Add telemetry toggles

README.md

@@ -105,6 +105,17 @@ _**NOTE:** This technique is not supported on OpenShift platforms. For
               medium: Memory
   ```
 
+## Enabling Tracing
+
+Tracing of CyberArk Secrets Provider for Kubernetes is available using the
+[OpenTelemetry](https://opentelemetry.io/) standard. Tracing is disabled by
+default. You can enable tracing using environment variables.
+
+To enable traces appended to the init container's logs, set the `LOG_TRACES`
+environment variable to `true`. To instead export the traces to a Jaeger server,
+use the `JAEGER_COLLECTOR_URL` environment variable. Traces will include errors
+to assist in troubleshooting.
+
 ## Contributing
 
 We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing

cmd/authenticator/main.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"time"
@@ -15,6 +14,13 @@ import (
 	"github.com/cyberark/conjur-opentelemetry-tracer/pkg/trace"
 )
 
+const (
+	tracerName        = "conjur-authn-k8s-client"
+	tracerService     = "conjur-authn-k8s-client"
+	tracerEnvironment = "production"
+	tracerID          = 1
+)
+
 func main() {
 	// Note: This will log even if the log level is set to "warn" or "error" since that's loaded after this
 	log.Info(log.CAKC048, authenticator.FullVersionName)
@@ -26,8 +32,23 @@ func main() {
 		printErrorAndExit(log.CAKC018)
 	}
 
-	tracer, _ := trace.NewTracerProvider(trace.NoopProviderType, false, trace.TracerProviderConfig{})
-	defer tracer.Shutdown(context.Background())
+	// Create a Tracer and parent Span
+	tracerType, collectorUrl := trace.TypeFromEnv()
+	ctx, tracer, cleanup, err := trace.Create(
+		tracerType,
+		trace.TracerProviderConfig{
+			TracerName:        tracerName,
+			TracerService:     tracerService,
+			TracerEnvironment: tracerEnvironment,
+			TracerID:          tracerID,
+			CollectorURL:      collectorUrl,
+			ConsoleWriter:     os.Stdout,
+		},
+	)
+	if err != nil {
+		printErrorAndExit(err.Error())
+	}
+	defer cleanup(ctx)
 
 	// Create new Authenticator
 	authn, err := authenticator.NewAuthenticator(config)
@@ -45,7 +66,7 @@ func main() {
 
 	err = backoff.Retry(func() error {
 		for {
-			err := authn.AuthenticateWithContext(context.Background())
+			err := authn.AuthenticateWithContext(ctx, tracer)
 			if err != nil {
 				return log.RecordedError(log.CAKC016)
 			}

go.mod

@@ -5,14 +5,14 @@ go 1.19
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
-	github.com/stretchr/testify v1.7.2
-	go.opentelemetry.io/otel v1.7.0
+	github.com/stretchr/testify v1.8.4
 )
 
 require (
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	go.opentelemetry.io/otel v1.7.0 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.7.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.7.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.7.0 // indirect
@@ -23,7 +23,7 @@ require (
 
 require (
 	// Version number used here is ignored
-	github.com/cyberark/conjur-opentelemetry-tracer v1.55.55
+	github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-1321.0.20231010135527-11285e1be165
 	github.com/davecgh/go-spew v1.1.1 // indirect
 )
 
@@ -32,4 +32,4 @@ replace gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c => gopkg.in/yaml.v3
 replace golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 => golang.org/x/sys v0.8.0
 
 // DO NOT EDIT: CHANGES TO THE BELOW LINE WILL BREAK AUTOMATED RELEASES
-replace github.com/cyberark/conjur-opentelemetry-tracer => github.com/cyberark/conjur-opentelemetry-tracer latest
+replace github.com/cyberark/conjur-opentelemetry-tracer => github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-1321.0.20231010135527-11285e1be165

go.sum

@@ -1,7 +1,7 @@
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
-github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-859 h1:Mm/kEw/EeJvGAxnWVmSfRHSWxCe7MAkOV0nUG//4NJo=
-github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-859/go.mod h1:knGjmz7WYYptFxOwbMTHD56oslEQrNTq2mDW9qix0fc=
+github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-1321.0.20231010135527-11285e1be165 h1:8vmep0LWCDnugzexAbZkiwjHqNeJwT0YFd7SyQUe4Ng=
+github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-1321.0.20231010135527-11285e1be165/go.mod h1:4wlsA7YStqCuyD1wMyLqEBlxUjoCQ/nenp6n69hawSA=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -16,11 +16,11 @@ github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 go.opentelemetry.io/otel v1.7.0 h1:Z2lA3Tdch0iDcrhJXDIlC94XE+bxok1F9B+4Lz/lGsM=
 go.opentelemetry.io/otel v1.7.0/go.mod h1:5BdUoMIz5WEs0vt0CUEMtSSaTSHBBVwrhnz7+nrD5xk=
 go.opentelemetry.io/otel/exporters/jaeger v1.7.0 h1:wXgjiRldljksZkZrldGVe6XrG9u3kYDyQmkZwmm5dI0=

pkg/authenticator/authenticator.go

@@ -2,11 +2,13 @@ package authenticator
 
 import (
 	"context"
+
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token"
+	"github.com/cyberark/conjur-opentelemetry-tracer/pkg/trace"
 )
 
 type Authenticator interface {
 	Authenticate() error
-	AuthenticateWithContext(ctx context.Context) error
+	AuthenticateWithContext(ctx context.Context, tracer trace.Tracer) error
 	GetAccessToken() access_token.AccessToken
 }

pkg/authenticator/jwt/authenticator.go

@@ -8,8 +8,6 @@ import (
 	"net/http"
 	"os"
 
-	"go.opentelemetry.io/otel"
-
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/common"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
@@ -56,27 +54,33 @@ func (auth *Authenticator) GetAccessToken() access_token.AccessToken {
 // certificates.
 // @deprecated Use AuthenticateWithContext instead
 func (auth *Authenticator) Authenticate() error {
-	return auth.AuthenticateWithContext(context.TODO())
+	ctx, tracer, cleanup, err := trace.Create(
+		trace.NoopProviderType,
+		trace.TracerProviderConfig{},
+	)
+	if err != nil {
+		return err
+	}
+	defer cleanup(ctx)
+
+	return auth.AuthenticateWithContext(ctx, tracer)
 }
 
-func (auth *Authenticator) AuthenticateWithContext(ctx context.Context) error {
+func (auth *Authenticator) AuthenticateWithContext(ctx context.Context, tr trace.Tracer) error {
 	log.Info(log.CAKC066)
 
-	tr := trace.NewOtelTracer(otel.Tracer("conjur-authn-k8s-client"))
-	spanCtx, span := tr.Start(ctx, "Authenticate")
+	ctx, span := tr.Start(ctx, "Authenticate")
 	defer span.End()
 
-	authenticationResponse, err := auth.sendAuthenticationRequest(spanCtx, tr)
+	authenticationResponse, err := auth.sendAuthenticationRequest(ctx, tr)
 	if err != nil {
 		span.RecordErrorAndSetStatus(err)
-		span.End()
 		return err
 	}
 
 	err = auth.accessToken.Write(authenticationResponse)
 	if err != nil {
 		span.RecordErrorAndSetStatus(err)
-		span.End()
 		return err
 	}
 

pkg/authenticator/jwt/tests/authenticator_test.go

@@ -2,17 +2,18 @@ package tests
 
 import (
 	"bytes"
-	"context"
 	"encoding/pem"
-	"github.com/stretchr/testify/assert"
 	"path/filepath"
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token/memory"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/common"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/jwt"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
+	"github.com/cyberark/conjur-opentelemetry-tracer/pkg/trace"
 )
 
 const tmpJwtTokenPath = "good_jwt.token"
@@ -119,8 +120,15 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			var logTxt bytes.Buffer
 			log.ErrorLogger.SetOutput(&logTxt)
 
+			// Run tests with No-op tracer and its context
+			ctx, noopTracer, cleanup, _ := trace.Create(
+				trace.NoopProviderType,
+				trace.TracerProviderConfig{},
+			)
+
 			// Call the main method of the authenticator. This is where most of the internal implementation happens
-			err = authn.AuthenticateWithContext(context.Background())
+			err = authn.AuthenticateWithContext(ctx, noopTracer)
+			cleanup(ctx)
 
 			// ASSERT
 			tc.assert(t, authn, err)

pkg/authenticator/k8s/authenticator.go

@@ -18,7 +18,6 @@ import (
 	"time"
 
 	"github.com/fullsailor/pkcs7"
-	"go.opentelemetry.io/otel"
 
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/common"
@@ -77,34 +76,39 @@ func (auth *Authenticator) GetAccessToken() access_token.AccessToken {
 // certificates.
 // @deprecated Use AuthenticateWithContext instead
 func (auth *Authenticator) Authenticate() error {
-	return auth.AuthenticateWithContext(context.TODO())
+	ctx, tracer, cleanup, err := trace.Create(
+		trace.NoopProviderType,
+		trace.TracerProviderConfig{},
+	)
+	if err != nil {
+		return err
+	}
+	defer cleanup(ctx)
+
+	return auth.AuthenticateWithContext(ctx, tracer)
 }
 
-func (auth *Authenticator) AuthenticateWithContext(ctx context.Context) error {
+func (auth *Authenticator) AuthenticateWithContext(ctx context.Context, tracer trace.Tracer) error {
 	log.Info(log.CAKC040, auth.config.Common.Username)
 
-	tr := trace.NewOtelTracer(otel.Tracer("conjur-authn-k8s-client"))
-	spanCtx, span := tr.Start(ctx, "Authenticate")
+	ctx, span := tracer.Start(ctx, "Authenticate")
 	defer span.End()
 
-	err := auth.loginIfNeeded(spanCtx, tr)
+	err := auth.loginIfNeeded(ctx, tracer)
 	if err != nil {
 		span.RecordErrorAndSetStatus(err)
-		span.End()
 		return err
 	}
 
-	authenticationResponse, err := auth.sendAuthenticationRequest(spanCtx, tr)
+	authenticationResponse, err := auth.sendAuthenticationRequest(ctx, tracer)
 	if err != nil {
 		span.RecordErrorAndSetStatus(err)
-		span.End()
 		return err
 	}
 
-	parsedResponse, err := auth.parseAuthenticationResponse(spanCtx, tr, authenticationResponse)
+	parsedResponse, err := auth.parseAuthenticationResponse(ctx, tracer, authenticationResponse)
 	if err != nil {
 		span.RecordErrorAndSetStatus(err)
-		span.End()
 		return err
 	}
 

pkg/authenticator/k8s/tests/authenticator_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/common"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/k8s"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
+	"github.com/cyberark/conjur-opentelemetry-tracer/pkg/trace"
 )
 
 type assertFunc func(t *testing.T,
@@ -24,6 +25,8 @@ type assertFunc func(t *testing.T,
 	loginCsr *x509.CertificateRequest,
 	loginCsrErr error,
 	logTxt string,
+	ctx context.Context,
+	tr trace.Tracer,
 )
 
 func TestAuthenticator_Authenticate(t *testing.T) {
@@ -38,7 +41,7 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			name:         "happy path",
 			podName:      "testPodName",
 			podNamespace: "testPodNamespace",
-			assert: func(t *testing.T, authn *k8s.Authenticator, err error, loginCsr *x509.CertificateRequest, loginCsrErr error, _ string) {
+			assert: func(t *testing.T, authn *k8s.Authenticator, err error, loginCsr *x509.CertificateRequest, loginCsrErr error, _ string, _ context.Context, _ trace.Tracer) {
 				assert.NoError(t, err)
 
 				// Check the CSR
@@ -69,7 +72,7 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			name:         "empty podname",
 			podName:      "",
 			podNamespace: "",
-			assert: func(t *testing.T, authn *k8s.Authenticator, err error, loginCsr *x509.CertificateRequest, _ error, _ string) {
+			assert: func(t *testing.T, authn *k8s.Authenticator, err error, loginCsr *x509.CertificateRequest, _ error, _ string, _ context.Context, _ trace.Tracer) {
 				assert.NoError(t, err)
 
 				// Assert empty spiffe
@@ -84,12 +87,12 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			name:         "expired cert",
 			podName:      "testPodName",
 			podNamespace: "testPodNamespace",
-			assert: func(t *testing.T, authn *k8s.Authenticator, err error, _ *x509.CertificateRequest, _ error, _ string) {
+			assert: func(t *testing.T, authn *k8s.Authenticator, err error, _ *x509.CertificateRequest, _ error, _ string, ctx context.Context, tr trace.Tracer) {
 				assert.NoError(t, err)
 				// Set the expiration date to now, and try to authenticate again
 				// This will cause the authenticator to try to refresh the cert
 				authn.PublicCert.NotAfter = time.Now()
-				err = authn.AuthenticateWithContext(context.Background())
+				err = authn.AuthenticateWithContext(ctx, tr)
 				assert.NoError(t, err)
 
 				// Check that the cert was renewed
@@ -101,7 +104,7 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			podName:            "testPodName",
 			podNamespace:       "testPodNamespace",
 			skipWritingCSRFile: true,
-			assert: func(t *testing.T, _ *k8s.Authenticator, err error, _ *x509.CertificateRequest, _ error, logTxt string) {
+			assert: func(t *testing.T, _ *k8s.Authenticator, err error, _ *x509.CertificateRequest, _ error, logTxt string, _ context.Context, _ trace.Tracer) {
 				assert.Error(t, err)
 				// Check logs for the expected error
 				assert.Contains(t, logTxt, "error writing csr file")
@@ -163,11 +166,18 @@ func TestAuthenticator_Authenticate(t *testing.T) {
 			var logTxt bytes.Buffer
 			log.ErrorLogger.SetOutput(&logTxt)
 
+			// Run tests with No-op tracer and its context
+			ctx, noopTracer, cleanup, _ := trace.Create(
+				trace.NoopProviderType,
+				trace.TracerProviderConfig{},
+			)
+
 			// Call the main method of the authenticator. This is where most of the internal implementation happens
-			err = authn.AuthenticateWithContext(context.Background())
+			err = authn.AuthenticateWithContext(ctx, noopTracer)
+			cleanup(ctx)
 
 			// ASSERT
-			tc.assert(t, authn, err, loginCsr, loginCsrErr, logTxt.String())
+			tc.assert(t, authn, err, loginCsr, loginCsrErr, logTxt.String(), ctx, noopTracer)
 		})
 	}
 }