Skip to content

OLS-3509: Redesign audit CRD and wire app-server OTEL to collector#1830

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
blublinsky:audit-crd-operator
Jul 15, 2026
Merged

OLS-3509: Redesign audit CRD and wire app-server OTEL to collector#1830
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
blublinsky:audit-crd-operator

Conversation

@blublinsky

@blublinsky blublinsky commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

Summary
Redesigns OLSConfig audit configuration for the OTEL Collector epic (OLS-3505) and wires lightspeed-service audit settings accordingly.

  • CRD (spec.audit) — collector-only: logging (*bool, default true) and optional tracingEndpoint. Removes the old service-oriented audit.logging enum and audit.otel block.
  • CRD (spec.ols.auditEventsEnabled) — new *bool field (default true) for stdout compliance audit JSON.
  • CRD (spec.ols.deployment.otelCollector) — deployment overrides for the collector operand (consumed in OLS-3510).
  • App serverbuildServiceAuditConfig maps auditEventsEnabledolsconfig.yaml audit.logging; always sets OTLP export to lightspeed-otel-collector.<ns>.svc:4317 with TLS Secure. Does not read spec.audit.
  • Operator prep — adds --otel-collector-image flag and GetOtelCollectorImage() plumbing for the collector reconciler (OLS-3510).
  • Docs — updates .ai/spec/what/templog.md, audit-logging.md, and crd-api.md.

Out of scope (follow-up PRs)

  • Bundle PRmake bundle, CSV descriptors, related_images.json otel entry, deployment --otel-collector-image
  • OLS-3510+ — collector Deployment/Service/ConfigMap reconciler
  • OLS-3511 — Postgres templogs bootstrap
  • OLS-3512 — agentic pod OTLP log wiring

Type of change

  • Refactor
  • [ x] New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up dependent library

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • New Features

    • Added configurable OpenTelemetry Collector deployment settings, including its container image.
    • Added ols.auditEventsEnabled to control structured audit events on service stdout independently of collector behavior.
    • Added support for external trace forwarding via audit.tracingEndpoint, routed through the collector; in-cluster trace export is always configured.
  • Breaking Changes

    • Removed the previous service-era audit.logging/audit.otel configuration blocks and the spec.templog option.
    • Updated the audit config model (stdout audit vs collector behavior) and corresponding defaults/mapping behavior.

@openshift-ci openshift-ci Bot requested review from bparees and joshuawilson July 14, 2026 12:51
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The PR separates service audit settings from collector configuration, updates the audit CRD contract and generated OLS configuration, documents always-on collector behavior, and adds OTEL collector image configuration through operator and reconciler wiring.

Changes

Audit and OTEL collector configuration

Layer / File(s) Summary
Audit API contract and serialization
.ai/spec/what/crd-api.md, api/v1alpha1/olsconfig_types.go, api/v1alpha1/olsconfig_types_test.go
Audit configuration uses pointer-based logging, tracing endpoints, service audit event controls, and OTEL collector deployment settings; removed OTEL types and JSON behavior are covered by updated tests.
Service audit configuration generation
.ai/spec/what/audit-logging.md, .ai/spec/what/templog.md, internal/controller/appserver/*
Service audit YAML derives logging from spec.ols.auditEventsEnabled and always uses a secure in-cluster OTEL collector endpoint.
Always-on collector behavior
.ai/spec/what/templog.md
Collector deployment, PostgreSQL bootstrap, pipelines, agentic OTLP wiring, configuration surfaces, and constraints now describe the always-on model.
Collector image and reconciler wiring
cmd/main.go, internal/controller/olsconfig_helpers.go, internal/controller/reconciler/interface.go, internal/controller/utils/*
Collector image defaults, CLI overrides, reconciler propagation, accessors, and related tests are added.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Sequence Diagram(s)

sequenceDiagram
  participant OLSConfig
  participant buildServiceAuditConfig
  participant olsconfigYaml
  participant OTELCollector
  OLSConfig->>buildServiceAuditConfig: auditEventsEnabled
  buildServiceAuditConfig->>olsconfigYaml: audit.logging and secure OTLP endpoint
  olsconfigYaml->>OTELCollector: OTLP traces
Loading

Suggested reviewers: bparees, joshuawilson

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: redesigning the audit CRD and wiring OTEL export to the collector.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.ai/spec/what/crd-api.md:
- Around line 224-226: Continue renumbering all subsequent rules after the
quotaHandlersConfig entries to avoid duplicate rule numbers, including shifting
the existing period-pattern and storage rules and every later rule as needed.
Update rule 5’s regex reference to point unambiguously to the renumbered
limitersConfig rule, and preserve sequential numbering throughout the document.
- Around line 38-43: Update rule 54 in .ai/spec/what/crd-api.md to state that
spec.audit always serializes as at least an empty object {} rather than being
omitted; in api/v1alpha1/olsconfig_types.go, update the Audit field’s JSON tag
to remove the inert omitempty while keeping AuditConfig as a value type.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ef1c07a1-40cb-47d5-ab4c-84e037c7f88b

📥 Commits

Reviewing files that changed from the base of the PR and between a2d9a77 and 7a5b9ba.

⛔ Files ignored due to path filters (2)
  • api/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated.deepcopy.go
  • config/crd/bases/ols.openshift.io_olsconfigs.yaml is excluded by !config/crd/bases/**
📒 Files selected for processing (14)
  • .ai/spec/what/audit-logging.md
  • .ai/spec/what/crd-api.md
  • .ai/spec/what/templog.md
  • api/v1alpha1/olsconfig_types.go
  • api/v1alpha1/olsconfig_types_test.go
  • cmd/main.go
  • internal/controller/appserver/assets.go
  • internal/controller/appserver/assets_test.go
  • internal/controller/olsconfig_helpers.go
  • internal/controller/reconciler/interface.go
  • internal/controller/utils/constants.go
  • internal/controller/utils/resource_defaults_test.go
  • internal/controller/utils/testing.go
  • internal/controller/utils/types.go

Comment thread .ai/spec/what/crd-api.md
Comment thread .ai/spec/what/crd-api.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.ai/spec/what/crd-api.md:
- Around line 40-43: Make behavioral-rule numbering globally unique in
.ai/spec/what/crd-api.md: retain audit rules 54–57 at the anchor range 40-43,
renumber the status rules at sibling range 332-336 to continue after rule 57,
and update every dependent reference to the renumbered status rules.
- Around line 313-314: Update the configuration-surface entry near the MCP rule
reference to point to validation rules 51–52 instead of 49–50, leaving the
surrounding validation descriptions unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dc192671-c35c-4475-b2cf-fe20ae1b5a3d

📥 Commits

Reviewing files that changed from the base of the PR and between 7a5b9ba and 5035337.

📒 Files selected for processing (2)
  • .ai/spec/what/crd-api.md
  • api/v1alpha1/olsconfig_types.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • api/v1alpha1/olsconfig_types.go

Comment thread .ai/spec/what/crd-api.md
Comment thread .ai/spec/what/crd-api.md
@blublinsky blublinsky force-pushed the audit-crd-operator branch from 5035337 to 364c3b1 Compare July 14, 2026 13:59
@vimalk78

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 14, 2026

@vimalk78 vimalk78 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: OLS-3509 — pass (8/8 AC met)

Score: 100/100 | Mode: jira | Round 1

All acceptance criteria verified against the diff:

# Criterion Status
1 spec.audit redesigned (logging *bool, tracingEndpoint); old types/helpers removed PASS
2 spec.ols.auditEventsEnabled added PASS
3 spec.ols.deployment.otelCollector added PASS
4 make manifests / make generate update CRD and deepcopy PASS
5 App server always emits collector OTLP endpoint; stdout audit from auditEventsEnabled PASS
6 --otel-collector-image flag wired through reconciler interface PASS
7 Unit tests pass PASS
8 Design docs updated (templog.md, audit-logging.md, crd-api.md) PASS

Code quality: No issues found. Clean separation between collector-only spec.audit and service-only spec.ols.auditEventsEnabled. buildServiceAuditConfig() correctly hardwires the in-cluster collector endpoint with TLS. Image flag plumbing complete through the full reconciler interface chain.

@blublinsky

Copy link
Copy Markdown
Contributor Author

/override "ci/prow/bundle-e2e-4-21"
version mismatch

/approve

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: blublinsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2026
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

@blublinsky: Overrode contexts on behalf of blublinsky: ci/prow/bundle-e2e-4-21

Details

In response to this:

/override "ci/prow/bundle-e2e-4-21"
version mismatch

/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@blublinsky blublinsky changed the title OLS-3509 Redesign audit CRD and wire app-server OTEL to collector OLS-3509: Redesign audit CRD and wire app-server OTEL to collector Jul 14, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 14, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 14, 2026

Copy link
Copy Markdown

@blublinsky: This pull request references OLS-3509 which is a valid jira issue.

Details

In response to this:

Description

Summary
Redesigns OLSConfig audit configuration for the OTEL Collector epic (OLS-3505) and wires lightspeed-service audit settings accordingly.

  • CRD (spec.audit) — collector-only: logging (*bool, default true) and optional tracingEndpoint. Removes the old service-oriented audit.logging enum and audit.otel block.
  • CRD (spec.ols.auditEventsEnabled) — new *bool field (default true) for stdout compliance audit JSON.
  • CRD (spec.ols.deployment.otelCollector) — deployment overrides for the collector operand (consumed in OLS-3510).
  • App serverbuildServiceAuditConfig maps auditEventsEnabledolsconfig.yaml audit.logging; always sets OTLP export to lightspeed-otel-collector.<ns>.svc:4317 with TLS Secure. Does not read spec.audit.
  • Operator prep — adds --otel-collector-image flag and GetOtelCollectorImage() plumbing for the collector reconciler (OLS-3510).
  • Docs — updates .ai/spec/what/templog.md, audit-logging.md, and crd-api.md.

Out of scope (follow-up PRs)

  • Bundle PRmake bundle, CSV descriptors, related_images.json otel entry, deployment --otel-collector-image
  • OLS-3510+ — collector Deployment/Service/ConfigMap reconciler
  • OLS-3511 — Postgres templogs bootstrap
  • OLS-3512 — agentic pod OTLP log wiring

Type of change

  • Refactor
  • [ x] New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up dependent library

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • New Features

  • Added configurable OpenTelemetry Collector deployment settings, including its container image.

  • Added ols.auditEventsEnabled to control structured audit events on service stdout independently of collector behavior.

  • Added support for external trace forwarding via audit.tracingEndpoint, routed through the collector; in-cluster trace export is always configured.

  • Breaking Changes

  • Removed the previous service-era audit.logging/audit.otel configuration blocks and the spec.templog option.

  • Updated the audit config model (stdout audit vs collector behavior) and corresponding defaults/mapping behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD ef7f277 and 2 for PR HEAD 364c3b1 in total

@blublinsky

Copy link
Copy Markdown
Contributor Author

/override "ci/prow/bundle-e2e-4-21"
version mismatch

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown

@blublinsky: Overrode contexts on behalf of blublinsky: ci/prow/bundle-e2e-4-21

Details

In response to this:

/override "ci/prow/bundle-e2e-4-21"
version mismatch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown

@blublinsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 3d2f911 into openshift:main Jul 15, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants