From 8e1570531a433d7ac6a6d538a4c999ee148b9881 Mon Sep 17 00:00:00 2001
From: Rodrigo Pastrana
Date: Tue, 9 Jul 2024 13:28:20 -0400
Subject: [PATCH] HPCC-30850 JTrace accept credentials through secrets
- Reads OTLPGRCP cert from secret
- Provides sample configuration
Signed-off-by: Rodrigo Pastrana
---
 .../otlp-grpc-collector-k8s-Secret.yaml | 18 +++++++
 system/jlib/jtrace.cpp | 48 +++++++++++++++++--
 2 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 helm/examples/tracing/otlp-grpc-collector-k8s-Secret.yaml
diff --git a/helm/examples/tracing/otlp-grpc-collector-k8s-Secret.yaml b/helm/examples/tracing/otlp-grpc-collector-k8s-Secret.yaml
new file mode 100644
index 00000000000..905b822ec7d
--- /dev/null
+++ b/helm/examples/tracing/otlp-grpc-collector-k8s-Secret.yaml
@@ -0,0 +1,18 @@
+global:
+ tracing:
+ exporters:
+ - type: OTLP-GRPC
+ endpoint: "http://myotelcollector-opentelemetry-collector.default.svc.cluster.local:4317"
+ useSslCredentials: true
+ sslCertSecretCategory: "esp"
+ sslCertSecretName: "jtrace-credentials"
+ batch:
+ enabled: true
+secrets:
+ esp:
+ jtrace-logaccess: "jtrace-credentials"
+vaults:
+ esp:
+ - name: my-jtrace-credentials-vault
+ url: http://${env.VAULT_SERVICE_HOST}:${env.VAULT_SERVICE_PORT}/v1/secret/data/esp/${secret}
+ kind: kv-v2
diff --git a/system/jlib/jtrace.cpp b/system/jlib/jtrace.cpp
index f50e696c3f0..9f9272ae38d 100644
--- a/system/jlib/jtrace.cpp
+++ b/system/jlib/jtrace.cpp
@@ -53,6 +53,8 @@
 //This seems to be defined in some window builds - avoid conflicts with the functions below
 #undef max
+#include "jsecrets.hpp"
+
 namespace context = opentelemetry::context;
 namespace nostd = opentelemetry::nostd;
 namespace opentel_trace = opentelemetry::trace;
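Review bot: In the sample, `sslCertSecretName: "jtrace-credentials"` does not line up with the key declared under `secrets.esp`, which is `jtrace-logaccess: "jtrace-credentials"`; if, as in the platform's other secret examples, the lookup name passed to getSecret() is the map key and the value is the backing Kubernetes Secret, the exporter would look for `jtrace-credentials` while only `jtrace-logaccess` is mounted. Either the key should become `jtrace-credentials: "jtrace-credentials"` or the exporter config should reference `jtrace-logaccess`. Since this file is the only documentation of the contract, a one-line comment stating that the secret must carry a `cacert` entry (the key jtrace.cpp reads) would also help, for example `# the secret must contain a 'cacert' key holding the PEM CA certificate`.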
@@ -1224,9 +1226,49 @@ std::unique_ptr CTraceManager::createEx
 if (opts.use_ssl_credentials)
 {
- StringBuffer sslCACertPath;
- exportConfig->getProp("@sslCredentialsCACertPath", sslCACertPath);
- opts.ssl_credentials_cacert_path = sslCACertPath.str();
+ StringBuffer cacert;
+
+ if (exportConfig->hasProp("@sslCertSecretName"))
+ {
+ StringBuffer secretName;
+ exportConfig->getProp("@sslCertSecretName", secretName);
+
+ if (exportConfig->hasProp("@sslCertSecretCategory"))
+ {
+ StringBuffer secretCategory;
+ exportConfig->getProp("@sslCertSecretCategory", secretCategory);
+
+ DBGLOG("JTrace: loading OTLP-GRPC 'cacert' from secret '%s' category '%s'", secretName.str(), secretCategory.str());
+ Owned secretTree = getSecret(secretCategory.str(), secretName.str());
+ if (secretTree)
+ {
+ DBGLOG("JTrace: secret tree created, searching for 'cacert' from secret '%s'", secretName.str());
+ getSecretKeyValue(cacert.clear(), secretTree, "cacert");
+ if (isEmptyString(cacert.str()))
+ DBGLOG("JTrace: Could not load OTLP-GRPC 'cacert' from secret '%s'", secretName.str());
+ opts.ssl_credentials_cacert_as_string = cacert.str();
+ }
+ else
+ {
+ DBGLOG("JTrace: Could not load secret '%s'", secretName.str());
+ }
+ }
+ else
+ {
+ DBGLOG("JTrace: OTLP-GRPC configuration missing 'sslCertSecretCategory' attribute!");
+ }
+ }
+
+ if (isEmptyString(cacert.str()))
+ {
+ StringBuffer sslCACertPath;
+ if (exportConfig->hasProp("@sslCredentialsCACertPath"))
+ {
+ DBGLOG("JTrace: loading OTLP-GRPC 'cacert path'");
+ exportConfig->getProp("@sslCredentialsCACertPath", sslCACertPath);
+ opts.ssl_credentials_cacert_path = sslCACertPath.str();
+ }
+ }
 }
 if (exportConfig->hasProp("@timeOutSecs")) //grpc deadline timeout in seconds
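Review bot: A secret that is configured but cannot be read, has no `cacert` entry, or lacks its `@sslCertSecretCategory` is only reported with DBGLOG, after which the code silently falls back to `@sslCredentialsCACertPath` or, when that is also unset, leaves `use_ssl_credentials` on with no trust anchor configured at all; a broken trust anchor is a misconfiguration an operator needs to see, so those three failure messages should be emitted at warning level, e.g. `WARNLOG("JTrace: Could not load secret '%s'", secretName.str());`. In the `secretTree` branch `opts.ssl_credentials_cacert_as_string = cacert.str();` runs even when `cacert` is empty; guarding it with `if (!isEmptyString(cacert.str()))` keeps the option untouched when the path fallback is taken. The `cacert.clear()` on a freshly declared buffer is a no-op and can be dropped, and the secret-handling branch is deep enough that a brief comment above `StringBuffer cacert;` stating the precedence (`// CA cert from secret first, then @sslCredentialsCACertPath`) would save the next reader a full pass. The enclosing function (`CTraceManager::createEx…` per the hunk header) starts and ends outside the hunk.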