refactor(opentelemetry): enhance RBAC and logging configuration for OpenTelemetry integration

2025-09-24 11:20:24 +08:00 · 2025-09-24 11:20:24 +08:00 · 38b154547c
commit 38b154547c
parent 6cd47723bc
2 changed files with 124 additions and 88 deletions
--- a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml
+++ b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry-rbac.yaml
@ -1,40 +1,40 @@
 {{- if .Values.logIngest.enabled }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ .Release.Name }}-otel-collector
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector"
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ .Release.Name }}-otel-collector
  labels:
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector"
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 rules:
  - apiGroups: [""]
-    resources: ["pods", "nodes", "namespaces"]
+    resources:
-    verbs: ["get", "list", "watch"]
+      - pods
      - namespaces
      - nodes
    verbs:
      - get
      - watch
      - list
  - apiGroups: ["apps"]
-    resources: ["deployments", "replicasets"]
+    resources:
-    verbs: ["get", "list", "watch"]
+      - replicasets
      - deployments
      - statefulsets
      - daemonsets
    verbs:
      - get
      - watch
      - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ .Release.Name }}-otel-collector
  labels:
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/name: "{{ .Release.Name }}-otel-collector"
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
@ -43,3 +43,4 @@ subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-otel-collector
    namespace: {{ .Release.Namespace }}
 {{- end }}
--- a/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml
+++ b/freeleaps/helm-pkg/devops/templates/devops/opentelemetry.yaml
@ -8,73 +8,108 @@ spec:
  mode: sidecar
  image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:latest
  serviceAccount: "{{ .Release.Name }}-otel-collector"
-  config: |
+  volumeMounts:
-    config:
+    - name: app-logs
-      receivers:
+      mountPath: {{ .Values.logIngest.logPath }}
-        filelog:
+  securityContext:
-          include:
+    allowPrivilegeEscalation: true
-            - {{ .Values.logIngest.logPathPattern }}
+    privileged: true
-          start_at: beginning
+    runAsUser: 0
-          include_file_path: false
+    runAsGroup: 0
-          include_file_name: false
+  env:
-          operators: []
+    - name: KUBE_META_POD_NAME
-        k8s_cluster:
+      valueFrom:
-          auth_type: serviceAccount
+        fieldRef:
-          namespaces: [{{ .Release.Namespace }}]
+          fieldPath: metadata.name
-      processors:
+    - name: KUBE_META_NAMESPACE
-        resource:
+      valueFrom:
-          attributes:
+        fieldRef:
-            - action: insert
+          fieldPath: metadata.namespace
-              key: k8s.node.name
+    - name: KUBE_META_NODE_NAME
-              value: ${KUBE_META_NODE_NAME}
+      valueFrom:
-            - action: insert
+        fieldRef:
-              key: k8s.pod.name
+          fieldPath: spec.nodeName
-              value: ${KUBE_META_POD_NAME}
+    - name: KUBE_META_POD_IP
-            - action: insert
+      valueFrom:
-              key: k8s.pod.ip
+        fieldRef:
-              value: ${KUBE_META_POD_IP}
+          fieldPath: status.podIP
-            - action: insert
+    - name: KUBE_META_POD_UID
-              key: k8s.pod.uid
+      valueFrom:
-              value: ${KUBE_META_POD_UID}
+        fieldRef:
-            - action: insert
+          fieldPath: metadata.uid
-              key: k8s.namespace.name
+    - name: KUBE_META_OBJECT_NAME
-              value: ${KUBE_META_NAMESPACE}
+      valueFrom:
-            - action: insert
+        fieldRef:
-              key: k8s.deployment.name
+          fieldPath: metadata.labels['app.kubernetes.io/instance']
-              value: ${KUBE_META_OBJECT_NAME}
+  config:
-        transform:
+    receivers:
-          log_statements:
+      filelog:
-            - context: log
+        include:
-              statements:
+          - {{ .Values.logIngest.logPathPattern }}
-                - set(resource.attributes["application"], "devops")
+        start_at: end
-                - set(resource.attributes["environment"], "{{ .Values.global.environment | default .Release.Namespace }}")
+        include_file_path: false
-                - set(resource.attributes["body_json"], ParseJSON(log.body))
+        include_file_name: false
-                - set(resource.attributes["body_json"]["kubernetes"]["pod"], resource.attributes["k8s.pod.name"])
+        operators:
-                - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"])
+          - type: json_parser
-                - set(resource.attributes["body_json"]["kubernetes"]["pod_ip"], resource.attributes["k8s.pod.ip"])
+            parse_from: body
-                - set(resource.attributes["body_json"]["kubernetes"]["pod_uid"], resource.attributes["k8s.pod.uid"])
+            parse_to: attributes
-                - set(resource.attributes["body_json"]["kubernetes"]["deployment"], resource.attributes["k8s.deployment.name"])
+    processors:
-                - set(resource.attributes["body_json"]["kubernetes"]["node"], resource.attributes["k8s.node.name"])
+      resource:
-                - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"])
+        attributes:
-                - set(log.body, resource.attributes["body_json"])
+          - action: insert
-                - delete_key(resource.attributes, "body_json")
+            key: k8s.node.name
-        batch:
+            value: ${KUBE_META_NODE_NAME}
-          send_batch_size: 1
+          - action: insert
-          timeout: 1s
+            key: k8s.pod.name
-      exporters:
+            value: ${KUBE_META_POD_NAME}
-        otlphttp/logs:
+          - action: insert
-          endpoint: {{ .Values.logIngest.lokiEndpoint }}/otlp
+            key: k8s.pod.ip
-          tls:
+            value: ${KUBE_META_POD_IP}
-            insecure: true
+          - action: insert
-          headers:
+            key: k8s.pod.uid
-            X-Scope-OrgID: "devops"
+            value: ${KUBE_META_POD_UID}
-      service:
+          - action: insert
-        telemetry:
+            key: k8s.namespace.name
-          logs:
+            value: ${KUBE_META_NAMESPACE}
-            level: info
+          - action: insert
-        pipelines:
+            key: k8s.deployment.name
-          logs:
+            value: ${KUBE_META_OBJECT_NAME}
-            receivers: [filelog, k8s_cluster]
+      transform:
-            processors: [resource, transform, batch]
+        log_statements:
-            exporters: [otlphttp/logs]
+          - context: log
            statements:
              - set(resource.attributes["application"], log.attributes["context"]["app"])
              - set(resource.attributes["environment"], log.attributes["context"]["env"])
              - set(resource.attributes["kubernetes_node_name"], resource.attributes["k8s.node.name"])
              - set(resource.attributes["kubernetes_pod_name"], resource.attributes["k8s.pod.name"])
              - set(resource.attributes["kubernetes_pod_ip"], resource.attributes["k8s.pod.ip"])
              - set(resource.attributes["kubernetes_deployment_name"], resource.attributes["k8s.deployment.name"])
              - set(resource.attributes["kubernetes_namespace"], resource.attributes["k8s.namespace.name"])
              - set(resource.attributes["body_json"], ParseJSON(log.body))
              - set(resource.attributes["body_json"]["kubernetes"]["pod"], resource.attributes["k8s.pod.name"])
              - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"])
              - set(resource.attributes["body_json"]["kubernetes"]["pod_ip"], resource.attributes["k8s.pod.ip"])
              - set(resource.attributes["body_json"]["kubernetes"]["pod_uid"], resource.attributes["k8s.pod.uid"])
              - set(resource.attributes["body_json"]["kubernetes"]["deployment"], resource.attributes["k8s.deployment.name"])
              - set(resource.attributes["body_json"]["kubernetes"]["node"], resource.attributes["k8s.node.name"])
              - set(resource.attributes["body_json"]["kubernetes"]["namespace"], resource.attributes["k8s.namespace.name"])
              - set(log.body, resource.attributes["body_json"])
              - delete_key(resource.attributes, "body_json")
      batch:
        send_batch_size: 5
        timeout: 10s  
    exporters:
      otlphttp/logs:
        endpoint: {{ .Values.logIngest.lokiEndpoint }}/otlp
        tls:
          insecure: true
    service:
      telemetry:
        logs:
          level: info
      pipelines:
        logs:
          receivers: [filelog]
          processors: [resource, transform, batch]
          exporters: [otlphttp/logs]
 {{- end }}