TRACING-5814 | RHOSDT 3.9 Document google managed prometheus #104286
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
Skipping CI for Draft Pull Request.
/test all
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
@pavolloffay Should we also document the authentication bits using GCP SA and WIF?
/test all
| exporters: [otlphttp] | ||
| # ... | ||
| ---- | ||
| <1> The `subtract_initial_point` strategy is stateful, requiring the Collector to run as a sidecar to maintain per-pod state. Alternative strategies available; choose the one that best fits your use case. |
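Review bot: In callout 1, "Alternative strategies available; choose the one that best fits your use case" is a sentence fragment and gives the reader neither the names of the alternatives nor a pointer to them. Because the callout ties `subtract_initial_point` to a sidecar deployment through its per-pod state, list the other strategies or link to the processor reference, and say whether they carry the same sidecar requirement.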
🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.
🤖 [error] AsciiDocDITA.ShortDescription: Assign [role="_abstract"] to a paragraph to use it as in DITA.
| mode: sidecar | ||
| config: | ||
| extensions: | ||
| googleclientauth: {} |
@IshwarKanse the extension has a project parameter

> project - The Google Cloud Project telemetry is sent to if the gcp.project.id resource attribute is not set. If unspecified, this is determined using application default credentials.

> If unspecified, this is determined using application default credentials.

What do they mean by this? In OCP context, can it be only specified in GOOGLE_APPLICATION_CREDENTIALS?
The Application Default Credentials (ADC) is Google's credential discovery mechanism that searches for credentials in this order:
1. GOOGLE_APPLICATION_CREDENTIALS environment variable (pointing to a credential JSON file)
2. Local ADC file at ~/.config/gcloud/application_default_credentials.json (created by gcloud auth application-default login)
3. GCP metadata server (for workloads running on Google Cloud infrastructure)
In the OpenShift/Kubernetes context, GOOGLE_APPLICATION_CREDENTIALS is the standard approach, even when running on Google Cloud, because:
- It provides explicit control over which credentials the collector uses
- It's portable across different environments (on-prem, AWS, Azure, GCP, etc.)
- The local ADC file option (#2) is meant for local development, not production containers
- While the metadata server (#3) would work for OpenShift clusters running on GCP, explicitly mounting credentials is the Kubernetes best practice
The GOOGLE_APPLICATION_CREDENTIALS env var should point to one of these credential types:
- Service Account Key JSON:

  ```yaml
  env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: "/etc/google-cloud-sa/sa-key.json"
  ```

- Workload Identity Federation config JSON:

  ```yaml
  env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: "/etc/workload-identity/credential-configuration.json"
  ```
About the project parameter
When we set project in the extension config, it's actually optional because:
- ADC will automatically extract the project ID from the credential file
- It only serves as a fallback when the gcp.project.id resource attribute isn't set
- In my referenced config in the previous comment, we are already setting gcp.project_id via the resource processor, so the extension's project parameter is somewhat redundant
For the documentation, I'd suggest making the project parameter optional and explaining that users can omit it if they're already setting the resource attribute or if they want ADC to auto-detect it from the credentials.
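The lookup order and the two credential file types from the comment above, as an added pre-deployment check (this is not code from the PR, the commenters or the collector project). The function names and the sample files are constructed for illustration; the `type` values `service_account` and `external_account` are the ones Google credential files use.

```python
import json
import os
import tempfile

def resolve_adc_source(env, home, on_gcp):
    """Pick the ADC source in the order listed in the comment above."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        return ("env", path)
    well_known = os.path.join(home, ".config", "gcloud",
                              "application_default_credentials.json")
    if os.path.isfile(well_known):
        return ("gcloud-adc-file", well_known)
    return ("metadata-server", None) if on_gcp else ("none", None)

def classify_credential_file(path):
    """Summarise a credential JSON file without echoing secret material."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    kind = doc.get("type")
    return {
        "type": kind,
        # A service account key embeds a long-lived private key; a WIF
        # (external_account) file only describes where to obtain a token.
        "long_lived_key": kind == "service_account" and "private_key" in doc,
        # None means the file names no project, so the project has to be
        # supplied elsewhere (extension setting or resource attribute).
        "project_id": doc.get("project_id"),
    }

def _write(directory, name, doc):
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    return path

# Constructed sample files; every value below is a placeholder.
_tmp = tempfile.mkdtemp()
SA_KEY = _write(_tmp, "sa-key.json", {
    "type": "service_account", "project_id": "example-project",
    "private_key": "PLACEHOLDER-NOT-A-KEY"})
WIF_CFG = _write(_tmp, "credential-configuration.json", {
    "type": "external_account",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/example/token"}})

if __name__ == "__main__":
    for sample in (SA_KEY, WIF_CFG):
        print(os.path.basename(sample), classify_credential_file(sample))
```

The constructed WIF sample carries no `project_id`, which is the case where relying on auto-detection from the file is worth verifying before omitting the project setting.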
Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
/test all
| # ... | ||
| ---- | ||
|
|
||
| <1> The Google Cloud Project telemetry is sent to if the `gcp.project.id` resource attribute is not set. If unspecified, this is determined using application default credentials. |
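Review bot: Callout 1 opens with a sentence that is hard to parse ("The Google Cloud Project telemetry is sent to if ..."). Suggest "The Google Cloud project that telemetry is sent to when the `gcp.project.id` resource attribute is not set", and state that the field is optional, as proposed in the review thread.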
🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.
/test all
| exporters: [otlphttp] | ||
| # ... | ||
| ---- | ||
| <1> The environment variable `GOOGLE_APPLICATION_CREDENTIALS` can be configured to use the traditional secret or use the workload identity federation (WIF). This specific example uses WIF. |
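Review bot: "the traditional secret" in callout 1 does not tell the reader what to mount. Name it as a service account key JSON file, state that `GOOGLE_APPLICATION_CREDENTIALS` holds the path to a credential file in both cases, and change "use the workload identity federation (WIF)" to "use workload identity federation (WIF)".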
🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.
@pavolloffay: all tests passed! Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Version(s):
RHOSDT 3.9
OCP 4.12-4.21 (all supported OCP versions at the merge time)
Issue:
https://issues.redhat.com/browse/TRACING-5814
Link to docs preview:
QE review:
Additional information:
OTELcol 0.142.0
https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/CHANGELOG.md#-breaking-changes-