Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: Documentation for Traces mTLS support #361

Merged
merged 3 commits into from
Aug 24, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions apis/telemetry/v1alpha1/shared_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,13 +51,13 @@ type Header struct {
type OtlpTLS struct {
// Defines whether to send requests using plaintext instead of TLS.
Insecure bool `json:"insecure"`
// Defines whether to skip TLS certificate verification.
// Defines whether to skip server certificate verification when using TLS.
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
// Defines the CA certificate.
// Defines an optional CA certificate for server certificate verification when using TLS. The certificate needs to be provided in PEM format.
CA ValueType `json:"ca,omitempty"`
// Defines the client certificate.
// Defines a client certificate to use when using TLS. The certificate needs to be provided in PEM format.
Cert ValueType `json:"cert,omitempty"`
// Defines the client key.
// Defines the client key to use when using TLS. The key needs to be provided in PEM format.
Key ValueType `json:"key,omitempty"`
}

Expand Down
14 changes: 10 additions & 4 deletions config/crd/bases/telemetry.kyma-project.io_tracepipelines.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,9 @@ spec:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
description: Defines an optional CA certificate for server
certificate verification when using TLS. The certificate
needs to be provided in PEM format.
properties:
value:
description: Value that can contain references to
Expand All @@ -205,7 +207,9 @@ spec:
type: object
type: object
cert:
description: Defines the client certificate.
description: Defines a client certificate to use when
using TLS. The certificate needs to be provided in PEM
format.
properties:
value:
description: Value that can contain references to
Expand All @@ -232,10 +236,12 @@ spec:
instead of TLS.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
description: Defines whether to skip server certificate
verification when using TLS.
type: boolean
key:
description: Defines the client key.
description: Defines the client key to use when using
TLS. The key needs to be provided in PEM format.
properties:
value:
description: Value that can contain references to
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -217,7 +217,9 @@ spec:
description: Defines TLS options for the OTLP output.
properties:
ca:
description: Defines the CA certificate.
description: Defines an optional CA certificate for server
certificate verification when using TLS. The certificate
needs to be provided in PEM format.
properties:
value:
description: Value that can contain references to
Expand All @@ -240,7 +242,9 @@ spec:
type: object
type: object
cert:
description: Defines the client certificate.
description: Defines a client certificate to use when
using TLS. The certificate needs to be provided in PEM
format.
properties:
value:
description: Value that can contain references to
Expand All @@ -267,10 +271,12 @@ spec:
instead of TLS.
type: boolean
insecureSkipVerify:
description: Defines whether to skip TLS certificate verification.
description: Defines whether to skip server certificate
verification when using TLS.
type: boolean
key:
description: Defines the client key.
description: Defines the client key to use when using
TLS. The key needs to be provided in PEM format.
properties:
value:
description: Value that can contain references to
Expand Down
8 changes: 4 additions & 4 deletions docs/user/02-logs.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ Your application must log to `stdout` or `stderr`, which is the recommended way

The Telemetry module provides [Fluent Bit](https://fluentbit.io/) as a log agent. Fluent Bit collects all application logs of the cluster workload and ships them to a backend.

![Architecture](./assets/logging-arch.drawio.svg)
![Architecture](./assets/logs-arch.drawio.svg)

1. Container logs are stored by the Kubernetes container runtime under the `var/log` directory and its subdirectories.
2. Fluent Bit runs as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) (one instance per Node), detects any new log files in the folder, and tails them using a filesystem buffer for reliability.
Expand All @@ -28,7 +28,7 @@ The Telemetry module provides [Fluent Bit](https://fluentbit.io/) as a log agent
Fluent Bit comes with a pipeline concept, which supports a flexible combination of inputs with outputs and filtering in between; for details, see [Fluent Bit: Output](https://docs.fluentbit.io/manual/concepts/data-pipeline/output).
Kyma's Telemetry module brings a predefined setup of the Fluent Bit DaemonSet and a base configuration, which assures that the application logs of the workloads in the cluster are processed reliably and efficiently. Additionally, the telemetry module provides a Kubernetes API called `LogPipeline` to configure outputs with some filtering capabilities.

![Pipeline Concept](./assets/logging-pipelines.drawio.svg)
![Pipeline Concept](./assets/logs-pipelines.drawio.svg)

1. A central `tail` input plugin reads the application logs.

Expand All @@ -42,7 +42,7 @@ This approach assures a reliable buffer management and isolation of pipelines, w

The LogPipeline resource is managed by Telemetry Manager, a typical Kubernetes [operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) responsible for managing the custom parts of the Fluent Bit configuration.

![Manager resources](./assets/logging-resources.drawio.svg)
![Manager resources](./assets/logs-resources.drawio.svg)

Telemetry Manager watches all LogPipeline resources and related Secrets. Whenever the configuration changes, Telemetry Manager validates the configuration (with a [validating webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)) and generates a new configuration for the Fluent Bit DaemonSet, where several ConfigMaps for the different aspects of the configuration are generated. Furthermore, referenced Secrets are copied into one Secret that is also mounted to the DaemonSet.

Expand Down Expand Up @@ -324,7 +324,7 @@ spec:

After a log record has been read, it is preprocessed by centrally configured plugins, like the `kubernetes` filter. Thus, when a record is ready to be processed by the sections defined in the LogPipeline definition, it has several attributes available for processing and shipment.

![Flow](./assets/logging-flow.drawio.svg)
![Flow](./assets/logs-flow.drawio.svg)

Learn more about the flow of the log record through the general pipeline and the available log attributes in the following sections.

Expand Down
73 changes: 63 additions & 10 deletions docs/user/03-traces.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ Observability tools aim to show the big picture, no matter if you're monitoring

The diagram shows how distributed tracing helps to track the request path:

![Distributed tracing](./assets/tracing-intro.drawio.svg)
![Distributed tracing](./assets/traces-intro.drawio.svg)

The goal of the Telemetry Module is to support you in collecting all relevant trace data in a Kyma cluster, enrich them and ship them to a backend for further analysis. Kyma modules like Istio or Serverless contribute traces transparently.
## Prerequisites

For a complete recording of a distributed trace, it is [essential](https://www.w3.org/TR/trace-context/#problem-statement) that every involved component is at least propagating the trace context. In Kyma, all components involved in users' requests support the [W3C Trace Context protocol](https://www.w3.org/TR/trace-context), which is a vendor-neutral protocol gaining more and more support by all kinds of vendors and tools. The involved Kyma components are mainly Istio, Serverless, and Eventing.
Expand All @@ -20,7 +21,7 @@ Furthermore, an application should enrich a trace with additional span data and

The Telemetry module provides an in-cluster central deployment of an [OTel Collector](https://opentelemetry.io/docs/collector/) acting as a gateway. The gateway exposes endpoints for the OTLP protocol for GRPC and HTTP-based communication using the dedicated `telemetry-otlp-traces` service, where all Kyma components and users' applications should send the trace data to.

![Architecture](./assets/tracing-arch.drawio.svg)
![Architecture](./assets/traces-arch.drawio.svg)

1. An end-to-end request is triggered and populates across the distributed application. Every involved component propagates the trace context using the [W3C Trace Context](https://www.w3.org/TR/trace-context/) protocol.
2. The involved components that have contributed a new span to the trace send the related span data to the trace gateway using the `telemetry-otlp-traces` service. The communication happens based on the [OTLP](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/otlp.md) protocol either using GRPC or HTTP.
Expand All @@ -30,8 +31,8 @@ The Telemetry module provides an in-cluster central deployment of an [OTel Colle
1. The backend can also run out-cluster, if authentication has been set up.
1. The trace data can be consumed using the backend system.

### OTel Collector
The OTel Collector comes with a [concept](https://opentelemetry.io/docs/collector/configuration/) of pipelines consisting of receivers, processors, and exporters, with which you can flexibly plug pipelines together. Kyma's TracePipeline provides a hardened setup of an OTel Collector and also abstracts the underlying pipeline concept. Such abstraction has the following benefits:
### Trace Gateway
In a Kyma cluster, the Trace Gateway is the central component to which all parties of traces can send their individual span. The gateway collects, enriches, and dispatches the data to the configured backend. The gateway is based on the Otel Collector and comes with a concept of pipelines consisting of receivers, processors, and exporters, with which you can flexibly plug pipelines together (see [Otel Collector: Configuration](https://opentelemetry.io/docs/collector/configuration/)). Kyma's TracePipeline provides a hardened setup of an OTel Collector, and also abstracts the underlying pipeline concept. Such abstraction has the following benefits:
- Supportability - all features are tested and supported
- Migratability - smooth migration experiences when switching underlying technologies or architectures
- Native Kubernetes support - API provided by Kyma allows for an easy integration with Secrets, for example, served by the [SAP BTP Service Operator](https://github.com/SAP/sap-btp-service-operator#readme). Telemetry Manager takes care of the full lifecycle.
Expand All @@ -42,7 +43,7 @@ The downside is that only a limited set of features is available. If you want to
### Telemetry Manager
The TracePipeline resource is managed by Telemetry Manager, a typical Kubernetes [operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) responsible for managing the custom parts of the OTel Collector configuration.

![Manager resources](./assets/tracing-resources.drawio.svg)
![Manager resources](./assets/traces-resources.drawio.svg)

Telemetry Manager watches all TracePipeline resources and related Secrets. Whenever the configuration changes, it validates the configuration and generates a new configuration for OTel Collector, where a ConfigMap for the configuration is generated. Referenced Secrets are copied into one Secret that is mounted to the OTel Collector as well.
Furthermore, the manager takes care of the full lifecycle of the OTel Collector Deployment itself. Only if there is a TracePipeline defined, the collector is deployed. At anytime, you can opt out of using the tracing feature by not specifying a TracePipeline.
Expand Down Expand Up @@ -121,19 +122,43 @@ spec:
To integrate with external systems, you must configure authentication details. At the moment, Basic Authentication and custom headers are supported.

<div tabs>
<details>
<summary>Mutual TLS</summary>

```yaml
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
name: backend
spec:
output:
otlp:
endpoint:
value: https://backend.example.com/otlp:4317
tls:
cert:
value: |
-----BEGIN CERTIFICATE-----
...
key:
value: |
-----BEGIN RSA PRIVATE KEY-----
...
```
</details>
<details>
<summary>Basic authentication</summary>

```yaml
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
name: jaeger
name: backend
spec:
output:
otlp:
endpoint:
value: http://jaeger-collector.jaeger.svc.cluster.local:4317
value: https://backend.example.com/otlp:4317
authentication:
basic:
user:
Expand All @@ -149,12 +174,12 @@ To integrate with external systems, you must configure authentication details. A
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
name: jaeger
name: backend
spec:
output:
otlp:
endpoint:
value: http://jaeger-collector.jaeger.svc.cluster.local:4317
value: https://backend.example.com/otlp:4317
headers:
- name: Authorization
value: "Bearer myToken"
Expand All @@ -169,14 +194,42 @@ Integrations into external systems usually require authentication details dealin
Use the **valueFrom** attribute to map Secret keys as in the following examples:

<div tabs>
<details>
<summary>Mutual TLS</summary>

```yaml
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
name: backend
spec:
output:
otlp:
endpoint:
value: https://backend.example.com/otlp:4317
tls:
cert:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: cert
key:
valueFrom:
secretKeyRef:
name: backend
namespace: default
key: key
```
</details>
<details>
<summary>Basic authentication</summary>

```yaml
apiVersion: telemetry.kyma-project.io/v1alpha1
kind: TracePipeline
metadata:
name: jaeger
name: backend
spec:
output:
otlp:
Expand Down
Loading