NETOBSERV-773 Copy certificates across namespaces #326
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #326 +/- ##
==========================================
+ Coverage 51.42% 53.45% +2.02%
==========================================
Files 43 45 +2
Lines 5186 5328 +142
==========================================
+ Hits 2667 2848 +181
+ Misses 2323 2279 -44
- Partials 196 201 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
- Any certificate (secret/cm) can now be referenced from any namespace, which makes the operator watch the original and copy it to a target namespace. It allows not only to deploy Loki (or Kafka) in any namespace, but also fixes the issue of ebpf pods not having access to kafka CA/key without manual intervention And quite a big refactoring: - New "watchers" and "volumes" packages - Creation of volumes is now using a builder-style approach allowing to incrementally add volumes and get at the same time their path. It avoid having discrepancies between mounted volumes and their related path reference. - Watching certificates (or any CM/secret) now uses digest hash of content instead of metadata, to avoid triggering pods restart when a cm/secret was changed despite its content remaining the same - Some things are moved around to make internal APIs easier to use, less parameters in functions, etc. - New extensive integration tests on certificates management Fix failing tests
|
New changes are detected. LGTM label has been removed. |
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
jotak
added
ok-to-test
|
New images:
They will expire after two weeks. Catalog source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-338d168
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
memodi
requested changes
May 25, 2023
There was a problem hiding this comment.
@jotak - I think I am hitting a bug w/ KAFKA scenario, where I have both of them in different NS and FLP pods are getting 403 error:
time=2023-05-25T20:34:13Z level=info component=client error=server returned HTTP status 403 Forbidden (403): fields.level=error fields.msg=final error sending batch host=lokistack-gateway-http.netobserv-loki.svc.cluster.local:8080 module=export/loki status=403
here's loki and kafka config:
{
"authToken": "FORWARD",
"batchSize": 10485760,
"batchWait": "1s",
"maxBackoff": "5s",
"maxRetries": 2,
"minBackoff": "1s",
"staticLabels": {
"app": "netobserv-flowcollector"
},
"statusTls": {
"caCert": {
"namespace": ""
},
"enable": false,
"insecureSkipVerify": false,
"userCert": {
"namespace": ""
}
},
"tenantID": "netobserv",
"timeout": "10s",
"tls": {
"caCert": {
"certFile": "service-ca.crt",
"name": "lokistack-gateway-ca-bundle",
"namespace": "netobserv-loki",
"type": "configmap"
},
"enable": true,
"insecureSkipVerify": false,
"userCert": {
"namespace": "netobserv-loki"
}
},
"url": "https://lokistack-gateway-http.netobserv-loki.svc.cluster.local:8080/api/logs/v1/network/"
}
{
"address": "kafka-cluster-kafka-bootstrap.netobserv-kafka",
"tls": {
"caCert": {
"certFile": "ca.crt",
"name": "kafka-cluster-cluster-ca-cert",
"namespace": "netobserv-kafka",
"type": "secret"
},
"enable": true,
"insecureSkipVerify": false,
"userCert": {
"certFile": "user.crt",
"certKey": "user.key",
"name": "flp-kafka",
"namespace": "netobserv-kafka",
"type": "secret"
}
},
"topic": "network-flows"
}
perhaps we're using incorrect certs to connect with Loki in this scenario?
|
@memodi I don't remember if I tested loki AND kafka in different namespaces, so let me get a try. Just in case: you did deploy the clusterrolebinding for reading loki logs just as usual? ie. FLP's service account has permissions to write logs? |
ah, that might be it. I didn't update the CRD to work with KAFKA mode, my bad. |
github-actions
bot
removed
the
ok-to-test
jotak
added
the
ok-to-test
jotak
added
ok-to-test
|
New images:
They will expire after two weeks. Catalog source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-2d6ecc1
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
github-actions
bot
removed
the
ok-to-test
|
/ok-to-test |
openshift-ci
bot
added
the
ok-to-test
|
New images:
They will expire after two weeks. Catalog source: apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: netobserv-dev
namespace: openshift-marketplace
spec:
sourceType: grpc
image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-ce1b60c
displayName: NetObserv development catalog
publisher: Me
updateStrategy:
registryPoll:
interval: 1m |
|
Although I did not find issues for changes in this PR, I came across NETOBSERV-1070 bug for FLP metrics server. /label qe-approved |
|
thanks @memodi ! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jotak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
(merging .. was previously reviewed before last rebase) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
And quite a big refactoring: