@jotak jotak commented Dec 1, 2025

Description

  • "Service" mode now uses TLS and is the default mode
  • No-TLS mode still exists but hidden, by setting the SERVER_NOTLS env on processor advanced config
  • Configure certificate injection

Dependencies

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
    • If so, make sure the JIRA epic is labeled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
    • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
    • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

openshift-ci-robot commented Dec 1, 2025

@jotak: This pull request references NETOBSERV-2503 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

Description

  • Split "Service" mode into "Service-TLS" and "Service-NoTLS"
  • Make "Service-TLS" the default mode
  • Configure certificate injection

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Comment on lines 32 to 33
DeploymentModelServiceNoTLS FlowCollectorDeploymentModel = "Service-NoTLS"
DeploymentModelServiceTLS FlowCollectorDeploymentModel = "Service-TLS"
Contributor

It feels strange to me to have that here in the list.
What's the goal of having a NoTLS mode?

If we want to promote TLS first, I would rather put an option in the advanced config of FLP like insecureService or even hide that in an environment variable.

Member Author

done: be1847a

Contributor

Thanks!

So if I understand correctly, you'll need to set the SERVER_NOTLS env variable in both the eBPF and FLP advanced sections?

Member Author

No, just FLP. The agent reads it from FLP (like it does for the port).

jotak added 2 commits December 5, 2025 16:55
Always use TLS, except if SERVER_NOTLS env is set on FLP

openshift-ci bot commented Dec 5, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jotak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jotak jotak requested a review from jpinsonneau December 5, 2025 16:58

jotak commented Dec 5, 2025

/hold
It can be reviewed / tested, but needs to merge & bump FLP and Agent PRs before merging

@jotak jotak changed the title NETOBSERV-2503: use TLS by default in Service mode NETOBSERV-2503: use TLS by default in Service mode; make Service the default mode Dec 5, 2025

jotak commented Dec 5, 2025

/unhold

codecov bot commented Dec 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.19%. Comparing base (49a77da) to head (c49382c).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2204      +/-   ##
==========================================
+ Coverage   73.21%   74.19%   +0.97%     
==========================================
  Files          84       84              
  Lines        9391     9418      +27     
==========================================
+ Hits         6876     6988     +112     
+ Misses       2087     2005      -82     
+ Partials      428      425       -3     
Flag Coverage Δ
unittests 74.19% <100.00%> (+0.97%) ⬆️

Files with missing lines Coverage Δ
api/flowcollector/v1beta2/flowcollector_types.go 100.00% <ø> (ø)
api/flowcollector/v1beta2/helper.go 83.33% <100.00%> (ø)
internal/controller/ebpf/agent_controller.go 60.47% <100.00%> (+1.12%) ⬆️
internal/controller/flp/flp_common_objects.go 92.85% <100.00%> (+2.36%) ⬆️
internal/controller/flp/flp_monolith_objects.go 92.50% <100.00%> (+33.26%) ⬆️

... and 9 files with indirect coverage changes

openshift-ci-robot commented Dec 8, 2025

@jotak: This pull request references NETOBSERV-2503 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

