grafana-operator icon indicating copy to clipboard operation
grafana-operator copied to clipboard

Published 20 hours ago verified publisher icon grafana

Grafana OCP route/ingress TLS Always Enabled [Bug]

Open tylerstanczak opened this issue 3 years ago • 3 comments

Describe the bug .spec.ingress.tlsEnabled value set to false but the Operator still creates a TLS edge Route

Version 4.1.0

To Reproduce Steps to reproduce the behavior:

  1. Go to 'Operator Hub'
  2. Install Grafana Operator
  3. Create a Grafana Custom Resource with .spec.ingress.enabled: true and .spec.ingress.tlsEnabled: false
  4. Route has edge TLS enabled

Expected behavior Expected a Route with TLS disabled

Suspect component/Location where the bug might be occuring Not sure...

Runtime (please complete the following information):

  • Grafana Operator Version 4.1.0
  • Environment: OpenShift 4.6.47
  • Deployment type: Operator Deployment
  • Other: [Other variables/things that might be relevant to this bug, versions of other services e.g. operator-sdk]

Additional context I added the instana-datasource plugin via .spec.deployment.env with the ENV variable GF_INSTALL_PLUGINS but I don't think this would affect the TLS setting

tylerstanczak avatar Dec 08 '21 22:12 tylerstanczak

FYI @lsteck @ravvitta

tylerstanczak avatar Dec 08 '21 22:12 tylerstanczak

It looks like we're only supporting tlsEnabled for Ingress, not for Route: https://github.com/grafana-operator/grafana-operator/blob/master/controllers/model/grafanaIngress.go#L16

pb82 avatar Dec 14 '21 12:12 pb82

We should support this for Routes as well if Ingress supports it, initially though we're going to point out the current behaviour in the docs (to avoid a breaking change).

pb82 avatar Dec 14 '21 12:12 pb82

This should be fixed in v5, I will close this issue. If anyone still sees the same issue in v5, feel free to create a new issue.

NissesSenap avatar Jun 20 '23 11:06 NissesSenap

I'm still seeing this behavior in v5 channel

[gev@blah]$ oc get sub
NAME               PACKAGE            SOURCE                CHANNEL
amq-streams        amq-streams        redhat-operators      stable
grafana-operator   grafana-operator   community-operators   v5
[gev@blah]$ oc get routes |grep grafan
grafana-route                                                     grafana-blah.mydomain.com                                                /      grafana-blah-service                                          3000    edge                 None
[smals-gev@blah]$ oc get grafana -o yaml | grep tlsEna
      tlsEnabled: false

So, I'm still having to work around this with a fake route in the Grafana object, and a custom route pointing to the grafana service on Openshift 4.12

Djeezus avatar Dec 11 '23 11:12 Djeezus

@Djeezus as mentioned above please create a new issue and how to reproduce it. To my knowledge how the new operator API works you should be able to get this to work without any issues as long as our merge logic works.

NissesSenap avatar Dec 11 '23 11:12 NissesSenap

thank you for replying @NissesSenap,

the Openshift 4.10/11/12 Grafana operator apiVersion is v1alpha1, and there is no "route"-spec there, so that may be the issue here ?

[gev@blah ~]$  oc get sub grafana-operator
NAME               PACKAGE            SOURCE                CHANNEL
grafana-operator   grafana-operator   community-operators   v5

[gev@blah ~]$ oc explain grafana.apiVersion
KIND:     Grafana
VERSION:  integreatly.org/v1alpha1

[gev@blah ~]$ oc explain grafana.spec.route
error: field "route" does not exist

Djeezus avatar Dec 12 '23 10:12 Djeezus

As I wrote in my previous comment, create a new issue. But my tip is to upgrade to version 5 of the operator, then you will get all new features.

Currently we only fix security issues in v4, and it will soon be deprecated all together, so you won't get any bug fixes there no matter what happens.

NissesSenap avatar Dec 12 '23 11:12 NissesSenap