs-pipeline-prom.network-observability.svc:9102/metrics --cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crtWhich I believe should be an equivalent call... |
|
The CA cert file was already present in the prometheus pod? |
|
Yeah I expected the curl command would fail, but it worked :) - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
port: metrics
scheme: https
tlsConfig:
caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
serverName: ovn-kubernetes-node.openshift-ovn-kubernetes.svcThey all use the same |
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New image: ["quay.io/netobserv/network-observability-operator:0785789"]. It will expire after two weeks. |
|
I got the service monitor working with this config: My understanding is that user workload metrics are handled by different pods in a different namespace. The contrary to the openshift monitoring pod the ca cert may not be already there. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: OlivierCazade The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jotak
added
the
breaking-change
Adding TLS to the FLP prometheus configuration.
This provide two options:
Breaking change:
spec.flowlogsPipeline.prometheusPortis nowspec.flowlogsPipeline.prometheus.port