feat: support reading headers from Kubernetes Secrets (#375)

Add support for reading opentelemetry header values from k8s secrets while maintaining backward compatibility with direct header values. This enables secure management of sensitive header values like authentication tokens. Changes: - Headers can now be specified either as direct string values or references to Secret values - Support mixing both direct values and Secret references in the same headers map - Updated values.yaml documentation with examples of both approaches - Headers continue to be formatted as "key1:value1,key2:value2" in final output Example: ``` headers: X-Custom-Header: "direct-value" Authorization: fromSecret: name: "auth-secret" key: "auth-token" ``` Signed-off-by: Burak Sekili <[email protected]>
TykTechnologies · Jan 8, 2025 · 7c47ea1 · 7c47ea1
1 parent 8bb78e8
commit 7c47ea1
Show file tree

Hide file tree

Showing 6 changed files with 150 additions and 10 deletions.
diff --git a/components/tyk-gateway/templates/_helpers.tpl b/components/tyk-gateway/templates/_helpers.tpl
@@ -96,12 +96,22 @@ redisPass
 {{- end -}}
 
 {{- define "otel-headers" -}}
-{{ if (.Values.gateway.opentelemetry).headers }}
-        {{- $list := list -}}
-        {{- range $k, $v := .Values.gateway.opentelemetry.headers  -}}
-        {{- $list = append $list (printf "%s:%s" $k $v) -}}
+{{- $headersList := list -}}
+
+{{- range $key, $value := .Values.gateway.opentelemetry.headers -}}
+    {{- if kindIs "string" $value -}}
+        {{- $headersList = append $headersList (printf "%s:%s" $key $value) -}}
+    {{- else if (and (kindIs "map" $value) (hasKey $value "fromSecret")) -}}
+        {{- $secret := lookup "v1" "Secret" $.Release.Namespace $value.fromSecret.name -}}
+        {{- if $secret -}}
+            {{- $secretValue := index $secret.data $value.fromSecret.key | b64dec -}}
+            {{- $headersList = append $headersList (printf "%s:%s" $key $secretValue) -}}
         {{- end -}}
-        {{ join "," $list }}
+    {{- end -}}
+{{- end -}}
+
+{{- if $headersList -}}
+    {{- join "," $headersList -}}
 {{- end -}}
 {{- end -}}
 

diff --git a/components/tyk-gateway/values.yaml b/components/tyk-gateway/values.yaml
@@ -508,7 +508,33 @@ gateway:
     # endpoint defines OpenTelemetry collector endpoint to connect to.
     endpoint: localhost:4317
     # A map of headers that will be sent with HTTP requests to the collector.
-    # It should be set to map of string to string
+    # The headers can be specified in two ways:
+    #
+    # 1. Direct string values:
+    #    headers:
+    #      X-Custom-Header: "my-value"
+    #      Another-Header: "another-value"
+    #
+    #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
+    #
+    # 2. Values from Kubernetes Secrets:
+    #    headers:
+    #      Authorization:
+    #        fromSecret:
+    #          name: "my-secret-name"    # Name of the Kubernetes Secret
+    #          key: "my-secret-key"      # Key in the Secret containing the value
+    #
+    #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
+    #
+    # 3. You can mix both approaches in the same headers map:
+    #    headers:
+    #      X-Custom-Header: "direct-value"
+    #      Authorization:
+    #        fromSecret:
+    #          name: "auth-secret"
+    #          key: "auth-token"
+    #
+    # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
     headers: {}
     # Timeout for establishing a connection to the collector
     connectionTimeout: 1

diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
@@ -509,7 +509,33 @@ tyk-gateway:
       # endpoint defines OpenTelemetry collector endpoint to connect to.
       endpoint: localhost:4317
       # A map of headers that will be sent with HTTP requests to the collector.
-      # It should be set to map of string to string
+      # The headers can be specified in two ways:
+      #
+      # 1. Direct string values:
+      #    headers:
+      #      X-Custom-Header: "my-value"
+      #      Another-Header: "another-value"
+      #
+      #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
+      #
+      # 2. Values from Kubernetes Secrets:
+      #    headers:
+      #      Authorization:
+      #        fromSecret:
+      #          name: "my-secret-name"    # Name of the Kubernetes Secret
+      #          key: "my-secret-key"      # Key in the Secret containing the value
+      #
+      #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
+      #
+      # 3. You can mix both approaches in the same headers map:
+      #    headers:
+      #      X-Custom-Header: "direct-value"
+      #      Authorization:
+      #        fromSecret:
+      #          name: "auth-secret"
+      #          key: "auth-token"
+      #
+      # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
       headers: {}
       # Timeout for establishing a connection to the collector
       connectionTimeout: 1

diff --git a/tyk-data-plane/values.yaml b/tyk-data-plane/values.yaml
@@ -486,7 +486,33 @@ tyk-gateway:
       # endpoint defines OpenTelemetry collector endpoint to connect to.
       endpoint: localhost:4317
       # A map of headers that will be sent with HTTP requests to the collector.
-      # It should be set to map of string to string
+      # The headers can be specified in two ways:
+      #
+      # 1. Direct string values:
+      #    headers:
+      #      X-Custom-Header: "my-value"
+      #      Another-Header: "another-value"
+      #
+      #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
+      #
+      # 2. Values from Kubernetes Secrets:
+      #    headers:
+      #      Authorization:
+      #        fromSecret:
+      #          name: "my-secret-name"    # Name of the Kubernetes Secret
+      #          key: "my-secret-key"      # Key in the Secret containing the value
+      #
+      #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
+      #
+      # 3. You can mix both approaches in the same headers map:
+      #    headers:
+      #      X-Custom-Header: "direct-value"
+      #      Authorization:
+      #        fromSecret:
+      #          name: "auth-secret"
+      #          key: "auth-token"
+      #
+      # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
       headers: {}
       # Timeout for establishing a connection to the collector
       connectionTimeout: 1

diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
@@ -442,7 +442,33 @@ tyk-gateway:
       # endpoint defines OpenTelemetry collector endpoint to connect to.
       endpoint: localhost:4317
       # A map of headers that will be sent with HTTP requests to the collector.
-      # It should be set to map of string to string
+      # The headers can be specified in two ways:
+      #
+      # 1. Direct string values:
+      #    headers:
+      #      X-Custom-Header: "my-value"
+      #      Another-Header: "another-value"
+      #
+      #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
+      #
+      # 2. Values from Kubernetes Secrets:
+      #    headers:
+      #      Authorization:
+      #        fromSecret:
+      #          name: "my-secret-name"    # Name of the Kubernetes Secret
+      #          key: "my-secret-key"      # Key in the Secret containing the value
+      #
+      #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
+      #
+      # 3. You can mix both approaches in the same headers map:
+      #    headers:
+      #      X-Custom-Header: "direct-value"
+      #      Authorization:
+      #        fromSecret:
+      #          name: "auth-secret"
+      #          key: "auth-token"
+      #
+      # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
       headers: {}
       # Timeout for establishing a connection to the collector
       connectionTimeout: 1

diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
@@ -536,7 +536,33 @@ tyk-gateway:
       # endpoint defines OpenTelemetry collector endpoint to connect to.
       endpoint: localhost:4317
       # A map of headers that will be sent with HTTP requests to the collector.
-      # It should be set to map of string to string
+      # The headers can be specified in two ways:
+      #
+      # 1. Direct string values:
+      #    headers:
+      #      X-Custom-Header: "my-value"
+      #      Another-Header: "another-value"
+      #
+      #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
+      #
+      # 2. Values from Kubernetes Secrets:
+      #    headers:
+      #      Authorization:
+      #        fromSecret:
+      #          name: "my-secret-name"    # Name of the Kubernetes Secret
+      #          key: "my-secret-key"      # Key in the Secret containing the value
+      #
+      #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
+      #
+      # 3. You can mix both approaches in the same headers map:
+      #    headers:
+      #      X-Custom-Header: "direct-value"
+      #      Authorization:
+      #        fromSecret:
+      #          name: "auth-secret"
+      #          key: "auth-token"
+      #
+      # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
       headers: {}
       # Timeout for establishing a connection to the collector
       connectionTimeout: 1