Skip to content

Commit

Permalink
Merge pull request #998 from fabriziosestito/feat/add-otlp-tls-flags
Browse files Browse the repository at this point in the history 
feat: add otlp tls configuration
  • Loading branch information
@fabriziosestito
fabriziosestito authored Dec 11, 2024
2 parents 7a38476 + f0879b1 commit 63f80a8
Show file tree
Hide file tree
Showing 10 changed files with 354 additions and 211 deletions.
3 changes: 3 additions & 0 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 7 additions & 2 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ k8s-openapi = { version = "0.23.0", default-features = false, features = [
lazy_static = "1.4.0"
mime = "0.3"
num_cpus = "1.16.0"
opentelemetry-otlp = { version = "0.27.0", features = ["metrics", "tonic"] }
opentelemetry-otlp = { version = "0.27.0", features = [
"metrics",
"tonic",
"tls",
] }
opentelemetry = { version = "0.27.0", default-features = false, features = [
"metrics",
"trace",
Expand Down Expand Up @@ -61,6 +65,7 @@ tikv-jemallocator = { version = "0.5.4", features = [
jemalloc_pprof = "0.4.1"
tikv-jemalloc-ctl = "0.5.4"
rhai = { version = "1.19.0", features = ["sync"] }
tonic = { version = "0.12.3" }

[target.'cfg(target_os = "linux")'.dependencies]
inotify = "0.11"
Expand All @@ -74,9 +79,9 @@ tower = { version = "0.5", features = ["util"] }
http-body-util = "0.1.1"
testcontainers = { version = "0.23", features = ["watchdog"] }
backon = { version = "1.3", features = ["tokio-sleep"] }
rcgen = { version = "0.13", features = ["crypto"] }

[target.'cfg(target_os = "linux")'.dev-dependencies]
rcgen = { version = "0.13", features = ["crypto"] }
openssl = "0.10"
reqwest = { version = "0.12", default-features = false, features = [
"charset",
Expand Down
326 changes: 173 additions & 153 deletions src/cli.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,160 +22,180 @@ lazy_static! {

pub(crate) fn build_cli() -> Command {
let mut args = vec![
Arg::new("log-level")
.long("log-level")
.value_name("LOG_LEVEL")
.env("KUBEWARDEN_LOG_LEVEL")
.default_value("info")
.value_parser([
PossibleValue::new("trace"),
PossibleValue::new("debug"),
PossibleValue::new("info"),
PossibleValue::new("warn"),
PossibleValue::new("error"),
])
.help("Log level"),
Arg::new("log-fmt")
.long("log-fmt")
.value_name("LOG_FMT")
.env("KUBEWARDEN_LOG_FMT")
.default_value("text")
.value_parser([
PossibleValue::new("text"),
PossibleValue::new("json"),
PossibleValue::new("otlp"),
])
.help("Log output format"),
Arg::new("log-no-color")
.long("log-no-color")
.env("NO_COLOR")
.action(ArgAction::SetTrue)
.help("Disable colored output for logs"),
Arg::new("address")
.long("addr")
.value_name("BIND_ADDRESS")
.default_value("0.0.0.0")
.env("KUBEWARDEN_BIND_ADDRESS")
.help("Bind against ADDRESS"),
Arg::new("port")
.long("port")
.value_name("PORT")
.default_value("3000")
.env("KUBEWARDEN_PORT")
.help("Listen on PORT"),
Arg::new("workers")
.long("workers")
.value_name("WORKERS_NUMBER")
.env("KUBEWARDEN_WORKERS")
.help("Number of workers thread to create"),
Arg::new("cert-file")
.long("cert-file")
.value_name("CERT_FILE")
.default_value("")
.env("KUBEWARDEN_CERT_FILE")
.help("Path to an X.509 certificate file for HTTPS"),
Arg::new("key-file")
.long("key-file")
.value_name("KEY_FILE")
.default_value("")
.env("KUBEWARDEN_KEY_FILE")
.help("Path to an X.509 private key file for HTTPS"),
Arg::new("policies")
.long("policies")
.value_name("POLICIES_FILE")
.env("KUBEWARDEN_POLICIES")
.default_value("policies.yml")
.help("YAML file holding the policies to be loaded and their settings"),
Arg::new("policies-download-dir")
.long("policies-download-dir")
.value_name("POLICIES_DOWNLOAD_DIR")
.default_value(".")
.env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
.help("Download path for the policies"),
Arg::new("sigstore-cache-dir")
.long("sigstore-cache-dir")
.value_name("SIGSTORE_CACHE_DIR")
.default_value("sigstore-data")
.env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
.help("Directory used to cache sigstore data"),
Arg::new("sources-path")
.long("sources-path")
.value_name("SOURCES_PATH")
.env("KUBEWARDEN_SOURCES_PATH")
.help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),
Arg::new("verification-path")
.long("verification-path")
.value_name("VERIFICATION_CONFIG_PATH")
.env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
.help("YAML file holding verification information (URIs, keys, annotations...)"),
Arg::new("docker-config-json-path")
.long("docker-config-json-path")
.value_name("DOCKER_CONFIG")
.env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
.help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),
Arg::new("enable-metrics")
.long("enable-metrics")
.env("KUBEWARDEN_ENABLE_METRICS")
.action(ArgAction::SetTrue)
.help("Enable metrics"),
Arg::new("always-accept-admission-reviews-on-namespace")
.long("always-accept-admission-reviews-on-namespace")
.value_name("NAMESPACE")
.env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
.required(false)
.help("Always accept AdmissionReviews that target the given namespace"),
Arg::new("disable-timeout-protection")
.long("disable-timeout-protection")
.action(ArgAction::SetTrue)
.env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
.help("Disable policy timeout protection"),
Arg::new("policy-timeout")
.long("policy-timeout")
.env("KUBEWARDEN_POLICY_TIMEOUT")
.value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
.default_value("2")
.help("Interrupt policy evaluation after the given time"),
Arg::new("daemon")
.long("daemon")
.env("KUBEWARDEN_DAEMON")
.action(ArgAction::SetTrue)
.help("If set, runs policy-server in detached mode as a daemon"),
Arg::new("daemon-pid-file")
.long("daemon-pid-file")
.env("KUBEWARDEN_DAEMON_PID_FILE")
.default_value("policy-server.pid")
.help("Path to pid file, used only when running in daemon mode"),
Arg::new("daemon-stdout-file")
.long("daemon-stdout-file")
.env("KUBEWARDEN_DAEMON_STDOUT_FILE")
.required(false)
.help("Path to file holding stdout, used only when running in daemon mode"),
Arg::new("daemon-stderr-file")
.long("daemon-stderr-file")
.env("KUBEWARDEN_DAEMON_STDERR_FILE")
.required(false)
.help("Path to file holding stderr, used only when running in daemon mode"),
Arg::new("ignore-kubernetes-connection-failure")
.long("ignore-kubernetes-connection-failure")
.env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
.action(ArgAction::SetTrue)
.help("Do not exit with an error if the Kubernetes connection fails. This will cause context aware policies to break when there's no connection with Kubernetes."),
Arg::new("enable-pprof")
.long("enable-pprof")
.env("KUBEWARDEN_ENABLE_PPROF")
.action(ArgAction::SetTrue)
.help("Enable pprof profiling"),
Arg::new("continue-on-errors")
.long("continue-on-errors")
.env("KUBEWARDEN_CONTINUE_ON_ERRORS")
.action(ArgAction::SetTrue)
.hide(true),
Arg::new("otlp-endpoint")
.long("otlp-endpoint")
.env("OTEL_EXPORTER_OTLP_ENDPOINT")
.default_value("http://localhost:4317")
.help("The OTLP gRPC endpoint for exporting traces and metrics.")
Arg::new("log-level")
.long("log-level")
.value_name("LOG_LEVEL")
.env("KUBEWARDEN_LOG_LEVEL")
.default_value("info")
.value_parser([
PossibleValue::new("trace"),
PossibleValue::new("debug"),
PossibleValue::new("info"),
PossibleValue::new("warn"),
PossibleValue::new("error"),
])
.help("Log level"),

Arg::new("log-fmt")
.long("log-fmt")
.value_name("LOG_FMT")
.env("KUBEWARDEN_LOG_FMT")
.default_value("text")
.value_parser([
PossibleValue::new("text"),
PossibleValue::new("json"),
PossibleValue::new("otlp"),
])
.help("Log output format"),

Arg::new("log-no-color")
.long("log-no-color")
.env("NO_COLOR")
.action(ArgAction::SetTrue)
.help("Disable colored output for logs"),

Arg::new("address")
.long("addr")
.value_name("BIND_ADDRESS")
.default_value("0.0.0.0")
.env("KUBEWARDEN_BIND_ADDRESS")
.help("Bind against ADDRESS"),

Arg::new("port")
.long("port")
.value_name("PORT")
.default_value("3000")
.env("KUBEWARDEN_PORT")
.help("Listen on PORT"),

Arg::new("workers")
.long("workers")
.value_name("WORKERS_NUMBER")
.env("KUBEWARDEN_WORKERS")
.help("Number of worker threads to create"),

Arg::new("cert-file")
.long("cert-file")
.value_name("CERT_FILE")
.default_value("")
.env("KUBEWARDEN_CERT_FILE")
.help("Path to an X.509 certificate file for HTTPS"),

Arg::new("key-file")
.long("key-file")
.value_name("KEY_FILE")
.default_value("")
.env("KUBEWARDEN_KEY_FILE")
.help("Path to an X.509 private key file for HTTPS"),

Arg::new("policies")
.long("policies")
.value_name("POLICIES_FILE")
.env("KUBEWARDEN_POLICIES")
.default_value("policies.yml")
.help("YAML file holding the policies to be loaded and their settings"),

Arg::new("policies-download-dir")
.long("policies-download-dir")
.value_name("POLICIES_DOWNLOAD_DIR")
.default_value(".")
.env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
.help("Download path for the policies"),

Arg::new("sigstore-cache-dir")
.long("sigstore-cache-dir")
.value_name("SIGSTORE_CACHE_DIR")
.default_value("sigstore-data")
.env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
.help("Directory used to cache sigstore data"),

Arg::new("sources-path")
.long("sources-path")
.value_name("SOURCES_PATH")
.env("KUBEWARDEN_SOURCES_PATH")
.help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),

Arg::new("verification-path")
.long("verification-path")
.value_name("VERIFICATION_CONFIG_PATH")
.env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
.help("YAML file holding verification information (URIs, keys, annotations...)"),

Arg::new("docker-config-json-path")
.long("docker-config-json-path")
.value_name("DOCKER_CONFIG")
.env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
.help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),

Arg::new("enable-metrics")
.long("enable-metrics")
.env("KUBEWARDEN_ENABLE_METRICS")
.action(ArgAction::SetTrue)
.help("Enable metrics"),

Arg::new("always-accept-admission-reviews-on-namespace")
.long("always-accept-admission-reviews-on-namespace")
.value_name("NAMESPACE")
.env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
.required(false)
.help("Always accept AdmissionReviews that target the given namespace"),

Arg::new("disable-timeout-protection")
.long("disable-timeout-protection")
.action(ArgAction::SetTrue)
.env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
.help("Disable policy timeout protection"),

Arg::new("policy-timeout")
.long("policy-timeout")
.env("KUBEWARDEN_POLICY_TIMEOUT")
.value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
.default_value("2")
.help("Interrupt policy evaluation after the given time"),

Arg::new("daemon")
.long("daemon")
.env("KUBEWARDEN_DAEMON")
.action(ArgAction::SetTrue)
.help("If set, runs policy-server in detached mode as a daemon"),

Arg::new("daemon-pid-file")
.long("daemon-pid-file")
.env("KUBEWARDEN_DAEMON_PID_FILE")
.default_value("policy-server.pid")
.help("Path to the PID file, used only when running in daemon mode"),

Arg::new("daemon-stdout-file")
.long("daemon-stdout-file")
.env("KUBEWARDEN_DAEMON_STDOUT_FILE")
.required(false)
.help("Path to the file holding stdout, used only when running in daemon mode"),

Arg::new("daemon-stderr-file")
.long("daemon-stderr-file")
.env("KUBEWARDEN_DAEMON_STDERR_FILE")
.required(false)
.help("Path to the file holding stderr, used only when running in daemon mode"),

Arg::new("ignore-kubernetes-connection-failure")
.long("ignore-kubernetes-connection-failure")
.env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
.action(ArgAction::SetTrue)
.help("Do not exit with an error if the Kubernetes connection fails. This will cause context-aware policies to break when there's no connection with Kubernetes."),

Arg::new("enable-pprof")
.long("enable-pprof")
.env("KUBEWARDEN_ENABLE_PPROF")
.action(ArgAction::SetTrue)
.help("Enable pprof profiling"),

Arg::new("continue-on-errors")
.long("continue-on-errors")
.env("KUBEWARDEN_CONTINUE_ON_ERRORS")
.action(ArgAction::SetTrue)
.hide(true),
];

args.sort_by(|a, b| a.get_id().cmp(b.get_id()));

Command::new(crate_name!())
Expand Down
Loading

0 comments on commit 63f80a8

Please sign in to comment.