Using OTEL_EXPORTER_OTLP_HEADERS in Open Telemetry Collector to avoid secrets in ConfigMap

8/23/2021

I have a Kubernetes cluster with a pod running an instance of Open Telemetry Collector.

My .Net app inside Kubernetes exports traces to the Collector instance which in turn exports them to Elastic APM server. This works correctly if I use this config (described here) for my Collector instance:

exporters:
  otlp/elastic:
      endpoint: "xxx.elastic-cloud.com:443"
      headers:
          Authorization: "Bearer your-apm-secret-token"

To work in Kubernetes, I set this config in a ConfigMap. This works correctly but the issue is that this requires me to add a secret in the ConfigMap which I would like to avoid.

To avoid this, I saw that you could add an OTEL_EXPORTER_OTLP_HEADERS environment variable which will be used by the exporter. You could then pass the secrets through an environment variable in the container (not a perfect solution, but ok for me). This functionality seems to be implemented by the different OpenTelemetry SDKs (.Net, Java, Python, ...) but it doesn't seem to work with the Collector if I try to use the environment variable trick.

Any idea how I could do this with the Collector? Or any other trick to avoid passing the secret to the ConfigMap?

-- Absolom
apm
elastic-stack
kubernetes
open-telemetry

1 Answer

8/25/2021

An issue was entered for OpenTelemetry Collector that would solve my main concerns of using secrets in environment variables.

Until then, the author of the issue suggests the environment variable expansion mechanism as a workaround.

So if you put your token in an environment variable ELASTIC_APM_TOKEN, then you could reference it in your ConfigMap like so:

exporters:
  otlp/elastic:
      endpoint: "xxx.elastic-cloud.com:443"
      headers:
          Authorization: "Bearer $ELASTIC_APM_TOKEN"

The Collector will then replace $ELASTIC_APM_TOKEN with the value in your environment variable before applying the config.

-- Absolom
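
The wiring the answer describes, written out as Kubernetes manifests. This is an added example, not part of the original answer: the resource names, labels, mount path, image reference and the receiver/pipeline sections are assumptions, and the token value is a placeholder.

```yaml
apiVersion: v1
kind: Secret
metadata: {name: elastic-apm}            # hypothetical name
stringData:
  token: "REPLACE_WITH_APM_SECRET_TOKEN" # placeholder; create out of band, never commit
---
apiVersion: v1
kind: ConfigMap
metadata: {name: otel-collector-config}  # hypothetical name
data:
  collector.yaml: |
    receivers:
      otlp:
        protocols:
          grpc: {endpoint: "0.0.0.0:4317"}
    exporters:
      otlp/elastic:
        endpoint: "xxx.elastic-cloud.com:443"
        headers:
          # Expanded by the Collector at startup; newer releases also accept ${env:ELASTIC_APM_TOKEN}.
          Authorization: "Bearer $ELASTIC_APM_TOKEN"
    service:
      pipelines:
        traces:
          receivers: [otlp]
          exporters: [otlp/elastic]
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: otel-collector}         # hypothetical name
spec:
  selector:
    matchLabels: {app: otel-collector}
  template:
    metadata:
      labels: {app: otel-collector}
    spec:
      containers:
        - name: otel-collector
          image: otel/opentelemetry-collector   # pin a version tag in practice
          args: ["--config=/conf/collector.yaml"]
          env:
            - name: ELASTIC_APM_TOKEN            # name referenced in the ConfigMap
              valueFrom:
                secretKeyRef: {name: elastic-apm, key: token}
          volumeMounts:
            - {name: config, mountPath: /conf}
      volumes:
        - {name: config, configMap: {name: otel-collector-config}}
```

The ConfigMap now carries only the variable reference, so read access to the token can be restricted separately through RBAC on the Secret.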
Source: StackOverflow