TRACING-4752: Add OpenTelemetry-Collector as optional sub-package

assets/optional/observability/00-namespace.yaml

@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: openshift-observability

assets/optional/observability/01-service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-observability
+  name: openshift-observability-client

assets/optional/observability/02-cluster-role.yaml

@@ -0,0 +1,66 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: openshift-observability-client
+rules:
+  # OpenTelemetry Component: kubeletstats receiver
+  - apiGroups: [""]
+    resources: ["nodes/stats"]
+    verbs: ["get"]
+  # OpenTelemetry Component: k8s_event receiver
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    - namespaces
+    - namespaces/status
+    - nodes
+    - nodes/spec
+    - pods
+    - pods/status
+    - replicationcontrollers
+    - replicationcontrollers/status
+    - resourcequotas
+    - services
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    - deployments
+    - replicasets
+    - statefulsets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    - deployments
+    - replicasets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - batch
+    resources:
+    - jobs
+    - cronjobs
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch

assets/optional/observability/03-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: openshift-observability-client
+  namespace: openshift-observability
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openshift-observability-client
+subjects:
+  - kind: User
+    name: openshift-observability-client

assets/optional/observability/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - 00-namespace.yaml
+  - 01-service-account.yaml
+  - 02-cluster-role.yaml
+  - 03-cluster-role-binding.yaml

packaging/observability/90-enable-microshift-observability.preset

@@ -0,0 +1 @@
+enable microshift-observability.service

packaging/observability/microshift-observability.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=MicroShift Observability
+After=microshift.service
+PartOf=microshift.service
+AssertPathExists=/var/lib/microshift/resources/observability-client/kubeconfig
+
+[Service]
+Environment=KUBECONFIG=/var/lib/microshift/resources/observability-client/kubeconfig
+Environment=K8S_NODE_NAME="%l"
+ExecStart=/usr/bin/opentelemetry-collector --config=/etc/microshift/opentelemetry-collector.yaml
+Restart=always
+User=root
+
+[Install]
+RequiredBy=microshift.service

packaging/observability/opentelemetry-collector.yaml

@@ -0,0 +1,97 @@
+# Opentelemetry-collector.yaml provides a minimal set of metrics and logs for monitoring system, node, and
+# workload resource usage for CPU, Memory, Disk, and Network. Included also are all cluster events of "Warning" type.
+
+# This configuration exports:
+# - Container, Pod, and Node metrics
+# - Kubernetes Events (Warnings only)
+# - Host's CPU, Mem, Disk, and Network Metrics
+# - System journals for selected MicroShift services and dependencies, priority < Info
+
+receivers:
+  kubeletstats:
+    auth_type: tls
+    ca_file: /var/lib/microshift/certs/ca-bundle/client-ca.crt
+    key_file: /var/lib/microshift/certs/admin-kubeconfig-signer/openshift-observability-client/client.key
+    cert_file: /var/lib/microshift/certs/admin-kubeconfig-signer/openshift-observability-client/client.crt
+    insecure_skip_verify: true
+    collection_interval: 20s
+    endpoint: "${env:K8S_NODE_NAME}:10250"
+    node: ${env:K8S_NODE_NAME}
+    k8s_api_config:
+      auth_type: kubeConfig
+  k8s_events:
+    auth_type: kubeConfig
+  hostmetrics:
+    root_path: /
+    collection_interval: 10s
+    scrapers:
+      cpu:
+      memory:
+      network:
+      disk:
+      filesystem:
+  journald:
+    units:
+      - microshift
+      - microshift-observability
+      - microshift-etcd
+      - crio
+      - openvswitch.service
+      - ovsdb-server.service
+      - ovs-vswitchd.service
+processors:
+  batch:
+  resourcedetection/system:
+    detectors: [ "system" ]
+    system:
+      hostname_sources: [ "os" ]
+
+exporters:
+  otlp:
+    sending_queue:
+      storage: file_storage
+    # Endpoint must point to an ip or hostname and port of an otlp service. Here, the K8S_NODE_NAME is used because it
+    # will be resolved to the local node's hostname automatically. An unreachable endpoint will reported in the logs
+    # of the microshift-observability service.
+    endpoint: ${env:K8S_NODE_NAME}:4317
+    tls:
+      insecure: true
+
+extensions:
+  file_storage:
+    directory: /var/lib/microshift-observability
+
+service:
+  extensions: [ file_storage ]
+  pipelines:
+    metrics/kubeletstats:
+      receivers: [ kubeletstats ]
+      processors: [ batch ]
+      exporters: [ otlp ]
+    metrics/hostmetrics:
+      receivers: [ hostmetrics ]
+      processors: [ resourcedetection/system, batch ]
+      exporters: [ otlp ]
+    logs/kube_events:
+      receivers: [ k8s_events ]
+      processors: [ resourcedetection/system, batch ]
+      exporters: [ otlp ]
+    logs/host:
+      receivers: [ hostmetrics ]
+      processors: [ resourcedetection/system ]
+      exporters: [ otlp ]
+    logs/journald:
+      receivers: [ journald ]
+      processors: [ resourcedetection/system ]
+      exporters: [ otlp ]
+  telemetry:
+    metrics:
+      readers:
+        - periodic:
+            exporter:
+              otlp:
+                # Endpoint must point to an ip or hostname and port of an otlp service. Here, the K8S_NODE_NAME is used
+                # because it will be resolved to the local node's hostname automatically. An unreachable endpoint will
+                # reported in the logs of the microshift-observability service.
+                protocol: http/protobuf
+                endpoint: http://${env:K8S_NODE_NAME}:4318

packaging/rpm/microshift.spec

@@ -238,6 +238,17 @@ The microshift-ai-model-serving-release-info package provides release informatio
 release. These files contain the list of container image references used by Model Serving
 and can be used to embed those images into osbuilder blueprints or bootc containerfiles.
 
+%package observability
+Summary: OpenTelemetry-Collector configured for MicroShift
+BuildArch: noarch
+Requires: microshift = %{version}
+Requires: opentelemetry-collector
+
+%description observability
+Deploys the Red Hat build of OpenTelemetry-Collector as a systemd service on host. MicroShift provides client
+certificates to permit access to the kube-apiserver metrics endpoints. If a user-defined OpenTelemetry-Collector exists
+at /etc/microshift/opentelemetry-collector.yaml, this config is used. Otherwise, a default config is provided.
+
 %prep
 # Dynamic detection of the available golang version also works for non-RPM golang packages
 golang_detected=$(go version | awk '{print $3}' | tr -d '[a-z]' | cut -f1-2 -d.)
@@ -553,6 +564,15 @@ cat assets/optional/ai-model-serving/runtimes/kustomization.x86_64.yaml >> %{bui
 mkdir -p -m755 %{buildroot}%{_datadir}/microshift/release
 install -p -m644 assets/optional/ai-model-serving/release-ai-model-serving-x86_64.json %{buildroot}%{_datadir}/microshift/release/
 
+#observability
+install -d -m755 %{buildroot}%{_presetdir}
+install -d -m755 %{buildroot}%{_sharedstatedir}/microshift-observability
+install -p -m644 packaging/observability/opentelemetry-collector.yaml -D %{buildroot}%{_sysconfdir}/microshift/opentelemetry-collector.yaml
+install -p -m644 packaging/observability/microshift-observability.service %{buildroot}%{_unitdir}/
+install -p -m644 packaging/observability/90-enable-microshift-observability.preset %{buildroot}%{_presetdir}/
+install -d -m755 %{buildroot}/%{_prefix}/lib/microshift/manifests.d/003-microshift-observability/
+install -p -m644 assets/optional/observability/*.yaml %{buildroot}/%{_prefix}/lib/microshift/manifests.d/003-microshift-observability/
+
 %pre networking
 
 getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
@@ -610,6 +630,12 @@ if [ $1 -eq 1 ]; then
 	systemctl is-active --quiet crio && systemctl restart --quiet crio || true
 fi
 
+%post observability
+%systemd_post microshift-observability.service
+
+%preun observability
+%systemd_preun microshift-observability.service
+
 %files
 %license LICENSE
 %{_bindir}/microshift
@@ -727,10 +753,21 @@ fi
 %files ai-model-serving-release-info
 %{_datadir}/microshift/release/release-ai-model-serving-x86_64.json
 
+%files observability
+%dir %{_prefix}/lib/microshift/manifests.d/003-microshift-observability
+%dir %{_sharedstatedir}/microshift-observability
+%{_unitdir}/microshift-observability.service
+%{_presetdir}/90-enable-microshift-observability.preset
+%{_sysconfdir}/microshift/opentelemetry-collector.yaml
+%{_prefix}/lib/microshift/manifests.d/003-microshift-observability/*
+
 
 # Use Git command to generate the log and replace the VERSION string
 # LANG=C git log --date="format:%a %b %d %Y" --pretty="tformat:* %cd %an <%ae> VERSION%n- %s%n" packaging/rpm/microshift.spec
 %changelog
+* Mon Mar 17 2025 Jon Cope <[email protected]> 4.19.0
+- Add an optional microshift-oservability RPM to enable OpenTelemetry collector preconfigured for MicroShift
+
 * Thu Feb 13 2025 Patryk Matuszak <[email protected]> 4.19.0
 - Add new RPM with AI Model Serving for MicroShift
 

pkg/cmd/init.go

@@ -154,7 +154,15 @@ func certSetup(cfg *config.Config) (*certchains.CertificateChains, error) {
 					ValidityDays: cryptomaterial.LongLivedCertificateValidityDays,
 				},
 				UserInfo: &user.DefaultInfo{Name: "system:admin", Groups: []string{"system:masters"}},
-			}),
+			}).WithClientCertificates(
+			&certchains.ClientCertificateSigningRequestInfo{
+				CSRMeta: certchains.CSRMeta{
+					Name:         "openshift-observability-client",
+					ValidityDays: cryptomaterial.ShortLivedCertificateValidityDays,
+				},
+				UserInfo: &user.DefaultInfo{Name: "openshift-observability-client", Groups: []string{""}},
+			},
+		),
 
 		// kubelet + CSR signing chain
 		certchains.NewCertificateSigner(
@@ -536,6 +544,18 @@ func initKubeconfigs(
 	); err != nil {
 		return err
 	}
+	observabilityClientCertPEM, observabilityClientKeyPEM, err := certChains.GetCertKey("admin-kubeconfig-signer", "openshift-observability-client")
+	if err != nil {
+		return err
+	}
+	if err := util.KubeConfigWithClientCerts(
+		cfg.KubeConfigPath(config.ObservabilityClient),
+		cfg.ApiServer.URL,
+		internalTrustPEM,
+		observabilityClientCertPEM, observabilityClientKeyPEM,
+	); err != nil {
+		return err
+	}
 	return nil
 }
 

pkg/config/kubeconfig.go

@@ -12,6 +12,7 @@ const (
 	Kubelet                 KubeConfigID = "kubelet"
 	ClusterPolicyController KubeConfigID = "cluster-policy-controller"
 	RouteControllerManager  KubeConfigID = "route-controller-manager"
+	ObservabilityClient     KubeConfigID = "observability-client"
 )
 
 // KubeConfigPath returns the path to the specified kubeconfig file.

scripts/auto-rebase/assets.yaml

@@ -294,3 +294,12 @@ assets:
       - file: 05-daemonset.yaml
       - file: release-kube-proxy-aarch64.json
       - file: release-kube-proxy-x86_64.json
+
+  - dir: optional/observability/
+    ignore: "they don't exist in upstream repository - only in microshift"
+    files:
+      - file: 00-namespace.yaml
+      - file: 01-service-account.yaml
+      - file: 02-cluster-role.yaml
+      - file: 03-cluster-role-binding.yaml
+      - file: kustomization.yaml

test/image-blueprints-bootc/layer2-source/group2/rhel96-bootc-source-optionals.containerfile

@@ -21,7 +21,8 @@ RUN dnf repoinfo --enabled && \
         "microshift-ai-model-serving-{{ .Env.SOURCE_VERSION }}" \
         "microshift-ai-model-serving-release-info-{{ .Env.SOURCE_VERSION }}" \
 # {{- end }}
-        "microshift-gateway-api-{{ .Env.SOURCE_VERSION }}" && \
+        "microshift-gateway-api-{{ .Env.SOURCE_VERSION }}" \
+        "microshift-observability-{{ .Env.SOURCE_VERSION }}" && \
     rm -vf /etc/yum.repos.d/microshift-*.repo && \
     rm -rvf $USHIFT_RPM_REPO_PATH && \
     dnf clean all

test/image-blueprints-bootc/layer2-source/group3/cos9-bootc-source-optionals.containerfile

@@ -16,7 +16,8 @@ COPY ./bootc-images/$USHIFT_RPM_REPO_NAME.repo ./bootc-images/microshift-centos9
 RUN dnf repoinfo --enabled && \
     dnf install -y "microshift-olm-{{ .Env.SOURCE_VERSION }}" \
         "microshift-multus-{{ .Env.SOURCE_VERSION }}" \
-        "microshift-gateway-api-{{ .Env.SOURCE_VERSION }}" && \
+        "microshift-gateway-api-{{ .Env.SOURCE_VERSION }}" \
+        "microshift-observability-{{ .Env.SOURCE_VERSION }}" && \
     rm -vf /etc/yum.repos.d/microshift-*.repo && \
     rm -rvf $USHIFT_RPM_REPO_PATH && \
     dnf clean all