mTLS support for MetricPipeline OTLP output #367

Closed
a-thaler opened this issue Aug 25, 2023 · 1 comment
Labels
area/metrics MetricPipeline
Comments

@a-thaler (Collaborator)

Description
A security best practice is to use mTLS to establish a secure connection to a remote party. Especially when integrating with third-party systems this is a common practice which should be supported by a MetricPipeline.

The OTLP output of the MetricPipeline supports TLS in general and a header based authentication. However, it does not provide functionality for mutual TLS yet. Also the typical settings for verifying the server-side certificate are missing.

An API to support these scenarios could look like this; it adds a general tls section introducing the missing settings for TLS and mTLS.

The related files should be provided by secrets where the secret attributes need to get mounted as files into the gateway pod.

```yaml
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: MetricPipeline
metadata:
  name: example
spec:
  output:
    otlp:
      endpoint:
        value: https://xxx
      headers:
        ...
      authentication:
        basic:
          ...
      # TLS settings
      tls:
        # if TLS is used, the optional CA that verifies the server certificate
        ca:
          valueFrom:
            secretKeyRef:
              key: x
              name: y
              namespace: z
        # if TLS is used, whether to skip verifying the server certificate or not
        insecureSkipVerify: false
        # if mTLS is used, the TLS cert to use for TLS required connections
        cert:
          valueFrom:
            secretKeyRef:
              key: x
              name: y
              namespace: z
        # if mTLS is used, the TLS key to use for TLS required connections
        key:
          valueFrom:
            secretKeyRef:
              key: x
              name: y
              namespace: z
```

Criteria:

  • Influencing the TLS Server-Side Certificate verification is possible by skipping it or providing a custom CA
  • Providing certificate and key for mTLS is possible
  • Needed Certs/keys can be provided by secret mappings
  • Rotation of certs/keys is possible dynamically
  • Documentation is updated
  • Integration test assures functionality

Reasons
It should be possible to follow security best practices using the functionality

Attachments
supported settings of the otlpexporter: https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md

Related feature in TracePipeline: kyma-project/kyma#17995

@a-thaler (Collaborator, Author)

a-thaler commented Sep 22, 2023

Already implemented by #347 and #384

@a-thaler a-thaler added this to the 1.0.0 milestone Sep 22, 2023
@a-thaler a-thaler added area/metrics MetricPipeline and removed area/monitoring labels Oct 6, 2023