operator: Expose only an HTTPS gateway when in openshift-logging mode (…

…#6288)
grafana · Jun 10, 2022 · 73a144e · 73a144e
1 parent 23cc938
commit 73a144e
Show file tree

Hide file tree

Showing 11 changed files with 261 additions and 31 deletions.
diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Main
 
+- [6288](https://github.com/grafana/loki/pull/6288) **aminesnow**: Expose only an HTTPS gateway when in openshift mode
 - [6195](https://github.com/grafana/loki/pull/6195) **periklis**: Add ruler config support
 - [6198](https://github.com/grafana/loki/pull/6198) **periklis**: Add support for custom S3 CA
 - [6199](https://github.com/grafana/loki/pull/6199) **Red-GV**: Update GCP secret volume path

diff --git a/operator/hack/addons_ocp.yaml b/operator/hack/addons_ocp.yaml
@@ -37,12 +37,12 @@ spec:
             - name: LOKI_ORG_ID
               value: application
             - name: LOKI_ADDR
-              value: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
+              value: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application
             - name: LOKI_BEARER_TOKEN_FILE
               value: /var/run/secrets/kubernetes.io/serviceaccount/token
           args:
             - -c
-            - while true; do logcli query '{job="systemd-journal"}'; sleep 30; done
+            - while true; do logcli --ca-cert="/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" query '{job="systemd-journal"}'; sleep 30; done
       serviceAccountName: lokistack-dev-addons-logcli
 ---
 apiVersion: apps/v1
@@ -118,7 +118,9 @@ metadata:
 data:
   promtail.yaml: |
     clients:
-      - url: http://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
+      - url: https://lokistack-dev-gateway-http.openshift-logging.svc:8080/api/logs/v1/application/loki/api/v1/push
+        tls_config:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
         tenant_id: application
         bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
         backoff_config:

diff --git a/operator/hack/lokistack_gateway_ocp.yaml b/operator/hack/lokistack_gateway_ocp.yaml
@@ -2,6 +2,7 @@ apiVersion: loki.grafana.com/v1beta1
 kind: LokiStack
 metadata:
   name: lokistack-dev
+  namespace: openshift-logging
 spec:
   size: 1x.extra-small
   storage:

diff --git a/operator/internal/manifests/build_test.go b/operator/internal/manifests/build_test.go
@@ -263,7 +263,7 @@ func TestBuildAll_WithFeatureFlags_EnableTLSServiceMonitorConfig(t *testing.T) {
 			continue
 		}
 
-		secretName := fmt.Sprintf("%s-http-metrics", name)
+		secretName := fmt.Sprintf("%s-http-tls", name)
 		expVolume := corev1.Volume{
 			Name: secretName,
 			VolumeSource: corev1.VolumeSource{

diff --git a/operator/internal/manifests/gateway.go b/operator/internal/manifests/gateway.go
@@ -20,7 +20,7 @@ import (
 )
 
 const (
-	tlsMetricsSercetVolume = "tls-metrics-secret"
+	tlsSecretVolume = "tls-secret"
 )
 
 // BuildGateway returns a list of k8s objects for Loki Stack Gateway
@@ -49,7 +49,7 @@ func BuildGateway(opts Options) ([]client.Object, error) {
 
 	if opts.Stack.Tenants != nil {
 		mode := opts.Stack.Tenants.Mode
-		if err := configureDeploymentForMode(dpl, mode, opts.Flags); err != nil {
+		if err := configureDeploymentForMode(dpl, mode, opts.Flags, opts.Name, opts.Namespace); err != nil {
 			return nil, err
 		}
 
@@ -356,7 +356,7 @@ func configureGatewayMetricsPKI(podSpec *corev1.PodSpec, serviceName string) err
 	secretVolumeSpec := corev1.PodSpec{
 		Volumes: []corev1.Volume{
 			{
-				Name: tlsMetricsSercetVolume,
+				Name: tlsSecretVolume,
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
 						SecretName: secretName,
@@ -368,7 +368,7 @@ func configureGatewayMetricsPKI(podSpec *corev1.PodSpec, serviceName string) err
 	secretContainerSpec := corev1.Container{
 		VolumeMounts: []corev1.VolumeMount{
 			{
-				Name:      tlsMetricsSercetVolume,
+				Name:      tlsSecretVolume,
 				ReadOnly:  true,
 				MountPath: gateway.LokiGatewayTLSDir,
 			},

diff --git a/operator/internal/manifests/gateway_tenants.go b/operator/internal/manifests/gateway_tenants.go
@@ -56,22 +56,28 @@ func ApplyGatewayDefaultOptions(opts *Options) error {
 	return nil
 }
 
-func configureDeploymentForMode(d *appsv1.Deployment, mode lokiv1beta1.ModeType, flags FeatureFlags) error {
+func configureDeploymentForMode(d *appsv1.Deployment, mode lokiv1beta1.ModeType, flags FeatureFlags, stackName, stackNs string) error {
 	switch mode {
 	case lokiv1beta1.Static, lokiv1beta1.Dynamic:
 		return nil // nothing to configure
 	case lokiv1beta1.OpenshiftLogging:
+		serviceName := serviceNameGatewayHTTP(stackName)
+		secretName := signingServiceSecretName(serviceName)
+		serverName := fqdn(serviceName, stackNs)
 		return openshift.ConfigureGatewayDeployment(
 			d,
 			gatewayContainerName,
-			tlsMetricsSercetVolume,
+			tlsSecretVolume,
 			gateway.LokiGatewayTLSDir,
 			gateway.LokiGatewayCertFile,
 			gateway.LokiGatewayKeyFile,
 			gateway.LokiGatewayCABundleDir,
 			gateway.LokiGatewayCAFile,
 			flags.EnableTLSServiceMonitorConfig,
 			flags.EnableCertificateSigningService,
+			secretName,
+			serverName,
+			gatewayHTTPPort,
 		)
 	}