feat: add otlp tls configuration

Cargo.toml

@@ -23,7 +23,11 @@ k8s-openapi = { version = "0.23.0", default-features = false, features = [
 lazy_static = "1.4.0"
 mime = "0.3"
 num_cpus = "1.16.0"
-opentelemetry-otlp = { version = "0.27.0", features = ["metrics", "tonic"] }
+opentelemetry-otlp = { version = "0.27.0", features = [
+  "metrics",
+  "tonic",
+  "tls",
+] }
 opentelemetry = { version = "0.27.0", default-features = false, features = [
   "metrics",
   "trace",
@@ -61,6 +65,7 @@ tikv-jemallocator = { version = "0.5.4", features = [
 jemalloc_pprof = "0.4.1"
 tikv-jemalloc-ctl = "0.5.4"
 rhai = { version = "1.19.0", features = ["sync"] }
+tonic = { version = "0.12.3" }
 
 [target.'cfg(target_os = "linux")'.dependencies]
 inotify = "0.11"
@@ -74,9 +79,9 @@ tower = { version = "0.5", features = ["util"] }
 http-body-util = "0.1.1"
 testcontainers = { version = "0.23", features = ["watchdog"] }
 backon = { version = "1.3", features = ["tokio-sleep"] }
+rcgen = { version = "0.13", features = ["crypto"] }
 
 [target.'cfg(target_os = "linux")'.dev-dependencies]
-rcgen = { version = "0.13", features = ["crypto"] }
 openssl = "0.10"
 reqwest = { version = "0.12", default-features = false, features = [
   "charset",

src/cli.rs

@@ -22,160 +22,180 @@ lazy_static! {
 
 pub(crate) fn build_cli() -> Command {
     let mut args = vec![
-            Arg::new("log-level")
-                .long("log-level")
-                .value_name("LOG_LEVEL")
-                .env("KUBEWARDEN_LOG_LEVEL")
-                .default_value("info")
-                .value_parser([
-                    PossibleValue::new("trace"),
-                    PossibleValue::new("debug"),
-                    PossibleValue::new("info"),
-                    PossibleValue::new("warn"),
-                    PossibleValue::new("error"),
-                ])
-                .help("Log level"),
-            Arg::new("log-fmt")
-                .long("log-fmt")
-                .value_name("LOG_FMT")
-                .env("KUBEWARDEN_LOG_FMT")
-                .default_value("text")
-                .value_parser([
-                    PossibleValue::new("text"),
-                    PossibleValue::new("json"),
-                    PossibleValue::new("otlp"),
-                ])
-                .help("Log output format"),
-            Arg::new("log-no-color")
-                .long("log-no-color")
-                .env("NO_COLOR")
-                .action(ArgAction::SetTrue)
-                .help("Disable colored output for logs"),
-            Arg::new("address")
-                .long("addr")
-                .value_name("BIND_ADDRESS")
-                .default_value("0.0.0.0")
-                .env("KUBEWARDEN_BIND_ADDRESS")
-                .help("Bind against ADDRESS"),
-            Arg::new("port")
-                .long("port")
-                .value_name("PORT")
-                .default_value("3000")
-                .env("KUBEWARDEN_PORT")
-                .help("Listen on PORT"),
-            Arg::new("workers")
-                .long("workers")
-                .value_name("WORKERS_NUMBER")
-                .env("KUBEWARDEN_WORKERS")
-                .help("Number of workers thread to create"),
-            Arg::new("cert-file")
-                .long("cert-file")
-                .value_name("CERT_FILE")
-                .default_value("")
-                .env("KUBEWARDEN_CERT_FILE")
-                .help("Path to an X.509 certificate file for HTTPS"),
-            Arg::new("key-file")
-                .long("key-file")
-                .value_name("KEY_FILE")
-                .default_value("")
-                .env("KUBEWARDEN_KEY_FILE")
-                .help("Path to an X.509 private key file for HTTPS"),
-            Arg::new("policies")
-                .long("policies")
-                .value_name("POLICIES_FILE")
-                .env("KUBEWARDEN_POLICIES")
-                .default_value("policies.yml")
-                .help("YAML file holding the policies to be loaded and their settings"),
-            Arg::new("policies-download-dir")
-                .long("policies-download-dir")
-                .value_name("POLICIES_DOWNLOAD_DIR")
-                .default_value(".")
-                .env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
-                .help("Download path for the policies"),
-            Arg::new("sigstore-cache-dir")
-                .long("sigstore-cache-dir")
-                .value_name("SIGSTORE_CACHE_DIR")
-                .default_value("sigstore-data")
-                .env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
-                .help("Directory used to cache sigstore data"),
-            Arg::new("sources-path")
-                .long("sources-path")
-                .value_name("SOURCES_PATH")
-                .env("KUBEWARDEN_SOURCES_PATH")
-                .help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),
-            Arg::new("verification-path")
-                .long("verification-path")
-                .value_name("VERIFICATION_CONFIG_PATH")
-                .env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
-                .help("YAML file holding verification information (URIs, keys, annotations...)"),
-            Arg::new("docker-config-json-path")
-                .long("docker-config-json-path")
-                .value_name("DOCKER_CONFIG")
-                .env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
-                .help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),
-            Arg::new("enable-metrics")
-                .long("enable-metrics")
-                .env("KUBEWARDEN_ENABLE_METRICS")
-                .action(ArgAction::SetTrue)
-                .help("Enable metrics"),
-            Arg::new("always-accept-admission-reviews-on-namespace")
-                .long("always-accept-admission-reviews-on-namespace")
-                .value_name("NAMESPACE")
-                .env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
-                .required(false)
-                .help("Always accept AdmissionReviews that target the given namespace"),
-            Arg::new("disable-timeout-protection")
-                .long("disable-timeout-protection")
-                .action(ArgAction::SetTrue)
-                .env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
-                .help("Disable policy timeout protection"),
-            Arg::new("policy-timeout")
-                .long("policy-timeout")
-                .env("KUBEWARDEN_POLICY_TIMEOUT")
-                .value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
-                .default_value("2")
-                .help("Interrupt policy evaluation after the given time"),
-            Arg::new("daemon")
-                .long("daemon")
-                .env("KUBEWARDEN_DAEMON")
-                .action(ArgAction::SetTrue)
-                .help("If set, runs policy-server in detached mode as a daemon"),
-            Arg::new("daemon-pid-file")
-                .long("daemon-pid-file")
-                .env("KUBEWARDEN_DAEMON_PID_FILE")
-                .default_value("policy-server.pid")
-                .help("Path to pid file, used only when running in daemon mode"),
-            Arg::new("daemon-stdout-file")
-                .long("daemon-stdout-file")
-                .env("KUBEWARDEN_DAEMON_STDOUT_FILE")
-                .required(false)
-                .help("Path to file holding stdout, used only when running in daemon mode"),
-            Arg::new("daemon-stderr-file")
-                .long("daemon-stderr-file")
-                .env("KUBEWARDEN_DAEMON_STDERR_FILE")
-                .required(false)
-                .help("Path to file holding stderr, used only when running in daemon mode"),
-            Arg::new("ignore-kubernetes-connection-failure")
-                .long("ignore-kubernetes-connection-failure")
-                .env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
-                .action(ArgAction::SetTrue)
-                .help("Do not exit with an error if the Kubernetes connection fails. This will cause context aware policies to break when there's no connection with Kubernetes."),
-            Arg::new("enable-pprof")
-                .long("enable-pprof")
-                .env("KUBEWARDEN_ENABLE_PPROF")
-                .action(ArgAction::SetTrue)
-                .help("Enable pprof profiling"),
-            Arg::new("continue-on-errors")
-                .long("continue-on-errors")
-                .env("KUBEWARDEN_CONTINUE_ON_ERRORS")
-                .action(ArgAction::SetTrue)
-                .hide(true),
-            Arg::new("otlp-endpoint")
-                .long("otlp-endpoint")
-                .env("OTEL_EXPORTER_OTLP_ENDPOINT")
-                .default_value("http://localhost:4317")
-                .help("The OTLP gRPC endpoint for exporting traces and metrics.")
+        Arg::new("log-level")
+            .long("log-level")
+            .value_name("LOG_LEVEL")
+            .env("KUBEWARDEN_LOG_LEVEL")
+            .default_value("info")
+            .value_parser([
+                PossibleValue::new("trace"),
+                PossibleValue::new("debug"),
+                PossibleValue::new("info"),
+                PossibleValue::new("warn"),
+                PossibleValue::new("error"),
+            ])
+            .help("Log level"),
+
+        Arg::new("log-fmt")
+            .long("log-fmt")
+            .value_name("LOG_FMT")
+            .env("KUBEWARDEN_LOG_FMT")
+            .default_value("text")
+            .value_parser([
+                PossibleValue::new("text"),
+                PossibleValue::new("json"),
+                PossibleValue::new("otlp"),
+            ])
+            .help("Log output format"),
+
+        Arg::new("log-no-color")
+            .long("log-no-color")
+            .env("NO_COLOR")
+            .action(ArgAction::SetTrue)
+            .help("Disable colored output for logs"),
+
+        Arg::new("address")
+            .long("addr")
+            .value_name("BIND_ADDRESS")
+            .default_value("0.0.0.0")
+            .env("KUBEWARDEN_BIND_ADDRESS")
+            .help("Bind against ADDRESS"),
+
+        Arg::new("port")
+            .long("port")
+            .value_name("PORT")
+            .default_value("3000")
+            .env("KUBEWARDEN_PORT")
+            .help("Listen on PORT"),
+
+        Arg::new("workers")
+            .long("workers")
+            .value_name("WORKERS_NUMBER")
+            .env("KUBEWARDEN_WORKERS")
+            .help("Number of worker threads to create"),
+
+        Arg::new("cert-file")
+            .long("cert-file")
+            .value_name("CERT_FILE")
+            .default_value("")
+            .env("KUBEWARDEN_CERT_FILE")
+            .help("Path to an X.509 certificate file for HTTPS"),
+
+        Arg::new("key-file")
+            .long("key-file")
+            .value_name("KEY_FILE")
+            .default_value("")
+            .env("KUBEWARDEN_KEY_FILE")
+            .help("Path to an X.509 private key file for HTTPS"),
+
+        Arg::new("policies")
+            .long("policies")
+            .value_name("POLICIES_FILE")
+            .env("KUBEWARDEN_POLICIES")
+            .default_value("policies.yml")
+            .help("YAML file holding the policies to be loaded and their settings"),
+
+        Arg::new("policies-download-dir")
+            .long("policies-download-dir")
+            .value_name("POLICIES_DOWNLOAD_DIR")
+            .default_value(".")
+            .env("KUBEWARDEN_POLICIES_DOWNLOAD_DIR")
+            .help("Download path for the policies"),
+
+        Arg::new("sigstore-cache-dir")
+            .long("sigstore-cache-dir")
+            .value_name("SIGSTORE_CACHE_DIR")
+            .default_value("sigstore-data")
+            .env("KUBEWARDEN_SIGSTORE_CACHE_DIR")
+            .help("Directory used to cache sigstore data"),
+
+        Arg::new("sources-path")
+            .long("sources-path")
+            .value_name("SOURCES_PATH")
+            .env("KUBEWARDEN_SOURCES_PATH")
+            .help("YAML file holding source information (https, registry insecure hosts, custom CA's...)"),
+
+        Arg::new("verification-path")
+            .long("verification-path")
+            .value_name("VERIFICATION_CONFIG_PATH")
+            .env("KUBEWARDEN_VERIFICATION_CONFIG_PATH")
+            .help("YAML file holding verification information (URIs, keys, annotations...)"),
+
+        Arg::new("docker-config-json-path")
+            .long("docker-config-json-path")
+            .value_name("DOCKER_CONFIG")
+            .env("KUBEWARDEN_DOCKER_CONFIG_JSON_PATH")
+            .help("Path to a Docker config.json-like path. Can be used to indicate registry authentication details"),
+
+        Arg::new("enable-metrics")
+            .long("enable-metrics")
+            .env("KUBEWARDEN_ENABLE_METRICS")
+            .action(ArgAction::SetTrue)
+            .help("Enable metrics"),
+
+        Arg::new("always-accept-admission-reviews-on-namespace")
+            .long("always-accept-admission-reviews-on-namespace")
+            .value_name("NAMESPACE")
+            .env("KUBEWARDEN_ALWAYS_ACCEPT_ADMISSION_REVIEWS_ON_NAMESPACE")
+            .required(false)
+            .help("Always accept AdmissionReviews that target the given namespace"),
+
+        Arg::new("disable-timeout-protection")
+            .long("disable-timeout-protection")
+            .action(ArgAction::SetTrue)
+            .env("KUBEWARDEN_DISABLE_TIMEOUT_PROTECTION")
+            .help("Disable policy timeout protection"),
+
+        Arg::new("policy-timeout")
+            .long("policy-timeout")
+            .env("KUBEWARDEN_POLICY_TIMEOUT")
+            .value_name("MAXIMUM_EXECUTION_TIME_SECONDS")
+            .default_value("2")
+            .help("Interrupt policy evaluation after the given time"),
+
+        Arg::new("daemon")
+            .long("daemon")
+            .env("KUBEWARDEN_DAEMON")
+            .action(ArgAction::SetTrue)
+            .help("If set, runs policy-server in detached mode as a daemon"),
+
+        Arg::new("daemon-pid-file")
+            .long("daemon-pid-file")
+            .env("KUBEWARDEN_DAEMON_PID_FILE")
+            .default_value("policy-server.pid")
+            .help("Path to the PID file, used only when running in daemon mode"),
+
+        Arg::new("daemon-stdout-file")
+            .long("daemon-stdout-file")
+            .env("KUBEWARDEN_DAEMON_STDOUT_FILE")
+            .required(false)
+            .help("Path to the file holding stdout, used only when running in daemon mode"),
+
+        Arg::new("daemon-stderr-file")
+            .long("daemon-stderr-file")
+            .env("KUBEWARDEN_DAEMON_STDERR_FILE")
+            .required(false)
+            .help("Path to the file holding stderr, used only when running in daemon mode"),
+
+        Arg::new("ignore-kubernetes-connection-failure")
+            .long("ignore-kubernetes-connection-failure")
+            .env("KUBEWARDEN_IGNORE_KUBERNETES_CONNECTION_FAILURE")
+            .action(ArgAction::SetTrue)
+            .help("Do not exit with an error if the Kubernetes connection fails. This will cause context-aware policies to break when there's no connection with Kubernetes."),
+
+        Arg::new("enable-pprof")
+            .long("enable-pprof")
+            .env("KUBEWARDEN_ENABLE_PPROF")
+            .action(ArgAction::SetTrue)
+            .help("Enable pprof profiling"),
+
+        Arg::new("continue-on-errors")
+            .long("continue-on-errors")
+            .env("KUBEWARDEN_CONTINUE_ON_ERRORS")
+            .action(ArgAction::SetTrue)
+            .hide(true),
     ];
+
     args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
 
     Command::new(crate_name!())