Configuring OpenTelemetry via tyk-stack Helm chart exposes Authorization token

[sym-stiller]

Hi!

I'm currently trying to set up the OpenTelemetry integration with Elasticsearch (according to this tutorial). We're using the tyk-stack Helm chart, and a managed Elasticsearch service.

Our OTel Collector requires clients to send an Authorization header with a secret Bearer token. The only way to configure this in the tyk-stack Helm chart is to supply the header via the tyk-gateway.gateway.opentelemetry.headers value:

tyk-gateway:
  gateway:
    opentelemetry:
      headers:
        Authorization: "Bearer supersecrettoken"

Our issue with this approach is that the Bearer token is now visible to anyone that has either access to our values.yaml, or to anyone who has sufficient permissions to inspect the deployment via K8s API. It would be much better if we could supply the Bearer token via a K8s secret. This way, the Tyk gateway deployment could source the token from that secret, which could look something like this:

spec:
  containers:
    - name: gateway
       env:
          - name: TYK_GW_OPENTELEMETRY_HEADERS
            valueFrom:
              secretKeyRef:
                name: otel-auth-secret
                key: Authorization

I'll prepare a pull request with a possible solution to discuss.

[buraksekili]

Thanks @sym-stiller for raising this issue. The feature request is merged into the main branch now and it'll be available in the upcoming release. thank you!