Fix

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

apis/v1alpha1/instrumentation_webhook.go

@@ -236,6 +236,14 @@ func (w InstrumentationWebhook) validate(r *Instrumentation) (admission.Warnings
 	default:
 		return warnings, fmt.Errorf("spec.sampler.type is not valid: %s", r.Spec.Sampler.Type)
 	}
+
+	if r.Spec.Exporter.TLS != nil {
+		tls := r.Spec.Exporter.TLS
+		if tls.Key != "" && tls.Cert == "" || tls.Cert != "" && tls.Key == "" {
+			warnings = append(warnings, "both exporter.tls.key and exporter.tls.cert mut be set")
+		}
+	}
+
 	return warnings, nil
 }
 

apis/v1alpha1/instrumentation_webhook_test.go

@@ -113,6 +113,40 @@ func TestInstrumentationValidatingWebhook(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "tls cert set but missing key",
+			inst: Instrumentation{
+				Spec: InstrumentationSpec{
+					Sampler: Sampler{
+						Type:     ParentBasedTraceIDRatio,
+						Argument: "0.99",
+					},
+					Exporter: Exporter{
+						TLS: &TLS{
+							Cert: "cert",
+						},
+					},
+				},
+			},
+			warnings: []string{"both exporter.tls.key and exporter.tls.cert mut be set"},
+		},
+		{
+			name: "tls key set but missing cert",
+			inst: Instrumentation{
+				Spec: InstrumentationSpec{
+					Sampler: Sampler{
+						Type:     ParentBasedTraceIDRatio,
+						Argument: "0.99",
+					},
+					Exporter: Exporter{
+						TLS: &TLS{
+							Key: "key",
+						},
+					},
+				},
+			},
+			warnings: []string{"both exporter.tls.key and exporter.tls.cert mut be set"},
+		},
 	}
 
 	for _, test := range tests {

pkg/instrumentation/podmutator.go

@@ -467,45 +467,24 @@ func (pm *instPodMutator) selectInstrumentationInstanceFromNamespace(ctx context
 }
 
 func (pm *instPodMutator) validateInstrumentations(ctx context.Context, inst languageInstrumentations, podNamespace string) error {
-	var errs []error
-	if inst.Java.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.Java.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.Python.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.Python.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.NodeJS.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.NodeJS.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.DotNet.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.DotNet.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.Go.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.Go.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.ApacheHttpd.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.ApacheHttpd.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
-	}
-	if inst.Nginx.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.Nginx.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
-		}
+	instrumentations := []struct {
+		instrumentation *v1alpha1.Instrumentation
+	}{
+		{inst.Java.Instrumentation},
+		{inst.Python.Instrumentation},
+		{inst.NodeJS.Instrumentation},
+		{inst.DotNet.Instrumentation},
+		{inst.Go.Instrumentation},
+		{inst.ApacheHttpd.Instrumentation},
+		{inst.Nginx.Instrumentation},
+		{inst.Sdk.Instrumentation},
 	}
-	if inst.Sdk.Instrumentation != nil {
-		if err := pm.validateInstrumentation(ctx, *inst.Sdk.Instrumentation, podNamespace); err != nil {
-			errs = append(errs, err)
+	var errs []error
+	for _, i := range instrumentations {
+		if i.instrumentation != nil {
+			if err := pm.validateInstrumentation(ctx, i.instrumentation, podNamespace); err != nil {
+				errs = append(errs, err)
+			}
 		}
 	}
 
@@ -515,7 +494,7 @@ func (pm *instPodMutator) validateInstrumentations(ctx context.Context, inst lan
 	return nil
 }
 
-func (pm *instPodMutator) validateInstrumentation(ctx context.Context, inst v1alpha1.Instrumentation, podNamespace string) error {
+func (pm *instPodMutator) validateInstrumentation(ctx context.Context, inst *v1alpha1.Instrumentation, podNamespace string) error {
 	// Check if secret and configmap exists
 	// If they don't exist pod cannot start
 	var errs []error

tests/e2e-instrumentation/instrumentation-java-tls/chainsaw-test.yaml

@@ -3,7 +3,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
   creationTimestamp: null
-  name: instrumentation-java
+  name: instrumentation-java-tls
 spec:
   steps:
   - name: step-00

tests/e2e-instrumentation/instrumentation-java-tls/generate-certs.sh

@@ -4,8 +4,8 @@ set -ex
 
 # CA key and cert
 openssl req -new -nodes -x509 -days 9650 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=localhost"
-# Server
-openssl req -new -nodes -x509 -CA ca.crt -CAkey ca.key -days 9650 -set_serial 01 -keyout server.key -out server.crt -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=svc.cluster.local/CN=localhost"  -addext "subjectAltName = DNS:simplest-collector,DNS:*.tracing-system.svc.cluster.local,DNS:localhost"
+# Server, E.g. use NDS:*.default.svc.cluster.local for arbitrary collector name deployed in the default namespace
+openssl req -new -nodes -x509 -CA ca.crt -CAkey ca.key -days 9650 -set_serial 01 -keyout server.key -out server.crt -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=svc.cluster.local/CN=localhost"  -addext "subjectAltName = DNS:simplest-collector,DNS:localhost"
 # Client
 openssl req -new -nodes -x509 -CA ca.crt -CAkey ca.key -days 9650 -set_serial 01 -keyout client.key -out client.crt -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=svc.cluster.local/CN=localhost"