Enhance README clarity and remove unused OpenTelemetry config (#182)

matteogastaldello · web-flow · commit 562005d95e4c · 2026-04-29T11:24:15.000+02:00
* docs: update README to enhance clarity and structure of CDC documentation

* chore: remove unused resource detection and attributes processors from OpenTelemetry config

* docs: enhance README with detailed key features and security design
diff --git a/README.md b/README.md
@@ -1,287 +1,20 @@
-# Composition Dynamic Controller
-The composition-dynamic-controller is an operator that is instantiated by the [core-provider](https://github.com/krateoplatformops/core-provider) to manage the Custom Resources whose Custom Resource Definition is generated by the core-provider.
+# Composition Dynamic Controller (CDC)
 
-## Summary
+The **Composition Dynamic Controller (CDC)** is the execution engine of Krateo. It is a specialized operator that manages the full lifecycle of Helm-based services by watching and reconciling `Composition` resources.
 
-- [Composition Dynamic Controller](#composition-dynamic-controller)
-  - [Summary](#summary)
-  - [Architecture](#architecture)
-  - [Workflow](#workflow)
-    - [Composition Dynamic Controller (CDC) \& Chart Inspector: Secure Helm Lifecycle Management](#composition-dynamic-controller-cdc--chart-inspector-secure-helm-lifecycle-management)
-      - [Core CDC Workflow (with Chart Inspector Integration)](#core-cdc-workflow-with-chart-inspector-integration)
-    - [Key Capabilities Enabled by This Collaboration](#key-capabilities-enabled-by-this-collaboration)
-    - [Why This Architecture Matters](#why-this-architecture-matters)
-    - [Real-World Example: Handling a Breaking Chart Change](#real-world-example-handling-a-breaking-chart-change)
-  - [Helm Release Name Logic](#helm-release-name-logic)
-    - [Prior Versions (\<= 0.19.9)](#prior-versions--0199)
-    - [Subsequent Versions (\>= 0.20.0)](#subsequent-versions--0200)
-  - [Composition Dynamic Controller Values Injection](#composition-dynamic-controller-values-injection)
-    - [About the `gracefullyPaused` value](#about-the-gracefullypaused-value)
-  - [Configuration](#configuration)
-    - [Operator Env Vars](#operator-env-vars)
+## Key Features
 
-  
+- **Lifecycle Orchestration**: Manages the end-to-end deployment, updates, and deletion of services based on Helm charts.
+- **Dynamic Reconciliation**: Automatically reconciles resource states, ensuring the live cluster matches the desired state defined in the `Composition`.
+- **Chart Inspector Integration**: Leverages the Krateo Chart Inspector for secure dry-runs, ensuring chart validity and resource safety before application.
 
-## Architecture
+## Security & Operational Design
 
-![composition-dynamic-controller architecture](_diagrams/architecture.png "composition-dynamic-controller Architecture")
+- **RBAC Enforcement**: Provisions specific, fine-grained RBAC policies for each managed composition, enforcing least-privilege principles at the instance level.
+- **Graceful Lifecycle Management**: Supports advanced management features like service pausing/resuming and controlled Helm release versioning.
+- **Observability**: Built-in support for OpenTelemetry to monitor reconciliation health and performance metrics.
 
-## Workflow
+## Documentation
 
-![composition-dynamic-controller State Diagram](_diagrams/composition-dynamic-controller-flow.png "composition-dynamic-controller  State Diagram")
-
-### Composition Dynamic Controller (CDC) & Chart Inspector: Secure Helm Lifecycle Management
-
-The **Composition Dynamic Controller (CDC)** is a specialized Kubernetes operator that orchestrates the end-to-end lifecycle of Krateo compositions. Acting as the reconciliation engine for Composition custom resources, it bridges declarative application definitions with Helm’s packaging system through intelligent automation. The **Chart Inspector** serves as its "safety advisor," enabling proactive decision-making via dry-run analysis.
-
-#### Core CDC Workflow (with Chart Inspector Integration)
-1. **Reconciliation Trigger**  
-   - Watches for changes to `Composition` CRs or Helm chart versions.  
-   - Invokes the **Chart Inspector** to simulate installations/upgrades *before* execution.
-
-2. **Dry-Run Analysis Phase** (*Chart Inspector*)  
-   ```bash
-   helm install --dry-run=server <chart> --version <ver>  # Returns:
-   ```
-   - **Resource Manifest List**: All Kubernetes objects (Deployments, CRDs, etc.) the chart would create along with filename to .  
-   - **Dependency Graph**: Order of operations (e.g., CRDs before custom resources).
-
-3. **RBAC Auto-Provisioning** (*CDC*)  
-   - Dynamically generates **least-privilege** Roles/ClusterRoles based on the Inspector’s output.  
-   - Ensures the CDC’s service account has *exactly* the permissions needed—no more, no less.
-
-4. **Atomic Execution** (*CDC*)  
-   - Proceeds with `helm install/upgrade` *only* after successful dry-run and RBAC setup.  
-
----
-
-### Key Capabilities Enabled by This Collaboration
-
-| **Feature**                | **CDC’s Role**                          | **Chart Inspector’s Contribution**                  |
-|----------------------------|-----------------------------------------|----------------------------------------------------|
-| **Version-Sensitive Reconciliation** | Detects chart version drift; rolls forward/back. | Identifies version-specific resource changes during dry-run. |
-| **Atomic Upgrades**         | Ensures all-or-nothing upgrades.        | Pre-flights resource compatibility (e.g., CRD schema changes). |
-| **Self-Healing**            | Corrects configuration drift.           | Provides baseline "desired state" for comparison.   |
-| **Declarative Enforcement** | Continuously reconciles actual vs. desired state. | Supplies the desired state *before* cluster changes. |
-| **Secure RBAC**             | Generates minimal required permissions. | Audits chart manifests for required API operations. |
-
----
-
-### Why This Architecture Matters
-1. **Safety Net**  
-   - The Chart Inspector’s dry-run prevents "helm surprises" (e.g., undeclared CRD creations or namespace pollution).  
-   - Example: Blocks a chart upgrade if the new version requires a `ClusterRole` the CDC isn’t authorized to manage.
-
-2. **GitOps Compliance**  
-   - The CDC enforces *declarative intent* by reconciling against the dry-run’s output, not just Helm’s last-applied state.  
-   - Self-healing kicks in if manual changes violate the composition’s definition.
-
-3. **Multi-Tenancy Ready**  
-   - RBAC is scoped per-composition, isolating teams/projects.  
-   - The Inspector’s resource listing ensures no cross-tenant leakage (e.g., a composition can’t create resources in forbidden namespaces).
-
----
-
-### Real-World Example: Handling a Breaking Chart Change
-1. **Scenario**: A Helm chart v1.2.0 introduces a new `CustomResourceDefinition` (CRD).  
-2. **CDC+Inspector Flow**:  
-   - **Dry-run** detects the new CRD and its required API group permissions.  
-   - **CDC** creates a `ClusterRole` granting `create/get/list` for the CRD.  
-   - **Upgrade** proceeds *only after* the CRD and RBAC are confirmed active.  
-3. **Result**: Zero downtime; no "helm upgrade failed: CRD missing" errors.
-
-
----
-
-## Helm Release Name Logic
-
-The logic used by the **`composition-dynamic-controller`** to determine the Helm release name has evolved to better handle multi-tenancy and character limits.
-
----
-
-### Prior Versions (<= 0.19.9)
-
-In these versions, the release name was determined by:
-
-1. The value of the **label** `krateo.io/release-name` (if set).
-2. The **Composition resource name** (as a fallback).
-
----
-
-### Versions 0.20.0 to 0.20.2
-
-Starting with v0.20.0, the logic shifted to ensure uniqueness across different namespaces:
-
-1. If the **annotation** `krateo.io/release-name` is set, its value is used.
-2. Otherwise, the name is generated as: `{composition.metadata.name}-{composition.metadata.uid[:8]}`.
-
-> [!IMPORTANT]
-> Because the UID suffix adds 9 characters (hyphen + 8-char UID) and Helm limits release names to **53 characters**, the `metadata.name` of a Composition cannot exceed **44 characters**.
-
----
-
-### Versions 0.20.3+ (Configurable Logic)
-
-Starting from **v0.20.3**, the environment variable `COMPOSITION_CONTROLLER_SAFE_RELEASE_NAME` allows you to toggle between modern and legacy naming conventions.
-
-#### Default Behavior (`true`)
-
-The controller appends the **UID suffix** to ensure uniqueness across namespaces. This is the recommended setting to prevent Helm naming collisions when identical Composition names exist in different namespaces.
-
-#### Legacy Behavior (`false`)
-
-The controller reverts to the logic used prior to v0.20.0. The release name is determined by:
-
-1. The value of the `krateo.io/release-name` **annotation** (if set).
-2. The **Composition resource name**.
-
-> [!CAUTION]
-> **Disabling this option is highly discouraged.** While it provides backward compatibility for charts with strict character length limits, it removes the uniqueness guarantee. Creating Compositions with the same name in different namespaces will cause release name collisions and failed Helm operations. It's up to the administrator to enforce a policy between users of composition name uniqueness to mitigate the risk.
-
----
-
-### Comparison Summary (v0.20.3+)
-
-| `SAFE_RELEASE_NAME` | Source | UID Suffix | Collision Risk | Max Name Length |
-| --- | --- | --- | --- | --- |
-| **`true` (Default)** | Name + UID | Included | Negligible | 44 Characters |
-| **`false`** | Annotation/Name | Excluded | **High** | 53 Characters |
-
----
-
-
-## Composition Dynamic Controller Values Injection
-
-The composition-dynamic-controller inject labels and values into the installed resources and in the helm chart release values. This values contains informations about the composition resource associated with the helm release.
-The values are injected in the following way:
-
-| Helm Chart Release Values | Installed Resources Labels | Description |
-|:--------------------------|:---------------------------|:------------|
-| `global.compositionId`    | `krateo.io/composition-id` | The composition resource uid |
-| `global.compositionName`  | `krateo.io/composition-name` | The composition resource name |
-| `global.compositionNamespace` | `krateo.io/composition-namespace` | The composition resource namespace |
-| `global.compositionInstalledVersion` | `krateo.io/composition-installed-version` | The version of the composition resource installed. This value changes if the chart version is upgraded |
-| `global.compositionApiVersion` | not injected | The api version of the composition resource. This values is deprecated but is mainteined for backward compatibility. |
-| `global.compositionGroup` | `krateo.io/composition-group` | The group of the composition resource. |
-| `global.compositionResource` | `krateo.io/composition-resource` | The plural name of the composition resource. |
-| `global.compositionKind` | `krateo.io/composition-kind` | The kind of the composition resource. |
-| `global.krateoNamespace` | `krateo.io/krateo-namespace` | The namespace where Krateo is installed. This value is used to identify the Krateo resources in the cluster. |
-| `global.gracefullyPaused`| not injected | This value is set to `true` if the annotation `krateo.io/gracefully-paused` is set on the composition resource. This value is used to pause the reconciliation of the composition resource only after the value is injected in the helm release values with a successful helm upgrade. Read the [paragraph below](#about-the-gracefullypaused-value) for more details. |
-
-### About the `gracefullyPaused` value
-
-The `global.gracefullyPaused` value provides a way to gracefully pause both the composition resource and all Krateo resources within its Helm chart.
-
-#### How it works:
-1. **Trigger**: Set the annotation `krateo.io/gracefully-paused` on the composition resource
-2. **Activation**: The pause takes effect only after the next successful Helm upgrade injects this value into the chart
-3. **Scope**: Pauses both the composition reconciliation AND any Krateo resources in the chart that respect the `krateo.io/paused` annotation
-
-#### Use cases:
-- **Graceful pause**: Temporarily halt all composition-related activity without resource deletion
-- **Coordinated pause**: Ensure both the composition and its managed resources pause simultaneously
-- **Safe maintenance**: Pause operations during maintenance windows
-
-#### Comparison with `krateo.io/paused`:
-
-| Annotation | Scope | When it takes effect |
-|------------|-------|---------------------|
-| `krateo.io/gracefully-paused` | Composition + chart resources | After next Helm upgrade |
-| `krateo.io/paused` | Composition only | Immediately |
-
-**Example**: Use `krateo.io/gracefully-paused` when you need to pause an entire application stack, or `krateo.io/paused` for immediate composition-only pausing.
-
-#### How to include the pause in a resource included in the chart
-
-##### For Krateo resources that support pausing via the `krateo.io/paused` annotation:
-
-To include the pause in a resource included in the chart, you can use the `krateo.io/paused` annotation on the resource. This will ensure that the resource is paused when the composition is paused.
-
-```yaml
-apiVersion: git.krateo.io/v1alpha1
-kind: Repo
-metadata:
-  name: {{ include "fireworks-app.fullname" . }}-repo
-  labels:
-    {{- include "fireworks-app.labels" . | nindent 4 }}
-  annotations:
-    krateo.io/paused: "{{ default false (and .Values.global .Values.global.gracefullyPaused) }}"
-spec:
-...
-```
-
-##### For non-Krateo resources:
-> **NOTE:** Operators implemented without the Krateo runtime may handle "pause" semantics differently (different annotation keys, immediate vs. delayed behavior, or custom fields). Before templating a pause for a non‑Krateo controller, review that operator's API and controller behavior and adapt the Helm template to map `global.gracefullyPaused` to the operator's expected pause mechanism.
-
-
-This is an example of how to include the pause in a non-Krateo resource included in the chart. In this case, we use an ArgoCD Application as an example.
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: {{ .Release.Name }}
-  namespace: {{ .Values.argocd.namespace }}
-  labels:
-    {{- include "github-scaffolding.labels" . | nindent 4 }}
-spec:
-  project: {{ .Values.argocd.application.project | default "default" }}
-  source:
-    repoURL: {{ include "github-scaffolding.toRepoUrl" . }}
-    targetRevision: {{ .Values.git.toRepo.branch }}
-    path: {{ .Values.argocd.application.source.path }}
-  destination:
-    server: {{ .Values.argocd.application.destination.server }}
-    namespace: {{ .Values.argocd.application.destination.namespace }}
-
-  {{- /* Normalize flags */ -}}
-  {{- $hasPaused   := and .Values.global (hasKey .Values.global "gracefullyPaused") -}}
-  {{- $paused      := and $hasPaused (eq (toString .Values.global.gracefullyPaused) "true") -}}
-  {{- $syncEnabled := default false .Values.argocd.application.syncEnabled -}}
-
-  {{- if $paused }}
-  syncPolicy: {}
-  {{- else if $syncEnabled }}
-  syncPolicy:
-    automated:
-      prune: {{ default false .Values.argocd.application.syncPolicy.automated.prune }}
-      selfHeal: {{ default false .Values.argocd.application.syncPolicy.automated.selfHeal }}
-    syncOptions:
-      - CreateNamespace=true
-  {{- else }}
-  syncPolicy: {}
-  {{- end }}
-```
-The composition-dynamic-controller injects a `global.gracefullyPaused` boolean into Helm release values after a successful upgrade. When `true`, chart templates can use this flag to disable automated behavior for non‑Krateo resources (for example emit `syncPolicy: {}` in an Argo CD Application) and to set `krateo.io/paused` on Krateo resources, ensuring a coordinated pause across the composition and all included resources.
-
-
-
-## Configuration
-
-### Operator Env Vars
-
-These enviroment varibles can be changed in the Deployment of the composition-dynamic-controller we need to tweak.
-
-| Name                                   | Description                | Default Value | Notes         |
-|:---------------------------------------|:---------------------------|:--------------|:--------------|
-| COMPOSITION_CONTROLLER_DEBUG           | dump verbose output        | false         |               |
-| COMPOSITION_CONTROLLER_WORKERS         | number of workers          | 1             |               |
-| COMPOSITION_CONTROLLER_RESYNC_INTERVAL | resync interval            | 3m            |               |               
-| COMPOSITION_CONTROLLER_GROUP           | resource api group         |               | populated by `core-provider` |
-| COMPOSITION_CONTROLLER_VERSION         | resource api version       |               | populated by `core-provider` |
-| COMPOSITION_CONTROLLER_RESOURCE        | resource plural name       |               | populated by `core-provider` |
-| COMPOSITION_CONTROLLER_SA_NAME         | cdc deployment ServiceAccount name |  | populated by `core-provider` |
-| COMPOSITION_CONTROLLER_SA_NAMESPACE        | cdc deployment ServiceAccount namespace | |populated by `core-provider` |
-| URL_PLURALS                            | NOT USED from version 0.17.1 - URL to krateo pluraliser service | `http://snowplow.krateo-system.svc.cluster.local:8081/api-info/names` | Ignored from version 0.17.1 |
-| URL_CHART_INSPECTOR                    | url to chart inspector   |  `http://chart-inspector.krateo-system.svc.cluster.local:8081/`             |   
-| KRATEO_NAMESPACE                       | namespace where krateo is installed       |  krateo-system |
-| HELM_REGISTRY_CONFIG_PATH | NOT USED from version '1.0.0' - default helm config path | /tmp |
-| HELM_MAX_HISTORY | Max Helm History | 3 |
-| COMPOSITION_CONTROLLER_MAX_ERROR_RETRY_INTERVAL | The maximum interval between retries when an error occurs. This should be less than the half of the poll interval. |  60s |
-| COMPOSITION_CONTROLLER_MIN_ERROR_RETRY_INTERVAL | The minimum interval between retries when an error occurs. This should be less than max-error-retry-interval. | 1s |
-| COMPOSITION_CONTROLLER_MAX_ERROR_RETRIES | The maximum number of retries when an error occurs. Set to 0 to disable retries. | 5 |
-| COMPOSITION_CONTROLLER_METRICS_SERVER_PORT | The port where the metrics server will be listening. If not set, the metrics server is disabled. |  |
-| COMPOSITION_CONTROLLER_SAFE_RELEASE_NAME | If disabled the randmom suffix is not appended in the Helm release name. This can be useful for avoid having problems with complex helm charts. The use of this option is highly discouraged, as it can lead to release name collisions. | true |
-| OTEL_ENABLED | Enable OpenTelemetry metrics export | false |
-| OTEL_EXPORTER_OTLP_ENDPOINT | OTLP HTTP endpoint where metrics are sent | `http://localhost:4318` |
-| OTEL_EXPORT_INTERVAL | Interval at which metrics are exported | 30s |
+For detailed guides, architecture diagrams, and full reference, visit the official documentation:
+👉 **[https://docs.krateo.io](https://docs.krateo.io/key-concepts/kco/cdc/overview)**
diff --git a/telemetry/otelcol-values.yaml b/telemetry/otelcol-values.yaml
@@ -11,37 +11,14 @@ config:
           endpoint: 0.0.0.0:4318
   processors:
     batch: {}
-    resourcedetection:
-      detectors: [k8s, env]
-      timeout: 2s
-      override: true
-    attributes:
-      actions:
-        - key: k8s_pod_name
-          from_attribute: k8s.pod.name
-          action: upsert
-        - key: k8s_namespace_name
-          from_attribute: k8s.namespace.name
-          action: upsert
-        - key: k8s_deployment_name
-          from_attribute: k8s.deployment.name
-          action: upsert
-        - key: k8s_statefulset_name
-          from_attribute: k8s.statefulset.name
-          action: upsert
-    resource:
-      attributes:
-        - key: deployment.environment
-          value: production
-          action: insert
   exporters:
     prometheus:
       endpoint: 0.0.0.0:9464
   service:
     pipelines:
       metrics:
         receivers: [otlp]
-        processors: [resourcedetection, attributes, batch, resource]
+        processors: [batch]
         exporters: [prometheus]
 
 ports:
@@ -54,13 +31,4 @@ ports:
     enabled: true
     containerPort: 9464
     servicePort: 9464
-    protocol: TCP
-
-serviceMonitor:
-  enabled: true
-  metricsEndpoints:
-    - port: prom-metrics
-      interval: 30s
-      scrapeTimeout: 10s
-  extraLabels:
-    release: monitoring-stack
+    protocol: TCP
