[processor/resourcedetectionprocessor] support tls on openshift (#17963)

* [internal/metadataproviders] support tls settings to fetch openshift data

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>

* [processor/resourcedetectionprocessor] support tls config

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>

* chloggen: add changelog

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>

.chloggen/resourcedetectionprocessor_support_tls_openshift.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: resourcedetectionprocessor/openshift
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Respect tls config when connecting to the api server.
+
+# One or more tracking issues related to the change
+issues: [17961]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

internal/metadataproviders/openshift/metadata.go

@@ -16,8 +16,10 @@ package openshift // import "github.com/open-telemetry/opentelemetry-collector-c
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 )
@@ -30,11 +32,19 @@ type Provider interface {
 }
 
 // NewProvider creates a new metadata provider.
-func NewProvider(address, token string) Provider {
+func NewProvider(address, token string, tlsCfg *tls.Config) Provider {
+	cl := &http.Client{}
+
+	if tlsCfg != nil {
+		transport := http.DefaultTransport.(*http.Transport).Clone()
+		transport.TLSClientConfig = tlsCfg
+		cl.Transport = transport
+	}
+
 	return &openshiftProvider{
 		address: address,
 		token:   token,
-		client:  &http.Client{},
+		client:  cl,
 	}
 }
 
@@ -81,11 +91,18 @@ func (o *openshiftProvider) Infrastructure(ctx context.Context) (*Infrastructure
 	if err != nil {
 		return nil, err
 	}
-	res := &InfrastructureAPIResponse{}
-	if err := json.NewDecoder(resp.Body).Decode(res); err != nil {
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
 		return nil, err
 	}
 
+	res := &InfrastructureAPIResponse{}
+	if err := json.Unmarshal(data, res); err != nil {
+		return nil, fmt.Errorf("unable to unmarshal response, err: %w, response: %s",
+			err, string(data),
+		)
+	}
+
 	return res, nil
 }
 

internal/metadataproviders/openshift/metadata_test.go

@@ -26,9 +26,9 @@ import (
 )
 
 func TestNewProvider(t *testing.T) {
-	provider1 := NewProvider("127.0.0.1:4444", "abc")
+	provider1 := NewProvider("127.0.0.1:4444", "abc", nil)
 	assert.NotNil(t, provider1)
-	provider2 := NewProvider("", "")
+	provider2 := NewProvider("", "", nil)
 	assert.NotNil(t, provider2)
 }
 

processor/resourcedetectionprocessor/config_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/config/confighttp"
+	"go.opentelemetry.io/collector/config/configtls"
 	"go.opentelemetry.io/collector/confmap/confmaptest"
 
 	"github.com/open-telemetry/opentelemetry-collector-contrib/processor/resourcedetectionprocessor/internal"
@@ -51,6 +52,9 @@ func TestLoadConfig(t *testing.T) {
 					OpenShiftConfig: openshift.Config{
 						Address: "127.0.0.1:4444",
 						Token:   "some_token",
+						TLSSettings: configtls.TLSClientSetting{
+							Insecure: true,
+						},
 					},
 				},
 				HTTPClientSettings: cfg,

processor/resourcedetectionprocessor/internal/openshift/config.go

@@ -17,9 +17,14 @@ package openshift // import "github.com/open-telemetry/opentelemetry-collector-c
 import (
 	"fmt"
 	"os"
+
+	"go.opentelemetry.io/collector/config/configtls"
 )
 
-const defaultServiceTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //#nosec
+const (
+	defaultServiceTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"  //#nosec
+	defaultCAPath           = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" //#nosec
+)
 
 func readK8STokenFromFile() (string, error) {
 	token, err := os.ReadFile(defaultServiceTokenPath)
@@ -49,6 +54,10 @@ type Config struct {
 
 	// Token is used to identify against the openshift api server
 	Token string `mapstructure:"token"`
+
+	// TLSSettings contains TLS configurations that are specific to client
+	// connection used to communicate with the Openshift API.
+	TLSSettings configtls.TLSClientSetting `mapstructure:"tls"`
 }
 
 // MergeWithDefaults fills unset fields with default values.
@@ -68,5 +77,9 @@ func (c *Config) MergeWithDefaults() error {
 		}
 		c.Address = addr
 	}
+
+	if !c.TLSSettings.Insecure && c.TLSSettings.CAFile == "" {
+		c.TLSSettings.CAFile = defaultCAPath
+	}
 	return nil
 }

processor/resourcedetectionprocessor/internal/openshift/openshift.go

@@ -40,9 +40,14 @@ func NewDetector(set processor.CreateSettings, dcfg internal.DetectorConfig) (in
 		return nil, err
 	}
 
+	tlsCfg, err := userCfg.TLSSettings.LoadTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
 	return &detector{
 		logger:   set.Logger,
-		provider: ocp.NewProvider(userCfg.Address, userCfg.Token),
+		provider: ocp.NewProvider(userCfg.Address, userCfg.Token, tlsCfg),
 	}, nil
 }
 
@@ -57,7 +62,7 @@ func (d *detector) Detect(ctx context.Context) (resource pcommon.Resource, schem
 
 	infra, err := d.provider.Infrastructure(ctx)
 	if err != nil {
-		d.logger.Debug("OpenShift detector metadata retrieval failed", zap.Error(err))
+		d.logger.Error("OpenShift detector metadata retrieval failed", zap.Error(err))
 		// return an empty Resource and no error
 		return res, "", nil
 	}

processor/resourcedetectionprocessor/testdata/config.yaml

@@ -6,6 +6,8 @@ resourcedetection/openshift:
   openshift:
     address: "127.0.0.1:4444"
     token: "some_token"
+    tls:
+      insecure: true
 
 resourcedetection/gcp:
   detectors: [env, gcp]