Skip to content

Run otel collector on gateway VMSS#4876

Merged
hlipsig merged 17 commits into
masterfrom
tsatam/run-otel-collector-on-gateway
Jun 11, 2026
Merged

Run otel collector on gateway VMSS#4876
hlipsig merged 17 commits into
masterfrom
tsatam/run-otel-collector-on-gateway

Conversation

@tsatam

@tsatam tsatam commented Jun 8, 2026

Copy link
Copy Markdown
Member

Which issue this PR addresses:

Fixes no Jira

What this PR does / why we need it:

Updates the Gateway VMSS deployment to run an instance of the otel-collector, set up to ingest logs from ARO clusters and forward to MDSD.

Test plan for issue:

  • Existing unit and E2E tests continue to pass
  • Deployment in int has been validated to work successfully before merge and cause no regressions
  • Further validation post-merge in staging environment deployments

Is there any documentation that needs to be updated for this PR?

Yes, will be in a future change

How do you know this will function as expected in production?

Above testing and validation

@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

otlp/cluster-mdsd:
endpoint: localhost:2020
tls:
insecure: true

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intentional insecure?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This communication is between the otel and mdsd containers running directly on the VMSS instance, over localhost. We can enable TLS for this communication but it will require additional configuration of all components.

Comment thread pkg/env/env.go
@@ -64,8 +64,10 @@ const (
PortalServerClientSecretName = "portal-client"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

want to add these to devconfig as well? We don't really maintain it, but might be useful.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The full-service env will likely require an alternative implementation of this (e.g. forwarding logs directly into an Azure Monitor workspace). Since that env is currently non-functional I'll leave this for a follow-up action.

protocols:
grpc:
endpoint: 0.0.0.0:4317
middlewares:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The receivers.otlp.protocols.grpc block includes middlewares and auth.authenticator fields that belong on the service pipeline or extension config, not the receiver; this will likely fail collector config validation.

@tsatam tsatam marked this pull request as ready for review June 10, 2026 20:12
Copilot AI review requested due to automatic review settings June 10, 2026 20:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Gateway VMSS deployment pipeline to run an OpenTelemetry (OTel) Collector on gateway instances, ingest cluster logs over OTLP, and forward them to a colocated “cluster-mdsd” (GIG bridge mode) for Geneva/MDSD forwarding.

Changes:

  • Adds new gateway deployment/config parameters for cluster MDSD (account/namespace/config version) and the gateway OTel collector image.
  • Extends gateway VMSS bootstrap to pull/run new containers (gateway-otel-collector, cluster-mdsd), open required ports, and refresh TLS credentials from Key Vault.
  • Updates gateway ARM resources to expose OTLP (4317) via the internal load balancer and add an OTel health probe.

Reviewed changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pkg/env/env.go Adds constants for the gateway OTel TLS secret name and key vault suffix.
pkg/deploy/generator/templates_gateway.go Registers new gateway template parameters needed to deploy the OTel collector + cluster-mdsd.
pkg/deploy/generator/scripts/util-services.sh Adds systemd+podman service definitions for gateway-otel-collector and cluster-mdsd, plus cert refresh/watch logic for gateway-otel.
pkg/deploy/generator/scripts/gatewayVMSS.sh Extends gateway VMSS bootstrap to pull/run the new containers, open ports, and provide OTel + cluster-mdsd config.
pkg/deploy/generator/resources_gateway.go Adds LB rule for OTLP 4317 and an HTTP probe for the OTel collector health endpoint.
pkg/deploy/devconfig.go Extends dev config to include the new otelClusterMdsdConfigVersion value.
pkg/deploy/config.go Adds required deploy config fields for gateway OTel collector image and cluster-mdsd config versioning.
pkg/deploy/assets/gateway-production.json Updates the generated gateway production ARM template to include new params and LB resources.
pkg/deploy/assets/gateway-production-parameters.json Updates the parameters file with the new required parameters.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/deploy/generator/scripts/gatewayVMSS.sh Outdated
Comment thread pkg/deploy/devconfig.go
Comment thread pkg/deploy/generator/resources_gateway.go
Comment thread pkg/deploy/generator/scripts/gatewayVMSS.sh

@hlipsig hlipsig left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hlipsig hlipsig merged commit d535a38 into master Jun 11, 2026
31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants