refactor: move tls block to spec.client #1690

Merged
merged 5 commits into from
Oct 28, 2024
11 changes: 7 additions & 4 deletions api/v1beta1/grafana_types.go
Expand Up @@ -89,14 +89,14 @@ type External struct {
AdminUser *v1.SecretKeySelector `json:"adminUser,omitempty"`
// AdminPassword key to talk to the external grafana instance.
AdminPassword *v1.SecretKeySelector `json:"adminPassword,omitempty"`
// TLS Configuration used to talk with the external grafana instance.
// DEPRECATED, use top level `tls` instead.
// +optional
TLS *ExternalTLSConfig `json:"tls,omitempty"`
TLS *TLSConfig `json:"tls,omitempty"`
}

// TLS Configuration to an external Grafana endpoint
// TLSConfig specifies options to use when communicating with the Grafana endpoint
// +kubebuilder:validation:XValidation:rule="(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))", message="insecureSkipVerify and certSecretRef cannot be set at the same time"
type ExternalTLSConfig struct {
type TLSConfig struct {
// Disable the CA check of the server
// +optional
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
Expand All @@ -116,6 +116,9 @@ type GrafanaClient struct {
// +nullable
// If the operator should send it's request through the grafana instances ingress object instead of through the service.
PreferIngress *bool `json:"preferIngress,omitempty"`
// TLS Configuration used to talk with the grafana instance.
// +optional
TLS *TLSConfig `json:"tls,omitempty"`
}

// GrafanaPreferences holds Grafana preferences API settings
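Review bot: The deprecation comment added on `External.TLS` tells users to use the top level `tls`, but the replacement introduced in the second hunk is `GrafanaClient.TLS`, which is `spec.client.tls` and not a top-level field. This text is copied into the CRD descriptions and docs/docs/api.md, and Go tooling only recognises the `Deprecated:` paragraph form, so I would write `// Deprecated: use spec.client.tls instead; it takes precedence when both are set.` Because `TLSConfig` is now reachable for every instance through `spec.client`, the comment on `InsecureSkipVerify` could say that it disables verification of the server certificate for the operator's requests rather than only "the CA check" (presumably, since `InsecureTLSConfiguration` is defined outside this page). The `External`, `TLSConfig` and `GrafanaClient` struct bodies all continue outside the hunks.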
47 changes: 26 additions & 21 deletions api/v1beta1/zz_generated.deepcopy.go


29 changes: 27 additions & 2 deletions config/crd/bases/grafana.integreatly.org_grafanas.yaml
Expand Up @@ -67,6 +67,32 @@ spec:
timeout:
nullable: true
type: integer
tls:
description: TLS Configuration used to talk with the grafana instance.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
information
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which
the secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
insecureSkipVerify:
description: Disable the CA check of the server
type: boolean
type: object
x-kubernetes-validations:
- message: insecureSkipVerify and certSecretRef cannot be set
at the same time
rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
|| (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
type: object
config:
additionalProperties:
Expand Down Expand Up @@ -8224,8 +8250,7 @@ spec:
type: object
x-kubernetes-map-type: atomic
tls:
description: TLS Configuration used to talk with the external
grafana instance.
description: DEPRECATED, use top level `tls` instead.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
12 changes: 10 additions & 2 deletions controllers/client/tls.go
Expand Up @@ -18,10 +18,18 @@ var (

// build the tls.Config object based on the content of the Grafana CR object
func buildTLSConfiguration(ctx context.Context, c client.Client, grafana *v1beta1.Grafana) (*tls.Config, error) {
if grafana.IsInternal() || grafana.Spec.External.TLS == nil {
var tlsConfigBlock *v1beta1.TLSConfig
switch {
case grafana.Spec.Client != nil && grafana.Spec.Client.TLS != nil:
// prefer top level if set, fall back to deprecated field
tlsConfigBlock = grafana.Spec.Client.TLS
case grafana.Spec.External != nil && grafana.Spec.External.TLS != nil:
// fall back to external tls field if set
tlsConfigBlock = grafana.Spec.External.TLS
default:
// if nothing is specified, ignore tls settings
return nil, nil
}
tlsConfigBlock := grafana.Spec.External.TLS

if tlsConfigBlock.InsecureSkipVerify {
return InsecureTLSConfiguration, nil
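Review bot: When both `spec.client.tls` and the deprecated `spec.external.tls` are set, the first `case` wins and the external block is dropped without any signal to the user. A CR that still carries `external.tls.certSecretRef` and gains `client.tls.insecureSkipVerify: true` therefore ends up on the `InsecureTLSConfiguration` return with nothing recorded about the ignored certificate settings. Consider rejecting that combination in the CRD validation, or logging it or setting a status condition in the first `case`. At minimum the function comment should state the contract, e.g. `// buildTLSConfiguration returns the tls.Config for the Grafana CR; spec.client.tls takes precedence over the deprecated spec.external.tls, and a nil result means no TLS settings were given.` The removed `grafana.IsInternal()` guard also means these settings now apply to operator-managed instances, which is worth a sentence in the same comment; the function body continues outside the hunk.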
Expand Up @@ -67,6 +67,32 @@ spec:
timeout:
nullable: true
type: integer
tls:
description: TLS Configuration used to talk with the grafana instance.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
information
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which
the secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
insecureSkipVerify:
description: Disable the CA check of the server
type: boolean
type: object
x-kubernetes-validations:
- message: insecureSkipVerify and certSecretRef cannot be set
at the same time
rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
|| (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
type: object
config:
additionalProperties:
Expand Down Expand Up @@ -8224,8 +8250,7 @@ spec:
type: object
x-kubernetes-map-type: atomic
tls:
description: TLS Configuration used to talk with the external
grafana instance.
description: DEPRECATED, use top level `tls` instead.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
29 changes: 27 additions & 2 deletions deploy/kustomize/base/crds.yaml
Expand Up @@ -1853,6 +1853,32 @@ spec:
timeout:
nullable: true
type: integer
tls:
description: TLS Configuration used to talk with the grafana instance.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
information
properties:
name:
description: name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: namespace defines the space within which
the secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
insecureSkipVerify:
description: Disable the CA check of the server
type: boolean
type: object
x-kubernetes-validations:
- message: insecureSkipVerify and certSecretRef cannot be set
at the same time
rule: (has(self.insecureSkipVerify) && !(has(self.certSecretRef)))
|| (has(self.certSecretRef) && !(has(self.insecureSkipVerify)))
type: object
config:
additionalProperties:
Expand Down Expand Up @@ -10010,8 +10036,7 @@ spec:
type: object
x-kubernetes-map-type: atomic
tls:
description: TLS Configuration used to talk with the external
grafana instance.
description: DEPRECATED, use top level `tls` instead.
properties:
certSecretRef:
description: Use a secret as a reference to give TLS Certificate
81 changes: 79 additions & 2 deletions docs/docs/api.md
Expand Up @@ -3758,6 +3758,83 @@ Client defines how the grafana-operator talks to the grafana instance.
<br/>
</td>
<td>false</td>
</tr><tr>
<td><b><a href="#grafanaspecclienttls">tls</a></b></td>
<td>object</td>
<td>
TLS Configuration used to talk with the grafana instance.<br/>
<br/>
<i>Validations</i>:<li>(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))): insecureSkipVerify and certSecretRef cannot be set at the same time</li>
</td>
<td>false</td>
</tr></tbody>
</table>


### Grafana.spec.client.tls
<sup><sup>[↩ Parent](#grafanaspecclient)</sup></sup>



TLS Configuration used to talk with the grafana instance.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b><a href="#grafanaspecclienttlscertsecretref">certSecretRef</a></b></td>
<td>object</td>
<td>
Use a secret as a reference to give TLS Certificate information<br/>
</td>
<td>false</td>
</tr><tr>
<td><b>insecureSkipVerify</b></td>
<td>boolean</td>
<td>
Disable the CA check of the server<br/>
</td>
<td>false</td>
</tr></tbody>
</table>


### Grafana.spec.client.tls.certSecretRef
<sup><sup>[↩ Parent](#grafanaspecclienttls)</sup></sup>



Use a secret as a reference to give TLS Certificate information

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>name</b></td>
<td>string</td>
<td>
name is unique within a namespace to reference a secret resource.<br/>
</td>
<td>false</td>
</tr><tr>
<td><b>namespace</b></td>
<td>string</td>
<td>
namespace defines the space within which the secret name must be unique.<br/>
</td>
<td>false</td>
</tr></tbody>
</table>

Expand Down Expand Up @@ -19465,7 +19542,7 @@ External enables you to configure external grafana instances that is not managed
<td><b><a href="#grafanaspecexternaltls">tls</a></b></td>
<td>object</td>
<td>
TLS Configuration used to talk with the external grafana instance.<br/>
DEPRECATED, use top level `tls` instead.<br/>
<br/>
<i>Validations</i>:<li>(has(self.insecureSkipVerify) && !(has(self.certSecretRef))) || (has(self.certSecretRef) && !(has(self.insecureSkipVerify))): insecureSkipVerify and certSecretRef cannot be set at the same time</li>
</td>
Expand Down Expand Up @@ -19620,7 +19697,7 @@ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/nam



TLS Configuration used to talk with the external grafana instance.
DEPRECATED, use top level `tls` instead.

<table>
<thead>
Expand Up @@ -2,6 +2,10 @@
title: "Add TLS management block in Grafana CR External block"
linkTitle: "Add TLS management block in Grafana CR External block"
---
{{% pageinfo color="info" %}}
TLS settings are top level options (`spec.client.tls`) as of [#1690](https://github.com/grafana/grafana-operator/pull/1690) and apply to _all_ Grafana instances.
Other than this change, the original proposal still holds
{{% /pageinfo %}}

## Summary

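--- a/tests/e2e/example-test/11-assert.yaml
+++ b/tests/e2e/example-test/11-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+name: grafana-tls
+spec:
+version: 10.4.3
+status:
+(wildcard('https://grafana-tls-service.*:3000', adminUrl || '')): true
+stage: complete
+stageStatus: success
+version: 10.4.3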