feat: Add TLS config to Perses client and mount certs to Deployment a…

…nd StatefulSet

Signed-off-by: Douglass Kirkley <doug.kirkley@gmail.com>

api/v1alpha1/perses_types.go

@@ -26,8 +26,14 @@ type PersesSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Metadata *Metadata `json:"metadata,omitempty"`
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Client perses client configuration
+	Client Client `json:"client,omitempty"`
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Config PersesConfig `json:"config,omitempty"`
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Args extra arguments to pass to perses
+	Args []string `json:"args,omitempty"`
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	ContainerPort int32 `json:"containerPort,omitempty"`
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Replicas *int32 `json:"replicas,omitempty"`
@@ -45,6 +51,40 @@ type Metadata struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
+type Client struct {
+	// +optional
+	// TLS the equivalent to the tls_config for perses client
+	TLS *TLS `json:"tls,omitempty"`
+}
+
+type TLS struct {
+	Enable             bool        `json:"enable"`
+	InsecureSkipVerify bool        `json:"insecureSkipVerify"`
+	CaCert             Certificate `json:"caCert"`
+	// +optional
+	UserCert *Certificate `json:"userCert,omitempty"`
+}
+
+// CertificateType types of certificate sources in k8s
+type CertificateType string
+
+const (
+	CertificateTypeSecret    CertificateType = "secret"
+	CertificateTypeConfigMap CertificateType = "configmap"
+)
+
+type Certificate struct {
+	// +kubebuilder:validation:Enum:={"secret", "configmap"}
+	// Type source type of certificate
+	Type CertificateType `json:"type"`
+	// Name of certificate k8s resource
+	Name string `json:"name"`
+	// CertFile path to certificate
+	CertFile string `json:"certFile"`
+	// CertKeyFile path to certificate key file
+	CertKeyFile string `json:"certKeyFile"`
+}
+
 // PersesStatus defines the observed state of Perses
 type PersesStatus struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=status

config/crd/bases/perses.dev_perses.yaml

@@ -959,6 +959,73 @@ spec:
                         x-kubernetes-list-type: atomic
                     type: object
                 type: object
+              args:
+                description: Args extra arguments to pass to perses
+                items:
+                  type: string
+                type: array
+              client:
+                description: Client perses client configuration
+                properties:
+                  tls:
+                    description: TLS the equivalent to the tls_config for perses client
+                    properties:
+                      caCert:
+                        properties:
+                          certFile:
+                            description: CertFile path to certificate
+                            type: string
+                          certKeyFile:
+                            description: CertKeyFile path to certificate key file
+                            type: string
+                          name:
+                            description: Name of certificate k8s resource
+                            type: string
+                          type:
+                            description: Type source type of certificate
+                            enum:
+                            - secret
+                            - configmap
+                            type: string
+                        required:
+                        - certFile
+                        - certKeyFile
+                        - name
+                        - type
+                        type: object
+                      enable:
+                        type: boolean
+                      insecureSkipVerify:
+                        type: boolean
+                      userCert:
+                        properties:
+                          certFile:
+                            description: CertFile path to certificate
+                            type: string
+                          certKeyFile:
+                            description: CertKeyFile path to certificate key file
+                            type: string
+                          name:
+                            description: Name of certificate k8s resource
+                            type: string
+                          type:
+                            description: Type source type of certificate
+                            enum:
+                            - secret
+                            - configmap
+                            type: string
+                        required:
+                        - certFile
+                        - certKeyFile
+                        - name
+                        - type
+                        type: object
+                    required:
+                    - caCert
+                    - enable
+                    - insecureSkipVerify
+                    type: object
+                type: object
               config:
                 properties:
                   api_prefix:

config/samples/perses.dev_v1alpha1_perses_tls.yaml

@@ -0,0 +1,39 @@
+apiVersion: perses.dev/v1alpha1
+kind: Perses
+metadata:
+  labels:
+    app.kubernetes.io/name: perses
+    app.kubernetes.io/instance: perses-tls-sample
+    app.kubernetes.io/part-of: perses-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: perses-operator
+  name: perses-tls-sample
+  namespace: perses-dev
+spec:
+  client:
+    tls:
+      enable: true
+      caCert:
+        type: secret
+        name: perses-certs
+        certFile: ca.crt
+      userCert:
+        type: secret
+        name: perses-certs
+        certFile: tls.crt
+        certKeyFile: tls.key
+
+  config:
+    database:
+      file:
+        folder: "/etc/perses/storage"
+        extension: "yaml"
+    schemas:
+      panels_path: "/etc/perses/cue/schemas/panels"
+      queries_path: "/etc/perses/cue/schemas/queries"
+      datasources_path: "/etc/perses/cue/schemas/datasources"
+      variables_path: "/etc/perses/cue/schemas/variables"
+    ephemeral_dashboard:
+      enable: false
+      cleanup_interval: "1s"
+  containerPort: 8080

controllers/perses/deployment_controller.go

@@ -29,7 +29,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -119,7 +118,6 @@ func (r *PersesReconciler) reconcileDeployment(ctx context.Context, req ctrl.Req
 
 func (r *PersesReconciler) createPersesDeployment(
 	perses *v1alpha1.Perses) (*appsv1.Deployment, error) {
-	configName := common.GetConfigName(perses.Name)
 
 	ls, err := common.LabelsForPerses(r.Config.PersesImage, perses.Name, perses.Name, perses.Spec.Metadata)
 	if err != nil {
@@ -179,54 +177,10 @@ func (r *PersesReconciler) createPersesDeployment(
 							ContainerPort: perses.Spec.ContainerPort,
 							Name:          "perses",
 						}},
-						VolumeMounts: []corev1.VolumeMount{
-							// TODO: check if perses supports passing certificates for TLS
-							// {
-							// 	Name:      "serving-cert",
-							// 	ReadOnly:  true,
-							// 	MountPath: "/var/serving-cert",
-							// },
-							{
-								Name:      "config",
-								ReadOnly:  true,
-								MountPath: "/perses/config",
-							},
-							{
-								Name:      "storage",
-								ReadOnly:  false,
-								MountPath: "/etc/perses/storage",
-							},
-						},
-						Args: []string{"--config=/perses/config/config.yaml"},
+						VolumeMounts: common.GetVolumeMounts(perses.Spec.Client.TLS),
+						Args:         common.GetPersesArgs(perses.Spec.Client.TLS, perses.Spec.Args),
 					}},
-					Volumes: []corev1.Volume{
-						{
-							Name: "config",
-							VolumeSource: corev1.VolumeSource{
-								ConfigMap: &corev1.ConfigMapVolumeSource{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: configName,
-									},
-									DefaultMode: ptr.To[int32](420),
-								},
-							},
-						},
-						{
-							Name: "storage",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{},
-							},
-						},
-						// {
-						// 	Name: "serving-cert",
-						// 	VolumeSource: corev1.VolumeSource{
-						// 		Secret: &corev1.SecretVolumeSource{
-						// 			SecretName:  "perses-serving-cert",
-						// 			DefaultMode: &[]int32{420}[0],
-						// 		},
-						// 	},
-						// },
-					},
+					Volumes:       common.GetVolumes(perses.Name, perses.Spec.Client.TLS),
 					RestartPolicy: "Always",
 					DNSPolicy:     "ClusterFirst",
 				},

controllers/perses/statefulset_controller.go

@@ -30,7 +30,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -121,7 +120,6 @@ func (r *PersesReconciler) reconcileStatefulSet(ctx context.Context, req ctrl.Re
 
 func (r *PersesReconciler) createPersesStatefulSet(
 	perses *v1alpha1.Perses) (*appsv1.StatefulSet, error) {
-	configName := common.GetConfigName(perses.Name)
 
 	ls, err := common.LabelsForPerses(r.Config.PersesImage, perses.Name, perses.Name, perses.Spec.Metadata)
 	if err != nil {
@@ -183,48 +181,10 @@ func (r *PersesReconciler) createPersesStatefulSet(
 							ContainerPort: perses.Spec.ContainerPort,
 							Name:          "perses",
 						}},
-						VolumeMounts: []corev1.VolumeMount{
-							// TODO: check if perses supports passing certificates for TLS
-							// {
-							// 	Name:      "serving-cert",
-							// 	ReadOnly:  true,
-							// 	MountPath: "/var/serving-cert",
-							// },
-							{
-								Name:      "config",
-								ReadOnly:  true,
-								MountPath: "/perses/config",
-							},
-							{
-								Name:      storageName,
-								ReadOnly:  false,
-								MountPath: "/etc/perses/storage",
-							},
-						},
-						Args: []string{"--config=/perses/config/config.yaml"},
+						VolumeMounts: common.GetVolumeMounts(perses.Spec.Client.TLS),
+						Args:         common.GetPersesArgs(perses.Spec.Client.TLS, perses.Spec.Args),
 					}},
-					Volumes: []corev1.Volume{
-						{
-							Name: "config",
-							VolumeSource: corev1.VolumeSource{
-								ConfigMap: &corev1.ConfigMapVolumeSource{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: configName,
-									},
-									DefaultMode: ptr.To[int32](420),
-								},
-							},
-						},
-						// {
-						// 	Name: "serving-cert",
-						// 	VolumeSource: corev1.VolumeSource{
-						// 		Secret: &corev1.SecretVolumeSource{
-						// 			SecretName:  "perses-serving-cert",
-						// 			DefaultMode: &[]int32{420}[0],
-						// 		},
-						// 	},
-						// },
-					},
+					Volumes:       common.GetVolumes(perses.Name, perses.Spec.Client.TLS),
 					RestartPolicy: "Always",
 					DNSPolicy:     "ClusterFirst",
 				},