operator: Add TLS support for compactor http client

grafana · Nov 4, 2022 · 1ca00ea · 1ca00ea
1 parent e0a7b28
commit 1ca00ea
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/operator/CHANGELOG.md b/operator/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Main
 
+- [7448](https://github.com/grafana/loki/pull/7448) **periklis**: Add TLS support for compactor delete client
 - [7596](https://github.com/grafana/loki/pull/7596) **periklis**: Fix fresh-installs with built-in cert management enabled
 - [7064](https://github.com/grafana/loki/pull/7064) **periklis**: Add support for built-in cert management
 - [7471](https://github.com/grafana/loki/pull/7471) **aminesnow**: Expose and migrate query_timeout in limits config

diff --git a/operator/internal/manifests/querier.go b/operator/internal/manifests/querier.go
@@ -225,6 +225,14 @@ func configureQuerierHTTPServicePKI(deployment *appsv1.Deployment, opts Options)
 func configureQuerierGRPCServicePKI(deployment *appsv1.Deployment, opts Options) error {
 	secretContainerSpec := corev1.Container{
 		Args: []string{
+			// Enable HTTP over TLS for compactor delete client
+			"-boltdb.shipper.compactor.client.tls-enabled=true",
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(opts.Name), opts.Namespace)),
 			// Enable GRPC over TLS for ingester client
 			"-ingester.client.tls-enabled=true",
 			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),

diff --git a/operator/internal/manifests/ruler.go b/operator/internal/manifests/ruler.go
@@ -301,6 +301,14 @@ func configureRulerHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options)
 func configureRulerGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
 	secretContainerSpec := corev1.Container{
 		Args: []string{
+			// Enable HTTP over TLS for compactor delete client
+			"-boltdb.shipper.compactor.client.tls-enabled=true",
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
+			fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(opts.Name), opts.Namespace)),
 			// Enable GRPC over TLS for boltb-shipper index-gateway client
 			"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
 			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=%s", opts.TLSCipherSuites()),

diff --git a/operator/internal/manifests/service_test.go b/operator/internal/manifests/service_test.go
@@ -653,6 +653,13 @@ func TestServices_WithEncryption(t *testing.T) {
 				fmt.Sprintf("-querier.frontend-client.tls-server-name=%s", fqdn(serviceNameQueryFrontendGRPC(stackName), stackNs)),
 				"-querier.frontend-client.tls-min-version=VersionTLS12",
 				"-querier.frontend-client.tls-cipher-suites=cipher1,cipher2",
+				"-boltdb.shipper.compactor.client.tls-enabled=true",
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(stackName), stackNs)),
+				"-boltdb.shipper.compactor.client.tls-min-version=VersionTLS12",
+				"-boltdb.shipper.compactor.client.tls-cipher-suites=cipher1,cipher2",
 				"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
 				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
 				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
@@ -814,6 +821,13 @@ func TestServices_WithEncryption(t *testing.T) {
 			desc:      "ruler",
 			buildFunc: BuildRuler,
 			wantArgs: []string{
+				"-boltdb.shipper.compactor.client.tls-enabled=true",
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-ca-path=%s", signingCAPath()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
+				fmt.Sprintf("-boltdb.shipper.compactor.client.tls-server-name=%s", fqdn(serviceNameCompactorHTTP(stackName), stackNs)),
+				"-boltdb.shipper.compactor.client.tls-min-version=VersionTLS12",
+				"-boltdb.shipper.compactor.client.tls-cipher-suites=cipher1,cipher2",
 				"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
 				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
 				fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),