From 38b154547c2961f8cd41931269c557c2acdb62d2 Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Wed, 24 Sep 2025 11:20:24 +0800
Subject: [PATCH] refactor(opentelemetry): enhance RBAC and logging configuration for OpenTelemetry integration
---
 .../templates/devops/opentelemetry-rbac.yaml | 39 ++--
 .../templates/devops/opentelemetry.yaml | 173 +++++++++++-------
 2 files changed, 124 insertions(+), 88 deletions(-)
diff --git a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml
index 2fe8e00e..dd9a5bf2 100644
--- a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml
+++ b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml
@@ -1,40 +1,40 @@ +{{- if .Values.logIngest.enabled }} +--- apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-otel-collector namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector" - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ .Release.Name }}-otel-collector - labels: - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector" - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} rules: - apiGroups: [""] - resources: ["pods", "nodes", "namespaces"] - verbs: ["get", "list", "watch"] + resources: + - pods + - namespaces + - nodes + verbs: + - get + - watch + - list - apiGroups: ["apps"] - resources: ["deployments", "replicasets"] - verbs: ["get", "list", "watch"] + resources: + - replicasets + - deployments + - statefulsets + - daemonsets + verbs: + - get + - watch + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Release.Name }}-otel-collector - labels: - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector" - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole
@@ -43,3 +43,4 @@ subjects: - kind: ServiceAccount name: {{ .Release.Name }}-otel-collector namespace: {{ .Release.Namespace }} +{{- end }}
diff --git a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml
index 05fbede3..e9449099 100644
--- a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml
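Review bot: The ClusterRole is widened to cluster-wide `get`/`list`/`watch` on pods, nodes, namespaces and now `statefulsets` and `daemonsets` as well, while the collector config in the second file of this same commit drops the `k8s_cluster` receiver and leaves only `filelog`, which reads a mounted volume and never calls the API server; as far as this diff shows, the service account needs no API permissions at all. Unless a `k8sattributes` processor or another consumer outside the diff relies on these rules, the ClusterRole and ClusterRoleBinding can be removed, and if a cluster-level read is still required it should be narrowed to the resources actually read rather than extended. The four `app.kubernetes.io/*` labels are also dropped from all three objects, which breaks any label-based selection or ownership tracking of these resources; restoring the previous label block costs nothing. The `{{- if .Values.logIngest.enabled }}` opened here is closed by the `+{{- end }}` in the second hunk.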
+++ b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml 
@@ -8,73 +8,108 @@ spec: mode: sidecar image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest serviceAccount: "{{ .Release.Name }}-otel-collector" - config: | - config: - receivers: - filelog: - include: - - {{ .Values.logIngest.logPathPattern }} - start_at: beginning - include_file_path: false - include_file_name: false - operators: [] - k8s_cluster: - auth_type: serviceAccount - namespaces: [{{ .Release.Namespace }}] - processors: - resource: - attributes: - - action: insert - key: k8s.node.name - value: ${KUBE_META_NODE_NAME} - - action: insert - key: k8s.pod.name - value: ${KUBE_META_POD_NAME} - - action: insert - key: k8s.pod.ip - value: ${KUBE_META_POD_IP} - - action: insert - key: k8s.pod.uid - value: ${KUBE_META_POD_UID} - - action: insert - key: k8s.namespace.name - value: ${KUBE_META_NAMESPACE} - - action: insert - key: k8s.deployment.name - value: ${KUBE_META_OBJECT_NAME} - transform: - log_statements: - - context: log - statements: - - set(resource.attributes["application"], "devops") - - set(resource.attributes["environment"], "{{ .Values.global.environment | default .Release.Namespace }}") - - set(resource.attributes["body_json"], ParseJSON(log.body)) - - set(resource.attributes["body_json"]["kubernetes"]["pod"], resource.attributes["k8s.pod.name"]) - - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"]) - - set(resource.attributes["body_json"]["kubernetes"]["pod_ip"], resource.attributes["k8s.pod.ip"]) - - set(resource.attributes["body_json"]["kubernetes"]["pod_uid"], resource.attributes["k8s.pod.uid"]) - - set(resource.attributes["body_json"]["kubernetes"]["deployment"], resource.attributes["k8s.deployment.name"]) - - set(resource.attributes["body_json"]["kubernetes"]["node"], resource.attributes["k8s.node.name"]) - - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"]) - - set(log.body, 
resource.attributes["body_json"]) - - delete_key(resource.attributes, "body_json") - batch: - send_batch_size: 1 - timeout: 1s - exporters: - otlphttp/logs: - endpoint: {{ .Values.logIngest.lokiEndpoint }}/otlp - tls: - insecure: true - headers: - X-Scope-OrgID: "devops" - service: - telemetry: - logs: - level: info - pipelines: - logs: - receivers: [filelog, k8s_cluster] - processors: [resource, transform, batch] - exporters: [otlphttp/logs] + volumeMounts: + - name: app-logs + mountPath: {{ .Values.logIngest.logPath }} + securityContext: + allowPrivilegeEscalation: true + privileged: true + runAsUser: 0 + runAsGroup: 0 + env: + - name: KUBE_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_META_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBE_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: KUBE_META_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KUBE_META_POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: KUBE_META_OBJECT_NAME + valueFrom: + fieldRef: + fieldPath: metadata.labels['app.kubernetes.io/instance'] + config: + receivers: + filelog: + include: + - {{ .Values.logIngest.logPathPattern }} + start_at: end + include_file_path: false + include_file_name: false + operators: + - type: json_parser + parse_from: body + parse_to: attributes + processors: + resource: + attributes: + - action: insert + key: k8s.node.name + value: ${KUBE_META_NODE_NAME} + - action: insert + key: k8s.pod.name + value: ${KUBE_META_POD_NAME} + - action: insert + key: k8s.pod.ip + value: ${KUBE_META_POD_IP} + - action: insert + key: k8s.pod.uid + value: ${KUBE_META_POD_UID} + - action: insert + key: k8s.namespace.name + value: ${KUBE_META_NAMESPACE} + - action: insert + key: k8s.deployment.name + value: ${KUBE_META_OBJECT_NAME} + transform: + log_statements: + - context: log + statements: + - set(resource.attributes["application"], 
log.attributes["context"]["app"]) + - set(resource.attributes["environment"], log.attributes["context"]["env"]) + - set(resource.attributes["kubernetes_node_name"], resource.attributes["k8s.node.name"]) + - set(resource.attributes["kubernetes_pod_name"], resource.attributes["k8s.pod.name"]) + - set(resource.attributes["kubernetes_pod_ip"], resource.attributes["k8s.pod.ip"]) + - set(resource.attributes["kubernetes_deployment_name"], resource.attributes["k8s.deployment.name"]) + - set(resource.attributes["kubernetes_namespace"], resource.attributes["k8s.namespace.name"]) + - set(resource.attributes["body_json"], ParseJSON(log.body)) + - set(resource.attributes["body_json"]["kubernetes"]["pod"], resource.attributes["k8s.pod.name"]) + - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"]) + - set(resource.attributes["body_json"]["kubernetes"]["pod_ip"], resource.attributes["k8s.pod.ip"]) + - set(resource.attributes["body_json"]["kubernetes"]["pod_uid"], resource.attributes["k8s.pod.uid"]) + - set(resource.attributes["body_json"]["kubernetes"]["deployment"], resource.attributes["k8s.deployment.name"]) + - set(resource.attributes["body_json"]["kubernetes"]["node"], resource.attributes["k8s.node.name"]) + - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"]) + - set(log.body, resource.attributes["body_json"]) + - delete_key(resource.attributes, "body_json") + batch: + send_batch_size: 5 + timeout: 10s + exporters: + otlphttp/logs: + endpoint: {{ .Values.logIngest.lokiEndpoint }}/otlp + tls: + insecure: true + service: + telemetry: + logs: + level: info + pipelines: + logs: + receivers: [filelog] + processors: [resource, transform, batch] + exporters: [otlphttp/logs] {{- end }}
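Review bot: The new `securityContext` runs the sidecar with `privileged: true`, `allowPrivilegeEscalation: true` and uid/gid 0, but all it does is tail files under the `app-logs` volume mount and post them to Loki; a privileged container gets the node's devices and kernel interfaces and defeats the pod boundary, which is far beyond what reading a shared volume needs. Drop `privileged` and `allowPrivilegeEscalation`, drop all capabilities and mount `app-logs` read-only; if the files on the volume are root-owned, `runAsUser: 0` alone (or a pod-level `fsGroup` shared with the app container) is a much smaller grant than privileged mode. Separately, the `X-Scope-OrgID: "devops"` header is removed from `otlphttp/logs` while `tls.insecure: true` stays; if the Loki endpoint runs multi-tenant it will reject requests without that header, so confirm the removal was intended. The `transform` statements also copy per-record values such as `log.attributes["context"]["app"]` into `resource.attributes`, which is shared by every record under the same resource, so with `send_batch_size: 5` the last record appears to label the whole batch. The `spec:` these keys belong to and the `{{- if }}` closed by the trailing `{{- end }}` both begin before the hunk.
```yaml
  volumeMounts:
    - name: app-logs
      mountPath: {{ .Values.logIngest.logPath }}
      readOnly: true
  securityContext:
    allowPrivilegeEscalation: false
    privileged: false
    capabilities:
      drop: ["ALL"]
    # keep root only if the files on app-logs are root-owned; prefer a shared fsGroup otherwise
    runAsUser: 0
    runAsGroup: 0
  # … unchanged: env, config …
```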