NETOBSERV-396: Flp prom tls #158
Conversation
maximum: 65535 | ||
minimum: 1 | ||
type: integer | ||
tlsType: |
What's the difference between tlsType: DISABLED and enable: false?
Thanks, I changed it and manualTls only contains the cert configuration now.
api/v1alpha1/flowcollector_types.go
Outdated
|
||
// TLS configuration. | ||
// +optional | ||
ManualTLS ClientTLS `json:"manualTls"` |
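Review bot: `ManualTLS ClientTLS `json:"manualTls"`` is marked `+optional` but is a non-pointer struct with no `omitempty`, so the zero value is always serialized and "unset" cannot be told apart from "set to defaults"; make it a pointer with `omitempty`. Since this block configures a listener and not a client, the client-only settings that come with ClientTLS (the `enable` and `insecureSkipVerify` fields raised in this thread) do not belong here; a dedicated server-side struct is the cleaner fix.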
Maybe we should not reuse ClientTLS here, and create a new struct; I believe it is not 100% relevant when used to configure TLS on the server side (or at least it should be renamed).
As @jpinsonneau pointed out, the ClientTLS.enable setting can be confusing as we have TLSType here. Also I believe InsecureSkipVerify is not relevant on the server side?
Yes, after Julien's comment, I changed the code to use CertificateReference instead of ClientTLS.
api/v1alpha1/flowcollector_types.go
Outdated
@@ -201,6 +201,37 @@ type FlowCollectorKafka struct { | |||
TLS ClientTLS `json:"tls"` | |||
} | |||
|
|||
const ( | |||
PrometheusTLSDiasbled = "DISABLED" |
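Review bot: the exported constant `PrometheusTLSDiasbled = "DISABLED"` is misspelled; fix it before merge, since renaming an exported identifier later churns every caller. Consider declaring these values on a named string type (for example `type PrometheusTLSType string`) so the CRD field, the enum marker and the constants share one type and a stray value is caught at compile time rather than in review.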
nit: typo "Disabled"
Fixed, thanks
@@ -508,6 +539,48 @@ func (b *builder) service(old *corev1.Service) *corev1.Service { | |||
return newService | |||
} | |||
|
|||
func (b *builder) promService(old *corev1.Service) *corev1.Service { |
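Review bot: `promService(old *corev1.Service)` repeats the create-or-update branching of `service(old *corev1.Service)` directly above, which exists only to carry immutable fields such as clusterIP over from the existing object; factor that "preserve immutable fields from old" step into one helper used by both builders so the two services cannot drift in how they handle an update.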
I already didn't like much this pattern of "if service doesn't exist do ... else do ..." (I blame myself for that), now it spreads in the code, it's ok for this PR but at some point I'd like to see if we can have something more concise | readable | elegant ...
I agree, but as your comment states, this comes from the immutable cluster IP field in the service.
I am curious to know how the kubectl CLI works when updating a service. Does it first check the existing service and enrich the new one? This would be strange since it adds a lot of service-specific code to kubectl.
I'm not sure either
197dd66 to 12ea196
api/v1alpha1/flowcollector_types.go
Outdated
// Select the type of TLS configuration | ||
// "DISABLED" (default) to not configure TLS for the endpoint, "MANUAL" to manually provide cert file and a key file, | ||
// and "AUTO" to use Openshift auto generated certificate using annotations | ||
// +unionDiscriminator |
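Review bot: the doc comment calls "DISABLED" the default, but the visible markers stop at `+unionDiscriminator` with no `+kubebuilder:default`, so the default is documented rather than enforced by the CRD schema; add the default marker (or state in the comment where the default is applied in code) so an object that omits tlsType is handled unambiguously. Also "Openshift" should read "OpenShift".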
cc @mariomac is that how unionDiscriminator works? Looking at your PR, I would think that the enum values need to match the discriminated field names; in other words, here, the enum for MANUAL would have to be ManualTLS?
Or is this pure coincidence in your code (with IPFIX/EBPF) and it is not required?
PS I couldn't find any doc about this unionDiscriminator annotation, do you have a link?
According to the documentation here: "Discriminant values should be PascalCase and should be equivalent to the camelCase field name (json tag) of one member of the union."
So having the enum and the field name matching is a recommendation; I will change the name here.
Yeah, in the PR @jotak mentions, it is done differently, following the suggestion of an API review comment, but double-checking the documentation examples, it seems the correct way is the way Olivier did it.
Mostly LGTM. Just a few comments open for discussion.
api/v1alpha1/flowcollector_types.go
Outdated
|
||
// TLS configuration. | ||
// +optional | ||
Manual *CertificateReference `json:"manual"` |
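Review bot: `Manual *CertificateReference `json:"manual"`` is `+optional` but its json tag lacks `omitempty`, so a nil pointer is serialized as `"manual": null`; add `omitempty`. This member is selected by the MANUAL discriminator value, so also define what happens when tlsType is MANUAL and manual is nil, either through validation or an explicit error in the reconciler, rather than letting it surface as a nil dereference.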
I'd change manual to certificate.
According to the recommendation, this field name should match the name in the enum discriminator.
I will also set it to provided to match your other comment.
Could CERTIFICATE be a valid option for the tls type field instead of MANUAL or PROVIDED?
I think having only CERTIFICATE would be a bit ambiguous since AUTO mode also uses certificates; it is just that they are generated and not provided by the user.
api/v1alpha1/flowcollector_types.go
Outdated
// "DISABLED" (default) to not configure TLS for the endpoint, "MANUAL" to manually provide cert file and a key file, | ||
// and "AUTO" to use Openshift auto generated certificate using annotations | ||
// +unionDiscriminator | ||
// +kubebuilder:validation:Enum:="DISABLED";"MANUAL";"AUTO" |
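Review bot: the enum values `"DISABLED";"MANUAL";"AUTO"` are upper case, while the union-discriminator convention quoted in this thread wants PascalCase values equal to the member's camelCase json tag (Manual for `manual`); if upper case is kept to match the existing IPFIX/EBPF style, record that decision in the comment so the next API review does not reopen it. The doc comment above still describes MANUAL as "manually provide cert file and a key file", so if the value is renamed to PROVIDED, update the comment and the Go constants in the same change.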
I'd change MANUAL to PROVIDED.
Changed, thanks!
@@ -510,6 +540,48 @@ func (b *builder) service(old *corev1.Service) *corev1.Service { | |||
return newService | |||
} | |||
|
|||
func (b *builder) promService(old *corev1.Service) *corev1.Service { | |||
if old == nil { |
I see that later, the promService method is invoked with a non-nil object and also explicitly with nil.
Could this method be explicitly divided into two? e.g.:
func (b *builder) newPromService() *corev1.Service
func (b *builder) updatedPromService(old *corev1.Service) *corev1.Service
@@ -123,8 +126,8 @@ func (r *FLPReconciler) GetServiceName(kafka *flowsv1alpha1.FlowCollectorKafka) | |||
} | |||
|
|||
func (r *FLPReconciler) Reconcile(ctx context.Context, desired *flowsv1alpha1.FlowCollector) error { | |||
for _, singleFlp := range r.singleReconcilers { | |||
err := singleFlp.Reconcile(ctx, desired) | |||
for i := 0; i < len(r.singleReconcilers); i++ { |
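Review bot: replacing `for _, singleFlp := range r.singleReconcilers` with an index loop implies the slice holds values rather than pointers and that state mutated inside Reconcile was being lost on the range copy; if that is the reason, say so in a comment or make the slice hold pointers, so that the range form (or `for i := range r.singleReconcilers`) is safe and the intent is obvious. If the elements were already pointers, the change is unnecessary.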
Maybe it's more "idiomatic": for i := range r.singleReconcilers, but do it as you prefer.
Yes, thanks
/lgtm
Tested with this ServiceMonitor (in "AUTO" mode):
Prom config in CR:
Two remarks:
Quick update: I'm trying with this ServiceMonitor and it doesn't work, I don't know why:
Whereas this works:
oc exec -n openshift-monitoring prometheus-k8s-0 -- curl https://flowlogs-pipeline-prom.network-observability.svc:9102/metrics --cacert /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
Which I believe should be an equivalent call...
The CA cert file was already present in the prometheus pod?
Yeah I expected the curl command would fail, but it worked :)

    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      interval: 30s
      port: metrics
      scheme: https
      tlsConfig:
        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
        serverName: ovn-kubernetes-node.openshift-ovn-kubernetes.svc

They all use the same
/ok-to-test
New image: ["quay.io/netobserv/network-observability-operator:0785789"]. It will expire after two weeks.
I got the service monitor working with this config:
My understanding is that user workload metrics are handled by different pods in a different namespace. Contrary to the openshift monitoring pod, the CA cert may not already be there.
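The scrape path discussed in the last few comments, as an added Go example that is neither the operator's nor flowlogs-pipeline's code: an in-memory stand-in for the OpenShift service CA issues a serving certificate for the FLP metrics Service name quoted in the curl command above (that name, the `issue`/`servicePKI`/`scrape`/`demo` helpers and the `flp_metrics_up` sample line are all assumptions of this example), an httptest listener serves it with a server-side TLS config that needs only cert, key and a version floor, and two scrapes follow: one trusting the issuing CA, which is the prometheus-k8s-0 case where the service-ca bundle was already mounted, and one with an empty CA pool, which is the user-workload case without that bundle and fails with the x509 unknown-authority error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed service DNS name, taken from the curl target quoted in the thread.
const metricsServerName = "flowlogs-pipeline-prom.network-observability.svc"

// issue generates a P-256 key and signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// servicePKI stands in for the service CA: a throwaway CA plus the serving cert it would issue for
// dnsName (both constructed for this example, not real cluster material).
func servicePKI(dnsName string) (*x509.Certificate, tls.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "service-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return ca, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf}, nil
}

// scrape does one GET the way a ServiceMonitor endpoint with tlsConfig.caFile and serverName would:
// the CA pool and the expected name are the only trust inputs, nothing is skipped.
func scrape(url string, caPool *x509.CertPool, serverName string) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: caPool, ServerName: serverName, MinVersion: tls.VersionTLS12}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo serves a constructed /metrics page over TLS and scrapes it twice: with the issuing CA (what
// prometheus-k8s-0 had mounted) and with an empty CA pool (a scraper that lacks the service CA bundle).
// It returns the body of the first scrape and whether the second failed with "unknown authority".
func demo() (string, bool, error) {
	ca, leaf, err := servicePKI(metricsServerName)
	if err != nil {
		return "", false, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "flp_metrics_up 1") // constructed sample metric, not real FLP output
	}))
	// The listener needs only a cert, a key and a version floor; InsecureSkipVerify has no meaning here.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	body, err := scrape(srv.URL+"/metrics", pool, metricsServerName)
	if err != nil {
		return "", false, err
	}
	_, noCAErr := scrape(srv.URL+"/metrics", x509.NewCertPool(), metricsServerName)
	var unknownAuthority x509.UnknownAuthorityError
	return body, errors.As(noCAErr, &unknownAuthority), nil
}

func main() {
	fmt.Println(demo())
}
```

The second scrape is the failure mode from the thread: the server side is fine, the client simply has no CA that chains to the serving certificate, so the fix is on the scraper (get the service CA bundle to it), not on the endpoint, and never InsecureSkipVerify.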
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: OlivierCazade
Adding TLS to the FLP prometheus configuration.
This provides two options:
Breaking change: spec.flowlogsPipeline.prometheusPort is now spec.flowlogsPipeline.prometheus.port