
Commit 63f80a8

Merge pull request #998 from fabriziosestito/feat/add-otlp-tls-flags
feat: add otlp tls configuration
2 parents 7a38476 + f0879b1 commit 63f80a8

10 files changed

+354
-211
lines changed

Cargo.lock

+3

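--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,7 +23,11 @@ k8s-openapi = { version = "0.23.0", default-features = false, features = [
 lazy_static = "1.4.0"
 mime = "0.3"
 num_cpus = "1.16.0"
-opentelemetry-otlp = { version = "0.27.0", features = ["metrics", "tonic"] }
+opentelemetry-otlp = { version = "0.27.0", features = [
+"metrics",
+"tonic",
+"tls",
+] }
 opentelemetry = { version = "0.27.0", default-features = false, features = [
 "metrics",
 "trace",
@@ -61,6 +65,7 @@ tikv-jemallocator = { version = "0.5.4", features = [
 jemalloc_pprof = "0.4.1"
 tikv-jemalloc-ctl = "0.5.4"
 rhai = { version = "1.19.0", features = ["sync"] }
+tonic = { version = "0.12.3" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 inotify = "0.11"
@@ -74,9 +79,9 @@ tower = { version = "0.5", features = ["util"] }
 http-body-util = "0.1.1"
 testcontainers = { version = "0.23", features = ["watchdog"] }
 backon = { version = "1.3", features = ["tokio-sleep"] }
+rcgen = { version = "0.13", features = ["crypto"] }
 
 [target.'cfg(target_os = "linux")'.dev-dependencies]
-rcgen = { version = "0.13", features = ["crypto"] }
 openssl = "0.10"
 reqwest = { version = "0.12", default-features = false, features = [
 "charset",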

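--- a/src/cli.rs
+++ b/src/cli.rs
@@ -22,160 +22,180 @@ lazy_static! {
 
 pub(crate) fn build_cli() -> Command {
 let mut args = vec![
-Arg::new("log-level")
-.long("log-level")
-.value_name("LOG_LEVEL")
-.env("KUBEWARDEN_LOG_LEVEL")
-.default_value("info")
-.value_parser([
-PossibleValue::new("trace"),
-PossibleValue::new("debug"),
-PossibleValue::new("info"),
-PossibleValue::new("warn"),
-PossibleValue::new("error"),
-])
-.help("Log level"),
-Arg::new("log-fmt")
-.long("log-fmt")
-.value_name("LOG_FMT")
-.env("KUBEWARDEN_LOG_FMT")
-.default_value("text")
-.value_parser([
-PossibleValue::new("text"),
-PossibleValue::new("json"),
-PossibleValue::new("otlp"),
-])
-.help("Log output format"),
-Arg::new("log-no-color")
-.long("log-no-color")
-.env("NO_COLOR")
-.action(ArgAction::SetTrue)
-.help("Disable colored output for logs"),
-Arg::new("address")
-.long("addr")
-.value_name("BIND_ADDRESS")
-.default_value("0.0.0.0")
-.env("KUBEWARDEN_BIND_ADDRESS")
-.help("Bind against ADDRESS"),
-Arg::new("port")
-.long("port")
-.value_name("PORT")
-.default_value("3000")
-.env("KUBEWARDEN_PORT")
-.help("Listen on PORT"),
-Arg::new("workers")
-.long("workers")
-.value_name("WORKERS_NUMBER")
-.env("KUBEWARDEN_WORKERS")
-.help("Number of workers thread to create"),
-Arg::new("cert-file")
-.long("cert-file")
-.value_name("CERT_FILE")
-.default_value("")
-.env("KUBEWARDEN_CERT_FILE")
-.help("Path to an X.509 certificate file for HTTPS"),
-Arg::new("key-file")
-.long("key-file")
-.value_name("KEY_FILE")
-.default_value("")
-.env("KUBEWARDEN_KEY_FILE")
-.help("Path to an X.509 private key file for HTTPS"),
-Arg::new("policies")
-.long("policies")
-.value_name("POLICIES_FILE")
-.env("KUBEWARDEN_POLICIES")
-.default_value("policies.yml")
-.help("YAML file holding the policies to be loaded and their settings"),
-Arg::new("policies-download-dir")
-.long("policies-download-dir")
-.value_name("POLICIES_DOWNLOAD_DIR")
-.default_value(".")
-.env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
-.help("Download path for the policies"),
-Arg::new("sigstore-cache-dir")
-.long("sigstore-cache-dir")
-.value_name("SIGSTORE_CACHE_DIR")
-.default_value("sigstore-data")
-.env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
-.help("Directory used to cache sigstore data"),
-Arg::new("sources-path")
-.long("sources-path")
-.value_name("SOURCES_PATH")
-.env("KUBEWARDEN_SOURCES_PATH")
-.help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),
-Arg::new("verification-path")
-.long("verification-path")
-.value_name("VERIFICATION_CONFIG_PATH")
-.env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
-.help("YAML file holding verification information (URIs, keys, annotations...)"),
-Arg::new("docker-config-json-path")
-.long("docker-config-json-path")
-.value_name("DOCKER_CONFIG")
-.env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
-.help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),
-Arg::new("enable-metrics")
-.long("enable-metrics")
-.env("KUBEWARDEN_ENABLE_METRICS")
-.action(ArgAction::SetTrue)
-.help("Enable metrics"),
-Arg::new("always-accept-admission-reviews-on-namespace")
-.long("always-accept-admission-reviews-on-namespace")
-.value_name("NAMESPACE")
-.env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
-.required(false)
-.help("Always accept AdmissionReviews that target the given namespace"),
-Arg::new("disable-timeout-protection")
-.long("disable-timeout-protection")
-.action(ArgAction::SetTrue)
-.env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
-.help("Disable policy timeout protection"),
-Arg::new("policy-timeout")
-.long("policy-timeout")
-.env("KUBEWARDEN_POLICY_TIMEOUT")
-.value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
-.default_value("2")
-.help("Interrupt policy evaluation after the given time"),
-Arg::new("daemon")
-.long("daemon")
-.env("KUBEWARDEN_DAEMON")
-.action(ArgAction::SetTrue)
-.help("If set, runs policy-server in detached mode as a daemon"),
-Arg::new("daemon-pid-file")
-.long("daemon-pid-file")
-.env("KUBEWARDEN_DAEMON_PID_FILE")
-.default_value("policy-server.pid")
-.help("Path to pid file, used only when running in daemon mode"),
-Arg::new("daemon-stdout-file")
-.long("daemon-stdout-file")
-.env("KUBEWARDEN_DAEMON_STDOUT_FILE")
-.required(false)
-.help("Path to file holding stdout, used only when running in daemon mode"),
-Arg::new("daemon-stderr-file")
-.long("daemon-stderr-file")
-.env("KUBEWARDEN_DAEMON_STDERR_FILE")
-.required(false)
-.help("Path to file holding stderr, used only when running in daemon mode"),
-Arg::new("ignore-kubernetes-connection-failure")
-.long("ignore-kubernetes-connection-failure")
-.env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
-.action(ArgAction::SetTrue)
-.help("Do not exit with an error if the Kubernetes connection fails. This will cause context aware policies to break when there's no connection with Kubernetes."),
-Arg::new("enable-pprof")
-.long("enable-pprof")
-.env("KUBEWARDEN_ENABLE_PPROF")
-.action(ArgAction::SetTrue)
-.help("Enable pprof profiling"),
-Arg::new("continue-on-errors")
-.long("continue-on-errors")
-.env("KUBEWARDEN_CONTINUE_ON_ERRORS")
-.action(ArgAction::SetTrue)
-.hide(true),
-Arg::new("otlp-endpoint")
-.long("otlp-endpoint")
-.env("OTEL_EXPORTER_OTLP_ENDPOINT")
-.default_value("http://localhost:4317")
-.help("The OTLP gRPC endpoint for exporting traces and metrics.")
+Arg::new("log-level")
+.long("log-level")
+.value_name("LOG_LEVEL")
+.env("KUBEWARDEN_LOG_LEVEL")
+.default_value("info")
+.value_parser([
+PossibleValue::new("trace"),
+PossibleValue::new("debug"),
+PossibleValue::new("info"),
+PossibleValue::new("warn"),
+PossibleValue::new("error"),
+])
+.help("Log level"),
+
+Arg::new("log-fmt")
+.long("log-fmt")
+.value_name("LOG_FMT")
+.env("KUBEWARDEN_LOG_FMT")
+.default_value("text")
+.value_parser([
+PossibleValue::new("text"),
+PossibleValue::new("json"),
+PossibleValue::new("otlp"),
+])
+.help("Log output format"),
+
+Arg::new("log-no-color")
+.long("log-no-color")
+.env("NO_COLOR")
+.action(ArgAction::SetTrue)
+.help("Disable colored output for logs"),
+
+Arg::new("address")
+.long("addr")
+.value_name("BIND_ADDRESS")
+.default_value("0.0.0.0")
+.env("KUBEWARDEN_BIND_ADDRESS")
+.help("Bind against ADDRESS"),
+
+Arg::new("port")
+.long("port")
+.value_name("PORT")
+.default_value("3000")
+.env("KUBEWARDEN_PORT")
+.help("Listen on PORT"),
+
+Arg::new("workers")
+.long("workers")
+.value_name("WORKERS_NUMBER")
+.env("KUBEWARDEN_WORKERS")
+.help("Number of worker threads to create"),
+
+Arg::new("cert-file")
+.long("cert-file")
+.value_name("CERT_FILE")
+.default_value("")
+.env("KUBEWARDEN_CERT_FILE")
+.help("Path to an X.509 certificate file for HTTPS"),
+
+Arg::new("key-file")
+.long("key-file")
+.value_name("KEY_FILE")
+.default_value("")
+.env("KUBEWARDEN_KEY_FILE")
+.help("Path to an X.509 private key file for HTTPS"),
+
+Arg::new("policies")
+.long("policies")
+.value_name("POLICIES_FILE")
+.env("KUBEWARDEN_POLICIES")
+.default_value("policies.yml")
+.help("YAML file holding the policies to be loaded and their settings"),
+
+Arg::new("policies-download-dir")
+.long("policies-download-dir")
+.value_name("POLICIES_DOWNLOAD_DIR")
+.default_value(".")
+.env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
+.help("Download path for the policies"),
+
+Arg::new("sigstore-cache-dir")
+.long("sigstore-cache-dir")
+.value_name("SIGSTORE_CACHE_DIR")
+.default_value("sigstore-data")
+.env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
+.help("Directory used to cache sigstore data"),
+
+Arg::new("sources-path")
+.long("sources-path")
+.value_name("SOURCES_PATH")
+.env("KUBEWARDEN_SOURCES_PATH")
+.help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),
+
+Arg::new("verification-path")
+.long("verification-path")
+.value_name("VERIFICATION_CONFIG_PATH")
+.env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
+.help("YAML file holding verification information (URIs, keys, annotations...)"),
+
+Arg::new("docker-config-json-path")
+.long("docker-config-json-path")
+.value_name("DOCKER_CONFIG")
+.env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
+.help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),
+
+Arg::new("enable-metrics")
+.long("enable-metrics")
+.env("KUBEWARDEN_ENABLE_METRICS")
+.action(ArgAction::SetTrue)
+.help("Enable metrics"),
+
+Arg::new("always-accept-admission-reviews-on-namespace")
+.long("always-accept-admission-reviews-on-namespace")
+.value_name("NAMESPACE")
+.env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
+.required(false)
+.help("Always accept AdmissionReviews that target the given namespace"),
+
+Arg::new("disable-timeout-protection")
+.long("disable-timeout-protection")
+.action(ArgAction::SetTrue)
+.env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
+.help("Disable policy timeout protection"),
+
+Arg::new("policy-timeout")
+.long("policy-timeout")
+.env("KUBEWARDEN_POLICY_TIMEOUT")
+.value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
+.default_value("2")
+.help("Interrupt policy evaluation after the given time"),
+
+Arg::new("daemon")
+.long("daemon")
+.env("KUBEWARDEN_DAEMON")
+.action(ArgAction::SetTrue)
+.help("If set, runs policy-server in detached mode as a daemon"),
+
+Arg::new("daemon-pid-file")
+.long("daemon-pid-file")
+.env("KUBEWARDEN_DAEMON_PID_FILE")
+.default_value("policy-server.pid")
+.help("Path to the PID file, used only when running in daemon mode"),
+
+Arg::new("daemon-stdout-file")
+.long("daemon-stdout-file")
+.env("KUBEWARDEN_DAEMON_STDOUT_FILE")
+.required(false)
+.help("Path to the file holding stdout, used only when running in daemon mode"),
+
+Arg::new("daemon-stderr-file")
+.long("daemon-stderr-file")
+.env("KUBEWARDEN_DAEMON_STDERR_FILE")
+.required(false)
+.help("Path to the file holding stderr, used only when running in daemon mode"),
+
+Arg::new("ignore-kubernetes-connection-failure")
+.long("ignore-kubernetes-connection-failure")
+.env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
+.action(ArgAction::SetTrue)
+.help("Do not exit with an error if the Kubernetes connection fails. This will cause context-aware policies to break when there's no connection with Kubernetes."),
+
+Arg::new("enable-pprof")
+.long("enable-pprof")
+.env("KUBEWARDEN_ENABLE_PPROF")
+.action(ArgAction::SetTrue)
+.help("Enable pprof profiling"),
+
+Arg::new("continue-on-errors")
+.long("continue-on-errors")
+.env("KUBEWARDEN_CONTINUE_ON_ERRORS")
+.action(ArgAction::SetTrue)
+.hide(true),
 ];
+
 args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
 
 Command::new(crate_name!())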
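Review bot: The `otlp-endpoint` argument (`--otlp-endpoint`, env `OTEL_EXPORTER_OTLP_ENDPOINT`, default `http://localhost:4317`) is removed at old lines 173-177 and nothing in this hunk takes its place; the section's +173/-153 count is fully covered by this one hunk, so after the commit build_cli no longer declares that flag. If the endpoint and the new TLS settings are now declared in another file or read directly by the exporter, a one-line comment above `let mut args = vec![` naming that place, e.g. `// OTLP endpoint and TLS arguments are declared in <otlp args module placeholder>.`, would keep the two lists from drifting apart; if they are not, the documented default and its `--help` entry have been lost. The remaining differences are added blank lines between arguments and help-text wording, which need no further comment. build_cli continues past the end of the hunk.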
