Merge pull request #7395 from simonpasquier/follow-up-7149
chore: refactor following #7149
commit
eee2d08663
4 changed files with 59 additions and 34 deletions
pkg/alertmanager
|
@ -15,9 +15,11 @@
|
|||
package clustertlsconfig
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
||||
"gopkg.in/yaml.v2"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
|
@ -28,20 +30,22 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
cmdflag = "cluster.tls-config"
|
||||
cliFlag = "cluster.tls-config"
|
||||
volumeName = "cluster-tls-config"
|
||||
serverVolumePrefix = "cluster-tls-server-config-"
|
||||
clientVolumePrefix = "cluster-tls-client-config-"
|
||||
serverTLSCredDir = "server_tls"
|
||||
clientTLSCredDir = "client_tls"
|
||||
ConfigFileKey = "cluster-tls-config.yaml"
|
||||
|
||||
// ConfigFileKey is the secret's key containing the YAML configuration.
|
||||
ConfigFileKey = "cluster-tls-config.yaml"
|
||||
)
|
||||
|
||||
// Config is the web configuration for prometheus and alertmanager instance.
|
||||
// Config is the Alertmanager cluster's mTLS configuration.
|
||||
//
|
||||
// Config can make a secret which holds the web config contents, as well as
|
||||
// volumes and volume mounts for referencing the secret and the
|
||||
// necessary TLS credentials.
|
||||
// Config can make a secret which holds the cluster configuration as well as
|
||||
// volumes and volume mounts for referencing the secret and the necessary TLS
|
||||
// credentials.
|
||||
type Config struct {
|
||||
clusterTLSConfig *monitoringv1.ClusterTLSConfig
|
||||
serverTLSReferences *webconfig.TLSReferences
|
||||
|
@ -55,7 +59,10 @@ type Config struct {
|
|||
// The Secret where the cluster TLS config will be stored will be named `secretName`.
|
||||
// All volumes containing TLS credentials related to cluster TLS configuration will be prefixed with "cluster-tls-server-config-"
|
||||
// or "cluster-tls-client-config-" respectively, for server and client credentials.
|
||||
func New(mountingDir string, secretName string, clusterTLSConfig *monitoringv1.ClusterTLSConfig) (*Config, error) {
|
||||
func New(mountingDir string, a *monitoringv1.Alertmanager) (*Config, error) {
|
||||
clusterTLSConfig := a.Spec.ClusterTLS
|
||||
secretName := fmt.Sprintf("alertmanager-%s-cluster-tls-config", a.Name)
|
||||
|
||||
if clusterTLSConfig == nil {
|
||||
return &Config{
|
||||
mountingDir: mountingDir,
|
||||
|
@ -70,12 +77,15 @@ func New(mountingDir string, secretName string, clusterTLSConfig *monitoringv1.C
|
|||
|
||||
serverTLSConfig := clusterTLSConfig.ServerTLS
|
||||
if err := serverTLSConfig.Validate(); err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("invalid server TLS configuration: %w", err)
|
||||
}
|
||||
|
||||
clientTLSConfig := clusterTLSConfig.ClientTLS
|
||||
if err := clientTLSConfig.Validate(); err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("invalid client TLS configuration: %w", err)
|
||||
}
|
||||
if reflect.ValueOf(clientTLSConfig.Cert).IsZero() {
|
||||
return nil, errors.New("invalid client TLS configuration: certificate is required")
|
||||
}
|
||||
|
||||
serverTLSCreds = webconfig.NewTLSReferences(path.Join(mountingDir, serverTLSCredDir), serverTLSConfig.KeySecret, serverTLSConfig.Cert, serverTLSConfig.ClientCA)
|
||||
|
@ -101,24 +111,24 @@ func New(mountingDir string, secretName string, clusterTLSConfig *monitoringv1.C
|
|||
func (c Config) GetMountParameters() (*monitoringv1.Argument, []v1.Volume, []v1.VolumeMount, error) {
|
||||
destinationPath := path.Join(c.mountingDir, ConfigFileKey)
|
||||
|
||||
var volumes []v1.Volume
|
||||
var mounts []v1.VolumeMount
|
||||
var arg *monitoringv1.Argument
|
||||
|
||||
// Only return an argument if the cluster TLS config and it's server component are defined.
|
||||
if c.clusterTLSConfig != nil {
|
||||
arg = c.makeArg(destinationPath)
|
||||
}
|
||||
|
||||
var volumes []v1.Volume
|
||||
cfgVolume := c.makeVolume()
|
||||
volumes = append(volumes, cfgVolume)
|
||||
|
||||
var mounts []v1.VolumeMount
|
||||
cfgMount := c.makeVolumeMount(destinationPath)
|
||||
mounts = append(mounts, cfgMount)
|
||||
|
||||
if c.serverTLSReferences != nil {
|
||||
servertlsVolumes, servertlsMounts, err := c.serverTLSReferences.GetMountParameters(serverVolumePrefix)
|
||||
if err != nil {
|
||||
return &monitoringv1.Argument{}, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
volumes = append(volumes, servertlsVolumes...)
|
||||
mounts = append(mounts, servertlsMounts...)
|
||||
|
@ -127,7 +137,7 @@ func (c Config) GetMountParameters() (*monitoringv1.Argument, []v1.Volume, []v1.
|
|||
if c.clientTLSReferences != nil {
|
||||
clienttlsVolumes, clienttlsMounts, err := c.clientTLSReferences.GetMountParameters(clientVolumePrefix)
|
||||
if err != nil {
|
||||
return &monitoringv1.Argument{}, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
volumes = append(volumes, clienttlsVolumes...)
|
||||
mounts = append(mounts, clienttlsMounts...)
|
||||
|
@ -164,7 +174,7 @@ func (c Config) generateConfigFileContents() ([]byte, error) {
|
|||
// makeArg() returns an argument with the name "cluster.tls-config" with the filePath
|
||||
// as its value.
|
||||
func (c Config) makeArg(filePath string) *monitoringv1.Argument {
|
||||
return &monitoringv1.Argument{Name: cmdflag, Value: filePath}
|
||||
return &monitoringv1.Argument{Name: cliFlag, Value: filePath}
|
||||
}
|
||||
|
||||
// makeVolume() creates a Volume with volumeName = "cluster-tls-config" which stores
|
||||
|
|
|
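Review bot: The new client-side check in `New` (`reflect.ValueOf(clientTLSConfig.Cert).IsZero()` in the @-70 hunk) requires a client certificate, but nothing visible requires the server side to verify it, so unless `serverTLSConfig.Validate()` already insists on a client CA the doc comment's "mTLS" can silently degrade to one-way TLS. Consider mirroring the check on the server config, e.g. `if reflect.ValueOf(serverTLSConfig.ClientCA).IsZero() { return nil, errors.New("invalid server TLS configuration: client CA is required") }` (assuming `ClientCA` is the same optional struct type as `Cert`), or at least state on `Config` that peer verification only happens when the server config carries a client CA. `New` also dereferences `a` with no nil guard; the callers in this PR pass a non-nil object, so a one-line `// a must be non-nil.` on the signature would make that contract explicit. The bodies of `New` and `GetMountParameters` continue past the hunk boundaries.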
@ -20,6 +20,7 @@ import (
|
|||
"github.com/stretchr/testify/require"
|
||||
"gotest.tools/v3/golden"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/utils/ptr"
|
||||
|
||||
"github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/clustertlsconfig"
|
||||
|
@ -288,8 +289,16 @@ func TestCreateOrUpdateClusterTLSConfigSecret(t *testing.T) {
|
|||
|
||||
for _, tt := range tc {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
secretName := "test-secret"
|
||||
config, err := clustertlsconfig.New("/cluster_tls_certs_path_prefix", secretName, tt.clusterTLSConfig)
|
||||
config, err := clustertlsconfig.New(
|
||||
"/cluster_tls_certs_path_prefix",
|
||||
&monitoringv1.Alertmanager{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
Spec: monitoringv1.AlertmanagerSpec{
|
||||
ClusterTLS: tt.clusterTLSConfig,
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
data, err := config.ClusterTLSConfiguration()
|
||||
|
@ -316,7 +325,7 @@ func TestGetMountParameters(t *testing.T) {
|
|||
Name: "cluster-tls-config",
|
||||
VolumeSource: v1.VolumeSource{
|
||||
Secret: &v1.SecretVolumeSource{
|
||||
SecretName: "cluster-tls-config",
|
||||
SecretName: "alertmanager-test-cluster-tls-config",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -389,7 +398,7 @@ func TestGetMountParameters(t *testing.T) {
|
|||
Name: "cluster-tls-config",
|
||||
VolumeSource: v1.VolumeSource{
|
||||
Secret: &v1.SecretVolumeSource{
|
||||
SecretName: "cluster-tls-config",
|
||||
SecretName: "alertmanager-test-cluster-tls-config",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -499,7 +508,17 @@ func TestGetMountParameters(t *testing.T) {
|
|||
|
||||
for _, tt := range ts {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
tlsAssets, err := clustertlsconfig.New("/etc/prometheus/cluster_tls_config", "cluster-tls-config", tt.clusterTLSConfig)
|
||||
tlsAssets, err := clustertlsconfig.New(
|
||||
"/etc/prometheus/cluster_tls_config",
|
||||
&monitoringv1.Alertmanager{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
Spec: monitoringv1.AlertmanagerSpec{
|
||||
ClusterTLS: tt.clusterTLSConfig,
|
||||
},
|
||||
},
|
||||
)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, volumes, mounts, err := tlsAssets.GetMountParameters()
|
||||
|
|
|
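Review bot: Both rewritten call sites (@-288 and @-499) still follow `clustertlsconfig.New(...)` with an unconditional `require.NoError(t, err)`, so the "invalid client TLS configuration: certificate is required" path introduced by this PR is not exercised here; the `tc`/`ts` tables live outside the hunks, so I cannot tell whether an error case exists elsewhere. Adding a `wantErr string` field to the table and one case whose `ClientTLS` omits `Cert`, checked with `require.ErrorContains(t, err, "certificate is required")`, would pin the new validation. The hard-coded `Name: "test"` is also what the later hunks' expected `alertmanager-test-cluster-tls-config` secret name depends on; a short comment such as `// Name feeds the generated secret name asserted below.` would make that coupling visible.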
@ -561,11 +561,14 @@ func (c *Operator) sync(ctx context.Context, key string) error {
|
|||
}
|
||||
|
||||
if err := c.createOrUpdateWebConfigSecret(ctx, am); err != nil {
|
||||
return fmt.Errorf("synchronizing web config secret failed: %w", err)
|
||||
return fmt.Errorf("failed to synchronize the web config secret: %w", err)
|
||||
}
|
||||
|
||||
// TODO(simonpasquier): the operator should take into account changes to
|
||||
// the cluster TLS configuration to trigger a rollout of the pods (this
|
||||
// configuration doesn't support live reload).
|
||||
if err := c.createOrUpdateClusterTLSConfigSecret(ctx, am); err != nil {
|
||||
return fmt.Errorf("synchronizing cluster tls config secret failed: %w", err)
|
||||
return fmt.Errorf("failed to synchronize the cluster TLS config secret: %w", err)
|
||||
}
|
||||
|
||||
svcClient := c.kclient.CoreV1().Services(am.Namespace)
|
||||
|
@ -757,7 +760,6 @@ func createSSetInputHash(a monitoringv1.Alertmanager, c Config, tlsAssets *opera
|
|||
AlertmanagerAnnotations map[string]string
|
||||
AlertmanagerGeneration int64
|
||||
AlertmanagerWebHTTP2 *bool
|
||||
ALertmanagerClusterTLS string
|
||||
Config Config
|
||||
StatefulSetSpec appsv1.StatefulSetSpec
|
||||
ShardedSecret *operator.ShardedSecret
|
||||
|
@ -1709,11 +1711,7 @@ func (c *Operator) createOrUpdateWebConfigSecret(ctx context.Context, a *monitor
|
|||
}
|
||||
|
||||
func (c *Operator) createOrUpdateClusterTLSConfigSecret(ctx context.Context, a *monitoringv1.Alertmanager) error {
|
||||
clusterTLSConfig, err := clustertlsconfig.New(
|
||||
clusterTLSConfigDir,
|
||||
clusterTLSConfigSecretName(a.Name),
|
||||
a.Spec.ClusterTLS,
|
||||
)
|
||||
clusterTLSConfig, err := clustertlsconfig.New(clusterTLSConfigDir, a)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to initialize the configuration: %w", err)
|
||||
}
|
||||
|
|
|
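Review bot: The TODO added in `sync` above `createOrUpdateClusterTLSConfigSecret` should say which changes do and do not trigger a rollout, since the @-757 hunk also drops `ALertmanagerClusterTLS` from the `createSSetInputHash` input. If `AlertmanagerGeneration` tracks spec edits, a change to `spec.clusterTLS` still re-rolls the pods; what presumably remains uncovered is rotation of the key/certificate material inside the referenced Secrets or ConfigMaps, which, with no live reload, leaves the old credentials in use until the next restart — an operationally relevant fact for certificate rotation. Suggested wording: `// TODO(simonpasquier): rotating the key/certificate material referenced by the cluster TLS configuration doesn't trigger a rollout; Alertmanager doesn't live-reload it, so pods keep the old material until restarted (spec edits are covered by the generation in the statefulset input hash).` The `sync` and `createSSetInputHash` bodies continue outside the hunks.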
@ -628,9 +628,9 @@ func makeStatefulSetSpec(logger *slog.Logger, a *monitoringv1.Alertmanager, conf
|
|||
}
|
||||
|
||||
if version.GTE(semver.MustParse("0.24.0")) {
|
||||
clusterTLSConfig, err := clustertlsconfig.New(clusterTLSConfigDir, clusterTLSConfigSecretName(a.Name), a.Spec.ClusterTLS)
|
||||
clusterTLSConfig, err := clustertlsconfig.New(clusterTLSConfigDir, a)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create cluster TLS configuration: %w", err)
|
||||
return nil, fmt.Errorf("failed to create the cluster TLS configuration: %w", err)
|
||||
}
|
||||
|
||||
confArg, configVol, configMount, err := clusterTLSConfig.GetMountParameters()
|
||||
|
@ -638,9 +638,11 @@ func makeStatefulSetSpec(logger *slog.Logger, a *monitoringv1.Alertmanager, conf
|
|||
return nil, fmt.Errorf("failed to get mount parameters for cluster TLS configuration: %w", err)
|
||||
}
|
||||
|
||||
// confArg is nil if the Alertmanager resource doesn't configure mTLS for the cluster protocol.
|
||||
if confArg != nil {
|
||||
amArgs = append(amArgs, fmt.Sprintf("--%s=%s", confArg.Name, confArg.Value))
|
||||
}
|
||||
|
||||
volumes = append(volumes, configVol...)
|
||||
amVolumeMounts = append(amVolumeMounts, configMount...)
|
||||
}
|
||||
|
@ -795,10 +797,6 @@ func webConfigSecretName(name string) string {
|
|||
return fmt.Sprintf("%s-web-config", prefixedName(name))
|
||||
}
|
||||
|
||||
func clusterTLSConfigSecretName(name string) string {
|
||||
return fmt.Sprintf("%s-cluster-tls-config", prefixedName(name))
|
||||
}
|
||||
|
||||
func volumeName(name string) string {
|
||||
return fmt.Sprintf("%s-db", prefixedName(name))
|
||||
}
|
||||
|
|
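Review bot: With `clusterTLSConfigSecretName` removed (@-795 hunk), the cluster TLS secret name is now computed inside `clustertlsconfig.New` as `fmt.Sprintf("alertmanager-%s-cluster-tls-config", a.Name)`, while the neighbouring `webConfigSecretName` still goes through `prefixedName`; the two agree today (the tests expect `alertmanager-test-cluster-tls-config`), but nothing ties them together any more. Exporting a single `clustertlsconfig.SecretName(name string) string` used by `New`, or a comment next to `webConfigSecretName` pointing at where the cluster TLS name is derived, would keep the naming convention in one place. `makeStatefulSetSpec` starts and ends outside the hunks.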