signalfx · jvoravong · Mar 3, 2025 · Jan 29, 2025 · Jan 29, 2025 · Feb 13, 2025
@@ -64,9 +64,6 @@ jobs:
       - name: Update dependencies
         run: |
           make dep-update
-      - name: Deploy cert-manager
-        run: |
-          make cert-manager
       - name: run functional tests
         id: run-functional-tests
         env:
@@ -124,9 +121,6 @@ jobs:
       - name: Update dependencies
         run: |
           make dep-update
-      - name: Deploy cert-manager
-        run: |
-          make cert-manager
       - name: run functional tests
         env:
           HOST_ENDPOINT: 0.0.0.0
@@ -178,19 +172,13 @@ jobs:
       - name: Update dependencies
         run: |
           cd base && make dep-update
-      - name: Deploy cert-manager
-        run: |
-          cd base && make cert-manager
       - name: Deploy previous version of the chart
         run: |
           helm list | grep -q "^sock$" && echo "Found previous 'sock' release. Deleting..." && helm delete sock
           cd base && helm install sock helm-charts/splunk-otel-collector --set cloudProvider=aws --set distribution=eks --set splunkObservability.realm=us0 --set splunkObservability.accessToken=xxxxx
       - name: Update dependencies
         run: |
           make dep-update
-      - name: Deploy cert-manager
-        run: |
-          make cert-manager
       - name: run functional tests
         env:
           HOST_ENDPOINT: 0.0.0.0
@@ -232,19 +220,13 @@ jobs:
       - name: Update dependencies
         run: |
           cd base && make dep-update
-      - name: Deploy cert-manager
-        run: |
-          cd base && make cert-manager
       - name: Deploy previous version of the chart
         run: |
           helm list | grep -q "^sock$" && echo "Found previous 'sock' release. Deleting..." && helm delete sock
           cd base && helm install sock helm-charts/splunk-otel-collector --set cloudProvider=aws --set distribution=eks --set splunkObservability.realm=us0 --set splunkObservability.accessToken=xxxxx --set operator.enabled=true --set environment=dev
       - name: Update dependencies
         run: |
           make dep-update
-      - name: Deploy cert-manager
-        run: |
-          make cert-manager
       - name: run functional tests
         env:
           HOST_ENDPOINT: 0.0.0.0

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -17,7 +17,6 @@ repos:
       exclude: "^examples|^test"
     - id: check-yaml
       # Can't check source yaml since it has go templates in it.
-      # Can't check operator-webhook.yaml due to redacted TLS certificate information causing yaml format issues.
       exclude: "^helm-charts|operator-webhook.yaml"
       args: [ --allow-multiple-documents ]
     - id: check-added-large-files
@@ -68,10 +68,6 @@ these frameworks often have pre-built instrumentation capabilities already avail
         - [partially enable profiling](../examples/enable-operator-and-auto-instrumentation/instrumentation/instrumentation-enable-profiling-partially.yaml).
 
 ```bash
-# Check if cert-manager is already installed, don't deploy a second cert-manager.
-kubectl get pods -l app=cert-manager --all-namespaces
-
-# If cert-manager is not deployed, make sure to add certmanager.enabled=true to the list of values to set
 helm install splunk-otel-collector -f ./my_values.yaml --set operatorcrds.install=true,operator.enabled=true,environment=dev splunk-otel-collector-chart/splunk-otel-collector
 ```
 
@@ -533,10 +529,93 @@ kubectl get certificates
 # splunk-otel-collector-operator-serving-cert   True    splunk-otel-collector-operator-controller-manager-service-cert   5m
 ```
 
-##### Using a Self-Signed Certificate for the Webhook
+#### TLS Certificate Requirement for Kubernetes Operator Webhooks
+
+In Kubernetes, the API server communicates with operator webhook components over HTTPS, which requires a valid TLS certificate that the API server trusts. The operator supports several methods for configuring the required certificate, each with different levels of complexity and security.
+
+---
+
+##### 1. **Using a Self-Signed Certificate Generated by the Chart**
+
+This is the default and simplest method for generating a TLS certificate. It automatically creates a self-signed certificate for the webhook. It is suitable for internal environments or testing purposes but may not be trusted by clients outside your cluster.
+
+**Configuration:**
+- Set `admissionWebhooks.certManager.enabled` to `false` and `admissionWebhooks.autoGenerateCert.enabled` to `true`.
+- Helm generates a self-signed certificate, valid for 10 years, and creates a secret for the webhook.
+- The certificate is automatically recreated on every Helm upgrade.
+
+This is the easiest setup for users and does not require additional configuration.
+
+**Note**: Self-signed certificates are not trusted by default by clients, so this option is generally best for internal or testing scenarios.
+
+---
+
+##### 2. **Using a cert-manager Certificate**
+
+Using `cert-manager` offers more control over certificate management and is more suitable for production environments. However, due to Helm’s install/upgrade order of operations, cert-manager CRDs and certificates cannot be installed within the same Helm operation. To work around this limitation, you can choose one of the following options:
+
+###### Option 1: **Pre-deploy cert-manager**
+
+If `cert-manager` is already deployed in your cluster, you can configure the operator to use it without enabling certificate generation by Helm.
+
+**Configuration:**
+```yaml
+operator:
+  admissionWebhooks:
+    certManager:
+      enabled: true
+    autoGenerateCert:
+      enabled: false
+```
+
+###### Option 2: **Deploy cert-manager and the operator together**
+
+If you need to install `cert-manager` along with the operator, use a Helm post-install or post-upgrade hook to ensure that the certificate is created after cert-manager CRDs are installed.
+
+**Configuration:**
+```yaml
+operator:
+  admissionWebhooks:
+    certManager:
+      enabled: true
+      certificateAnnotations:
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+      issuerAnnotations:
+        "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+certmanager:
+  enabled: true
+  installCRDs: true
+```
+
+This method is useful when installing `cert-manager` as a subchart or as part of a larger Helm chart installation.
+
+---
+
+##### 3. **Using a Custom Externally Generated Certificate**
+
+For full control, you can use an externally generated certificate. This is suitable if you already have a certificate issued by a trusted CA or have specific security requirements.
+
+**Configuration:**
+- Set both `operator.admissionWebhooks.certManager.enabled` and `operator.admissionWebhooks.autoGenerateCert.enabled` to `false`.
+- Provide the paths to your certificate (`certFile`), private key (`keyFile`), and CA certificate (`caFile`) in the values.
+
+**Example:**
+```yaml
+operator:
+  admissionWebhooks:
+    certManager:
+      enabled: false
+    autoGenerateCert:
+      enabled: false
+    certFile: /path/to/cert.crt
+    keyFile: /path/to/cert.key
+    caFile: /path/to/ca.crt
+```
+
+This method allows you to use a certificate that is trusted by external systems, such as certificates issued by a corporate CA.
 
-The operator supports various methods for managing TLS certificates for the webhook. Below are the options available through the operator, with a brief description for each. For detailed configurations and specific use cases, please refer to the operator’s
-[official Helm chart documentation](https://github.com/open-telemetry/opentelemetry-helm-charts/blob/main/charts/opentelemetry-operator/values.yaml)
+---
 
-**Note**: While using a self-signed certificate offers a quicker and simpler setup, it has limitations, such as not being trusted by default by clients.
-This may be acceptable for testing purposes or internal environments. For complete configurations and additional guidance, please refer to the provided link to the Helm chart documentation.
+For more advanced use cases, refer to the [official Helm chart documentation](https://github.com/open-telemetry/opentelemetry-helm-charts/blob/main/charts/opentelemetry-operator/values.yaml) for detailed configuration options and scenarios.
@@ -21,6 +21,15 @@ This example demonstrates how to:
 - **Single App Focus:** Explore trace-related performance of a single instrumented NodeJS application in the APM console.
 - **Simplified Use Case:** Although relations between applications will not be showcased in the APM console, this demo offers a simplified setup suitable for understanding basic instrumentation and trace visualization.
 
+## [Simple Webserver - .NET Instrumentation](./otel-demo-nodejs.md)
+This example demonstrates how to:
+- Deploy the chart to the current namespace and the demo to the `dotnet-demo` namespace.
+- Instrument a single .NET application.
+
+**Highlights:**
+- **Single App Focus:** Explore trace-related performance of a single instrumented .NET application in the APM console.
+- **Simplified Use Case:** Although relations between applications will not be showcased in the APM console, this demo offers a simplified setup suitable for understanding basic instrumentation and trace visualization.
+
 ## Exploring Traces and Applications in APM Console
 The examples provide practical insights into using the APM console for exploring application relations and traces.
 Whether dealing with multiple applications interacting with each other or focusing on a single application, you will gain hands-on experience in visualizing trace data using Splunk Observability APM.

@@ -11,6 +11,4 @@ operatorcrds:
   install: true
 operator:
   enabled: true
-certmanager:
-  enabled: true
 
@@ -24,14 +24,10 @@ curl https://raw.githubusercontent.com/signalfx/splunk-otel-collector-chart/main
 #### 2.1 Deploy the Helm Chart with the Operator enabled
 
 To install the chart with operator in an existing cluster, make sure you have cert-manager installed and available.
-Both the cert-manager and operator are subcharts of this chart and can be enabled with `--set operatorcrds.install=true,operator.enabled=true,certmanager.enabled=true`.
+Both the cert-manager and operator are subcharts of this chart and can be enabled with `--set operatorcrds.install=true,operator.enabled=true`.
 These helm install commands will deploy the chart to the current namespace for this example.
 
 ```bash
-# Check if a cert-manager is already installed by looking for cert-manager pods.
-kubectl get pods -l app=cert-manager --all-namespaces
-
-# If cert-manager is deployed, make sure to remove certmanager.enabled=true to the list of values to set
 helm install splunk-otel-collector -f ./my_values.yaml --set operatorcrds.install=true,operator.enabled=true,certmanager.enabled=true,environment=dev splunk-otel-collector-chart/splunk-otel-collector
 ```
 
@@ -46,15 +42,16 @@ kubectl get pods
 # splunk-otel-collector-agent-2mtfn                               2/2     Running            0                5m
 # splunk-otel-collector-agent-k4gc8                               2/2     Running            0                5m
 # splunk-otel-collector-agent-wjt98                               2/2     Running            0                5m
-# splunk-otel-collector-certmanager-69b98cc84d-2vzl7              1/1     Running            0                5m
-# splunk-otel-collector-certmanager-cainjector-76db6dcbbf-4625c   1/1     Running            0                5m
-# splunk-otel-collector-certmanager-webhook-bc68cd487-dctrf       1/1     Running            0                5m
 # splunk-otel-collector-k8s-cluster-receiver-8449bfdc8-hhbvz      1/1     Running            0                5m
 # splunk-otel-collector-operator-754c9d78f8-9ztwg                 2/2     Running            0                5m
 
 kubectl get mutatingwebhookconfiguration.admissionregistration.k8s.io
 # NAME                                      WEBHOOKS   AGE
-# splunk-otel-collector-certmanager-webhook 1          8m
+# splunk-otel-collector-operator-mutation   3          2m
+
+# TODO: Validate these inputs andoutput
+kubectl get validatingwebhookconfiguration.admissionregistration.k8s.io
+# NAME                                      WEBHOOKS   AGE
 # splunk-otel-collector-operator-mutation   3          2m
 
 kubectl get otelinst

@@ -20,15 +20,11 @@ curl https://raw.githubusercontent.com/signalfx/splunk-otel-collector-chart/main
 #### 2.1 Deploy the Helm Chart with the Operator enabled
 
 To install the chart with operator in an existing cluster, make sure you have cert-manager installed and available.
-Both the cert-manager and operator are subcharts of this chart and can be enabled with `--set operatorcrds.install=true,operator.enabled=true,certmanager.enabled=true`.
+Both the cert-manager and operator are subcharts of this chart and can be enabled with `--set operatorcrds.install=true,operator.enabled=true`.
 These helm install commands will deploy the chart to the current namespace for this example.
 
 ```bash
-# Check if a cert-manager is already installed by looking for cert-manager pods.
-kubectl get pods -l app=cert-manager --all-namespaces
-
-# If cert-manager is deployed, make sure to remove certmanager.enabled=true to the list of values to set
-helm install splunk-otel-collector -f ./my_values.yaml --set operatorcrds.install=true,operator.enabled=true,certmanager.enabled=true,environment=dev splunk-otel-collector-chart/splunk-otel-collector
+helm install splunk-otel-collector -f ./my_values.yaml --set operatorcrds.install=true,operator.enabled=true,environment=dev splunk-otel-collector-chart/splunk-otel-collector
 ```
 
 #### 2.2 Verify all the OpenTelemetry resources (collector, operator, webhook, instrumentation) are deployed successfully
@@ -42,15 +38,16 @@ kubectl get pods
 # splunk-otel-collector-agent-2mtfn                               2/2     Running            0                5m
 # splunk-otel-collector-agent-k4gc8                               2/2     Running            0                5m
 # splunk-otel-collector-agent-wjt98                               2/2     Running            0                5m
-# splunk-otel-collector-certmanager-69b98cc84d-2vzl7              1/1     Running            0                5m
-# splunk-otel-collector-certmanager-cainjector-76db6dcbbf-4625c   1/1     Running            0                5m
-# splunk-otel-collector-certmanager-webhook-bc68cd487-dctrf       1/1     Running            0                5m
 # splunk-otel-collector-k8s-cluster-receiver-8449bfdc8-hhbvz      1/1     Running            0                5m
 # splunk-otel-collector-operator-754c9d78f8-9ztwg                 2/2     Running            0                5m
 
 kubectl get mutatingwebhookconfiguration.admissionregistration.k8s.io
 # NAME                                      WEBHOOKS   AGE
-# splunk-otel-collector-certmanager-webhooh 1          8m
+# splunk-otel-collector-operator-mutation   3          2m
+
+# TODO: Validate these inputs andoutput
+kubectl get validatingwebhookconfiguration.admissionregistration.k8s.io
+# NAME                                      WEBHOOKS   AGE
 # splunk-otel-collector-operator-mutation   3          2m
 
 kubectl get otelinst