distributedtracing: export Prometheus metrics via OTLP#8450
distributedtracing: export Prometheus metrics via OTLP#8450sspaink merged 7 commits intoopen-policy-agent:mainfrom
Conversation
|
Also tested manually tested with Local otel stack: docker-compose: services:
# Jaeger for storing traces
jaeger:
image: jaegertracing/jaeger:2.10.0
ports:
- '16686:16686' # Web UI
- '4317' # OTLP gRPC
- '4318' # OTLP HTTP
# Prometheus for storing metrics
prometheus:
image: prom/prometheus:v3.5.0
ports:
- '9090:9090' # Web UI
- '4318' # OTLP HTTP
command:
- --web.enable-otlp-receiver
# Mirror these flags from the Dockerfile, because `command` overwrites the default flags.
# https://github.com/prometheus/prometheus/blob/5b5fee08af4c73230b2dae35964816f7b3c29351/Dockerfile#L23-L24
- --config.file=/etc/prometheus/prometheus.yml
- --storage.tsdb.path=/prometheus
otel-collector:
image: otel/opentelemetry-collector-contrib:0.135.0
volumes:
- ./otel-collector-config.yml:/etc/otelcol-contrib/config.yaml
ports:
- '4318:4318' # OTLP HTTP ( exposed to the host )
- '4317:4317' # OTLP gRPC ( exposed to the host )
depends_on:
- jaeger
- prometheuotel-config receivers:
otlp:
protocols:
grpc:
endpoint: 0.0.0.0:4317
http:
endpoint: 0.0.0.0:4318
exporters:
otlp/jaeger:
endpoint: jaeger:4317
tls:
insecure: true
otlphttp/prometheus:
endpoint: http://prometheus:9090/api/v1/otlp
debug:
verbosity: detailed
# verbosity: normal
processors:
batch:
extensions:
health_check:
pprof:
zpages:
service:
extensions: [pprof, zpages, health_check]
pipelines:
traces:
receivers: [otlp]
exporters:
- otlp/jaeger
# Enable debug exporter to see traces in the logs
#- debug
processors: [batch]
metrics:
receivers:
- otlp
processors: [batch]
exporters:
- otlphttp/prometheus
# Enable debug exporter to see metrics in the logs
- debug
|
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Munken
force-pushed
the
metrics-via-otlp
branch
3 times, most recently
from
c33a3f6 to
f29dc3c
Compare
docs/docs/configuration.md
Outdated
| service_name: opa | ||
| sample_percentage: 50 | ||
| encryption: "off" | ||
| metrics: false |
There was a problem hiding this comment.
What do you think of changing this to something like metrics_export: "OTLP"? Might be other protocols in the future we could support and using a boolean would force us to add a new config option. Would also be nice if it was more explicit that this config option enables OTLP exporting.
There was a problem hiding this comment.
In that case I would suggest using metrics_export: otlp/grpc or metrics_export: otlp/http. That way it can be enabled without also enabling tracing.
There was a problem hiding this comment.
That seems like a good idea to me 👍
There was a problem hiding this comment.
Found a downside, the type is coupled to the address via the port eg 4317 for grpc and 4318 for http.
So if we want full flexibility to set these independently that it should probably be moved out of the tracing config section.
Alternatively, one could add a metrics_adress but then we are almost there.
There was a problem hiding this comment.
@sspaink I've pushed a new commit that seperates the metrics export from the tracing.
There is some overlap in config though, so I've seperated the shared logic also.
Main downside with this approach is that one has to potentially config TLS twice.
There was a problem hiding this comment.
Having to configure TLS twice isn't great, but I do think this new approach will make it easier to make changes in the future that makes it worth it. Thanks for updating it!
There was a problem hiding this comment.
We could introduce a common section that both inherent from. Would also move the service name there
There was a problem hiding this comment.
Would still need to support the TLS in the tracing section for backwards compatibility though. I don't think it is required for this change so could be in a separate PR. If you are up for the challenge a common section could be helpful.
Add support for pushing OPA's existing Prometheus metrics to an OpenTelemetry collector via OTLP, eliminating the need for a dedicated scraper sidecar. Uses the OTel Prometheus bridge to read from OPA's prometheus.Registry and export through an OTLP metric exporter (gRPC or HTTP), reusing the same address and TLS configuration as traces. New config fields: distributed_tracing.metrics (bool, default false) and distributed_tracing.metrics_export_interval_ms (int, default 60000). Fixes open-policy-agent#7591 Signed-off-by: Michael Munch <mm.munk@gmail.com>
Extract metrics export from distributed_tracing into its own metrics_export config section with independent type (otlp/grpc, otlp/http), address, and TLS settings. This allows exporting Prometheus metrics via OTLP without enabling tracing, and to a different endpoint than traces. - Extract shared TLS helpers into internal/tlsutil - Add MetricsExport field to top-level Config - Create internal/metricsexport package with Init, config parsing - Remove metrics fields from distributedtracing - Update runtime to call metricsexport.Init separately - Move e2e tests to v1/test/e2e/metricsexport - Add Metrics Export section to configuration docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Michael Munch <mm.munk@gmail.com>
Signed-off-by: Michael Munch <mm.munk@gmail.com>
Modules like containerd, go-sqlbuilder, OpenTelemetry, and golang.org/x/* were at older versions than main after a rebase. Upgrade them to match or exceed main. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Michael Munch <mm.munk@gmail.com>
sspaink
left a comment
sspaink
left a comment
There was a problem hiding this comment.
LGTM, thanks for working on this. Just a nit regarding the copyright headers.
Co-authored-by: Sebastian Spaink <sebastianspaink@gmail.com> Signed-off-by: Michael Munch <mm.munk@gmail.com>
Thanks! I applied the suggestion. |
2 participants
Why the changes in this PR are needed?
Users running OPA as a sidecar alongside an OpenTelemetry collector currently need a
dedicated OTel sidecar just to scrape OPA's Prometheus
/metricsendpoint. This PRlets OPA push its Prometheus metrics directly to an OTel collector via OTLP, eliminating
that extra sidecar and simplifying deployment (see #7591).
What are the changes in this PR?
to read from OPA's existing
prometheus.Registryand export metrics through aperiodic OTLP exporter (gRPC or HTTP), reusing the same
distributed_tracingaddress and TLS configuration as traces.
distributed_tracing:metrics(bool, defaultfalse) — opt-in to push Prometheus metrics via OTLP.metrics_export_interval_ms(int, default60000) — interval between exports.Gatherer()on the Prometheus provider so the registry can be passed to the bridge.MeterProvideron server stop.http_request_duration_secondsarrives.configuration.md.Notes to assist PR review:
metrics: falseby default means zero impact on existing deployments.typeis what enables tracing.existing Prometheus metrics rather than rewriting them with the OTel SDK.
metrics_export_interval_msis validated to be a positive value.Further comments:
and understands all changes per the project's
AI guidelines.