feat: Add mTLS support for TracePipeline OTLP output #347

Merged
merged 9 commits into from
Aug 23, 2023
6 changes: 6 additions & 0 deletions apis/telemetry/v1alpha1/secret_refs.go
Expand Up @@ -46,6 +46,12 @@ func getRefsInOtlpOutput(otlpOut *OtlpOutput) []SecretKeyRef {
refs = appendIfSecretRef(refs, header.ValueType)
}

if otlpOut.TLS != nil && !otlpOut.TLS.Insecure {
refs = appendIfSecretRef(refs, otlpOut.TLS.Cert)
refs = appendIfSecretRef(refs, otlpOut.TLS.Key)
refs = appendIfSecretRef(refs, otlpOut.TLS.CA)
}

return refs
}
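Review bot: the `!otlpOut.TLS.Insecure` guard on the new block means the `cert`, `key` and `ca` Secret references are dropped from the returned slice whenever `insecure` is true, so a pipeline can carry Secret references that are never validated or watched; the config builder must apply the same guard, otherwise it will resolve references this function never reported. A one-line comment above the `if` stating that certificate material is only collected for TLS-enabled outputs would make that intent explicit.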

15 changes: 15 additions & 0 deletions apis/telemetry/v1alpha1/shared_types.go
Expand Up @@ -48,6 +48,19 @@ type Header struct {
ValueType `json:",inline"`
}

type OtlpTLS struct {
// Defines whether to send requests using plaintext instead of TLS.
Insecure bool `json:"insecure"`
// Defines whether to skip TLS certificate verification.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// Defines the CA certificate.
CA ValueType `json:"ca,omitempty"`
// Defines the client certificate.
Cert ValueType `json:"cert,omitempty"`
// Defines the client key.
Key ValueType `json:"key,omitempty"`
}

type OtlpOutput struct {
// Defines the OTLP protocol (http or grpc). Default is GRPC.
// +kubebuilder:validation:MinLength=1
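Review bot: `OtlpTLS` allows `Cert` without `Key` (or vice versa) and allows `CA`/`Cert`/`Key` to be set together with `Insecure: true`; nothing in the struct or its tags rejects either combination, so a half-configured mTLS client only fails once the collector starts. Add a validation step (a kubebuilder or CEL rule on the type, or a check in the webhook) that requires `cert` and `key` together and rejects certificate material when `insecure` is true. The comment on `InsecureSkipVerify` should also say that it disables verification of the backend's server certificate and is meant for testing, not merely that it "skips verification", since that comment becomes the user-facing CRD description.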
Expand All @@ -61,6 +74,8 @@ type OtlpOutput struct {
Authentication *AuthenticationOptions `json:"authentication,omitempty"`
// Defines custom headers to be added to outgoing HTTP or GRPC requests.
Headers []Header `json:"headers,omitempty"`
// Defines TLS options for the OTLP output.
TLS *OtlpTLS `json:"tls,omitempty"`
}

type AuthenticationOptions struct {
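Review bot: the comment on the new `TLS` field does not say what happens when the block is omitted; `insecure` is mandatory inside the block but the block itself is `omitempty`, so a reader of the type cannot tell whether a missing `tls` means TLS with system roots or plaintext. State the default behaviour in this comment so the generated CRD description carries it as well.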
23 changes: 23 additions & 0 deletions apis/telemetry/v1alpha1/zz_generated.deepcopy.go


82 changes: 82 additions & 0 deletions config/crd/bases/telemetry.kyma-project.io_tracepipelines.yaml
Expand Up @@ -178,6 +178,88 @@ spec:
- http
minLength: 1
type: string
tls:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
cert:
description: Defines the client certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
insecure:
description: Defines whether to send requests using plaintext
instead of TLS.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
type: boolean
key:
description: Defines the client key.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
required:
- insecure
type: object
required:
- endpoint
type: object
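Review bot: the schema marks `insecure` as required but gives neither `insecure` nor `insecureSkipVerify` a `default:`, and there is no schema-level rule tying `cert` and `key` together; an `x-kubernetes-validations` CEL rule along the lines of `has(self.cert) == has(self.key)` would reject half-configured mTLS at admission instead of at the collector. Because `ca`, `cert` and `key` all accept a plain `value` string, the `key` description should also steer users to `valueFrom.secretKeyRef`, since a private key supplied as `value` is stored in the pipeline spec rather than in a Secret.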
Expand Up @@ -213,6 +213,88 @@ spec:
- http
minLength: 1
type: string
tls:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
cert:
description: Defines the client certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
insecure:
description: Defines whether to send requests using plaintext
instead of TLS.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
type: boolean
key:
description: Defines the client key.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
required:
- insecure
type: object
required:
- endpoint
type: object
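Review bot: the file header for this hunk was lost in rendering, but the block is identical to the `tls` block added to the TracePipeline CRD (presumably this is the MetricPipeline CRD, given the MetricPipeline docs change below), so the same points apply: no `default:` for the two booleans, no rule pairing `cert` with `key`, and an `insecureSkipVerify` description that should say it disables server certificate verification. Since both CRDs are generated from `shared_types.go`, the fix belongs in the Go comments and markers there, not in the YAML by hand.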
24 changes: 24 additions & 0 deletions docs/user/resources/04-tracepipeline.md
Expand Up @@ -81,6 +81,30 @@ For details, see the [TracePipeline specification file](https://github.com/kyma-
| **output.​otlp.​headers.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​headers.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​protocol** | string | Defines the OTLP protocol (http or grpc). Default is GRPC. |
| **output.​otlp.​tls** | object | Defines TLS options for the OTLP output. |
| **output.​otlp.​tls.​ca** | object | Defines the CA certificate. |
| **output.​otlp.​tls.​ca.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​ca.​valueFrom** | object | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​tls.​cert** | object | Defines the client certificate. |
| **output.​otlp.​tls.​cert.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​cert.​valueFrom** | object | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​tls.​insecure** (required) | boolean | Defines whether to send requests using plaintext instead of TLS. |
| **output.​otlp.​tls.​insecureSkipVerify** | boolean | Defines whether to skip TLS certificate verification. |
| **output.​otlp.​tls.​key** | object | Defines the client key. |
| **output.​otlp.​tls.​key.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​key.​valueFrom** | object | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​namespace** | string | |

**Status:**
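Review bot: the new rows describe every `tls` field but nowhere state the behaviour when `output.otlp.tls` is omitted, nor that `insecure` is the only required field, so a reader cannot tell whether leaving the block out yields plaintext or TLS; add that default to the `output.otlp.tls` row. The `insecureSkipVerify` row should also say that it disables verification of the backend's certificate and is intended for testing only, which the current one-liner does not convey.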

24 changes: 24 additions & 0 deletions docs/user/resources/05-metricpipeline.md
Expand Up @@ -92,6 +92,30 @@ For details, see the [MetricPipeline specification file](https://github.com/kyma
| **output.​otlp.​headers.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​headers.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​protocol** | string | Defines the OTLP protocol (http or grpc). Default is GRPC. |
| **output.​otlp.​tls** | object | Defines TLS options for the OTLP output. |
| **output.​otlp.​tls.​ca** | object | Defines the CA certificate. |
| **output.​otlp.​tls.​ca.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​ca.​valueFrom** | object | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​ca.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​tls.​cert** | object | Defines the client certificate. |
| **output.​otlp.​tls.​cert.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​cert.​valueFrom** | object | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​cert.​valueFrom.​secretKeyRef.​namespace** | string | |
| **output.​otlp.​tls.​insecure** (required) | boolean | Defines whether to send requests using plaintext instead of TLS. |
| **output.​otlp.​tls.​insecureSkipVerify** | boolean | Defines whether to skip TLS certificate verification. |
| **output.​otlp.​tls.​key** | object | Defines the client key. |
| **output.​otlp.​tls.​key.​value** | string | Value that can contain references to Secret values. |
| **output.​otlp.​tls.​key.​valueFrom** | object | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​key** | string | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​name** | string | |
| **output.​otlp.​tls.​key.​valueFrom.​secretKeyRef.​namespace** | string | |

**Status:**
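Review bot: the PR title scopes the feature to TracePipeline, yet this hunk documents `output.otlp.tls` for MetricPipeline too; confirm that the MetricPipeline reconciler actually wires `OtlpTLS` into the exporter config in this PR, otherwise the table documents fields the API accepts but silently ignores, which is the worst outcome for a security setting. If MetricPipeline support is intended, the title and release note should say so.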

6 changes: 5 additions & 1 deletion internal/otelcollector/config/exporters.go
Expand Up @@ -9,7 +9,11 @@ type OTLPExporter struct {
}

type TLS struct {
Insecure bool `yaml:"insecure"`
Insecure bool `yaml:"insecure"`
InsecureSkipVerify bool `yaml:"insecure_skip_verify,omitempty"`
CertPem string `yaml:"cert_pem,omitempty"`
KeyPem string `yaml:"key_pem,omitempty"`
CAPem string `yaml:"ca_pem,omitempty"`
}

type SendingQueue struct {
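Review bot: `KeyPem` embeds the client private key verbatim in the rendered collector configuration, so whatever object holds that rendered config must be a Secret rather than a ConfigMap, and the config must be redacted from any debug logging or diff output; otherwise the mTLS key is readable by anyone with read access to the collector's configuration. The `yaml` tag names (`insecure_skip_verify`, `cert_pem`, `key_pem`, `ca_pem`) match the OpenTelemetry Collector `configtls` settings, so the mapping looks right; the only other change in the hunk is the gofmt re-alignment of `Insecure`.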