This commit introduces a new script `tenant_isolation_smoke.py` that performs smoke tests to validate tenant isolation in the telemetry storage stack (Tempo + Loki) with mutual TLS enabled. The script checks that traces and logs pushed with specific tenant headers are only accessible to the corresponding tenants, ensuring proper enforcement of multi-tenancy. The tests include pushing a trace and a log entry, followed by assertions to verify access restrictions based on tenant IDs.
# OTLP ingest. Both listeners bind every interface, so the tls block on each
# one is the only gate in front of the pipelines.
# NOTE(review): the ${VAR:default} / ${VAR:?message} placeholders are not the
# collector's own ${env:VAR} form; presumably something renders them before
# the collector loads this file — confirm.
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: '0.0.0.0:4317'
        tls:
          # Server certificate and key. The :? form gives no default, so these
          # variables are mandatory.
          cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
          key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
          # CA bundle that client certificates are verified against (mTLS).
          client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
          # NOTE(review): this switch can be overridden from the environment.
          # Confirm no deployment sets STELLAOPS_OTEL_REQUIRE_CLIENT_CERT to
          # false while the listener is on 0.0.0.0, and confirm the collector
          # build in use accepts this key at all.
          require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}
      http:
        endpoint: '0.0.0.0:4318'
        tls:
          # Same certificate material and client-CA as the gRPC listener.
          cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
          key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
          client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}
          # NOTE(review): same env-overridable switch as on gRPC — see above
          # concern; keep both listeners consistent.
          require_client_certificate: ${STELLAOPS_OTEL_REQUIRE_CLIENT_CERT:true}

processors:
  # Stamps telemetry with the tenant this collector instance is configured for.
  attributes/tenant-tag:
    actions:
      # `insert` only adds the attribute when the incoming data does not
      # already carry the key, so a sender-supplied tenant.id is kept as-is.
      # NOTE(review): if the attribute must always reflect this collector's
      # tenant, `upsert` would overwrite a sender-supplied value — confirm
      # which behaviour is intended.
      # NOTE(review): with STELLAOPS_TENANT_ID unset the tag falls back to
      # the literal "unknown" rather than failing.
      - key: tenant.id
        value: ${STELLAOPS_TENANT_ID:unknown}
        action: insert
  # Batches telemetry before export: up to 1024 items or 5 seconds.
  batch:
    timeout: 5s
    send_batch_size: 1024

exporters:
  # Collector-local output, attached to every pipeline in `service`.
  logging:
    verbosity: normal

  # Metrics scrape endpoint. TLS is on and client_ca_file is set, so scrapers
  # are expected to present a client certificate signed by that CA.
  prometheus:
    endpoint: ${STELLAOPS_OTEL_PROMETHEUS_ENDPOINT:0.0.0.0:9464}
    enable_open_metrics: true
    metric_expiration: 5m
    tls:
      cert_file: ${STELLAOPS_OTEL_TLS_CERT:?STELLAOPS_OTEL_TLS_CERT not set}
      key_file: ${STELLAOPS_OTEL_TLS_KEY:?STELLAOPS_OTEL_TLS_KEY not set}
      client_ca_file: ${STELLAOPS_OTEL_TLS_CA:?STELLAOPS_OTEL_TLS_CA not set}

  # Traces to Tempo over HTTPS with a client certificate.
  otlphttp/tempo:
    endpoint: ${STELLAOPS_TEMPO_ENDPOINT:https://stellaops-tempo:3200}
    compression: gzip
    tls:
      ca_file: ${STELLAOPS_TEMPO_TLS_CA_FILE:/etc/otel-collector/tls/ca.crt}
      cert_file: ${STELLAOPS_TEMPO_TLS_CERT_FILE:/etc/otel-collector/tls/client.crt}
      key_file: ${STELLAOPS_TEMPO_TLS_KEY_FILE:/etc/otel-collector/tls/client.key}
      # Keep server-certificate verification on; do not flip this to true.
      insecure_skip_verify: false
    headers:
      # Tenant selector sent with every export request.
      # NOTE(review): when STELLAOPS_TENANT_ID is unset the collector still
      # starts and ships data under the shared tenant "unknown". For a
      # fail-closed setup use the required form already used for the TLS
      # variables: ${STELLAOPS_TENANT_ID:?STELLAOPS_TENANT_ID not set}
      "X-Scope-OrgID": ${STELLAOPS_TENANT_ID:unknown}

  # Logs to Loki over HTTPS with a client certificate.
  loki/tenant:
    endpoint: ${STELLAOPS_LOKI_ENDPOINT:https://stellaops-loki:3100/loki/api/v1/push}
    # NOTE(review): same "unknown" fallback as the Tempo header above; an
    # unconfigured collector writes into a tenant shared with every other
    # unconfigured collector.
    tenant_id: ${STELLAOPS_TENANT_ID:unknown}
    tls:
      ca_file: ${STELLAOPS_LOKI_TLS_CA_FILE:/etc/otel-collector/tls/ca.crt}
      cert_file: ${STELLAOPS_LOKI_TLS_CERT_FILE:/etc/otel-collector/tls/client.crt}
      key_file: ${STELLAOPS_LOKI_TLS_KEY_FILE:/etc/otel-collector/tls/client.key}
      # Keep server-certificate verification on; do not flip this to true.
      insecure_skip_verify: false
    # The exporter's default exporter/job/instance labels are all turned off.
    default_labels_enabled:
      exporter: false
      job: false
      instance: false
    # NOTE(review): the listing this was taken from lost its indentation; the
    # placement of format / drain_interval / queue / retry_on_failure directly
    # under loki/tenant is inferred — confirm against the file.
    format: json
    drain_interval: 5s
    queue:
      enabled: true
      queue_size: 1024
    retry_on_failure: true

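extensions:
  # Liveness/readiness endpoint. Left on all interfaces so an orchestrator
  # probe can reach it; it is served without TLS here.
  health_check:
    endpoint: ${STELLAOPS_OTEL_HEALTH_ENDPOINT:0.0.0.0:13133}
  # Go runtime profiling endpoint. The extension is configured with an
  # endpoint only (no TLS or client authentication in this file), so the
  # default is loopback: profiles are then reachable only from inside the
  # collector's own network namespace. Set STELLAOPS_OTEL_PPROF_ENDPOINT
  # explicitly when remote profiling is needed, and restrict access at the
  # network layer in that case.
  pprof:
    endpoint: ${STELLAOPS_OTEL_PPROF_ENDPOINT:localhost:1777}
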
service:
  telemetry:
    logs:
      # Collector's own log level; defaults to info.
      level: ${STELLAOPS_OTEL_LOG_LEVEL:info}
  extensions:
    - health_check
    - pprof
  # Every pipeline takes OTLP input, applies the tenant tag, batches, then
  # writes to the logging exporter plus one signal-specific backend.
  pipelines:
    traces:
      receivers:
        - otlp
      processors:
        - attributes/tenant-tag
        - batch
      exporters:
        - logging
        - otlphttp/tempo
    metrics:
      receivers:
        - otlp
      processors:
        - attributes/tenant-tag
        - batch
      exporters:
        - logging
        - prometheus
    logs:
      receivers:
        - otlp
      processors:
        - attributes/tenant-tag
        - batch
      exporters:
        - logging
        - loki/tenant