Skip to content

Send instance name as x-api-key to the OTLP relay#316

Draft
archandatta wants to merge 1 commit into
archand/kernel-1213/otel-exportfrom
archand/kernel-1612/otlp-exporter-contract
Draft

Send instance name as x-api-key to the OTLP relay#316
archandatta wants to merge 1 commit into
archand/kernel-1213/otel-exportfrom
archand/kernel-1612/otlp-exporter-contract

Conversation

@archandatta

Copy link
Copy Markdown
Contributor

Summary

Aligns the in-VM OTLP exporter to the metro-api relay's auth contract. The relay authenticates a VM by its instance name checked against active sessions (the same model as the capmonster/hcaptcha relays), so the exporter now sends INST_NAME as the x-api-key header instead of the instance JWT as a bearer token. The now-unused KERNEL_INSTANCE_JWT exporter config is dropped (the env still exists for the envoy wrapper — the exporter just no longer reads it).

Companion to the metro-api relay PR (kernel/kernel#2763). Wire contract: x-api-key: <instance_name> + POST to BTEL_OTLP_PATH (set to /otlp-relay/v1/logs by provisioning when pointing a VM at the relay).

Why

The relay decides which org's destination + credentials to use from the instance identity. Verifying an instance JWT signature would require plumbing XDS_JWT_SECRET into metro-api (which has no such secret today and verifies no instance-JWT signatures) and would make the relay the odd one out among sibling relays. Instance names are unguessable cuid2 pairs gated on an active session, so x-api-key is the consistent, sufficient credential.

Changes

  • server/cmd/api/main.go: Authorization: Bearer <InstanceJWT>x-api-key: <InstanceName>.
  • server/cmd/config/config.go: remove the InstanceJWT field and its LogValue redaction.

Test plan

  • go build ./... and go test ./cmd/config ./lib/events green.
  • Full relay round-trip validated separately (see kernel/kernel#2763 test plan / Tier-1 relay test).

Notes

  • Base: opened against the exporter branch (archand/kernel-1213/otel-export, Add in-VM OTLP telemetry export sink #308) since that isn't merged yet; retarget to main once Add in-VM OTLP telemetry export sink #308 lands.
  • Deploy ordering: this and the relay PR must both be deployed before a real session exports through the relay; neither blocks the other's review.
  • Follow-up (not in this PR): under always-inject provisioning, un-bound instances get 401/403/404 from the relay as a normal steady state. A later change can quiet those specific statuses in loggingExporter (needs confirming the status is cleanly extractable from the otlploghttp error) so they don't inflate the failure counter/logs.

The metro-api OTLP relay authenticates a VM by its instance name checked
against active sessions (mirroring the capmonster/hcaptcha relays), so
send INST_NAME as x-api-key instead of the instance JWT as a bearer
token. Drop the now-unused KERNEL_INSTANCE_JWT exporter config (the env
still exists for the envoy wrapper; the exporter just no longer reads it).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant