Veryfy sign processor

[MJarmo]

This PR adds a new certificatelogverify processor that verifies the integrity and authenticity of log records that have been signed with a certificate. The processor is designed to work in conjunction with a certificate signing processor to provide tampering resistance for log data in OpenTelemetry pipelines.

Key Features:

• Certificate-based verification: Reads RSA certificates from Kubernetes secrets to verify log signatures
• Hash verification: Recomputes hashes from log content and compares them with received hashes to detect tampering
• Signature verification: Uses RSA public keys from certificates to verify PKCS1v15 signatures
• Flexible content signing: Supports verification of different content types (body, meta, or attr) as specified by the signing processor
• Multiple hash algorithms: Supports SHA256 and SHA512 hash algorithms
• Automatic filtering: Removes log records that fail verification from the pipeline
• Kubernetes integration: Seamlessly integrates with Kubernetes secrets for certificate management, including retry logic for secret fetching
• Deterministic serialization: Uses deterministic JSON serialization to ensure consistent hash computation

How it works:

1. On startup, the processor fetches the certificate from the specified Kubernetes secret
2. For each log record, it reads the otel.log.hash, otel.log.signature, and otel.log.sign_content attributes
3. It recomputes the hash using the same serialization logic as the signing processor
4. Compares the recomputed hash with the received hash using constant-time comparison
5. Verifies the signature using the certificate's RSA public key
6. Log records that fail verification are filtered out and logged as errors

Implementation details:

• Uses constant-time hash comparison to prevent timing attacks
• Handles base64-encoded certificates and signatures
• Supports both in-cluster and out-of-cluster Kubernetes configurations
• Includes comprehensive error handling and logging
• Provides telemetry metrics for processed log records

Link to tracking issue

Fixes

Testing

The processor has been tested through:

• Manual integration testing: Deployed in Kubernetes environments with test certificates and log records
• End-to-end verification: Tested with certificate-signed logs from a signing processor to verify complete workflow

Test scenarios covered:

• Successful verification of correctly signed logs
• Detection of tampered log content (hash mismatch)
• TODO:
• Detection of invalid signatures
• Handling of missing required attributes
• Certificate loading from Kubernetes secrets (both in-cluster and via kubeconfig)
• Retry logic for secret fetching during startup

Documentation

Comprehensive documentation has been added in processor/certificatelogverifyprocessor/README.md including:

• Overview: Explanation of processor functionality and use cases
• Prerequisites: Required dependencies and setup requirements
• Building: Instructions for building the collector with this processor and creating Docker images
• Kubernetes Deployment: Complete deployment guide including:
  • Step-by-step manual deployment instructions
  • Automated deployment scripts for Linux/Mac and Windows
  • Kustomize-based deployment
  • RBAC configuration examples
• Configuration: Detailed explanation of all configuration options:
  • hash_algorithm: SHA256 or SHA512 (default: SHA256)
  • sign_content: body, meta, or attr (default: body)
  • k8s_secret: Kubernetes secret configuration (name, namespace, cert_key)
• How It Works: Technical explanation of the verification process
• Expected Log Attributes: Documentation of required attributes (otel.log.hash, otel.log.signature, otel.log.sign_content)
• Troubleshooting: Common issues and solutions for secret access, permissions, and verification failures
• Example Deployments: Multiple deployment scenarios with complete examples

Additional documentation:

• Kubernetes manifests in k8s/ directory:
  • deployment-all-in-one.yaml: Complete deployment with all resources
  • configmap.yaml: Example collector configuration
  • Dockerfile: Multi-stage build for secure container image
• Processor metadata in metadata.yaml with telemetry metrics definition