Complex pipeline where evertything is TLS encrypted and certs are rotated (#157)

* Complex pipeline where evertything is TLS encrypted and certs are rotated

Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>

* Update examples/pipelines-tls/setup.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update examples/vllm/setup.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update examples/otel-operator/setup.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>

* Update dashboard and add SSL comm betweek KEDA and OTel Scaler

Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>

---------

Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jkremser

examples/otel-operator/setup.sh

@@ -4,7 +4,10 @@ DIR="${DIR:-$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )}"
 #export PR_BRANCH=
 #export GH_PAT=
 
-command -v figlet &> /dev/null && figlet -w155 OTel Operator + GitHub receiver
+command -v figlet &> /dev/null && {
+  __wid=$(/usr/bin/tput cols) && _wid=$((__wid<155?__wid:155))
+  figlet -w${_wid} OTel Operator + GitHub receiver
+}
 [ -z "${PR_BRANCH}" ] && echo "Set PR_BRANCH env variable to a branch name from which a PR is opened against kedify/otel-add-on repo" && exit 1
 [ -z "${GH_PAT}" ] && echo "Set GH_PAT env variable to a PAT token that has read permissions for content on kedify/otel-add-on repo"  && exit 1
 

examples/pipelines-tls/architecture-simple.mermaid

@@ -0,0 +1,11 @@
+%% mermaid-ascii -f architecture-simple.mermaid -x 18 > architecture.ascii
+
+graph LR
+classDef red color:#ff0000
+nginxN -->|OTLP/gRPC| router:::red
+router:::red -->|Remote-Write| Prometheus
+router:::red -->|OTLP/gRPC| KEDA-Scaler
+Prometheus -->|HTTP| Grafana
+KEDA-Scaler -->|gRPC| KEDA
+
+OTelOperator

examples/pipelines-tls/architecture.ascii

@@ -0,0 +1,16 @@
+┌──────────────┐                  ┌───────────┐                  ┌─────────────┐                  ┌─────────┐
+│              │                  │           │                  │             │                  │         │
+│    nginxN    ├────OTLP/gRPC────►│   router  ├──Remote-Write───►│  Prometheus ├──────HTTP───────►│ Grafana │
+│              │                  │           │                  │             │                  │         │
+└──────────────┘                  └─────┬─────┘                  └─────────────┘                  └─────────┘
+                                        │                                                                    
+                                        │                                                                    
+                                        │                                                                    
+                                    OTLP/gRPC                                                                
+                                        │                                                                    
+┌──────────────┐                        │                        ┌─────────────┐                  ┌─────────┐
+│              │                        │                        │             │                  │         │
+│ OTelOperator │                        └───────────────────────►│ KEDA-Scaler ├──────gRPC───────►│   KEDA  │
+│              │                                                 │             │                  │         │
+└──────────────┘                                                 └─────────────┘                  └─────────┘
+

examples/pipelines-tls/architecture.mermaid

@@ -0,0 +1,14 @@
+%% mmdc -i architecture.mermaid -o architecture.svg
+
+graph LR
+subgraph workloads
+    1
+    2
+    3
+end
+1(nginx1) & 2(nginx2) & 3(nginxN) --OTLP/gRPC--> R{router}
+R --OTLP/gRPC--> KS(KEDA Scaler)
+KS <--gRPC--> K[KEDA]
+R --Remote-Write--> P[Prometheus]
+P ~~~ G[Grafana] <--HTTP--> P
+G ~~~ P

examples/pipelines-tls/architecture.svg

@@ -0,0 +1,169 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: keda-otel-root-ca-issuer-selfsigned
+spec:
+  selfSigned: {}
+---
+# kubectl get secret keda-otel-root-ca-secret -n cert-manager -o jsonpath='{.data.tls\.crt}' |  base64 --decode | openssl x509 -noout -text
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: keda-otel-root-ca-cert
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: keda-otel-root-ca
+  secretName: keda-otel-root-ca-secret
+  duration: 87600h # 10y
+  renewBefore: 78840h # 9y
+  privateKey:
+    rotationPolicy: Always
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: keda-otel-ca-issuer
+spec:
+  ca:
+    secretName: keda-otel-root-ca-secret
+---
+# this CR will make sure the CA cert is available in all k8s namespaces
+# if we don't want to expose the root CA directly, we would create an intermediate CA signed by root CA and expose
+# this one to a sub set of services
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: keda-otel-root-ca-bundle
+  namespace: cert-manager
+spec:
+  sources:
+    - useDefaultCAs: false
+    - secret:
+        name: keda-otel-root-ca-secret
+        key: "tls.crt"
+  target:
+    secret:
+      key: "rootCA.crt"
+---
+# CERTS:
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: router-collector-cert
+  namespace: observability
+spec:
+  secretName: router-collector-cert-secret
+  duration: 1h
+  renewBefore: 45m
+  privateKey:
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "router-collector.observability.svc.cluster.local"
+    - "router-collector.observability.svc"
+    - "router-collector"
+  issuerRef:
+    name:  keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: sidecar-collector-cert
+  namespace: app
+spec:
+  secretName: sidecar-collector-cert-secret
+  duration: 1h
+  renewBefore: 45m
+  privateKey:
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "nginx.app.svc.cluster.local"
+    - "nginx.app.svc"
+    - "nginx"
+  issuerRef:
+    name:  keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: keda-otel-scaler-cert
+  namespace: keda
+spec:
+  secretName: keda-otel-scaler-cert-secret
+  duration: 1h
+  renewBefore: 45m
+  privateKey:
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "keda-otel-scaler.keda.svc.cluster.local"
+    - "keda-otel-scaler.keda.svc"
+    - "keda-otel-scaler"
+  issuerRef:
+    name:  keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: prometheus-cert
+  namespace: observability
+spec:
+  secretName: prometheus-cert-secret
+  duration: 1h
+  renewBefore: 45m
+  privateKey:
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "prometheus.observability.svc.cluster.local"
+    - "prometheus.observability.svc"
+    - "prometheus"
+  issuerRef:
+    name:  keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-cert
+  namespace: observability
+spec:
+  secretName: grafana-cert-secret
+  duration: 1h
+  renewBefore: 45m
+  privateKey:
+    rotationPolicy: Always
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - "grafana.observability.svc.cluster.local"
+    - "grafana.observability.svc"
+    - "grafana"
+  issuerRef:
+    name:  keda-otel-root-ca-issuer-selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io