Commit b038590

ItielOlenick, dependabot[bot], janario, hesamhamdarsi, yuriolisa authored
Ta update configs to enable mtls (#3015)
* Initial commit * Added Cert Manager CRDs & RBAC validation and management * Added relevant resources and started adding tests * Bump github.com/gin-gonic/gin from 1.9.1 to 1.10.0 (#2953) Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.9.1 to 1.10.0. - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](gin-gonic/gin@v1.9.1...v1.10.0) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/prometheus/prometheus in the prometheus group (#2951) Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus). Updates `github.com/prometheus/prometheus` from 0.51.2 to 0.52.0 - [Release notes](https://github.com/prometheus/prometheus/releases) - [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md) - [Commits](prometheus/prometheus@v0.51.2...v0.52.0) --- updated-dependencies: - dependency-name: github.com/prometheus/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prometheus ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Support for collector readinessProbe (#2944) * enable readiness Probe for otel operator Signed-off-by: Janario Oliveira <[email protected]> * generate CRD and controller changes Signed-off-by: Janario Oliveira <[email protected]> * Adjusted code to be similar to Liveness logic Signed-off-by: Janario Oliveira <[email protected]> * Generated manifests Signed-off-by: Janario Oliveira <[email protected]> * Add changelog Signed-off-by: Janario Oliveira <[email protected]> * Fix lint Signed-off-by: Janario Oliveira <[email protected]> * Removed readinessProbe from alpha CRD Signed-off-by: Janario Oliveira <[email protected]> * Generated manifests Signed-off-by: Janario Oliveira <[email protected]> * Fix lint Signed-off-by: Janario Oliveira <[email protected]> * Centralized probe validation Signed-off-by: Janario Oliveira <[email protected]> --------- Signed-off-by: Janario Oliveira <[email protected]> Co-authored-by: hesam.hamdarsi <[email protected]> * Bump github.com/docker/docker (#2954) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.0.1+incompatible to 26.0.2+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v26.0.1...v26.0.2) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Added new Log Enconder Config (#2927) * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Log Enconder Config Signed-off-by: Yuri Sa <[email protected]> * Added new Debug doc Signed-off-by: Yuri Sa <[email protected]> --------- Signed-off-by: Yuri Sa <[email protected]> * [chore] move VineethReddy02 to emeritus (#2957) Signed-off-by: Juraci Paixão Kröhling <[email protected]> * Cleanup cluster roles and bindings (#2938) * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Fix Signed-off-by: Pavol Loffay <[email protected]> * Add test Signed-off-by: Pavol Loffay <[email protected]> --------- Signed-off-by: Pavol Loffay <[email protected]> * Fixed non-expected warnings on TA webhook. (#2962) Signed-off-by: Yuri Sa <[email protected]> * Verify ServiceMonitor and PodMonitor are installed in prom cr availability check (#2964) * Verify ServiceMonitor and PodMonitor are installed in prom cr availability check * Added changelog * Bump kyverno/action-install-chainsaw from 0.2.0 to 0.2.1 (#2968) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.0...v0.2.1) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix labels for Service Monitors (#2878) * Create a separate Service Monitor when the Prometheus exporter is present Signed-off-by: Israel Blancas <[email protected]> * Improve changelog Signed-off-by: Israel Blancas <[email protected]> * Fix prometheus-cr E2E test Signed-off-by: Israel Blancas <[email protected]> * Remove unused target Signed-off-by: Israel Blancas <[email protected]> * Add docstring Signed-off-by: Israel Blancas <[email protected]> * Fix typo Signed-off-by: Israel Blancas <[email protected]> * Change the label name Signed-off-by: Israel Blancas <[email protected]> * Change changelog description Signed-off-by: Israel Blancas <[email protected]> * Recover removed labels Signed-off-by: Israel Blancas <[email protected]> * Add missing labels Signed-off-by: Israel Blancas <[email protected]> * Remove wrong labels Signed-off-by: Israel Blancas <[email protected]> --------- Signed-off-by: Israel Blancas <[email protected]> * Prepare release 0.100.0 (#2960) * Prepare release 0.100.0 Signed-off-by: Vineeth Pothulapati <[email protected]> * update the chlog * update the chlog with #2877 merge --------- Signed-off-by: Vineeth Pothulapati <[email protected]> * [chore] Refactor allocation strategies (#2928) * Refactor consistent-hashing strategy * Refactor per-node strategy * Refactor least-weighted strategy * Minor allocation strategy refactor * Add some common allocation strategy tests * Fix collector and target reassignment * Minor allocator fixes * Add changelog entry * Fix an incorrect comment * Bring back webhook port (#2973) * add back webhook port * chlog * patch 0.100.1 (#2974) * Update the OpenTelemetry Java agent version to 2.4.0 (#2967) * simplify deletion logic (#2971) * Update maintainers in the operator hub PR (#2977) Signed-off-by: Pavol Loffay <[email protected]> * Support for kubernetes 1.30 version (#2975) 
* Support for kubernetes 1.30 version * Update makefile * [chore] Move TargetAllocator CRD to v1alpha1 (#2918) * [featuregate] Automatically set GOMEMLIMIT and GOMAXPROCS for collector, target allocator, opamp bridge (#2933) * set things * fix kustomize shim * restore, better chlog * Fix querying OpenShift user workload monitoring stack. (#2984) * Bump alpine from 3.19 to 3.20 (#2990) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump alpine from 3.19 to 3.20 in /cmd/operator-opamp-bridge (#2991) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#2987) Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.4.1...v1.4.2) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump kyverno/action-install-chainsaw from 0.2.1 to 0.2.2 (#2989) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.1 to 0.2.2. 
- [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump the otel group with 5 updates (#2986) Bumps the otel group with 5 updates: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | | [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` | Updates `go.opentelemetry.io/otel` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/metric` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - 
[Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/sdk` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.26.0 to 1.27.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump alpine from 3.19 to 3.20 in /cmd/otel-allocator (#2992) Bumps alpine from 3.19 to 3.20. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Keep multiple versions of Collector Config (#2946) * Prepare v0.101.0 release (#2994) * Prepare v0.101.0 release * Undo kustomize stuff * Undo kustomize stuff again * Undo kustomize stuff again * Apply feedback * Add crd metrics usage information (#2825) * Add crd metrics usage information Signed-off-by: Ruben Vargas <[email protected]> * Add mode metric Signed-off-by: Ruben Vargas <[email protected]> * Refactor CR metrics Signed-off-by: Ruben Vargas <[email protected]> * Add annotation to avoid generate Metrics Signed-off-by: Ruben Vargas <[email protected]> * Add unit tests Signed-off-by: Ruben Vargas <[email protected]> * remove space Signed-off-by: Ruben Vargas <[email protected]> * remove global provider Signed-off-by: Ruben Vargas <[email protected]> * Update main.go Co-authored-by: Israel Blancas <[email protected]> * revert kusttomization.yaml Signed-off-by: Ruben Vargas <[email protected]> * rename some constants Signed-off-by: Ruben Vargas <[email protected]> * Add connectors metrics Signed-off-by: Ruben Vargas <[email protected]> * Update chlog Signed-off-by: Ruben Vargas <[email protected]> * merge new with init, rename some functions, improve changelog entry Signed-off-by: Ruben Vargas <[email protected]> * improve todo comment Signed-off-by: Ruben Vargas <[email protected]> * fix tests Signed-off-by: Ruben Vargas <[email protected]> * set flag to default false Signed-off-by: Ruben Vargas <[email protected]> * fix lint issues Signed-off-by: Ruben Vargas <[email protected]> * breaking line Signed-off-by: Ruben Vargas <[email protected]> * Use api reader to avoid cache issues Signed-off-by: Ruben Vargas <[email protected]> * Add info metric to changelog entry Signed-off-by: Ruben Vargas <[email protected]> --------- Signed-off-by: Ruben Vargas <[email protected]> Co-authored-by: Israel Blancas <[email protected]> * 
Update selector documentation for Target Allocator (#3001) * Bump github.com/prometheus/prometheus in the prometheus group (#3004) Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus). Updates `github.com/prometheus/prometheus` from 0.52.0 to 0.52.1 - [Release notes](https://github.com/prometheus/prometheus/releases) - [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md) - [Commits](prometheus/prometheus@v0.52.0...v0.52.1) --- updated-dependencies: - dependency-name: github.com/prometheus/prometheus dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prometheus ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump kyverno/action-install-chainsaw from 0.2.2 to 0.2.3 (#3003) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.2 to 0.2.3. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](kyverno/action-install-chainsaw@v0.2.2...v0.2.3) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Introduce simplified parsers (#2972) * Bump go.opentelemetry.io/otel/exporters/prometheus in the otel group (#3005) Bumps the otel group with 1 update: [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go). 
Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.48.0 to 0.49.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@example/prometheus/v0.48.0...example/prometheus/v0.49.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump go.uber.org/zap from 1.26.0 to 1.27.0 (#3006) Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.26.0 to 1.27.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](uber-go/zap@v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update Kafka version in e2e test (#3009) * [chore] Bump opentelemetry-autoinstrumentation-python to 0.45b0 (#3000) * chore: Bump opentelemetry-autoinstrumentation-python to 0.45b0 * [chore] add psycopg==0.45b0 * Fix annotation/label filter setting (#3008) * fix how options are loaded by removing special casing * oop * chlog * update to specific test * oop * Added Cert Manager CRDs & RBAC validation and management * Added relevant resources and started adding tests * minor change * Minor change * minor change * Cleanup * Cleanup, go tidy and resolved conflics * Restored local dev changes * Refactored, removed init container, minor changes * Use correct files in TLS config * Added default value to getHttpsListenAddr * Added flag to enable mTLS between the Target Allocator and the Collector. go mod cleanup * Using the enable mTLS flag * Using feature gate in place of command line flags to enable the feature * Removed flag from manager yaml * Added featuregate func description * Initial unit/e2e tests. 
some cleanup * Using TA params * Cleanup makefile from local changes * Added step to create cert manager RBAC for e2e mtls tests * Using Kustomize for patching certmanager permissions * Cleanup chainsaw test * Cleanup chainsaw tests * e2e test case verifying Collector got secret from TA over mTLS * Added changelog, fixed unit tests * restored makefile * Renamed fg import * Linting rules for imports * Added more tests, updated the readme * Added steps in e2e tests for new app * Ran go mod tidy * Added new variable to test TA's AddTAConfigToPromConfig * Setting otel-col-contrib 0.108.0 in e2e test until operator gets updated * Update pkg/featuregate/featuregate.go Co-authored-by: Jacob Aronoff <[email protected]> * Added https, serviceMonitor and tls resources assertions to e2e tests * Using namespaced names for ClusterRoles * Cleanup * Added CertManager resources unit tests * Added unit tests and e2e assertions * Added missing assertion call * Update 00-install.yaml Removed collector image override for e2e test * Update pkg/featuregate/featuregate.go Co-authored-by: Mikołaj Świątek <[email protected]> * Minor fixes * Fixed tests referencing logging exporter * Moved mTLS file naming consts * Added missing curly bracket * Update TA-update-configs-to-enable-mtls.yaml * Update pkg/featuregate/featuregate.go Co-authored-by: Mikołaj Świątek <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Janario Oliveira <[email protected]> Signed-off-by: Yuri Sa <[email protected]> Signed-off-by: Juraci Paixão Kröhling <[email protected]> Signed-off-by: Pavol Loffay <[email protected]> Signed-off-by: Israel Blancas <[email protected]> Signed-off-by: Vineeth Pothulapati <[email protected]> Signed-off-by: Ruben Vargas <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Janario Oliveira <[email protected]> Co-authored-by: hesam.hamdarsi <[email protected]> Co-authored-by: Yuri 
Sa <[email protected]> Co-authored-by: Juraci Paixão Kröhling <[email protected]> Co-authored-by: Pavol Loffay <[email protected]> Co-authored-by: Aksel Skaar Leirvaag <[email protected]> Co-authored-by: Israel Blancas <[email protected]> Co-authored-by: Vineeth Pothulapati <[email protected]> Co-authored-by: Mikołaj Świątek <[email protected]> Co-authored-by: Jacob Aronoff <[email protected]> Co-authored-by: OpenTelemetry Bot <[email protected]> Co-authored-by: Vasi Vasireddy <[email protected]> Co-authored-by: Ishwar Kanse <[email protected]> Co-authored-by: Matt Hagenbuch <[email protected]> Co-authored-by: Tyler Helmuth <[email protected]> Co-authored-by: Ruben Vargas <[email protected]> Co-authored-by: brandonkzw <[email protected]> Co-authored-by: Mikołaj Świątek <[email protected]>
1 parent 65b40cb commit b038590

58 files changed, +2706 -71 lines changed
@@ -0,0 +1,18 @@
1+
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
2+
change_type: enhancement
3+
4+
# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
5+
component: target allocator, collector
6+
7+
# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
8+
note: "Enable mTLS between the TA and collector for passing secrets in the scrape_config securely"
9+
10+
# One or more tracking issues related to the change
11+
issues: [1669]
12+
13+
# (Optional) One or more lines of additional information to render under the primary note.
14+
# These lines will be padded with 2 spaces and then inserted directly into the document.
15+
# Use pipe (|) for multiline entries.
16+
subtext: |
17+
This change enables mTLS between the collector and the target allocator (requires cert-manager).
18+
This is necessary for passing secrets securely from the TA to the collector for scraping endpoints that have authentication.
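Review bot: the `subtext` names cert-manager as the only requirement, but the README change in this same commit also asks for the `operator.targetallocator.mtls` feature gate and for extra RBAC on both the operator and the target allocator. A reader of the changelog alone will not learn that the feature has to be switched on; add a line to `subtext` naming the gate and pointing at the README prerequisites.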

.github/workflows/e2e.yaml

+3
@@ -34,13 +34,16 @@ jobs:
3434
- e2e-upgrade
3535
- e2e-multi-instrumentation
3636
- e2e-metadata-filters
37+
- e2e-ta-collector-mtls
3738
include:
3839
- group: e2e-instrumentation
3940
setup: "add-instrumentation-params prepare-e2e"
4041
- group: e2e-multi-instrumentation
4142
setup: "add-instrumentation-params prepare-e2e"
4243
- group: e2e-metadata-filters
4344
setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=.*filter.out --annotations-filter=config.*.gke.io.* --labels-filter=.*filter.out' prepare-e2e"
45+
- group: e2e-ta-collector-mtls
46+
setup: "add-operator-arg OPERATOR_ARG='--feature-gates=operator.targetallocator.mtls' add-certmanager-permissions prepare-e2e"
4447
- group: e2e-automatic-rbac
4548
setup: "add-rbac-permissions-to-operator prepare-e2e"
4649
steps:
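Review bot: in the new `e2e-ta-collector-mtls` include entry, the `setup` string only works if `add-certmanager-permissions` runs before `prepare-e2e`, because that target patches `config/rbac` (see the Makefile hunk), and nothing here records the ordering requirement. A one-line YAML comment above the entry would help; if `prepare-e2e` is what renders `config/rbac`, a later reorder would deploy the operator without the cert-manager rules and the failure would surface far from its cause.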

.gitignore

+2-2
@@ -1,4 +1,3 @@
1-
21
# Binaries for programs and plugins
32
*.exe
43
*.exe~
@@ -39,8 +38,9 @@ config/manager/kustomization.yaml
3938
kubeconfig
4039
tests/_build/
4140
config/rbac/extra-permissions-operator/
41+
config/rbac/certmanager-permissions/
4242

4343
# autoinstrumentation artifacts
4444
build
4545
node_modules
46-
package-lock.json
46+
package-lock.json
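Review bot: the `package-lock.json` removal and re-addition at the end of this hunk changes no visible content (presumably only the end-of-file newline) and has nothing to do with mTLS; drop it, together with the blank-line removal at the top of the file, so the diff carries only the new `config/rbac/certmanager-permissions/` entry. Since that directory is now ignored, a stale copy left behind by `add-certmanager-permissions` will not appear in `git status`, so a matching cleanup step would be worth adding.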

Makefile

+12
@@ -312,6 +312,18 @@ e2e-prometheuscr: chainsaw
312312
e2e-targetallocator: chainsaw
313313
$(CHAINSAW) test --test-dir ./tests/e2e-targetallocator
314314

315+
.PHONY: add-certmanager-permissions
316+
add-certmanager-permissions:
317+
# Kustomize only allows patches in the folder where the kustomization is located
318+
# This folder is ignored by .gitignore
319+
cp -r tests/e2e-ta-collector-mtls/certmanager-permissions config/rbac/certmanager-permissions
320+
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path certmanager-permissions/certmanager.yaml
321+
322+
# Target allocator collector mTLS end-to-tests
323+
.PHONY: e2e-ta-collector-mtls
324+
e2e-ta-collector-mtls: chainsaw
325+
$(CHAINSAW) test --test-dir ./tests/e2e-ta-collector-mtls
326+
315327
# end-to-end-test for Annotations/Labels Filters
316328
.PHONY: e2e-metadata-filters
317329
e2e-metadata-filters: chainsaw
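Review bot: `add-certmanager-permissions` is not idempotent. When `config/rbac/certmanager-permissions` already exists, `cp -r` copies the source directory inside it, so the `--path certmanager-permissions/certmanager.yaml` patch can point at a stale file, and `kustomize edit add patch` is applied again on every run. Remove the destination first (or copy the directory contents), and note that the target edits the kustomization in `config/rbac`: if that file is tracked, a local run leaves the cert-manager patch staged for an accidental commit. The comment "end-to-tests" should read "end-to-end tests".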

cmd/otel-allocator/README.md

+35-2
@@ -211,9 +211,42 @@ rules:
211211

212212
### Service / Pod monitor endpoint credentials
213213

214-
If your service or pod monitor endpoints require credentials or other supported form of authentication (bearer token, basic auth, OAuth2 etc.), you need to ensure that the collector has access to this information. Due to some limitations in how the endpoints configuration is handled, target allocator currently does **not** support credentials provided via secrets. It is only possible to provide credentials in a file (for more details see issue https://github.com/open-telemetry/opentelemetry-operator/issues/1669).
214+
If your service or pod monitor endpoints require authentication (such as bearer tokens, basic auth, OAuth2, etc.), you must ensure that the collector has access to these credentials.
215+
216+
To secure the connection between the target allocator and the collector so that the secrets can be retrieved, mTLS is used. This involves the use of cert-manager to manage the CA, server, and client certificates.
217+
218+
Prerequisites:
219+
- Ensure cert-manager is installed in your Kubernetes cluster.
220+
- Grant RBAC Permissions:
221+
222+
- The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor.
223+
224+
- The operator needs the appropriate RBAC permissions to manage cert-manager resources. The following clusterRole can be used to grant the necessary permissions:
225+
226+
```yaml
227+
apiVersion: rbac.authorization.k8s.io/v1
228+
kind: ClusterRole
229+
metadata:
230+
name: opentelemetry-operator-controller-manager-cert-manager-role
231+
rules:
232+
- apiGroups:
233+
- cert-manager.io
234+
resources:
235+
- issuers
236+
- certificaterequests
237+
- certificates
238+
verbs:
239+
- create
240+
- get
241+
- list
242+
- watch
243+
- update
244+
- patch
245+
- delete
246+
```
247+
248+
- Enable the `operator.targetallocator.mtls` feature gate in the operator's deployment.
215249

216-
In order to ensure your endpoints can be scraped, your collector instance needs to have the particular secret mounted as a file at the correct path.
217250

218251

219252
# Design
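Review bot: the prerequisite "The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor" gives no guidance on scope, and the natural reading is a cluster-wide `get` on secrets. Please show a namespaced Role (ideally with `resourceNames`) next to the cert-manager ClusterRole so the documented default is least privilege. Two further points: the removed paragraphs described mounting the secret as a file, and the new text no longer says what to do when the `operator.targetallocator.mtls` gate is not enabled; and the ClusterRole grants `create`, `update`, `patch` and `delete` on `issuers`, `certificaterequests` and `certificates` across the cluster, so it is worth stating which of those the operator actually uses.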

cmd/otel-allocator/config/config.go

+15-10
@@ -115,29 +115,34 @@ func LoadFromCLI(target *Config, flagSet *pflag.FlagSet) error {
115115
target.PrometheusCR.Enabled = prometheusCREnabled
116116
}
117117

118-
target.HTTPS.Enabled, err = getHttpsEnabled(flagSet)
119-
if err != nil {
118+
if httpsEnabled, changed, err := getHttpsEnabled(flagSet); err != nil {
120119
return err
120+
} else if changed {
121+
target.HTTPS.Enabled = httpsEnabled
121122
}
122123

123-
target.HTTPS.ListenAddr, err = getHttpsListenAddr(flagSet)
124-
if err != nil {
124+
if listenAddrHttps, changed, err := getHttpsListenAddr(flagSet); err != nil {
125125
return err
126+
} else if changed {
127+
target.HTTPS.ListenAddr = listenAddrHttps
126128
}
127129

128-
target.HTTPS.CAFilePath, err = getHttpsCAFilePath(flagSet)
129-
if err != nil {
130+
if caFilePath, changed, err := getHttpsCAFilePath(flagSet); err != nil {
130131
return err
132+
} else if changed {
133+
target.HTTPS.CAFilePath = caFilePath
131134
}
132135

133-
target.HTTPS.TLSCertFilePath, err = getHttpsTLSCertFilePath(flagSet)
134-
if err != nil {
136+
if tlsCertFilePath, changed, err := getHttpsTLSCertFilePath(flagSet); err != nil {
135137
return err
138+
} else if changed {
139+
target.HTTPS.TLSCertFilePath = tlsCertFilePath
136140
}
137141

138-
target.HTTPS.TLSKeyFilePath, err = getHttpsTLSKeyFilePath(flagSet)
139-
if err != nil {
142+
if tlsKeyFilePath, changed, err := getHttpsTLSKeyFilePath(flagSet); err != nil {
140143
return err
144+
} else if changed {
145+
target.HTTPS.TLSKeyFilePath = tlsKeyFilePath
141146
}
142147

143148
return nil
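Review bot: after the five guarded assignments, `LoadFromCLI` goes straight to `return nil` without checking that the merged HTTPS settings are usable. With values now coming from either the file or the flags, it is possible to end up with `target.HTTPS.Enabled` true and an empty `CAFilePath`, `TLSCertFilePath` or `TLSKeyFilePath`. Add a check before the return that fails with an error in that case, so a misconfigured target allocator refuses to start instead of depending on how the server handles empty paths.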

cmd/otel-allocator/config/config_test.go

+1
@@ -64,6 +64,7 @@ func TestLoad(t *testing.T) {
6464
},
6565
HTTPS: HTTPSServerConfig{
6666
Enabled: true,
67+
ListenAddr: ":8443",
6768
CAFilePath: "/path/to/ca.pem",
6869
TLSCertFilePath: "/path/to/cert.pem",
6970
TLSKeyFilePath: "/path/to/key.pem",
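Review bot: the added `ListenAddr: ":8443"` expectation only covers the value read from the config file. The behaviour this commit changes is precedence: a flag that was not set must leave the file value alone, and a flag that was set must override it. Add cases to `TestLoad` for both, for example a file with `listen_addr` plus an explicit HTTPS listen-address flag, so a regression in the `changed` handling is caught.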

cmd/otel-allocator/config/flags.go

+35-10
@@ -78,22 +78,47 @@ func getPrometheusCREnabled(flagSet *pflag.FlagSet) (value bool, changed bool, e
7878
return
7979
}
8080

81-
func getHttpsListenAddr(flagSet *pflag.FlagSet) (string, error) {
82-
return flagSet.GetString(listenAddrHttpsFlagName)
81+
func getHttpsListenAddr(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
82+
if changed = flagSet.Changed(listenAddrHttpsFlagName); !changed {
83+
value, err = ":8443", nil
84+
return
85+
}
86+
value, err = flagSet.GetString(listenAddrHttpsFlagName)
87+
return
8388
}
8489

85-
func getHttpsEnabled(flagSet *pflag.FlagSet) (bool, error) {
86-
return flagSet.GetBool(httpsEnabledFlagName)
90+
func getHttpsEnabled(flagSet *pflag.FlagSet) (value bool, changed bool, err error) {
91+
if changed = flagSet.Changed(httpsEnabledFlagName); !changed {
92+
value, err = false, nil
93+
return
94+
}
95+
value, err = flagSet.GetBool(httpsEnabledFlagName)
96+
return
8797
}
8898

89-
func getHttpsCAFilePath(flagSet *pflag.FlagSet) (string, error) {
90-
return flagSet.GetString(httpsCAFilePathFlagName)
99+
func getHttpsCAFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
100+
if changed = flagSet.Changed(httpsCAFilePathFlagName); !changed {
101+
value, err = "", nil
102+
return
103+
}
104+
value, err = flagSet.GetString(httpsCAFilePathFlagName)
105+
return
91106
}
92107

93-
func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (string, error) {
94-
return flagSet.GetString(httpsTLSCertFilePathFlagName)
108+
func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
109+
if changed = flagSet.Changed(httpsTLSCertFilePathFlagName); !changed {
110+
value, err = "", nil
111+
return
112+
}
113+
value, err = flagSet.GetString(httpsTLSCertFilePathFlagName)
114+
return
95115
}
96116

97-
func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (string, error) {
98-
return flagSet.GetString(httpsTLSKeyFilePathFlagName)
117+
func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
118+
if changed = flagSet.Changed(httpsTLSKeyFilePathFlagName); !changed {
119+
value, err = "", nil
120+
return
121+
}
122+
value, err = flagSet.GetString(httpsTLSKeyFilePathFlagName)
123+
return
99124
}
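Review bot: in each getter the `!changed` branch returns a hard-coded default (`":8443"`, `false`, `""`) that `LoadFromCLI` then ignores, because it assigns only when `changed` is true. These literals duplicate whatever defaults the flags are registered with and can drift from them; return the zero value, or read the registered default from the flag set, and document on the function that `value` is meaningful only when `changed` is true. The `err = nil` half of `value, err = ":8443", nil` is redundant with named returns, and the five bodies differ only in flag name and type, so a single helper would remove the repetition.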

cmd/otel-allocator/config/flags_test.go

+8-2
@@ -77,13 +77,19 @@ func TestFlagGetters(t *testing.T) {
7777
name: "HttpsServer",
7878
flagArgs: []string{"--" + httpsEnabledFlagName, "true"},
7979
expectedValue: true,
80-
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsEnabled(fs) },
80+
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
81+
value, _, err := getHttpsEnabled(fs)
82+
return value, err
83+
},
8184
},
8285
{
8386
name: "HttpsServerKey",
8487
flagArgs: []string{"--" + httpsTLSKeyFilePathFlagName, "/path/to/tls.key"},
8588
expectedValue: "/path/to/tls.key",
86-
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsTLSKeyFilePath(fs) },
89+
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
90+
value, _, err := getHttpsTLSKeyFilePath(fs)
91+
return value, err
92+
},
8793
},
8894
}
8995

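Review bot: both updated `getterFunc` closures discard the new second return value (`value, _, err := ...`), so the `changed` result that `LoadFromCLI` now depends on is never asserted. Extend the table with an expected `changed` field, and add a case with no flag arguments for `getHttpsEnabled` and `getHttpsListenAddr` to pin down what is returned when the flag is absent.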
cmd/otel-allocator/config/testdata/config_test.yaml

+1
@@ -7,6 +7,7 @@ prometheus_cr:
77
scrape_interval: 60s
88
https:
99
enabled: true
10+
listen_addr: :8443
1011
ca_file_path: /path/to/ca.pem
1112
tls_cert_file_path: /path/to/cert.pem
1213
tls_key_file_path: /path/to/key.pem
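Review bot: `listen_addr: :8443` relies on a plain scalar that begins with a colon. It parses as the string `:8443`, but it is easy to misread and fragile under editing; quote it as `listen_addr: ":8443"` to match how the value is written in `config_test.go`.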
