Create serving certs for headless services on OpenShift (#818) #824
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -158,6 +158,16 @@ func headless(ctx context.Context, params Params) *corev1.Service { | |
| } | ||
|
|
||
| h.Name = naming.HeadlessService(params.Instance) | ||
|
|
||
| // copy to avoid modifying params.Instance.Annotations | ||
| annotations := map[string]string{ | ||
| "service.beta.openshift.io/serving-cert-secret-name": fmt.Sprintf("%s-tls", h.Name), | ||
|
There was a problem hiding this comment. This annotation should be present only if the collector is deployed on the OpenShift. IIRC there is already some machinery in the project that recognizes the platform. There was a problem hiding this comment. I had considered this, but noticed in https://github.com/jaegertracing/jaeger-operator/blob/main/pkg/service/collector.go#L28 that jaeger-operator adds the annotation regardless of the platform. My understanding is that unrecognized annotations are silently ignored, so I don't think there is any harm. Also, making this conditional would require addition unit test code. But I can make it conditional if required. |
||
| } | ||
| for k, v := range h.Annotations { | ||
| annotations[k] = v | ||
| } | ||
| h.Annotations = annotations | ||
|
|
||
| h.Spec.ClusterIP = "None" | ||
| return h | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The text looks good/ it explains what the annotation does. I would it makes sense here also document why someone should be doing something like this/waht is the common use case? Users are often searching for solutions for use-cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More general discussion of configuring and securing the collector is not specific to the operator, so probably doesn't belong in this repo. We could add some mention of this operator functionality in https://opentelemetry.io/docs/collector/configuration/#setting-up-certificates after this PR is merged. Adding new documentation in this repo that covers common operator use cases (including but not limited to securing OTLP between agent and gateway collectors) seems beyond the scope of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our users should understand why there is a headless service, when to use it and what is the use case for using those certificates.
I don't think that operator documentation belongs there. You could try to work with the docs/website sig to add an operator page there. So far there are no operator docs in opentelemetry.io.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pavolloffay The headless service has been created by this operator for a long time. I agree the operator's documentation on it is lacking. But does that need to be resolved before this PR can be merged? Can we create an issue to improve the documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I was not clear, I wanted a better docs for the certificates - what is the use-case for them etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can create an additional PR to add them