Merge pull request #3819 from caseydavenport/auto-pick-of-#3802-origin-release-v1.37

[release-v1.37] Auto pick #3802: Add API for managed cluster variant

Author: caseydavenport

api/v1/tenant_types.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023-2025 Tigera, Inc. All rights reserved.
 /*
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -93,6 +93,10 @@ type TenantSpec struct {
 
 	// DashboardsJob configures the Dashboards job
 	DashboardsJob *DashboardsJob `json:"dashboardsJob,omitempty"`
+
+	// ManagedClusterVariant is the variant of the managed cluster.
+	// +optional
+	ManagedClusterVariant *ProductVariant `json:"managedClusterVariant,omitempty"`
 }
 
 // Index defines how to store a tenant's data
@@ -144,6 +148,10 @@ func (t *Tenant) SingleTenant() bool {
 	return t != nil && t.GetNamespace() == ""
 }
 
+func (t *Tenant) ManagedClusterIsCalico() bool {
+	return t != nil && t.Spec.ManagedClusterVariant != nil && *t.Spec.ManagedClusterVariant == Calico
+}
+
 // +kubebuilder:object:root=true
 
 // TenantList contains a list of Tenant

api/v1/zz_generated.deepcopy.go

@@ -1535,6 +1535,9 @@ spec:
                         type: object
                     type: object
                 type: object
+              managedClusterVariant:
+                description: ManagedClusterVariant is the variant of the managed cluster.
+                type: string
               name:
                 description: Name is a human readable name for this tenant.
                 type: string

pkg/crds/operator/operator.tigera.io_tenants.yaml

@@ -1,4 +1,4 @@
-// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2022-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -406,7 +406,10 @@ func (l *linseed) linseedDeployment() *appsv1.Deployment {
 		annotations[fmt.Sprintf("hash.operator.tigera.io/%s", render.ElasticsearchLinseedUserSecret)] = rmeta.SecretsAnnotationHash(l.cfg.ElasticClientCredentialsSecret)
 	}
 
-	if l.cfg.TokenKeyPair != nil {
+	if l.cfg.TokenKeyPair != nil && !l.cfg.Tenant.ManagedClusterIsCalico() {
+		// If a token key pair is provided, configure Linseed to use it.
+		// We don't need to do this for OSS Calico managed clusters - they don't have permissions for the
+		// token controller to create tokens.
 		envVars = append(envVars,
 			corev1.EnvVar{Name: "TOKEN_CONTROLLER_ENABLED", Value: "true"},
 			corev1.EnvVar{Name: "LINSEED_TOKEN_KEY", Value: l.cfg.TokenKeyPair.VolumeMountKeyFilePath()},

pkg/render/logstorage/linseed/linseed.go

@@ -174,7 +174,7 @@ type managerComponent struct {
 	tlsSecrets     []*corev1.Secret
 	tlsAnnotations map[string]string
 	managerImage   string
-	proxyImage     string
+	voltronImage   string
 	uiAPIsImage    string
 }
 
@@ -189,7 +189,7 @@ func (c *managerComponent) ResolveImages(is *operatorv1.ImageSet) error {
 		errMsgs = append(errMsgs, err.Error())
 	}
 
-	c.proxyImage, err = components.GetReference(components.ComponentManagerProxy, reg, path, prefix, is)
+	c.voltronImage, err = components.GetReference(components.ComponentManagerProxy, reg, path, prefix, is)
 	if err != nil {
 		errMsgs = append(errMsgs, err.Error())
 	}
@@ -567,6 +567,12 @@ func (c *managerComponent) voltronContainer() corev1.Container {
 			env = append(env, corev1.EnvVar{Name: "VOLTRON_TENANT_NAMESPACE", Value: c.cfg.Tenant.Namespace})
 			linseedEndpointEnv = corev1.EnvVar{Name: "VOLTRON_LINSEED_ENDPOINT", Value: fmt.Sprintf("https://tigera-linseed.%s.svc", c.cfg.Tenant.Namespace)}
 		}
+
+		if c.cfg.Tenant.ManagedClusterIsCalico() {
+			// Enable access to / from Goldmane in Voltron.
+			env = append(env, corev1.EnvVar{Name: "GOLDMANE_ENABLED", Value: "true"})
+			env = append(env, corev1.EnvVar{Name: "MANAGED_CLUSTER_SUPPORTS_IMPERSONATION", Value: "false"})
+		}
 	}
 	env = append(env, linseedEndpointEnv)
 
@@ -576,7 +582,7 @@ func (c *managerComponent) voltronContainer() corev1.Container {
 
 	return corev1.Container{
 		Name:            VoltronName,
-		Image:           c.proxyImage,
+		Image:           c.voltronImage,
 		ImagePullPolicy: ImagePullPolicy(),
 		Env:             env,
 		VolumeMounts:    mounts,
@@ -616,6 +622,14 @@ func (c *managerComponent) managerUIAPIsContainer() corev1.Container {
 			env = append(env, corev1.EnvVar{Name: "LINSEED_URL", Value: fmt.Sprintf("https://tigera-linseed.%s.svc", c.cfg.Namespace)})
 			env = append(env, corev1.EnvVar{Name: "TENANT_NAMESPACE", Value: c.cfg.Namespace})
 		}
+
+		if c.cfg.Tenant.ManagedClusterIsCalico() {
+			// Calico clusters do not give Guardian impersonation permissions.
+			env = append(env, corev1.EnvVar{Name: "IMPERSONATE", Value: "false"})
+
+			// Calico clusters use Goldmane for policy metrics and stats.
+			env = append(env, corev1.EnvVar{Name: "GOLDMANE_ENABLED", Value: "true"})
+		}
 	}
 
 	volumeMounts := append(
@@ -837,6 +851,16 @@ func managerClusterRole(managedCluster bool, kubernetesProvider operatorv1.Provi
 				Verbs:     []string{"create"},
 			},
 		)
+
+		if tenant.ManagedClusterIsCalico() {
+			// Voltron needs permissions to write flow logs.
+			cr.Rules = append(cr.Rules,
+				rbacv1.PolicyRule{
+					APIGroups: []string{"linseed.tigera.io"},
+					Resources: []string{"flowlogs"},
+					Verbs:     []string{"create"},
+				})
+		}
 	}
 
 	if kubernetesProvider.IsOpenShift() {