Merge branch 'main' into matth.versioned_config

.chloggen/2833-fix-detector-resourcedetectionprocessor.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Use the k8snode detector instead of kubernetes for the automatic RBAC creation for the resourcedetector"
+
+# One or more tracking issues related to the change
+issues: [2833]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.chloggen/2862-fix-clusterrolebinding-names.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "When two Collectors are created with the same name but different namespaces, the ClusterRoleBinding created by the first will be overriden by the second one."
+
+# One or more tracking issues related to the change
+issues: [2862]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.chloggen/add-collector-pool-healthy.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: opamp
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add healthy field at collector pool level in opamp bridge heartbeat
+
+# One or more tracking issues related to the change
+issues: [2936]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.chloggen/fix-labels-annotations-filter.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: 'bug_fix'
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Fix of Labels and Annotations filter
+
+# One or more tracking issues related to the change
+issues: [2770]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.chloggen/replace-create-rbac-permissions-by-checking-the-sa-permissions.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Automatically enable RBAC creation if operator SA can create clusterroles and bindings. --create-rbac-permissions flag is noop and deprecated now.
+
+# One or more tracking issues related to the change
+issues: [2588]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.chloggen/ta-add-https.yaml

@@ -0,0 +1,18 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Added option for creating an mTLS-configured HTTPS server to fetch scrape config with real secret values.
+
+# One or more tracking issues related to the change
+issues: [1669]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  The change introduces an option to create an additional HTTPS server with mTLS configuration. 
+  This server is specifically utilized for obtaining the scrape configuration with actual secret values.

.github/workflows/e2e.yaml

@@ -24,6 +24,7 @@ jobs:
          - "1.29"
        group:
          - e2e
+         - e2e-automatic-rbac
          - e2e-autoscale
          - e2e-instrumentation
          - e2e-opampbridge
@@ -39,8 +40,9 @@ jobs:
          - group: e2e-multi-instrumentation
            setup: "add-multi-instrumentation-params prepare-e2e"
          - group: e2e-metadata-filters
-           setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=*filter.out --labels=*filter.out' prepare-e2e"
-
+           setup: "add-operator-arg OPERATOR_ARG='--annotations-filter=.*filter.out --labels=.*filter.out' prepare-e2e"
+         - group: e2e-automatic-rbac
+           setup: "add-rbac-permissions-to-operator prepare-e2e"
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
@@ -55,7 +57,7 @@ jobs:
         path: bin
         key: ${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('Makefile') }}-${{ steps.setup-go.outputs.go-version }}
     - name: Install chainsaw
-      uses: kyverno/action-install-chainsaw@v0.1.9
+      uses: kyverno/action-install-chainsaw@v0.2.0
     - name: Install tools
       run: make install-tools
     - name: Prepare e2e tests

.gitignore

@@ -38,6 +38,7 @@ config/manager/kustomization.yaml
 # test resources
 kubeconfig
 tests/_build/
+config/rbac/extra-permissions-operator/
 
 # autoinstrumentation artifacts
 build

Makefile

@@ -157,9 +157,15 @@ add-multi-instrumentation-params:
 add-image-opampbridge:
 	@$(MAKE) add-operator-arg OPERATOR_ARG=--operator-opamp-bridge-image=$(OPERATOROPAMPBRIDGE_IMG)
 
-.PHONY: enable-operator-featuregates
-enable-operator-featuregates: OPERATOR_ARG = --feature-gates=$(FEATUREGATES)
-enable-operator-featuregates: add-operator-arg
+.PHONY: add-rbac-permissions-to-operator
+add-rbac-permissions-to-operator: manifests kustomize
+	# Kustomize only allows patches in the folder where the kustomization is located
+	# This folder is ignored by .gitignore
+	cp -r tests/e2e-automatic-rbac/extra-permissions-operator/ config/rbac/extra-permissions-operator
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/namespaces.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/nodes.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/rbac.yaml
+	cd config/rbac && $(KUSTOMIZE) edit add patch --kind ClusterRole --name manager-role --path extra-permissions-operator/replicaset.yaml
 
 # Deploy controller in the current Kubernetes context, configured in ~/.kube/config
 .PHONY: deploy
@@ -217,6 +223,11 @@ generate: controller-gen
 e2e: chainsaw
 	$(CHAINSAW) test --test-dir ./tests/e2e
 
+# end-to-end-test for testing automatic RBAC creation
+.PHONY: e2e-automatic-rbac
+e2e-automatic-rbac: chainsaw
+	$(CHAINSAW) test --test-dir ./tests/e2e-automatic-rbac
+
 # end-to-end-test for testing autoscale
 .PHONY: e2e-autoscale
 e2e-autoscale: chainsaw
@@ -272,9 +283,6 @@ e2e-upgrade: undeploy chainsaw
 .PHONY: prepare-e2e
 prepare-e2e: chainsaw set-image-controller add-image-targetallocator add-image-opampbridge container container-target-allocator container-operator-opamp-bridge start-kind cert-manager install-metrics-server install-targetallocator-prometheus-crds load-image-all deploy
 
-.PHONY: prepare-e2e-with-featuregates
-prepare-e2e-with-featuregates: chainsaw enable-operator-featuregates prepare-e2e
-
 .PHONY: scorecard-tests
 scorecard-tests: operator-sdk
 	$(OPERATOR_SDK) scorecard -w=5m bundle || (echo "scorecard test failed" && exit 1)
@@ -320,10 +328,6 @@ endif
 install-metrics-server:
 	./hack/install-metrics-server.sh
 
-.PHONY: install-prometheus-operator
-install-prometheus-operator:
-	./hack/install-prometheus-operator.sh
-
 # This only installs the CRDs Target Allocator supports
 .PHONY: install-targetallocator-prometheus-crds
 install-targetallocator-prometheus-crds:

README.md

@@ -777,10 +777,13 @@ Emeritus Approvers:
 
 Target Allocator Maintainers ([@open-telemetry/operator-ta-maintainers](https://github.com/orgs/open-telemetry/teams/operator-ta-maintainers)):
 
-- [Anthony Mirabella](https://github.com/Aneurysm9), AWS
 - [Kristina Pathak](https://github.com/kristinapathak), Lightstep
 - [Sebastian Poxhofer](https://github.com/secustor)
 
+Emeritus Target Allocator Maintainers
+
+- [Anthony Mirabella](https://github.com/Aneurysm9), AWS
+
 Maintainers ([@open-telemetry/operator-maintainers](https://github.com/orgs/open-telemetry/teams/operator-maintainers)):
 
 - [Jacob Aronoff](https://github.com/jaronoff97), Lightstep

apis/v1beta1/collector_webhook.go

@@ -20,7 +20,6 @@ import (
 	"strings"
 
 	"github.com/go-logr/logr"
-	authorizationv1 "k8s.io/api/authorization/v1"
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -191,7 +190,7 @@ func (c CollectorWebhook) validate(ctx context.Context, r *OpenTelemetryCollecto
 
 	nullObjects := r.Spec.Config.nullObjects()
 	if len(nullObjects) > 0 {
-		warnings = append(warnings, fmt.Sprintf("Collector config spec.config has null objects: %s. For compatibility tooling (kustomize and kubectl edit) it is recommended to use empty obejects e.g. batch: {}.", strings.Join(nullObjects, ", ")))
+		warnings = append(warnings, fmt.Sprintf("Collector config spec.config has null objects: %s. For compatibility with other tooling, such as kustomize and kubectl edit, it is recommended to use empty objects e.g. batch: {}.", strings.Join(nullObjects, ", ")))
 	}
 
 	// validate volumeClaimTemplates
@@ -359,7 +358,7 @@ func (c CollectorWebhook) validateTargetAllocatorConfig(ctx context.Context, r *
 		if subjectAccessReviews, err := c.reviewer.CheckPolicyRules(ctx, r.GetNamespace(), r.Spec.TargetAllocator.ServiceAccount, targetAllocatorCRPolicyRules...); err != nil {
 			return nil, fmt.Errorf("unable to check rbac rules %w", err)
 		} else if allowed, deniedReviews := rbac.AllSubjectAccessReviewsAllowed(subjectAccessReviews); !allowed {
-			return warningsGroupedByResource(deniedReviews), nil
+			return rbac.WarningsGroupedByResource(deniedReviews), nil
 		}
 	}
 
@@ -407,28 +406,6 @@ func checkAutoscalerSpec(autoscaler *AutoscalerSpec) error {
 	return nil
 }
 
-// warningsGroupedByResource is a helper to take the missing permissions and format them as warnings.
-func warningsGroupedByResource(reviews []*authorizationv1.SubjectAccessReview) []string {
-	fullResourceToVerbs := make(map[string][]string)
-	for _, review := range reviews {
-		if review.Spec.ResourceAttributes != nil {
-			key := fmt.Sprintf("%s/%s", review.Spec.ResourceAttributes.Group, review.Spec.ResourceAttributes.Resource)
-			if len(review.Spec.ResourceAttributes.Group) == 0 {
-				key = review.Spec.ResourceAttributes.Resource
-			}
-			fullResourceToVerbs[key] = append(fullResourceToVerbs[key], review.Spec.ResourceAttributes.Verb)
-		} else if review.Spec.NonResourceAttributes != nil {
-			key := fmt.Sprintf("nonResourceURL: %s", review.Spec.NonResourceAttributes.Path)
-			fullResourceToVerbs[key] = append(fullResourceToVerbs[key], review.Spec.NonResourceAttributes.Verb)
-		}
-	}
-	var warnings []string
-	for fullResource, verbs := range fullResourceToVerbs {
-		warnings = append(warnings, fmt.Sprintf("missing the following rules for %s: [%s]", fullResource, strings.Join(verbs, ",")))
-	}
-	return warnings
-}
-
 func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer) error {
 	cvw := &CollectorWebhook{
 		reviewer: reviewer,

apis/v1beta1/collector_webhook_test.go

@@ -72,7 +72,7 @@ func TestValidate(t *testing.T) {
 			},
 
 			warnings: []string{
-				"Collector config spec.config has null objects: extensions.foo:, processors.batch:, processors.foo:. For compatibility tooling (kustomize and kubectl edit) it is recommended to use empty obejects e.g. batch: {}.",
+				"Collector config spec.config has null objects: extensions.foo:, processors.batch:, processors.foo:. For compatibility with other tooling, such as kustomize and kubectl edit, it is recommended to use empty objects e.g. batch: {}.",
 			},
 		},
 	}

autoinstrumentation/nodejs/package.json

@@ -11,20 +11,20 @@
     "devDependencies": {
         "copyfiles": "^2.4.1",
         "rimraf": "^5.0.5",
-        "typescript": "^5.4.2"
+        "typescript": "^5.4.5"
     },
     "dependencies": {
         "@opentelemetry/api": "1.8.0",
-        "@opentelemetry/auto-instrumentations-node": "0.45.0",
-        "@opentelemetry/exporter-metrics-otlp-grpc": "0.49.1",
-        "@opentelemetry/exporter-prometheus": "0.49.1",
-        "@opentelemetry/exporter-trace-otlp-grpc": "0.49.1",
-        "@opentelemetry/resource-detector-alibaba-cloud": "0.28.7",
-        "@opentelemetry/resource-detector-aws": "1.4.0",
-        "@opentelemetry/resource-detector-container": "0.3.7",
-        "@opentelemetry/resource-detector-gcp": "0.29.7",
-        "@opentelemetry/resources": "1.22.0",
-        "@opentelemetry/sdk-metrics": "1.22.0",
-        "@opentelemetry/sdk-node": "0.49.1"
+        "@opentelemetry/auto-instrumentations-node": "0.46.0",
+        "@opentelemetry/exporter-metrics-otlp-grpc": "0.51.0",
+        "@opentelemetry/exporter-prometheus": "0.51.0",
+        "@opentelemetry/exporter-trace-otlp-grpc": "0.51.0",
+        "@opentelemetry/resource-detector-alibaba-cloud": "0.28.9",
+        "@opentelemetry/resource-detector-aws": "1.4.2",
+        "@opentelemetry/resource-detector-container": "0.3.9",
+        "@opentelemetry/resource-detector-gcp": "0.29.9",
+        "@opentelemetry/resources": "1.24.0",
+        "@opentelemetry/sdk-metrics": "1.24.0",
+        "@opentelemetry/sdk-node": "0.51.0"
     }
 }

bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml

@@ -99,7 +99,7 @@ metadata:
     categories: Logging & Tracing,Monitoring
     certified: "false"
     containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    createdAt: "2024-04-30T12:37:39Z"
+    createdAt: "2024-05-03T15:21:44Z"
     description: Provides the OpenTelemetry components, including the Collector
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -499,6 +499,11 @@ spec:
                 - --zap-log-level=info
                 - --zap-time-encoding=rfc3339nano
                 - --enable-nginx-instrumentation=true
+                env:
+                - name: SERVICE_ACCOUNT_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.serviceAccountName
                 image: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.99.0
                 livenessProbe:
                   httpGet:

cmd/operator-opamp-bridge/agent/agent.go

@@ -119,11 +119,17 @@ func (agent *Agent) generateCollectorPoolHealth() (map[string]*protobufs.Compone
 		if err != nil {
 			return nil, err
 		}
+
+		isPoolHealthy := true
+		for _, pod := range podMap {
+			isPoolHealthy = isPoolHealthy && pod.Healthy
+		}
 		healthMap[key.String()] = &protobufs.ComponentHealth{
 			StartTimeUnixNano:  uint64(col.ObjectMeta.GetCreationTimestamp().UnixNano()),
 			StatusTimeUnixNano: uint64(agent.clock.Now().UnixNano()),
 			Status:             col.Status.Scale.StatusReplicas,
 			ComponentHealthMap: podMap,
+			Healthy:            isPoolHealthy,
 		}
 	}
 	return healthMap, nil

cmd/operator-opamp-bridge/agent/agent_test.go

@@ -272,7 +272,7 @@ func TestAgent_getHealth(t *testing.T) {
 					StatusTimeUnixNano: uint64(fakeClock.Now().UnixNano()),
 					ComponentHealthMap: map[string]*protobufs.ComponentHealth{
 						"testnamespace/collector": {
-							Healthy:            false, // we're working with mocks so the status will never be reconciled.
+							Healthy:            true,
 							StartTimeUnixNano:  collectorStartTime,
 							LastError:          "",
 							Status:             "",
@@ -305,15 +305,15 @@ func TestAgent_getHealth(t *testing.T) {
 					StatusTimeUnixNano: uint64(fakeClock.Now().UnixNano()),
 					ComponentHealthMap: map[string]*protobufs.ComponentHealth{
 						"testnamespace/collector": {
-							Healthy:            false, // we're working with mocks so the status will never be reconciled.
+							Healthy:            true,
 							StartTimeUnixNano:  collectorStartTime,
 							LastError:          "",
 							Status:             "",
 							StatusTimeUnixNano: uint64(fakeClock.Now().UnixNano()),
 							ComponentHealthMap: map[string]*protobufs.ComponentHealth{},
 						},
 						"testnamespace/other": {
-							Healthy:            false, // we're working with mocks so the status will never be reconciled.
+							Healthy:            true,
 							StartTimeUnixNano:  collectorStartTime,
 							LastError:          "",
 							Status:             "",
@@ -345,7 +345,7 @@ func TestAgent_getHealth(t *testing.T) {
 					StatusTimeUnixNano: uint64(fakeClock.Now().UnixNano()),
 					ComponentHealthMap: map[string]*protobufs.ComponentHealth{
 						"other/third": {
-							Healthy:            false, // we're working with mocks so the status will never be reconciled.
+							Healthy:            true,
 							StartTimeUnixNano:  collectorStartTime,
 							LastError:          "",
 							Status:             "",