Back to a single Service mode

Always use TLS, except if SERVER_NOTLS env is set on FLP

Author: jotak

api/flowcollector/v1beta2/flowcollector_types.go

@@ -27,10 +27,9 @@ import (
 type FlowCollectorDeploymentModel string
 
 const (
-	DeploymentModelDirect       FlowCollectorDeploymentModel = "Direct"
-	DeploymentModelKafka        FlowCollectorDeploymentModel = "Kafka"
-	DeploymentModelServiceNoTLS FlowCollectorDeploymentModel = "Service-NoTLS"
-	DeploymentModelServiceTLS   FlowCollectorDeploymentModel = "Service-TLS"
+	DeploymentModelDirect  FlowCollectorDeploymentModel = "Direct"
+	DeploymentModelKafka   FlowCollectorDeploymentModel = "Kafka"
+	DeploymentModelService FlowCollectorDeploymentModel = "Service"
 )
 
 // Please notice that the FlowCollectorSpec's properties MUST redefine one of the default
@@ -71,15 +70,14 @@ type FlowCollectorSpec struct {
 	ConsolePlugin FlowCollectorConsolePlugin `json:"consolePlugin,omitempty"`
 
 	// `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-	// - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
-	// - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
+	// - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
 	// - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
 	// - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 	// Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 	// `Direct` is not recommended on large clusters as it is less memory efficient.
 	// +unionDiscriminator
-	// +kubebuilder:validation:Enum:="Service-TLS";"Service-NoTLS";"Direct";"Kafka"
-	// +kubebuilder:default:=Service-TLS
+	// +kubebuilder:validation:Enum:="Service";"Direct";"Kafka"
+	// +kubebuilder:default:=Service
 	DeploymentModel FlowCollectorDeploymentModel `json:"deploymentModel,omitempty"`
 
 	// Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the `spec.deploymentModel` is `Kafka`.

api/flowcollector/v1beta2/flowcollector_validation_webhook.go

@@ -276,7 +276,7 @@ func (v *validator) validateFLPLogTypes() {
 		if !v.fc.UseLoki() {
 			v.errors = append(v.errors, errors.New("enabling conversation tracking without Loki is not allowed, as it generates extra processing for no benefit"))
 		}
-		if v.fc.UseServiceNetwork() {
+		if v.fc.DeploymentModel == DeploymentModelService {
 			v.errors = append(v.errors, errors.New("cannot enable conversation tracking when spec.deploymentModel is Service: you must disable it, or change the deployment model"))
 		}
 	}

api/flowcollector/v1beta2/flowcollector_validation_webhook_test.go

@@ -516,7 +516,7 @@ func TestValidateConntrack(t *testing.T) {
 					Name: "cluster",
 				},
 				Spec: FlowCollectorSpec{
-					DeploymentModel: DeploymentModelServiceNoTLS,
+					DeploymentModel: DeploymentModelService,
 					Processor: FlowCollectorFLP{
 						LogTypes: ptr.To(LogTypeConversations),
 					},

api/flowcollector/v1beta2/helper.go

@@ -55,10 +55,7 @@ func (spec *FlowCollectorSpec) UseConsolePlugin() bool {
 
 func (spec *FlowCollectorSpec) UseTestConsolePlugin() bool {
 	if spec.ConsolePlugin.Advanced != nil {
-		env := spec.ConsolePlugin.Advanced.Env[constants.EnvTestConsole]
-		// Use ParseBool to allow common variants ("true", "True", "1"...) and ignore non-bools
-		b, err := strconv.ParseBool(env)
-		return err == nil && b
+		return IsEnvEnabled(spec.ConsolePlugin.Advanced.Env, constants.EnvTestConsole)
 	}
 	return false
 }
@@ -67,11 +64,6 @@ func (spec *FlowCollectorSpec) UseHostNetwork() bool {
 	return spec.DeploymentModel == DeploymentModelDirect
 }
 
-func (spec *FlowCollectorSpec) UseServiceNetwork() bool {
-	return spec.DeploymentModel == DeploymentModelServiceNoTLS ||
-		spec.DeploymentModel == DeploymentModelServiceTLS
-}
-
 func (spec *FlowCollectorEBPF) IsAgentFeatureEnabled(feature AgentFeature) bool {
 	for _, f := range spec.Features {
 		if f == feature {
@@ -190,10 +182,7 @@ func (spec *FlowCollectorFLP) GetMetricsPort() int32 {
 
 func (spec *FlowCollectorSpec) HasExperimentalAlertsHealth() bool {
 	if spec.Processor.Advanced != nil {
-		env := spec.Processor.Advanced.Env["EXPERIMENTAL_ALERTS_HEALTH"]
-		// Use ParseBool to allow common variants ("true", "True", "1"...) and ignore non-bools
-		b, err := strconv.ParseBool(env)
-		return err == nil && b
+		return IsEnvEnabled(spec.Processor.Advanced.Env, "EXPERIMENTAL_ALERTS_HEALTH")
 	}
 	return false
 }
@@ -232,3 +221,10 @@ func (spec *FlowCollectorConsolePlugin) IsUnmanagedConsolePluginReplicas() bool
 	}
 	return spec.Autoscaler.IsHPAEnabled()
 }
+
+func IsEnvEnabled(vars map[string]string, key string) bool {
+	env := vars[key]
+	// Use ParseBool to allow common variants ("true", "True", "1"...) and ignore non-bools
+	b, err := strconv.ParseBool(env)
+	return err == nil && b
+}

bundle/manifests/flows.netobserv.io_flowcollectors.yaml

@@ -3217,18 +3217,16 @@ spec:
                     type: boolean
                 type: object
               deploymentModel:
-                default: Service-TLS
+                default: Service
                 description: |-
                   `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                  - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
-                  - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
+                  - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
                   - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
                   - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                   Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                   `Direct` is not recommended on large clusters as it is less memory efficient.
                 enum:
-                - Service-TLS
-                - Service-NoTLS
+                - Service
                 - Direct
                 - Kafka
                 type: string

config/crd/bases/flows.netobserv.io_flowcollectors.yaml

@@ -3011,18 +3011,16 @@ spec:
                       type: boolean
                   type: object
                 deploymentModel:
-                  default: Service-TLS
+                  default: Service
                   description: |-
                     `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                    - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
-                    - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
+                    - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
                     - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
                     - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                     Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                     `Direct` is not recommended on large clusters as it is less memory efficient.
                   enum:
-                    - Service-TLS
-                    - Service-NoTLS
+                    - Service
                     - Direct
                     - Kafka
                   type: string

docs/FlowCollector.md

@@ -112,15 +112,14 @@ for these features as a best effort only.
         <td>enum</td>
         <td>
           `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-- `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
-- `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
+- `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
 - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
 - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
 Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
 `Direct` is not recommended on large clusters as it is less memory efficient.<br/>
           <br/>
-            <i>Enum</i>: Service-TLS, Service-NoTLS, Direct, Kafka<br/>
-            <i>Default</i>: Service-TLS<br/>
+            <i>Enum</i>: Service, Direct, Kafka<br/>
+            <i>Default</i>: Service<br/>
         </td>
         <td>false</td>
       </tr><tr>

helm/crds/flows.netobserv.io_flowcollectors.yaml

@@ -3015,18 +3015,16 @@ spec:
                       type: boolean
                   type: object
                 deploymentModel:
-                  default: Service-TLS
+                  default: Service
                   description: |-
                     `deploymentModel` defines the desired type of deployment for flow processing. Possible values are:<br>
-                    - `Service-TLS` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
-                    - `Service-NoTLS` to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment. Version without TLS.<br>
+                    - `Service` (default) to make the flow processor listen as a Kubernetes Service, backed by a scalable Deployment.<br>
                     - `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor.<br>
                     - `Direct` to make the flow processor listen directly from the agents using the host network, backed by a DaemonSet. Only recommended on small clusters, below 15 nodes.<br>
                     Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).<br>
                     `Direct` is not recommended on large clusters as it is less memory efficient.
                   enum:
-                    - Service-TLS
-                    - Service-NoTLS
+                    - Service
                     - Direct
                     - Kafka
                   type: string

internal/controller/ebpf/agent_controller.go

@@ -482,9 +482,9 @@ func (c *AgentController) envConfig(ctx context.Context, coll *flowslatest.FlowC
 				Value: strconv.Itoa(int(*advancedConfig.Port)),
 			})
 		} else {
-			// Send to FLP service...
-			if coll.Spec.DeploymentModel == flowslatest.DeploymentModelServiceTLS {
-				// ... using TLS
+			skipTLS := flowslatest.IsEnvEnabled(advancedConfig.Env, "SERVER_NOTLS")
+			if !skipTLS {
+				// Send to FLP service using TLS
 				tlsCfg := flowslatest.ClientTLS{
 					Enable: true,
 					CACert: flowslatest.CertificateReference{
@@ -496,13 +496,16 @@ func (c *AgentController) envConfig(ctx context.Context, coll *flowslatest.FlowC
 				caPath := c.volumes.AddCACertificate(&tlsCfg, "svc-certs")
 				config = append(config, corev1.EnvVar{Name: envTargetTLSCACertPath, Value: caPath})
 			}
-			config = append(config, corev1.EnvVar{
-				Name:  envFlowsTargetHost,
-				Value: fmt.Sprintf("%s.%s.svc", constants.FLPName, c.Namespace),
-			}, corev1.EnvVar{
-				Name:  envFlowsTargetPort,
-				Value: strconv.Itoa(int(*advancedConfig.Port)),
-			})
+			config = append(config,
+				corev1.EnvVar{
+					Name:  envFlowsTargetHost,
+					Value: fmt.Sprintf("%s.%s.svc", constants.FLPName, c.Namespace),
+				},
+				corev1.EnvVar{
+					Name:  envFlowsTargetPort,
+					Value: strconv.Itoa(int(*advancedConfig.Port)),
+				},
+			)
 		}
 	}
 

internal/controller/ebpf/agent_controller_test.go

@@ -214,9 +214,9 @@ func TestBpfmanConfig(t *testing.T) {
 	assert.NotNil(t, ds)
 
 	assert.Equal(t, corev1.EnvVar{Name: "EBPF_PROGRAM_MANAGER_MODE", Value: "true"}, ds.Spec.Template.Spec.Containers[0].Env[0])
-	assert.Equal(t, "bpfman-maps", ds.Spec.Template.Spec.Volumes[0].Name)
+	assert.Equal(t, "bpfman-maps", ds.Spec.Template.Spec.Volumes[1].Name)
 	assert.Equal(t, map[string]string{
 		"csi.bpfman.io/maps":    "direct_flows,aggregated_flows,additional_flow_metrics,packet_record,dns_flows,global_counters,filter_map,peer_filter_map,ipsec_ingress_map,ipsec_egress_map",
 		"csi.bpfman.io/program": "netobserv",
-	}, ds.Spec.Template.Spec.Volumes[0].CSI.VolumeAttributes)
+	}, ds.Spec.Template.Spec.Volumes[1].CSI.VolumeAttributes)
 }