fix: mount cert and ca to tempo-query (#1038)

* fix: mount cert and ca to tempo-query Signed-off-by: Benedikt Bongartz <[email protected]> * mtls: match container idx based on containername Signed-off-by: Benedikt Bongartz <[email protected]> --------- Signed-off-by: Benedikt Bongartz <[email protected]>
grafana · Sep 26, 2024 · 0c5313e · 0c5313e
1 parent cb3be90
commit 0c5313e
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 5 deletions.
diff --git a/.chloggen/fix_tls_tempo-query.yaml b/.chloggen/fix_tls_tempo-query.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack, tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Mount CA and Certs to tempo-query when tls is enabled.
+
+# One or more tracking issues related to the change
+issues: [1038]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/internal/manifests/queryfrontend/query_frontend.go b/internal/manifests/queryfrontend/query_frontend.go
@@ -30,6 +30,12 @@ const (
 	thanosQuerierOpenShiftMonitoring = "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091"
 )
 
+const (
+	containerNameTempo       = "tempo"
+	containerNameJaegerQuery = "jaeger-query"
+	containerNameTempoQuery  = "tempo-query"
+)
+
 // BuildQueryFrontend creates the query-frontend objects.
 func BuildQueryFrontend(params manifestutils.Params) ([]client.Object, error) {
 	var manifests []client.Object
@@ -48,11 +54,21 @@ func BuildQueryFrontend(params manifestutils.Params) ([]client.Object, error) {
 
 	if gates.HTTPEncryption || gates.GRPCEncryption {
 		caBundleName := naming.SigningCABundleName(tempo.Name)
-		if err := manifestutils.ConfigureServiceCA(&d.Spec.Template.Spec, caBundleName, 0, 1); err != nil {
+		targetContainers := map[string]struct{}{
+			containerNameTempo:      {},
+			containerNameTempoQuery: {},
+		}
+		targets := []int{}
+		for i, c := range d.Spec.Template.Spec.Containers {
+			if _, exists := targetContainers[c.Name]; exists {
+				targets = append(targets, i)
+			}
+		}
+		if err := manifestutils.ConfigureServiceCA(&d.Spec.Template.Spec, caBundleName, targets...); err != nil {
 			return nil, err
 		}
 
-		err := manifestutils.ConfigureServicePKI(tempo.Name, manifestutils.QueryFrontendComponentName, &d.Spec.Template.Spec, 0, 1)
+		err := manifestutils.ConfigureServicePKI(tempo.Name, manifestutils.QueryFrontendComponentName, &d.Spec.Template.Spec, targets...)
 		if err != nil {
 			return nil, err
 		}
@@ -177,7 +193,7 @@ func deployment(params manifestutils.Params) (*appsv1.Deployment, error) {
 					Affinity:           manifestutils.DefaultAffinity(labels),
 					Containers: []corev1.Container{
 						{
-							Name:  "tempo",
+							Name:  containerNameTempo,
 							Image: tempoImage,
 							Env:   proxy.ReadProxyVarsFromEnv(),
 							Args: []string{
@@ -239,7 +255,7 @@ func deployment(params manifestutils.Params) (*appsv1.Deployment, error) {
 
 	if tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled {
 		jaegerQueryContainer := corev1.Container{
-			Name:  "jaeger-query",
+			Name:  containerNameJaegerQuery,
 			Image: jaegerQueryImage,
 			Env:   proxy.ReadProxyVarsFromEnv(),
 			Args: []string{
@@ -276,7 +292,7 @@ func deployment(params manifestutils.Params) (*appsv1.Deployment, error) {
 		}
 
 		tempoProxyContainer := corev1.Container{
-			Name:  "tempo-query",
+			Name:  containerNameTempoQuery,
 			Image: tempoQueryImage,
 			Env:   proxy.ReadProxyVarsFromEnv(),
 			Args: []string{