open-telemetry
diff --git a/Diff for: ‎.chloggen/3380-ta-serviceaccount-check.yaml
+16 b/Diff for: ‎.chloggen/3380-ta-serviceaccount-check.yaml
+16
diff --git a/Diff for: ‎.chloggen/3384-build-musl-python-autoinstrumentation.yaml
+16 b/Diff for: ‎.chloggen/3384-build-musl-python-autoinstrumentation.yaml
+16
diff --git a/Diff for: ‎.chloggen/httpd_safe_conf.yaml
+16 b/Diff for: ‎.chloggen/httpd_safe_conf.yaml
+16
diff --git a/Diff for: ‎.chloggen/kubeletstats.yaml
+16 b/Diff for: ‎.chloggen/kubeletstats.yaml
+16
diff --git a/Diff for: ‎Makefile
+4-1 b/Diff for: ‎Makefile
+4-1
diff --git a/Diff for: ‎README.md
+3-47 b/Diff for: ‎README.md
+3-47
diff --git a/Diff for: ‎RELEASE.md
+1-1 b/Diff for: ‎RELEASE.md
+1-1
diff --git a/Diff for: ‎apis/v1alpha1/targetallocator_webhook.go
+6-1 b/Diff for: ‎apis/v1alpha1/targetallocator_webhook.go
+6-1
diff --git a/Diff for: ‎apis/v1alpha1/targetallocator_webhook_test.go
+16-12 b/Diff for: ‎apis/v1alpha1/targetallocator_webhook_test.go
+16-12
diff --git a/Diff for: ‎apis/v1beta1/collector_webhook.go
+6-1 b/Diff for: ‎apis/v1beta1/collector_webhook.go
+6-1
diff --git a/Diff for: ‎apis/v1beta1/collector_webhook_test.go
+16-12 b/Diff for: ‎apis/v1beta1/collector_webhook_test.go
+16-12
diff --git a/Diff for: ‎apis/v1beta1/targetallocator_rbac.go
+1-1 b/Diff for: ‎apis/v1beta1/targetallocator_rbac.go
+1-1
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Permission check fixed for the serviceaccount of the target allocator"
+
+# One or more tracking issues related to the change
+issues: [3380]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: auto-instrumentation
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: build musl based auto-instrumentation in Python docker image
+
+# One or more tracking issues related to the change
+issues: [2264]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: 'enhancement'
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: 'auto-instrumentation'
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: 'An empty line should come before the addition of Include ...opentemetry_agent.conf, as a protection measure against cases of httpd.conf w/o a blank last line'
+
+# One or more tracking issues related to the change
+issues: [3401]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Add automatic RBAC creation for the `kubeletstats` receiver."
+
+# One or more tracking issues related to the change
+issues: [3155]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -204,9 +204,12 @@ add-image-opampbridge:
 add-rbac-permissions-to-operator: manifests kustomize
 	# Kustomize only allows patches in the folder where the kustomization is located
 	# This folder is ignored by .gitignore
-	cp -r tests/e2e-automatic-rbac/extra-permissions-operator/ config/rbac/extra-permissions-operator
+	mkdir -p config/rbac/extra-permissions-operator
+	cp -r tests/e2e-automatic-rbac/extra-permissions-operator/* config/rbac/extra-permissions-operator
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/namespaces.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes-stats.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes-proxy.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/rbac.yaml
 	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/replicaset.yaml
 
 
@@ -790,53 +790,9 @@ The priority for setting resource attributes is as follows (first found wins):
 This priority is applied for each resource attribute separately, so it is possible to set some attributes via
 annotations and others via labels.
 
-## Compatibility matrix
-
-### OpenTelemetry Operator vs. OpenTelemetry Collector
-
-The OpenTelemetry Operator follows the same versioning as the operand (OpenTelemetry Collector) up to the minor part of the version. For example, the OpenTelemetry Operator v0.18.1 tracks OpenTelemetry Collector 0.18.0. The patch part of the version indicates the patch level of the operator itself, not that of OpenTelemetry Collector. Whenever a new patch version is released for OpenTelemetry Collector, we'll release a new patch version of the operator.
-
-By default, the OpenTelemetry Operator ensures consistent versioning between itself and the managed `OpenTelemetryCollector` resources. That is, if the OpenTelemetry Operator is based on version `0.40.0`, it will create resources with an underlying OpenTelemetry Collector at version `0.40.0`.
-
-When a custom `Spec.Image` is used with an `OpenTelemetryCollector` resource, the OpenTelemetry Operator will not manage this versioning and upgrading. In this scenario, it is best practice that the OpenTelemetry Operator version should match the underlying core version. Given a `OpenTelemetryCollector` resource with a `Spec.Image` configured to a custom image based on underlying OpenTelemetry Collector at version `0.40.0`, it is recommended that the OpenTelemetry Operator is kept at version `0.40.0`.
-
-### OpenTelemetry Operator vs. Kubernetes vs. Cert Manager vs Prometheus Operator
-
-We strive to be compatible with the widest range of Kubernetes versions as possible, but some changes to Kubernetes itself require us to break compatibility with older Kubernetes versions, be it because of code incompatibilities, or in the name of maintainability. Every released operator will support a specific range of Kubernetes versions, to be determined at the latest during the release.
-
-We use `cert-manager` for some features of this operator and the third column shows the versions of the `cert-manager` that are known to work with this operator's versions.
-
-The Target Allocator supports prometheus-operator CRDs like ServiceMonitor, and it does so by using packages imported from prometheus-operator itself. The table shows which version is shipped with a given operator version.
-Generally speaking, these are backwards compatible, but specific features require the appropriate package versions.
-
-The OpenTelemetry Operator _might_ work on versions outside of the given range, but when opening new issues, please make sure to test your scenario on a supported version.
-
-| OpenTelemetry Operator | Kubernetes     | Cert-Manager | Prometheus-Operator |
-|------------------------|----------------| ------------ |---------------------|
-| v0.111.0               | v1.23 to v1.31 | v1           | v0.76.0             |
-| v0.110.0               | v1.23 to v1.31 | v1           | v0.76.0             |
-| v0.109.0               | v1.23 to v1.31 | v1           | v0.76.0             |
-| v0.108.0               | v1.23 to v1.31 | v1           | v0.76.0             |
-| v0.107.0               | v1.23 to v1.30 | v1           | v0.75.0             |
-| v0.106.0               | v1.23 to v1.30 | v1           | v0.75.0             |
-| v0.105.0               | v1.23 to v1.30 | v1           | v0.74.0             |
-| v0.104.0               | v1.23 to v1.30 | v1           | v0.74.0             |
-| v0.103.0               | v1.23 to v1.30 | v1           | v0.74.0             |
-| v0.102.0               | v1.23 to v1.30 | v1           | v0.71.2             |
-| v0.101.0               | v1.23 to v1.30 | v1           | v0.71.2             |
-| v0.100.0               | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.99.0                | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.98.0                | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.97.0                | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.96.0                | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.95.0                | v1.23 to v1.29 | v1           | v0.71.2             |
-| v0.94.0                | v1.23 to v1.29 | v1           | v0.71.0             |
-| v0.93.0                | v1.23 to v1.29 | v1           | v0.71.0             |
-| v0.92.0                | v1.23 to v1.29 | v1           | v0.71.0             |
-| v0.91.0                | v1.23 to v1.29 | v1           | v0.70.0             |
-| v0.90.0                | v1.23 to v1.28 | v1           | v0.69.1             |
-| v0.89.0                | v1.23 to v1.28 | v1           | v0.69.1             |
-| v0.88.0                | v1.23 to v1.28 | v1           | v0.68.0             |
+## Compatibility 
+
+See [here](docs/compatibility.md).
 
 ## Contributing and Developing
 
 
@@ -12,7 +12,7 @@ Steps to release a new version of the OpenTelemetry Operator:
         > DO NOT BUMP JAVA PAST `1.X.X` AND DO NOT BUMP .NET PAST `1.2.0`. Upgrades past these versions will introduce breaking HTTP semantic convention changes.
    1. Check if the compatible OpenShift versions are updated in the `Makefile`.
    1. Update the bundle by running `make bundle VERSION=$VERSION`.
-   1. Change the compatibility matrix in the [readme](./README.md) file, using the OpenTelemetry Operator version to be released and the current latest Kubernetes version as the latest supported version. Remove the oldest entry.
+   1. Change the compatibility matrix in the [compatibility doc](./docs/compatibility.md) file, using the OpenTelemetry Operator version to be released and the current latest Kubernetes version as the latest supported version. Remove the oldest entry.
    1. Update release schedule table, by moving the current release manager to the end of the table with updated release version.
    1. Add the changes to the changelog by running `make chlog-update VERSION=$VERSION`.
    1. Check the OpenTelemetry Collector's changelog and ensure migration steps are present in `pkg/collector/upgrade`
 
@@ -26,6 +26,7 @@ import (
 
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/naming"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 )
 
@@ -119,7 +120,11 @@ func (w TargetAllocatorWebhook) validate(ctx context.Context, ta *TargetAllocato
 
 	// if the prometheusCR is enabled, it needs a suite of permissions to function
 	if ta.Spec.PrometheusCR.Enabled {
-		warnings, err := v1beta1.CheckTargetAllocatorPrometheusCRPolicyRules(ctx, w.reviewer, ta.Spec.ServiceAccount, ta.GetNamespace())
+		saname := ta.Spec.ServiceAccount
+		if len(ta.Spec.ServiceAccount) == 0 {
+			saname = naming.TargetAllocatorServiceAccount(ta.Name)
+		}
+		warnings, err := v1beta1.CheckTargetAllocatorPrometheusCRPolicyRules(ctx, w.reviewer, ta.GetNamespace(), saname)
 		if err != nil || len(warnings) > 0 {
 			return warnings, err
 		}
 
@@ -224,25 +224,29 @@ func TestTargetAllocatorValidatingWebhook(t *testing.T) {
 			name:          "prom CR admissions warning",
 			shouldFailSar: true, // force failure
 			targetallocator: TargetAllocator{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-ta",
+					Namespace: "test-ns",
+				},
 				Spec: TargetAllocatorSpec{
 					PrometheusCR: v1beta1.TargetAllocatorPrometheusCR{
 						Enabled: true,
 					},
 				},
 			},
 			expectedWarnings: []string{
-				"missing the following rules for monitoring.coreos.com/servicemonitors: [*]",
-				"missing the following rules for monitoring.coreos.com/podmonitors: [*]",
-				"missing the following rules for nodes/metrics: [get,list,watch]",
-				"missing the following rules for services: [get,list,watch]",
-				"missing the following rules for endpoints: [get,list,watch]",
-				"missing the following rules for namespaces: [get,list,watch]",
-				"missing the following rules for networking.k8s.io/ingresses: [get,list,watch]",
-				"missing the following rules for nodes: [get,list,watch]",
-				"missing the following rules for pods: [get,list,watch]",
-				"missing the following rules for configmaps: [get]",
-				"missing the following rules for discovery.k8s.io/endpointslices: [get,list,watch]",
-				"missing the following rules for nonResourceURL: /metrics: [get]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - monitoring.coreos.com/servicemonitors: [*]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - monitoring.coreos.com/podmonitors: [*]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - nodes/metrics: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - services: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - endpoints: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - namespaces: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - networking.k8s.io/ingresses: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - nodes: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - pods: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - configmaps: [get]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - discovery.k8s.io/endpointslices: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:test-ta-targetallocator - nonResourceURL: /metrics: [get]",
 			},
 		},
 		{
 
@@ -29,6 +29,7 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
 	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	ta "github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator/adapters"
+	"github.com/open-telemetry/opentelemetry-operator/internal/naming"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 	"github.com/open-telemetry/opentelemetry-operator/pkg/featuregate"
 )
@@ -341,8 +342,12 @@ func (c CollectorWebhook) validateTargetAllocatorConfig(ctx context.Context, r *
 	}
 	// if the prometheusCR is enabled, it needs a suite of permissions to function
 	if r.Spec.TargetAllocator.PrometheusCR.Enabled {
+		saname := r.Spec.TargetAllocator.ServiceAccount
+		if len(r.Spec.TargetAllocator.ServiceAccount) == 0 {
+			saname = naming.TargetAllocatorServiceAccount(r.Name)
+		}
 		warnings, err := CheckTargetAllocatorPrometheusCRPolicyRules(
-			ctx, c.reviewer, r.Spec.TargetAllocator.ServiceAccount, r.GetNamespace())
+			ctx, c.reviewer, r.GetNamespace(), saname)
 		if err != nil || len(warnings) > 0 {
 			return warnings, err
 		}
 
@@ -651,6 +651,10 @@ func TestOTELColValidatingWebhook(t *testing.T) {
 			name:          "prom CR admissions warning",
 			shouldFailSar: true, // force failure
 			otelcol: v1beta1.OpenTelemetryCollector{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "adm-warning",
+					Namespace: "test-ns",
+				},
 				Spec: v1beta1.OpenTelemetryCollectorSpec{
 					Mode: v1beta1.ModeStatefulSet,
 					OpenTelemetryCommonFields: v1beta1.OpenTelemetryCommonFields{
@@ -693,18 +697,18 @@ func TestOTELColValidatingWebhook(t *testing.T) {
 				},
 			},
 			expectedWarnings: []string{
-				"missing the following rules for monitoring.coreos.com/servicemonitors: [*]",
-				"missing the following rules for monitoring.coreos.com/podmonitors: [*]",
-				"missing the following rules for nodes/metrics: [get,list,watch]",
-				"missing the following rules for services: [get,list,watch]",
-				"missing the following rules for endpoints: [get,list,watch]",
-				"missing the following rules for namespaces: [get,list,watch]",
-				"missing the following rules for networking.k8s.io/ingresses: [get,list,watch]",
-				"missing the following rules for nodes: [get,list,watch]",
-				"missing the following rules for pods: [get,list,watch]",
-				"missing the following rules for configmaps: [get]",
-				"missing the following rules for discovery.k8s.io/endpointslices: [get,list,watch]",
-				"missing the following rules for nonResourceURL: /metrics: [get]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - monitoring.coreos.com/servicemonitors: [*]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - monitoring.coreos.com/podmonitors: [*]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - nodes/metrics: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - services: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - endpoints: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - namespaces: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - networking.k8s.io/ingresses: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - nodes: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - pods: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - configmaps: [get]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - discovery.k8s.io/endpointslices: [get,list,watch]",
+				"missing the following rules for system:serviceaccount:test-ns:adm-warning-targetallocator - nonResourceURL: /metrics: [get]",
 			},
 		},
 		{
 
@@ -61,8 +61,8 @@ func CheckTargetAllocatorPrometheusCRPolicyRules(
 	serviceAccountName string) (warnings []string, err error) {
 	subjectAccessReviews, err := reviewer.CheckPolicyRules(
 		ctx,
-		namespace,
 		serviceAccountName,
+		namespace,
 		targetAllocatorCRPolicyRules...,
 	)
 	if err != nil {