Skip to content

Commit

Permalink
add policy opentelemetry/inject-otel-environment-variable
Browse files Browse the repository at this point in the history
Signed-off-by: Damien Degois <[email protected]>
  • Loading branch information
babs committed Dec 27, 2024
1 parent ebc3671 commit 1fd174b
Show file tree
Hide file tree
Showing 13 changed files with 439 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: inject-before-preexisting-env
namespace: default
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://opentelemetry-collector.opentelemetry-collector:4317
- name: TEST_ENV
value: test
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: inject-custom-endpoint-ns
namespace: ns-w-custom-endpoint
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://http-collector:4318
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
otel.corp.org/otlp-endpoint: http://http-collector:4318
name: inject-custom-endpoint-pod
namespace: default
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://http-collector:4318
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: inject-custom-endpoint
annotations:
otel.corp.org/otlp-endpoint: http://custom-endpoint:4318
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://custom-endpoint:4318
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: inject-default
namespace: ns-wo-annotations
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://opentelemetry-collector.opentelemetry-collector:4317
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: inject-ns
namespace: ns-w-inject-true
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://opentelemetry-collector.opentelemetry-collector:4317
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
otel.corp.org/inject-env-var: "true"
name: inject-pod
namespace: ns-wo-annotations
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: http://opentelemetry-collector.opentelemetry-collector:4317
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: inject-otel-environment-variable
policies:
- ../inject-otel-environment-variable.yaml
resources:
- resource.yaml
variables: values.yaml
results:
- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- no-inject-pod
kind: Pod
result: skip

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- no-inject-ns
kind: Pod
result: skip

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-ns
patchedResources: expected/inject-ns.yaml
kind: Pod
result: pass

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-pod
patchedResources: expected/inject-pod.yaml
kind: Pod
result: pass

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-default
patchedResources: expected/inject-default.yaml
kind: Pod
result: pass

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-before-preexisting-env
patchedResources: expected/inject-before-preexisting-env.yaml
kind: Pod
result: pass

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-custom-endpoint-pod
patchedResources: expected/inject-custom-endpoint-pod.yaml
kind: Pod
result: pass

- policy: inject-otel-environment-variable
rule: inject-otel-environment-variable
resources:
- inject-custom-endpoint-ns
patchedResources: expected/inject-custom-endpoint-ns.yaml
kind: Pod
result: pass

## Enable for ConfigMap namespace filtering (see rule comments ConfigMap-NS-Filtering for detail)
# - policy: inject-otel-environment-variable
# rule: inject-otel-environment-variable
# resources:
# - no-inject-ns-excluded-by-configmap
# kind: Pod
# result: skip
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
apiVersion: v1
kind: Pod
metadata:
name: no-inject-pod
namespace: ns-wo-annotations
annotations:
otel.corp.org/inject-env-var: "false"
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: no-inject-ns
namespace: ns-w-inject-false
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: inject-ns
namespace: ns-w-inject-true
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: inject-pod
namespace: ns-wo-annotations
annotations:
otel.corp.org/inject-env-var: "true"
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: inject-default
namespace: ns-wo-annotations
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: inject-before-preexisting-env
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
env:
- name: TEST_ENV
value: test
---
apiVersion: v1
kind: Pod
metadata:
name: inject-custom-endpoint-pod
annotations:
otel.corp.org/otlp-endpoint: http://http-collector:4318
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: inject-custom-endpoint-ns
namespace: ns-w-custom-endpoint
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
---
apiVersion: v1
kind: Pod
metadata:
name: no-inject-ns-excluded-by-configmap
namespace: ns-excluded-by-configmap
spec:
containers:
- name: debdiag
image: ghcr.io/babs/debdiag:0
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Values
policies:
- name: inject-otel-environment-variable
rules:
- name: inject-otel-environment-variable
values:
namespacefilters.data.exclude: '["ns-excluded-by-configmap"]'
# Global Reference simulation
namespaces:
- metadata:
name: ns-wo-annotations
- metadata:
name: ns-w-inject-true
annotations:
otel.corp.org/inject-env-var: "true"
- metadata:
name: ns-w-inject-false
annotations:
otel.corp.org/inject-env-var: "false"
- metadata:
name: ns-w-custom-endpoint
annotations:
otel.corp.org/otlp-endpoint: "http://http-collector:4318"
34 changes: 34 additions & 0 deletions opentelemetry/inject-otel-environment-variable/artifacthub-pkg.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: inject-otel-environment-variable
version: 1.0.0
displayName: Inject OpenTelemetry environment variable
createdAt: "2024-12-27T00:00:00.000Z"
description: >-
Injects OpenTelemetry `OTEL_EXPORTER_OTLP_ENDPOINT` env var in `containers` and `initContainers`.
Injection can be controlled by `otel.corp.org/inject-env-var: "false"` annotation on the Pod or at the Namespace level.
Value of the injected env var can also be overridden per Pod or Namespace via `otel.corp.org/otlp-endpoint: "http://xxxx:4317"` annotation.
The env var will be injected first, meaning that if one is already declared, the later will takes precedence over the injected one.
To avoid stress on the control plane API, a GlobalContextEntry containing Namespaces has to be declared (group: '', version: v1, resource: namespaces)
and `cache.kyverno.io/enabled: "true"` should be set on the `namespacefilters` ConfigMap (see rule comments ConfigMap-NS-Filtering).
install: |-
```shell
kubectl apply \
-f https://raw.githubusercontent.com/kyverno/policies/main/opentelemetry/inject-otel-environment-variable/globalcontext.yaml
-f https://raw.githubusercontent.com/kyverno/policies/main/opentelemetry/inject-otel-environment-variable/inject-otel-environment-variable.yaml
```
keywords:
- kyverno
- OpenTelemetry
readme: |
Injects OpenTelemetry `OTEL_EXPORTER_OTLP_ENDPOINT` env var in `containers` and `initContainers`.
Injection can be controlled by `otel.corp.org/inject-env-var: "false"` annotation on the Pod or at the Namespace level.
Value of the injected env var can also be overridden per Pod or Namespace via `otel.corp.org/otlp-endpoint: "http://xxxx:4317"` annotation.
The env var will be injected first, meaning that if one is already declared, the later will takes precedence over the injected one.
To avoid stress on the control plane API, a GlobalContextEntry containing Namespaces has to be declared (group: '', version: v1, resource: namespaces)
and `cache.kyverno.io/enabled: "true"` should be set on the `namespacefilters` ConfigMap (see rule comments ConfigMap-NS-Filtering).
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/version: "1.13.0"
kyverno/category: "OpenTelemetry"
kyverno/subject: "Pod"
digest: ffa101097cabaa69e4c3ddfa07d7d4526c5e9a4e32005d794ab37f6c118d6df9
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v2alpha1
kind: GlobalContextEntry
metadata:
name: namespaces
spec:
kubernetesResource:
group: ''
version: v1
resource: namespaces
Loading

0 comments on commit 1fd174b

Please sign in to comment.