feat: add MTLS.permissiveMetrics to optionally enable Istio permissive mo… #889

Merged
merged 1 commit into from
Jan 28, 2025
5 changes: 5 additions & 0 deletions api/v1beta1/temporalcluster_types.go
Expand Up @@ -715,6 +715,11 @@ type MTLSSpec struct {
// Useless if mTLS provider is not cert-manager.
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
// PermissiveMetrics allows insecure HTTP requests to the metrics endpoint.
// This is handy if the metrics collector does not support mTLS.
// Useless if mTLS provider is not istio
// +optional
PermissiveMetrics bool `json:"permissiveMetrics"`
}

func (m *MTLSSpec) InternodeEnabled() bool {
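Review bot: `PermissiveMetrics bool `json:"permissiveMetrics"`` is marked `+optional` but its json tag lacks `omitempty`, unlike the neighbouring `RenewBefore *metav1.Duration `json:"renewBefore,omitempty"``; add it for consistency with the rest of MTLSSpec. The doc comment should also say what the reader is opting into: the metrics port accepts plaintext as well as mTLS, so any client that can reach the pod can scrape it without client authentication. A trailing period and "Istio" capitalised would match the cert-manager comment directly above, and since the CRD YAML and the API markdown are generated from this comment, fixing the wording here fixes all three files.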
6 changes: 6 additions & 0 deletions config/crd/bases/temporal.io_temporalclusters.yaml
Expand Up @@ -643,6 +643,12 @@ spec:
description: Enabled defines if the operator should enable mTLS for network between cluster nodes.
type: boolean
type: object
permissiveMetrics:
description: |-
PermissiveMetrics allows insecure HTTP requests to the metrics endpoint.
This is handy if the metrics collector does not support mTLS.
Useless if mTLS provider is not istio
type: boolean
provider:
default: cert-manager
description: Provider defines the tool used to manage mTLS certificates.
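Review bot: this is a generated file, so the description text (missing full stop, lowercase "istio") should be corrected in the Go comment in temporalcluster_types.go and regenerated rather than edited by hand. Also, unlike `provider`, which declares `default: cert-manager`, `permissiveMetrics` declares no default; `false` is implied by the Go bool, but an explicit `default: false` (a `+kubebuilder:default=false` marker on the field) makes the secure-by-default behaviour visible to anyone reading the CRD rather than the source.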
18 changes: 16 additions & 2 deletions docs/api/v1beta1.md
Expand Up @@ -2056,6 +2056,20 @@ issued certificate’s duration. Minimum accepted value is 5 minutes.
Useless if mTLS provider is not cert-manager.</p>
</td>
</tr>
<tr>
<td>
<code>permissiveMetrics</code><br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>PermissiveMetrics allows insecure HTTP requests to the metrics endpoint.
This is handy if the metrics collector does not support mTLS.
Useless if mTLS provider is not istio</p>
</td>
</tr>
</tbody>
</table>
</div>
Expand Down Expand Up @@ -2388,7 +2402,7 @@ map[string]string
<td>
<code>override</code><br>
<em>
<a href="https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.ServiceMonitorSpec">
<a href="https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.ServiceMonitorSpec">
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.ServiceMonitorSpec
</a>
</em>
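Review bot: the link rewrite in the `override` row from `https://prometheus-operator.dev/docs/api-reference/api/` to `https://prometheus-operator.dev/docs/operator/api/` is unrelated to permissiveMetrics and looks like a side effect of regenerating the API docs with a different version of the doc-generation template; either confirm the new URL resolves and call the change out in the commit, or drop these link hunks from the PR so the diff stays scoped to the feature.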
Expand All @@ -2403,7 +2417,7 @@ All fields can be overwritten except &ldquo;endpoints&rdquo;, &ldquo;selector&rd
<td>
<code>metricRelabelings</code><br>
<em>
<a href="https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig">
<a href="https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.RelabelConfig">
[]github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.RelabelConfig
</a>
</em>
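Review bot: same drive-by link change in the `metricRelabelings` row as in the `override` row above; keep or drop the two together.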
15 changes: 14 additions & 1 deletion docs/features/mtls/istio.md
Expand Up @@ -16,4 +16,17 @@ spec:
# [...]
```

The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.
The Operator creates for each temporal services a `DestinationRule` and a `PeerAuthentication`. They both ensure mutual and strict mTLS.

## Allowing permissive mTLS for metrics

If your metrics collector isn't using Istio or is otherwise unable to connect using mTLS, you can enable permissive mode for the metrics port.

```yaml
spec:
# [...]
mTLS:
provider: istio
permissiveMetrics: true
# [...]
```
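Review bot: the new "Allowing permissive mTLS for metrics" section recommends the setting without saying what it does: the Prometheus listen port will then accept both mTLS and plaintext connections, so any client that can reach the pod, with or without a sidecar, can scrape metrics with no client authentication, while the rest of the service stays STRICT. Suggest adding that sentence, a pointer to limiting who can reach the port (an Istio AuthorizationPolicy or a NetworkPolicy scoped to the collector), and a note that the flag has no effect unless Prometheus metrics are enabled with a listen port, which is what the builder keys on. Two nits on the surrounding lines: the removed and re-added sentence differs only in its trailing newline and is diff noise, and "for each temporal services" should read "for each Temporal service".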
10 changes: 10 additions & 0 deletions internal/resource/mtls/istio/peer_authentication_builder.go
Expand Up @@ -78,6 +78,16 @@ func (b *PeerAuthenticationBuilder) Update(object client.Object) error {
},
}

if b.instance.Spec.Metrics.IsEnabled() && b.instance.Spec.MTLS.PermissiveMetrics {
if b.instance.Spec.Metrics.Prometheus != nil && b.instance.Spec.Metrics.Prometheus.ListenPort != nil {
pa.Spec.PortLevelMtls = map[uint32]*istioapisecurityv1beta1.PeerAuthentication_MutualTLS{
uint32(*b.instance.Spec.Metrics.Prometheus.ListenPort): { //nolint:gosec
Mode: istioapisecurityv1beta1.PeerAuthentication_MutualTLS_PERMISSIVE,
},
}
}
}

if err := controllerutil.SetControllerReference(b.instance, pa, b.scheme); err != nil {
return fmt.Errorf("failed setting controller reference: %w", err)
}
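Review bot: when `PermissiveMetrics` is true but `Spec.Metrics.Prometheus` or its `ListenPort` is nil, the inner `if` silently skips the port-level override and the user is left with `permissiveMetrics: true` in the spec and a port that is still STRICT; reject that combination in validation, or at least surface it through a status condition or log line, so it is not debugged from the Prometheus side. Two smaller points: the `//nolint:gosec` on `uint32(*b.instance.Spec.Metrics.Prometheus.ListenPort)` suppresses the integer-conversion lint where a range check that the port is within 1..65535 before the cast would document the invariant and make the directive unnecessary; and Istio only honours `portLevelMtls` on a PeerAuthentication that carries a workload `selector`, so confirm the builder sets one (the closing braces just above the new block suggest it, but they are outside this hunk), otherwise the override is ignored.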