TLS WIP

jotak · jotak · commit 5579615f8f31 · 2025-11-06T09:06:35.000+01:00
diff --git a/config/samples/flowmetrics/tls_egress_traffic.yaml b/config/samples/flowmetrics/tls_egress_traffic.yaml
@@ -0,0 +1,37 @@
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: tls-egress-traffic
+  namespace: netobserv
+spec:
+  type: Counter
+  valueField: Bytes
+  labels: [SrcSubnetLabel,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType,DstSubnetLabel,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType,Proto,TLSVersion]
+  direction: Egress
+  filters:
+  - field: SrcK8S_Namespace
+    matchType: Presence
+  charts:
+  - dashboardName: TLS
+    title: "Egress TLS traffic"
+    unit: percent
+    type: SingleStat
+    queries:
+    - promQL: 'sum(rate(netobserv_tls_egress_traffic{TLSVersion!=""}[2m])) / sum(rate(netobserv_tls_egress_traffic[2m]))'
+      legend: ""
+  - dashboardName: TLS
+    sectionName: Per namespace
+    title: Egress traffic without TLS
+    unit: Bps
+    type: StackArea
+    queries:
+    - promQL: 'topk(10, sum(rate(netobserv_tls_egress_traffic{TLSVersion=""}[2m])) by (SrcK8S_Namespace))'
+      legend: "{{SrcK8S_Namespace}}"
+  - dashboardName: TLS
+    sectionName: Per version
+    title: Egress traffic per TLS version
+    unit: Bps
+    type: StackArea
+    queries:
+    - promQL: 'topk(10, sum(rate(netobserv_tls_egress_traffic{TLSVersion!~"|.*0x.*"}[2m])) by (TLSVersion))'
+      legend: "{{TLSVersion}}"
diff --git a/config/samples/flowmetrics/tls_ingress_traffic.yaml b/config/samples/flowmetrics/tls_ingress_traffic.yaml
@@ -0,0 +1,37 @@
+apiVersion: flows.netobserv.io/v1alpha1
+kind: FlowMetric
+metadata:
+  name: tls-ingress-traffic
+  namespace: netobserv
+spec:
+  type: Counter
+  valueField: Bytes
+  labels: [SrcSubnetLabel,SrcK8S_Namespace,SrcK8S_OwnerName,SrcK8S_OwnerType,DstSubnetLabel,DstK8S_Namespace,DstK8S_OwnerName,DstK8S_OwnerType,Proto,TLSVersion]
+  direction: Ingress
+  filters:
+  - field: DstK8S_Namespace
+    matchType: Presence
+  charts:
+  - dashboardName: TLS
+    title: "Ingress TLS traffic"
+    unit: percent
+    type: SingleStat
+    queries:
+    - promQL: 'sum(rate(netobserv_tls_ingress_traffic{TLSVersion!=""}[2m])) / sum(rate(netobserv_tls_ingress_traffic[2m]))'
+      legend: ""
+  - dashboardName: TLS
+    sectionName: Per namespace
+    title: Ingress traffic without TLS
+    unit: Bps
+    type: StackArea
+    queries:
+    - promQL: 'topk(10, sum(rate(netobserv_tls_ingress_traffic{TLSVersion=""}[2m])) by (DstK8S_Namespace))'
+      legend: "{{DstK8S_Namespace}}"
+  - dashboardName: TLS
+    sectionName: Per version
+    title: Ingress traffic per TLS version
+    unit: Bps
+    type: StackArea
+    queries:
+    - promQL: 'topk(10, sum(rate(netobserv_tls_ingress_traffic{TLSVersion!~"|.*0x.*"}[2m])) by (TLSVersion))'
+      legend: "{{TLSVersion}}"
diff --git a/internal/pkg/helper/cardinality/cardinality.json b/internal/pkg/helper/cardinality/cardinality.json
@@ -67,6 +67,7 @@
   "XlatDstAddr": "avoid",
   "Udns": "careful",
   "IPSecStatus": "fine",
+  "TLSVersion": "fine",
   "_RecordType": "fine",
   "_HashId": "avoid"
 }
diff --git a/internal/pkg/metrics/predefined_metrics.go b/internal/pkg/metrics/predefined_metrics.go
@@ -23,9 +23,9 @@ const (
 var (
 	latencyBuckets = []string{".005", ".01", ".02", ".03", ".04", ".05", ".075", ".1", ".25", "1"}
 	mapLabels      = map[string][]string{
-		tagNodes:      {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_HostName", "DstK8S_HostName"},
-		tagNamespaces: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel"},
-		tagWorkloads:  {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "SrcK8S_OwnerName", "DstK8S_OwnerName", "SrcK8S_OwnerType", "DstK8S_OwnerType", "SrcK8S_Type", "DstK8S_Type"},
+		tagNodes:      {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_HostName", "DstK8S_HostName", "TLSVersion"},
+		tagNamespaces: {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "TLSVersion"},
+		tagWorkloads:  {"K8S_ClusterName", "SrcK8S_Zone", "DstK8S_Zone", "SrcK8S_Namespace", "DstK8S_Namespace", "K8S_FlowLayer", "SrcSubnetLabel", "DstSubnetLabel", "SrcK8S_OwnerName", "DstK8S_OwnerName", "SrcK8S_OwnerType", "DstK8S_OwnerType", "SrcK8S_Type", "DstK8S_Type", "TLSVersion"},
 	}
 	mapValueFields = map[string]string{
 		tagBytes:   "Bytes",
@@ -321,6 +321,9 @@ func GetDefinitions(fc *flowslatest.FlowCollectorSpec, allMetrics bool) []metric
 	if !fc.Processor.IsMultiClusterEnabled() {
 		labelsToRemove = append(labelsToRemove, "K8S_ClusterName")
 	}
+	if !fc.Agent.EBPF.IsTLSTrackingEnabled() {
+		labelsToRemove = append(labelsToRemove, "TLSVersion")
+	}
 
 	var filterRecordType *metricslatest.MetricFilter
 	if fc.Processor.LogTypes != nil {

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@`
`67`	`67`	`"XlatDstAddr": "avoid",`
`68`	`68`	`"Udns": "careful",`
`69`	`69`	`"IPSecStatus": "fine",`
	`70`	`+ "TLSVersion": "fine",`
`70`	`71`	`"_RecordType": "fine",`
`71`	`72`	`"_HashId": "avoid"`
`72`	`73`	`}`