feat: Add mTLS support for TracePipeline OTLP output #347

Merged
merged 9 commits into from
Aug 23, 2023
Changes from 4 commits
6 changes: 6 additions & 0 deletions apis/telemetry/v1alpha1/secret_refs.go
@@ -46,6 +46,12 @@ func getRefsInOtlpOutput(otlpOut *OtlpOutput) []SecretKeyRef {
refs = appendIfSecretRef(refs, header.ValueType)
}

if otlpOut.TLS != nil && !otlpOut.TLS.Insecure {
refs = appendIfSecretRef(refs, otlpOut.TLS.Cert)
refs = appendIfSecretRef(refs, otlpOut.TLS.Key)
refs = appendIfSecretRef(refs, otlpOut.TLS.CA)
}

return refs
}
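Review bot: the `!otlpOut.TLS.Insecure` guard drops the `Cert`, `Key` and `CA` secret references from the returned list whenever `insecure: true`, so a Secret referenced by `tls.key` is not tracked at all until `insecure` is flipped back to `false`. If that is intentional, a one-line comment on the condition would save the next reader a detour; otherwise collect the refs whenever `TLS != nil` and let the TLS-enabled path decide whether to use them.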


18 changes: 17 additions & 1 deletion apis/telemetry/v1alpha1/shared_types.go
@@ -48,19 +48,35 @@ type Header struct {
ValueType `json:",inline"`
}

type OtlpTLS struct {
// Defines whether to send requests via plaintext instead of TLS. This option is ignored if the endpoint scheme is `http` or `https`.
// +kubebuilder:default:=false
Insecure bool `json:"insecure"`
// Defines whether to skip TLS certificate verification.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// Defines the CA certificate.
CA ValueType `json:"ca,omitempty"`
// Defines the client certificate.
Cert ValueType `json:"cert,omitempty"`
// Defines the client key.
Key ValueType `json:"key,omitempty"`
}

type OtlpOutput struct {
// Defines the OTLP protocol (http or grpc). Default is GRPC.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:default:=grpc
// +kubebuilder:validation:Enum=grpc;http
Protocol string `json:"protocol,omitempty"`
// Defines the host and port (<host>:<port>) of an OTLP endpoint.
// Defines the host and port (<host>:<port>) of an OTLP endpoint. If the endpoint scheme is `http` or `https`, this setting takes precedence over the `tls.insecure` configuration setting.
// +kubebuilder:validation:Required
Endpoint ValueType `json:"endpoint"`
// Defines authentication options for the OTLP output
Authentication *AuthenticationOptions `json:"authentication,omitempty"`
// Defines custom headers to be added to outgoing HTTP or GRPC requests.
Headers []Header `json:"headers,omitempty"`
// Defines TLS options for the OTLP output.
TLS *OtlpTLS `json:"tls,omitempty"`
}

type AuthenticationOptions struct {
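Review bot: nothing in `OtlpTLS` ties `Cert` and `Key` together: a user can set one without the other, and neither field comment says that mTLS needs both. Consider a validation (kubebuilder marker or webhook) that both are set or neither, and a sentence on `Key` recommending `valueFrom.secretKeyRef` over an inline `value`, because a private key pasted into `value` is stored in plaintext in the TracePipeline object and shows up in every `kubectl get -o yaml`.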
23 changes: 23 additions & 0 deletions apis/telemetry/v1alpha1/zz_generated.deepcopy.go


88 changes: 87 additions & 1 deletion config/crd/bases/telemetry.kyma-project.io_tracepipelines.yaml
@@ -116,7 +116,9 @@ spec:
type: object
endpoint:
description: Defines the host and port (<host>:<port>) of
an OTLP endpoint.
an OTLP endpoint. If the endpoint scheme is `http` or `https`,
this setting takes precedence over the `tls.insecure` configuration
setting.
properties:
value:
description: Value that can contain references to Secret
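Review bot: the `endpoint` description still defines the value as `<host>:<port>`, yet the added sentence talks about an endpoint scheme of `http` or `https`. State that a scheme prefix is accepted in the value, and say what "takes precedence" means in practice: whether an `https://` endpoint combined with `tls.insecure: true` still sends TLS, and whether an `http://` endpoint silently downgrades to plaintext even when `tls.ca`, `tls.cert` and `tls.key` are configured.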
@@ -178,6 +180,90 @@ spec:
- http
minLength: 1
type: string
tls:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
cert:
description: Defines the client certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
insecure:
default: false
description: Defines whether to send requests via plaintext
instead of TLS. This option is ignored if the endpoint
scheme is `http` or `https`.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
type: boolean
key:
description: Defines the client key.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
required:
- insecure
type: object
required:
- endpoint
type: object
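Review bot: the `insecureSkipVerify` description only says "skip TLS certificate verification"; spell out that `true` disables validation of the server certificate, so the collector accepts any certificate presented by the endpoint, and that it makes a configured `ca` pointless. Separately, `insecure` is both defaulted to `false` and listed under `required`; with the default in place the `required` entry adds nothing for users but causes the field to be rendered as required in the generated docs table, so confirm that is wanted rather than a leftover.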
Original file line number Diff line number Diff line change
@@ -151,7 +151,9 @@ spec:
type: object
endpoint:
description: Defines the host and port (<host>:<port>) of
an OTLP endpoint.
an OTLP endpoint. If the endpoint scheme is `http` or `https`,
this setting takes precedence over the `tls.insecure` configuration
setting.
properties:
value:
description: Value that can contain references to Secret
@@ -213,6 +215,90 @@ spec:
- http
minLength: 1
type: string
tls:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
cert:
description: Defines the client certificate.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
insecure:
default: false
description: Defines whether to send requests via plaintext
instead of TLS. This option is ignored if the endpoint
scheme is `http` or `https`.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
type: boolean
key:
description: Defines the client key.
properties:
value:
description: Value that can contain references to
Secret values.
type: string
valueFrom:
properties:
secretKeyRef:
description: Refers to a key in a Secret. You
must provide `name` and `namespace` of the Secret,
as well as the name of the `key`.
properties:
key:
type: string
name:
type: string
namespace:
type: string
type: object
type: object
type: object
required:
- insecure
type: object
required:
- endpoint
type: object

26 changes: 25 additions & 1 deletion docs/user/resources/04-tracepipeline.md
@@ -65,7 +65,7 @@ For details, see the [TracePipeline specification file](https://github.com/kyma-
| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** | string | |
| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** | string | |
| **output.&#x200b;otlp.&#x200b;authentication.&#x200b;basic.&#x200b;user.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** | string | |
| **output.&#x200b;otlp.&#x200b;endpoint** (required) | object | Defines the host and port (<host>:<port>) of an OTLP endpoint. |
| **output.&#x200b;otlp.&#x200b;endpoint** (required) | object | Defines the host and port (<host>:<port>) of an OTLP endpoint. If the endpoint scheme is `http` or `https`, this setting takes precedence over the `tls.insecure` configuration setting. |
| **output.&#x200b;otlp.&#x200b;endpoint.&#x200b;value** | string | Value that can contain references to Secret values. |
| **output.&#x200b;otlp.&#x200b;endpoint.&#x200b;valueFrom** | object | |
| **output.&#x200b;otlp.&#x200b;endpoint.&#x200b;valueFrom.&#x200b;secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
@@ -81,6 +81,30 @@ For details, see the [TracePipeline specification file](https://github.com/kyma-
| **output.&#x200b;otlp.&#x200b;headers.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** | string | |
| **output.&#x200b;otlp.&#x200b;headers.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** | string | |
| **output.&#x200b;otlp.&#x200b;protocol** | string | Defines the OTLP protocol (http or grpc). Default is GRPC. |
| **output.&#x200b;otlp.&#x200b;tls** | object | Defines TLS options for the OTLP output. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca** | object | Defines the CA certificate. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;value** | string | Value that can contain references to Secret values. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;valueFrom** | object | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;valueFrom.&#x200b;secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;ca.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert** | object | Defines the client certificate. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;value** | string | Value that can contain references to Secret values. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;valueFrom** | object | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;valueFrom.&#x200b;secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;cert.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;insecure** (required) | boolean | Defines whether to send requests via plaintext instead of TLS. This option is ignored if the endpoint scheme is `http` or `https`. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;insecureSkipVerify** | boolean | Defines whether to skip TLS certificate verification. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key** | object | Defines the client key. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;value** | string | Value that can contain references to Secret values. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;valueFrom** | object | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;valueFrom.&#x200b;secretKeyRef** | object | Refers to a key in a Secret. You must provide `name` and `namespace` of the Secret, as well as the name of the `key`. |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;key** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;name** | string | |
| **output.&#x200b;otlp.&#x200b;tls.&#x200b;key.&#x200b;valueFrom.&#x200b;secretKeyRef.&#x200b;namespace** | string | |

**Status:**

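Review bot: the generated table marks `output.otlp.tls.insecure` as required, which readers will take to mean they must set it whenever `tls` is present, although the CRD defaults it to `false`. Either drop `insecure` from the CRD `required` list so the table is regenerated without the marker, or add a sentence under the table stating the default. A short TracePipeline example in this document showing `tls.ca`, `tls.cert` and `tls.key` referencing a Secret via `valueFrom.secretKeyRef` would also make the new rows far easier to use than the flat field list alone.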