stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
f30805ad7f5457dac581340d20d3f7a1d3afcbf6
git.stella-ops.org/deploy/telemetry
History
master c1acd04249
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Add tenant isolation smoke test for telemetry stack 
This commit introduces a new script `tenant_isolation_smoke.py` that performs smoke tests to validate tenant isolation in the telemetry storage stack (Tempo + Loki) with mutual TLS enabled. The script checks that traces and logs pushed with specific tenant headers are only accessible to the corresponding tenants, ensuring proper enforcement of multi-tenancy. The tests include pushing a trace and a log entry, followed by assertions to verify access restrictions based on tenant IDs.
2025-11-05 15:09:54 +02:00
..
storage
Align AOC tasks for Excititor and Concelier
2025-10-31 18:50:15 +02:00
.gitignore
Restructure solution layout by module
2025-10-28 15:10:40 +02:00
otel-collector-config.yaml
Add tenant isolation smoke test for telemetry stack
2025-11-05 15:09:54 +02:00
README.md
Restructure solution layout by module
2025-10-28 15:10:40 +02:00

README.md

Telemetry Collector Assets

These assets provision the default OpenTelemetry Collector instance required by DEVOPS-OBS-50-001. The collector acts as the secured ingest point for traces, metrics, and logs emitted by StellaOps services.

Contents

File Purpose
otel-collector-config.yaml Baseline collector configuration (mutual TLS, OTLP receivers, Prometheus exporter).
storage/prometheus.yaml Prometheus scrape configuration tuned for the collector and service tenants.
storage/tempo.yaml Tempo configuration with multitenancy, WAL, and compaction settings.
storage/loki.yaml Loki configuration enabling multitenant log ingestion with retention policies.
storage/tenants/*.yaml Per-tenant overrides for Tempo and Loki rate/retention controls.

Development workflow

  1. Generate development certificates (collector + client) using ops/devops/telemetry/generate_dev_tls.sh.
  2. Launch the collector via docker compose -f docker-compose.telemetry.yaml up.
  3. Launch the storage backends (Prometheus, Tempo, Loki) via docker compose -f docker-compose.telemetry-storage.yaml up.
  4. Run the smoke test: python ops/devops/telemetry/smoke_otel_collector.py.
  5. Explore the storage configuration (storage/README.md) to tune retention/limits.

The smoke test sends OTLP traffic over TLS and asserts the collector accepted traces, metrics, and logs by scraping the Prometheus metrics endpoint.

Kubernetes

The Helm chart consumes the same configuration (see values.yaml). Provide TLS material via a secret referenced by telemetry.collector.tls.secretName, containing ca.crt, tls.crt, and tls.key. Client certificates are required for ingestion and should be issued by the same CA.