[LFXv2-608] Add OpenTelemetry tracing support

.github/workflows/ko-build-branch.yaml

@@ -35,7 +35,14 @@ jobs:
           container_tag=$(echo "$HEAD_REF" | sed 's/[^_0-9a-zA-Z]/-/g' | cut -c -127)
           echo tag="$container_tag" >> "$GITHUB_OUTPUT"
       - name: Build auth-service for PR
+        env:
+          VERSION: ${{ steps.container_tag.outputs.tag }}
+          GIT_COMMIT: ${{ github.sha }}
         run: |
+          BUILD_TIME=$(date -u '+%Y-%m-%d_%H:%M:%S')
+          export BUILD_TIME
+          GIT_COMMIT=${GIT_COMMIT:0:7}
+          export GIT_COMMIT
           ko build github.com/linuxfoundation/lfx-v2-auth-service/cmd/server \
             -B \
             --platform linux/amd64,linux/arm64 \

.github/workflows/ko-build-main.yaml

@@ -27,7 +27,15 @@ jobs:
       - uses: ko-build/setup-ko@v0.8
         with:
           version: v0.17.1
-      - run: |
+      - name: Build and publish auth-service image
+        env:
+          VERSION: development
+          GIT_COMMIT: ${{ github.sha }}
+        run: |
+          BUILD_TIME=$(date -u '+%Y-%m-%d_%H:%M:%S')
+          export BUILD_TIME
+          GIT_COMMIT=${GIT_COMMIT:0:7}
+          export GIT_COMMIT
           ko build github.com/linuxfoundation/lfx-v2-auth-service/cmd/server \
             -B \
             --platform linux/amd64,linux/arm64 \

.github/workflows/ko-build-tag.yaml

@@ -54,7 +54,14 @@ jobs:
           version: v0.17.1
 
       - name: Build and publish auth-service image
+        env:
+          VERSION: ${{ steps.prepare.outputs.app_version }}
+          GIT_COMMIT: ${{ github.sha }}
         run: |
+          BUILD_TIME=$(date -u '+%Y-%m-%d_%H:%M:%S')
+          export BUILD_TIME
+          GIT_COMMIT=${GIT_COMMIT:0:7}
+          export GIT_COMMIT
           ko build github.com/linuxfoundation/lfx-v2-auth-service/cmd/server \
             -B \
             --platform linux/amd64,linux/arm64 \

.ko.yaml

@@ -0,0 +1,9 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+builds:
+  - id: server
+    dir: ./cmd/server
+    ldflags:
+      - -X=main.Version={{.Env.VERSION}}
+      - -X=main.BuildTime={{.Env.BUILD_TIME}}
+      - -X=main.GitCommit={{.Env.GIT_COMMIT}}

charts/lfx-v2-auth-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-auth-service
 description: LFX Platform V2 Auth Service chart
 type: application
-version: 0.3.4
+version: 0.3.5
 appVersion: "latest"

charts/lfx-v2-auth-service/templates/deployment.yaml

@@ -35,6 +35,59 @@ spec:
               {{- toYaml $config.valueFrom | nindent 14 }}
             {{- end }}
           {{- end }}
+          {{- with .Values.app.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- $otelServiceName := .Values.app.otel.serviceName | toString | trim }}
+          {{- if ne $otelServiceName "" }}
+          - name: OTEL_SERVICE_NAME
+            value: {{ $otelServiceName | quote }}
+          {{- end }}
+          {{- $otelServiceVersion := .Values.app.otel.serviceVersion | toString | trim }}
+          {{- if ne $otelServiceVersion "" }}
+          - name: OTEL_SERVICE_VERSION
+            value: {{ $otelServiceVersion | quote }}
+          {{- end }}
+          {{- $otelEndpoint := .Values.app.otel.endpoint | toString | trim }}
+          {{- if ne $otelEndpoint "" }}
+          - name: OTEL_EXPORTER_OTLP_ENDPOINT
+            value: {{ $otelEndpoint | quote }}
+          {{- end }}
+          {{- $otelProtocol := .Values.app.otel.protocol | toString | trim }}
+          {{- if ne $otelProtocol "" }}
+          - name: OTEL_EXPORTER_OTLP_PROTOCOL
+            value: {{ $otelProtocol | quote }}
+          {{- end }}
+          {{- $otelInsecure := .Values.app.otel.insecure | toString | trim }}
+          {{- if ne $otelInsecure "" }}
+          - name: OTEL_EXPORTER_OTLP_INSECURE
+            value: {{ $otelInsecure | quote }}
+          {{- end }}
+          {{- $otelTracesExporter := .Values.app.otel.tracesExporter | toString | trim }}
+          {{- if ne $otelTracesExporter "" }}
+          - name: OTEL_TRACES_EXPORTER
+            value: {{ $otelTracesExporter | quote }}
+          {{- end }}
+          {{- $otelTracesSampleRatio := .Values.app.otel.tracesSampleRatio | toString | trim }}
+          {{- if ne $otelTracesSampleRatio "" }}
+          - name: OTEL_TRACES_SAMPLE_RATIO
+            value: {{ $otelTracesSampleRatio | quote }}
+          {{- end }}
+          {{- $otelMetricsExporter := .Values.app.otel.metricsExporter | toString | trim }}
+          {{- if ne $otelMetricsExporter "" }}
+          - name: OTEL_METRICS_EXPORTER
+            value: {{ $otelMetricsExporter | quote }}
+          {{- end }}
+          {{- $otelLogsExporter := .Values.app.otel.logsExporter | toString | trim }}
+          {{- if ne $otelLogsExporter "" }}
+          - name: OTEL_LOGS_EXPORTER
+            value: {{ $otelLogsExporter | quote }}
+          {{- end }}
+          {{- $otelPropagators := .Values.app.otel.propagators | toString | trim }}
+          {{- if ne $otelPropagators "" }}
+          - name: OTEL_PROPAGATORS
+            value: {{ $otelPropagators | quote }}
+          {{- end }}
           ports:
             - containerPort: {{ .Values.service.port }}
               name: web

charts/lfx-v2-auth-service/values.yaml

@@ -138,3 +138,41 @@ app:
       value: authelia-users
     AUTHELIA_OIDC_USERINFO_URL:
       value: https://auth.k8s.orb.local/api/oidc/userinfo
+  # extraEnv allows injecting additional environment variables before
+  # other configurations
+  extraEnv: []
+  # otel is the configuration for OpenTelemetry tracing
+  otel:
+    # serviceName is the service name for OpenTelemetry resource identification
+    # (default: "lfx-v2-auth-service")
+    serviceName: ""
+    # serviceVersion is the service version for OpenTelemetry resource
+    # identification
+    # (default: "1.0.0")
+    serviceVersion: ""
+    # protocol specifies the OTLP protocol: "grpc" or "http"
+    # (default: "grpc")
+    protocol: "grpc"
+    # endpoint is the OTLP collector endpoint
+    # For gRPC: typically "host:4317", for HTTP: typically "host:4318"
+    endpoint: ""
+    # insecure disables TLS for the OTLP connection
+    # Set to "true" for in-cluster communication without TLS
+    insecure: "false"
+    # tracesExporter specifies the traces exporter: "otlp" or "none"
+    # (default: "none")
+    tracesExporter: "none"
+    # tracesSampleRatio specifies the sampling ratio for traces (0.0 to 1.0)
+    # A value of 1.0 means all traces are sampled, 0.5 means 50% are sampled
+    # (default: "1.0")
+    tracesSampleRatio: "1.0"
+    # metricsExporter specifies the metrics exporter: "otlp" or "none"
+    # (default: "none")
+    metricsExporter: "none"
+    # logsExporter specifies the logs exporter: "otlp" or "none"
+    # (default: "none")
+    logsExporter: "none"
+    # propagators specifies the propagators to use, comma-separated
+    # Supported values: "tracecontext", "baggage", "jaeger"
+    # (default: "tracecontext,baggage")
+    propagators: "tracecontext,baggage,jaeger"

cmd/server/http.go

@@ -13,6 +13,7 @@ import (
 	authservice "github.com/linuxfoundation/lfx-v2-auth-service/gen/auth_service"
 	authserver "github.com/linuxfoundation/lfx-v2-auth-service/gen/http/auth_service/server"
 
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"goa.design/clue/debug"
 	goahttp "goa.design/goa/v3/http"
 )
@@ -60,6 +61,8 @@ func handleHTTPServer(ctx context.Context, host string, authEndpoints *authservi
 		// Log query and response bodies if debug logs are enabled.
 		handler = debug.HTTP()(handler)
 	}
+	// Wrap the handler with OpenTelemetry instrumentation
+	handler = otelhttp.NewHandler(handler, "auth-service")
 
 	// Start HTTP server using default configuration, change the code to
 	// configure the server as required by your service.

cmd/server/main.go

@@ -18,6 +18,14 @@ import (
 
 	authservice "github.com/linuxfoundation/lfx-v2-auth-service/gen/auth_service"
 	logging "github.com/linuxfoundation/lfx-v2-auth-service/pkg/log"
+	"github.com/linuxfoundation/lfx-v2-auth-service/pkg/utils"
+)
+
+// Build-time variables set via ldflags
+var (
+	Version   = "dev"
+	BuildTime = "unknown"
+	GitCommit = "unknown"
 )
 
 const (
@@ -47,6 +55,28 @@ func main() {
 	flag.Parse()
 
 	ctx := context.Background()
+
+	// Set up OpenTelemetry SDK.
+	// Command-line/environment OTEL_SERVICE_VERSION takes precedence over
+	// the build-time Version variable.
+	otelConfig := utils.OTelConfigFromEnv()
+	if otelConfig.ServiceVersion == "" {
+		otelConfig.ServiceVersion = Version
+	}
+	otelShutdown, err := utils.SetupOTelSDKWithConfig(ctx, otelConfig)
+	if err != nil {
+		slog.ErrorContext(ctx, "error setting up OpenTelemetry SDK", "error", err)
+		os.Exit(1)
+	}
+	// Handle shutdown properly so nothing leaks.
+	defer func() {
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), gracefulShutdownSeconds*time.Second)
+		defer cancel()
+		if shutdownErr := otelShutdown(shutdownCtx); shutdownErr != nil {
+			slog.ErrorContext(ctx, "error shutting down OpenTelemetry SDK", "error", shutdownErr)
+		}
+	}()
+
 	slog.InfoContext(ctx, "Starting auth service",
 		"bind", *bind,
 		"http-port", *port,

go.mod

@@ -11,13 +11,27 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/lestrrat-go/jwx/v2 v2.1.6
 	github.com/nats-io/nats.go v1.45.0
+	github.com/remychantenay/slog-otel v1.3.4
 	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.39.0
+	go.opentelemetry.io/otel v1.40.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0
+	go.opentelemetry.io/otel/log v0.16.0
+	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/sdk/log v0.16.0
+	go.opentelemetry.io/otel/sdk/metric v1.40.0
 	go.yaml.in/yaml/v2 v2.4.2
 	goa.design/clue v1.2.3
 	goa.design/goa/v3 v3.23.3
-	golang.org/x/crypto v0.45.0
-	golang.org/x/oauth2 v0.32.0
-	golang.org/x/sync v0.18.0
+	golang.org/x/crypto v0.47.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.19.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
@@ -26,13 +40,17 @@ require (
 require (
 	github.com/PuerkitoBio/rehttp v1.4.0 // indirect
 	github.com/aws/smithy-go v1.23.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -41,6 +59,7 @@ require (
 	github.com/gohugoio/hashstructure v0.6.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
@@ -57,24 +76,29 @@ require (
 	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.devnw.com/structs v1.0.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
-	google.golang.org/grpc v1.77.0 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/term v0.39.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/api v0.34.1 // indirect