Feat(GPX-669):Multena: Add TLS support for datasources

infra/gp-multena/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.11
+version: 1.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.3.1
+appVersion: 0.5.0

infra/gp-multena/templates/configmaps.yaml

@@ -7,33 +7,42 @@ metadata:
     {{- include "gp-multena.labels" . | nindent 4 }}
 data:
   config.yaml: |-
-      proxy:
-        log_level: {{ .Values.multena.logLevel }}
-        provider: {{ .Values.multena.provider}}
-        thanos_url: {{ .Values.multena.thanosUrl }}
-        loki_url: {{ .Values.multena.lokiUrl }}
-        jwks_cert_url: {{ .Values.multena.jwksCertUrl}}
-        admin_group: {{ .Values.multena.adminGroup }}
-        insecure_skip_verify: {{ .Values.multena.insecureSkipVerify }}
-        log_tokens: {{ .Values.multena.logTokens }}
-        port: {{ .Values.service.port }}
-        metrics_port: {{ .Values.service.metricsPort }}
-        host: 0.0.0.0
-        tenant_labels:
-          thanos: {{ .Values.multena.tenantLabels.thanos }}
-          loki: {{ .Values.multena.tenantLabels.loki }}
-      {{- if eq .Values.multena.provider "mysql" }}
-      db:
-        enabled: true
-        user: {{ .Values.multena.db.user }}
-        password_path: /etc/secrets/db/password
-        host: {{ .Values.multena.db.host }}
-        port: {{ .Values.multena.db.port }}
-        db_name: {{ .Values.multena.db.dbName }}
-        query: {{ .Values.multena.db.query }}
-      {{- end }}
-      dev:
-        enabled: {{ .Values.multena.dev }}
+    log:
+      level: {{ .Values.multena.log.level }}
+      log_tokens: {{ .Values.multena.log.logTokens }}
+    tenant_provider: {{ .Values.multena.provider }}
+    web:
+      proxy_port: {{ .Values.service.webPort }}
+      metrics_port: {{ .Values.service.metricsPort }}
+      host: 0.0.0.0
+      insecure_skip_verify: false
+      trusted_root_ca_path: "/etc/secrets/ca"
+      jwks_cert_url: {{ .Values.multena.jwksCertUrl }}
+    admin:
+      bypass: {{ .Values.multena.admin.bypass }}
+      group: {{ .Values.multena.admin.group }}
+    {{- if .Values.multena.db.enabled }}
+    db:
+      enabled: true
+      user: {{ .Values.multena.db.user }}
+      password_path: {{ .Values.multena.db.passwordPath }}
+      host: {{ .Values.multena.db.host }}
+      port: {{ .Values.multena.db.port }}
+      dbName: {{ .Values.multena.db.dbName }}
+      query: {{ .Values.multena.db.query }}
+    {{- end }}
+    thanos:
+      url: {{ .Values.multena.thanos.url }}
+      tenant_label: {{ .Values.multena.thanos.tenantLabel }}
+      cert: "/etc/secrets/ca/thanos/{{ .Values.tls.thanos.cert }}"
+      key: "/etc/secrets/ca/thanos/{{ .Values.tls.thanos.key }}"
+    loki:
+      url: {{ .Values.multena.loki.url }}
+      tenant_label: {{ .Values.multena.loki.tenantLabel }}
+      cert: "/etc/secrets/ca/loki/{{ .Values.tls.loki.cert }}"
+      key: "/etc/secrets/ca/loki/{{ .Values.tls.loki.key }}"
+
+
 ---
 {{- if eq .Values.multena.provider "configmap" }}
 apiVersion: v1
@@ -45,8 +54,8 @@ metadata:
     {{- include "gp-multena.labels" . | nindent 4 }}
 data:
   labels.yaml: |-
-    groups:
-      - example_group: ["example_namespace"]
     users:
       - example_user: [ "example_namespace" ]
+    groups:
+      - example_group: ["example_namespace"]
 {{- end }}

infra/gp-multena/templates/deployment.yaml

@@ -30,7 +30,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent"  }}
           ports:
             - name: http
-              containerPort: {{ .Values.service.port }}
+              containerPort: {{ .Values.service.webPort }}
               protocol: TCP
             - name: metrics
               containerPort: {{ .Values.service.metricsPort }}
@@ -58,18 +58,26 @@ spec:
             timeoutSeconds: {{ .Values.probes.livenessProbe.timeoutSeconds }}
           {{- end }}
           volumeMounts:
-            - mountPath: /etc/pki/ca-trust/source/anchors/
+            - mountPath: /etc/secrets/ca/
               name: openshift-service-ca
             - mountPath: /etc/config/config/
               name: multena-config
-              {{- if eq .Values.multena.provider "configmap" }}
+            {{- if eq .Values.multena.provider "configmap" }}
             - mountPath: /etc/config/labels/
               name: multena-labels
-              {{- end }}
-              {{- if eq .Values.multena.provider "mysql" }}
+            {{- end }}
+            {{- if eq .Values.multena.provider "mysql" }}
             - mountPath: /etc/secrets/db/
               name: multena-db-secret
-              {{- end }}
+            {{- end }}
+            {{- if eq .Values.tls.loki.enabled true }}
+            - mountPath: /etc/secrets/ca/loki/
+              name: multena-loki-tls-secret
+            {{- end }}
+            {{- if eq .Values.tls.thanos.enabled true }}
+            - mountPath: /etc/secrets/ca/thanos/
+              name: multena-thanos-tls-secret
+            {{- end }}
       volumes:
         - configMap:
             name: openshift-service-ca.crt
@@ -87,6 +95,16 @@ spec:
           secret:
             secretName: {{ include "gp-multena.secretName" . }}
           {{- end }}
+          {{- if eq .Values.tls.loki.enabled true }}
+        - name: multena-loki-tls-secret
+          secret:
+            secretName: {{ .Values.tls.loki.secretName }}
+          {{- end }}
+          {{- if eq .Values.tls.thanos.enabled true }}
+        - name: multena-thanos-tls-secret
+          secret:
+            secretName: {{ .Values.tls.thanos.secretName }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

infra/gp-multena/templates/service.yaml

@@ -7,7 +7,7 @@ metadata:
     {{- include "gp-multena.labels" . | nindent 4 }}
 spec:
   ports:
-    - port: {{ .Values.service.port }}
+    - port: {{ .Values.service.webPort }}
       targetPort: http
       protocol: TCP
       name: {{ include "gp-multena.name" . }}

infra/gp-multena/templates/system-datasources.yaml

@@ -2,44 +2,48 @@
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
 metadata:
-  name: multena-metrics-datasource
+  name: {{ include "gp-multena.name" . }}-metrics-datasource
   namespace: {{ .Release.Namespace }}
 spec:
+  datasource:
+    name: metrics-multena (Thanos)
+    uid: metrics-multena
+    type: prometheus
+    url: "http://{{ include "gp-multena.name" . }}:{{ .Values.service.webPort }}"
+    access: proxy
+    editable: true
+    isDefault: false
+    jsonData:
+      httpMethod: POST
+      oauthPassThru: true
+      manageAlerts: false
   instanceSelector:
     matchLabels:
-      monitoring.gepardec.com/system: "true"
-  datasource:
-      name: metrics-multena (Thanos)
-      uid: metrics-multena
-      type: prometheus
-      url: "http://{{ include "gp-multena.name" . }}:{{ .Values.service.port }}"
-      access: proxy
-      editable: true
-      isDefault: false
-      jsonData:
-        httpMethod: POST
-        oauthPassThru: true
-        manageAlerts: false
+      monitoring.gepardec.com/system: 'true'
+
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
 metadata:
-  name: multena-application-logs-datasource
+  name: {{ include "gp-multena.name" . }}-logs-datasource
   namespace: {{ .Release.Namespace }}
 spec:
+  datasource:
+    name: logs-multena (Loki-Application)
+    uid: logs-multena
+    type: loki
+    url: "http://{{ include "gp-multena.name" . }}:{{ .Values.service.webPort }}"
+    access: proxy
+    editable: true
+    isDefault: false
+    jsonData:
+      httpMethod: POST
+      oauthPassThru: true
+      manageAlerts: false
+      httpHeaderName1: X-Scope-OrgID
+    secureJsonData:
+      httpHeaderValue1: "application"
   instanceSelector:
     matchLabels:
-      monitoring.gepardec.com/system: "true"
-  datasource:
-      name: logs-multena (Loki-Application)
-      uid: logs-multena
-      type: loki
-      url: "http://{{ include "gp-multena.name" . }}:{{ .Values.service.port }}"
-      access: proxy
-      editable: true
-      isDefault: false
-      jsonData:
-        httpMethod: POST
-        oauthPassThru: true
-        manageAlerts: false
+      monitoring.gepardec.com/system: 'true'
 {{- end }}

infra/gp-multena/templates/tls-copy.yaml

@@ -0,0 +1,56 @@
+{{- if .Values.tls.copy.loki.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: copy-secret-policy-loki
+spec:
+  generateExisting: true
+  validationFailureAction: enforce
+  rules:
+    - name: clone-{{ .Values.tls.loki.secretName }}-tls
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - {{ .Release.Namespace }}
+      generate:
+        kind: Secret
+        apiVersion: v1
+        name: {{ .Values.tls.loki.secretName }}
+        # namespace for the generated resource
+        namespace: "{{`{{request.object.metadata.name}}`}}"
+        synchronize: true
+        clone:
+          namespace: {{ .Values.tls.copy.loki.secretNamespace }}
+          name: {{ .Values.tls.loki.secretName }}
+{{- end }}
+{{- if .Values.tls.copy.thanos.enabled  }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: copy-secret-policy-thanos
+spec:
+  generateExisting: true
+  validationFailureAction: enforce
+  rules:
+    - name: clone-{{ .Values.tls.thanos.secretName }}-tls
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - {{ .Release.Namespace }}
+      generate:
+        kind: Secret
+        apiVersion: v1
+        name: {{ .Values.tls.thanos.secretName }}
+        # namespace for the generated resource
+        namespace: "{{`{{request.object.metadata.name}}`}}"
+        synchronize: true
+        clone:
+          namespace: {{ .Values.tls.copy.thanos.secretNamespace }}
+          name: {{ .Values.tls.thanos.secretName }}
+{{- end }}

infra/gp-multena/values.yaml

@@ -1,9 +1,58 @@
+GrafanaOperatorDatasources: true
+tls:
+  loki:
+      enabled: true
+      secretName: loki-query-frontend-http
+      cert: tls.crt
+      key: tls.key
+  thanos:
+      enabled: false
+      secretName: thanos-querier-tls
+      cert: tls.crt
+      key: tls.key
+  copy:
+    loki:
+      enabled: true
+      secretNamespace: openshift-logging
+    thanos:
+      enabled: false
+      secretNamespace: openshift-monitoring
+
+multena:
+  provider: configmap
+  jwksCertUrl: https://sso.keycloak-namespace.svc.cluster.local:8443/realms/internal/protocol/openid-connect/certs
+  log:
+    level: INFO
+    logTokens: false
+  admin:
+    bypass: false
+    group: gepardec-run-admins
+  thanos:
+    url: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091
+    tenantLabel: namespace
+  loki:
+    url: https://loki-query-frontend-http.openshift-logging.svc.cluster.local:3100
+    tenantLabel: kubernetes_namespace_name
+  db:
+    enabled: false
+    user: multitenant
+    passwordPath: "/etc/secrets/db/password"
+    host: localhost
+    port: 3306
+    dbName: example
+    query: "SELECT * FROM users WHERE username = ?"
+
+service:
+  webPort: 8080
+  metricsPort: 8081
+
 replicas: 1
+
 image:
   repository: ghcr.io/gepaplexx/multena-proxy
   pullPolicy: IfNotPresent
-  tag: "0.3.1"
-GrafanaOperatorDatasources: true
+  tag: "0.5.0"
+
 probes:
   readinessProbe:
     enabled: true
@@ -15,33 +64,12 @@ probes:
     initialDelaySeconds: 1
     periodSeconds: 10
     timeoutSeconds: 10
+
 serviceAccount:
   create: true
   name: ""
+
 resources:
   requests:
     cpu: 10m
-    memory: 20M
-multena:
-  dev: false
-  logLevel: INFO
-  adminGroup: gepardec-run-admins
-  jwksCertUrl: https://sso.keycloak-namespace.svc.cluster.local:8443/realms/internal/protocol/openid-connect/certs
-  thanosUrl: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091
-  lokiUrl: https://loki-gateway-http.openshift-logging.svc.cluster.local:8080/api/logs/v1/application/
-  provider: configmap
-  insecureSkipVerify: false
-  logTokens: false
-  tenantLabels:
-    thanos: namespace
-    loki: kubernetes_namespace_name
-  db:
-    user: multitenant
-    existingSecret: ""
-    host: localhost
-    port: 3306
-    dbName: example
-    query: "SELECT * FROM users WHERE username = ?"
-service:
-  port: 8080
-  metricsPort: 8081
+    memory: 20M