diff --git a/pkg/controller/installation/windows_controller.go b/pkg/controller/installation/windows_controller.go
index a627d7746d..1570533bb8 100644
--- a/pkg/controller/installation/windows_controller.go
+++ b/pkg/controller/installation/windows_controller.go
@@ -372,7 +372,7 @@ func (r *ReconcileWindows) Reconcile(ctx context.Context, request reconcile.Requ
 }
 // The key pair is created by the core controller, so if it isn't set, requeue to wait until it is
- nodePrometheusTLS, err = certificateManager.GetKeyPair(r.client, render.NodePrometheusTLSServerSecret, common.OperatorNamespace(), dns.GetServiceDNSNames(render.CalicoNodeMetricsService, common.CalicoNamespace, r.clusterDomain))
+ nodePrometheusTLS, err = certificateManager.GetKeyPair(r.client, render.NodePrometheusTLSServerSecret, common.OperatorNamespace(), dns.GetServiceDNSNames(render.WindowsNodeMetricsService, common.CalicoNamespace, r.clusterDomain))
 if err != nil {
 r.status.SetDegraded(operatorv1.ResourceCreateError, "Error getting TLS certificate", err, reqLogger)
 return reconcile.Result{}, err
diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go
index 323b3a590c..7146fe6ff7 100644
--- a/pkg/render/fluentd.go
+++ b/pkg/render/fluentd.go
@@ -56,6 +56,7 @@ const (
 // use-case for this credential. However, it is used on all TLS connections served by fluentd.
 FluentdPrometheusTLSSecretName = "tigera-fluentd-prometheus-tls"
 FluentdMetricsService = "fluentd-metrics"
+ FluentdMetricsServiceWindows = "fluentd-metrics-windows"
 FluentdMetricsPortName = "fluentd-metrics-port"
 FluentdMetricsPort = 9081
 FluentdPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node"
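Review bot: In `Reconcile` (windows_controller.go) the `GetKeyPair` call now requests SANs built from `render.WindowsNodeMetricsService`, yet it still reads the shared `render.NodePrometheusTLSServerSecret`, which the comment above says the core controller creates. Nothing in this diff shows the issuing side adding the Windows service names to that certificate; if it still carries only the `render.CalicoNodeMetricsService` names, the Windows endpoints would serve a certificate that fails hostname verification, or this reconcile may stay degraded depending on how `GetKeyPair` treats a name mismatch. Please confirm both name sets are issued, and document the coupling here, e.g. `// SANs requested here must be among those the core controller puts in NodePrometheusTLSServerSecret`. The same question applies to the `serviceMonitorCalicoNode` hunk in monitor.go, whose endpoints (and any pinned TLS server name) lie outside that hunk. `Reconcile` starts and ends outside this hunk.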
@@ -214,6 +215,16 @@ func (c *fluentdComponent) fluentdNodeName() string {
 return FluentdNodeName
 }
+// Use different service names depending on the OS type ("fluentd-metrics"
+// vs "fluentd-metrics-windows") in order to help identify which OS daemonset
+// we are referring to.
+func (c *fluentdComponent) fluentdMetricsServiceName() string {
+ if c.cfg.OSType == rmeta.OSTypeWindows {
+ return FluentdMetricsServiceWindows
+ }
+ return FluentdMetricsService
+}
+
 func (c *fluentdComponent) readinessCmd() []string {
 if c.cfg.OSType == rmeta.OSTypeWindows {
 // On Windows, we rely on bash via msys2 installed by the fluentd base image.
@@ -584,12 +595,12 @@ func (c *fluentdComponent) metricsService() *corev1.Service {
 return &corev1.Service{
 TypeMeta: metav1.TypeMeta{Kind: "Service", APIVersion: "v1"},
 ObjectMeta: metav1.ObjectMeta{
- Name: FluentdMetricsService,
+ Name: c.fluentdMetricsServiceName(),
 Namespace: LogCollectorNamespace,
- Labels: map[string]string{"k8s-app": FluentdNodeName},
+ Labels: map[string]string{"k8s-app": c.fluentdNodeName()},
 },
 Spec: corev1.ServiceSpec{
- Selector: map[string]string{"k8s-app": FluentdNodeName},
+ Selector: map[string]string{"k8s-app": c.fluentdNodeName()},
 // Important: "None" tells Kubernetes that we want a headless service with
 // no kube-proxy load balancer. If we omit this then kube-proxy will render
 // a huge set of iptables rules for this service since there's an instance
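Review bot: `metricsService()` now names the Windows service `fluentd-metrics-windows`, but the diff shows no matching change to the DNS names on the `FluentdPrometheusTLSSecretName` key pair, which the const-block comment says is used on all TLS connections served by fluentd. If that certificate is issued only for the `fluentd-metrics` service names (the issuing code is not visible here), a scrape that verifies the server name against the Windows service would fail. Please confirm the SAN list covers both names. I would also add a render test that checks the Windows Service's `Labels` and `Selector`, since the fluentd_test.go change only asserts the new name. The function body continues past the hunk.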
@@ -795,13 +806,9 @@ func (c *fluentdComponent) envvars() []corev1.EnvVar {
 corev1.EnvVar{Name: "ELASTIC_WAF_INDEX_SHARDS", Value: strconv.Itoa(c.cfg.ESClusterConfig.Shards())},
 corev1.EnvVar{Name: "ELASTIC_L7_INDEX_SHARDS", Value: strconv.Itoa(c.cfg.ESClusterConfig.Shards())},
 corev1.EnvVar{Name: "ELASTIC_RUNTIME_INDEX_SHARDS", Value: strconv.Itoa(c.cfg.ESClusterConfig.Shards())},
+ corev1.EnvVar{Name: "CA_CRT_PATH", Value: c.trustedBundlePath()},
 )
- if c.SupportedOSType() != rmeta.OSTypeWindows {
- envs = append(envs,
- corev1.EnvVar{Name: "CA_CRT_PATH", Value: c.cfg.TrustedBundle.MountPath()},
- )
- }
 return envs
 }
diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go
index 4748e94177..b0f576da96 100644
--- a/pkg/render/fluentd_test.go
+++ b/pkg/render/fluentd_test.go
@@ -242,7 +242,7 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() {
 }{
 {name: "tigera-fluentd", ns: "", group: "", version: "v1", kind: "Namespace"},
 {name: render.FluentdPolicyName, ns: render.LogCollectorNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"},
- {name: render.FluentdMetricsService, ns: render.LogCollectorNamespace, group: "", version: "v1", kind: "Service"},
+ {name: render.FluentdMetricsServiceWindows, ns: render.LogCollectorNamespace, group: "", version: "v1", kind: "Service"},
 {name: "tigera-fluentd-windows", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"},
 {name: "tigera-fluentd-windows", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"},
 {name: "fluentd-node-windows", ns: "tigera-fluentd", group: "", version: "v1", kind: "ServiceAccount"},
diff --git a/pkg/render/monitor/monitor.go b/pkg/render/monitor/monitor.go
index 5fcceb48ee..b5c77cebb6 100644
--- a/pkg/render/monitor/monitor.go
+++ b/pkg/render/monitor/monitor.go
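Review bot: In `envvars()`, `CA_CRT_PATH` is now set on Windows as well, from `c.trustedBundlePath()`, whose definition is outside this diff; the removed branch skipped Windows entirely. If the trusted bundle is not mounted at the returned path in the Windows daemonset, fluentd is handed a CA path that does not exist, and its outbound TLS verification then fails or depends on whatever fallback the image has. The fluentd_test.go hunk in this commit does not assert the variable, so I would add a Windows expectation such as `Expect(envs).To(ContainElement(corev1.EnvVar{Name: "CA_CRT_PATH", Value: <expected Windows bundle path>}))`, alongside a check that the volume mount uses the same path. `envvars()` begins before the hunk.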
@@ -743,7 +743,15 @@ func (mc *monitorComponent) serviceMonitorCalicoNode() *monitoringv1.ServiceMoni
 Labels: map[string]string{"team": "network-operators"},
 },
 Spec: monitoringv1.ServiceMonitorSpec{
- Selector: metav1.LabelSelector{MatchLabels: map[string]string{"k8s-app": "calico-node"}},
+ Selector: metav1.LabelSelector{
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ {
+ Key: "k8s-app",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{"calico-node", "calico-node-windows"},
+ },
+ },
+ },
 NamespaceSelector: monitoringv1.NamespaceSelector{MatchNames: []string{"calico-system"}},
 Endpoints: []monitoringv1.Endpoint{
 {
@@ -815,7 +823,15 @@ func (mc *monitorComponent) serviceMonitorFluentd() *monitoringv1.ServiceMonitor
 Labels: map[string]string{"team": "network-operators"},
 },
 Spec: monitoringv1.ServiceMonitorSpec{
- Selector: metav1.LabelSelector{MatchLabels: map[string]string{"k8s-app": "fluentd-node"}},
+ Selector: metav1.LabelSelector{
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ {
+ Key: "k8s-app",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{"fluentd-node", "fluentd-node-windows"},
+ },
+ },
+ },
 NamespaceSelector: monitoringv1.NamespaceSelector{MatchNames: []string{render.LogCollectorNamespace}},
 Endpoints: []monitoringv1.Endpoint{
 {
diff --git a/pkg/render/monitor/monitor_test.go b/pkg/render/monitor/monitor_test.go
index ede1465aa3..1f6f7c09b5 100644
--- a/pkg/render/monitor/monitor_test.go
+++ b/pkg/render/monitor/monitor_test.go
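Review bot: The new selectors in `serviceMonitorCalicoNode` and `serviceMonitorFluentd` hard-code the `k8s-app` values as string literals, while fluentd.go now derives the Service label from `c.fluentdNodeName()`. If either side is renamed, the ServiceMonitor stops matching without any render error and the metrics simply go missing, which is a monitoring gap that is easy to overlook. I would build `Values` from the `render` constants (for fluentd, `render.FluentdNodeName` and the Windows counterpart that `fluentdNodeName()` returns) and move the duplicated `MatchExpressions` block into a small helper that takes the label values. Both functions extend beyond their hunks.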
@@ -414,8 +414,15 @@ var _ = Describe("monitor rendering tests", func() {
 Expect(ok).To(BeTrue())
 Expect(servicemonitorObj.ObjectMeta.Labels).To(HaveLen(1))
 Expect(servicemonitorObj.ObjectMeta.Labels["team"]).To(Equal("network-operators"))
- Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(1))
- Expect(servicemonitorObj.Spec.Selector.MatchLabels["k8s-app"]).To(Equal("fluentd-node"))
+ Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(0))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(HaveLen(1))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(ConsistOf([]metav1.LabelSelectorRequirement{
+ {
+ Key: "k8s-app",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{"fluentd-node", "fluentd-node-windows"},
+ },
+ }))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames).To(HaveLen(1))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames[0]).To(Equal("tigera-fluentd"))
 Expect(servicemonitorObj.Spec.Endpoints).To(HaveLen(1))
@@ -444,8 +451,13 @@ var _ = Describe("monitor rendering tests", func() {
 Expect(ok).To(BeTrue())
 Expect(servicemonitorObj.ObjectMeta.Labels).To(HaveLen(1))
 Expect(servicemonitorObj.ObjectMeta.Labels["team"]).To(Equal("network-operators"))
- Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(1))
- Expect(servicemonitorObj.Spec.Selector.MatchLabels["k8s-app"]).To(Equal("calico-node"))
+ Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(0))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(HaveLen(1))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(ConsistOf([]metav1.LabelSelectorRequirement{
+ {Key: "k8s-app",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{"calico-node", "calico-node-windows"}},
+ }))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames).To(HaveLen(1))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames[0]).To(Equal("calico-system"))
 Expect(servicemonitorObj.Spec.Endpoints).To(HaveLen(2))
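Review bot: In the updated ServiceMonitor assertions (both hunks here and the later `fluentd-metrics` lookup hunk), the `HaveLen(1)` check on `MatchExpressions` is redundant, because the `ConsistOf(...)` that follows already fails on a length mismatch. `Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(0))` would read more directly as `Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(BeEmpty())`. The calico-node case also lays out its struct literal differently from the other two (`{Key: "k8s-app",` on the opening line); using the same multi-line layout keeps the three expectations easy to compare. The enclosing `Describe` block starts and ends outside these hunks.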
@@ -475,8 +487,15 @@ var _ = Describe("monitor rendering tests", func() {
 servicemonitorObj, ok = rtest.GetResource(toCreate, "fluentd-metrics", common.TigeraPrometheusNamespace, "monitoring.coreos.com", "v1", monitoringv1.ServiceMonitorsKind).(*monitoringv1.ServiceMonitor)
 Expect(ok).To(BeTrue())
- Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(1))
- Expect(servicemonitorObj.Spec.Selector.MatchLabels["k8s-app"]).To(Equal("fluentd-node"))
+ Expect(servicemonitorObj.Spec.Selector.MatchLabels).To(HaveLen(0))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(HaveLen(1))
+ Expect(servicemonitorObj.Spec.Selector.MatchExpressions).To(ConsistOf([]metav1.LabelSelectorRequirement{
+ {
+ Key: "k8s-app",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{"fluentd-node", "fluentd-node-windows"},
+ },
+ }))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames).To(HaveLen(1))
 Expect(servicemonitorObj.Spec.NamespaceSelector.MatchNames[0]).To(Equal("tigera-fluentd"))
 Expect(servicemonitorObj.Spec.Endpoints).To(HaveLen(1))