feat(ibmcloud): add otelcol-contrib filelog collector to IBM Power and IBM Z

Installs and configures the OpenTelemetry Collector contrib distribution
on both IBM Power (ppc64le) and IBM Z (s390x) instances when --otel-app-code,
--otel-auth-token, and --otel-index are all provided.

Collector configuration:
- Three filelog receivers: syslog, secure/auth, and audit logs
- Operators: move log.file.path to _sourceName, remove log.file.name,
  timestamp parsing for syslog/secure receivers
- Splunk routing attributes per receiver: index, _sourceCategory, _sourceHost
- Resource processor: appcode, arch (hardcoded per platform), auth token,
  and optional extra attributes via --otel-extra-attrs
- Auth token isolated in a 0600 EnvironmentFile; config.yaml is 0640
- IBM Z user_data wrapped in MIME multipart for cloud-init compatibility

Other fixes folded in:
- Remove deprecated otelcol metrics.address field
- Remove redhat.com from NO_PROXY
- Harden waitForInstance: return error on timeout, use mCtx.Context()
  for cancellation, replace fmt.Println with logging.Infof
- Extract shared NewSecurityGroupWithSSH and NewFloatingIP helpers into
  the network package; remove unused constants package
- Fix SA4004 staticcheck: replace unconditionally-terminated loop in
  power.New() with explicit empty-check and index access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adrianriobo

.golangci.yml

@@ -5,8 +5,6 @@ run:
   skip-dirs:
     - vendor
     - tools/vendor
-  skip-files:
-    - pkg/provider/ibmcloud/action/powervs/powervs.go
   concurrency: 1
 
 linters:

Makefile

@@ -12,6 +12,8 @@ CIRRUS_CLI ?= v0.165.2
 GITHUB_RUNNER ?= 2.334.0
 # renovate: datasource=gitlab-releases depName=gitlab-org/gitlab-runner
 GITLAB_RUNNER ?= 18.11.3
+# renovate: datasource=github-releases depName=open-telemetry/opentelemetry-collector-releases
+OTELCOL_VERSION ?= 0.151.0
 
 # Go and compilation related variables
 GOPATH ?= $(shell go env GOPATH)
@@ -25,7 +27,9 @@ MODULEPATH = $(ORG)/mapt
 VERSION_VARIABLES := -X $(MODULEPATH)/pkg/manager/context.OCI=$(IMG) \
 	-X $(MODULEPATH)/pkg/integrations/cirrus.version=$(CIRRUS_CLI) \
 	-X $(MODULEPATH)/pkg/integrations/github.runnerVersion=$(GITHUB_RUNNER) \
-	-X $(MODULEPATH)/pkg/integrations/gitlab.version=$(GITLAB_RUNNER)
+	-X $(MODULEPATH)/pkg/integrations/gitlab.version=$(GITLAB_RUNNER) \
+	-X $(MODULEPATH)/pkg/provider/ibmcloud/action/ibm-power.otelColVersion=$(OTELCOL_VERSION) \
+	-X $(MODULEPATH)/pkg/provider/ibmcloud/action/ibm-z.otelColVersion=$(OTELCOL_VERSION)
 LDFLAGS := $(VERSION_VARIABLES) ${GO_EXTRA_LDFLAGS}
 GCFLAGS := all=-N -l
 GOOS := $(shell go env GOOS)

cmd/mapt/cmd/ibmcloud/hosts/ibm-power.go

@@ -58,6 +58,11 @@ func ibmPowerCreate() *cobra.Command {
 					PIPrivateSubnetID: viper.GetString(params.PIPrivateSubnetID),
 					WorkspaceID:       viper.GetString(params.WorkspaceID),
 					VPCPublicSubnetID: viper.GetString(params.VPCPublicSubnetID),
+					OtelAppCode:       viper.GetString(params.OtelAppCode),
+					OtelAuthToken:     viper.GetString(params.OtelAuthToken),
+					OtelEndpoint:      viper.GetString(params.OtelEndpoint),
+					OtelIndex:          viper.GetString(params.OtelIndex),
+					OtelExtraAttrs:     viper.GetStringMapString(params.OtelExtraAttrs),
 				})
 		},
 	}
@@ -67,6 +72,11 @@ func ibmPowerCreate() *cobra.Command {
 	flagSet.StringP(params.PIPrivateSubnetID, "", "", params.PIPrivateSubnetIDDesc)
 	flagSet.StringP(params.WorkspaceID, "", "", params.WorkspaceIDDesc)
 	flagSet.StringP(params.VPCPublicSubnetID, "", "", params.VPCPublicSubnetIDDesc)
+	flagSet.StringP(params.OtelAppCode, "", "", params.OtelAppCodeDesc)
+	flagSet.StringP(params.OtelAuthToken, "", "", params.OtelAuthTokenDesc)
+	flagSet.StringP(params.OtelEndpoint, "", "https://otel-input.corp.redhat.com", params.OtelEndpointDesc)
+	flagSet.StringP(params.OtelIndex, "", "", params.OtelIndexDesc)
+	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
 	c.PersistentFlags().AddFlagSet(flagSet)

cmd/mapt/cmd/ibmcloud/hosts/ibm-z.go

@@ -55,14 +55,24 @@ func ibmZCreate() *cobra.Command {
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&ibmz.ZArgs{
-					SubnetID: viper.GetString(params.SubnetID),
+					SubnetID:      viper.GetString(params.SubnetID),
+					OtelAppCode:   viper.GetString(params.OtelAppCode),
+					OtelAuthToken: viper.GetString(params.OtelAuthToken),
+					OtelEndpoint:  viper.GetString(params.OtelEndpoint),
+					OtelIndex:      viper.GetString(params.OtelIndex),
+					OtelExtraAttrs: viper.GetStringMapString(params.OtelExtraAttrs),
 				})
 		},
 	}
 	flagSet := pflag.NewFlagSet(params.CreateCmdName, pflag.ExitOnError)
 	flagSet.StringP(params.ConnectionDetailsOutput, "", "", params.ConnectionDetailsOutputDesc)
 	flagSet.StringToStringP(params.Tags, "", nil, params.TagsDesc)
 	flagSet.StringP(params.SubnetID, "", "", params.SubnetIDDesc)
+	flagSet.StringP(params.OtelAppCode, "", "", params.OtelAppCodeDesc)
+	flagSet.StringP(params.OtelAuthToken, "", "", params.OtelAuthTokenDesc)
+	flagSet.StringP(params.OtelEndpoint, "", "https://otel-input.corp.redhat.com", params.OtelEndpointDesc)
+	flagSet.StringP(params.OtelIndex, "", "", params.OtelIndexDesc)
+	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
 	c.PersistentFlags().AddFlagSet(flagSet)

cmd/mapt/cmd/params/params.go

@@ -134,6 +134,17 @@ const (
 	VPCPublicSubnetID     string = "vpc-public-subnet-id"
 	VPCPublicSubnetIDDesc string = "ID of an existing VPC subnet (with public gateway, connected to Transit Gateway) for the SSH bastion"
 
+	OtelAppCode       string = "otel-app-code"
+	OtelAppCodeDesc   string = "OpenTelemetry appcode identifier (e.g. MAPT-001); when set together with --otel-auth-token, installs the otelcol-contrib filelog collector on the instance"
+	OtelAuthToken     string = "otel-auth-token"
+	OtelAuthTokenDesc string = "OpenTelemetry authentication token (UUID) used to authenticate against the OTLP endpoint"
+	OtelEndpoint      string = "otel-endpoint"
+	OtelEndpointDesc  string = "OTLP HTTP endpoint to export logs to"
+	OtelIndex          string = "otel-index"
+	OtelIndexDesc      string = "Splunk index name for log routing (e.g. rh_linux)"
+	OtelExtraAttrs     string = "otel-extra-attrs"
+	OtelExtraAttrsDesc string = "Additional resource attributes to attach to all otelcol log records (key=value pairs)"
+
 	// Kind
 	KindCmd                   = "kind"
 	KindCmdDesc               = "Manage a Kind cluster. This is not intended for production use"

docs/ibmcloud/ibm-power.md

@@ -21,6 +21,7 @@ On first boot, cloud-init automatically configures the PowerVS instance for on-p
 
 | Variable | Required | Description |
 |---|---|---|
+| `IBMCLOUD_ACCOUNT` | yes | IBM Cloud account ID |
 | `IBMCLOUD_API_KEY` | yes | IBM Cloud API key |
 | `IC_REGION` | yes | IBM Cloud region (e.g. `us-south`, `us-east`) |
 
@@ -41,6 +42,9 @@ Flags:
   -h, --help                                 help for create
       --it-cirrus-pw-labels stringToString   additional labels to use on the persistent worker (--it-cirrus-pw-labels key1=value1,key2=value2) (default [])
       --it-cirrus-pw-token string            Add mapt target as a cirrus persistent worker. The value will hold a valid token to be used by cirrus cli to join the project.
+      --otel-app-code string                 OpenTelemetry appcode identifier (e.g. MAPT-001); when set together with --otel-auth-token, installs the otelcol-contrib filelog collector on the instance
+      --otel-auth-token string               OpenTelemetry authentication token (UUID) used to authenticate against the OTLP endpoint
+      --otel-endpoint string                 OTLP HTTP endpoint to export logs to (default "https://otel-input.corp.redhat.com")
       --pi-private-subnet-id string          ID of an existing Power VS private subnet to attach the instance to
       --tags stringToString                  tags to add on each resource (--tags name1=value1,name2=value2) (default [])
       --vpc-public-subnet-id string          ID of an existing VPC subnet (with public gateway, connected to Transit Gateway) for the SSH bastion
@@ -110,6 +114,26 @@ podman run -d --name ibm-power \
             --pi-private-subnet-id <private-subnet-id>
 ```
 
+## OpenTelemetry log collection
+
+When both `--otel-app-code` and `--otel-auth-token` are provided, cloud-init installs `otelcol-contrib` on the PowerVS instance at first boot and configures it to ship `/var/log/messages` and `/var/log/secure` to the OTLP endpoint.
+
+```bash
+podman run -d --name ibm-power \
+        -v ${PWD}:/workspace:z \
+        -e IBMCLOUD_API_KEY=XXX \
+        -e IC_REGION=us-south \
+        quay.io/redhat-developer/mapt:v0.8.0 ibmcloud ibm-power create \
+            --project-name ibm-power \
+            --backed-url file:///workspace \
+            --conn-details-output /workspace \
+            --workspace-id <workspace-id> \
+            --pi-private-subnet-id <private-subnet-id> \
+            --vpc-public-subnet-id <vpc-subnet-id> \
+            --otel-app-code MAPT-001 \
+            --otel-auth-token <uuid-token>
+```
+
 ## Destroy
 
 ```bash

docs/ibmcloud/ibm-z.md

@@ -11,6 +11,7 @@ Two networking modes are supported:
 
 | Variable | Required | Description |
 |---|---|---|
+| `IBMCLOUD_ACCOUNT` | yes | IBM Cloud account ID |
 | `IBMCLOUD_API_KEY` | yes | IBM Cloud API key |
 | `IC_REGION` | yes | IBM Cloud region (e.g. `us-south`, `us-east`) |
 | `IC_ZONE` | only without `--subnet-id` | Availability zone (e.g. `us-south-2`) |
@@ -32,6 +33,9 @@ Flags:
   -h, --help                                 help for create
       --it-cirrus-pw-labels stringToString   additional labels to use on the persistent worker (--it-cirrus-pw-labels key1=value1,key2=value2) (default [])
       --it-cirrus-pw-token string            Add mapt target as a cirrus persistent worker. The value will hold a valid token to be used by cirrus cli to join the project.
+      --otel-app-code string                 OpenTelemetry appcode identifier (e.g. MAPT-001); when set together with --otel-auth-token, installs the otelcol-contrib filelog collector on the instance
+      --otel-auth-token string               OpenTelemetry authentication token (UUID) used to authenticate against the OTLP endpoint
+      --otel-endpoint string                 OTLP HTTP endpoint to export logs to (default "https://otel-input.corp.redhat.com")
       --subnet-id string                     ID of an existing VPC subnet to deploy the instance into (optional)
       --tags stringToString                  tags to add on each resource (--tags name1=value1,name2=value2) (default [])
 
@@ -90,6 +94,24 @@ podman run -d --name ibm-z \
             --conn-details-output /workspace
 ```
 
+## OpenTelemetry log collection
+
+When both `--otel-app-code` and `--otel-auth-token` are provided, cloud-init installs `otelcol-contrib` on the instance at first boot and configures it to ship `/var/log/syslog` and `/var/log/auth.log` to the OTLP endpoint.
+
+```bash
+podman run -d --name ibm-z \
+        -v ${PWD}:/workspace:z \
+        -e IBMCLOUD_API_KEY=XXX \
+        -e IC_REGION=us-south \
+        quay.io/redhat-developer/mapt:v0.8.0 ibmcloud ibm-z create \
+            --project-name ibm-z \
+            --backed-url file:///workspace \
+            --conn-details-output /workspace \
+            --subnet-id <subnet-id> \
+            --otel-app-code MAPT-001 \
+            --otel-auth-token <uuid-token>
+```
+
 ## Destroy
 
 ```bash

pkg/provider/ibmcloud/action/ibm-power/cloud-config

@@ -1,6 +1,149 @@
 #cloud-config
+{{- if and .AppCode .OtelAuthToken .OtelIndex}}
+write_files:
+  - path: /etc/otelcol-contrib/config.yaml
+    permissions: '0640'
+    content: |
+      receivers:
+        filelog/syslog:
+          include:
+          - /var/log/messages
+          start_at: end
+          include_file_path: true
+          include_file_name: true
+          exclude_older_than: 24h
+          operators:
+          - type: move
+            id: move_to_source_name
+            from: attributes["log.file.path"]
+            to: attributes["_sourceName"]
+          - type: remove
+            id: remove_file_name
+            field: attributes["log.file.name"]
+          - type: time_parser
+            id: parse_timestamp
+            layout: '%b %e %H:%M:%S'
+            parse_from: body
+            on_error: send
+          attributes:
+            index: "{{.OtelIndex}}"
+            _sourceCategory: syslog
+            _sourceHost: ${env:HOSTNAME}
+        filelog/secure:
+          include:
+          - /var/log/secure
+          start_at: end
+          include_file_path: true
+          include_file_name: true
+          exclude_older_than: 24h
+          operators:
+          - type: move
+            id: move_to_source_name
+            from: attributes["log.file.path"]
+            to: attributes["_sourceName"]
+          - type: remove
+            id: remove_file_name
+            field: attributes["log.file.name"]
+          - type: time_parser
+            id: parse_timestamp
+            layout: '%b %e %H:%M:%S'
+            parse_from: body
+            on_error: send
+          attributes:
+            index: "{{.OtelIndex}}"
+            _sourceCategory: secure
+            _sourceHost: ${env:HOSTNAME}
+        filelog/audit:
+          include:
+          - /var/log/audit/audit.log
+          start_at: end
+          include_file_path: true
+          include_file_name: true
+          exclude_older_than: 24h
+          operators:
+          - type: move
+            id: move_to_source_name
+            from: attributes["log.file.path"]
+            to: attributes["_sourceName"]
+          - type: remove
+            id: remove_file_name
+            field: attributes["log.file.name"]
+          attributes:
+            index: "{{.OtelIndex}}"
+            _sourceCategory: audit
+            _sourceHost: ${env:HOSTNAME}
+      processors:
+        filter/drop_null_bytes:
+          logs:
+            log_record:
+              - 'IsMatch(body, "^\x00+$")'
+        batch:
+          timeout: "1s"
+          send_batch_size: 1024
+        resource:
+          attributes:
+            - key: appcode
+              value: "{{.AppCode}}"
+              action: upsert
+            - key: com.redhat.otel.auth_token
+              value: "${env:OTEL_AUTH_TOKEN}"
+              action: upsert
+            - key: arch
+              value: "{{.OtelArch}}"
+              action: upsert
+{{- range $k, $v := .OtelExtraAttrs}}
+            - key: {{$k}}
+              value: "{{$v}}"
+              action: upsert
+{{- end}}
+      exporters:
+        otlphttp:
+          endpoint: "{{.OtelEndpoint}}"
+          tls:
+            insecure_skip_verify: true
+      service:
+        telemetry:
+          logs:
+            level: "fatal"
+          metrics:
+            level: "basic"
+        pipelines:
+          logs:
+            receivers: [filelog/syslog, filelog/secure, filelog/audit]
+            processors: [filter/drop_null_bytes, resource, batch]
+            exporters: [otlphttp]
+  - path: /etc/otelcol-contrib/auth_token
+    permissions: '0600'
+    content: |
+      OTEL_AUTH_TOKEN={{.OtelAuthToken}}
+  - path: /etc/systemd/system/otelcol-contrib.service.d/capabilities.conf
+    permissions: '0644'
+    content: |
+      [Service]
+      AmbientCapabilities=CAP_DAC_READ_SEARCH
+      Environment="HOSTNAME=%H"
+      EnvironmentFile=/etc/otelcol-contrib/auth_token
+{{- end}}
 runcmd:
   - |
     IFACE=$(ip route show default | awk '/default/ {print $5; exit}')
     ip route add 10.0.0.0/8 via {{.Gateway}} dev "$IFACE" 2>/dev/null || true
     echo "10.0.0.0/8 via {{.Gateway}}" > "/etc/sysconfig/network-scripts/route-$IFACE"
+{{- if and .AppCode .OtelAuthToken .OtelIndex}}
+  - |
+    PROXY_URL=""
+    if ! curl -sf --connect-timeout 5 --head {{.OtelEndpoint}} > /dev/null 2>&1; then
+      PROXY_URL="http://squid.corp.redhat.com:3128"
+    fi
+    RPM_URL="https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v{{.OtelColVersion}}/otelcol-contrib_{{.OtelColVersion}}_linux_ppc64le.rpm"
+    HTTPS_PROXY="$PROXY_URL" curl -fsSL -o /tmp/otelcol-contrib.rpm "$RPM_URL"
+    rpm -i /tmp/otelcol-contrib.rpm
+    rm -f /tmp/otelcol-contrib.rpm
+    chown -R otelcol-contrib:otelcol-contrib /etc/otelcol-contrib
+    if [ -n "$PROXY_URL" ]; then
+      printf '[Service]\nEnvironment="HTTPS_PROXY=%s/"\nEnvironment="NO_PROXY=10.*,192.168.*,localhost,127.0.0.1"\n' "$PROXY_URL" \
+        > /etc/systemd/system/otelcol-contrib.service.d/proxy.conf
+    fi
+    systemctl daemon-reload
+    systemctl enable --now otelcol-contrib
+{{- end}}