refactor: transition billing-usage-collector from OTLP push to Kubernetes log tailing via Vector's kubernetes_logs source

Author: JoseSzycho

config/tools/billing-usage-collector/kustomization.yaml

@@ -38,30 +38,46 @@ helmCharts:
             path: "/logs"
             decoding:
               codec: json
-          # Envoy Gateway pushes access logs here via its OpenTelemetry access
-          # log sink (OTLP). The JSON access log fields arrive as OTLP log-record
-          # attributes (i.e. under `.attributes.*`). This is the real ingestion
-          # path for live traffic; the `nso_logs` http_server above is only used
-          # by the e2e test to inject hand-crafted log lines.
+          # Envoy Gateway writes access logs to stdout via its File access log
+          # sink (path: /dev/stdout), exactly as the production downstream
+          # gateway EnvoyProxy does. The node-local Vector agent tails the
+          # container log files through the kubernetes_logs source -- the real,
+          # file-based ingestion path for live traffic. The JSON access log
+          # line arrives as a string in `.message`. The `nso_logs` http_server
+          # above is only used by the e2e test to inject hand-crafted log lines.
           envoy_access_logs:
-            type: opentelemetry
-            grpc:
-              address: "0.0.0.0:4317"
-            http:
-              address: "0.0.0.0:4318"
+            type: kubernetes_logs
+            # Only tail the Envoy proxy pods; their access logs live on the
+            # `envoy` container's stdout. Other namespaces/containers are
+            # ignored so the agent does not parse unrelated cluster logs.
+            extra_field_selector: "metadata.namespace=envoy-gateway-system"
+            # Re-scan for new container log files every 2s instead of the 60s
+            # default so the agent picks up freshly-created Envoy proxy pods
+            # quickly -- the e2e test provisions a gateway and verifies within a
+            # short window.
+            glob_minimum_cooldown_ms: 2000
         transforms:
           parse_nso_logs:
             type: remap
             inputs:
               - nso_logs
-              - envoy_access_logs.logs
+              - envoy_access_logs
             source: |
-              # The OpenTelemetry source (Envoy push) nests the access log fields
-              # under `.attributes`; the http_server source (e2e test injection)
-              # delivers them at the top level. Normalize both to top-level fields
-              # so the rest of this transform is source-agnostic.
-              if exists(.attributes) {
-                . = object(.attributes) ?? .
+              # The kubernetes_logs source (Envoy File sink -> stdout) delivers
+              # the raw access log line as a string in `.message`; parse it as
+              # JSON and lift the fields to the top level. The http_server source
+              # (e2e test injection) already delivers them at the top level.
+              # Normalize both so the rest of this transform is source-agnostic.
+              # Lines that are not JSON (e.g. Envoy startup logs) are dropped.
+              if is_string(.message) {
+                # `.message` is known to be a string inside this guard, so
+                # string!() never actually aborts (hence Vector's harmless
+                # "can't abort infallible function" compile warning).
+                parsed, err = parse_json(string!(.message))
+                if err != null {
+                  abort
+                }
+                . = object(parsed) ?? {}
               }
 
               parsed_route, err = parse_regex(.route_name, r'^httproute/(?P<namespace>[^/]+)/(?P<name>[^/]+)')
@@ -219,7 +235,12 @@ helmCharts:
               mountPath: /var/lib/vector
       podSecurityContext:
         runAsUser: 1000
-        runAsGroup: 1000
+        # Primary GID 0 (root group) so the kubernetes_logs source can read the
+        # Envoy container logs: the kubelet writes them as root:root with
+        # /var/log/pods at 0750 and each 0.log at 0640 -- both group-readable by
+        # the root group only. We keep runAsUser 1000 / runAsNonRoot: true so the
+        # process is still a non-root user; only the supplemental group is root.
+        runAsGroup: 0
         runAsNonRoot: true
       securityContext:
         allowPrivilegeEscalation: false
@@ -243,16 +264,5 @@ helmCharts:
             port: 9881
             protocol: TCP
             targetPort: 9881
-          # OTLP endpoints for Envoy Gateway's OpenTelemetry access log sink.
-          # internalTrafficPolicy: Local keeps each Envoy pod talking to the
-          # Vector agent on its own node.
-          - name: otlp-grpc
-            port: 4317
-            protocol: TCP
-            targetPort: 4317
-          - name: otlp-http
-            port: 4318
-            protocol: TCP
-            targetPort: 4318
       podMonitor:
         enabled: true

test/e2e/billing/chainsaw-test.yaml

@@ -156,20 +156,17 @@ spec:
                   accessLog:
                     settings:
                       - sinks:
-                          # File sink: the test still scrapes stdout to derive the
+                          # File sink only -- identical to the production
+                          # downstream gateway EnvoyProxy. Envoy writes the JSON
+                          # access log to stdout; the node-local Vector agent
+                          # tails the container log file (kubernetes_logs source)
+                          # and emits the CloudEvents. This exercises the real,
+                          # file-based production ingestion path -- no OTLP push.
+                          # The test also scrapes the same stdout to derive the
                           # expected metric values (bytes, duration, project_name).
                           - type: File
                             file:
                               path: /dev/stdout
-                          # OpenTelemetry sink: Envoy pushes the access log to the
-                          # node-local Vector agent automatically, exercising the
-                          # real production ingestion path (no manual forwarding).
-                          - type: OpenTelemetry
-                            openTelemetry:
-                              host: billing-usage-collector-vector.billing-system.svc.cluster.local
-                              port: 4317
-                              resources:
-                                service.name: nso-httproute-signals
                         format:
                           type: JSON
                           json:
@@ -545,10 +542,11 @@ spec:
                 curl -kvf -H \"Host: ${PRIMARY_HOSTNAME}\" -d 'hello world' http://\${GATEWAY_SERVICE_NAME}.\${GATEWAY_SERVICE_NAMESPACE}.svc.cluster.local/delay/2; \
               "
 
-        # Verify Vector emitted the CloudEvents. Envoy pushed the access log to
-        # Vector automatically via its OpenTelemetry sink when the request above
-        # was served, so this step only derives the expected values and polls the
-        # mock billing gateway for the result.
+        # Verify Vector emitted the CloudEvents. Envoy wrote the access log to
+        # stdout via its File sink when the request above was served, and the
+        # node-local Vector agent tailed the container log file (kubernetes_logs
+        # source) automatically, so this step only derives the expected values
+        # and polls the mock billing gateway for the result.
         - script:
             timeout: 45s
             cluster: nso-infra
@@ -559,16 +557,20 @@ spec:
               # =====================================================================
               # Validates the full HTTP metering pipeline, end to end:
               #
-              #   Envoy access log  --(OTLP push)-->  Vector opentelemetry source
-              #        |                                   |
-              #        | (also written to stdout for       | (VRL transform fans the
-              #        |  capturing expected values)       |  log record out into
-              #        v                                   v  CloudEvents)
-              #   captured here (STEP 1-2)          mock-billing-gateway (STEP 4)
+              #   Envoy access log  --(File sink -> stdout)-->  container log file
+              #        |                                            |
+              #        | (captured here for                         | (Vector agent
+              #        |  expected values)                          |  kubernetes_logs
+              #        |                                            |  source tails it,
+              #        |                                            |  VRL transform fans
+              #        v                                            v  it into CloudEvents)
+              #   captured here (STEP 1-2)               mock-billing-gateway (STEP 4)
               #
-              # Envoy pushes the access log to Vector automatically (OpenTelemetry
-              # sink on custom-proxy-config -> billing-usage-collector-vector:4317)
-              # when the request is served -- the test does NOT forward it manually.
+              # Envoy writes the access log to stdout (File sink on
+              # custom-proxy-config, path: /dev/stdout) when the request is
+              # served; the node-local Vector agent tails the container log file
+              # automatically -- the test does NOT forward it manually. This is
+              # the same file-based ingestion path as the production gateway.
               #
               # A single access log line is expected to produce FOUR CloudEvents,
               # one per usage dimension, all sharing the same subject
@@ -627,11 +629,12 @@ spec:
               echo "  - Project name (expected): $PROJECT_NAME"
 
               # --- STEP 3: (no manual forwarding) --------------------------------
-              # The request above already caused Envoy to push this access log to
-              # Vector automatically via its OpenTelemetry sink (custom-proxy-config
-              # -> billing-usage-collector-vector:4317). Vector's VRL transform
-              # parses it and emits the four CloudEvents to the mock-billing-gateway
-              # sink, so there is nothing to POST here -- we just poll for the result.
+              # The request above already caused Envoy to write this access log to
+              # stdout via its File sink (custom-proxy-config, path: /dev/stdout).
+              # The node-local Vector agent tails the Envoy container log file via
+              # its kubernetes_logs source, and Vector's VRL transform parses it
+              # and emits the four CloudEvents to the mock-billing-gateway sink, so
+              # there is nothing to POST here -- we just poll for the result.
 
               # --- STEP 4: verify the CloudEvents the mock billing gateway received
               # Poll the mock gateway's request log (Vector may take a moment to