Use TLS via OpenShift service annotation when gateway/multitenancy is…

[rubenvp8510]

… disabled

Fixes #963

This PR doesn't cover monolitic. I would prefer to do it in a separate PR. in this way I can keep this PR small and move forward faster.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 33.33333% with 16 lines in your changes missing coverage. Please review.

Project coverage is 73.22%. Comparing base (e122de4) to head (88ea2e2).

Files	Patch %	Lines
internal/manifests/distributor/distributor.go	34.78%	13 Missing and 2 partials ⚠️
internal/webhooks/tempostack_webhook.go	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #962      +/-   ##
==========================================
- Coverage   73.36%   73.22%   -0.14%     
==========================================
  Files         105      105              
  Lines        6487     6503      +16     
==========================================
+ Hits         4759     4762       +3     
- Misses       1438     1450      +12     
- Partials      290      291       +1     

Flag	Coverage Δ
unittests	73.22% <33.33%> (-0.14%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pavolloffay]

Could you please document how users could setup TLS to report data with the OCP service CA?

Is it enabled by default on OCP?

[rubenvp8510]

I will include a brief explanation here. I think a more elaborate way on how to configure this on the client side (may be using otel collector) should be in the documentation and not in the subtext . Just my opinion.

[rubenvp8510]

Added a brief explanation, as I said I would prefer a more deep explanation on the documentation. As this is only a changelog. But if you thing I should include something here I'm not opposites.

[rubenvp8510]

Done.

[rubenvp8510]

@pavolloffay Should we make TLS enable by default on OpenShift? following the principle of "making secure by default"?

[pavolloffay]

Do you mean using servicing certs on the Gateway public HTTTP and gRPC APIs (the users would need to use the service CA)?

[rubenvp8510]

Do you mean using servicing certs on the Gateway public HTTTP and gRPC APIs (the users would need to use the service CA)?

I don't understand well the question. From what I can see the gateway case is already implemented. This PR what it does is to use the service CA for the case when the gateway is not enabled. This means configure the distributor to use it directly (without the gateway)

[pavolloffay]

LGTM,

I would just document into release notes how the clients can inject CA cert.

[pavolloffay]

How are we going to expose this in the monolithic CR? It would be great to come up with a similar config. Do you have CRD draft?

[rubenvp8510]

How are we going to expose this in the monolithic CR? It would be great to come up with a similar config. Do you have CRD draft?

I don't have a draft, but I would say we can apply the same, if TLS is enabled but not certName is specified AND we are on openshift. we can use the service Certificate.