Network Observability / NETOBSERV-773

Copy certificates across namespaces

    • Story
    • Resolution: Done
    • netobserv-1.3
    • BU Product Work
    • OCPSTRAT-156 - Netobserv operator: Make configuration simpler
    • Previously, certificate configuration (such as that used for Kafka and Loki) did not allow specifying a namespace field, which meant the certificates had to be in the same namespace where Network Observability is deployed. Moreover, when using Kafka with TLS / mTLS, the user had to manually copy the certificate(s) to the privileged namespace where the eBPF agent pods are deployed, and to manually take care of certificate updates (such as in case of rotation).

      This new feature simplifies Network Observability setup by adding a namespace field for certificates in the FlowCollector resource. As a result, users can now install Loki or Kafka in different namespaces without needing to manually copy their certificates into the Network Observability namespace. The original certificates are watched so that the copies are automatically updated when needed.
    • NetObserv - Sprint 235, NetObserv - Sprint 236, NetObserv - Sprint 237

      Based on https://issues.redhat.com/browse/NETOBSERV-684 (certificate watchers), we can implement copying certificates from other namespaces when they are not already in the desired namespace.

      It should address two use cases:

      • When using Kafka + TLS + eBPF agent, users are currently required to manually copy Kafka certificates into eBPF's privileged namespace
      • When Loki, or Kafka, is installed in a different namespace than netobserv's, users are required to manually copy their certificates into the netobserv namespace

      We need to add a new "Namespace" field in the TLS certificate config, in FlowCollector, that designates the source namespace where the certificate exists. When not provided, it is assumed to be the same as "spec.namespace".

      Note that the work was already partially implemented here: https://github.com/netobserv/network-observability-operator/pull/172/ (dependent operators PR) => copying to the privileged namespace was done, but it was done allowing copy from any namespace
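
The copy rule described above, sketched as an added example (not code from the operator or from this issue): the source namespace falls back to spec.namespace when the field is empty, and a copy is written only where it is missing or out of date. `CertRef`, `Cluster`, `Reconcile` and the namespace names `kafka`, `netobserv` and `netobserv-privileged` are hypothetical, and the in-memory map stands in for cluster secrets.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// CertRef is a hypothetical stand-in for a FlowCollector TLS certificate reference.
type CertRef struct {
	Name      string
	Namespace string // source namespace; empty means "same as spec.namespace"
}
type key struct{ ns, name string }

// Cluster is a constructed in-memory model: namespace/name -> certificate bytes.
type Cluster map[key][]byte

// Reconcile copies the certificate where missing or stale; returns namespaces written.
func Reconcile(c Cluster, ref CertRef, specNamespace string, targets []string) ([]string, error) {
	srcNs := ref.Namespace
	if srcNs == "" {
		srcNs = specNamespace // defaulting rule from the issue description
	}
	src, ok := c[key{srcNs, ref.Name}]
	if !ok {
		return nil, fmt.Errorf("certificate %s/%s not found", srcNs, ref.Name)
	}
	want := sha256.Sum256(src)
	var written []string
	for _, ns := range targets {
		if ns == srcNs {
			continue // the original already lives here, nothing to copy
		}
		if cur, exists := c[key{ns, ref.Name}]; exists && sha256.Sum256(cur) == want {
			continue // copy is up to date
		}
		c[key{ns, ref.Name}] = append([]byte(nil), src...) // create or refresh the copy
		written = append(written, ns)
	}
	return written, nil
}

func main() {
	c := Cluster{{"kafka", "kafka-ca"}: []byte("cert-v1")} // constructed sample data
	targets := []string{"netobserv", "netobserv-privileged"}
	ref := CertRef{Name: "kafka-ca", Namespace: "kafka"}
	fmt.Println(Reconcile(c, ref, "netobserv", targets)) // first run copies to both
	c[key{"kafka", "kafka-ca"}] = []byte("cert-v2")      // simulated rotation
	fmt.Println(Reconcile(c, ref, "netobserv", targets)) // copies are refreshed
}
```

A second call with unchanged source data writes nothing, which is the behaviour a watcher-driven reconcile needs to stay idempotent.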

            jtakvori Joel Takvorian
            Mehul Modi