Remote otel collector configuration #934

Merged: 1 commit merged into kubewarden:main on Dec 12, 2024
Conversation

@jvanz (Member) commented Dec 6, 2024

Description

Updates the collector to allow communication with a remote OpenTelemetry collector. Also updates the policy server reconciler to replicate the same configuration in the policy server deployment, enabling it to send data to the same remote Otel collector.

Fixes #933

Tests

Warning

This PR was tested together with the corresponding Helm chart changes.

Create a simple cluster with the required dependencies:

```sh
k3d cluster create

helm repo add jetstack https://charts.jetstack.io --force-update
helm upgrade -i --wait cert-manager jetstack/cert-manager \
        -n cert-manager --create-namespace \
        --set crds.enabled=true

helm repo add --force-update open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
helm upgrade -i --wait my-opentelemetry-operator open-telemetry/opentelemetry-operator \
        --set "manager.collectorImage.repository=otel/opentelemetry-collector-contrib" \
        -n open-telemetry --create-namespace
```

I've tested these changes with this Otel collector configuration:

```yaml
# cert-manager resources
# Client identity that the policy server presents to the collector. With a
# selfSigned issuer cert-manager also writes the leaf certificate into ca.crt,
# so the collector below ends up trusting exactly this certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-client-certificate
  namespace: kubewarden
spec:
  dnsNames:
  - my-collector-collector.kubewarden.svc
  - my-collector-collector.kubewarden.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: my-client-selfsigned-issuer
  secretName: my-client-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-client-selfsigned-issuer
  namespace: kubewarden
spec:
  selfSigned: {}
---
# Server identity of the collector; the dnsNames must match the Service name
# that clients put in their OTLP endpoint.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: kubewarden
spec:
  dnsNames:
  - my-collector-collector.kubewarden.svc
  - my-collector-collector.kubewarden.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: my-selfsigned-issuer
  secretName: my-server-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-selfsigned-issuer
  namespace: kubewarden
spec:
  selfSigned: {}
---
apiVersion: opentelemetry.io/v1beta1
kind: OpenTelemetryCollector
metadata:
  name: my-collector
  namespace: kubewarden
spec:
  mode: deployment # This configuration is omittable.
  volumes:
    - name: server-certificate
      secret:
        secretName: my-server-cert
    - name: client-certificate
      secret:
        secretName: my-client-cert
  volumeMounts:
    - name: server-certificate
      mountPath: /tmp/etc/ssl/certs/my-server-cert
      readOnly: true
    - name: client-certificate
      mountPath: /tmp/etc/ssl/certs/my-client-cert
      readOnly: true
  config:
    receivers:
      otlp:
        protocols:
          grpc:
            tls:
              cert_file: /tmp/etc/ssl/certs/my-server-cert/tls.crt
              key_file: /tmp/etc/ssl/certs/my-server-cert/tls.key
              # Setting client_ca_file makes a client certificate mandatory
              # (mutual TLS): connections that do not present one signed by
              # this CA are rejected during the handshake.
              client_ca_file: /tmp/etc/ssl/certs/my-client-cert/ca.crt
              # ca_file: /tmp/etc/ssl/certs/my-server-cert/ca.crt
              # client_ca_file_reload: true
    processors: {}
    exporters:
      debug:
        verbosity: normal
      prometheus:
        endpoint: ":8080"
    service:
      pipelines:
        metrics:
          receivers: [otlp]
          processors: []
          exporters: [debug, prometheus]
        traces:
          receivers: [otlp]
          processors: []
          exporters: [debug]
```
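The receiver's `tls` block above turns on mutual TLS: `cert_file`/`key_file` give the collector its identity and `client_ca_file` makes a client certificate mandatory, verified against that CA. The Go program below is an added example, not part of this PR or of the kubewarden project; it reproduces that behaviour with `crypto/tls` over an in-memory pipe. It issues self-signed certificates the way cert-manager's selfSigned issuer does (the leaf doubles as the CA), then dials the collector side three times: without a client certificate, with one from an issuer the collector does not trust, and with the trusted one. The host name `my-collector-collector.kubewarden.svc` is taken from the manifest; all function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Assumed service name; it matches the dnsNames in the manifest above.
const collectorHost = "my-collector-collector.kubewarden.svc"

// selfSigned issues a certificate the way a cert-manager selfSigned Issuer
// does: the leaf written to tls.crt is also what lands in ca.crt, so trusting
// "the CA" pins exactly this certificate. Key generation only fails on a
// broken entropy source, so that case panics.
func selfSigned(cn string, dns []string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// collectorTLS is the Go equivalent of the receiver's tls block: cert_file and
// key_file are the server identity; client_ca_file makes a client certificate
// mandatory and fixes the issuer it must chain to.
func collectorTLS(server tls.Certificate, clientCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	return &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// connect performs one handshake over an in-memory pipe and returns nil only
// if the collector side accepted the client and answered it.
func connect(serverCfg *tls.Config, serverCA *x509.Certificate, client *tls.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: collectorHost, MinVersion: tls.VersionTLS12}
	if client != nil {
		clientCfg.Certificates = []tls.Certificate{*client}
	}
	clientEnd, serverEnd := net.Pipe()
	clientEnd.SetDeadline(time.Now().Add(5 * time.Second))
	serverEnd.SetDeadline(time.Now().Add(5 * time.Second))
	defer clientEnd.Close() // raw closes: no close_notify exchange over the synchronous pipe
	go func() {
		defer serverEnd.Close()
		srv := tls.Server(serverEnd, serverCfg)
		if err := srv.Handshake(); err != nil {
			return // the rejection alert has already been written to the client
		}
		srv.Write([]byte("ok"))
	}()
	conn := tls.Client(clientEnd, clientCfg)
	if err := conn.Handshake(); err != nil {
		return err
	}
	// Under TLS 1.3 the client's handshake completes before the server has
	// judged its certificate, so a rejection only surfaces on the first read.
	buf := make([]byte, 2)
	if _, err := io.ReadFull(conn, buf); err != nil {
		return err
	}
	return nil
}

// Scenario records three dials: no client certificate, a certificate from an
// issuer the collector does not trust, and the one it does trust.
type Scenario struct{ NoCert, WrongCert, GoodCert error }

// RunScenario is the entry point; only GoodCert should come back nil.
func RunScenario() Scenario {
	serverCert, serverCA := selfSigned("collector", []string{collectorHost})
	clientCert, clientCA := selfSigned("policy-server", nil)
	strangerCert, _ := selfSigned("stranger", nil)
	cfg := collectorTLS(serverCert, clientCA)
	return Scenario{
		NoCert:    connect(cfg, serverCA, nil),
		WrongCert: connect(cfg, serverCA, &strangerCert),
		GoodCert:  connect(cfg, serverCA, &clientCert),
	}
}

func main() {
	s := RunScenario()
	fmt.Printf("no cert: %v\nuntrusted cert: %v\ntrusted cert: %v\n", s.NoCert, s.WrongCert, s.GoodCert)
}
```

The practical consequence for the policy server is the third case: it must be handed a certificate and key issued by whatever `client_ca_file` points to, which is why the reconciler in this PR mounts the secret into the policy server pod rather than only configuring the endpoint.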

@jvanz jvanz self-assigned this Dec 6, 2024

codecov bot commented Dec 6, 2024

Codecov Report

Attention: Patch coverage is 3.09278% with 94 lines in your changes missing coverage. Please review.

Project coverage is 67.35%. Comparing base (1eca73e) to head (9b4ddd0).
Report is 2 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...l/controller/policyserver_controller_deployment.go | 3.19% | 89 Missing and 2 partials |
| internal/metrics/metrics.go | 0.00% | 3 Missing |

Additional details and impacted files

```
@@            Coverage Diff             @@
##             main     #934      +/-   ##
==========================================
- Coverage   69.44%   67.35%   -2.09%     
==========================================
  Files          30       30              
  Lines        3040     3128      +88     
==========================================
- Hits         2111     2107       -4     
- Misses        763      852      +89     
- Partials      166      169       +3     
```

| Flag | Coverage Δ |
|---|---|
| integration-tests | 56.59% <3.09%> (-1.79%) |
| unit-tests | 40.41% <0.00%> (ø) |

Resolved (outdated) review threads: cmd/main.go (4), internal/controller/policyserver_controller.go (1), internal/controller/policyserver_controller_deployment.go (4).
@@ -86,7 +89,10 @@ func main() {
"Enable metrics collection for all Policy Servers and the Kubewarden Controller")
flag.BoolVar(&enableTracing, "enable-tracing", false,
"Enable tracing collection for all Policy Servers")
flag.StringVar(&openTelemetryEndpoint, "opentelemetry-endpoint", "127.0.0.1:4317", "The OpenTelemetry connection endpoint")
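Review bot: the help string for `--opentelemetry-endpoint` does not say what form the value takes. The default `127.0.0.1:4317` is a bare `host:port` on the OTLP/gRPC port, but an operator pointing this at a remote collector cannot tell from the flag whether a scheme is accepted or whether TLS is expected; consider something like `"OpenTelemetry collector endpoint as host:port (OTLP over gRPC)"`. Since the author describes this as a breaking change, the flag it replaces should also be named in the release notes so existing deployments are not left silently on the localhost default.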
@jvanz (Member, Author) commented on cmd/main.go:

This is a breaking change. But considering that we are doing a major change on how we integrate with OpenTelemetry, I think it is the right time and worth it. It will simplify the configuration and avoid confusion.

@jvanz jvanz marked this pull request as ready for review December 10, 2024 22:10
@jvanz jvanz requested a review from a team as a code owner December 10, 2024 22:10
@jvanz jvanz force-pushed the issue933 branch 2 times, most recently from 5e75bba to cebdb5b, December 11, 2024 01:44
@flavio (Member) reviewed:

It looks good. I left some minor comments, some of them are not mandatory.

Please address the linter warnings before merging the PR.

Resolved (outdated) review threads: internal/controller/policyserver_controller_deployment.go (4).
if index := envVarsContainVariable(admissionContainer.Env, envVar); index >= 0 {
admissionContainer.Env[index] = envvar
} else {
admissionContainer.Env = append(admissionContainer.Env, envvar)
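Review bot: `envVar` and `envvar` on consecutive lines are two different identifiers that differ only in case, which makes this replace-or-append easy to misread in review; rename the string to `name` (or the struct to `entry`) so that `envVarsContainVariable(admissionContainer.Env, name)` and `admissionContainer.Env[index] = entry` read unambiguously. Since the helper returns an index rather than a boolean, a name such as `indexOfEnvVar` would also describe it better than `envVarsContainVariable`.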
@flavio (Member) commented on internal/controller/policyserver_controller_deployment.go:

This is a generic reflection. I've double checked the code: we create the deployment definition by adding some default env variables and then we append the ones provided by the user via the .spec.Env list. Then we keep adding more env variables to the list if needed, like we are doing here.

Kubernetes uses a list, not a hash, to store these env variables. Hence there's the chance of the user defining variables we need to control. Should we change all the code to ensure our env variables have precedence over the ones provided by the user?

Maybe this is something to be done in another PR.

What do you think @kubewarden/kubewarden-developers?

@jvanz (Member, Author) replied:

Yes, I was thinking about that as well. Another option is to add some validation in the webhook to prevent users from deploying a policy server with a configuration that can cause issues. Therefore, we can at least tell them why the controller cannot deploy the policy server, instead of allowing them to deploy and notice afterwards that something is not working as they expected.
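One way to make the precedence rule discussed in this thread explicit, as an added example rather than code from the kubewarden controller: assemble the container environment so that controller-managed variables are applied last and therefore win, and have a webhook-style check reject a `.spec.env` that names one of them. `EnvVar` is a stand-in for `corev1.EnvVar` so the block runs without `k8s.io/api`; `indexOfEnvVar` and `upsertEnvVar` play the role of the `envVarsContainVariable` replace-or-append shown above. The list of controller-owned names is an assumption for this example: only `OTEL_EXPORTER_OTLP_CERTIFICATE` appears in this PR, the others are the standard OTLP exporter variables.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EnvVar is a stand-in for corev1.EnvVar so the example runs without k8s.io/api.
type EnvVar struct {
	Name  string
	Value string
}

// controllerOwnedEnv lists names the controller must control. Only
// OTEL_EXPORTER_OTLP_CERTIFICATE appears in the PR; the others are the
// standard OTLP exporter variables and are assumed here for illustration.
var controllerOwnedEnv = map[string]bool{
	"OTEL_EXPORTER_OTLP_ENDPOINT":           true,
	"OTEL_EXPORTER_OTLP_CERTIFICATE":        true,
	"OTEL_EXPORTER_OTLP_CLIENT_CERTIFICATE": true,
	"OTEL_EXPORTER_OTLP_CLIENT_KEY":         true,
}

// indexOfEnvVar plays the role of envVarsContainVariable: the position of
// name in env, or -1 when absent.
func indexOfEnvVar(env []EnvVar, name string) int {
	for i, e := range env {
		if e.Name == name {
			return i
		}
	}
	return -1
}

// upsertEnvVar is the replace-or-append step from the controller: the last
// writer of a name wins, so the order of calls decides precedence.
func upsertEnvVar(env []EnvVar, v EnvVar) []EnvVar {
	if i := indexOfEnvVar(env, v.Name); i >= 0 {
		env[i] = v
		return env
	}
	return append(env, v)
}

// MergeEnv assembles the container environment: defaults first, then the
// user's .spec.env, then controller-managed values. Because the controller
// set is applied last, a user entry with the same name is overridden instead
// of shadowing it, and duplicates inside the user list collapse to one entry.
func MergeEnv(defaults, user, controller []EnvVar) []EnvVar {
	out := make([]EnvVar, 0, len(defaults)+len(user)+len(controller))
	for _, v := range defaults {
		out = upsertEnvVar(out, v)
	}
	for _, v := range user {
		out = upsertEnvVar(out, v)
	}
	for _, v := range controller {
		out = upsertEnvVar(out, v)
	}
	return out
}

// ValidateUserEnv is the admission-time counterpart: reject a PolicyServer
// whose .spec.env touches a controller-owned name, so the operator learns why
// at apply time instead of discovering a silently overridden value later.
func ValidateUserEnv(user []EnvVar) error {
	var clashes []string
	for _, v := range user {
		if controllerOwnedEnv[v.Name] {
			clashes = append(clashes, v.Name)
		}
	}
	if len(clashes) == 0 {
		return nil
	}
	sort.Strings(clashes)
	return fmt.Errorf("spec.env must not set controller-managed variables: %s", strings.Join(clashes, ", "))
}

// Lookup returns the effective value of name in env.
func Lookup(env []EnvVar, name string) (string, bool) {
	if i := indexOfEnvVar(env, name); i >= 0 {
		return env[i].Value, true
	}
	return "", false
}

func main() {
	// Constructed sample: the user tries to redirect telemetry elsewhere.
	defaults := []EnvVar{{"LOG_LEVEL", "info"}}
	user := []EnvVar{
		{"OTEL_EXPORTER_OTLP_ENDPOINT", "telemetry.attacker.example:4317"},
		{"LOG_LEVEL", "debug"},
	}
	controller := []EnvVar{{"OTEL_EXPORTER_OTLP_ENDPOINT", "my-collector-collector.kubewarden.svc:4317"}}
	fmt.Println(MergeEnv(defaults, user, controller))
	fmt.Println(ValidateUserEnv(user))
}
```

Both halves matter: `MergeEnv` guarantees the outcome even for objects that bypassed the webhook (created before it existed, or through an API path it does not cover), while `ValidateUserEnv` turns a silent override into an explicit admission error.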

Resolved (outdated) review threads: cmd/main.go (1), Tiltfile (1).

certificatePath := filepath.Dir(os.Getenv("OTEL_EXPORTER_OTLP_CERTIFICATE"))
if otelCertificateSecret != "" {
policyServerDeployment.Spec.Template.Spec.Volumes = append(policyServerDeployment.Spec.Template.Spec.Volumes, corev1.Volume{
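Review bot: `certificatePath` is computed from `OTEL_EXPORTER_OTLP_CERTIFICATE` before the `otelCertificateSecret != ""` check, and `filepath.Dir("")` returns `"."`, so when the secret is configured but the variable is unset the mount path silently becomes `.`; move the `filepath.Dir` call inside the `if` and return a reconcile error (or reject in the webhook) when the path is empty or relative. A short comment that the policy server's mount path is derived from the controller's own environment would also help, since the two must be configured together.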
@viccuad (Member) commented Dec 11, 2024 on internal/controller/policyserver_controller_deployment.go:

Does this need to be idempotent? (same for otelClientCertificateSecret).
If the values change, to me it seems that we append again, instead of removing the old ones?

A member replied:

This is idempotent, given we always start from an empty Deployment and add all the data defined inside of the PolicyServer spec, plus all the values we deem required.

@kubewarden/kubewarden-developers am I right?

A member replied:

I think you are right, I consider this resolved.
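The idempotency argument in this thread (the Deployment is rebuilt from an empty spec on every reconcile) and the `filepath.Dir(os.Getenv("OTEL_EXPORTER_OTLP_CERTIFICATE"))` line above are easy to check in isolation. The Go below is an added example, not the controller's code: `Volume`, `VolumeMount` and `PodSpec` are minimal stand-ins for the corev1 types, `OtelCertMount` derives the mount directory from the certificate path the way the controller does but refuses an empty or relative path (because `filepath.Dir("")` is `.`), and `BuildPodSpec` shows that rebuilding from scratch cannot leave a stale volume behind when the secret name changes. Volume names and paths are this example's own.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Minimal stand-ins for corev1.Volume, corev1.VolumeMount and the pod spec.
type Volume struct{ Name, SecretName string }
type VolumeMount struct {
	Name, MountPath string
	ReadOnly        bool
}
type PodSpec struct {
	Volumes []Volume
	Mounts  []VolumeMount
}

// CertSource pairs a secret name with the path the policy server will be told
// to read the certificate from (the value of the OTEL_EXPORTER_OTLP_* variable).
type CertSource struct{ VolumeName, SecretName, CertPath string }

// OtelCertMount derives the volume and mount for one certificate secret. The
// secret is mounted at the parent directory of the certificate path, as the
// controller does with filepath.Dir, but an empty or relative path is refused:
// filepath.Dir("") is ".", which would mount the secret over the container's
// working directory without anyone noticing.
func OtelCertMount(src CertSource) (*Volume, *VolumeMount, error) {
	if src.SecretName == "" {
		return nil, nil, nil // feature not enabled for this certificate
	}
	if src.CertPath == "" {
		return nil, nil, fmt.Errorf("secret %q configured but no certificate path set", src.SecretName)
	}
	if !filepath.IsAbs(src.CertPath) {
		return nil, nil, fmt.Errorf("certificate path %q must be absolute", src.CertPath)
	}
	vol := &Volume{Name: src.VolumeName, SecretName: src.SecretName}
	mnt := &VolumeMount{Name: src.VolumeName, MountPath: filepath.Dir(src.CertPath), ReadOnly: true}
	return vol, mnt, nil
}

// BuildPodSpec rebuilds the pod spec from scratch on every reconcile. That is
// what makes the appends idempotent: nothing from the previously applied
// Deployment is carried over, so a changed secret name cannot leave a stale
// volume behind. Two certificates resolving to the same directory are
// rejected, since Kubernetes will not mount two volumes at one path.
func BuildPodSpec(userVolumes []Volume, certs ...CertSource) (PodSpec, error) {
	spec := PodSpec{Volumes: append([]Volume(nil), userVolumes...)}
	seen := map[string]string{}
	for _, src := range certs {
		vol, mnt, err := OtelCertMount(src)
		if err != nil {
			return PodSpec{}, err
		}
		if vol == nil {
			continue
		}
		if other, dup := seen[mnt.MountPath]; dup {
			return PodSpec{}, fmt.Errorf("%s and %s both mount at %s", other, vol.Name, mnt.MountPath)
		}
		seen[mnt.MountPath] = vol.Name
		spec.Volumes = append(spec.Volumes, *vol)
		spec.Mounts = append(spec.Mounts, *mnt)
	}
	return spec, nil
}

func main() {
	// Constructed input: one user volume plus the two collector certificates.
	spec, err := BuildPodSpec(
		[]Volume{{Name: "policies", SecretName: "policies"}},
		CertSource{"otel-server-cert", "my-server-cert", "/etc/otel/server/ca.crt"},
		CertSource{"otel-client-cert", "my-client-cert", "/etc/otel/client/tls.crt"},
	)
	fmt.Println(spec, err)
}
```

The duplicate-directory check is the caveat worth keeping in mind with the real controller too: the server CA and the client certificate come from two different secrets, so the two OTLP variables must point into two different directories or the second mount will fail at pod creation.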

@flavio (Member) reviewed:

I think this looks good. Please wait for everybody's approvals before merging.

Resolved (outdated) review threads: Tiltfile (1).
@viccuad (Member) reviewed:

LGTM!

Commit message:

Updates the collector to allow the communication with a remote
OpenTelemetry collector. Also updates the policy server reconciler to
replicate the same configuration in the policy server deployment
enabling it to send data to the same remote Otel collector.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
@flavio (Member) commented Dec 12, 2024

Merging. Addressing the code coverage is tough; we will track this technical debt and address it after the 1.20 release.

@flavio flavio merged commit f503bbd into kubewarden:main Dec 12, 2024
7 of 9 checks passed
@jvanz jvanz deleted the issue933 branch December 12, 2024 14:46
Linked issue closed by this pull request: Support send data to remote Otel collector (#933)

4 participants