TT-13680 - feat: add option to get one OpenTelemetry header from a K8s secret

[sym-stiller]

Description

This change allows you to add one Authorization header to the OpenTelemetry traffic in a secure way. A Bearer token is typically secret and should not be exposed in the Helm values file or in the K8s manifest of the Tyk Gateway deployment.

I'm sure this is not the most optimal way to implement this; for example, with my solution you can only use either the headers or headerSecret value, but not both at the same time. This would limit you to exactly one header, if you're using the headerSecret. I just want to start a discussion about a good way to solve the linked issue.

Related Issue

#363

https://tyktech.atlassian.net/browse/TT-13680

Motivation and Context

This change improves the protection of sensitive authorization secrets.

Test Coverage For This Change

I have templated the charts locally and inspected the result manually.

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)
• Documentation updates or improvements.

Checklist

• Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If PRing from your fork, don't come from your master!
• Make sure you are making a pull request against our master branch (left side). Also, it would be best if you started your change off our latest master.
• My change requires a change to the documentation.
  • I have manually updated the README(s)/documentation accordingly.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[buraksekili]

Thank you @sym-stiller for this great PR 🙏 I just left a few comments.

[buraksekili]

Let's set headerSecret to a null object by default

Suggested change

	headerSecret:
	name: otel-auth-secret
	key: Authorization
	headerSecret: {}

This prevents any failures during chart upgrades. If headers is being in use, upgrading to the new chart where headerSecret is set by default, can trigger the fail call defined in the values.yaml file.

Additionally, the default value assumes that users already have a Kubernetes secret named otel-auth-secret containing an Authorization key, which may not be the case for everyone.

Please apply this change to all values.yaml files (in tyk-stack, tyk-oss etc)

[buraksekili]

TYK_GW_OPENTELEMETRY_HEADERS environment variable needs to be declared as a comma-separated list of key-value pairs, where each pair is separated by a colon. For instance:

TYK_GW_OPENTELEMETRY_HEADERS: "header_key1:header_value1,header_key2:header_value2"

So, we need to construct the value of the environment variable in this key-value pair format.