Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS support to auto-instrumentation #3338

Merged
merged 4 commits into from
Oct 11, 2024
Merged

Add TLS support to auto-instrumentation #3338

merged 4 commits into from
Oct 11, 2024

Conversation

pavolloffay
Copy link
Member

@pavolloffay pavolloffay commented Oct 8, 2024
edited
Loading

Description:

Link to tracking Issue(s):

Todos:

Testing:

On OpenShifit

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: simplest
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: otelcol
spec:
  volumeMounts:
  - name: otelcol-certs
    mountPath: /otelcol-certs
  volumes:
  - name: otelcol-certs
    secret: 
      secretName: otelcol
    
  config:
    receivers:
      otlp:
        protocols:
          grpc:
            endpoint: 0.0.0.0:4317
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
          http:
            endpoint: 0.0.0.0:4318
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
    processors:
    exporters:
      debug: {}

    service:
      pipelines:
        traces:
          receivers: [otlp]
          processors: []
          exporters: [debug]
EOF


kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1alpha1
kind: Instrumentation
metadata:
  name: my-instrumentation
spec:
  exporter:
    endpoint: https://simplest-collector.tracing-system.svc.cluster.local:4317
    tls:
      ca: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
  propagators:
    - tracecontext
    - baggage
    - b3
  sampler:
    type: parentbased_traceidratio
    argument: "1"
EOF

kubectl apply -f https://raw.githubusercontent.com/pavolloffay/kubecon-eu-2024-opentelemetry-kubernetes-tracing-tutorial/main/app/k8s.yaml
kubectl patch deployment frontend-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-sdk":"tracing-system/my-instrumentation"}}}} }'
kubectl patch deployment backend1-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-python":"tracing-system/my-instrumentation"}}}} }'
kubectl patch deployment backend2-deployment -n tutorial-application -p '{"spec": {"template":{"metadata":{"annotations":{"instrumentation.opentelemetry.io/inject-java":"tracing-system/my-instrumentation"}}}} }'
k get pods -n tutorial-application -w 
kubectl port-forward service/frontend-service -n tutorial-application 4000:4000

Another Example for Openshift Ca bundle and serving certs

kubectl apply -f - <<EOF
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
  name: tempo
spec:
  storage:
    traces:
      backend: memory 
      size: 1Gi 
  ingestion:
    otlp:
      grpc:
        enabled: true
        tls:
          enabled: true
      http:
        enabled: true
        tls:
          enabled: true
  jaegerui:
    enabled: true 
    route:
      enabled: true 
EOF


kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: otelcol-cabundle
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
EOF

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: simplest
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: otelcol
spec:
  volumeMounts:
  - name: otelcol-certs
    mountPath: /otelcol-certs
  - name: otelcol-ca
    mountPath: /otelcol-certs-ca
  volumes:
  - name: otelcol-certs
    secret: 
      secretName: otelcol
  - name: otelcol-ca
    configMap: 
      name: otelcol-cabundle
    
  config:
    receivers:
      otlp:
        protocols:
          grpc:
            endpoint: 0.0.0.0:4317
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
          http:
            endpoint: 0.0.0.0:4318
            tls:
              cert_file: /otelcol-certs/tls.crt
              key_file: /otelcol-certs/tls.key
    processors:
    exporters:
      otlp:
        endpoint: https://tempo-tempo.tracing-system.svc.cluster.local:4317
        tls:
          ca_file: /otelcol-certs-ca/service-ca.crt
      debug: {}

    service:
      pipelines:
        traces:
          receivers: [otlp]
          processors: []
          exporters: [debug,otlp]
EOF



kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: otelcol-cabundle
  namespace: tutorial-application
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
EOF

kubectl apply -f - <<EOF
apiVersion: opentelemetry.io/v1alpha1
kind: Instrumentation
metadata:
  name: my-instrumentation
spec:
  exporter:
    endpoint: https://simplest-collector.tracing-system.svc.cluster.local:4317
    tls:
      configMapName: otelcol-cabundle
      ca: service-ca.crt
  propagators:
    - tracecontext
    - baggage
    - b3
  sampler:
    type: parentbased_traceidratio
    argument: "1"
  python:
    env:
      # Required if endpoint is set to 4317.
      # Python autoinstrumentation uses http/proto by default
      # so data must be sent to 4318 instead of 4317.
      - name: OTEL_EXPORTER_OTLP_ENDPOINT
        value: https://simplest-collector.tracing-system.svc.cluster.local:4318
EOF

Documentation:

@pavolloffay pavolloffay requested a review from a team as a code owner October 8, 2024 16:26
@pavolloffay pavolloffay marked this pull request as draft October 8, 2024 16:26
@pavolloffay pavolloffay marked this pull request as ready for review October 9, 2024 17:12
jaronoff97
jaronoff97 reviewed Oct 9, 2024
View reviewed changes
apis/v1alpha1/instrumentation_types.go Outdated Show resolved Hide resolved
apis/v1alpha1/instrumentation_types.go Outdated Show resolved Hide resolved
apis/v1alpha1/instrumentation_types.go Outdated Show resolved Hide resolved
pkg/instrumentation/exporter.go Show resolved Hide resolved
frzifus
frzifus reviewed Oct 9, 2024
View reviewed changes
apis/v1alpha1/instrumentation_types.go Outdated Show resolved Hide resolved
apis/v1alpha1/instrumentation_types.go

// CA defines the key of certificate in the configmap map, secret or absolute path to a certificate.
// The absolute path can be used when certificate is already present on the workload filesystem e.g.
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
// /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
// +optional

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@frzifus what does the +optional do ? It does not seem to have any effect on the generated bundle or code.

We should get rid of it https://book.kubebuilder.io/reference/markers I will submit a follow up PR to remove +optional

apis/v1alpha1/instrumentation_types.go Show resolved Hide resolved
pkg/instrumentation/podmutator.go Outdated Show resolved Hide resolved
apis/v1alpha1/instrumentation_types.go Outdated Show resolved Hide resolved
iblancasa
iblancasa reviewed Oct 10, 2024
View reviewed changes
apis/v1alpha1/instrumentation_types.go

// ConfigMapName defines configmap name with CA certificate. If it is not defined CA certificate will be
// used from the secret defined in SecretName.
ConfigMapName string `json:"configMapName,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this name because it is something associated to the CA directly. Maybe configMapName -> caConfigMap.

pkg/instrumentation/exporter.go Show resolved Hide resolved
pkg/instrumentation/podmutator.go Outdated Show resolved Hide resolved
@pavolloffay pavolloffay mentioned this pull request Oct 10, 2024
Open
@pavolloffay
Add TLS support to auto-instrumentation
4e8d00b 
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
jaronoff97
jaronoff97 reviewed Oct 10, 2024
View reviewed changes
apis/v1alpha1/instrumentation_webhook.go Outdated
@@ -236,6 +236,14 @@ func (w InstrumentationWebhook) validate(r *Instrumentation) (admission.Warnings
default:
return warnings, fmt.Errorf("spec.sampler.type is not valid: %s", r.Spec.Sampler.Type)
}

if r.Spec.Exporter.TLS != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's also add a validation that if the scheme for the endpoint contains https TLS must be defined.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, this can break already existing installations. Users could configure env vars in the env section or directly on their deployments.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's go the reverse and if TLS is set we should block when https is not set. If HTTPS is set, TLS doesn't need to be set.

pkg/instrumentation/exporter_test.go Outdated Show resolved Hide resolved
pkg/instrumentation/exporter.go
}
// the name cannot be longer than 63 characters
secretVolumeName := naming.Truncate("otel-auto-secret-%s", 63, exporter.TLS.SecretName)
secretMountPath := fmt.Sprintf("/otel-auto-instrumentation-secret-%s", exporter.TLS.SecretName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we care about the max for a mount path? I'm not 100% there is one (i couldn't find anything in the kube API docs) but given we truncate the names here, i feel like we should try to keep the mount path name minimal too.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that does not seem to be an issue only the volume name

pkg/instrumentation/exporter_test.go Show resolved Hide resolved
tests/e2e-instrumentation/instrumentation-java-tls/chainsaw-test.yaml
file: 01-assert.yaml
catch:
- podLogs:
selector: app=my-java
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we run a curl against the collector to see that span traffic made it successfully to the collector?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't do this for auto-instrumentation tests there is a booked ticket for it #552

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay fine :P I can do this post my refactor.

@pavolloffay
Fix
ed2db96 
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
@pavolloffay pavolloffay mentioned this pull request Oct 11, 2024
Closed
@pavolloffay
Fix
2849547 
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
@pavolloffay
More validation
6bed105 
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
@pavolloffay pavolloffay merged commit a3feb2c into open-telemetry:main Oct 11, 2024
35 checks passed
@alexkruc alexkruc mentioned this pull request Dec 5, 2024
Closed
araiu added a commit to araiu/opentelemetry-helm-charts that referenced this pull request Dec 5, 2024
@araiu
Update operator clusterrole
17cb750 
* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)
araiu added a commit to araiu/opentelemetry-helm-charts that referenced this pull request Dec 5, 2024
@araiu
Update operator clusterrole
32fba45 
* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)
araiu added a commit to araiu/opentelemetry-helm-charts that referenced this pull request Dec 5, 2024
@araiu
Update operator clusterrole
c596b9a 
* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)
araiu added a commit to araiu/opentelemetry-helm-charts that referenced this pull request Dec 6, 2024
@araiu
Update operator clusterrole
ef21865 
* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)
TylerHelmuth pushed a commit to open-telemetry/opentelemetry-helm-charts that referenced this pull request Dec 6, 2024
@araiu
Release operator 0.114.0 (#1448)
11361d7 
* Release operator 0.114.1

Signed-off-by: Alex Raiu <raiu.andrei@protonmail.com>

* Update operator clusterrole

* `secrets`:  Add TLS support to auto-instrumentation  [#3338](open-telemetry/opentelemetry-operator#3338)
* `targetallocators`: Generate only TargetAllocator CR from Collector CR [#3402](open-telemetry/opentelemetry-operator#3402)

* Add `targetAllocatorFallbackStrategy` feature flag

Feature flag available since `v0.114.0` (Add allocation_fallback_strategy option as fallback strategy for per-node strategy [#3482](open-telemetry/opentelemetry-operator#3482))

* Update operator-test with manager label

Adding `control-plane: controller-manager` label to match [operator-restart e2e test](open-telemetry/opentelemetry-operator#3486)

---------

Signed-off-by: Alex Raiu <raiu.andrei@protonmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frzifus frzifus frzifus approved these changes

@jaronoff97 jaronoff97 jaronoff97 approved these changes

@iblancasa iblancasa Awaiting requested review from iblancasa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable TLS between the collector and application pods
4 participants
@pavolloffay @iblancasa @jaronoff97 @frzifus