
Commit a3feb2c

Add TLS support to auto-instrumentation (#3338)
* Add TLS support to auto-instrumentation Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * More validation Signed-off-by: Pavol Loffay <[email protected]> --------- Signed-off-by: Pavol Loffay <[email protected]>
1 parent 7a79233 commit a3feb2c

29 files changed

+1132
-20
lines changed

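--- a/.chloggen/inst-tls.yaml
+++ b/.chloggen/inst-tls.yaml
@@ -0,0 +1,34 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: auto-instrumentation
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for specifying exporter TLS certificates in auto-instrumentation.
+
+# One or more tracking issues related to the change
+issues: [3338]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+Now Instrumentation CR supports specifying TLS certificates for exporter:
+```yaml
+spec:
+exporter:
+endpoint: https://otel-collector:4317
+tls:
+secretName: otel-tls-certs
+configMapName: otel-ca-bundle
+# otel-ca-bundle
+ca: ca.crt
+# present in otel-tls-certs
+cert: tls.crt
+# present in otel-tls-certs
+key: tls.key
+```
+
+* Propagating secrets across namespaces can be done with https://github.com/EmberStack/kubernetes-reflector or https://github.com/zakkg3/ClusterSecret
+* Restarting workloads on certificate renewal can be done with https://github.com/stakater/Reloader or https://github.com/wave-k8s/wave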

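--- a/apis/v1alpha1/instrumentation_types.go
+++ b/apis/v1alpha1/instrumentation_types.go
@@ -97,8 +97,37 @@ type Resource struct {
 // Exporter defines OTLP exporter configuration.
 type Exporter struct {
 // Endpoint is address of the collector with OTLP endpoint.
+// If the endpoint defines https:// scheme TLS has to be specified.
 // +optional
 Endpoint string `json:"endpoint,omitempty"`
+
+// TLS defines certificates for TLS.
+// TLS needs to be enabled by specifying https:// scheme in the Endpoint.
+TLS *TLS `json:"tls,omitempty"`
+}
+
+// TLS defines TLS configuration for exporter.
+type TLS struct {
+// SecretName defines secret name that will be used to configure TLS on the exporter.
+// It is user responsibility to create the secret in the namespace of the workload.
+// The secret must contain client certificate (Cert) and private key (Key).
+// The CA certificate might be defined in the secret or in the config map.
+SecretName string `json:"secretName,omitempty"`
+
+// ConfigMapName defines configmap name with CA certificate. If it is not defined CA certificate will be
+// used from the secret defined in SecretName.
+ConfigMapName string `json:"configMapName,omitempty"`
+
+// CA defines the key of certificate (e.g. ca.crt) in the configmap map, secret or absolute path to a certificate.
+// The absolute path can be used when certificate is already present on the workload filesystem e.g.
+// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+CA string `json:"ca,omitempty"`
+// Cert defines the key (e.g. tls.crt) of the client certificate in the secret or absolute path to a certificate.
+// The absolute path can be used when certificate is already present on the workload filesystem.
+Cert string `json:"cert,omitempty"`
+// Key defines a key (e.g. tls.key) of the private key in the secret or absolute path to a certificate.
+// The absolute path can be used when certificate is already present on the workload filesystem.
+Key string `json:"key,omitempty"`
 }
 
 // Sampler defines sampling configuration.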
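Review bot: The doc comment above the added `CA string` field reads "in the configmap map" and should read "in the config map"; the CA comment also ends without a period, unlike its neighbours. None of the new fields (`TLS`, `SecretName`, `ConfigMapName`, `CA`, `Cert`, `Key`) carries the `// +optional` marker that `Endpoint` has, even though all of them are `omitempty`, so the generated CRD documentation will treat them inconsistently. The comments state that the secret must hold Cert and Key, but nothing says what happens when `Cert`/`Key` are secret keys and `SecretName` is empty; a line such as `// SecretName must be set when Cert or Key are given as keys rather than absolute paths.` would make the contract explicit for operators and for the webhook that validates it.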

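--- a/apis/v1alpha1/instrumentation_webhook.go
+++ b/apis/v1alpha1/instrumentation_webhook.go
@@ -236,9 +236,31 @@ func (w InstrumentationWebhook) validate(r *Instrumentation) (admission.Warnings
 default:
 return warnings, fmt.Errorf("spec.sampler.type is not valid: %s", r.Spec.Sampler.Type)
 }
+
+warnings = append(warnings, validateExporter(r.Spec.Exporter)...)
+
 return warnings, nil
 }
 
+func validateExporter(exporter Exporter) []string {
+var warnings []string
+if exporter.TLS != nil {
+tls := exporter.TLS
+if tls.Key != "" && tls.Cert == "" || tls.Cert != "" && tls.Key == "" {
+warnings = append(warnings, "both exporter.tls.key and exporter.tls.cert mut be set")
+}
+
+if !strings.HasPrefix(exporter.Endpoint, "https://") {
+warnings = append(warnings, "exporter.tls is configured but exporter.endpoint is not enabling TLS with https://")
+}
+}
+if strings.HasPrefix(exporter.Endpoint, "https://") && exporter.TLS == nil {
+warnings = append(warnings, "exporter is using https:// but exporter.tls is unset")
+}
+
+return warnings
+}
+
 func validateJaegerRemoteSamplerArgument(argument string) error {
 parts := strings.Split(argument, ",")
 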
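Review bot: The warning literal added in validateExporter, `"both exporter.tls.key and exporter.tls.cert mut be set"`, has a typo ("mut" for "must"); the same literal is asserted as an expected warning in apis/v1alpha1/instrumentation_webhook_test.go, so both must change together. The function also never checks that `SecretName` is set when `Cert` or `Key` are given as secret keys rather than absolute paths, which the new TLS field docs require; a guard such as `if tls.SecretName == "" && ((tls.Cert != "" && !strings.HasPrefix(tls.Cert, "/")) || (tls.Key != "" && !strings.HasPrefix(tls.Key, "/"))) { warnings = append(warnings, "exporter.tls.secretName must be set when exporter.tls.cert or exporter.tls.key are secret keys") }` would surface that misconfiguration at admission. The mixed `&&`/`||` condition on the key/cert line relies on operator precedence and would read better with explicit parentheses around each pair. The enclosing validate method starts outside the hunk.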

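--- a/apis/v1alpha1/instrumentation_webhook_test.go
+++ b/apis/v1alpha1/instrumentation_webhook_test.go
@@ -113,6 +113,94 @@ func TestInstrumentationValidatingWebhook(t *testing.T) {
 },
 },
 },
+{
+name: "exporter: tls cert set but missing key",
+inst: Instrumentation{
+Spec: InstrumentationSpec{
+Sampler: Sampler{
+Type: ParentBasedTraceIDRatio,
+Argument: "0.99",
+},
+Exporter: Exporter{
+Endpoint: "https://collector:4317",
+TLS: &TLS{
+Cert: "cert",
+},
+},
+},
+},
+warnings: []string{"both exporter.tls.key and exporter.tls.cert mut be set"},
+},
+{
+name: "exporter: tls key set but missing cert",
+inst: Instrumentation{
+Spec: InstrumentationSpec{
+Sampler: Sampler{
+Type: ParentBasedTraceIDRatio,
+Argument: "0.99",
+},
+Exporter: Exporter{
+Endpoint: "https://collector:4317",
+TLS: &TLS{
+Key: "key",
+},
+},
+},
+},
+warnings: []string{"both exporter.tls.key and exporter.tls.cert mut be set"},
+},
+{
+name: "exporter: tls set but using http://",
+inst: Instrumentation{
+Spec: InstrumentationSpec{
+Sampler: Sampler{
+Type: ParentBasedTraceIDRatio,
+Argument: "0.99",
+},
+Exporter: Exporter{
+Endpoint: "http://collector:4317",
+TLS: &TLS{
+Key: "key",
+Cert: "cert",
+},
+},
+},
+},
+warnings: []string{"exporter.tls is configured but exporter.endpoint is not enabling TLS with https://"},
+},
+{
+name: "exporter: exporter using http://, but the tls is nil",
+inst: Instrumentation{
+Spec: InstrumentationSpec{
+Sampler: Sampler{
+Type: ParentBasedTraceIDRatio,
+Argument: "0.99",
+},
+Exporter: Exporter{
+Endpoint: "https://collector:4317",
+},
+},
+},
+warnings: []string{"exporter is using https:// but exporter.tls is unset"},
+},
+{
+name: "exporter no warning set",
+inst: Instrumentation{
+Spec: InstrumentationSpec{
+Sampler: Sampler{
+Type: ParentBasedTraceIDRatio,
+Argument: "0.99",
+},
+Exporter: Exporter{
+Endpoint: "https://collector:4317",
+TLS: &TLS{
+Key: "key",
+Cert: "cert",
+},
+},
+},
+},
+},
 }
 
 for _, test := range tests {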
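Review bot: The case named "exporter: exporter using http://, but the tls is nil" feeds `Endpoint: "https://collector:4317"`, so the name contradicts the input and the warning it expects; rename it to `name: "exporter: exporter using https://, but the tls is nil",`. The expected string `"both exporter.tls.key and exporter.tls.cert mut be set"` in the first two cases repeats the typo from the webhook literal and has to be corrected in lockstep with it. No case exercises `Cert`/`Key` given as secret keys with `SecretName` empty, nor the absolute-path form the TLS field docs describe, so those branches of the contract are untested. The tests slice and the surrounding test function start outside the hunk.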

apis/v1alpha1/zz_generated.deepcopy.go

+21-1

bundle/community/manifests/opentelemetry-operator.clusterserviceversion.yaml

+3-1
@@ -99,7 +99,7 @@ metadata:
9999
categories: Logging & Tracing,Monitoring
100100
certified: "false"
101101
containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
102-
createdAt: "2024-10-08T09:52:53Z"
102+
createdAt: "2024-10-10T15:31:51Z"
103103
description: Provides the OpenTelemetry components, including the Collector
104104
operators.operatorframework.io/builder: operator-sdk-v1.29.0
105105
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -284,7 +284,9 @@ spec:
284284
- ""
285285
resources:
286286
- namespaces
287+
- secrets
287288
verbs:
289+
- get
288290
- list
289291
- watch
290292
- apiGroups:

bundle/community/manifests/opentelemetry.io_instrumentations.yaml

+13
@@ -409,6 +409,19 @@ spec:
409409
properties:
410410
endpoint:
411411
type: string
412+
tls:
413+
properties:
414+
ca:
415+
type: string
416+
cert:
417+
type: string
418+
configMapName:
419+
type: string
420+
key:
421+
type: string
422+
secretName:
423+
type: string
424+
type: object
412425
type: object
413426
go:
414427
properties:

bundle/openshift/manifests/opentelemetry-operator.clusterserviceversion.yaml

+3-1
@@ -99,7 +99,7 @@ metadata:
9999
categories: Logging & Tracing,Monitoring
100100
certified: "false"
101101
containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
102-
createdAt: "2024-10-08T09:52:57Z"
102+
createdAt: "2024-10-10T15:31:51Z"
103103
description: Provides the OpenTelemetry components, including the Collector
104104
operators.operatorframework.io/builder: operator-sdk-v1.29.0
105105
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -284,7 +284,9 @@ spec:
284284
- ""
285285
resources:
286286
- namespaces
287+
- secrets
287288
verbs:
289+
- get
288290
- list
289291
- watch
290292
- apiGroups:

bundle/openshift/manifests/opentelemetry.io_instrumentations.yaml

+13
@@ -409,6 +409,19 @@ spec:
409409
properties:
410410
endpoint:
411411
type: string
412+
tls:
413+
properties:
414+
ca:
415+
type: string
416+
cert:
417+
type: string
418+
configMapName:
419+
type: string
420+
key:
421+
type: string
422+
secretName:
423+
type: string
424+
type: object
412425
type: object
413426
go:
414427
properties:

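--- a/config/crd/bases/opentelemetry.io_instrumentations.yaml
+++ b/config/crd/bases/opentelemetry.io_instrumentations.yaml
@@ -407,6 +407,19 @@ spec:
 properties:
 endpoint:
 type: string
+tls:
+properties:
+ca:
+type: string
+cert:
+type: string
+configMapName:
+type: string
+key:
+type: string
+secretName:
+type: string
+type: object
 type: object
 go:
 properties: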

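--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -30,7 +30,9 @@ rules:
 - ""
 resources:
 - namespaces
+- secrets
 verbs:
+- get
 - list
 - watch
 - apiGroups: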
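Review bot: The added `- secrets` resource inherits the existing `list` and `watch` verbs alongside the new `get`, which grants the operator read access to every secret in the role's scope rather than only the secrets named in `spec.exporter.tls.secretName`; if this role is bound cluster-wide (the hunk does not show the kind), that is the broadest grant in the file and the one an auditor will ask about. If the controller only needs to read the named secret at injection time, `get` alone is sufficient and `list`/`watch` can be dropped by giving `secrets` its own rule; if an informer on secrets is genuinely required, a comment above the rule explaining why would justify it for reviewers. The same rule appears in the two bundle clusterserviceversion manifests in this commit, which appear to be regenerated from this file.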
