# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
2
+
change_type: enhancement
3
+
4
+
# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
5
+
component: target allocator, collector
6
+
7
+
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
8
+
note: "Enable mTLS between the TA and collector for passing secrets in the scrape_config securely"
9
+
10
+
# One or more tracking issues related to the change
11
+
issues: [1669]
12
+
13
+
# (Optional) One or more lines of additional information to render under the primary note.
14
+
# These lines will be padded with 2 spaces and then inserted directly into the document.
15
+
# Use pipe (|) for multiline entries.
16
+
subtext: |
17
+
This change enables mTLS between the collector and the target allocator (requires cert-manager).
18
+
This is necessary for passing secrets securely from the TA to the collector for scraping endpoints that have authentication.
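Review bot: the subtext says the change "requires cert-manager" but does not say whether mTLS is opt-in or now on by default, and that decides whether `change_type: enhancement` is the right entry; if a cluster without cert-manager stops working after this change, the header comment's `breaking` category applies instead. Suggest adding one line to the subtext stating how the feature is enabled and what happens on a cluster where cert-manager is absent, e.g. "mTLS is opt-in; when it is not enabled, existing behaviour is unchanged" (or the equivalent if it is mandatory).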
cmd/otel-allocator/README.md (+35 -2)
@@ -211,9 +211,42 @@ rules:
211
211
212
212
### Service / Pod monitor endpoint credentials
213
213
214
-
If your service or pod monitor endpoints require credentials or other supported form of authentication (bearer token, basic auth, OAuth2 etc.), you need to ensure that the collector has access to this information. Due to some limitations in how the endpoints configuration is handled, target allocator currently does **not** support credentials provided via secrets. It is only possible to provide credentials in a file (for more details see issue https://github.com/open-telemetry/opentelemetry-operator/issues/1669).
214
+
If your service or pod monitor endpoints require authentication (such as bearer tokens, basic auth, OAuth2, etc.), you must ensure that the collector has access to these credentials.
215
+
216
+
To secure the connection between the target allocator and the collector so that the secrets can be retrieved, mTLS is used. This involves the use of cert-manager to manage the CA, server, and client certificates.
217
+
218
+
Prerequisites:
219
+
- Ensure cert-manager is installed in your Kubernetes cluster.
220
+
- Grant RBAC Permissions:
221
+
222
+
- The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor.
223
+
224
+
- The operator needs the appropriate RBAC permissions to manage cert-manager resources. The following clusterRole can be used to grant the necessary permissions:
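Review bot: the prerequisite at "The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor" leaves the grant unspecified, and because it gives the target allocator read access to Secrets the doc should name the verbs and resources required and recommend a namespaced Role/RoleBinding limited to the namespaces holding the monitor credentials rather than a cluster-wide grant; a short manifest beside the operator's clusterRole would make this concrete. Separately, the removed paragraph carried the link to issue 1669 and the statement that file-based credentials were the supported path, while the replacement starting at "If your service or pod monitor endpoints require authentication" says neither how mTLS is turned on nor whether file-based credentials still work, so suggest one sentence on each so readers upgrading from the old behaviour know what changed.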