add auth to tier 1 and 2

Signed-off-by: MJarmo <michal.jarmolkiewicz@sap.com>

Author: MJarmo

showroom/kubectl/otel-ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: otelcol-agent-otlp
+  namespace: tier-2
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: otlp.ingress.otel-audit-log.msp06.shoot.gardener.cc-one.showroom.apeirora.eu
+    dns.gardener.cloud/ttl: "600"
+    cert.gardener.cloud/purpose: managed
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - otlp.ingress.otel-audit-log.msp06.shoot.gardener.cc-one.showroom.apeirora.eu
+      secretName: otlp-certificate
+  rules:
+    - host: otlp.ingress.otel-audit-log.msp06.shoot.gardener.cc-one.showroom.apeirora.eu
+      http:
+        paths:
+          - path: /v1/logs
+            pathType: Prefix
+            backend:
+              service:
+                name: otelcol-agent
+                port:
+                  number: 4318
+          - path: /v1/traces
+            pathType: Prefix
+            backend:
+              service:
+                name: otelcol-agent
+                port:
+                  number: 4318
+          - path: /v1/metrics
+            pathType: Prefix
+            backend:
+              service:
+                name: otelcol-agent
+                port:
+                  number: 4318

showroom/kubectl/tier-1.yaml

@@ -9,6 +9,14 @@ metadata:
   name: dice-java-otelcol-config
 data:
   config.yaml: |
+    extensions:
+      basicauth/client:
+        client_auth:
+          # TEST-ONLY: plaintext credentials in a ConfigMap are NOT production-ready.
+          # For production use a Kubernetes Secret and/or external secret store, and rotate credentials.
+          username: tier1-ingest
+          password: tier1-ingest-secret
+
     receivers:
       otlp:
         protocols:
@@ -18,31 +26,34 @@ data:
             endpoint: 0.0.0.0:4318
 
     processors:
-      batch: # used to optimize export calls in all pipelines
+      batch:
         send_batch_size: 1024
         timeout: 5s
 
     exporters:
-      otlp:
-        endpoint: log-sink.tier-3.svc.cluster.local:4317
+      otlphttp:
+        endpoint: http://otelcol-agent.tier-2.svc.cluster.local:4318
         tls:
           insecure: true
+        auth:
+          authenticator: basicauth/client
       debug:
 
     service:
+      extensions: [basicauth/client]
       pipelines:
         logs:
           receivers: [otlp]
           processors: [batch]
-          exporters: [otlp, debug]
+          exporters: [otlphttp, debug]
         metrics:
           receivers: [otlp]
           processors: [batch]
-          exporters: [otlp, debug]
+          exporters: [otlphttp, debug]
         traces:
           receivers: [otlp]
           processors: [batch]
-          exporters: [otlp, debug]
+          exporters: [otlphttp, debug]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -87,7 +98,6 @@ spec:
           image: otel/opentelemetry-collector-contrib:latest
           imagePullPolicy: Always
           args:
-            # see ConfigMap mapped as volume below
             - "--config=/etc/otelcol-contrib/config.yaml"
           ports:
             - name: otlp-grpc

showroom/kubectl/tier-2.yaml

@@ -17,14 +17,29 @@ data:
         create_directory: true
       health_check:
         endpoint: ${env:MY_POD_IP}:13133
+      basicauth/server:
+        htpasswd:
+          inline: |
+            # TEST-ONLY: plaintext htpasswd entries are NOT production-ready.
+            # For production generate a bcrypt htpasswd line (e.g. `htpasswd -nbBC 10 USER PASS`)
+            # and store it in a Kubernetes Secret (or external secret store).
+         #####
+      basicauth/client:
+        client_auth:
+          username: ${env:OPENSEARCH_USERNAME}
+          password: ${env:OPENSEARCH_PASSWORD}
 
     receivers:
       otlp:
         protocols:
           grpc:
             endpoint: 0.0.0.0:4317
+            auth:
+              authenticator: basicauth/server
           http:
             endpoint: 0.0.0.0:4318
+            auth:
+              authenticator: basicauth/server
 
     processors:
       batch:
@@ -35,24 +50,34 @@ data:
       # Export logs directly to OpenSearch in namespace 'tier-3'.
       # If your OpenSearch installation requires authentication, provide username/password
       # via Kubernetes Secret and reference them using env vars in the DaemonSet below.
-      elasticsearch:
-        endpoints: ["http://opensearch-cluster-master.tier-3.svc.cluster.local:9200"]
-        # username: "admin"
-        # password: "changeme"
+      opensearch:
+        http:
+          endpoint: https://opensearch-cluster-master.tier-3.svc.cluster.local:9200
+          tls:
+            insecure_skip_verify: true
+          auth:
+            authenticator: basicauth/client
+        logs_index: otel-logs
+        traces_index: otel-traces
         sending_queue:
           enabled: true
           storage: file_storage
-        # retry_on_failure: # FIXME elasticsearch exporter doesn't support retry_on_failure yet
-        #   enabled: true
-      debug:
+      debug/logs:
+        verbosity: detailed
+      debug/metrics:
+        verbosity: basic
 
     service:
-      extensions: [file_storage, health_check]
+      extensions: [file_storage, health_check, basicauth/server, basicauth/client]
       pipelines:
         logs:
           receivers: [otlp]
           processors: [batch]
-          exporters: [elasticsearch, debug]
+          exporters: [opensearch, debug/logs]
+        metrics:
+          receivers: [otlp]
+          processors: [batch]
+          exporters: [debug/metrics]
       telemetry:
         metrics:
           readers:
@@ -134,16 +159,16 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
             # If OpenSearch requires basic auth, you can pass credentials via env vars
-            # - name: OPENSEARCH_USERNAME
-            #   valueFrom:
-            #     secretKeyRef:
-            #       name: opensearch-credentials
-            #       key: username
-            # - name: OPENSEARCH_PASSWORD
-            #   valueFrom:
-            #     secretKeyRef:
-            #       name: opensearch-credentials
-            #       key: password
+            - name: OPENSEARCH_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: opensearch-credentials
+                  key: username
+            - name: OPENSEARCH_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: opensearch-credentials
+                  key: password
           resources:
             limits:
               memory: 256Mi
@@ -197,9 +222,7 @@ metadata:
     app: otelcol-agent
     component: otel-collector
 spec:
-  type: ClusterIP
-  internalTrafficPolicy: Local
-  clusterIP: None
+  type: LoadBalancer
   selector:
     app: otelcol-agent
     component: otel-collector