Merge pull request #397 from Andreagit97/fix-otel-grpc

fix: correctly handle both grpc and http

Author: Andreagit97

charts/runtime-enforcer/templates/agent/daemonset.yaml

@@ -57,11 +57,15 @@ spec:
         {{- if eq .Values.telemetry.collectorStrategy "default" }}
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: https://{{ include "runtime-enforcer.fullname" . }}-otel-collector.{{ .Release.Namespace }}.svc.cluster.local:4317
+        - name: OTEL_EXPORTER_OTLP_PROTOCOL
+          value: grpc
         - name: OTEL_EXPORTER_OTLP_CERTIFICATE
           value: {{ include "runtime-enforcer.grpc.certDir" . }}/ca.crt
         {{- else if eq .Values.telemetry.collectorStrategy "external" }}
         - name: OTEL_EXPORTER_OTLP_ENDPOINT
           value: {{ .Values.telemetry.externalCollector.endpoint }}
+        - name: OTEL_EXPORTER_OTLP_PROTOCOL
+          value: {{ .Values.telemetry.externalCollector.protocol }}
         {{- if .Values.telemetry.externalCollector.otelCollectorCertificateSecret }}
         - name: OTEL_EXPORTER_OTLP_CERTIFICATE
           value: /tmp/otel-collector-certs/ca.crt

charts/runtime-enforcer/values.schema.json

@@ -435,6 +435,13 @@
                         },
                         "otelCollectorClientCertificateSecret": {
                             "type": "string"
+                        },
+                        "protocol": {
+                            "type": "string",
+                            "enum": [
+                                "grpc",
+                                "http/protobuf"
+                            ]
                         }
                     },
                     "additionalProperties": false

charts/runtime-enforcer/values.yaml

@@ -168,13 +168,15 @@ telemetry:
         cpu: 10m
         memory: 64Mi
   externalCollector:
-    # telemetry.externalCollector.endpoint is the Otel collector endpoint to send metrics and
-    # traces to. It should be in the format https://<hostname>:<port>.
+    # telemetry.externalCollector.endpoint is the Otel collector endpoint to send signals to.
+    # For gRPC, it should be in the format <hostname>:<port>.
+    # For HTTP, it should be in the format http(s)://<hostname>:<port>.
     endpoint: ""
+    # telemetry.externalCollector.protocol is the protocol to use for the Otel collector.
+    protocol: "grpc" # @schema enum: [grpc, http/protobuf]
     # The following settings are required to configure the OpenTelemetry exporter
-    # in the controller and policy server to send metrics and traces to a remote
-    # collector using TLS. Both secrets must be created in the same namespace
-    # where the controller is deployed.
+    # to send signals and to a remote collector using TLS.
+    # Both secrets must be created in the same namespace where the controller is deployed.
     #
     # If otelCollectorCertificateSecret is not set, TLS verification is disabled
     # (insecure mode). When set, the certificate is used to validate the remote

cmd/agent/main.go

@@ -42,6 +42,7 @@ type Config struct {
 	grpcConf                  grpcexporter.Config
 	logLevel                  string
 	otlpEndpoint              string
+	otlpProtocol              string
 	otlpCACert                string
 	otlpClientCert            string
 	otlpClientKey             string
@@ -326,6 +327,8 @@ func parseFlags() Config {
 	)
 	flag.StringVar(&config.nodeName, "node-name", os.Getenv("NODE_NAME"),
 		"Node name for violation reporting (defaults to NODE_NAME env var)")
+	flag.StringVar(&config.otlpProtocol, "otlp-protocol", os.Getenv("OTEL_EXPORTER_OTLP_PROTOCOL"),
+		"OTLP protocol (defaults to OTEL_EXPORTER_OTLP_PROTOCOL env var)")
 	flag.Parse()
 	return config
 }
@@ -350,6 +353,7 @@ func main() {
 			config.otlpCACert,
 			config.otlpClientCert,
 			config.otlpClientKey,
+			config.otlpProtocol,
 		)
 		if err != nil {
 			slogger.ErrorContext(ctx, "failed to initiate violation event pipeline", "error", err)

go.mod

@@ -13,9 +13,8 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/otel v1.42.0
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0
 	go.opentelemetry.io/otel/log v0.18.0
-	go.opentelemetry.io/otel/sdk v1.42.0
 	go.opentelemetry.io/otel/sdk/log v0.18.0
 	go.opentelemetry.io/otel/trace v1.42.0
 	golang.org/x/sync v0.20.0
@@ -89,7 +88,9 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 // indirect
 	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect

go.sum

@@ -193,6 +193,8 @@ go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
 go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0 h1:deI9UQMoGFgrg5iLPgzueqFPHevDl+28YKfSpPTI6rY=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.18.0/go.mod h1:PFx9NgpNUKXdf7J4Q3agRxMs3Y07QhTCVipKmLsMKnU=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0 h1:icqq3Z34UrEFk2u+HMhTtRsvo7Ues+eiJVjaJt62njs=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.18.0/go.mod h1:W2m8P+d5Wn5kipj4/xmbt9uMqezEKfBjzVJadfABSBE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 h1:THuZiwpQZuHPul65w4WcwEnkX2QIuMT+UFoOrygtoJw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0/go.mod h1:J2pvYM5NGHofZ2/Ru6zw/TNWnEQp5crgyDeSrYpXkAw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 h1:zWWrB1U6nqhS/k6zYB74CjRpuiitRtLLi68VcgmOEto=

internal/events/events.go

@@ -5,14 +5,34 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"strings"
 
 	"github.com/rancher-sandbox/runtime-enforcer/internal/tlsutil"
 	"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc"
+	"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp"
 	otellog "go.opentelemetry.io/otel/log"
 	sdklog "go.opentelemetry.io/otel/sdk/log"
 	"google.golang.org/grpc/credentials"
 )
 
+type protocol string
+
+const (
+	protocolGRPC         protocol = "grpc"
+	protocolHTTPProtobuf protocol = "http/protobuf"
+)
+
+func stringToProtocol(s string) (protocol, error) {
+	switch s {
+	case "grpc":
+		return protocolGRPC, nil
+	case "http/protobuf":
+		return protocolHTTPProtobuf, nil
+	default:
+		return "", fmt.Errorf("unsupported protocol: %s", s)
+	}
+}
+
 func buildTLSConfig(caCertPath, clientCertPath, clientKeyPath string) (*tls.Config, error) {
 	// Validate that the CA certificate is readable at startup.
 	if _, err := tlsutil.LoadCACertPool(caCertPath); err != nil {
@@ -50,28 +70,72 @@ func buildTLSConfig(caCertPath, clientCertPath, clientKeyPath string) (*tls.Conf
 	return cfg, nil
 }
 
-// Init creates an OTEL log provider that exports violation events to the given
-// gRPC endpoint over TLS. When caCertPath is non-empty, the connection verifies
-// the collector's certificate against the provided CA; otherwise the system
-// certificate pool is used. When clientCertPath and clientKeyPath are both
-// non-empty, the client presents a TLS certificate for mTLS authentication.
-func Init(
-	ctx context.Context,
+func createGRPCExporter(ctx context.Context,
 	endpoint, caCertPath, clientCertPath, clientKeyPath string,
-) (otellog.Logger, func(context.Context) error, error) {
+) (sdklog.Exporter, error) {
+	// if the user specified the correct path we shouldn't receive the http prefix here, but just to be sure.
+	gRPCEndpoint := strings.TrimPrefix(strings.TrimPrefix(endpoint, "https://"), "http://")
+	insecure := caCertPath == ""
 	opts := []otlploggrpc.Option{
-		otlploggrpc.WithEndpointURL(endpoint),
+		otlploggrpc.WithEndpoint(gRPCEndpoint),
 	}
-
-	if caCertPath != "" {
+	if insecure {
+		opts = append(opts, otlploggrpc.WithInsecure())
+	} else {
 		tlsConfig, err := buildTLSConfig(caCertPath, clientCertPath, clientKeyPath)
 		if err != nil {
-			return nil, nil, err
+			return nil, err
 		}
 		opts = append(opts, otlploggrpc.WithTLSCredentials(credentials.NewTLS(tlsConfig)))
 	}
+	return otlploggrpc.New(ctx, opts...)
+}
+
+func createHTTPExporter(ctx context.Context,
+	endpoint, caCertPath, clientCertPath, clientKeyPath string,
+) (sdklog.Exporter, error) {
+	// first we check if we are in insecure mode
+	insecure := strings.HasPrefix(endpoint, "http://")
+	// Strip the scheme from the endpoint: WithEndpoint expects "host:port".
+	httpEndpoint := strings.TrimPrefix(strings.TrimPrefix(endpoint, "https://"), "http://")
 
-	exporter, err := otlploggrpc.New(ctx, opts...)
+	opts := []otlploghttp.Option{
+		otlploghttp.WithEndpoint(httpEndpoint),
+	}
+
+	if insecure {
+		opts = append(opts, otlploghttp.WithInsecure())
+	} else if caCertPath != "" {
+		tlsConfig, err := buildTLSConfig(caCertPath, clientCertPath, clientKeyPath)
+		if err != nil {
+			return nil, err
+		}
+		opts = append(opts, otlploghttp.WithTLSClientConfig(tlsConfig))
+	}
+	return otlploghttp.New(ctx, opts...)
+}
+
+// Init creates an OTEL log provider that exports violation events to the given
+// endpoint. The protocol can be either "grpc" or "http/protobuf".
+// When caCertPath is non-empty, the connection verifies the collector's
+// certificate against the provided CA; otherwise insecure mode is used.
+// When clientCertPath and clientKeyPath are both non-empty, the client
+// presents a TLS certificate for mTLS authentication.
+func Init(
+	ctx context.Context,
+	endpoint, caCertPath, clientCertPath, clientKeyPath, protocol string,
+) (otellog.Logger, func(context.Context) error, error) {
+	var exporter sdklog.Exporter
+	proto, err := stringToProtocol(protocol)
+	if err != nil {
+		return nil, nil, err
+	}
+	switch proto {
+	case protocolGRPC:
+		exporter, err = createGRPCExporter(ctx, endpoint, caCertPath, clientCertPath, clientKeyPath)
+	case protocolHTTPProtobuf:
+		exporter, err = createHTTPExporter(ctx, endpoint, caCertPath, clientCertPath, clientKeyPath)
+	}
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create OTLP log exporter: %w", err)
 	}