Add TLS support to auto-instrumentation #3338

Merged: 4 commits into open-telemetry:main on Oct 11, 2024

Conversation

pavolloffay
Copy link
Member

@pavolloffay pavolloffay commented Oct 8, 2024

Testing:

On OpenShift

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: simplest
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: otelcol
spec:
  volumeMounts:
  - name: otelcol-certs
    mountPath: /otelcol-certs
  volumes:
  - name: otelcol-certs
    secret: 
      secretName: otelcol
    
  config:
    receivers:
      otlp:
        protocols:
          grpc:
            endpoint: 0.0.0.0:4317
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
          http:
            endpoint: 0.0.0.0:4318
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
    processors:
    exporters:
      debug: {}

    service:
      pipelines:
        traces:
          receivers: [otlp]
          processors: []
          exporters: [debug]
EOF


kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1alpha1
kind: Instrumentation
metadata:
  name: my-instrumentation
spec:
  exporter:
    endpoint: https://simplest-collector.tracing-system.svc.cluster.local:4317
    tls:
      ca: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
  propagators:
    - tracecontext
    - baggage
    - b3
  sampler:
    type: parentbased_traceidratio
    argument: "1"
EOF

kubectl apply -f https://raw.githubusercontent.com/pavolloffay/kubecon-eu-2024-opentelemetry-kubernetes-tracing-tutorial/main/app/k8s.yaml
kubectl patch deployment frontend-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-sdk":"tracing-system/my-instrumentation"}}}} }'
kubectl patch deployment backend1-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-python":"tracing-system/my-instrumentation"}}}} }'
kubectl patch deployment backend2-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-java":"tracing-system/my-instrumentation"}}}} }'
kubectl get pods -n tutorial-application -w
kubectl port-forward service/frontend-service -n tutorial-application 4000:4000 

Another example for OpenShift CA bundle and serving certs

kubectl apply -f - <<EOF
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
  name: tempo
spec:
  storage:
    traces:
      backend: memory 
      size: 1Gi 
  ingestion:
    otlp:
      grpc:
        enabled: true
        tls:
          enabled: true
      http:
        enabled: true
        tls:
          enabled: true
  jaegerui:
    enabled: true 
    route:
      enabled: true 
EOF


kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: otelcol-cabundle
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
EOF

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: simplest
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: otelcol
spec:
  volumeMounts:
  - name: otelcol-certs
    mountPath: /otelcol-certs
  - name: otelcol-ca
    mountPath: /otelcol-certs-ca
  volumes:
  - name: otelcol-certs
    secret: 
      secretName: otelcol
  - name: otelcol-ca
    configMap: 
      name: otelcol-cabundle
    
  config:
    receivers:
      otlp:
        protocols:
          grpc:
            endpoint: 0.0.0.0:4317
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
          http:
            endpoint: 0.0.0.0:4318
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
    processors:
    exporters:
      otlp:
        endpoint: https://tempo-tempo.tracing-system.svc.cluster.local:4317
        tls:
          ca_file: /otelcol-certs-ca/service-ca.crt
      debug: {}

    service:
      pipelines:
        traces:
          receivers: [otlp]
          processors: []
          exporters: [debug,otlp]
EOF



kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: otelcol-cabundle
  namespace: tutorial-application
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
EOF

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1alpha1
kind: Instrumentation
metadata:
  name: my-instrumentation
spec:
  exporter:
    endpoint: https://simplest-collector.tracing-system.svc.cluster.local:4317
    tls:
      configMapName: otelcol-cabundle
      ca: service-ca.crt
  propagators:
    - tracecontext
    - baggage
    - b3
  sampler:
    type: parentbased_traceidratio
    argument: "1"
  python:
    env:
      # Required if endpoint is set to 4317.
      # Python autoinstrumentation uses http/proto by default
      # so data must be sent to 4318 instead of 4317.
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: https://simplest-collector.tracing-system.svc.cluster.local:4318
EOF
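The manifests above hand the collector's serving certificate to the SDK through `tls.ca`, but they do not show what the SDK checks once it has that bundle. The following Go program is an added example of mine, not code from the operator, from this PR or from OpenShift: it builds a throwaway signer and serving certificate in memory that stand in for the service-ca pair, then runs the verification an OTLP exporter performs against the endpoint from the Instrumentation CR. Assumptions: the serving certificate carries the service DNS names `simplest-collector.tracing-system.svc.cluster.local` and `simplest-collector.tracing-system.svc` as SANs, and `issue`, `makeServiceCA` and `verifyEndpoint` are names chosen here. It shows why the endpoint must be the service hostname over https: an IP, a service in another namespace, a missing CA bundle or a plain-http endpoint all fail before any span is sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue signs tmpl with the parent's key and returns the parsed certificate plus its DER.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

// makeServiceCA builds a throwaway signer and a serving certificate for dnsNames, in memory.
// Assumption: it only imitates the shape of an OpenShift serving cert (CA-signed leaf with the
// service DNS names as SANs) for this example; it is not the service-ca controller.
func makeServiceCA(dnsNames []string) (caPEM []byte, serving *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-service-serving-signer"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, caDER, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // hostname verification matches these, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if serving, _, err = issue(leafTmpl, caCert, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), serving, nil
}

// verifyEndpoint runs the checks an OTLP exporter configured with tls.ca performs on the
// collector certificate: https scheme, a chain ending at the CA bundle, and the endpoint
// host present in the certificate's SANs.
func verifyEndpoint(endpoint string, caPEM []byte, serving *x509.Certificate) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("endpoint %q is not https, so the CA bundle would never be consulted", endpoint)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA bundle contains no certificate")
	}
	_, err = serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()})
	return err
}

func main() {
	caPEM, serving, err := makeServiceCA([]string{
		"simplest-collector.tracing-system.svc.cluster.local",
		"simplest-collector.tracing-system.svc",
	})
	if err != nil {
		panic(err)
	}
	ep := "https://simplest-collector.tracing-system.svc.cluster.local:4317"
	fmt.Println(ep, "->", verifyEndpoint(ep, caPEM, serving))
	fmt.Println("https://10.0.0.5:4317 ->", verifyEndpoint("https://10.0.0.5:4317", caPEM, serving))
}
```

The PEM returned by `makeServiceCA` plays the role of the `service-ca.crt` that the projected service-account volume or the injected configmap holds in the manifests above; in the cluster the only thing that changes is where the bundle comes from, not what is checked.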


@pavolloffay pavolloffay requested a review from a team as a code owner October 8, 2024 16:26
@pavolloffay pavolloffay marked this pull request as draft October 8, 2024 16:26
@pavolloffay pavolloffay marked this pull request as ready for review October 9, 2024 17:12

// CA defines the key of certificate in the configmap map, secret or absolute path to a certificate.
// The absolute path can be used when certificate is already present on the workload filesystem e.g.
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
Member (reviewer):

Suggested change (adds a `// +optional` kubebuilder marker after the existing comment line):
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
// +optional

pavolloffay (Member Author):

@frzifus what does the +optional do? It does not seem to have any effect on the generated bundle or code.

We should get rid of it (https://book.kubebuilder.io/reference/markers). I will submit a follow-up PR to remove +optional.


// ConfigMapName defines configmap name with CA certificate. If it is not defined CA certificate will be
// used from the secret defined in SecretName.
ConfigMapName string `json:"configMapName,omitempty"`
Contributor (reviewer):

I'm not sure about this name because it is something associated to the CA directly. Maybe configMapName -> caConfigMap.

@@ -236,6 +236,14 @@ func (w InstrumentationWebhook) validate(r *Instrumentation) (admission.Warnings
default:
return warnings, fmt.Errorf("spec.sampler.type is not valid: %s", r.Spec.Sampler.Type)
}

if r.Spec.Exporter.TLS != nil {
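Review bot: the new `if r.Spec.Exporter.TLS != nil {` branch in validate() should return an error, the way the sampler check just above does with `fmt.Errorf`, when the TLS block cannot be resolved: the `CA` field is documented earlier in this thread as either a key in the configmap or secret or an absolute path, so a `CA` that is not an absolute path while both `ConfigMapName` and `SecretName` are empty names nothing the mutator can read. The endpoint rule settled below (reject a `tls` block whose endpoint scheme is not https, keep accepting https without `tls`) belongs in the same branch.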
Contributor (reviewer):

Let's also add a validation that if the scheme of the endpoint is https, TLS must be defined.

pavolloffay (Member Author):

No, this can break already existing installations. Users could configure env vars in the env section or directly on their deployments.

Contributor (reviewer):

Let's go the reverse: if TLS is set, we should block when https is not set. If HTTPS is set, TLS doesn't need to be set.

}
// the name cannot be longer than 63 characters
secretVolumeName := naming.Truncate("otel-auto-secret-%s", 63, exporter.TLS.SecretName)
secretMountPath := fmt.Sprintf("/otel-auto-instrumentation-secret-%s", exporter.TLS.SecretName)
Contributor (reviewer):

Should we care about the max for a mount path? I'm not 100% sure there is one (I couldn't find anything in the kube API docs), but given we truncate the names here, I feel like we should try to keep the mount path name minimal too.

pavolloffay (Member Author):

That does not seem to be an issue, only the volume name.
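The two threads above settle two rules: a `tls` block that does not pair with an https endpoint is rejected (https without `tls` stays allowed, so existing env-var based setups keep working), and the secret volume name is truncated to 63 characters while the mount path is not. The Go program below is an added example of mine, not the operator's code, that puts both rules in one place on simplified stand-in types. Assumptions: only the `ca`, `secretName` and `configMapName` fields visible on this page are modelled; the configmap volume and mount naming are invented by analogy with the secret case; `truncateName` stands in for `naming.Truncate`; the env var handed to the SDK is the OpenTelemetry spec's `OTEL_EXPORTER_OTLP_CERTIFICATE`, and whether the operator sets exactly that is not shown on this page. It also adds the check the CA docstring implies: a relative `ca` key with no secret or configmap to read it from is a configuration error.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// TLS and Exporter are simplified stand-ins for the spec.exporter fields discussed in this
// thread. Assumption: only the fields visible on the page are modelled; these are not the
// operator's real types.
type TLS struct {
	SecretName    string // secret holding the CA, used when ConfigMapName is empty
	ConfigMapName string // configmap holding the CA, preferred over SecretName when set
	CA            string // key inside the secret/configmap, or an absolute path already on the pod
}

type Exporter struct {
	Endpoint string
	TLS      *TLS
}

// validateExporter applies the rule agreed in the thread: an absent tls block is always
// accepted (TLS may be configured purely through env vars), but a present tls block must
// pair with an https endpoint and must name a CA the pod mutator can actually find.
func validateExporter(e Exporter) error {
	if e.TLS == nil {
		return nil
	}
	u, err := url.Parse(e.Endpoint)
	if err != nil || u.Scheme != "https" {
		return fmt.Errorf("spec.exporter.tls is set but endpoint %q is not https", e.Endpoint)
	}
	if e.TLS.CA == "" {
		return errors.New("spec.exporter.tls.ca must be set")
	}
	if !filepath.IsAbs(e.TLS.CA) && e.TLS.SecretName == "" && e.TLS.ConfigMapName == "" {
		return errors.New("spec.exporter.tls.ca is a key but neither secretName nor configMapName is set")
	}
	return nil
}

// maxVolumeName is the Kubernetes limit on volume names (DNS-1123 label, 63 characters).
const maxVolumeName = 63

// truncateName is a stand-in for the naming.Truncate call shown above: format the name,
// cut it to the limit and drop any separator the cut leaves dangling at the end.
func truncateName(format string, limit int, arg string) string {
	name := fmt.Sprintf(format, arg)
	if len(name) > limit {
		name = name[:limit]
	}
	return strings.TrimRight(name, "-.")
}

// MountPlan is what the pod mutator has to add to the workload for one TLS block.
type MountPlan struct {
	VolumeName string            // empty when the CA is already on the workload filesystem
	MountPath  string            // empty in the same case; deliberately not truncated
	Env        map[string]string // env var the OTLP exporter reads for its CA bundle
}

// planCAMount mirrors the secret case from the snippet above and extends it to the configmap
// and absolute-path cases. Assumption: the configmap names are mine, not the operator's, and
// OTEL_EXPORTER_OTLP_CERTIFICATE is the spec-defined variable, not necessarily what the operator sets.
func planCAMount(t TLS) MountPlan {
	var plan MountPlan
	caPath := t.CA
	switch {
	case filepath.IsAbs(t.CA):
		// e.g. /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt: nothing to mount
	case t.ConfigMapName != "":
		plan.VolumeName = truncateName("otel-auto-configmap-%s", maxVolumeName, t.ConfigMapName)
		plan.MountPath = "/otel-auto-instrumentation-configmap-" + t.ConfigMapName
		caPath = filepath.Join(plan.MountPath, t.CA)
	default:
		plan.VolumeName = truncateName("otel-auto-secret-%s", maxVolumeName, t.SecretName)
		plan.MountPath = "/otel-auto-instrumentation-secret-" + t.SecretName
		caPath = filepath.Join(plan.MountPath, t.CA)
	}
	plan.Env = map[string]string{"OTEL_EXPORTER_OTLP_CERTIFICATE": caPath}
	return plan
}

func main() {
	ex := Exporter{
		Endpoint: "https://simplest-collector.tracing-system.svc.cluster.local:4317",
		TLS:      &TLS{ConfigMapName: "otelcol-cabundle", CA: "service-ca.crt"},
	}
	fmt.Println("validate:", validateExporter(ex))
	fmt.Printf("%+v\n", planCAMount(*ex.TLS))
	// A very long secret name shows that only the volume name is cut to 63 characters.
	long := planCAMount(TLS{SecretName: strings.Repeat("x", 80), CA: "ca.crt"})
	fmt.Println("volume name length:", len(long.VolumeName), "mount path length:", len(long.MountPath))
}
```

Running it with the 80-character secret name prints a 63-character volume name next to a mount path well over 63 characters, which is the situation the thread discusses; the mutator keeps the full secret name in the path so the CA file stays findable.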

file: 01-assert.yaml
catch:
- podLogs:
    selector: app=my-java
Contributor (reviewer):

Should we run a curl against the collector to see that span traffic made it successfully to the collector?

pavolloffay (Member Author):

We don't do this for auto-instrumentation tests; there is a booked ticket for it, #552.

Contributor (reviewer):

Okay, fine :P I can do this after my refactor.

Signed-off-by: Pavol Loffay <[email protected]>
@pavolloffay pavolloffay merged commit a3feb2c into open-telemetry:main Oct 11, 2024
35 checks passed
araiu added a commit to araiu/opentelemetry-helm-charts that referenced this pull request Dec 5, 2024
* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)
TylerHelmuth pushed a commit to open-telemetry/opentelemetry-helm-charts that referenced this pull request Dec 6, 2024
* Release operator 0.114.1

Signed-off-by: Alex Raiu <[email protected]>

* Update operator clusterrole

* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)

* Add `targetAllocatorFallbackStrategy` feature flag

Feature flag available since `v0.114.0` (Add allocation_fallback_strategy option as fallback strategy for per-node strategy [#3482](open-telemetry/opentelemetry-operator#3482))

* Update operator-test with manager label

Adding `control-plane: controller-manager` label to match [operator-restart e2e test](open-telemetry/opentelemetry-operator#3486)

---------

Signed-off-by: Alex Raiu <[email protected]>
Successfully merging this pull request may close these issues.

Enable TLS between the collector and application pods
4 participants