From 7bb9fd533e0b98de87cc9b1c88076c975e3de172 Mon Sep 17 00:00:00 2001 From: Ruben Vargas Date: Wed, 10 Jul 2024 09:28:45 -0600 Subject: [PATCH] Allow otlp grpc and http to be enabled with TLS Signed-off-by: Ruben Vargas --- .../fix_tls_monolithic_both_enabled.yaml | 16 +++ internal/manifests/manifestutils/paths.go | 10 ++ internal/manifests/manifestutils/tls.go | 48 ++++--- internal/manifests/monolithic/configmap.go | 14 +- .../manifests/monolithic/configmap_test.go | 12 +- internal/manifests/monolithic/statefulset.go | 4 +- .../manifests/monolithic/statefulset_test.go | 4 +- .../monolithic-receivers-tls/01-assert.yaml | 75 +++++++++++ .../01-install-tempo.yaml | 71 ++++++++++ .../monolithic-receivers-tls/02-assert.yaml | 38 ++++++ .../02-install-otel.yaml | 126 ++++++++++++++++++ .../monolithic-receivers-tls/03-assert.yaml | 8 ++ .../03-generate-traces.yaml | 36 +++++ .../monolithic-receivers-tls/04-assert.yaml | 17 +++ .../04-verify-traces.yaml | 47 +++++++ .../chainsaw-test.yaml | 32 +++++ 16 files changed, 527 insertions(+), 31 deletions(-) create mode 100755 .chloggen/fix_tls_monolithic_both_enabled.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/01-assert.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/01-install-tempo.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/02-assert.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/02-install-otel.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/03-assert.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/03-generate-traces.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/04-assert.yaml create mode 100644 tests/e2e/monolithic-receivers-tls/04-verify-traces.yaml create mode 100755 tests/e2e/monolithic-receivers-tls/chainsaw-test.yaml diff --git a/.chloggen/fix_tls_monolithic_both_enabled.yaml b/.chloggen/fix_tls_monolithic_both_enabled.yaml new file mode 100755 index 000000000..a9c4fa9aa --- /dev/null 
+++ b/.chloggen/fix_tls_monolithic_both_enabled.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Allow create a monolithic with tls enabled on both grpc/http
+
+# One or more tracking issues related to the change
+issues: [976]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/internal/manifests/manifestutils/paths.go b/internal/manifests/manifestutils/paths.go
index 8006a3388..436152847 100644
--- a/internal/manifests/manifestutils/paths.go
+++ b/internal/manifests/manifestutils/paths.go
@@ -14,6 +14,16 @@ const ( // ReceiverTLSCertDir returns the mount path of the receivers certificates (for ingesting traces). ReceiverTLSCertDir = TLSDir + "/receiver" + // ReceiverGRPCTLSCADir is the path that is mounted from the configmap for TLS for receiver. + ReceiverGRPCTLSCADir = "/var/run/ca-receiver/grpc" + // ReceiverGRPCTLSCertDir returns the mount path of the receivers certificates (for ingesting traces). + ReceiverGRPCTLSCertDir = TLSDir + "/receiver/grpc" + + // ReceiverHTTPTLSCADir is the path that is mounted from the configmap for TLS for receiver. + ReceiverHTTPTLSCADir = "/var/run/ca-receiver/http" + // ReceiverHTTPTLSCertDir returns the mount path of the receivers certificates (for ingesting traces). + ReceiverHTTPTLSCertDir = TLSDir + "/receiver/http" + // StorageTLSCADir contains the CA file for accessing object storage. StorageTLSCADir = TLSDir + "/storage/ca" // StorageTLSCertDir contains the certificate and key file for accessing object storage. diff --git a/internal/manifests/manifestutils/tls.go b/internal/manifests/manifestutils/tls.go index a2d657ae5..5c5301c7b 100644 --- a/internal/manifests/manifestutils/tls.go +++ b/internal/manifests/manifestutils/tls.go @@ -27,16 +27,20 @@ func MountCAConfigMap( MountPath: caDir, ReadOnly: true, }) - pod.Volumes = append(pod.Volumes, corev1.Volume{ - Name: caConfigMap, - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: caConfigMap, + + volumeIndex, _ := findVolumeIndex(pod, caConfigMap) + if volumeIndex < 0 { + pod.Volumes = append(pod.Volumes, corev1.Volume{ + Name: caConfigMap, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: caConfigMap, + }, }, }, - }, - }) + }) + } return nil } 
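Review bot: The doc comments on the four new constants are copied from the generic receiver ones and do not say which protocol each directory serves; `ReceiverGRPCTLSCertDir` and `ReceiverHTTPTLSCertDir` carry the identical sentence, and "returns" reads oddly on a constant. Suggest `// ReceiverGRPCTLSCertDir is the mount path of the OTLP/gRPC receiver certificate and key.` with matching wording for HTTP and for the two CA directories. The new paths nest under the existing `ReceiverTLSCertDir` (`TLSDir + "/receiver"`), so a parent and a child mount would overlap if the old constant is still mounted anywhere; whether it still has users is not visible in this hunk. The const block continues outside the hunk.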
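Review bot: The new `findVolumeIndex` guard in MountCAConfigMap matches on the volume name only, so a ConfigMap and a Secret that share a name now collapse into a single volume. Before this change the duplicate name was appended and the pod spec would presumably have been rejected by the API server; now the second mount silently refers to whichever source was added first, which could expose the key-bearing Secret at the CA path or leave the certificate path backed by the ConfigMap. The guard added to MountCertSecret in the next hunk has the same gap. Verifying that the existing volume really is the expected ConfigMap (or Secret) and returning an error otherwise keeps the reuse case and makes a collision loud. The function starts outside the hunk, and the VolumeMount is appended before this check runs.

```go
volumeIndex, _ := findVolumeIndex(pod, caConfigMap)
if volumeIndex >= 0 {
	// Reuse is only safe when the existing volume is this very ConfigMap.
	existing := pod.Volumes[volumeIndex].ConfigMap
	if existing == nil || existing.Name != caConfigMap {
		return fmt.Errorf("volume %s already exists with a different source", caConfigMap)
	}
	return nil
}
// … unchanged: append the ConfigMap-backed volume and return nil …
```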
@@ -58,14 +62,18 @@ func MountCertSecret( MountPath: certDir, ReadOnly: true, }) - pod.Volumes = append(pod.Volumes, corev1.Volume{ - Name: certSecret, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: certSecret, + + volumeIndex, _ := findVolumeIndex(pod, certSecret) + if volumeIndex < 0 { + pod.Volumes = append(pod.Volumes, corev1.Volume{ + Name: certSecret, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: certSecret, + }, }, - }, - }) + }) + } return nil } @@ -117,3 +125,13 @@ func findContainerIndex(pod *corev1.PodSpec, containerName string) (int, error) return -1, fmt.Errorf("cannot find container %s", containerName) } + +func findVolumeIndex(pod *corev1.PodSpec, volumeName string) (int, error) { + for i, volume := range pod.Volumes { + if volume.Name == volumeName { + return i, nil + } + } + + return -1, fmt.Errorf("cannot find volume %s", volumeName) +} diff --git a/internal/manifests/monolithic/configmap.go b/internal/manifests/monolithic/configmap.go index 76689f332..8b2f4c05f 100644 --- a/internal/manifests/monolithic/configmap.go +++ b/internal/manifests/monolithic/configmap.go 
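Review bot: `findVolumeIndex` returns an index and an error, but both callers discard the error with `_` and use the index only as a presence flag, so the `fmt.Errorf` built on the normal first-mount path is thrown away. A bool-returning helper reads more directly, for example `func hasVolume(pod *corev1.PodSpec, name string) bool` called as `if !hasVolume(pod, certSecret) {`. If the signature is kept for symmetry with `findContainerIndex`, a doc comment such as `// findVolumeIndex returns the index of the volume named volumeName in pod.Volumes, or -1 and an error when there is none.` would make the contract explicit.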
@@ -139,15 +139,15 @@ func BuildConfigMap(opts Options) (*corev1.ConfigMap, map[string]string, error) return configMap, extraAnnotations, nil } -func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions) (tempoReceiverTLSConfig, error) { +func configureReceiverTLS(tlsSpec *v1alpha1.TLSSpec, tlsProfile tlsprofile.TLSProfileOptions, caCertDir, certDir string) (tempoReceiverTLSConfig, error) { tlsCfg := tempoReceiverTLSConfig{} if tlsSpec != nil && tlsSpec.Enabled { if tlsSpec.Cert != "" { - tlsCfg.CertFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSCertFilename) - tlsCfg.KeyFile = path.Join(manifestutils.ReceiverTLSCertDir, manifestutils.TLSKeyFilename) + tlsCfg.CertFile = path.Join(certDir, manifestutils.TLSCertFilename) + tlsCfg.KeyFile = path.Join(certDir, manifestutils.TLSKeyFilename) } if tlsSpec.CA != "" { - tlsCfg.CAFile = path.Join(manifestutils.ReceiverTLSCADir, manifestutils.TLSCAFilename) + tlsCfg.CAFile = path.Join(caCertDir, manifestutils.TLSCAFilename) } if tlsSpec.MinVersion != "" { tlsCfg.MinVersion = tlsSpec.MinVersion @@ -230,7 +230,8 @@ func buildTempoConfig(opts Options) ([]byte, error) { if tempo.Spec.Ingestion != nil { if tempo.Spec.Ingestion.OTLP != nil { if tempo.Spec.Ingestion.OTLP.GRPC != nil && tempo.Spec.Ingestion.OTLP.GRPC.Enabled { - receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile) + receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.GRPC.TLS, opts.TLSProfile, + manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir) if err != nil { return nil, err } 
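Review bot: `configureReceiverTLS` now takes two adjacent string parameters, `caCertDir, certDir`, which a caller can swap without a compile error, and the function has no doc comment saying which is which. Suggest `// configureReceiverTLS builds the receiver TLS block; caCertDir is where the CA ConfigMap is mounted, certDir where the certificate Secret is mounted.` and renaming `caCertDir` to `caDir` to match the `...TLSCADir` constants. The same directory pair is passed separately to `MountTLSSpecVolumes` in statefulset.go, so the rendered config and the actual mounts agree only by convention. The function body continues past the end of the hunk.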
@@ -246,7 +247,8 @@ func buildTempoConfig(opts Options) ([]byte, error) { } if tempo.Spec.Ingestion.OTLP.HTTP != nil && tempo.Spec.Ingestion.OTLP.HTTP.Enabled { - receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS, opts.TLSProfile) + receiverTLS, err := configureReceiverTLS(tempo.Spec.Ingestion.OTLP.HTTP.TLS, + opts.TLSProfile, manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir) if err != nil { return nil, err } diff --git a/internal/manifests/monolithic/configmap_test.go b/internal/manifests/monolithic/configmap_test.go index 19e58bec1..e78c21aeb 100644 --- a/internal/manifests/monolithic/configmap_test.go +++ b/internal/manifests/monolithic/configmap_test.go @@ -170,9 +170,9 @@ distributor: protocols: grpc: tls: - client_ca_file: /var/run/ca-receiver/service-ca.crt - cert_file: /var/run/tls/receiver/tls.crt - key_file: /var/run/tls/receiver/tls.key + client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt + cert_file: /var/run/tls/receiver/grpc/tls.crt + key_file: /var/run/tls/receiver/grpc/tls.key min_version: "1.3" usage_report: reporting_enabled: false @@ -222,9 +222,9 @@ distributor: protocols: grpc: tls: - client_ca_file: /var/run/ca-receiver/service-ca.crt - cert_file: /var/run/tls/receiver/tls.crt - key_file: /var/run/tls/receiver/tls.key + client_ca_file: /var/run/ca-receiver/grpc/service-ca.crt + cert_file: /var/run/tls/receiver/grpc/tls.crt + key_file: /var/run/tls/receiver/grpc/tls.key min_version: "1.2" cipher_suites: [abc] usage_report: diff --git a/internal/manifests/monolithic/statefulset.go b/internal/manifests/monolithic/statefulset.go index b2348de6f..dc9153b47 100644 --- a/internal/manifests/monolithic/statefulset.go +++ b/internal/manifests/monolithic/statefulset.go 
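Review bot: Both updated expectations in configmap_test.go cover only the `grpc:` receiver; no case visible in these hunks renders a config with OTLP gRPC and HTTP TLS enabled together, which is the scenario this commit fixes. A table entry that enables both and asserts `/var/run/tls/receiver/grpc/tls.crt` under `grpc:` and `/var/run/tls/receiver/http/tls.crt` under `http:` would pin the per-protocol paths. The rest of the test table is outside the hunks, so such a case may already exist.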
@@ -121,7 +121,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a tempo.Spec.Ingestion.OTLP.GRPC.TLS != nil && tempo.Spec.Ingestion.OTLP.GRPC.TLS.Enabled { err := manifestutils.MountTLSSpecVolumes( &sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.GRPC.TLS, - manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir, + manifestutils.ReceiverGRPCTLSCADir, manifestutils.ReceiverGRPCTLSCertDir, ) if err != nil { return nil, err @@ -132,7 +132,7 @@ func BuildTempoStatefulset(opts Options, extraAnnotations map[string]string) (*a tempo.Spec.Ingestion.OTLP.HTTP.TLS != nil && tempo.Spec.Ingestion.OTLP.HTTP.TLS.Enabled { err := manifestutils.MountTLSSpecVolumes( &sts.Spec.Template.Spec, "tempo", *tempo.Spec.Ingestion.OTLP.HTTP.TLS, - manifestutils.ReceiverTLSCADir, manifestutils.ReceiverTLSCertDir, + manifestutils.ReceiverHTTPTLSCADir, manifestutils.ReceiverHTTPTLSCertDir, ) if err != nil { return nil, err diff --git a/internal/manifests/monolithic/statefulset_test.go b/internal/manifests/monolithic/statefulset_test.go index ff3bcfc76..cf27e79f5 100644 --- a/internal/manifests/monolithic/statefulset_test.go +++ b/internal/manifests/monolithic/statefulset_test.go @@ -427,12 +427,12 @@ func TestStatefulsetReceiverTLS(t *testing.T) { }, { Name: "custom-ca", - MountPath: "/var/run/ca-receiver", + MountPath: "/var/run/ca-receiver/grpc", ReadOnly: true, }, { Name: "custom-cert", - MountPath: "/var/run/tls/receiver", + MountPath: "/var/run/tls/receiver/grpc", ReadOnly: true, }, }, sts.Spec.Template.Spec.Containers[0].VolumeMounts) diff --git a/tests/e2e/monolithic-receivers-tls/01-assert.yaml b/tests/e2e/monolithic-receivers-tls/01-assert.yaml new file mode 100644 index 000000000..31e8a38a6 --- /dev/null +++ b/tests/e2e/monolithic-receivers-tls/01-assert.yaml 
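Review bot: The updated TestStatefulsetReceiverTLS expectation checks only the gRPC mount paths, so the new volume de-duplication is not exercised at unit level. A case with gRPC and HTTP TLS both pointing at `custom-cert` should assert two VolumeMounts (`/var/run/tls/receiver/grpc` and `/var/run/tls/receiver/http`) and exactly one entry named `custom-cert` in `sts.Spec.Template.Spec.Volumes`. The test function starts and ends outside the hunk.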
@@ -0,0 +1,75 @@
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+ name: simplest
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: tempo-simplest
+ labels:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
+status:
+ readyReplicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
+ name: tempo-simplest
+spec:
+ ports:
+ - name: http
+ port: 3200
+ protocol: TCP
+ targetPort: http
+ - name: otlp-grpc
+ port: 4317
+ protocol: TCP
+ targetPort: otlp-grpc
+ - name: otlp-http
+ port: 4318
+ protocol: TCP
+ targetPort: otlp-http
+ selector:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
+ name: tempo-simplest-jaegerui
+spec:
+ ports:
+ - name: jaeger-grpc
+ port: 16685
+ protocol: TCP
+ targetPort: jaeger-grpc
+ - name: jaeger-ui
+ port: 16686
+ protocol: TCP
+ targetPort: jaeger-ui
+ - name: jaeger-metrics
+ port: 16687
+ protocol: TCP
+ targetPort: jaeger-metrics
+ selector:
+ app.kubernetes.io/instance: simplest
+ app.kubernetes.io/managed-by: tempo-operator
+ app.kubernetes.io/name: tempo-monolithic
diff --git a/tests/e2e/monolithic-receivers-tls/01-install-tempo.yaml b/tests/e2e/monolithic-receivers-tls/01-install-tempo.yaml
new file mode 100644
index 000000000..dc2978bc5
--- /dev/null
+++ b/tests/e2e/monolithic-receivers-tls/01-install-tempo.yaml
@@ -0,0 +1,71 @@ +--- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoMonolithic +metadata: + name: simplest +spec: + jaegerui: + enabled: true + route: + enabled: true + authentication: + enabled: false + + ingestion: + otlp: + grpc: + enabled: true + tls: + enabled: true + certName: custom-cert + http: + enabled: true + tls: + enabled: true + certName: custom-cert +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: custom-ca +data: + service-ca.crt: | + -----BEGIN CERTIFICATE----- + MIIFZTCCA02gAwIBAgIUFDK4W5lEpkYZyOpFrKphNi6cu+0wDQYJKoZIhvcNAQEL + BQAwQjELMAkGA1UEBhMCTVgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE + CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDA3MTEwMDI2MjhaFw0yNzA1MDEw + MDI2MjhaMEIxCzAJBgNVBAYTAk1YMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa + BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4IC + DwAwggIKAoICAQD4oNvZiL5NVSLVh1AwVpMIHaZZ0l32vyNZzU7brLxbPMWTfDYw + 6QxTarrfsLU94TmKBroYy40jEwmm87zMKuNoerqZ73npVSwrWzFdz4lOpJzEL3k4 + XjNmeBbnutrbs1IIP+yZP2jCW2rVTn4RMfpavVwbfMyEJOqZ6bfxO3twOfqbimKn + 7pNBhnzUrzxDRIJMvvDkIUW+Y63Kydq9uI1nHV+xAf6h/MFcvmhwhMNhwqtcsyZf + 6azYTWz9LD27+HJ3sVHboFg35Bhdh0BAv8djRAA88tku6L/ybGuVcgY+Lcmjnfmn + HoGOqyCVSaC9g39yr91GqqGkcGkKTHQauf7KSxGRIJWBPo2I2jr6HAwXw2YETZs4 + UWpZWQUqH/hHTb9rW2+53xXNCJCb+3nUDsCetC2T/G9pelehXzI1PDSzu3gfPXgP + A6aBaZLct/PiNpCc6IYmrSu5Qu5GshqK42LplIcTgVKaYn3StldTe4LFnVLJor8w + bHhd0mQSDUO61snyFHrOh0mxBiSE9Kto9H3UfOwkfjinoEQgfFztZtK884S3mqbD + bou3lF0zq2lVJzvE1/EoeXGEM+C3WWVQBEhWQG1ilnbU+40RTP9/ObVSPX5H12i6 + KNr2AvvqLaLTtXFmuUJwFHJ4bXwyrnJZD0XnIjj0GV4nnQVxU42etBIBXwIDAQAB + o1MwUTAdBgNVHQ4EFgQUP6Sa/rRKYSw88pFs08EzOg3SPNwwHwYDVR0jBBgwFoAU + P6Sa/rRKYSw88pFs08EzOg3SPNwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B + AQsFAAOCAgEADjifER3r1hUveWJcFjKMydxiOP+4MOWYyuNk1wAfeq4wi6vCR+Mg + wK8zks04J4BofiBAB5++VgUB6sYFT+lU70OCLV/m9/SnSiAb0FHWJQCrNEKCNr15 + osWoDUgHsD4Oo4JaTipd7wEECFhZSBX3zk+eLPAshbgv9SVUz0m655ZYLuK+0QE9 + A9Cj7FKmkWGQ++RHAmQww8a6RL6W3Qeua6BW3brv2hCz/3qVFX1PL9hAyl/K605i + 
sLqLxn/sZCA39wtNsTxr867un4xMTHioIrj5Vivx7Vb9eHlFXTmthcB/oFteYi8G + xUw3ZlI2Lxs/vbHs1PiTa1iix1X5ARVipFusKZ5ENp7ckedBOPY3cOXAgT5zQrP8 + FAy9Q7wVx7qDMN+u9aWfsTpdspOWBkVck9U6y3H/oYbhiMZ2pnSo8F43sHb3Nkms + SdvvL6RCGPpa/7O/apY5Dd80o0m5Nw9rw8656C7Dl8/325piF8l6ptcfo2Vw1ozB + 0U9LyQedMLeo4dSjufiMhREzVj3KpcEtW9P3J+/td16Y4swUJ4KYSZ09CAwguGLH + f3/58d2r50a1kBqyaU6ymSUZlITNBZsRTO8uvAlIX+AVQ+W+DovaGWUkWGK+s7CH + tzuTsE7yRoJa9ksbeGNgN5hlgMI/8tnvVM0xYSIeNHn9CWHjNONblr8= + -----END CERTIFICATE----- +--- +apiVersion: v1 +kind: Secret +metadata: + name: custom-cert +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVTRENDQWpDZ0F3SUJBZ0lVTHNmekFmNXR5Y0Rob2JGSkVwT2o3bEZQUkFZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1FqRUxNQWtHQTFVRUJoTUNUVmd4RlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZ0Z3MHlOREEzTVRFd01EVXhNVFphR0E4ME9ESTNNRE13Ck9UQXdOVEV4Tmxvd0dURVhNQlVHQTFVRUF3d09kR1Z0Y0c4dGMybHRjR3hsYzNRd2dnRWlNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDVTB3SVJlWFRQTWFqSnlxN1lNNnIrTmVFZjNoSVl2bWVGNzJrRwpCUHZLSit0RG02b1RXWmMwV2diQXJxK05ZTnpMWTBtaTFxeTl4UnhJVUs0Sk85M0Jnc1pEQ1dneTFabW9GaGhECnYwbm9LdUJwejNITWFrYTlNNEpaWUJpeDlDZXlaNFd4MUVncjE4bFRtbEVXYUQzOXBnbmhCUHg1NmVIbE94SlYKOThjcWxiTTFZSjAweE9ibGFzU0ZNWHV5V05Nc3RVU3dnTjJpd21MYjdBNGg3dmdLNi9EaWY3SW5JSzRMVWx1QgpZWmloTkJuVWZSdU1EK3Y4RVZBa0F4WW9KRHdzSWhrMjdsb01RSmVSSEVlUldxcTluUnhMSitCTUdWOE1vcW1lCm1iejNhMUlJKzZPc085TkFsR1dJNHVIdGc1MklNK2w3L0JjbnRqc2pkUDZubWtYQkFnTUJBQUdqWFRCYk1Ca0cKQTFVZEVRUVNNQkNDRG5SbGJYQnZMWE5wYlhCc1pYTjBNQjBHQTFVZERnUVdCQlRqRExZSEpucVFUQWFGM1BDRApuL3NVNDN2OWpEQWZCZ05WSFNNRUdEQVdnQlEvcEpyK3RFcGhMRHp5a1d6VHdUTTZEZEk4M0RBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FnRUFWNm9HTnpIQU9PUFZDbklMK0p3WVMwbmxBNHJwZ2xzSzRsbnZUaE1KbW1OMUU0QzkKcjBIeU9XWmdIR1JmczNuQVI1RFJKMVc2MWVCTzF6NU1Sd3VKdUVaUE8xaUwwZUVOR3BQTno3S3huMTJ5Z3RJaQpWNzhUWHhiZFZvSy9BcmpWaDBJQmQ3QlBuNVhNekxWZTJidWlDdGorNkxmU0g2bXM2SHdnRXJmTXUzd2YzTjVFCmZZVWZvNWdnVHlpaUlaQU15b3FrdEl2QTZOOS9MRmF0VDlMcE1kbXJtZCsxOWpVeHZwM3dTU1pqajdxR3FhZmMKVThGZ
VZGU0tDemhnRE92TUJBTURFWjJIOXdoZDc5TXFvUUlGNjhSRTVVMXJSeHN3V1V4T0dPSDl2djVBNk1CSApDcE5ZbEtmOVM3NDBYWkF1Q0V5NVRVRHgxZlkyRHVVOHZzWEhIUlgxaVpnaE4yZCtsZ1l2T21JWUJnaFVJYUZRCkRBTEdodFdSWTJTZUdNWU1OS0pzYWxPTmkrcWpZYjNHL3hZUjRaejRoWVRTVTJydEtDNXpnTjdsOVZHSTlaUWkKdFhhN1p2N0lpUDVZcUdFS1MzZnpLVzdNMFR1WHg5SGdaVTRCZ1ZtKzcrTmV2TzRTRVcvclBVWnU1TDlPWlZHNgpsT053b3FRQ0tZa2lPUjRhNmhPVFgxdWdXUjdyd3J4SHMxSmJqTjR4ajNJM2FmL2dpZ29QMVJIWndrcWw5UW1RCkRvL3dWTmUrZHZRQzhPTm93dXlPdHBoOEdYQ21KVUVaRVlLajVGV0hPeWR2RGxPK3ZobEt5Y3JXb29tVGpUY08KMVdrSXBVdU5nWG1rZXIyWEJmUnlYZ3NZMGUrcFRTYk5rcDhGVElHZ1RwSmlFVVBEb2xQaklnWFJCaEE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + tls.key: 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 diff --git a/tests/e2e/monolithic-receivers-tls/02-assert.yaml b/tests/e2e/monolithic-receivers-tls/02-assert.yaml new file mode 100644 index 000000000..9f2728423 --- /dev/null +++ b/tests/e2e/monolithic-receivers-tls/02-assert.yaml @@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: opentelemetry-collector + labels: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector +spec: + selector: + matchLabels: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector +status: + readyReplicas: 1 + +--- +apiVersion: v1 +kind: Service +metadata: + name: opentelemetry-collector +spec: + type: ClusterIP + ports: + - name: otlp + port: 4317 + targetPort: 4317 + protocol: TCP + appProtocol: grpc + - name: otlp-http + port: 4318 + targetPort: 4318 + protocol: TCP + selector: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector diff --git a/tests/e2e/monolithic-receivers-tls/02-install-otel.yaml b/tests/e2e/monolithic-receivers-tls/02-install-otel.yaml new file mode 100644 index 000000000..b71d87ee9 --- /dev/null +++ b/tests/e2e/monolithic-receivers-tls/02-install-otel.yaml 
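Review bot: The TempoMonolithic spec in 01-install-tempo.yaml sets only `certName: custom-cert` on both receivers and never references the `custom-ca` ConfigMap, so this e2e run exercises the Secret de-duplication in MountCertSecret but not the ConfigMap path in MountCAConfigMap. Covering the CA path would presumably also require the collector to present a client certificate, so it may be better suited to a separate test case. The certificate, CA and private key are static fixtures committed with the test; the CA's validity appears to end in 2027 (read from the encoded dates, please verify), after which the test would fail without any code change. Generating the material in a setup step would avoid both the expiry and keeping a private key in the repository.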
@@ -0,0 +1,126 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: opentelemetry-collector-configmap +data: + config: | + exporters: + otlp: + endpoint: tempo-simplest:4317 + tls: + insecure: false + ca_file: "/var/run/tls/receiver/ca/service-ca.crt" + otlphttp: + endpoint: https://tempo-simplest:4318 + tls: + insecure: false + ca_file: "/var/run/tls/receiver/ca/service-ca.crt" + receivers: + otlp/grpc: + protocols: + grpc: + otlp/http: + protocols: + http: + extensions: + health_check: + service: + extensions: [health_check] + telemetry: + logs: + level: "DEBUG" + development: true + encoding: "json" + pipelines: + traces/grpc: + receivers: [otlp/grpc] + exporters: [otlp] + traces/http: + receivers: [ otlp/http ] + exporters: [ otlphttp ] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: opentelemetry-collector + labels: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector + template: + metadata: + labels: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector + spec: + containers: + - name: opentelemetry-collector + command: + - /otelcol-contrib + - --config=/conf/config.yaml + image: "otel/opentelemetry-collector-contrib:0.82.0" + ports: + - name: otlp + containerPort: 4317 + protocol: TCP + - name: otlp-http + containerPort: 4318 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: 13133 + readinessProbe: + httpGet: + path: / + port: 13133 + resources: + limits: + memory: 200Mi + volumeMounts: + - mountPath: /conf + name: opentelemetry-collector-configmap + - mountPath: /var/run/tls/receiver/ca + name: custom-ca + readOnly: true + volumes: + - configMap: + defaultMode: 420 + name: custom-ca + name: custom-ca + - name: 
opentelemetry-collector-configmap + configMap: + name: opentelemetry-collector-configmap + items: + - key: config + path: config.yaml +--- +apiVersion: v1 +kind: Service +metadata: + name: opentelemetry-collector +spec: + type: ClusterIP + ports: + - name: otlp + port: 4317 + targetPort: 4317 + protocol: TCP + appProtocol: grpc + - name: otlp-http + port: 4318 + targetPort: 4318 + protocol: TCP + selector: + app.kubernetes.io/name: otelcol + app.kubernetes.io/instance: opentelemetry + component: standalone-collector diff --git a/tests/e2e/monolithic-receivers-tls/03-assert.yaml b/tests/e2e/monolithic-receivers-tls/03-assert.yaml new file mode 100644 index 000000000..82bfacfd2 --- /dev/null +++ b/tests/e2e/monolithic-receivers-tls/03-assert.yaml @@ -0,0 +1,8 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-http +status: + conditions: + - status: "True" + type: Complete diff --git a/tests/e2e/monolithic-receivers-tls/03-generate-traces.yaml b/tests/e2e/monolithic-receivers-tls/03-generate-traces.yaml new file mode 100644 index 000000000..afe532cae --- /dev/null +++ b/tests/e2e/monolithic-receivers-tls/03-generate-traces.yaml @@ -0,0 +1,36 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-grpc +spec: + template: + spec: + containers: + - name: telemetrygen + image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0 + args: + - traces + - --otlp-endpoint=opentelemetry-collector:4317 + - --service=grpc + - --otlp-insecure + - --traces=10 + restartPolicy: Never +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: generate-traces-http +spec: + template: + spec: + containers: + - name: telemetrygen + image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0 + args: + - traces + - --otlp-endpoint=opentelemetry-collector:4318 + - --otlp-http + - --otlp-insecure + - --service=http + - --traces=10 + restartPolicy: Never 
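Review bot: 03-assert.yaml waits only for the `generate-traces-http` Job, although 03-generate-traces.yaml also creates `generate-traces-grpc`. Step 04 can therefore start querying before the gRPC generator has finished, and a gRPC-side failure only surfaces later as a trace-count mismatch. Add a second document asserting `type: Complete` for `generate-traces-grpc`, mirroring the pair of Jobs asserted in 04-assert.yaml.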
diff --git a/tests/e2e/monolithic-receivers-tls/04-assert.yaml b/tests/e2e/monolithic-receivers-tls/04-assert.yaml
new file mode 100644
index 000000000..1178bc292
--- /dev/null
+++ b/tests/e2e/monolithic-receivers-tls/04-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: verify-traces-http
+status:
+ conditions:
+ - status: "True"
+ type: Complete
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: verify-traces-grpc
+status:
+ conditions:
+ - status: "True"
+ type: Complete
diff --git a/tests/e2e/monolithic-receivers-tls/04-verify-traces.yaml b/tests/e2e/monolithic-receivers-tls/04-verify-traces.yaml
new file mode 100644
index 000000000..66c749768
--- /dev/null
+++ b/tests/e2e/monolithic-receivers-tls/04-verify-traces.yaml
@@ -0,0 +1,47 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: verify-traces-http
+spec:
+ template:
+ spec:
+ containers:
+ - name: verify-traces
+ image: ghcr.io/grafana/tempo-operator/test-utils:main
+ command:
+ - /bin/bash
+ - -eux
+ - -c
+ args:
+ - |
+ curl -v -G http://tempo-simplest-jaegerui:16686/api/traces --data-urlencode "service=http" | tee /tmp/jaeger.out
+ num_traces=$(jq ".data | length" /tmp/jaeger.out)
+ if [[ "$num_traces" -ne 10 ]]; then
+ echo && echo "The Jaeger API returned $num_traces instead of 10 traces."
+ exit 1
+ fi
+ restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: verify-traces-grpc
+spec:
+ template:
+ spec:
+ containers:
+ - name: verify-traces
+ image: ghcr.io/grafana/tempo-operator/test-utils:main
+ command:
+ - /bin/bash
+ - -eux
+ - -c
+ args:
+ - |
+ curl -v -G http://tempo-simplest-jaegerui:16686/api/traces --data-urlencode "service=grpc" | tee /tmp/jaeger.out
+ num_traces=$(jq ".data | length" /tmp/jaeger.out)
+ if [[ "$num_traces" -ne 10 ]]; then
+ echo && echo "The Jaeger API returned $num_traces instead of 10 traces."
+ exit 1
+ fi
+ restartPolicy: Never
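Review bot: Both verify Jobs in 04-verify-traces.yaml pull `ghcr.io/grafana/tempo-operator/test-utils:main`, a floating tag, so the outcome depends on whatever image was last pushed under that name. Pinning to a version tag or digest, as the telemetrygen image in step 03 is pinned to `v0.92.0`, makes runs reproducible; if `:main` is the convention across the other e2e suites this can stay. The script runs with `-eux` but without `-o pipefail`, so a failing `curl` in `curl ... | tee` is only caught indirectly when `jq` reads the output file.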
diff --git a/tests/e2e/monolithic-receivers-tls/chainsaw-test.yaml b/tests/e2e/monolithic-receivers-tls/chainsaw-test.yaml
new file mode 100755
index 000000000..7b7ee1042
--- /dev/null
+++ b/tests/e2e/monolithic-receivers-tls/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: monolithic-receivers-tls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 01-install-tempo.yaml
+ - assert:
+ file: 01-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: 02-install-otel.yaml
+ - assert:
+ file: 02-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 03-generate-traces.yaml
+ - assert:
+ file: 03-assert.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: 04-verify-traces.yaml
+ - assert:
+ file: 04-assert.yaml