Merge pull request #85 from kube-logging/secret-auth

feat: add possibility to inject auth info from secrets

Makefile

@@ -65,6 +65,7 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./api/..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role paths="./internal/controller/telemetry/..." output:rbac:artifacts:config=./config/rbac
 	cp config/crd/bases/* charts/telemetry-controller/crds/
 
 .PHONY: generate

api/telemetry/v1alpha1/otlp_config.go

@@ -110,7 +110,7 @@ type GRPCClientConfig struct {
 	Authority string `json:"authority,omitempty" yaml:"authority,omitempty"`
 
 	// Auth configuration for outgoing RPCs.
-	Auth string `json:"auth,omitempty" yaml:"auth,omitempty"` //TODO this is a reference *configauth.Authentication
+	Auth *Authentication `json:"auth,omitempty" yaml:"auth,omitempty"`
 }
 
 // TLSClientSetting contains TLS configurations that are specific to client
@@ -174,6 +174,11 @@ type TLSSetting struct {
 	ReloadInterval time.Duration `json:"reload_interval,omitempty" yaml:"reload_interval,omitempty"`
 }
 
+type Authentication struct {
+	// AuthenticatorID specifies the name of the extension to use in order to authenticate the incoming data point.
+	AuthenticatorID string `json:"authenticator,omitempty"`
+}
+
 // ClientConfig defines settings for creating an HTTP client.
 type HTTPClientConfig struct {
 	// The target URL to send data to (e.g.: http://some.url:9411/v1/traces).
@@ -200,7 +205,7 @@ type HTTPClientConfig struct {
 	Headers map[string]configopaque.String `json:"headers,omitempty" yaml:"headers,omitempty"`
 
 	// Auth configuration for outgoing HTTP calls.
-	Auth string `json:"auth,omitempty" yaml:"auth,omitempty"` //TODO this is a reference *configauth.Authentication
+	Auth Authentication `json:"auth,omitempty" yaml:"auth,omitempty"`
 
 	// The compression key for supported compression types within collector.
 	Compression configcompression.Type `json:"compression,omitempty" yaml:"compression,omitempty"`

api/telemetry/v1alpha1/output_types.go

@@ -17,6 +17,8 @@ package v1alpha1
 import (
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -28,9 +30,26 @@ type OutputSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	OTLPGRPC      *OTLPGRPC      `json:"otlp,omitempty"`
-	Fluentforward *Fluentforward `json:"fluentforward,omitempty"`
-	OTLPHTTP      *OTLPHTTP      `json:"otlphttp,omitempty"`
+	OTLPGRPC       *OTLPGRPC      `json:"otlp,omitempty"`
+	Fluentforward  *Fluentforward `json:"fluentforward,omitempty"`
+	OTLPHTTP       *OTLPHTTP      `json:"otlphttp,omitempty"`
+	Authentication *OutputAuth    `json:"authentication,omitempty"`
+}
+
+type OutputAuth struct {
+	BasicAuth  *BasicAuthConfig  `json:"basicauth,omitempty"`
+	BearerAuth *BearerAuthConfig `json:"bearerauth,omitempty"`
+}
+
+type BasicAuthConfig struct {
+	SecretRef     *corev1.SecretReference `json:"secretRef,omitempty"`
+	UsernameField string                  `json:"usernameField,omitempty"`
+	PasswordField string                  `json:"passwordField,omitempty"`
+}
+
+type BearerAuthConfig struct {
+	SecretRef  *corev1.SecretReference `json:"secretRef,omitempty"`
+	TokenField string                  `json:"tokenField,omitempty"`
 }
 
 // OTLP grpc exporter config ref: https://github.com/open-telemetry/opentelemetry-collector/blob/main/exporter/otlpexporter/config.go

charts/telemetry-controller/crds/telemetry.kube-logging.dev_outputs.yaml

@@ -41,6 +41,51 @@ spec:
           spec:
             description: OutputSpec defines the desired state of Output
             properties:
+              authentication:
+                properties:
+                  basicauth:
+                    properties:
+                      passwordField:
+                        type: string
+                      secretRef:
+                        description: |-
+                          SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                          in any namespace
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      usernameField:
+                        type: string
+                    type: object
+                  bearerauth:
+                    properties:
+                      secretRef:
+                        description: |-
+                          SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                          in any namespace
+                        properties:
+                          name:
+                            description: name is unique within a namespace to reference
+                              a secret resource.
+                            type: string
+                          namespace:
+                            description: namespace defines the space within which
+                              the secret name must be unique.
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      tokenField:
+                        type: string
+                    type: object
+                type: object
               fluentforward:
                 properties:
                   compress_gzip:
@@ -207,7 +252,12 @@ spec:
                 properties:
                   auth:
                     description: Auth configuration for outgoing RPCs.
-                    type: string
+                    properties:
+                      authenticator:
+                        description: AuthenticatorID specifies the name of the extension
+                          to use in order to authenticate the incoming data point.
+                        type: string
+                    type: object
                   authority:
                     description: |-
                       WithAuthority parameter configures client to rewrite ":authority" header
@@ -405,7 +455,12 @@ spec:
                 properties:
                   auth:
                     description: Auth configuration for outgoing HTTP calls.
-                    type: string
+                    properties:
+                      authenticator:
+                        description: AuthenticatorID specifies the name of the extension
+                          to use in order to authenticate the incoming data point.
+                        type: string
+                    type: object
                   compression:
                     description: The compression key for supported compression types
                       within collector.

charts/telemetry-controller/templates/rbac.yaml

@@ -50,6 +50,7 @@ rules:
       - namespaces
       - nodes
       - nodes/proxy
+      - secrets
     verbs:
       - get
       - list