OpenTelemetry OTLP traces #390

Merged
merged 1 commit into from
Apr 11, 2023

Conversation

@guicassolato (Collaborator) commented Mar 31, 2023

Replaces Jaeger Thrift integration with OpenTelemetry OTLP.

  • Server command-line --tracing-service-endpoint now requires 'rpc' or 'http' URL scheme and builds the client accordingly
  • New server command-line option: --tracing-service-insecure=bool - disable TLS for the tracing service connection (default: false)

Verification steps

Scenario  Collector                Protocol  TLS  Auth
1         Jaeger                   RPC       NO   None
2         Jaeger                   HTTP      NO   None
3         OpenTelemetry Collector  RPC       NO   None
4         OpenTelemetry Collector  RPC       NO   BasicAuth
5         OpenTelemetry Collector  RPC       YES  None
6         OpenTelemetry Collector  RPC       YES  BasicAuth
7         OpenTelemetry Collector  HTTP      NO   None
8         OpenTelemetry Collector  HTTP      NO   BasicAuth
9         OpenTelemetry Collector  HTTP      YES  None
10        OpenTelemetry Collector  HTTP      YES  BasicAuth

For each test scenario above, you need to run the Authorino server locally passing the command-line arguments that will activate the configuration, and then send at least one request to the server.

In some cases, one or more setup steps are required before running the Authorino server and sending requests. These include deploying and/or configuring the tracing collector service.

To send requests to Authorino, use the following grpcurl command:

grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{
  "attributes": {
    "request": {
      "http": {
        "host": "localhost"
      }
    }
  }
}
EOF

Authorino will respond with the auto-generated request ID, which can be checked in the Jaeger UI (authorino.request_id tag).

Setup

Setup the cluster and build the server:

make cluster install build

Create an AuthConfig:

kubectl apply -f -<<EOF
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: authconfig
spec:
  hosts: ["localhost"]
  response:
  - name: x-auth-data
    json:
      properties:
      - name: request_id
        valueFrom:
          authJSON: context.request.http.id
EOF

Execution of the scenarios

The order of execution of the scenarios was arranged to reduce the number of steps required for setting up/reconfiguring the tracing collector services.

❶ Integration with Jaeger

Deploy Jaeger:

kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino-examples/main/tracing/jaeger.yaml
kubectl port-forward deployment/jaeger 14251:14251 2>&1 >/dev/null &
kubectl port-forward deployment/jaeger 9412:9412 2>&1 >/dev/null &
kubectl port-forward deployment/jaeger 16686:16686 2>&1 >/dev/null &
firefox -private-window "http://localhost:16686"

For each scenario below, run Authorino, send a request and check the trace in the Jaeger UI:

  • Scenario 1 (protocol: rpc, tls: no, auth: none)
    bin/authorino server --tracing-service-endpoint="rpc://localhost:14251" --tracing-service-insecure=true
  • Scenario 2 (protocol: http, tls: no, auth: none)
    bin/authorino server --tracing-service-endpoint="http://localhost:9412" --tracing-service-insecure=true

❷ Integration via OpenTelemetry Collector → Jaeger (without TLS/auth)

Deploy OpenTelemetry Collector:

kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino-examples/main/tracing/opentelemetry-collector.yaml
kubectl port-forward deployment/otel-collector 4317:4317 2>&1 >/dev/null &
kubectl port-forward deployment/otel-collector 4318:4318 2>&1 >/dev/null &

For each scenario below, run Authorino, send a request and check the trace in the Jaeger UI:

  • Scenario 3 (protocol: rpc, tls: no, auth: none)
    bin/authorino server --tracing-service-endpoint="rpc://localhost:4317" --tracing-service-insecure=true
  • Scenario 7 (protocol: http, tls: no, auth: none)
    bin/authorino server --tracing-service-endpoint="http://localhost:4318" --tracing-service-insecure=true

❸ Integration via OpenTelemetry Collector → Jaeger (with TLS/auth)

Generate the TLS certificate for the OpenTelemetry Collector server:

make cert-manager
curl -S https://raw.githubusercontent.com/Kuadrant/authorino-examples/main/tracing/opentelemetry-collector-certs.yaml | \
  sed 's/\$(NAMESPACE)/default/;s/dnsNames:/dnsNames:\n  - localhost/' | kubectl apply -f -

Add the OpenTelemetry CA certificate to the chain of trusted certs:

kubectl get secret/otel-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/otel-ca-cert.crt
  • On Linux, in the same shell where you then run the Authorino server:
    export SSL_CERT_FILE=/tmp/otel-ca-cert.crt
  • On MacOS:
    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/otel-ca-cert.crt

Redeploy OpenTelemetry Collector with TLS and basic auth enabled:

kubectl apply -f https://raw.githubusercontent.com/Kuadrant/authorino-examples/main/tracing/opentelemetry-collector-tls-basicauth.yaml
ps ax | grep 'kubectl port-forward deployment/otel-collector' | grep -v 'grep' | awk '{print $1}' | xargs kill
kubectl port-forward deployment/otel-collector 4317:4317 2>&1 >/dev/null &
kubectl port-forward deployment/otel-collector 4318:4318 2>&1 >/dev/null &

For each scenario below, run Authorino, send a request and check the trace in the Jaeger UI:

  • Scenario 6 (protocol: rpc, tls: yes, auth: basic)
    bin/authorino server --tracing-service-endpoint="rpc://otel:secret@localhost:4317"
  • Scenario 10 (protocol: http, tls: yes, auth: basic)
    bin/authorino server --tracing-service-endpoint="http://otel:secret@localhost:4318"
    
❹ Integration via OpenTelemetry Collector → Jaeger (with TLS, without auth)

Edit configmap/otel-collector-conf, commenting out the auth: {…} properties under receiver.otlp.protocols:

kubectl edit configmap/otel-collector-conf

Redeploy OpenTelemetry Collector:

kubectl rollout restart deployment/otel-collector
ps ax | grep 'kubectl port-forward deployment/otel-collector' | grep -v 'grep' | awk '{print $1}' | xargs kill
kubectl port-forward deployment/otel-collector 4317:4317 2>&1 >/dev/null &
kubectl port-forward deployment/otel-collector 4318:4318 2>&1 >/dev/null &

For each scenario below, run Authorino, send a request and check the trace in the Jaeger UI:

  • Scenario 5 (protocol: rpc, tls: yes, auth: none)
    bin/authorino server --tracing-service-endpoint="rpc://localhost:4317"
  • Scenario 9 (protocol: http, tls: yes, auth: none)
    bin/authorino server --tracing-service-endpoint="http://localhost:4318"

❺ Integration via OpenTelemetry Collector → Jaeger (without TLS, with auth)

Edit configmap/otel-collector-conf, uncommenting the tls: {…} properties and commenting out the auth: {…} ones under receiver.otlp.protocols:

kubectl edit configmap/otel-collector-conf

Redeploy OpenTelemetry Collector:

kubectl rollout restart deployment/otel-collector
ps ax | grep 'kubectl port-forward deployment/otel-collector' | grep -v 'grep' | awk '{print $1}' | xargs kill
kubectl port-forward deployment/otel-collector 4317:4317 2>&1 >/dev/null &
kubectl port-forward deployment/otel-collector 4318:4318 2>&1 >/dev/null &

For each scenario below, run Authorino, send a request and check the trace in the Jaeger UI:

  • Scenario 4 (protocol: rpc, tls: no, auth: basic)
    bin/authorino server --tracing-service-endpoint="rpc://otel:secret@localhost:4317" --tracing-service-insecure=true
  • Scenario 8 (protocol: http, tls: no, auth: basic)
    bin/authorino server --tracing-service-endpoint="http://otel:secret@localhost:4318" --tracing-service-insecure=true

* New server command-line option `--tracing-service-insecure=bool` - disable TLS for the tracing service connection (default: false)
* Server command-line `--tracing-service-endpoint` now parses 'rpc' or 'http' URL scheme and establishes connection accordingly
@guicassolato guicassolato self-assigned this Mar 31, 2023
@guicassolato guicassolato requested a review from a team April 3, 2023 10:54
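The endpoint handling the PR describes (an 'rpc' or 'http' URL scheme selecting OTLP/gRPC or OTLP/HTTP, user:password in the URL supplying basic auth, and --tracing-service-insecure turning off TLS), as an added Go example. This is not Authorino's code: the function names, the TracingConfig type, the fallback to the conventional OTLP ports 4317/4318 when the URL carries no port, and the Warnings/RedactEndpoint helpers are assumptions made for the illustration. It resolves the endpoint values used in the scenarios above and flags the combination scenarios 4 and 8 exercise (basic auth with TLS disabled), where the credentials travel in cleartext; it also shows stripping the password before the endpoint is logged, since the raw flag value is visible in ps output either way.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Protocol is the OTLP transport selected by the endpoint URL scheme.
type Protocol string

const (
	ProtocolGRPC Protocol = "grpc" // "rpc://" endpoints
	ProtocolHTTP Protocol = "http" // "http://" endpoints
)

// TracingConfig is what an OTLP exporter would be built from (illustrative type).
type TracingConfig struct {
	Protocol Protocol
	Endpoint string            // host:port without scheme or userinfo
	Insecure bool              // plaintext transport, i.e. TLS disabled
	Headers  map[string]string // request headers, e.g. Authorization
}

// Assumed defaults when the URL has no port: the conventional OTLP ports.
// Whether Authorino applies the same defaults is not stated in the PR.
var defaultPorts = map[Protocol]string{ProtocolGRPC: "4317", ProtocolHTTP: "4318"}

var ErrScheme = errors.New("tracing endpoint: URL scheme must be 'rpc' or 'http'")

// ParseTracingEndpoint resolves a --tracing-service-endpoint value plus the
// --tracing-service-insecure flag into an exporter configuration.
func ParseTracingEndpoint(raw string, insecure bool) (*TracingConfig, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("tracing endpoint: %w", err)
	}
	cfg := &TracingConfig{Insecure: insecure, Headers: map[string]string{}}
	switch u.Scheme {
	case "rpc":
		cfg.Protocol = ProtocolGRPC
	case "http":
		cfg.Protocol = ProtocolHTTP
	default:
		return nil, fmt.Errorf("%w, got %q", ErrScheme, u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, errors.New("tracing endpoint: missing host")
	}
	port := u.Port()
	if port == "" {
		port = defaultPorts[cfg.Protocol]
	}
	cfg.Endpoint = net.JoinHostPort(u.Hostname(), port)
	// user:password in the URL becomes an HTTP Basic Authorization header;
	// url.Parse has already percent-decoded both parts.
	if u.User != nil {
		password, _ := u.User.Password()
		creds := u.User.Username() + ":" + password
		cfg.Headers["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
	}
	return cfg, nil
}

// Warnings lists combinations a deployment should not ship with: Basic auth
// over a plaintext connection exposes the credentials to anyone on the path.
func Warnings(cfg *TracingConfig) []string {
	var w []string
	if _, hasAuth := cfg.Headers["Authorization"]; hasAuth && cfg.Insecure {
		w = append(w, "basic auth credentials will be sent in cleartext: TLS is disabled")
	}
	return w
}

// RedactEndpoint drops the password so the endpoint can be logged safely.
func RedactEndpoint(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	u.User = url.User(u.User.Username())
	return u.String()
}

func main() {
	// Endpoint values taken from the verification scenarios in the PR description,
	// plus one invalid scheme to show the rejection path.
	scenarios := []struct {
		name, endpoint string
		insecure       bool
	}{
		{"1", "rpc://localhost:14251", true},
		{"4", "rpc://otel:secret@localhost:4317", true},
		{"6", "rpc://otel:secret@localhost:4317", false},
		{"10", "http://otel:secret@localhost:4318", false},
		{"bad", "jaeger://localhost:14251", false},
	}
	for _, s := range scenarios {
		cfg, err := ParseTracingEndpoint(s.endpoint, s.insecure)
		if err != nil {
			fmt.Printf("scenario %s: %v\n", s.name, err)
			continue
		}
		fmt.Printf("scenario %s: %s %s insecure=%t auth=%t warnings=%v (logged as %s)\n",
			s.name, cfg.Protocol, cfg.Endpoint, cfg.Insecure,
			cfg.Headers["Authorization"] != "", Warnings(cfg), RedactEndpoint(s.endpoint))
	}
}
```

The example stops at building the configuration; it does not open a connection, so the TLS scenarios' dependency on the collector CA being trusted by the process (the SSL_CERT_FILE or keychain step above) is left to the real exporter.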
@eguzki (Collaborator) commented Apr 6, 2023

Verification tests run locally:

  • Scenario 1 (protocol: rpc, tls: no, auth: none)
  • Scenario 2 (protocol: http, tls: no, auth: none)
  • Scenario 3 (protocol: rpc, tls: no, auth: none)
  • Scenario 4 (protocol: rpc, tls: no, auth: basic)
  • Scenario 5 (protocol: rpc, tls: yes, auth: none)
  • Scenario 6 (protocol: rpc, tls: yes, auth: basic)
  • Scenario 7 (protocol: http, tls: no, auth: none)
  • Scenario 8 (protocol: http, tls: no, auth: basic)
  • Scenario 9 (protocol: http, tls: yes, auth: none)
  • Scenario 10 (protocol: http, tls: yes, auth: basic)

@eguzki (Collaborator) commented Apr 6, 2023

From https://www.jaegertracing.io/docs/1.43/apis/#opentelemetry-protocol-stable

Since v1.35, the Jaeger backend can receive trace data from the OpenTelemetry SDKs in their native [OpenTelemetry Protocol (OTLP)](https://opentelemetry.io/docs/reference/specification/protocol/). It is no longer necessary to configure the OpenTelemetry SDKs with Jaeger exporters, nor deploy the OpenTelemetry Collectors between the OpenTelemetry SDKs and the Jaeger backend.

@eguzki (Collaborator) commented Apr 6, 2023

For the scenarios 5 and 9 it says: Edit configmap/otel-collector-conf commenting the tls: {…} properties under receiver.otlp.protocols:. Since it is about TLS on and AUTH off, it should be about commenting out auth, right?

@guicassolato guicassolato merged commit ee10686 into main Apr 11, 2023
@guicassolato guicassolato deleted the otlp-trace-exporter branch April 11, 2023 07:58