add policy opentelemetry/inject-otel-environment-variable

Signed-off-by: Damien Degois <damien@degois.info>

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-before-preexisting-env.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-before-preexisting-env
+  namespace: default
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://opentelemetry-collector.opentelemetry-collector:4317
+    - name: TEST_ENV
+      value: test

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-custom-endpoint-ns.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-custom-endpoint-ns
+  namespace: ns-w-custom-endpoint
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://http-collector:4318

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-custom-endpoint-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    otel.corp.org/otlp-endpoint: http://http-collector:4318
+  name: inject-custom-endpoint-pod
+  namespace: default
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://http-collector:4318

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-custom-endpoint.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: default
+  name: inject-custom-endpoint
+  annotations:
+    otel.corp.org/otlp-endpoint: http://custom-endpoint:4318
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://custom-endpoint:4318

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-default.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-default
+  namespace: ns-wo-annotations
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://opentelemetry-collector.opentelemetry-collector:4317

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-ns.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-ns
+  namespace: ns-w-inject-true
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://opentelemetry-collector.opentelemetry-collector:4317

opentelemetry/inject-otel-environment-variable/.kyverno-test/expected/inject-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    otel.corp.org/inject-env-var: "true"
+  name: inject-pod
+  namespace: ns-wo-annotations
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: OTEL_EXPORTER_OTLP_ENDPOINT
+      value: http://opentelemetry-collector.opentelemetry-collector:4317

opentelemetry/inject-otel-environment-variable/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,79 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: inject-otel-environment-variable
+policies:
+  - ../inject-otel-environment-variable.yaml
+resources:
+  - resource.yaml
+variables: values.yaml
+results:
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - no-inject-pod
+    kind: Pod
+    result: skip
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - no-inject-ns
+    kind: Pod
+    result: skip
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-ns
+    patchedResources: expected/inject-ns.yaml
+    kind: Pod
+    result: pass
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-pod
+    patchedResources: expected/inject-pod.yaml
+    kind: Pod
+    result: pass
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-default
+    patchedResources: expected/inject-default.yaml
+    kind: Pod
+    result: pass
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-before-preexisting-env
+    patchedResources: expected/inject-before-preexisting-env.yaml
+    kind: Pod
+    result: pass
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-custom-endpoint-pod
+    patchedResources: expected/inject-custom-endpoint-pod.yaml
+    kind: Pod
+    result: pass
+
+  - policy: inject-otel-environment-variable
+    rule: inject-otel-environment-variable
+    resources:
+    - inject-custom-endpoint-ns
+    patchedResources: expected/inject-custom-endpoint-ns.yaml
+    kind: Pod
+    result: pass
+
+  ## Enable for ConfigMap namespace filtering (see rule comments ConfigMap-NS-Filtering for detail)
+  # - policy: inject-otel-environment-variable
+  #   rule: inject-otel-environment-variable
+  #   resources:
+  #   - no-inject-ns-excluded-by-configmap
+  #   kind: Pod
+  #   result: skip

opentelemetry/inject-otel-environment-variable/.kyverno-test/resource.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: no-inject-pod
+  namespace: ns-wo-annotations
+  annotations:
+    otel.corp.org/inject-env-var: "false"
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: no-inject-ns
+  namespace: ns-w-inject-false
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-ns
+  namespace: ns-w-inject-true
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-pod
+  namespace: ns-wo-annotations
+  annotations:
+    otel.corp.org/inject-env-var: "true"
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-default
+  namespace: ns-wo-annotations
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-before-preexisting-env
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+    env:
+    - name: TEST_ENV
+      value: test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-custom-endpoint-pod
+  annotations:
+    otel.corp.org/otlp-endpoint: http://http-collector:4318
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: inject-custom-endpoint-ns
+  namespace: ns-w-custom-endpoint
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: no-inject-ns-excluded-by-configmap
+  namespace: ns-excluded-by-configmap
+spec:
+  containers:
+  - name: debdiag
+    image: ghcr.io/babs/debdiag:0

opentelemetry/inject-otel-environment-variable/.kyverno-test/values.yaml

@@ -0,0 +1,24 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+policies:
+- name: inject-otel-environment-variable
+  rules:
+  - name: inject-otel-environment-variable
+    values:
+      namespacefilters.data.exclude: '["ns-excluded-by-configmap"]'
+      # Global Reference simulation
+      namespaces:
+      - metadata:
+          name: ns-wo-annotations
+      - metadata:
+          name: ns-w-inject-true
+          annotations:
+            otel.corp.org/inject-env-var: "true"
+      - metadata:
+          name: ns-w-inject-false
+          annotations:
+            otel.corp.org/inject-env-var: "false"
+      - metadata:
+          name: ns-w-custom-endpoint
+          annotations:
+            otel.corp.org/otlp-endpoint: "http://http-collector:4318"

opentelemetry/inject-otel-environment-variable/artifacthub-pkg.yml

@@ -0,0 +1,34 @@
+name: inject-otel-environment-variable
+version: 1.0.0
+displayName: Inject OpenTelemetry environment variable
+createdAt: "2024-12-27T00:00:00.000Z"
+description: >-
+  Injects OpenTelemetry `OTEL_EXPORTER_OTLP_ENDPOINT` env var in `containers` and `initContainers`.
+  Injection can be controlled by `otel.corp.org/inject-env-var: "false"` annotation on the Pod or at the Namespace level.
+  Value of the injected env var can also be overridden per Pod or Namespace via `otel.corp.org/otlp-endpoint: "http://xxxx:4317"` annotation.
+  The env var will be injected first, meaning that if one is already declared, the later will takes precedence over the injected one.
+  To avoid stress on the control plane API, a GlobalContextEntry containing Namespaces has to be declared (group: '', version: v1, resource: namespaces)
+  and `cache.kyverno.io/enabled: "true"` should be set on the `namespacefilters` ConfigMap (see rule comments ConfigMap-NS-Filtering).
+install: |-
+  ```shell
+  kubectl apply \
+    -f https://raw.githubusercontent.com/kyverno/policies/main/opentelemetry/inject-otel-environment-variable/globalcontext.yaml
+    -f https://raw.githubusercontent.com/kyverno/policies/main/opentelemetry/inject-otel-environment-variable/inject-otel-environment-variable.yaml
+  ```
+keywords:
+  - kyverno
+  - OpenTelemetry
+readme: |
+  Injects OpenTelemetry `OTEL_EXPORTER_OTLP_ENDPOINT` env var in `containers` and `initContainers`.
+  Injection can be controlled by `otel.corp.org/inject-env-var: "false"` annotation on the Pod or at the Namespace level.
+  Value of the injected env var can also be overridden per Pod or Namespace via `otel.corp.org/otlp-endpoint: "http://xxxx:4317"` annotation.
+  The env var will be injected first, meaning that if one is already declared, the later will takes precedence over the injected one.
+  To avoid stress on the control plane API, a GlobalContextEntry containing Namespaces has to be declared (group: '', version: v1, resource: namespaces)
+  and `cache.kyverno.io/enabled: "true"` should be set on the `namespacefilters` ConfigMap (see rule comments ConfigMap-NS-Filtering).
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/version: "1.13.0"
+  kyverno/category: "OpenTelemetry"
+  kyverno/subject: "Pod"
+digest: ffa101097cabaa69e4c3ddfa07d7d4526c5e9a4e32005d794ab37f6c118d6df9

opentelemetry/inject-otel-environment-variable/globalcontext.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2alpha1
+kind: GlobalContextEntry
+metadata:
+  name: namespaces
+spec:
+  kubernetesResource:
+    group: ''
+    version: v1
+    resource: namespaces