grafana · periklis · Nov 23, 2022 · Nov 18, 2022 · Nov 18, 2022 · Nov 18, 2022
@@ -2,7 +2,6 @@ package manifests
 
 import (
 	"fmt"
-	"strings"
 	"testing"
 
 	"github.com/ViaQ/logerr/v2/kverrors"
@@ -348,14 +347,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			HTTPEncryption: true,
 		},
 	}
-	ciphers := strings.Join([]string{
-		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-	}, ",")
 
 	err := ApplyDefaultSettings(&opts)
 	require.NoError(t, err)
@@ -369,7 +360,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			name string
 			vs   []corev1.Volume
 			vms  []corev1.VolumeMount
-			args []string
 			rps  corev1.URIScheme
 			lps  corev1.URIScheme
 		)
@@ -379,14 +369,12 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		case *appsv1.StatefulSet:
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		default:
@@ -411,10 +399,6 @@ func TestBuildAll_WithFeatureGates_HTTPEncryption(t *testing.T) {
 		}
 		require.Contains(t, vms, expVolumeMount)
 
-		require.Contains(t, args, "-server.tls-min-version=VersionTLS12")
-		require.Contains(t, args, fmt.Sprintf("-server.tls-cipher-suites=%s", ciphers))
-		require.Contains(t, args, "-server.http-tls-cert-path=/var/run/tls/http/server/tls.crt")
-		require.Contains(t, args, "-server.http-tls-key-path=/var/run/tls/http/server/tls.key")
 		require.Equal(t, corev1.URISchemeHTTPS, rps)
 		require.Equal(t, corev1.URISchemeHTTPS, lps)
 	}
@@ -448,7 +432,6 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 			name string
 			vs   []corev1.Volume
 			vms  []corev1.VolumeMount
-			args []string
 			rps  corev1.URIScheme
 			lps  corev1.URIScheme
 		)
@@ -458,14 +441,12 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		case *appsv1.StatefulSet:
 			name = o.Name
 			vs = o.Spec.Template.Spec.Volumes
 			vms = o.Spec.Template.Spec.Containers[0].VolumeMounts
-			args = o.Spec.Template.Spec.Containers[0].Args
 			rps = o.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme
 			lps = o.Spec.Template.Spec.Containers[0].LivenessProbe.ProbeHandler.HTTPGet.Scheme
 		default:
@@ -490,8 +471,6 @@ func TestBuildAll_WithFeatureGates_ServiceMonitorTLSEndpoints(t *testing.T) {
 		}
 		require.Contains(t, vms, expVolumeMount)
 
-		require.Contains(t, args, "-server.http-tls-cert-path=/var/run/tls/http/server/tls.crt")
-		require.Contains(t, args, "-server.http-tls-key-path=/var/run/tls/http/server/tls.key")
 		require.Equal(t, corev1.URISchemeHTTPS, rps)
 		require.Equal(t, corev1.URISchemeHTTPS, lps)
 	}
@@ -602,15 +581,6 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {
 		"test-ruler":         "test-ruler-grpc",
 	}
 
-	ciphers := strings.Join([]string{
-		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-	}, ",")
-
 	for _, tst := range table {
 		tst := tst
 		t.Run(tst.desc, func(t *testing.T) {
@@ -643,12 +613,6 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {
 
 				t.Run(name, func(t *testing.T) {
 					secretName := secretsMap[name]
-					args := []string{
-						"-server.grpc-tls-cert-path=/var/run/tls/grpc/server/tls.crt",
-						"-server.grpc-tls-key-path=/var/run/tls/grpc/server/tls.key",
-						"-server.tls-min-version=VersionTLS12",
-						fmt.Sprintf("-server.tls-cipher-suites=%s", ciphers),
-					}
 
 					vm := corev1.VolumeMount{
 						Name:      secretName,
@@ -666,11 +630,9 @@ func TestBuildAll_WithFeatureGates_GRPCEncryption(t *testing.T) {
 					}
 
 					if tst.BuildOptions.Gates.GRPCEncryption {
-						require.Subset(t, spec.Containers[0].Args, args)
 						require.Contains(t, spec.Containers[0].VolumeMounts, vm)
 						require.Contains(t, spec.Volumes, v)
 					} else {
-						require.NotSubset(t, spec.Containers[0].Args, args)
 						require.NotContains(t, spec.Containers[0].VolumeMounts, vm)
 						require.NotContains(t, spec.Volumes, v)
 					}

@@ -119,13 +119,6 @@ func NewCompactorStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}
 
-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Compactor != nil {
 		podSpec.Tolerations = opts.Stack.Template.Compactor.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Compactor.NodeSelector
@@ -241,7 +234,7 @@ func NewCompactorHTTPService(opts Options) *corev1.Service {
 
 func configureCompactorHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameCompactorHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }
 
 func configureCompactorGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {

@@ -81,7 +81,35 @@ func ConfigOptions(opt Options) config.Options {
 	}
 
 	return config.Options{
-		Stack:     opt.Stack,
+		Stack: opt.Stack,
+		Gates: opt.Gates,
+		TLS: config.TLSOptions{
+			Ciphers:       opt.TLSProfile.Ciphers,
+			MinTLSVersion: opt.TLSProfile.MinTLSVersion,
+			Paths: config.TLSFilePaths{
+				CA: signingCAPath(),
+				GRPC: config.TLSCertPath{
+					Certificate: lokiServerGRPCTLSCert(),
+					Key:         lokiServerGRPCTLSKey(),
+				},
+				HTTP: config.TLSCertPath{
+					Certificate: lokiServerHTTPTLSCert(),
+					Key:         lokiServerHTTPTLSKey(),
+				},
+			},
+			ServerNames: config.TLSServerNames{
+				GRPC: config.GRPCServerNames{
+					IndexGateway:  fqdn(serviceNameIndexGatewayGRPC(opt.Name), opt.Namespace),
+					Ingester:      fqdn(serviceNameIngesterGRPC(opt.Name), opt.Namespace),
+					QueryFrontend: fqdn(serviceNameQueryFrontendGRPC(opt.Name), opt.Namespace),
+					Ruler:         fqdn(serviceNameRulerGRPC(opt.Name), opt.Namespace),
+				},
+				HTTP: config.HTTPServerNames{
+					Compactor: fqdn(serviceNameCompactorHTTP(opt.Name), opt.Namespace),
+					Querier:   fqdn(serviceNameQuerierHTTP(opt.Name), opt.Namespace),
+				},
+			},
+		},
 		Namespace: opt.Namespace,
 		Name:      opt.Name,
 		Compactor: config.Address{

@@ -6,8 +6,6 @@ import (
 
 	"github.com/grafana/loki/operator/internal/manifests/internal/config"
 
-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -115,13 +113,6 @@ func NewDistributorDeployment(opts Options) *appsv1.Deployment {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}
 
-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Distributor != nil {
 		podSpec.Tolerations = opts.Stack.Template.Distributor.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Distributor.NodeSelector
@@ -218,27 +209,10 @@ func NewDistributorHTTPService(opts Options) *corev1.Service {
 
 func configureDistributorHTTPServicePKI(deployment *appsv1.Deployment, opts Options) error {
 	serviceName := serviceNameDistributorHTTP(opts.Name)
-	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }
 
 func configureDistributorGRPCServicePKI(deployment *appsv1.Deployment, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&deployment.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameDistributorGRPC(opts.Name)
 	return configureGRPCServicePKI(&deployment.Spec.Template.Spec, serviceName)
 }
@@ -119,13 +119,6 @@ func NewIndexGatewayStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}
 
-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.IndexGateway != nil {
 		podSpec.Tolerations = opts.Stack.Template.IndexGateway.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.IndexGateway.NodeSelector
@@ -242,7 +235,7 @@ func NewIndexGatewayHTTPService(opts Options) *corev1.Service {
 
 func configureIndexGatewayHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameIndexGatewayHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }
 
 func configureIndexGatewayGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {

@@ -7,8 +7,6 @@ import (
 	"github.com/grafana/loki/operator/internal/manifests/internal/config"
 	"github.com/grafana/loki/operator/internal/manifests/storage"
 
-	"github.com/ViaQ/logerr/v2/kverrors"
-	"github.com/imdario/mergo"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -131,13 +129,6 @@ func NewIngesterStatefulSet(opts Options) *appsv1.StatefulSet {
 		SecurityContext: podSecurityContext(opts.Gates.RuntimeSeccompProfile),
 	}
 
-	if opts.Gates.HTTPEncryption || opts.Gates.GRPCEncryption {
-		podSpec.Containers[0].Args = append(podSpec.Containers[0].Args,
-			fmt.Sprintf("-server.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-server.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-		)
-	}
-
 	if opts.Stack.Template != nil && opts.Stack.Template.Ingester != nil {
 		podSpec.Tolerations = opts.Stack.Template.Ingester.Tolerations
 		podSpec.NodeSelector = opts.Stack.Template.Ingester.NodeSelector
@@ -271,35 +262,10 @@ func NewIngesterHTTPService(opts Options) *corev1.Service {
 
 func configureIngesterHTTPServicePKI(statefulSet *appsv1.StatefulSet, opts Options) error {
 	serviceName := serviceNameIngesterHTTP(opts.Name)
-	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName, opts.TLSProfile.MinTLSVersion, opts.TLSCipherSuites())
+	return configureHTTPServicePKI(&statefulSet.Spec.Template.Spec, serviceName)
 }
 
 func configureIngesterGRPCServicePKI(sts *appsv1.StatefulSet, opts Options) error {
-	secretContainerSpec := corev1.Container{
-		Args: []string{
-			// Enable GRPC over TLS for ingester client
-			"-ingester.client.tls-enabled=true",
-			fmt.Sprintf("-ingester.client.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-ingester.client.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-ingester.client.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-ingester.client.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-ingester.client.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-ingester.client.tls-server-name=%s", fqdn(serviceNameIngesterGRPC(opts.Name), opts.Namespace)),
-			// Enable GRPC over TLS for boltb-shipper index-gateway client
-			"-boltdb.shipper.index-gateway-client.grpc.tls-enabled=true",
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cipher-suites=%s", opts.TLSCipherSuites()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-min-version=%s", opts.TLSProfile.MinTLSVersion),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-ca-path=%s", signingCAPath()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-cert-path=%s", lokiServerGRPCTLSCert()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-key-path=%s", lokiServerGRPCTLSKey()),
-			fmt.Sprintf("-boltdb.shipper.index-gateway-client.grpc.tls-server-name=%s", fqdn(serviceNameIndexGatewayGRPC(opts.Name), opts.Namespace)),
-		},
-	}
-
-	if err := mergo.Merge(&sts.Spec.Template.Spec.Containers[0], secretContainerSpec, mergo.WithAppendSlice); err != nil {
-		return kverrors.Wrap(err, "failed to merge container")
-	}
-
 	serviceName := serviceNameIngesterGRPC(opts.Name)
 	return configureGRPCServicePKI(&sts.Spec.Template.Spec, serviceName)
 }