Ta update configs to enable mtls (#3015)
* Initial commit

* Added Cert Manager CRDs & RBAC validation and management

* Added relevant resources and started adding tests

* Bump github.com/gin-gonic/gin from 1.9.1 to 1.10.0 (#2953)

Bumps [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) from 1.9.1 to 1.10.0.
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.9.1...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/prometheus/prometheus in the prometheus group (#2951)

Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus).

Updates `github.com/prometheus/prometheus` from 0.51.2 to 0.52.0
- [Release notes](https://github.com/prometheus/prometheus/releases)
- [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md)
- [Commits](prometheus/prometheus@v0.51.2...v0.52.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prometheus
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Support for collector readinessProbe (#2944)

* enable readiness Probe for otel operator

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* generate CRD and controller changes

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Adjusted code to be similar to Liveness logic

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Generated manifests

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Add changelog

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Fix lint

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Removed readinessProbe from alpha CRD

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Generated manifests

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Fix lint

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

* Centralized probe validation

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>

---------

Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>
Co-authored-by: hesam.hamdarsi <hesam.hamdarsi@gmail.com>

* Bump github.com/docker/docker (#2954)

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.0.1+incompatible to 26.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v26.0.1...v26.0.2)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added new Log Enconder Config (#2927)

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Log Enconder Config

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Added new Debug doc

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

---------

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* [chore] move VineethReddy02 to emeritus (#2957)

Signed-off-by: Juraci Paixão Kröhling <juraci@kroehling.de>

* Cleanup cluster roles and bindings  (#2938)

* Fix

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Fix

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Fix

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Fix

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Add test

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

---------

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Fixed non-expected warnings on TA webhook. (#2962)

Signed-off-by: Yuri Sa <yurimsa@gmail.com>

* Verify ServiceMonitor and PodMonitor are installed in prom cr availability check (#2964)

* Verify ServiceMonitor and PodMonitor are installed in prom cr availability check

* Added changelog

* Bump kyverno/action-install-chainsaw from 0.2.0 to 0.2.1 (#2968)

Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/kyverno/action-install-chainsaw/releases)
- [Commits](kyverno/action-install-chainsaw@v0.2.0...v0.2.1)

---
updated-dependencies:
- dependency-name: kyverno/action-install-chainsaw
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix labels for Service Monitors (#2878)

* Create a separate Service Monitor when the Prometheus exporter is present

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Improve changelog

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Fix prometheus-cr E2E test

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Remove unused target

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Add docstring

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Fix typo

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Change the label name

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Change changelog description

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Recover removed labels

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Add missing labels

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Remove wrong labels

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

---------

Signed-off-by: Israel Blancas <iblancasa@gmail.com>

* Prepare release 0.100.0 (#2960)

* Prepare release 0.100.0

Signed-off-by: Vineeth Pothulapati <vineethpothulapati@outlook.com>

* update the chlog

* update the chlog with #2877 merge

---------

Signed-off-by: Vineeth Pothulapati <vineethpothulapati@outlook.com>

* [chore] Refactor allocation strategies (#2928)

* Refactor consistent-hashing strategy

* Refactor per-node strategy

* Refactor least-weighted strategy

* Minor allocation strategy refactor

* Add some common allocation strategy tests

* Fix collector and target reassignment

* Minor allocator fixes

* Add changelog entry

* Fix an incorrect comment

* Bring back webhook port (#2973)

* add back webhook port

* chlog

* patch 0.100.1 (#2974)

* Update the OpenTelemetry Java agent version to 2.4.0 (#2967)

* simplify deletion logic (#2971)

* Update maintainers in the operator hub PR (#2977)

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>

* Support for kubernetes 1.30 version (#2975)

* Support for kubernetes 1.30 version

* Update makefile

* [chore] Move TargetAllocator CRD to v1alpha1 (#2918)

* [featuregate] Automatically set GOMEMLIMIT and GOMAXPROCS for collector, target allocator, opamp bridge (#2933)

* set things

* fix kustomize shim

* restore, better chlog

* Fix querying OpenShift user workload monitoring stack. (#2984)

* Bump alpine from 3.19 to 3.20 (#2990)

Bumps alpine from 3.19 to 3.20.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump alpine from 3.19 to 3.20 in /cmd/operator-opamp-bridge (#2991)

Bumps alpine from 3.19 to 3.20.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#2987)

Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.4.1...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump kyverno/action-install-chainsaw from 0.2.1 to 0.2.2 (#2989)

Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.1 to 0.2.2.
- [Release notes](https://github.com/kyverno/action-install-chainsaw/releases)
- [Commits](kyverno/action-install-chainsaw@v0.2.1...v0.2.2)

---
updated-dependencies:
- dependency-name: kyverno/action-install-chainsaw
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the otel group with 5 updates (#2986)

Bumps the otel group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` |
| [go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` |
| [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` |
| [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) | `1.26.0` | `1.27.0` |

Updates `go.opentelemetry.io/otel` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0)

Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0)

Updates `go.opentelemetry.io/otel/metric` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0)

Updates `go.opentelemetry.io/otel/sdk` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0)

Updates `go.opentelemetry.io/otel/sdk/metric` from 1.26.0 to 1.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.26.0...v1.27.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/metric
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
- dependency-name: go.opentelemetry.io/otel/sdk/metric
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump alpine from 3.19 to 3.20 in /cmd/otel-allocator (#2992)

Bumps alpine from 3.19 to 3.20.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Keep multiple versions of Collector Config (#2946)

* Prepare v0.101.0 release (#2994)

* Prepare v0.101.0 release

* Undo kustomize stuff

* Undo kustomize stuff again

* Undo kustomize stuff again

* Apply feedback

* Add crd metrics usage information (#2825)

* Add crd metrics usage information

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Add mode metric

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Refactor CR metrics

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Add annotation to avoid generate Metrics

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Add unit tests

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* remove space

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* remove global provider

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Update main.go

Co-authored-by: Israel Blancas <iblancasa@gmail.com>

* revert kusttomization.yaml

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* rename some constants

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Add connectors metrics

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Update chlog

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* merge new with init, rename some functions, improve changelog entry

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* improve todo comment

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* fix tests

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* set flag to default false

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* fix lint issues

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* breaking line

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Use api reader to avoid cache issues

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

* Add info metric to changelog entry

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>

---------

Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
Co-authored-by: Israel Blancas <iblancasa@gmail.com>

* Update selector documentation for Target Allocator (#3001)

* Bump github.com/prometheus/prometheus in the prometheus group (#3004)

Bumps the prometheus group with 1 update: [github.com/prometheus/prometheus](https://github.com/prometheus/prometheus).


Updates `github.com/prometheus/prometheus` from 0.52.0 to 0.52.1
- [Release notes](https://github.com/prometheus/prometheus/releases)
- [Changelog](https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md)
- [Commits](prometheus/prometheus@v0.52.0...v0.52.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prometheus
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump kyverno/action-install-chainsaw from 0.2.2 to 0.2.3 (#3003)

Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.2 to 0.2.3.
- [Release notes](https://github.com/kyverno/action-install-chainsaw/releases)
- [Commits](kyverno/action-install-chainsaw@v0.2.2...v0.2.3)

---
updated-dependencies:
- dependency-name: kyverno/action-install-chainsaw
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Introduce simplified parsers (#2972)

* Bump go.opentelemetry.io/otel/exporters/prometheus in the otel group (#3005)

Bumps the otel group with 1 update: [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go).

Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.48.0 to 0.49.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@example/prometheus/v0.48.0...example/prometheus/v0.49.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: otel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump go.uber.org/zap from 1.26.0 to 1.27.0 (#3006)

Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.26.0 to 1.27.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](uber-go/zap@v1.26.0...v1.27.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update Kafka version in e2e test (#3009)

* [chore] Bump opentelemetry-autoinstrumentation-python to 0.45b0 (#3000)

* chore: Bump opentelemetry-autoinstrumentation-python to 0.45b0

* [chore] add psycopg==0.45b0

* Fix annotation/label filter setting (#3008)

* fix how options are loaded by removing special casing

* oop

* chlog

* update to specific test

* oop

* Added Cert Manager CRDs & RBAC validation and management

* Added relevant resources and started adding tests

* minor change

* Minor change

* minor change

* Cleanup

* Cleanup, go tidy and resolved conflicts

* Restored local dev changes

* Refactored, removed init container, minor changes

* Use correct files in TLS config

* Added default value to getHttpsListenAddr

* Added flag to enable mTLS between the Target Allocator and the Collector. go mod cleanup

* Using the enable mTLS flag

* Using feature gate in place of command line flags to enable the feature

* Removed flag from manager yaml

* Added featuregate func description

* Initial unit/e2e tests. some cleanup

* Using TA params

* Cleanup makefile from local changes

* Added step to create cert manager RBAC for e2e mtls tests

* Using Kustomize for patching certmanager permissions

* Cleanup chainsaw test

* Cleanup chainsaw tests

* e2e test case verifying Collector got secret from TA over mTLS

* Added changelog, fixed unit tests

* restored makefile

* Renamed fg import

* Linting rules for imports

* Added more tests, updated the readme

* Added steps in e2e tests for new app

* Ran go mod tidy

* Added new variable to test TA's AddTAConfigToPromConfig

* Setting otel-col-contrib 0.108.0 in e2e test until operator gets updated

* Update pkg/featuregate/featuregate.go

Co-authored-by: Jacob Aronoff <jaronoff97@users.noreply.github.com>

* Added https, serviceMonitor and tls resources assertions to e2e tests

* Using namespaced names for ClusterRoles

* Cleanup

* Added CertManager resources unit tests

* Added unit tests and e2e assertions

* Added missing assertion call

* Update 00-install.yaml

Removed collector image override for e2e test

* Update pkg/featuregate/featuregate.go

Co-authored-by: Mikołaj Świątek <mail@mikolajswiatek.com>

* Minor fixes

* Fixed tests referencing logging exporter

* Moved mTLS file naming consts

* Added missing curly bracket

* Update TA-update-configs-to-enable-mtls.yaml

* Update pkg/featuregate/featuregate.go

Co-authored-by: Mikołaj Świątek <mail@mikolajswiatek.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Janario Oliveira <janario.oliveira@gmail.com>
Signed-off-by: Yuri Sa <yurimsa@gmail.com>
Signed-off-by: Juraci Paixão Kröhling <juraci@kroehling.de>
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
Signed-off-by: Israel Blancas <iblancasa@gmail.com>
Signed-off-by: Vineeth Pothulapati <vineethpothulapati@outlook.com>
Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Janario Oliveira <janario.oliveira@gmail.com>
Co-authored-by: hesam.hamdarsi <hesam.hamdarsi@gmail.com>
Co-authored-by: Yuri Sa <48062171+yuriolisa@users.noreply.github.com>
Co-authored-by: Juraci Paixão Kröhling <juraci.github@kroehling.de>
Co-authored-by: Pavol Loffay <p.loffay@gmail.com>
Co-authored-by: Aksel Skaar Leirvaag <52233080+akselleirv@users.noreply.github.com>
Co-authored-by: Israel Blancas <iblancasa@gmail.com>
Co-authored-by: Vineeth Pothulapati <vineethpothulapati@outlook.com>
Co-authored-by: Mikołaj Świątek <mail+sumo@mikolajswiatek.com>
Co-authored-by: Jacob Aronoff <jaronoff97@users.noreply.github.com>
Co-authored-by: OpenTelemetry Bot <107717825+opentelemetrybot@users.noreply.github.com>
Co-authored-by: Vasi Vasireddy <41936996+vasireddy99@users.noreply.github.com>
Co-authored-by: Ishwar Kanse <ikanse@redhat.com>
Co-authored-by: Matt Hagenbuch <hagenbuch.ml@gmail.com>
Co-authored-by: Tyler Helmuth <12352919+TylerHelmuth@users.noreply.github.com>
Co-authored-by: Ruben Vargas <ruben.vp8510@gmail.com>
Co-authored-by: brandonkzw <3462248+brandonkzw@users.noreply.github.com>
Co-authored-by: Mikołaj Świątek <mail@mikolajswiatek.com>
20 people authored Oct 10, 2024
1 parent 65b40cb commit b038590
Showing 58 changed files with 2,706 additions and 71 deletions.
18 changes: 18 additions & 0 deletions .chloggen/TA-update-configs-to-enable-mtls.yaml
@@ -0,0 +1,18 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
component: target allocator, collector

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: "Enable mTLS between the TA and collector for passing secrets in the scrape_config securely"

# One or more tracking issues related to the change
issues: [1669]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext: |
This change enables mTLS between the collector and the target allocator (requires cert-manager).
This is necessary for passing secrets securely from the TA to the collector for scraping endpoints that have authentication.
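Review bot: the `subtext` says the change "enables mTLS" but does not say that it stays off unless the `operator.targetallocator.mtls` feature gate is set, which is how the e2e setup and the README in this same commit turn it on. Add a line naming the gate, so that someone reading the changelog does not assume TA-to-collector traffic is protected by default after upgrading. `component: target allocator, collector` also lists two components where the template comment asks for one name.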
3 changes: 3 additions & 0 deletions .github/workflows/e2e.yaml
Expand Up @@ -34,13 +34,16 @@ jobs:
- e2e-upgrade
- e2e-multi-instrumentation
- e2e-metadata-filters
- e2e-ta-collector-mtls
include:
- group: e2e-instrumentation
setup: "add-instrumentation-params prepare-e2e"
- group: e2e-multi-instrumentation
setup: "add-instrumentation-params prepare-e2e"
- group: e2e-metadata-filters
setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=.*filter.out --annotations-filter=config.*.gke.io.* --labels-filter=.*filter.out' prepare-e2e"
- group: e2e-ta-collector-mtls
setup: "add-operator-arg OPERATOR_ARG='--feature-gates=operator.targetallocator.mtls' add-certmanager-permissions prepare-e2e"
- group: e2e-automatic-rbac
setup: "add-rbac-permissions-to-operator prepare-e2e"
steps:
4 changes: 2 additions & 2 deletions .gitignore
@@ -1,4 +1,3 @@

# Binaries for programs and plugins
*.exe
*.exe~
Expand Down Expand Up @@ -39,8 +38,9 @@ config/manager/kustomization.yaml
kubeconfig
tests/_build/
config/rbac/extra-permissions-operator/
config/rbac/certmanager-permissions/

# autoinstrumentation artifacts
build
node_modules
package-lock.json
package-lock.json
12 changes: 12 additions & 0 deletions Makefile
Expand Up @@ -312,6 +312,18 @@ e2e-prometheuscr: chainsaw
e2e-targetallocator: chainsaw
$(CHAINSAW) test --test-dir ./tests/e2e-targetallocator

.PHONY: add-certmanager-permissions
add-certmanager-permissions:
# Kustomize only allows patches in the folder where the kustomization is located
# This folder is ignored by .gitignore
cp -r tests/e2e-ta-collector-mtls/certmanager-permissions config/rbac/certmanager-permissions
cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path certmanager-permissions/certmanager.yaml

# Target allocator collector mTLS end-to-tests
.PHONY: e2e-ta-collector-mtls
e2e-ta-collector-mtls: chainsaw
$(CHAINSAW) test --test-dir ./tests/e2e-ta-collector-mtls

# end-to-end-test for Annotations/Labels Filters
.PHONY: e2e-metadata-filters
e2e-metadata-filters: chainsaw
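Review bot: in `add-certmanager-permissions`, the `cp -r tests/e2e-ta-collector-mtls/certmanager-permissions config/rbac/certmanager-permissions` step is not repeatable. When the destination already exists from an earlier run, `cp -r` copies the source directory inside it, so `certmanager-permissions/certmanager.yaml` passed to `--path` resolves to the copy from the earlier run rather than the current file. Remove the destination first, or copy the directory contents. The comment covers the copied folder being gitignored, but the following `$(KUSTOMIZE) edit add patch` also rewrites the kustomization in `config/rbac`, so say whether that file is expected to be dirty after the target runs. Minor: "end-to-tests" in the comment above `e2e-ta-collector-mtls` should read "end-to-end tests".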
37 changes: 35 additions & 2 deletions cmd/otel-allocator/README.md
Expand Up @@ -211,9 +211,42 @@ rules:

### Service / Pod monitor endpoint credentials

If your service or pod monitor endpoints require credentials or other supported form of authentication (bearer token, basic auth, OAuth2 etc.), you need to ensure that the collector has access to this information. Due to some limitations in how the endpoints configuration is handled, target allocator currently does **not** support credentials provided via secrets. It is only possible to provide credentials in a file (for more details see issue https://github.com/open-telemetry/opentelemetry-operator/issues/1669).
If your service or pod monitor endpoints require authentication (such as bearer tokens, basic auth, OAuth2, etc.), you must ensure that the collector has access to these credentials.

To secure the connection between the target allocator and the collector so that the secrets can be retrieved, mTLS is used. This involves the use of cert-manager to manage the CA, server, and client certificates.

Prerequisites:
- Ensure cert-manager is installed in your Kubernetes cluster.
- Grant RBAC Permissions:

- The target allocator needs the appropriate RBAC permissions to get the secrets referenced in the Service / Pod monitor.

- The operator needs the appropriate RBAC permissions to manage cert-manager resources. The following clusterRole can be used to grant the necessary permissions:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: opentelemetry-operator-controller-manager-cert-manager-role
rules:
- apiGroups:
- cert-manager.io
resources:
- issuers
- certificaterequests
- certificates
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
```

- Enable the `operator.targetallocator.mtls` feature gate in the operator's deployment.

In order to ensure your endpoints can be scraped, your collector instance needs to have the particular secret mounted as a file at the correct path.


# Design
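Review bot: the example ClusterRole gives the operator `create`, `update`, `patch` and `delete` on `issuers`, `certificaterequests` and `certificates` in every namespace, and the text does not say why each one is needed. State which of these resources the operator actually writes (for instance, whether it creates `certificaterequests` itself or only reads them) so that the role can be trimmed. The first RBAC bullet has the same gap from the other side: it says the target allocator must be able to get the secrets referenced by the Service / Pod monitors but gives no example, which tends to end in a cluster-wide `get` on `secrets`. A namespaced Role sketch would help. One sentence on what happens when the feature gate is on but cert-manager is not installed would also be useful.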
25 changes: 15 additions & 10 deletions cmd/otel-allocator/config/config.go
Expand Up @@ -115,29 +115,34 @@ func LoadFromCLI(target *Config, flagSet *pflag.FlagSet) error {
target.PrometheusCR.Enabled = prometheusCREnabled
}

target.HTTPS.Enabled, err = getHttpsEnabled(flagSet)
if err != nil {
if httpsEnabled, changed, err := getHttpsEnabled(flagSet); err != nil {
return err
} else if changed {
target.HTTPS.Enabled = httpsEnabled
}

target.HTTPS.ListenAddr, err = getHttpsListenAddr(flagSet)
if err != nil {
if listenAddrHttps, changed, err := getHttpsListenAddr(flagSet); err != nil {
return err
} else if changed {
target.HTTPS.ListenAddr = listenAddrHttps
}

target.HTTPS.CAFilePath, err = getHttpsCAFilePath(flagSet)
if err != nil {
if caFilePath, changed, err := getHttpsCAFilePath(flagSet); err != nil {
return err
} else if changed {
target.HTTPS.CAFilePath = caFilePath
}

target.HTTPS.TLSCertFilePath, err = getHttpsTLSCertFilePath(flagSet)
if err != nil {
if tlsCertFilePath, changed, err := getHttpsTLSCertFilePath(flagSet); err != nil {
return err
} else if changed {
target.HTTPS.TLSCertFilePath = tlsCertFilePath
}

target.HTTPS.TLSKeyFilePath, err = getHttpsTLSKeyFilePath(flagSet)
if err != nil {
if tlsKeyFilePath, changed, err := getHttpsTLSKeyFilePath(flagSet); err != nil {
return err
} else if changed {
target.HTTPS.TLSKeyFilePath = tlsKeyFilePath
}

return nil
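Review bot: after these blocks `LoadFromCLI` goes straight to `return nil`, so nothing in this hunk rejects `HTTPS.Enabled` being true together with an empty `CAFilePath`, `TLSCertFilePath` or `TLSKeyFilePath`. The CA file is presumably what the server uses to verify collector client certificates, so an enabled listener without it should fail at load time rather than start in a weaker mode. If that check lives elsewhere, a comment pointing to it would help. Also note that each field is now assigned only in the `else if changed` branch, so whatever the getters return for an unset flag is discarded here, including the `":8443"` literal in `getHttpsListenAddr`.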
1 change: 1 addition & 0 deletions cmd/otel-allocator/config/config_test.go
Expand Up @@ -64,6 +64,7 @@ func TestLoad(t *testing.T) {
},
HTTPS: HTTPSServerConfig{
Enabled: true,
ListenAddr: ":8443",
CAFilePath: "/path/to/ca.pem",
TLSCertFilePath: "/path/to/cert.pem",
TLSKeyFilePath: "/path/to/key.pem",
45 changes: 35 additions & 10 deletions cmd/otel-allocator/config/flags.go
Expand Up @@ -78,22 +78,47 @@ func getPrometheusCREnabled(flagSet *pflag.FlagSet) (value bool, changed bool, e
return
}

func getHttpsListenAddr(flagSet *pflag.FlagSet) (string, error) {
return flagSet.GetString(listenAddrHttpsFlagName)
func getHttpsListenAddr(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
if changed = flagSet.Changed(listenAddrHttpsFlagName); !changed {
value, err = ":8443", nil
return
}
value, err = flagSet.GetString(listenAddrHttpsFlagName)
return
}

func getHttpsEnabled(flagSet *pflag.FlagSet) (bool, error) {
return flagSet.GetBool(httpsEnabledFlagName)
func getHttpsEnabled(flagSet *pflag.FlagSet) (value bool, changed bool, err error) {
if changed = flagSet.Changed(httpsEnabledFlagName); !changed {
value, err = false, nil
return
}
value, err = flagSet.GetBool(httpsEnabledFlagName)
return
}

func getHttpsCAFilePath(flagSet *pflag.FlagSet) (string, error) {
return flagSet.GetString(httpsCAFilePathFlagName)
func getHttpsCAFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
if changed = flagSet.Changed(httpsCAFilePathFlagName); !changed {
value, err = "", nil
return
}
value, err = flagSet.GetString(httpsCAFilePathFlagName)
return
}

func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (string, error) {
return flagSet.GetString(httpsTLSCertFilePathFlagName)
func getHttpsTLSCertFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
if changed = flagSet.Changed(httpsTLSCertFilePathFlagName); !changed {
value, err = "", nil
return
}
value, err = flagSet.GetString(httpsTLSCertFilePathFlagName)
return
}

func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (string, error) {
return flagSet.GetString(httpsTLSKeyFilePathFlagName)
func getHttpsTLSKeyFilePath(flagSet *pflag.FlagSet) (value string, changed bool, err error) {
if changed = flagSet.Changed(httpsTLSKeyFilePathFlagName); !changed {
value, err = "", nil
return
}
value, err = flagSet.GetString(httpsTLSKeyFilePathFlagName)
return
}
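Review bot: in `getHttpsListenAddr` the unset branch returns the literal `":8443"`, but the caller in config.go assigns the result only when `changed` is true, so this default is never applied through `LoadFromCLI` and can drift from whatever default the flag is registered with. Return the zero value as the other getters do, or use one named constant shared with the flag definition. In the other four getters the `value, err = false, nil` and `value, err = "", nil` assignments are redundant, since named results already hold their zero values. All five functions are the same few lines with a different flag name and type, so a small helper taking the flag name would remove the repetition.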
10 changes: 8 additions & 2 deletions cmd/otel-allocator/config/flags_test.go
Expand Up @@ -77,13 +77,19 @@ func TestFlagGetters(t *testing.T) {
name: "HttpsServer",
flagArgs: []string{"--" + httpsEnabledFlagName, "true"},
expectedValue: true,
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsEnabled(fs) },
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
value, _, err := getHttpsEnabled(fs)
return value, err
},
},
{
name: "HttpsServerKey",
flagArgs: []string{"--" + httpsTLSKeyFilePathFlagName, "/path/to/tls.key"},
expectedValue: "/path/to/tls.key",
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) { return getHttpsTLSKeyFilePath(fs) },
getterFunc: func(fs *pflag.FlagSet) (interface{}, error) {
value, _, err := getHttpsTLSKeyFilePath(fs)
return value, err
},
},
}

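Review bot: both updated cases drop the new `changed` return (`value, _, err := getHttpsEnabled(fs)` and the same for `getHttpsTLSKeyFilePath`), so the behaviour this commit introduces is not tested here. Add cases that call the getters without passing the flag and assert that `changed` is false, including `getHttpsListenAddr`, whose unset branch returns `":8443"`, plus a case asserting that `changed` is true when the flag is given.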
1 change: 1 addition & 0 deletions cmd/otel-allocator/config/testdata/config_test.yaml
Expand Up @@ -7,6 +7,7 @@ prometheus_cr:
scrape_interval: 60s
https:
enabled: true
listen_addr: :8443
ca_file_path: /path/to/ca.pem
tls_cert_file_path: /path/to/cert.pem
tls_key_file_path: /path/to/key.pem