send service accounts auth token

netobserv · Jul 22, 2022 · 889ae0f · 889ae0f
1 parent e33031a
commit 889ae0f
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 40 deletions.
diff --git a/api/v1alpha1/flowcollector_types.go b/api/v1alpha1/flowcollector_types.go
@@ -288,6 +288,11 @@ type FlowCollectorLoki struct {
 	// it will be ignored if instanceSpec is specified
 	TenantID string `json:"tenantID,omitempty"`
 
+	//+kubebuilder:default:=false
+	// SendAuthToken is a flag to enable or disable Authorization header from service account secret
+	// It allows authentication to loki operator gateway
+	SendAuthToken bool `json:"sendAuthToken,omitempty"`
+
 	//+kubebuilder:default:="1s"
 	// BatchWait is max time to wait before sending a batch
 	BatchWait metav1.Duration `json:"batchWait,omitempty"`

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -1521,6 +1521,12 @@ spec:
                       If empty, the URL value will be used (assuming that the Loki
                       ingester and querier are int he same host).
                     type: string
+                  sendAuthToken:
+                    default: false
+                    description: SendAuthToken is a flag to enable or disable Authorization
+                      header from service account secret It allows authentication
+                      to loki operator gateway
+                    type: boolean
                   staticLabels:
                     additionalProperties:
                       type: string

diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
@@ -25,6 +25,7 @@ const configMapName = "console-plugin-config"
 const configFile = "config.yaml"
 const configVolume = "config-volume"
 const configPath = "/opt/app-root/"
+const tokensPath = "/var/run/secrets/tokens/"
 
 // PodConfigurationDigest is an annotation name to facilitate pod restart after
 // any external configuration change
@@ -97,18 +98,28 @@ func (b *builder) deployment(cmDigest string) *appsv1.Deployment {
 	}
 }
 
+func tokenPath(desiredLoki *flowsv1alpha1.FlowCollectorLoki) string {
+	if desiredLoki.SendAuthToken {
+		return tokensPath + constants.PluginName
+	}
+	return ""
+}
+
 func buildArgs(desired *flowsv1alpha1.FlowCollectorConsolePlugin, desiredLoki *flowsv1alpha1.FlowCollectorLoki) []string {
-	return []string{
+	args := []string{
 		"-cert", "/var/serving-cert/tls.crt",
 		"-key", "/var/serving-cert/tls.key",
 		"-loki", querierURL(desiredLoki),
 		"-loki-labels", strings.Join(constants.LokiIndexFields, ","),
 		"-loki-tenant-id", desiredLoki.TenantID,
+		"-loki-token-path", tokenPath(desiredLoki),
 		//TODO: add loki tls config https://issues.redhat.com/browse/NETOBSERV-309
 		"-loki-skip-tls", "true",
 		"-loglevel", desired.LogLevel,
 		"-frontend-config", configPath + configFile,
 	}
+
+	return args
 }
 
 func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
@@ -125,45 +136,57 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
 				Image:           b.desired.Image,
 				ImagePullPolicy: corev1.PullPolicy(b.desired.ImagePullPolicy),
 				Resources:       *b.desired.Resources.DeepCopy(),
-				VolumeMounts: []corev1.VolumeMount{{
-					Name:      secretName,
-					MountPath: "/var/serving-cert",
-					ReadOnly:  true,
-				},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      secretName,
+						MountPath: "/var/serving-cert",
+						ReadOnly:  true,
+					},
 					{
 						Name:      configVolume,
 						MountPath: configPath,
 						ReadOnly:  true,
-					}},
-				Args: []string{
-					"-cert", "/var/serving-cert/tls.crt",
-					"-key", "/var/serving-cert/tls.key",
-					"-loki", querierURL(b.desiredLoki),
-					"-loki-labels", strings.Join(constants.LokiIndexFields, ","),
-					"-loki-tenant-id", b.desiredLoki.TenantID,
-					//TODO: add loki tls config https://issues.redhat.com/browse/NETOBSERV-309
-					"-loki-skip-tls", "true",
-					"-loglevel", b.desired.LogLevel,
-					"-frontend-config", configPath + configFile,
+					},
+					{
+						MountPath: tokensPath,
+						Name:      constants.PluginName,
+					},
 				},
+				Args: buildArgs(b.desired, b.desiredLoki),
 			}},
-			Volumes: []corev1.Volume{{
-				Name: secretName,
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: secretName,
+			Volumes: []corev1.Volume{
+				{
+					Name: secretName,
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName: secretName,
+						},
 					},
 				},
-			}, {
-				Name: configVolume,
-				VolumeSource: corev1.VolumeSource{
-					ConfigMap: &corev1.ConfigMapVolumeSource{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: configMapName,
+				{
+					Name: configVolume,
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: configMapName,
+							},
+						},
+					},
+				},
+				{
+					Name: constants.PluginName,
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{
+								{
+									ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+										Path: constants.PluginName,
+									},
+								},
+							},
 						},
 					},
 				},
-			},
 			},
 			ServiceAccountName: constants.PluginName,
 		},

diff --git a/controllers/consoleplugin/consoleplugin_test.go b/controllers/consoleplugin/consoleplugin_test.go
@@ -26,6 +26,7 @@ var testArgs = []string{
 	"-loki", "http://loki:3100/",
 	"-loki-labels", "SrcK8S_Namespace,SrcK8S_OwnerName,DstK8S_Namespace,DstK8S_OwnerName,FlowDirection",
 	"-loki-tenant-id", "netobserv",
+	"-loki-token-path", "",
 	"-loki-skip-tls", "true",
 	"-loglevel", "info",
 	"-frontend-config", "/opt/app-root/config.yaml",

diff --git a/controllers/flowlogspipeline/flp_objects.go b/controllers/flowlogspipeline/flp_objects.go
@@ -27,6 +27,7 @@ const configMapName = "flowlogs-pipeline-config"
 const configVolume = "config-volume"
 const configPath = "/etc/flowlogs-pipeline"
 const configFile = "config.json"
+const tokensPath = "/var/run/secrets/tokens/"
 
 const (
 	healthServiceName       = "health"
@@ -151,10 +152,16 @@ func (b *builder) podTemplate(hostNetwork bool, configDigest string) corev1.PodT
 		ImagePullPolicy: corev1.PullPolicy(b.desired.ImagePullPolicy),
 		Args:            []string{fmt.Sprintf(`--config=%s/%s`, configPath, configFile)},
 		Resources:       *b.desired.Resources.DeepCopy(),
-		VolumeMounts: []corev1.VolumeMount{{
-			MountPath: configPath,
-			Name:      configVolume,
-		}},
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				MountPath: configPath,
+				Name:      configVolume,
+			},
+			{
+				MountPath: tokensPath,
+				Name:      constants.FLPName,
+			},
+		},
 		Ports: ports,
 	}
 	if b.desired.EnableKubeProbes {
@@ -194,16 +201,32 @@ func (b *builder) podTemplate(hostNetwork bool, configDigest string) corev1.PodT
 		},
 		Spec: corev1.PodSpec{
 			Tolerations: tolerations,
-			Volumes: []corev1.Volume{{
-				Name: configVolume,
-				VolumeSource: corev1.VolumeSource{
-					ConfigMap: &corev1.ConfigMapVolumeSource{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: configMapName + b.confKindSuffix,
+			Volumes: []corev1.Volume{
+				{
+					Name: configVolume,
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: configMapName + b.confKindSuffix,
+							},
 						},
 					},
 				},
-			}},
+				{
+					Name: constants.FLPName + b.confKindSuffix,
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{
+								{
+									ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+										Path: constants.FLPName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 			Containers:         []corev1.Container{container},
 			ServiceAccountName: constants.FLPName + b.confKindSuffix,
 			HostNetwork:        hostNetwork,
@@ -246,6 +269,9 @@ func (b *builder) addTransformStages(lastStage *config.PipelineBuilderStage) {
 		lokiWrite.TimestampLabel = "TimeFlowEndMs"
 		lokiWrite.TimestampScale = "1ms"
 		lokiWrite.TenantID = b.desiredLoki.TenantID
+		if b.desiredLoki.SendAuthToken {
+			lokiWrite.BearerAuthTokenPath = tokensPath + constants.FLPName
+		}
 		//TODO: set proper tls config https://issues.redhat.com/browse/NETOBSERV-309
 		lokiWrite.ClientConfig = &promConfig.HTTPClientConfig{
 			TLSConfig: promConfig.TLSConfig{

diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
@@ -2673,6 +2673,15 @@ Settings related to the Loki client, used as a flow store.
           QuerierURL specifies the address of the Loki querier service, in case it is different from the Loki ingester URL. If empty, the URL value will be used (assuming that the Loki ingester and querier are int he same host).<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>sendAuthToken</b></td>
+        <td>boolean</td>
+        <td>
+          SendAuthToken is a flag to enable or disable Authorization header from service account secret It allows authentication to loki operator gateway<br/>
+          <br/>
+            <i>Default</i>: false<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>staticLabels</b></td>
         <td>map[string]string</td>