fix(nvca): render only the selected OTel collector auth extension#233
fix(nvca): render only the selected OTel collector auth extension#233cr7258 wants to merge 2 commits into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (3)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe OTel collector configuration is rendered per backend, selecting OAuth2 or bearer-token authentication. ConfigMap reconciliation propagates rendering errors, and tests validate authentication modes, client IDs, and collector sections. ChangesOTel authenticator configuration
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant BackendReconciler
participant OTelTemplate
participant ConfigMap
BackendReconciler->>OTelTemplate: Render with backend OAuth2 eligibility
OTelTemplate-->>BackendReconciler: Return config.yaml data
BackendReconciler->>ConfigMap: Store rendered configuration
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies" Comment |
4d58023 to
dc756fa
Compare
|
The Go and Rust CodeQL CI failures on this PR were caused by the fork workflow attempting to post PR comments with a read-only |
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
dc756fa to
243d052
Compare
There was a problem hiding this comment.
could you please also clean this client ID placeholder? keep it as empty.
Signed-off-by: Seven Cheng <sevenc@nvidia.com>
TL;DR
When the NVCA OTel Collector uses SAK-based bearer-token authentication, nvca-operator still includes the unused oauth2client extension in the generated configuration. Because the OAuth2 Token URL is empty in SAK mode, configuration validation fails, and the nvca-otel-collector container enters CrashLoopBackOff, preventing Kubernetes events from being exported to the Event Ledger.
Additional Details
The operator already determines the OTel Collector authentication mode from the
NVCFBackendconfiguration:bearertokenauthis selected for SAK-based authentication.However,
otel_collector_config.yamlpreviously rendered both authentication extensions regardless of the selected mode:In SAK mode, the Collector is configured to authenticate to the Event Ledger using the NGC service API key through
bearertokenauth. OAuth2 is not selected, soNVCA_OTEL_COLLECTOR_OAUTH_TOKEN_URLis populated with an empty value.Although the exporter selects
bearertokenauth, the OTel Collector validates every configured extension during startup. Validation of the unusedoauth2clientextension therefore fails with:As a result, the
nvca-otel-collectorcontainer entersCrashLoopBackOffand never becomes ready.This PR changes the embedded Collector configuration into a mode-aware template:
oauth2client.bearertokenauth.otelCollectorConfigTemplateDataprovides the selected authentication mode to the template.Issues
NO-REF
Nvbug: https://nvbugspro.nvidia.com/bug/6470916
Checklist
Summary by CodeRabbit
config.yaml, including correct handling of empty OAuth client ID when vault is disabled.