TRACING-4752: Add OpenTelemetry-Collector as optional sub-package #4281
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: copejon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
packaging/rpm/microshift.spec
Outdated
| Requires: opentelemetry-collector | ||
|
|
||
| %description observability | ||
| Demo otel-col config geared for microshift. Client certificates are generated by microshift on start, then placed in |
There was a problem hiding this comment.
| Demo otel-col config geared for microshift. Client certificates are generated by microshift on start, then placed in | |
| Demo OpenTelemetry configuration geared for MicroShift. MicroShift OpenTelemetry client certificates are copied to /etc/pki/microshift-observability to facilitate OpenTelemetry collector service connection to MicroShift. |
| ca_file: /etc/pki/microshift-opentelemetry-collector-client/client-ca.crt | ||
| key_file: /etc/pki/microshift-opentelemetry-collector-client/client.key | ||
| cert_file: /etc/pki/microshift-opentelemetry-collector-client/client.crt |
There was a problem hiding this comment.
| ca_file: /etc/pki/microshift-opentelemetry-collector-client/client-ca.crt | |
| key_file: /etc/pki/microshift-opentelemetry-collector-client/client.key | |
| cert_file: /etc/pki/microshift-opentelemetry-collector-client/client.crt | |
| ca_file: /etc/pki/microshift-observability/client-ca.crt | |
| key_file: /etc/pki/microshift-observability/client.key | |
| cert_file: /etc/pki/microshift-observability/client.crt |
| # filelog/workload: | ||
| # Path: /…. | ||
| # filelog/kube-system: | ||
| # Path: /…. |
There was a problem hiding this comment.
If we'd like to keep comments in the file, can we add an explanation why?
| journald: | ||
| units: | ||
| - microshift | ||
| - crio |
There was a problem hiding this comment.
Do we need to monitor microshift-etcd unit too?
| @@ -482,6 +492,10 @@ cat assets/optional/gateway-api/kustomization.x86_64.yaml >> %{buildroot}/%{_pre | |||
| mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release | |||
| install -p -m644 assets/optional/gateway-api/release-gateway-api-{x86_64,aarch64}.json %{buildroot}%{_datadir}/microshift/release/ | |||
|
|
|||
| #observability | |||
There was a problem hiding this comment.
| #observability | |
| # observability |
| @@ -645,6 +662,9 @@ fi | |||
| %files gateway-api-release-info | |||
| %{_datadir}/microshift/release/release-gateway-api-{x86_64,aarch64}.json | |||
|
|
|||
| %files observability | |||
| %config %{_sysconfdir}/microshift/opentelemetry-collector.yaml | |||
| %config %{_unitdir}/microshift-observability.service | |||
There was a problem hiding this comment.
How can we undo the certificate file copy on the package removal?
|
|
||
| # It takes a bit for the certs to be created. This service will reach it's burst limit almost immediately, pretty much | ||
| # guaranteeing that it will reach the restart limit before it can possibly succeed. | ||
| RestartSec=200ms |
There was a problem hiding this comment.
We need to optimize this to avoid service failures / restarts. See the unit section comment.
| AssertPathExists=/var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key | ||
| AssertPathExists=/var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.crt |
There was a problem hiding this comment.
I'm not sure why this is necessary. We declare the current unit After MicroShift, so it should only start when MicroShift declares it's running, right? This means, certificates are created for sure.
What am I missing?
| @@ -0,0 +1,27 @@ | |||
| [Unit] | |||
| Description=MicroShift Observability | |||
| BindsTo=microshift.service | |||
There was a problem hiding this comment.
Do we want to run the collector even when MicroShift fails?
| ExecStartPre=+/bin/mkdir -p /etc/pki/microshift-observability/ | ||
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key /etc/pki/microshift-observability/ | ||
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key /etc/pki/microshift-observability/ | ||
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.crt /etc/pki/microshift-observability/ | ||
| ExecStartPre=+/bin/chown -R observability /etc/pki/microshift-observability | ||
| ExecStartPre=+/bin/chmod -R 600 /etc/pki/microshift-observability/ | ||
| ExecStartPre=+/bin/chmod 755 /etc/pki/microshift-observability |
There was a problem hiding this comment.
| ExecStartPre=+/bin/mkdir -p /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/cp /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.crt /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/chown -R observability /etc/pki/microshift-observability | |
| ExecStartPre=+/bin/chmod -R 600 /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/chmod 755 /etc/pki/microshift-observability | |
| ExecStartPre=+/bin/mkdir -p -m 755 /etc/pki/microshift-observability/ | |
| ExecStartPre=+/bin/install -o observability -m 600 /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.key /etc/pki/microshift-observability/client.key | |
| ExecStartPre=+/bin/install -o observability -m 600 /var/lib/microshift/certs/kube-apiserver-localhost-signer/observability/client.crt /etc/pki/microshift-observability/client.crt |
|
/retitle NO-ISSUE: OpenTelemetry certificates and service for MicroShift |
openshift-ci
bot
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@copejon: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@copejon: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| # specifies how frequently the conditions for compaction are being checked | ||
| check_interval: 5s # Default | ||
|
|
||
| service: |
There was a problem hiding this comment.
Docs for internal collector metrics https://opentelemetry.io/docs/collector/internal-telemetry/#configure-internal-metrics
it would be good to send them as well so users can monitor the collector.
copejon
changed the title
|
@copejon: This pull request references TRACING-4752 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@copejon: This pull request references TRACING-4752 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
implemented opentelemetry-collector in packaging pipeline. the otel binary is unable to see the cert files, but the config paths are correct and the files exist. file permissions for the observability user have been checked, but are good. WIP Signed-off-by: Jon Cope <[email protected]>
ensure the otelcol process creates necessary dirs added firewall port handling for otel-col exporter Signed-off-by: Jon Cope <[email protected]>
… on the localhost Signed-off-by: Jon Cope <[email protected]>
Signed-off-by: Jon Cope <[email protected]>
… to allow the collection of pod logs from the host filesystem Signed-off-by: Jon Cope <[email protected]>
copejon
force-pushed
the
no-issue-generate-otel-cert
branch
from
fa4f579 to
fede276
Compare
Which issue(s) this PR addresses:
Closes #