Add RBAC support for k8s_leader_elector extension (#4802)

Author: gyanranjanpanda

.chloggen/issue_4802.yaml

@@ -0,0 +1,17 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Support RBAC generation for `k8s_leader_elector` extension"
+
+# One or more tracking issues related to the change
+issues: [4802]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Automatically generates a ClusterRole with permissions to manage `leases` in the `coordination.k8s.io` API group for leader election among multiple collector replicas.

config/rbac/role.yaml

@@ -106,9 +106,12 @@ rules:
   - leases
   verbs:
   - create
+  - delete
   - get
   - list
+  - patch
   - update
+  - watch
 - apiGroups:
   - discovery.k8s.io
   resources:

internal/components/extensions/helpers.go

@@ -26,6 +26,10 @@ var registry = map[string]components.Parser{
 		MustBuild(),
 	"jaeger_query": NewJaegerQueryExtensionParserBuilder().
 		MustBuild(),
+	"k8s_leader_elector": components.NewBuilder[any]().
+		WithName("k8s_leader_elector").
+		WithRbacGen(generatek8sleaderelectorRbacRules).
+		MustBuild(),
 	"k8s_observer": components.NewBuilder[k8sobserverConfig]().
 		WithName("k8s_observer").
 		WithRbacGen(generatek8sobserverRbacRules).

internal/components/extensions/helpers_test.go

@@ -44,6 +44,7 @@ func TestExtensionsComponentParsers(t *testing.T) {
 		defaultPort  int32
 	}{
 		{"health_check", "__health_check", 13133},
+		{"k8s_leader_elector", "__k8s_leader_elector", 0},
 	} {
 		t.Run(tt.exporterName, func(t *testing.T) {
 			t.Run("is registered", func(t *testing.T) {

internal/components/extensions/k8sleaderelector.go

@@ -0,0 +1,34 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package extensions
+
+import (
+	"github.com/go-logr/logr"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+// generatek8sleaderelectorRbacRules returns the RBAC policy rules required by the
+// k8s_leader_elector extension.
+//
+// The extension uses Kubernetes Lease objects from the coordination.k8s.io
+// API group for leader election among multiple collector replicas, enabling
+// HA deployments of receivers that should only run on a single instance
+// (e.g. k8sclusterreceiver, k8seventsreceiver).
+//
+// All seven verbs are required:
+//   - get/list/watch: observe existing leases and detect leader changes
+//   - create: create a new Lease if one doesn't yet exist
+//   - update/patch: renew the lease (heartbeat) while holding leadership
+//   - delete: release/clean up leases
+//
+// Ref: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/k8sleaderelector
+func generatek8sleaderelectorRbacRules(_ logr.Logger, _ any) ([]rbacv1.PolicyRule, error) {
+	return []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{"coordination.k8s.io"},
+			Resources: []string{"leases"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+		},
+	}, nil
+}

internal/components/extensions/k8sleaderelector_test.go

@@ -0,0 +1,50 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package extensions
+
+import (
+	"testing"
+
+	"github.com/go-logr/logr"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+func TestK8sLeaderElectorRBACRules(t *testing.T) {
+	rules, err := generatek8sleaderelectorRbacRules(logr.Discard(), nil)
+	require.NoError(t, err)
+
+	require.Len(t, rules, 1, "should return exactly one policy rule")
+
+	rule := rules[0]
+
+	assert.Equal(t, []string{"coordination.k8s.io"}, rule.APIGroups,
+		"should target the coordination.k8s.io API group")
+	assert.Equal(t, []string{"leases"}, rule.Resources,
+		"should target the leases resource")
+	assert.Equal(t,
+		[]string{"get", "list", "watch", "create", "update", "patch", "delete"},
+		rule.Verbs,
+		"should include all required verbs for leader election",
+	)
+}
+
+func TestK8sLeaderElectorRBACRulesMatchUpstreamDocs(t *testing.T) {
+	// Validates the RBAC rules exactly match the upstream k8s_leader_elector
+	// extension documentation:
+	// https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/k8sleaderelector
+	rules, err := generatek8sleaderelectorRbacRules(logr.Discard(), nil)
+	require.NoError(t, err)
+
+	expected := []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{"coordination.k8s.io"},
+			Resources: []string{"leases"},
+			Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+		},
+	}
+
+	assert.Equal(t, expected, rules)
+}

internal/controllers/opentelemetrycollector_controller.go

@@ -212,7 +212,7 @@ func NewReconciler(p Params) *OpenTelemetryCollectorReconciler {
 // +kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;statefulsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;podmonitors,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update;patch;delete

internal/manifests/collector/rbac_test.go

@@ -79,6 +79,17 @@ func TestDesiredClusterRoles(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc:       "k8s_leader_elector extension",
+			configPath: "testdata/rbac_k8sleaderelector_extension.yaml",
+			expectedRules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{"coordination.k8s.io"},
+					Resources: []string{"leases"},
+					Verbs:     []string{"get", "list", "watch", "create", "update", "patch", "delete"},
+				},
+			},
+		},
 		{
 			desc:       "k8sattributes processor - service.name metadata",
 			configPath: "testdata/rbac_k8sattributes_service_name.yaml",

internal/manifests/collector/testdata/rbac_k8sleaderelector_extension.yaml

@@ -0,0 +1,17 @@
+extensions:
+  k8s_leader_elector:
+receivers:
+  receiver_creator/logs:
+    watch_observers: []
+    discovery:
+      enabled: true
+processors: {}
+exporters:
+  debug:
+    verbosity: basic
+service:
+  pipelines:
+    logs:
+      receivers: [receiver_creator/logs]
+      exporters: [debug]
+  extensions: [k8s_leader_elector]

tests/e2e-automatic-rbac/k8s-leader-elector/00-install.yaml

@@ -0,0 +1,33 @@
+# =============================================================================
+# File: tests/e2e-automatic-rbac/k8s-leader-elector/00-install.yaml
+# =============================================================================
+# This e2e test validates that the operator automatically generates the
+# correct RBAC rules when the k8s_leader_elector extension is configured
+# in the OpenTelemetryCollector CR.
+
+apiVersion: opentelemetry.io/v1beta1
+kind: OpenTelemetryCollector
+metadata:
+  name: k8s-leader-elector-test
+spec:
+  mode: deployment
+  replicas: 2
+  config:
+    extensions:
+      k8s_leader_elector:
+        auth_type: serviceAccount
+        lease_name: otel-leader
+        lease_namespace: default
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:4317
+    exporters:
+      debug: {}
+    service:
+      extensions: [k8s_leader_elector]
+      pipelines:
+        traces:
+          receivers: [otlp]
+          exporters: [debug]