Automated cherry pick of #3063: Ev 4104 csr controller (#3010) (#3065)

* Ev 4104 csr controller (#3010) * Create a CSR signer for allowed TLS assets. * Ev 4104 monitor changes (#3049) * Create external prometheus configuration when configured in the Monitor CR. * Scrape typha's metrics when enabled.
tigera · Dec 14, 2023 · aa67f63 · aa67f63
1 parent 62016af
commit aa67f63
Show file tree

Hide file tree

Showing 61 changed files with 2,069 additions and 192 deletions.
diff --git a/api/v1/monitor_types.go b/api/v1/monitor_types.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2022 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2023 Tigera, Inc. All rights reserved.
 /*
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,11 +17,78 @@ limitations under the License.
 package v1
 
 import (
+	v1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // MonitorSpec defines the desired state of Tigera monitor.
 type MonitorSpec struct {
+	// ExternalPrometheus optionally configures integration with an external Prometheus for scraping Calico metrics. When
+	// specified, the operator will render resources in the defined namespace. This option can be useful for configuring
+	// scraping from git-ops tools without the need of post-installation steps.
+	ExternalPrometheus *ExternalPrometheus `json:"externalPrometheus,omitempty"`
+}
+
+type ExternalPrometheus struct {
+	// ServiceMonitor when specified, the operator will create a ServiceMonitor object in the namespace. It is recommended
+	// that you configure labels if you want your prometheus instance to pick up the configuration automatically.
+	// The operator will configure 1 endpoint by default:
+	// - Params to scrape all metrics available in Calico Enterprise.
+	// - BearerTokenSecret (If not overridden, the operator will also create corresponding RBAC that allows authz to the metrics.)
+	// - TLSConfig, containing the caFile and serverName.
+	// +optional
+	ServiceMonitor *ServiceMonitor `json:"serviceMonitor,omitempty"`
+
+	// Namespace is the namespace where the operator will create resources for your Prometheus instance. The namespace
+	// must be created before the operator will create Prometheus resources.
+	// +required
+	Namespace string `json:"namespace"`
+}
+
+type ServiceMonitor struct {
+	// Labels are the metadata.labels of the ServiceMonitor. When combined with spec.serviceMonitorSelector.matchLabels
+	// on your prometheus instance, the service monitor will automatically be picked up.
+	// Default: k8s-app=tigera-prometheus
+	Labels map[string]string `json:"labels,omitempty"`
+
+	// The endpoints to scrape. This struct contains a subset of the Endpoint as defined in the prometheus docs. Fields
+	// related to connecting to our Prometheus server are automatically set by the operator.
+	Endpoints []Endpoint `json:"endpoints,omitempty"`
+}
+
+// Endpoint contains a subset of relevant fields from the Prometheus Endpoint struct.
+type Endpoint struct {
+	// Optional HTTP URL parameters
+	// Default: scrape all metrics.
+	Params map[string][]string `json:"params,omitempty"`
+
+	// Secret to mount to read bearer token for scraping targets.
+	// Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding.
+	BearerTokenSecret corev1.SecretKeySelector `json:"bearerTokenSecret,omitempty"`
+
+	// Interval at which metrics should be scraped.
+	// If not specified Prometheus' global scrape interval is used.
+	Interval v1.Duration `json:"interval,omitempty"`
+
+	// Timeout after which the scrape is ended.
+	// If not specified, the Prometheus global scrape timeout is used unless it is less than `Interval` in which the latter is used.
+	ScrapeTimeout v1.Duration `json:"scrapeTimeout,omitempty"`
+
+	// HonorLabels chooses the metric's labels on collisions with target labels.
+	HonorLabels bool `json:"honorLabels,omitempty"`
+
+	// HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data.
+	HonorTimestamps *bool `json:"honorTimestamps,omitempty"`
+
+	// MetricRelabelConfigs to apply to samples before ingestion.
+	MetricRelabelConfigs []*v1.RelabelConfig `json:"metricRelabelings,omitempty"`
+
+	// RelabelConfigs to apply to samples before scraping.
+	// Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
+	// The original scrape job's name is available via the `__tmp_prometheus_job_name` label.
+	// More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+	RelabelConfigs []*v1.RelabelConfig `json:"relabelings,omitempty"`
 }
 
 // MonitorStatus defines the observed state of Tigera monitor.

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/controllers/controllers.go b/controllers/controllers.go
@@ -143,6 +143,13 @@ func AddToManager(mgr ctrl.Manager, options options.AddOptions) error {
 	}).SetupWithManager(mgr, options); err != nil {
 		return fmt.Errorf("failed to create controller Windows: %v", err)
 	}
+	if err := (&CSRReconciler{
+		Client: mgr.GetClient(),
+		Log:    ctrl.Log.WithName("controllers").WithName("CertificateSigningRequest"),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr, options); err != nil {
+		return fmt.Errorf("failed to create controller %s: %v", "CSR", err)
+	}
 	// +kubebuilder:scaffold:builder
 	return nil
 }
diff --git a/controllers/csr_controller.go b/controllers/csr_controller.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2023 Tigera, Inc. All rights reserved.
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/tigera/operator/pkg/controller/csr"
+	"github.com/tigera/operator/pkg/controller/options"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CSRReconciler reconciles CSRs.
+type CSRReconciler struct {
+	client.Client
+	Log    logr.Logger
+	Scheme *runtime.Scheme
+}
+
+func (r *CSRReconciler) SetupWithManager(mgr ctrl.Manager, opts options.AddOptions) error {
+	return csr.Add(mgr, opts)
+}