added gossipConfig for VMAlertmanager (#1051)

* added client tls configuration * added changelog entry
VictoriaMetrics · Jul 30, 2024 · 7f0d74d · 7f0d74d
1 parent a2ff4b1
commit 7f0d74d
Show file tree

Hide file tree

Showing 10 changed files with 810 additions and 129 deletions.
diff --git a/api/operator/v1beta1/vmalertmanager_types.go b/api/operator/v1beta1/vmalertmanager_types.go
@@ -302,6 +302,9 @@ type VMAlertmanagerSpec struct {
 	// WebConfig defines configuration for webserver
 	// https://github.com/prometheus/alertmanager/blob/main/docs/https.md
 	WebConfig *AlertmanagerWebConfig `json:"webConfig,omitempty"`
+
+	// GossipConfig defines gossip TLS configuration for Alertmanager cluster
+	GossipConfig *AlertmanagerGossipConfig `json:"gossipConfig,omitempty"`
 }
 
 // UnmarshalJSON implements json.Unmarshaler interface
@@ -560,10 +563,18 @@ func (cr *VMAlertmanager) SetUpdateStatusTo(ctx context.Context, r client.Client
 	return nil
 }
 
+// AlertmanagerGossipConfig defines Gossip TLS configuration for alertmanager
+type AlertmanagerGossipConfig struct {
+	// TLSServerConfig defines server TLS configuration for alertmanager
+	TLSServerConfig *TLSServerConfig `json:"tls_server_config,omitempty"`
+	// TLSClientConfig defines client TLS configuration for alertmanager
+	TLSClientConfig *TLSClientConfig `json:"tls_client_config,omitempty"`
+}
+
 // AlertmanagerWebConfig defines web server configuration for alertmanager
 type AlertmanagerWebConfig struct {
-	// TLSServerConfig defines tls configuration for alertmanager web server
-	TLSServerConfig *WebserverTLSConfig `json:"tls_server_config,omitempty"`
+	// TLSServerConfig defines server TLS configuration for alertmanager
+	TLSServerConfig *TLSServerConfig `json:"tls_server_config,omitempty"`
 	// HTTPServerConfig defines http server configuration for alertmanager web server
 	HTTPServerConfig *AlertmanagerHTTPConfig `json:"http_server_config,omitempty"`
 	// BasicAuthUsers Usernames and hashed passwords that have full access to the web server

diff --git a/api/operator/v1beta1/vmalertmanager_webhook.go b/api/operator/v1beta1/vmalertmanager_webhook.go
@@ -52,10 +52,10 @@ func (r *VMAlertmanager) sanityCheck() error {
 		}
 		if r.Spec.WebConfig.TLSServerConfig != nil {
 			tc := r.Spec.WebConfig.TLSServerConfig
-			if tc.CertFile == "" && tc.CertSecretRef == nil {
+			if tc.Certs.CertFile == "" && tc.Certs.CertSecretRef == nil {
 				return fmt.Errorf("either cert_secret_ref or cert_file must be set for tls_server_config")
 			}
-			if tc.KeyFile == "" && tc.KeySecretRef == nil {
+			if tc.Certs.KeyFile == "" && tc.Certs.KeySecretRef == nil {
 				return fmt.Errorf("either key_secret_ref or key_file must be set for tls_server_config")
 			}
 			if tc.ClientAuthType == "RequireAndVerifyClientCert" {
@@ -65,6 +65,31 @@ func (r *VMAlertmanager) sanityCheck() error {
 			}
 		}
 	}
+	if r.Spec.GossipConfig != nil {
+		if r.Spec.GossipConfig.TLSServerConfig != nil {
+			tc := r.Spec.GossipConfig.TLSServerConfig
+			if tc.Certs.CertFile == "" && tc.Certs.CertSecretRef == nil {
+				return fmt.Errorf("either cert_secret_ref or cert_file must be set for tls_server_config")
+			}
+			if tc.Certs.KeyFile == "" && tc.Certs.KeySecretRef == nil {
+				return fmt.Errorf("either key_secret_ref or key_file must be set for tls_server_config")
+			}
+			if tc.ClientAuthType == "RequireAndVerifyClientCert" {
+				if tc.ClientCAFile == "" && tc.ClientCASecretRef == nil {
+					return fmt.Errorf("either client_ca_secret_ref or client_ca_file must be set for tls_server_config with enabled RequireAndVerifyClientCert")
+				}
+			}
+		}
+		if r.Spec.GossipConfig.TLSClientConfig != nil {
+			tc := r.Spec.GossipConfig.TLSClientConfig
+			if tc.Certs.CertFile == "" && tc.Certs.CertSecretRef == nil {
+				return fmt.Errorf("either cert_secret_ref or cert_file must be set for tls_client_config")
+			}
+			if tc.Certs.KeyFile == "" && tc.Certs.KeySecretRef == nil {
+				return fmt.Errorf("either key_secret_ref or key_file must be set for tls_client_config")
+			}
+		}
+	}
 	return nil
 }
 

diff --git a/api/operator/v1beta1/vmextra_types.go b/api/operator/v1beta1/vmextra_types.go
@@ -899,22 +899,8 @@ func (c *TLSConfig) BuildAssetPath(prefix, name, key string) string {
 	return fmt.Sprintf("%s_%s_%s", prefix, name, key)
 }
 
-// WebserverTLSConfig defines TLS configuration for the applications webserver
-type WebserverTLSConfig struct {
-	// ClientAuthType defines server policy for client authentication
-	// If you want to enable client authentication (aka mTLS), you need to use RequireAndVerifyClientCert
-	// Note, mTLS is supported only at enterprise version of VictoriaMetrics components
-	// +kubebuilder:validation:Enum=NoClientCert;RequireAndVerifyClientCert
-	ClientAuthType string `json:"client_auth_type,omitempty"`
-
-	// ClientCA defines reference for secret with CA content under given key
-	// mutually exclusive with ClientCAFile
-	ClientCASecretRef *v1.SecretKeySelector `json:"client_ca_secret_ref,omitempty"`
-	// ClientCAFile defines path to the pre-mounted file with CA
-	// mutually exclusive with ClientCASecretRef
-	ClientCAFile string `json:"client_ca_file,omitempty"`
-	// Cert defines reference for secret with CA content under given key
-	// mutually exclusive with CertFile
+// Certs defines TLS certs configuration
+type Certs struct {
 	CertSecretRef *v1.SecretKeySelector `json:"cert_secret_ref,omitempty"`
 	// CertFile defines path to the pre-mounted file with certificate
 	// mutually exclusive with CertSecretRef
@@ -925,6 +911,23 @@ type WebserverTLSConfig struct {
 	// KeyFile defines path to the pre-mounted file with certificate key
 	// mutually exclusive with KeySecretRef
 	KeyFile string `json:"key_file,omitempty"`
+}
+
+// TLSServerConfig defines TLS configuration for the application's server
+type TLSServerConfig struct {
+	// ClientCASecretRef defines reference for secret with CA content under given key
+	// mutually exclusive with ClientCAFile
+	ClientCASecretRef *v1.SecretKeySelector `json:"client_ca_secret_ref,omitempty"`
+	// ClientCAFile defines path to the pre-mounted file with CA
+	// mutually exclusive with ClientCASecretRef
+	ClientCAFile string `json:"client_ca_file,omitempty"`
+	// Cert defines reference for secret with CA content under given key
+	// mutually exclusive with CertFile
+	// ClientAuthType defines server policy for client authentication
+	// If you want to enable client authentication (aka mTLS), you need to use RequireAndVerifyClientCert
+	// Note, mTLS is supported only at enterprise version of VictoriaMetrics components
+	// +kubebuilder:validation:Enum=NoClientCert;RequireAndVerifyClientCert
+	ClientAuthType string `json:"client_auth_type,omitempty"`
 	// MinVersion minimum TLS version that is acceptable.
 	// +kubebuilder:validation:Enum=TLS10;TLS11;TLS12;TLS13
 	MinVersion string `json:"min_version,omitempty"`
@@ -940,4 +943,23 @@ type WebserverTLSConfig struct {
 	// PreferServerCipherSuites controls whether the server selects the
 	// client's most preferred ciphersuite
 	PreferServerCipherSuites bool `json:"prefer_server_cipher_suites,omitempty"`
+	// Certs defines cert, CA and key for TLS auth
+	Certs `json:",inline"`
+}
+
+// TLSClientConfig defines TLS configuration for the application's client
+type TLSClientConfig struct {
+	// CA defines reference for secret with CA content under given key
+	// mutually exclusive with CAFile
+	CASecretRef *v1.SecretKeySelector `json:"ca_secret_ref,omitempty"`
+	// CAFile defines path to the pre-mounted file with CA
+	// mutually exclusive with CASecretRef
+	CAFile string `json:"ca_file,omitempty"`
+	// Cert defines reference for secret with CA content under given key
+	// mutually exclusive with CertFile
+	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
+	// ServerName indicates a name of a server
+	ServerName string `json:"server_name,omitempty"`
+	// Certs defines cert, CA and key for TLS auth
+	Certs `json:",inline"`
 }
diff --git a/api/operator/v1beta1/zz_generated.deepcopy.go b/api/operator/v1beta1/zz_generated.deepcopy.go