From 69f7f79bf3f9fe90eeb39dfac7e8a7b60791d205 Mon Sep 17 00:00:00 2001
From: Ben B
Date: Wed, 25 Jan 2023 18:33:49 +0100
Subject: [PATCH] [processor/resourcedetectionprocessor] support tls on openshift (#17963)
* [internal/metadataproviders] support tls settings to fetch openshift data
Signed-off-by: Benedikt Bongartz
* [processor/resourcedetectionprocessor] support tls config
Signed-off-by: Benedikt Bongartz
* chloggen: add changelog
Signed-off-by: Benedikt Bongartz
Signed-off-by: Benedikt Bongartz
---
 ...ectionprocessor_support_tls_openshift.yaml | 16 ++++++++++++
 .../metadataproviders/openshift/metadata.go | 25 ++++++++++++++++---
 .../openshift/metadata_test.go | 4 +-
 .../resourcedetectionprocessor/config_test.go | 4 +++
 .../internal/openshift/config.go | 15 ++++++++++-
 .../internal/openshift/openshift.go | 9 +++++--
 .../testdata/config.yaml | 2 ++
 7 files changed, 66 insertions(+), 9 deletions(-)
 create mode 100755 .chloggen/resourcedetectionprocessor_support_tls_openshift.yaml
diff --git a/.chloggen/resourcedetectionprocessor_support_tls_openshift.yaml b/.chloggen/resourcedetectionprocessor_support_tls_openshift.yaml
new file mode 100755
index 000000000000..39588c235ee3
--- /dev/null
+++ b/.chloggen/resourcedetectionprocessor_support_tls_openshift.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: resourcedetectionprocessor/openshift
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Respect tls config when connecting to the api server.
+
+# One or more tracking issues related to the change
+issues: [17961]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/internal/metadataproviders/openshift/metadata.go b/internal/metadataproviders/openshift/metadata.go
index 199e0646c7c6..eca6e0ebb4a3 100644
--- a/internal/metadataproviders/openshift/metadata.go
+++ b/internal/metadataproviders/openshift/metadata.go
@@ -16,8 +16,10 @@ package openshift // import "github.com/open-telemetry/opentelemetry-collector-c
 import (
 "context"
+ "crypto/tls"
 "encoding/json"
 "fmt"
+ "io"
 "net/http"
 "strings"
 )
@@ -30,11 +32,19 @@ type Provider interface {
 }
 // NewProvider creates a new metadata provider.
-func NewProvider(address, token string) Provider {
+func NewProvider(address, token string, tlsCfg *tls.Config) Provider {
+ cl := &http.Client{}
+
+ if tlsCfg != nil {
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.TLSClientConfig = tlsCfg
+ cl.Transport = transport
+ }
+
 return &openshiftProvider{
 address: address,
 token: token,
- client: &http.Client{},
+ client: cl,
 }
 }
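Review bot: `http.DefaultTransport.(*http.Transport)` in NewProvider is a single-value type assertion and will panic at detector start-up if any other package in the binary has replaced `http.DefaultTransport` with a wrapping RoundTripper (instrumentation libraries do this); use the two-value form and fall back to a fresh transport, e.g. `transport := &http.Transport{}` / `if t, ok := http.DefaultTransport.(*http.Transport); ok { transport = t.Clone() }` / `transport.TLSClientConfig = tlsCfg`. The client is also built without a `Timeout`, so a stalled API server is bounded only by whatever deadline the caller's ctx carries into Infrastructure, which is outside this hunk. The doc comment should state both behaviours: `// NewProvider creates a new metadata provider. A nil tlsCfg keeps http.DefaultTransport;` / `// otherwise a clone of it with tlsCfg installed is used. The client sets no timeout of its own.`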
@@ -81,11 +91,18 @@ func (o *openshiftProvider) Infrastructure(ctx context.Context) (*Infrastructure
 if err != nil {
 return nil, err
 }
- res := &InfrastructureAPIResponse{}
- if err := json.NewDecoder(resp.Body).Decode(res); err != nil {
+ data, err := io.ReadAll(resp.Body)
+ if err != nil {
 return nil, err
 }
+ res := &InfrastructureAPIResponse{}
+ if err := json.Unmarshal(data, res); err != nil {
+ return nil, fmt.Errorf("unable to unmarshal response, err: %w, response: %s",
+ err, string(data),
+ )
+ }
+
 return res, nil
 }
diff --git a/internal/metadataproviders/openshift/metadata_test.go b/internal/metadataproviders/openshift/metadata_test.go
index 467af24e05af..20a598fcabb1 100644
--- a/internal/metadataproviders/openshift/metadata_test.go
+++ b/internal/metadataproviders/openshift/metadata_test.go
@@ -26,9 +26,9 @@ import (
 )
 func TestNewProvider(t *testing.T) {
- provider1 := NewProvider("127.0.0.1:4444", "abc")
+ provider1 := NewProvider("127.0.0.1:4444", "abc", nil)
 assert.NotNil(t, provider1)
- provider2 := NewProvider("", "")
+ provider2 := NewProvider("", "", nil)
 assert.NotNil(t, provider2)
 }
diff --git a/processor/resourcedetectionprocessor/config_test.go b/processor/resourcedetectionprocessor/config_test.go
index 64ca4dbd20d8..de8c90a4154e 100644
--- a/processor/resourcedetectionprocessor/config_test.go
+++ b/processor/resourcedetectionprocessor/config_test.go
@@ -23,6 +23,7 @@ import (
 "github.com/stretchr/testify/require"
 "go.opentelemetry.io/collector/component"
 "go.opentelemetry.io/collector/config/confighttp"
+ "go.opentelemetry.io/collector/config/configtls"
 "go.opentelemetry.io/collector/confmap/confmaptest"
 "github.com/open-telemetry/opentelemetry-collector-contrib/processor/resourcedetectionprocessor/internal"
@@ -51,6 +52,9 @@ func TestLoadConfig(t *testing.T) {
 OpenShiftConfig: openshift.Config{
 Address: "127.0.0.1:4444",
 Token: "some_token",
+ TLSSettings: configtls.TLSClientSetting{
+ Insecure: true,
+ },
 },
 },
 HTTPClientSettings: cfg,
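Review bot: The new error in Infrastructure embeds the whole response body via `string(data)`, and the body is read with an unbounded `io.ReadAll`; since the Detect change in openshift.go now logs this error at Error level, any non-JSON reply (a proxy's HTML page, or an authorization error body if the status code is not validated above this hunk) is copied verbatim into the collector log, and a large reply is held fully in memory first. Bound the read and truncate what goes into the message: `data, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))` (a constructed bound — pick one that fits the expected payload), and in the error branch `snippet := data` / `if len(snippet) > 512 { snippet = snippet[:512] }` formatted with `%s` instead of `string(data)`. Infrastructure's body starts above this hunk, so whether `resp.StatusCode` is checked before decoding and whether the body is closed is not visible here.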
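Review bot: TestNewProvider only exercises the `nil` tlsCfg path, so the branch in NewProvider that clones `http.DefaultTransport` and installs the config — the part this change exists for — has no test. A third case passing `&tls.Config{MinVersion: tls.VersionTLS12}` and asserting that the provider's client transport is a `*http.Transport` whose `TLSClientConfig` is that pointer would cover it; reading the unexported `client` field requires the test to be in package openshift, which is outside this hunk and not visible.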
diff --git a/processor/resourcedetectionprocessor/internal/openshift/config.go b/processor/resourcedetectionprocessor/internal/openshift/config.go
index 63bbc5a5b3bf..2373bd655b85 100644
--- a/processor/resourcedetectionprocessor/internal/openshift/config.go
+++ b/processor/resourcedetectionprocessor/internal/openshift/config.go
@@ -17,9 +17,14 @@ package openshift // import "github.com/open-telemetry/opentelemetry-collector-c
 import (
 "fmt"
 "os"
+
+ "go.opentelemetry.io/collector/config/configtls"
 )
-const defaultServiceTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //#nosec
+const (
+ defaultServiceTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //#nosec
+ defaultCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" //#nosec
+)
 func readK8STokenFromFile() (string, error) {
 token, err := os.ReadFile(defaultServiceTokenPath)
@@ -49,6 +54,10 @@ type Config struct {
 // Token is used to identify against the openshift api server
 Token string `mapstructure:"token"`
+
+ // TLSSettings contains TLS configurations that are specific to client
+ // connection used to communicate with the Openshift API.
+ TLSSettings configtls.TLSClientSetting `mapstructure:"tls"`
 }
 // MergeWithDefaults fills unset fields with default values.
@@ -68,5 +77,9 @@ func (c *Config) MergeWithDefaults() error {
 }
 c.Address = addr
 }
+
+ if !c.TLSSettings.Insecure && c.TLSSettings.CAFile == "" {
+ c.TLSSettings.CAFile = defaultCAPath
+ }
 return nil
 }
diff --git a/processor/resourcedetectionprocessor/internal/openshift/openshift.go b/processor/resourcedetectionprocessor/internal/openshift/openshift.go
index cf82e7330f38..e47e93c794ea 100644
--- a/processor/resourcedetectionprocessor/internal/openshift/openshift.go
+++ b/processor/resourcedetectionprocessor/internal/openshift/openshift.go
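Review bot: The comment on the new TLSSettings field does not tell an operator how the security-relevant knobs interact, and `insecure` versus `insecure_skip_verify` is exactly where misconfiguration happens: MergeWithDefaults later in this file only defaults `ca_file` when `insecure` is false, and what `insecure: true` does to the connection depends on configtls (in the version I know, `LoadTLSConfig` yields a nil config when `insecure` is set and no CA is given, so the provider falls back to `http.DefaultTransport` and the system roots rather than skipping verification — confirm against the pinned configtls). Suggested replacement: `// TLSSettings configures the TLS client used to reach the OpenShift API server. When` / `// ca_file is empty and insecure is false, it defaults to the pod's service-account CA;` / `// insecure_skip_verify disables certificate verification and is meant for testing only.`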
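Review bot: MergeWithDefaults now injects `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` whenever `ca_file` is empty and `insecure` is false, so a deployment that runs the collector outside the cluster with an explicit `address` and `token` and relies on system roots will fail in NewDetector when LoadTLSConfig cannot read that file, where it previously got the default transport; the condition also ignores `insecure_skip_verify`, so that flag alone still requires the mounted CA to exist. Defaulting only when the mount is actually there, `if _, statErr := os.Stat(defaultCAPath); statErr == nil { c.TLSSettings.CAFile = defaultCAPath }`, keeps in-cluster behaviour identical (the CA is always mounted there) while leaving out-of-cluster users on system roots, which still fails closed on an untrusted certificate. Whichever rule is kept, it deserves a test of MergeWithDefaults for both the defaulted and the explicit `ca_file` case — TestLoadConfig in config_test.go only covers `insecure: true`. The `c.Address` defaulting above belongs to the same function, which starts outside this hunk.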
@@ -40,9 +40,14 @@ func NewDetector(set processor.CreateSettings, dcfg internal.DetectorConfig) (in
 return nil, err
 }
+ tlsCfg, err := userCfg.TLSSettings.LoadTLSConfig()
+ if err != nil {
+ return nil, err
+ }
+
 return &detector{
 logger: set.Logger,
- provider: ocp.NewProvider(userCfg.Address, userCfg.Token),
+ provider: ocp.NewProvider(userCfg.Address, userCfg.Token, tlsCfg),
 }, nil
 }
@@ -57,7 +62,7 @@ func (d *detector) Detect(ctx context.Context) (resource pcommon.Resource, schem
 infra, err := d.provider.Infrastructure(ctx)
 if err != nil {
- d.logger.Debug("OpenShift detector metadata retrieval failed", zap.Error(err))
+ d.logger.Error("OpenShift detector metadata retrieval failed", zap.Error(err))
 // return an empty Resource and no error
 return res, "", nil
 }
diff --git a/processor/resourcedetectionprocessor/testdata/config.yaml b/processor/resourcedetectionprocessor/testdata/config.yaml
index aa4d5d0085b2..389f4a891ff2 100644
--- a/processor/resourcedetectionprocessor/testdata/config.yaml
+++ b/processor/resourcedetectionprocessor/testdata/config.yaml
@@ -6,6 +6,8 @@ resourcedetection/openshift:
 openshift:
 address: "127.0.0.1:4444"
 token: "some_token"
+ tls:
+ insecure: true
 resourcedetection/gcp:
 detectors: [env, gcp]
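Review bot: The error from `LoadTLSConfig` is returned bare, so a start-up failure surfaces as a generic file-read error with no hint that it came from the openshift detector's `tls` block — and after MergeWithDefaults the failing path may be the implicit service-account CA the user never configured, which makes the bare message genuinely confusing. Wrap it with the layer's context: `return nil, fmt.Errorf("openshift detector: loading tls config: %w", err)`; whether `fmt` is already imported in openshift.go is not visible in this hunk. NewDetector's `userCfg` is populated above the hunk, and the function's signature is cut off at the hunk header.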