Add TLS support to auto-instrumentation

pavolloffay · pavolloffay · commit 7a91a2431c90 · 2024-10-08T18:25:33.000+02:00
Signed-off-by: Pavol Loffay &lt;p.loffay@gmail.com&gt;
diff --git a/apis/v1alpha1/instrumentation_types.go b/apis/v1alpha1/instrumentation_types.go
@@ -97,8 +97,31 @@ type Resource struct {
 // Exporter defines OTLP exporter configuration.
 type Exporter struct {
 	// Endpoint is address of the collector with OTLP endpoint.
+	// The TLS is enabled
 	// +optional
 	Endpoint string `json:"endpoint,omitempty"`
+
+	// TLS defines certificates for TLS.
+	// TLS needs to be enabled by specifying https:// scheme in the Endpoint.
+	TLS *TLS `json:"tls,omitempty"`
+}
+
+// TLS defines TLS configuration for exporter.
+type TLS struct {
+	// SecretName defines a secret name that will be used to configure TLS on the exporter.
+	// It is user responsibility to create the secret in the namespace of the workload.
+	// The secret should contain keys ca.crt, tls.key, tls.crt
+	SecretName string `json:"secretName,omitempty"`
+	// CA defines the key of certificate in the secret or absolute path to a certificate.
+	// The absolute path can be used when certificate is already present on the workload filesystem e.g.
+	// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+	CA string `json:"ca,omitempty"`
+	// Cert defines the key of the client certificate in the secret or absolute path to a certificate.
+	// The absolute path can be used when certificate is already present on the workload filesystem.
+	Cert string `json:"cert,omitempty"`
+	// Key defines a key of the private key in the secret or absolute path to a certificate.
+	// The absolute path can be used when certificate is already present on the workload filesystem.
+	Key string `json:"key,omitempty"`
 }
 
 // Sampler defines sampling configuration.
diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/community/manifests/opentelemetry-operator.clusterserviceversion.yaml b/bundle/community/manifests/opentelemetry-operator.clusterserviceversion.yaml
@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2024-09-19T17:15:52Z"
+    createdAt: "2024-10-08T16:24:01Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
diff --git a/bundle/community/manifests/opentelemetry.io_instrumentations.yaml b/bundle/community/manifests/opentelemetry.io_instrumentations.yaml
@@ -409,6 +409,17 @@ spec:
                 properties:
                   endpoint:
                     type: string
+                  tls:
+                    properties:
+                      ca:
+                        type: string
+                      cert:
+                        type: string
+                      key:
+                        type: string
+                      secretName:
+                        type: string
+                    type: object
                 type: object
               go:
                 properties:
diff --git a/bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml
@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2024-09-19T17:16:12Z"
+    createdAt: "2024-10-08T16:24:02Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
diff --git a/bundle/openshift/manifests/opentelemetry.io_instrumentations.yaml b/bundle/openshift/manifests/opentelemetry.io_instrumentations.yaml
@@ -409,6 +409,17 @@ spec:
                 properties:
                   endpoint:
                     type: string
+                  tls:
+                    properties:
+                      ca:
+                        type: string
+                      cert:
+                        type: string
+                      key:
+                        type: string
+                      secretName:
+                        type: string
+                    type: object
                 type: object
               go:
                 properties:
diff --git a/config/crd/bases/opentelemetry.io_instrumentations.yaml b/config/crd/bases/opentelemetry.io_instrumentations.yaml
@@ -407,6 +407,17 @@ spec:
                 properties:
                   endpoint:
                     type: string
+                  tls:
+                    properties:
+                      ca:
+                        type: string
+                      cert:
+                        type: string
+                      key:
+                        type: string
+                      secretName:
+                        type: string
+                    type: object
                 type: object
               go:
                 properties:
diff --git a/pkg/constants/env.go b/pkg/constants/env.go
@@ -15,12 +15,16 @@
 package constants
 
 const (
-	EnvOTELServiceName          = "OTEL_SERVICE_NAME"
-	EnvOTELExporterOTLPEndpoint = "OTEL_EXPORTER_OTLP_ENDPOINT"
-	EnvOTELResourceAttrs        = "OTEL_RESOURCE_ATTRIBUTES"
-	EnvOTELPropagators          = "OTEL_PROPAGATORS"
-	EnvOTELTracesSampler        = "OTEL_TRACES_SAMPLER"
-	EnvOTELTracesSamplerArg     = "OTEL_TRACES_SAMPLER_ARG"
+	EnvOTELServiceName      = "OTEL_SERVICE_NAME"
+	EnvOTELResourceAttrs    = "OTEL_RESOURCE_ATTRIBUTES"
+	EnvOTELPropagators      = "OTEL_PROPAGATORS"
+	EnvOTELTracesSampler    = "OTEL_TRACES_SAMPLER"
+	EnvOTELTracesSamplerArg = "OTEL_TRACES_SAMPLER_ARG"
+
+	EnvOTELExporterOTLPEndpoint      = "OTEL_EXPORTER_OTLP_ENDPOINT"
+	EnvOTELExporterCertificate       = "OTEL_EXPORTER_OTLP_CERTIFICATE"
+	EnvOTELExporterClientCertificate = "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE"
+	EnvOTELExporterClientKey         = "OTEL_EXPORTER_OTLP_CLIENT_KEY"
 
 	InstrumentationPrefix                           = "instrumentation.opentelemetry.io/"
 	AnnotationDefaultAutoInstrumentationJava        = InstrumentationPrefix + "default-auto-instrumentation-java-image"
diff --git a/pkg/instrumentation/sdk.go b/pkg/instrumentation/sdk.go
@@ -17,6 +17,7 @@ package instrumentation
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -44,6 +45,9 @@ const (
 	volumeName        = "opentelemetry-auto-instrumentation"
 	initContainerName = "opentelemetry-auto-instrumentation"
 	sideCarName       = "opentelemetry-auto-instrumentation"
+
+	exporterCertsVolumeName = volumeName + "-exporter-certs"
+	exporterCertsMountPath  = "/otel-auto-instrumentation-exporter-certs"
 )
 
 // inject a new sidecar container to the given pod, based on the given OpenTelemetryCollector.
@@ -304,6 +308,7 @@ func (i *sdkInjector) injectCommonSDKConfig(ctx context.Context, otelinst v1alph
 			Value: chooseServiceName(pod, useLabelsForResourceAttributes, resourceMap, appIndex),
 		})
 	}
+	configureExporter(otelinst.Spec.Exporter, &pod, container)
 	if otelinst.Spec.Exporter.Endpoint != "" {
 		idx = getIndexOfEnv(container.Env, constants.EnvOTELExporterOTLPEndpoint)
 		if idx == -1 {
@@ -413,6 +418,85 @@ func (i *sdkInjector) injectCommonSDKConfig(ctx context.Context, otelinst v1alph
 	return pod
 }
 
+func configureExporter(exporter v1alpha1.Exporter, pod *corev1.Pod, container *corev1.Container) {
+	if exporter.Endpoint != "" {
+		if getIndexOfEnv(container.Env, constants.EnvOTELExporterOTLPEndpoint) == -1 {
+			container.Env = append(container.Env, corev1.EnvVar{
+				Name:  constants.EnvOTELExporterOTLPEndpoint,
+				Value: exporter.Endpoint,
+			})
+		}
+	}
+	if exporter.TLS == nil {
+		return
+	}
+
+	if exporter.TLS.CA != "" {
+		val := fmt.Sprintf("%s/%s", exporterCertsMountPath, exporter.TLS.CA)
+		if filepath.IsAbs(exporter.TLS.CA) {
+			val = exporter.TLS.CA
+		}
+		if getIndexOfEnv(container.Env, constants.EnvOTELExporterCertificate) == -1 {
+			container.Env = append(container.Env, corev1.EnvVar{
+				Name:  constants.EnvOTELExporterCertificate,
+				Value: val,
+			})
+		}
+	}
+	if exporter.TLS.Cert != "" {
+		val := fmt.Sprintf("%s/%s", exporterCertsMountPath, exporter.TLS.Cert)
+		if filepath.IsAbs(exporter.TLS.Cert) {
+			val = exporter.TLS.Cert
+		}
+		if getIndexOfEnv(container.Env, constants.EnvOTELExporterClientCertificate) == -1 {
+			container.Env = append(container.Env, corev1.EnvVar{
+				Name:  constants.EnvOTELExporterClientCertificate,
+				Value: val,
+			})
+		}
+	}
+	if exporter.TLS.Key != "" {
+		val := fmt.Sprintf("%s/%s", exporterCertsMountPath, exporter.TLS.Key)
+		if filepath.IsAbs(exporter.TLS.Key) {
+			val = exporter.TLS.Key
+		}
+		if getIndexOfEnv(container.Env, constants.EnvOTELExporterClientKey) == -1 {
+			container.Env = append(container.Env, corev1.EnvVar{
+				Name:  constants.EnvOTELExporterClientKey,
+				Value: val,
+			})
+		}
+	}
+
+	if exporter.TLS.SecretName != "" {
+		addVolume := true
+		for _, vol := range pod.Spec.Volumes {
+			if vol.Name == exporterCertsVolumeName {
+				addVolume = false
+			}
+		}
+		if addVolume {
+			pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
+				Name: exporterCertsVolumeName,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{SecretName: exporter.TLS.SecretName},
+				}})
+		}
+		addVolumeMount := true
+		for _, vol := range container.VolumeMounts {
+			if vol.Name == exporterCertsVolumeName {
+				addVolumeMount = false
+			}
+		}
+		if addVolumeMount {
+			container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+				Name:      exporterCertsVolumeName,
+				MountPath: exporterCertsMountPath,
+			})
+		}
+	}
+}
+
 // chooseServiceName returns the service name to be used in the instrumentation.
 // The precedence is as follows:
 // 1. label or annotation with key "service.name" or "app.kubernetes.io/name".
diff --git a/pkg/instrumentation/sdk_test.go b/pkg/instrumentation/sdk_test.go
@@ -2565,3 +2565,51 @@ func TestChooseServiceName(t *testing.T) {
 		})
 	}
 }
+
+func TestExporter(t *testing.T) {
+	exp := v1alpha1.Exporter{
+		Endpoint: "http://collector:4318",
+		TLS: &v1alpha1.TLS{
+			SecretName: "my-certs",
+			CA:         "ca.crt",
+			Cert:       "cert.crt",
+			Key:        "key.key",
+		},
+	}
+	pod := corev1.Pod{
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{},
+			},
+		},
+	}
+	configureExporter(exp, &pod, &pod.Spec.Containers[0])
+	assert.Equal(t, []corev1.EnvVar{
+		{
+			Name:  "OTEL_EXPORTER_OTLP_ENDPOINT",
+			Value: "http://collector:4318",
+		},
+		{
+			Name:  "OTEL_EXPORTER_OTLP_CERTIFICATE",
+			Value: "/otel-auto-instrumentation-exporter-certs/ca.crt",
+		},
+		{
+			Name:  "OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE",
+			Value: "/otel-auto-instrumentation-exporter-certs/cert.crt",
+		},
+		{
+			Name:  "OTEL_EXPORTER_OTLP_CLIENT_KEY",
+			Value: "/otel-auto-instrumentation-exporter-certs/key.key",
+		},
+	}, pod.Spec.Containers[0].Env)
+	assert.Equal(t, []corev1.Volume{
+		{
+			Name: "opentelemetry-auto-instrumentation-exporter-certs",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: "my-certs",
+				},
+			},
+		},
+	}, pod.Spec.Volumes)
+}
