From fe50566dabf5506e2d32ac8e18aae05b7ef451f9 Mon Sep 17 00:00:00 2001 From: Jaromir Wysoglad Date: Fri, 15 Mar 2024 08:23:08 -0400 Subject: [PATCH] [tlse] TLS for telemetry ceilometer, metricstorage --- ....openstack.org_openstackcontrolplanes.yaml | 249 +++++++++++++++++- .../v1beta1/openstackcontrolplane_types.go | 14 +- apis/core/v1beta1/zz_generated.deepcopy.go | 4 +- apis/go.mod | 23 +- apis/go.sum | 8 +- ....openstack.org_openstackcontrolplanes.yaml | 249 +++++++++++++++++- config/rbac/role.yaml | 8 + .../client/openstackclient_controller.go | 45 ++++ go.mod | 4 +- go.sum | 8 +- pkg/openstack/barbican.go | 2 +- pkg/openstack/telemetry.go | 126 ++++++++- pkg/openstackclient/funcs.go | 10 + 13 files changed, 698 insertions(+), 52 deletions(-) diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml index a04f53839..6e57c1217 100644 --- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml 
@@ -15309,7 +15309,113 @@ spec: type: object telemetry: properties: - apiOverride: + alertmanagerOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object + aodhApiOverride: properties: route: properties: 
@@ -15418,6 +15524,112 @@ spec: enabled: default: true type: boolean + prometheusOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object template: properties: autoscaling: 
@@ -15429,11 +15641,11 @@ spec: customServiceConfig: default: '# add your customization here' type: string - databaseInstance: - type: string - databaseUser: + databaseAccount: default: aodh type: string + databaseInstance: + type: string defaultConfigOverwrite: additionalProperties: type: string @@ -15505,14 +15717,10 @@ spec: passwordSelector: default: aodhService: AodhPassword - database: AodhDatabasePassword properties: aodhService: default: AodhPassword type: string - database: - default: AodhDatabasePassword - type: string service: default: CeilometerPassword type: string @@ -15568,6 +15776,8 @@ spec: maximum: 65535 minimum: 1 type: integer + prometheusTLS: + type: boolean required: - heatInstance type: object @@ -15602,13 +15812,12 @@ spec: aodhService: default: AodhPassword type: string - database: - default: AodhDatabasePassword - type: string service: default: CeilometerPassword type: string type: object + proxyImage: + type: string rabbitMqClusterName: default: rabbitmq type: string @@ -15619,11 +15828,19 @@ spec: type: string sgCoreImage: type: string + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object required: - centralImage - computeImage - ipmiImage - notificationImage + - proxyImage - secret - sgCoreImage type: object @@ -16217,6 +16434,9 @@ spec: alertingEnabled: default: true type: boolean + dashboardsEnabled: + default: false + type: boolean dataplaneNetwork: default: ctlplane pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$ @@ -16275,6 +16495,13 @@ spec: required: - dataplaneNetwork type: object + prometheusTls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object type: object type: object diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go index 4b164ac70..b6d59c3d2 100644 --- a/apis/core/v1beta1/openstackcontrolplane_types.go +++ b/apis/core/v1beta1/openstackcontrolplane_types.go 
@@ -622,8 +622,18 @@ type TelemetrySection struct { // +kubebuilder:validation:Optional // +operator-sdk:csv:customresourcedefinitions:type=spec - // APIOverride, provides the ability to override the generated manifest of several child resources. - APIOverride Override `json:"apiOverride,omitempty"` + // AodhAPIOverride, provides the ability to override the generated manifest of several child resources. + AodhAPIOverride Override `json:"aodhApiOverride,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // PrometheusOverride, provides the ability to override the generated manifest of several child resources. + PrometheusOverride Override `json:"prometheusOverride,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // AlertmanagerOverride, provides the ability to override the generated manifest of several child resources. + AlertmanagerOverride Override `json:"alertmanagerOverride,omitempty"` } // SwiftSection defines the desired state of Swift service diff --git a/apis/core/v1beta1/zz_generated.deepcopy.go b/apis/core/v1beta1/zz_generated.deepcopy.go index 65db32f17..5a973122c 100644 --- a/apis/core/v1beta1/zz_generated.deepcopy.go +++ b/apis/core/v1beta1/zz_generated.deepcopy.go @@ -843,7 +843,9 @@ func (in *TLSStatus) DeepCopy() *TLSStatus { func (in *TelemetrySection) DeepCopyInto(out *TelemetrySection) { *out = *in in.Template.DeepCopyInto(&out.Template) - in.APIOverride.DeepCopyInto(&out.APIOverride) + in.AodhAPIOverride.DeepCopyInto(&out.AodhAPIOverride) + in.PrometheusOverride.DeepCopyInto(&out.PrometheusOverride) + in.AlertmanagerOverride.DeepCopyInto(&out.AlertmanagerOverride) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemetrySection. diff --git a/apis/go.mod b/apis/go.mod index 047d6a23f..dd8beb44a 100644 --- a/apis/go.mod +++ b/apis/go.mod 
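Review bot: Renaming the field tag from `apiOverride` to `aodhApiOverride` is a breaking change for OpenStackControlPlane objects already stored in a cluster: the apiserver prunes fields that are no longer in the CRD schema, so an existing `telemetry.apiOverride` (including any Route TLS termination or certificate settings an operator put there) is silently dropped rather than carried over, and nothing in this patch migrates it. If that is not intended, keep the old field next to the new one, `APIOverride Override `+"`"+`json:"apiOverride,omitempty"`+"`"+`` with a `// Deprecated: use AodhAPIOverride instead.` line above it, and copy it into AodhAPIOverride when it is set. The three new doc comments are identical copy-paste; per the CRD schema each Override carries a Route spec and a TLS secret name, so say which child each applies to, e.g. `// AodhAPIOverride overrides the generated Route and TLS secret of the Aodh API.` TelemetrySection begins outside the hunk.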
@@ -3,6 +3,10 @@ module github.com/openstack-k8s-operators/openstack-operator/apis go 1.20 require ( + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect + github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect github.com/onsi/ginkgo/v2 v2.16.0 github.com/onsi/gomega v1.31.1 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240310115941-5124bc86e50e @@ -24,13 +28,18 @@ require ( github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240318052728-f132fab5c943 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240313145348-1dd69c7bc338 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d - github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 + github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b github.com/rabbitmq/cluster-operator/v2 v2.6.0 + github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.64.1-rhobs3 // indirect + github.com/rhobs/observability-operator v0.0.20 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect + golang.org/x/tools v0.18.0 // indirect k8s.io/api v0.28.8 k8s.io/apimachinery v0.28.8 k8s.io/client-go v0.28.8 sigs.k8s.io/controller-runtime v0.16.5 - ) require ( 
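Review bot: The direct `require` block of apis/go.mod now carries ten `// indirect` entries (go-logr/zapr, slim-sprig, gnostic-models, pprof, obo-prometheus-operator, observability-operator, multierr, zap, x/exp, x/tools) that the next hunk removes from the indirect block; `go mod tidy` keeps indirect requirements in their own block, so the next tidy will move them back and churn this file again. Running `go mod tidy` in apis/ before committing restores the grouping while keeping the version bumps. gnostic-models also moves from the v0.6.8 tag to the pseudo-version `v0.6.9-0.20230804172637-c7be7c783f49`; presumably pulled in by the telemetry-operator bump, but an untagged commit is worth confirming as intentional since it is harder to track against upstream releases.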
@@ -41,18 +50,14 @@ require ( github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-logr/logr v1.4.1 // indirect - github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect github.com/go-openapi/swag v0.22.9 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gophercloud/gophercloud v1.11.0 // indirect github.com/imdario/mergo v0.3.16 // indirect @@ -69,20 +74,14 @@ require ( github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/common v0.46.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect - github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.64.1-rhobs3 // indirect - github.com/rhobs/observability-operator v0.0.20 // indirect github.com/robfig/cron/v3 v3.0.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect golang.org/x/net v0.21.0 // indirect golang.org/x/oauth2 v0.16.0 // indirect golang.org/x/sys v0.18.0 // indirect golang.org/x/term v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.18.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/appengine v1.6.8 // indirect google.golang.org/protobuf v1.33.0 // indirect 
diff --git a/apis/go.sum b/apis/go.sum index 9993814a8..2c02818ec 100644 --- a/apis/go.sum +++ b/apis/go.sum @@ -33,8 +33,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= -github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= +github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 
@@ -113,8 +113,8 @@ github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.2024031314534 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240313145348-1dd69c7bc338/go.mod h1:i7bl0Vg4iyaOR4GCfduMWq0V9k5h9ltKDnx0hZg1JDE= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d h1:O4nJMsX3pS3X3CUw7/wjgJXoTIPA68pJowA1CfQP6IM= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d/go.mod h1:/7+Ld3BHb9RDaHhXKEtCiWQmhVwpRLVeLutZxyHRPpM= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 h1:YYeHx9q2/ohmCwezfdw+qDJywpSZVgo9Ud24Oyie2J4= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b h1:/+tzjO+2Zsw4dctl0LwdoFTAEe8E2uWEheG292GSito= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b/go.mod h1:y8v2Hv01KPkUIxZf6tCn3TWu7vNjmG65tvAMJFkKG6E= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index a04f53839..6e57c1217 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml 
@@ -15309,7 +15309,113 @@ spec: type: object telemetry: properties: - apiOverride: + alertmanagerOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object + aodhApiOverride: properties: route: properties: 
@@ -15418,6 +15524,112 @@ spec: enabled: default: true type: boolean + prometheusOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object template: properties: autoscaling: 
@@ -15429,11 +15641,11 @@ spec: customServiceConfig: default: '# add your customization here' type: string - databaseInstance: - type: string - databaseUser: + databaseAccount: default: aodh type: string + databaseInstance: + type: string defaultConfigOverwrite: additionalProperties: type: string @@ -15505,14 +15717,10 @@ spec: passwordSelector: default: aodhService: AodhPassword - database: AodhDatabasePassword properties: aodhService: default: AodhPassword type: string - database: - default: AodhDatabasePassword - type: string service: default: CeilometerPassword type: string @@ -15568,6 +15776,8 @@ spec: maximum: 65535 minimum: 1 type: integer + prometheusTLS: + type: boolean required: - heatInstance type: object @@ -15602,13 +15812,12 @@ spec: aodhService: default: AodhPassword type: string - database: - default: AodhDatabasePassword - type: string service: default: CeilometerPassword type: string type: object + proxyImage: + type: string rabbitMqClusterName: default: rabbitmq type: string @@ -15619,11 +15828,19 @@ spec: type: string sgCoreImage: type: string + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object required: - centralImage - computeImage - ipmiImage - notificationImage + - proxyImage - secret - sgCoreImage type: object @@ -16217,6 +16434,9 @@ spec: alertingEnabled: default: true type: boolean + dashboardsEnabled: + default: false + type: boolean dataplaneNetwork: default: ctlplane pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$ @@ -16275,6 +16495,13 @@ spec: required: - dataplaneNetwork type: object + prometheusTls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object type: object type: object diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 0d9a9956c..349f26dab 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -442,6 +442,14 @@ rules: - patch - update - watch +- apiGroups: + - telemetry.openstack.org + resources: + - metricstorages + verbs: + - get + - list + - watch - apiGroups: - telemetry.openstack.org resources: diff --git a/controllers/client/openstackclient_controller.go b/controllers/client/openstackclient_controller.go index 8c9877b58..0693cd52d 100644 --- a/controllers/client/openstackclient_controller.go +++ b/controllers/client/openstackclient_controller.go @@ -49,6 +49,7 @@ import ( helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper" common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac" "github.com/openstack-k8s-operators/lib-common/modules/common/tls" + telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1" "github.com/openstack-k8s-operators/lib-common/modules/common/secret" "github.com/openstack-k8s-operators/lib-common/modules/common/util" @@ -72,6 +73,7 @@ func (r *OpenStackClientReconciler) GetLogger(ctx context.Context) logr.Logger { //+kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients/status,verbs=get;update;patch //+kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients/finalizers,verbs=update //+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch +//+kubebuilder:rbac:groups=telemetry.openstack.org,resources=metricstorages,verbs=get;list;watch //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch; //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch; // service account, role, rolebinding 
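Review bot: The new `telemetryv1` import in openstackclient_controller.go is placed inside the lib-common group, between `.../common/tls` and `.../common/secret`; the telemetry-operator API is a different module and, going by the `clientv1` alias used in SetupWithManager, the file already has a group for operator API packages where goimports would keep it sorted. Moving the line there is cosmetic, but it avoids the first `goimports` run reordering this hunk. The matching `+kubebuilder:rbac` marker and the generated role.yaml rule grant only get/list/watch on metricstorages, which is all the new Reconcile code needs.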
@@ -275,6 +277,15 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 configVars[instance.Spec.CaBundleSecretName] = env.SetValue(secretHash)
 }
 
+ metricStorage := &telemetryv1.MetricStorage{}
+ err = helper.GetClient().Get(ctx, client.ObjectKey{
+ Namespace: instance.Namespace,
+ Name: telemetryv1.DefaultServiceName,
+ }, metricStorage)
+ if err == nil {
+ configVars["PrometheusTls"] = env.SetValue(fmt.Sprint(metricStorage.Spec.PrometheusTLS.Enabled()))
+ }
+
 configVarsHash, err := util.HashOfInputHashes(configVars)
 if err != nil {
 return ctrl.Result{}, err
@@ -453,6 +464,33 @@ func (r *OpenStackClientReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return err
 }
 
+ Log := r.GetLogger(context.Background())
+ metricStorageFn := func(ctx context.Context, o client.Object) []reconcile.Request {
+ result := []reconcile.Request{}
+
+ // get all openstackclient CRs
+ openstackclients := &clientv1.OpenStackClientList{}
+ listOpts := []client.ListOption{
+ client.InNamespace(o.GetNamespace()),
+ }
+ if err := r.Client.List(context.Background(), openstackclients, listOpts...); err != nil {
+ Log.Error(err, "Unable to retrieve OpenstackClient CRs %v")
+ return nil
+ }
+ for _, cr := range openstackclients.Items {
+ name := client.ObjectKey{
+ Namespace: o.GetNamespace(),
+ Name: cr.Name,
+ }
+ Log.Info(fmt.Sprintf("OpenStackClient %s will be reconciled, because a MetricStorage %s changed", cr.Name, o.GetName()))
+ result = append(result, reconcile.Request{NamespacedName: name})
+ }
+ if len(result) > 0 {
+ return result
+ }
+ return nil
+ }
+
 return ctrl.NewControllerManagedBy(mgr).
 For(&clientv1.OpenStackClient{}).
 Owns(&corev1.Pod{}).
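Review bot: The `if err == nil` after the MetricStorage Get in Reconcile treats every failure as "no MetricStorage": an RBAC denial or a transient apiserver error leaves `PrometheusTls` out of configVars, so the client ends up configured as if Prometheus TLS were off, and once the error clears the input hash changes and the pod is presumably rebuilt. Only NotFound should be tolerated; add `if err != nil && !apierrors.IsNotFound(err) { return ctrl.Result{}, err }` before the existing `if err == nil {` block (apierrors being k8s.io/apimachinery/pkg/api/errors, if the file does not already alias it). Reconcile starts and ends outside the hunk.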
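Review bot: `Log.Error(err, "Unable to retrieve OpenstackClient CRs %v")` in metricStorageFn passes a format verb to a logr message that is never formatted, so the literal `%v` lands in the log line; drop it, e.g. `Log.Error(err, "Unable to retrieve OpenStackClient CRs")`. The closure also ignores the `ctx` it is handed and lists with `context.Background()`, while `Log` is derived once from `context.Background()` at setup time; using the closure's own ctx for both (`r.Client.List(ctx, openstackclients, listOpts...)` and a `Log := r.GetLogger(ctx)` inside the closure) keeps the List cancellable and the log context per event. Since Reconcile only reads the MetricStorage named `telemetryv1.DefaultServiceName`, the mapper could return early for any other name, `if o.GetName() != telemetryv1.DefaultServiceName { return nil }`, instead of re-enqueueing every OpenStackClient in the namespace. SetupWithManager starts and ends outside the hunk.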
@@ -474,6 +512,13 @@ func (r *OpenStackClientReconciler) SetupWithManager(mgr ctrl.Manager) error {
 handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
 builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 ).
+ Watches(
+ // Reconcile all openstackclients when a MetricStorage changes.
+ // This is needed to ensure the observability client is
+ // configured correctly when tls is enabled or disabled.
+ &telemetryv1.MetricStorage{},
+ handler.EnqueueRequestsFromMapFunc(metricStorageFn),
+ ).
 Complete(r)
 }
 
diff --git a/go.mod b/go.mod
index b5b462292..db0a5e1d2 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240318052728-f132fab5c943
 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240313145348-1dd69c7bc338
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d
- github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961
+ github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b
 github.com/operator-framework/api v0.20.0
 github.com/rabbitmq/cluster-operator/v2 v2.6.0
 go.uber.org/zap v1.27.0
@@ -63,7 +63,7 @@ require (
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.4 // indirect
- github.com/google/gnostic-models v0.6.8 // indirect
+ github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
diff --git a/go.sum b/go.sum
index 6ac2a1f52..e794f5668 100644
--- a/go.sum
+++ b/go.sum
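Review bot: The new `Watches` on `&telemetryv1.MetricStorage{}` carries no predicate, while the `Watches` just above it in the chain applies `builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})`; as written, every status write to the MetricStorage re-enqueues every OpenStackClient in the namespace. Because Reconcile consumes only `Spec.PrometheusTLS`, adding `builder.WithPredicates(predicate.GenerationChangedPredicate{})` as a third argument limits this to spec changes, and `builder` and `predicate` are already in scope here. The comment inside the call could also name what is consumed, e.g. `// Reconcile all openstackclients when a MetricStorage changes, since Spec.PrometheusTLS feeds the client config hash.` SetupWithManager starts outside the hunk.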
@@ -39,8 +39,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= -github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= +github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 
@@ -135,8 +135,8 @@ github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.2024031314534 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240313145348-1dd69c7bc338/go.mod h1:i7bl0Vg4iyaOR4GCfduMWq0V9k5h9ltKDnx0hZg1JDE= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d h1:O4nJMsX3pS3X3CUw7/wjgJXoTIPA68pJowA1CfQP6IM= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240315154317-8b38ff1e6a8d/go.mod h1:/7+Ld3BHb9RDaHhXKEtCiWQmhVwpRLVeLutZxyHRPpM= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 h1:YYeHx9q2/ohmCwezfdw+qDJywpSZVgo9Ud24Oyie2J4= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b h1:/+tzjO+2Zsw4dctl0LwdoFTAEe8E2uWEheG292GSito= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240320060823-d7b27511017b/go.mod h1:y8v2Hv01KPkUIxZf6tCn3TWu7vNjmG65tvAMJFkKG6E= github.com/operator-framework/api v0.20.0 h1:A2YCRhr+6s0k3pRJacnwjh1Ue8BqjIGuQ2jvPg9XCB4= github.com/operator-framework/api v0.20.0/go.mod h1:rXPOhrQ6mMeXqCmpDgt1ALoar9ZlHL+Iy5qut9R99a4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= diff --git a/pkg/openstack/barbican.go b/pkg/openstack/barbican.go index c5bf4a558..a41062dac 100644 --- a/pkg/openstack/barbican.go +++ b/pkg/openstack/barbican.go 
@@ -99,7 +99,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), barbican, func() error { instance.Spec.Barbican.Template.DeepCopyInto(&barbican.Spec) - // FIXME: barbican webhooks are not setting this correctly yet + // FIXME: barbican webhooks are not setting this correctly yet if barbican.Spec.DatabaseAccount == "" { barbican.Spec.DatabaseAccount = "barbican" } diff --git a/pkg/openstack/telemetry.go b/pkg/openstack/telemetry.go index 3262e80e5..d09642960 100644 --- a/pkg/openstack/telemetry.go +++ b/pkg/openstack/telemetry.go @@ -4,9 +4,11 @@ import ( "context" "fmt" + "github.com/openstack-k8s-operators/lib-common/modules/common" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" "github.com/openstack-k8s-operators/lib-common/modules/common/service" + "github.com/openstack-k8s-operators/lib-common/modules/common/tls" corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1" telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1" 
@@ -61,10 +63,14 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 // preserve any previously set TLS certs, set CA cert
 if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS = telemetry.Spec.Autoscaling.Aodh.TLS
+ instance.Spec.Telemetry.Template.MetricStorage.PrometheusTLS = telemetry.Spec.MetricStorage.PrometheusTLS
+ instance.Spec.Telemetry.Template.Ceilometer.TLS = telemetry.Spec.Ceilometer.TLS
 }
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+ instance.Spec.Telemetry.Template.Ceilometer.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+ instance.Spec.Telemetry.Template.MetricStorage.PrometheusTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 
- svcs, err := service.GetServicesListWithLabel(
+ aodhSvcs, err := service.GetServicesListWithLabel(
 ctx,
 helper,
 instance.Namespace,
@@ -74,16 +80,45 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 return ctrl.Result{}, err
 }
 
+ prometheusSvcs, err := service.GetServicesListWithLabel(
+ ctx,
+ helper,
+ instance.Namespace,
+ map[string]string{"app.kubernetes.io/name": fmt.Sprintf("%s-prometheus", telemetryv1.DefaultServiceName)},
+ )
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+ alertmanagerSvcs, err := service.GetServicesListWithLabel(
+ ctx,
+ helper,
+ instance.Namespace,
+ map[string]string{"app.kubernetes.io/name": fmt.Sprintf("%s-alertmanager", telemetryv1.DefaultServiceName)},
+ )
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+
+ ceilometerSvcs, err := service.GetServicesListWithLabel(
+ ctx,
+ helper,
+ instance.Namespace,
+ map[string]string{common.AppSelector: "ceilometer"},
+ )
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+
 // make sure to get to EndpointConfig when all service got created
- if len(svcs.Items) == len(instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service) {
+ if len(aodhSvcs.Items) == len(instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service) {
 endpointDetails, ctrlResult, err := EnsureEndpointConfig(
 ctx,
 instance,
 helper,
 telemetry,
- svcs,
+ aodhSvcs,
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service,
- instance.Spec.Telemetry.APIOverride,
+ instance.Spec.Telemetry.AodhAPIOverride,
 corev1beta1.OpenStackControlPlaneExposeTelemetryReadyCondition,
 false, // TODO (mschuppert) could be removed when all integrated service support TLS
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS,
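Review bot: The three new GetServicesListWithLabel calls each repeat the call-and-error-check shape of the `aodhSvcs` call above; a local closure over ctx, helper and instance.Namespace that takes just the label map would reduce this hunk to one line per service kind and keep the error handling in one place. The prometheus and alertmanager selectors also spell the key as the literal `"app.kubernetes.io/name"` while the ceilometer selector uses `common.AppSelector`; a named constant for the recommended-label key (from lib-common if it has one, else a local `const`) keeps the two literals from drifting apart. The prometheus and alertmanager lists are fetched on every reconcile even though they are only consumed later behind the MetricStorageReadyCondition check, so they could be moved inside that branch. ReconcileTelemetry starts and ends outside the hunk.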
@@ -100,6 +135,89 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 }
+ if telemetry.Status.Conditions.IsTrue(telemetryv1.MetricStorageReadyCondition) {
+ // EnsureEndpoint for prometheus
+ // NOTE: We don't manage the prometheus service, it's managed by COO, we just annotate it
+ endpointDetails, ctrlResult, err := EnsureEndpointConfig(
+ ctx,
+ instance,
+ helper,
+ telemetry,
+ prometheusSvcs,
+ nil,
+ instance.Spec.Telemetry.PrometheusOverride,
+ corev1beta1.OpenStackControlPlaneExposeTelemetryReadyCondition,
+ false, // TODO (mschuppert) could be removed when all integrated service support TLS
+ tls.API{
+ API: tls.APIService{
+ Public: tls.GenericService{
+ SecretName: instance.Spec.Telemetry.Template.MetricStorage.PrometheusTLS.SecretName,
+ },
+ },
+ },
+ )
+ if err != nil {
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+ // update TLS settings with cert secret
+ instance.Spec.Telemetry.Template.MetricStorage.PrometheusTLS.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+
+ // TODO: rewrite this once we have TLS on alertmanager
+ for _, alertmanagerSvc := range alertmanagerSvcs.Items {
+ ed := EndpointDetail{
+ Name: alertmanagerSvc.Name,
+ Namespace: alertmanagerSvc.Namespace,
+ Type: service.Endpoint(alertmanagerSvc.Annotations[service.AnnotationEndpointKey]),
+ Service: ServiceDetails{
+ Spec: &alertmanagerSvc,
+ },
+ }
+ ed.Route.Create = alertmanagerSvc.ObjectMeta.Annotations[service.AnnotationIngressCreateKey] == "true"
+ ed.Route.TLS.Enabled = false
+ if instance.Spec.Telemetry.AlertmanagerOverride.Route != nil {
+ ed.Route.OverrideSpec = *instance.Spec.Telemetry.AlertmanagerOverride.Route
+ }
+ ctrlResult, err := ed.ensureRoute(
+ ctx,
+ instance,
+ helper,
+ &alertmanagerSvc,
+ telemetry,
+ corev1beta1.OpenStackControlPlaneExposeTelemetryReadyCondition,
+ )
+ if err != nil {
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+ }
+ }
+
+ if telemetry.Status.Conditions.IsTrue(telemetryv1.CeilometerReadyCondition) {
+ // NOTE: We don't have svc overrides for ceilometer objects.
+ endpointDetails, ctrlResult, err := EnsureEndpointConfig(
+ ctx,
+ instance,
+ helper,
+ telemetry,
+ ceilometerSvcs,
+ nil,
+ corev1beta1.Override{},
+ corev1beta1.OpenStackControlPlaneExposeTelemetryReadyCondition,
+ false, // TODO (mschuppert) could be removed when all integrated service support TLS
+ tls.API{},
+ )
+ if err != nil {
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+ // update TLS settings with cert secret
+ instance.Spec.Telemetry.Template.Ceilometer.TLS.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
+ }
+
 helper.GetLogger().Info("Reconciling Telemetry", telemetryNamespaceLabel, instance.Namespace, telemetryNameLabel, telemetryName)
 op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), telemetry, func() error {
 instance.Spec.Telemetry.Template.DeepCopyInto(&telemetry.Spec)
diff --git a/pkg/openstackclient/funcs.go b/pkg/openstackclient/funcs.go
index 7f2b11eef..fb84ebc24 100644
--- a/pkg/openstackclient/funcs.go
+++ b/pkg/openstackclient/funcs.go
@@ -18,11 +18,13 @@ import (
 env "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 clientv1 "github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1"
 telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/utils/ptr"
+ "sigs.k8s.io/controller-runtime/pkg/client"
 )
 // ClientPodSpec func
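Review bot: The Ceilometer call to EnsureEndpointConfig at the end of the hunk passes an empty `tls.API{}`, whereas the Prometheus call above feeds the currently configured secret in via `tls.API{API: tls.APIService{Public: tls.GenericService{SecretName: ...PrometheusTLS.SecretName}}}` and the Aodh call passes the whole `Aodh.TLS`; if that argument is what lets EnsureEndpointConfig reuse an already issued cert secret, Ceilometer's previously issued internal secret is invisible to it on every reconcile. For symmetry pass `tls.API{API: tls.APIService{Internal: tls.GenericService{SecretName: instance.Spec.Telemetry.Template.Ceilometer.TLS.SecretName}}},` or add a comment explaining why Ceilometer deliberately starts from an empty struct. Separately, the Alertmanager loop hard-sets `ed.Route.TLS.Enabled = false`, so the route it creates exposes Alertmanager in plaintext at the edge; the TODO should say that explicitly and state whether a `tls` section in `AlertmanagerOverride.Route` (which the CRD accepts) is honored or overridden here. Taking `&alertmanagerSvc` of the range variable is only safe if ensureRoute does not retain the pointer beyond the iteration when the module's go directive is older than 1.22. ReconcileTelemetry starts before this hunk and continues after it.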
@@ -40,6 +42,14 @@ func ClientPodSpec(
 telemetryv1.DefaultServiceName, instance.Namespace))
 envVars["PROMETHEUS_PORT"] = env.SetValue(fmt.Sprint(telemetryv1.DefaultPrometheusPort))
+ metricStorage := &telemetryv1.MetricStorage{}
+ err := helper.GetClient().Get(ctx, client.ObjectKey{
+ Namespace: instance.Namespace,
+ Name: telemetryv1.DefaultServiceName,
+ }, metricStorage)
+ if err == nil && metricStorage.Spec.PrometheusTLS.Enabled() {
+ envVars["PROMETHEUS_CA_CERT"] = env.SetValue(tls.DownstreamTLSCABundlePath)
+ }
 // create Volume and VolumeMounts
 volumes := clientPodVolumes(instance)
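Review bot: The `Get` of the MetricStorage object treats every error as "TLS disabled": on an RBAC denial or a transient API failure `err != nil`, `PROMETHEUS_CA_CERT` is silently left unset, and the client pod is rendered without the CA path even though Prometheus may well be serving TLS. Only a not-found error is a legitimate "no MetricStorage" case; other errors should at least be logged, e.g. `if err != nil && !k8s_errors.IsNotFound(err) { helper.GetLogger().Error(err, "unable to read MetricStorage, not setting PROMETHEUS_CA_CERT") }` (this needs the apimachinery errors package, which the import hunk above does not add), or returned if ClientPodSpec's signature permits it. The lookup also hard-codes `telemetryv1.DefaultServiceName` as the MetricStorage name, consistent with the Sprintf on the context line above, so a MetricStorage with any other name is never found; a comment stating that assumption would help. ClientPodSpec's signature and return are outside this hunk.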