
[Opentelemetry-operator] Provision a TLS Certificate for the OpenTelemetry Operator

Open jainkh opened this issue 1 year ago • 13 comments

I am trying to find documentation or an example of how to manually provision the opentelemetry operator with a TLS certificate. The reason I need to do this is that I already have cert-manager installed in our AKS cluster in another namespace, so installing the opentelemetry operator out of the box does not seem to work.

I have tried creating a cert and key for the operator and a CA cert. I used the following command:

helm install --set admissionWebhooks.certManager.enabled=false --set admissionWebhooks.autoGenerateCert.enabled=false --set admissionWebhooks.cert_file=t:\opentelemetry\operator.crt --set admissionWebhooks.key_file=t:\opentelemetry\operator.key --set admissionWebhooks.ca_file=t:\opentelemetry\ca.crt --namespace kccp-opentelemetry opentelemetry-operator open-telemetry/opentelemetry-operator

Error: INSTALLATION FAILED: values don't meet the specifications of the schema(s) in the following chart(s): opentelemetry-operator:

  • admissionWebhooks: Additional property ca_file is not allowed
  • admissionWebhooks: Additional property key_file is not allowed
  • admissionWebhooks: Additional property cert_file is not allowed

If I try it this way:

helm install --set admissionWebhooks.certManager.enabled=false --set admissionWebhooks.autoGenerateCert.enabled=false --set admissionWebhooks.certFile=t:\opentelemetry\operator.crt --set admissionWebhooks.keyFile=t:\opentelemetry\operator.key --set admissionWebhooks.caFile=t:\opentelemetry\ca.crt --namespace kccp-opentelemetry opentelemetry-operator open-telemetry/opentelemetry-operator

Error: INSTALLATION FAILED: template: opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml:2:23: executing "opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml" at <include "opentelemetry-operator.WebhookCert" .>: error calling include: template: opentelemetry-operator/templates/_helpers.tpl:120:36: executing "opentelemetry-operator.WebhookCert" at <.Values.admissionWebhooks.cert_file>: wrong type for value; expected string; got interface {}

jainkh avatar Apr 15 '24 17:04 jainkh

@TylerHelmuth updated the description

jainkh avatar Apr 15 '24 22:04 jainkh

Can you try either using a values.yaml file or wrapping your file paths in quotes?

TylerHelmuth avatar Apr 15 '24 22:04 TylerHelmuth

@TylerHelmuth wrapping in quotes doesn't work

C:\Users\Himanshu>helm install --set admissionWebhooks.certManager.enabled=false --set admissionWebhooks.autoGenerateCert.enabled=false --set admissionWebhooks.certFile="t:\opentelemetry\operator.crt" --set admissionWebhooks.keyFile="t:\opentelemetry\operator.key" --set admissionWebhooks.caFile="t:\opentelemetry\ca.crt" --namespace kccp-opentelemetry opentelemetry-operator open-telemetry/opentelemetry-operator

Error: INSTALLATION FAILED: template: opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml:2:23: executing "opentelemetry-operator/templates/admission-webhooks/operator-webhook.yaml" at <include "opentelemetry-operator.WebhookCert" .>: error calling include: template: opentelemetry-operator/templates/_helpers.tpl:120:36: executing "opentelemetry-operator.WebhookCert" at <.Values.admissionWebhooks.cert_file>: wrong type for value; expected string; got interface {}

jainkh avatar Apr 16 '24 02:04 jainkh

@jinja2 can you take a look?

TylerHelmuth avatar Apr 16 '24 06:04 TylerHelmuth

@TylerHelmuth or @jinja2 is there any workaround I could try? Can I install just the collector? I believe that also needs cert-manager to be installed in the AKS cluster?

jainkh avatar Apr 16 '24 18:04 jainkh

Let me take a look, the error indicates that I might have missed references to the old variable name. I'll make a fix PR. @jainkh you can use the admissionWebhooks.autoGenerateCert.enabled option so the Helm chart will create one for you. But since you have cert-manager installed already, I think you might be able to set up the release to use a certificate managed by the existing cert-manager by passing in the injection annotation to the webhook. I haven't tried it myself, so I am not sure if you can have the chart not install cert-manager as a subchart but still create the certificate object.

jinja2 avatar Apr 16 '24 19:04 jinja2

Looking at the chart again, it does not try to install cert-manager as a subchart anyway. Not sure why you are not able to use the existing cert-manager to provision the cert then. The readme has some instructions for it here.

jinja2 avatar Apr 16 '24 20:04 jinja2

@jinja2 I have cert-manager installed in a different namespace, and it is an old version like 1.12. I believe this operator expects it to be installed in the cert-manager namespace? I did try earlier but was running into issues. Therefore, I picked this approach of provisioning a TLS certificate managed by us.

jainkh avatar Apr 17 '24 02:04 jainkh

FYI, we did make a new version of the chart, 0.55.2, which should have the fix.

jinja2 avatar Apr 17 '24 15:04 jinja2

@jinja2 or @TylerHelmuth now that the new version is released, shall I try the above commands, or do I need to do something else to get this specific version?

jainkh avatar Apr 17 '24 19:04 jainkh

@TylerHelmuth or @jinja2 any update on this?

jainkh avatar Apr 29 '24 17:04 jainkh

See https://github.com/open-telemetry/opentelemetry-helm-charts/blob/main/charts/opentelemetry-operator/UPGRADING.md#0540-to-0552. Trying with the latest chart version should solve your problem.

TylerHelmuth avatar Apr 29 '24 19:04 TylerHelmuth
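
An added example, not part of the thread and not the chart's own code: when the webhook certificate is provisioned by hand, as in the original post, the serving certificate must chain to the CA file and carry the webhook Service's DNS name as a SAN, and the key must match the certificate. The Service name `opentelemetry-operator-webhook` and the CA subject are assumptions; the namespace is the one used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the chart): issue a private CA and a
# webhook serving certificate, then run the checks the API server depends on.
# ASSUMPTION: the Service name used below is a placeholder; confirm the real
# one with `kubectl get svc -n <namespace>` before issuing a certificate.

make_webhook_cert() (   # args: service namespace output-dir
  svc=$1 ns=$2 out=$3
  umask 077             # private keys must not be group/world readable
  mkdir -p "$out" || exit 1
  # Self-signed CA; ca.crt is what the webhook configuration trusts (caBundle).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=otel-operator-webhook-ca" \
    -keyout "$out/ca.key" -out "$out/ca.crt" || exit 1
  # Serving key and CSR for the operator webhook.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$svc.$ns.svc" \
    -keyout "$out/operator.key" -out "$out/operator.csr" || exit 1
  # The API server dials <service>.<namespace>.svc and matches that name
  # against the SAN list; Go TLS clients ignore the CN.
  printf 'subjectAltName=DNS:%s.%s.svc,DNS:%s.%s.svc.cluster.local\nextendedKeyUsage=serverAuth\n' \
    "$svc" "$ns" "$svc" "$ns" > "$out/san.ext"
  openssl x509 -req -in "$out/operator.csr" -days 365 \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/san.ext" -out "$out/operator.crt" || exit 1
)

check_webhook_cert() (  # args: service namespace output-dir; exit 0 when usable
  svc=$1 ns=$2 out=$3
  # 1. Chain: operator.crt must verify against ca.crt.
  openssl verify -CAfile "$out/ca.crt" "$out/operator.crt" >/dev/null 2>&1 || exit 1
  # 2. Name: the Service DNS name must be covered by a SAN.
  openssl x509 -in "$out/operator.crt" -noout -checkhost "$svc.$ns.svc" \
    | grep -q 'does match' || exit 1
  # 3. Key: operator.key must be the private key for operator.crt.
  [ "$(openssl x509 -in "$out/operator.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/operator.key" -pubout)" ] || exit 1
)

# Demo in a throwaway directory; the namespace is the one used in the thread.
demo_dir=$(mktemp -d)
make_webhook_cert opentelemetry-operator-webhook kccp-opentelemetry "$demo_dir" \
  && check_webhook_cert opentelemetry-operator-webhook kccp-opentelemetry "$demo_dir" \
  && echo "certificate usable for the webhook Service"
```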