add CA to Otel exporter on startup

pdabelf5 · pdabelf5 · commit 568bcdb8b334 · 2025-05-13T10:02:55.000+01:00
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -182,13 +182,18 @@ func main() {
 	if err != nil {
 		logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
 	}
+
 	globalConfigurationValidator := createGlobalConfigurationValidator()
 
 	mustProcessGlobalConfiguration(ctx)
 
 	cfgParams := configs.NewDefaultConfigParams(ctx, *nginxPlus)
 	cfgParams = processConfigMaps(kubeClient, cfgParams, nginxManager, templateExecutor, eventRecorder)
 
+	if err := processOtelTrustedCertSecret(kubeClient, nginxManager, cfgParams, controllerNamespace); err != nil {
+		logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
+	}
+
 	staticCfgParams := &configs.StaticConfigParams{
 		DisableIPV6:                    *disableIPV6,
 		DefaultHTTPListenerPort:        *defaultHTTPListenerPort,
@@ -385,6 +390,23 @@ func processMgmtTrustedCertSecret(kubeClient *kubernetes.Clientset, nginxManager
 	return nil
 }
 
+func processOtelTrustedCertSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager, cfgParams *configs.ConfigParams, controllerNamespace string) error {
+	if cfgParams.MainOtelExporterTrustedCA == "" {
+		return nil
+	}
+
+	trustedCertSecretNsName := controllerNamespace + "/" + cfgParams.MainOtelExporterTrustedCA
+
+	secret, err := getAndValidateSecret(kubeClient, trustedCertSecretNsName, secrets.SecretTypeCA)
+	if err != nil {
+		return fmt.Errorf("error trying to get the trusted cert secret %v: %w", trustedCertSecretNsName, err)
+	}
+
+	caBytes, _ := configs.GenerateCAFileContent(secret)
+	nginxManager.CreateSecret(fmt.Sprintf("%s-%s-%s", controllerNamespace, cfgParams.MainOtelExporterTrustedCA, configs.CACrtKey), caBytes, nginx.ReadWriteOnlyFileMode)
+	return nil
+}
+
 func mustCreateConfigAndKubeClient(ctx context.Context) (*rest.Config, *kubernetes.Clientset) {
 	l := nl.LoggerFromContext(ctx)
 	var config *rest.Config
diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go
@@ -1012,7 +1012,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		MainOtelLoadModule:                 config.MainOtelLoadModule,
 		MainOtelGlobalTraceEnabled:         config.MainOtelGlobalTraceEnabled,
 		MainOtelExporterEndpoint:           config.MainOtelExporterEndpoint,
-		MainOtelExporterTrustedCA:          config.MainOtelExporterTrustedCA,
+		MainOtelExporterTrustedCA:          fmt.Sprintf("%s-%s-%s", os.Getenv("POD_NAMESPACE"), config.MainOtelExporterTrustedCA, CACrtKey),
 		MainOtelExporterHeaderName:         config.MainOtelExporterHeaderName,
 		MainOtelExporterHeaderValue:        config.MainOtelExporterHeaderValue,
 		MainOtelServiceName:                config.MainOtelServiceName,
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl
@@ -146,14 +146,14 @@ http {
     ssl_dhparam {{.SSLDHParam}};
     {{- end}}
 
-    {{- if .MainOtelLoadModule}}
+    {{- if .MainOtelLoadModule }}
     otel_exporter {
-        endpoint {{ .MainOtelExporterEndpoint}};
-        {{ if and .MainOtelExporterHeaderName .MainOtelExporterHeaderValue }}
+        endpoint {{ .MainOtelExporterEndpoint }};
+        {{- if and .MainOtelExporterHeaderName .MainOtelExporterHeaderValue }}
         header {{ .MainOtelExporterHeaderName }} "{{ .MainOtelExporterHeaderValue }}";
         {{- end }}
-        {{ if .MainOtelExporterTrustedCA}}
-    #   trusted_certificate <path>;
+        {{- if .MainOtelExporterTrustedCA }}
+        trusted_certificate /etc/nginx/secrets/{{ .MainOtelExporterTrustedCA }};
         {{- end }}
     }
 
diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
@@ -108,14 +108,14 @@ http {
     ssl_dhparam {{.SSLDHParam}};
     {{- end}}
 
-    {{- if .MainOtelLoadModule}}
+    {{- if .MainOtelLoadModule }}
     otel_exporter {
-        endpoint {{ .MainOtelExporterEndpoint}};
+        endpoint {{ .MainOtelExporterEndpoint }};
         {{- if and .MainOtelExporterHeaderName .MainOtelExporterHeaderValue }}
         header {{ .MainOtelExporterHeaderName }} "{{ .MainOtelExporterHeaderValue }}";
         {{- end }}
-        {{- if .MainOtelExporterTrustedCA}}
-    #   trusted_certificate <path>;
+        {{- if .MainOtelExporterTrustedCA }}
+        trusted_certificate /etc/nginx/secrets/{{ .MainOtelExporterTrustedCA }};
         {{- end }}
     }
 
