Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
release/v2.6.x
main
dependabot/github_actions/ci-3649212e03
conform-k8s-1.33
rfc-external-artifact
release/v2.5.x
release/v2.4.x
remove-notation-validation
release/v2.3.x
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.6.1
v2.6.0
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a4cf8ed61d'
${ noResults }
flux2/rfcs/0011-opentelemetry-tracing/README.md

10 KiB
Raw Blame History Unescape Escape

RFC-0011: OpenTelemetry Tracing

Status: provisional

Creation date: 2025-04-24

Last update: YYYY-MM-DD

Summary

The aim is to collect traces via OpenTelemetry across all Flux related objects, such as HelmReleases, Kustomizations and among others. These may be sent towards a tracing provider where are going to be stored and visualized. Thereby, this may involve a new API definition obj called Trace, which may be capable of linking all the EventSources and send them out to a reusable tracing Provider. In this way, it could facilitate the observability and monitoring of Flux related objects.

Motivation

This RFC was born out of a need for end-to-end visibility into Fluxs multi-controller GitOps workflow. At the time Flux was one monolithic controller; it has since split into several specialized controllers (source-, kustomize-, helm-, notification-, etc.), which makes tracing the path of a single “Git change → applied resource → notification” much harder.

Correlate a Git commit with all downstream actions. You want one single trace that shows:

  • The Source Controller pulling and applying the new YAML.
  • Any Kustomize or Helm reconciliations that ran.
  • Events emitted and notifications sent by the Notification Controller.

On top of this, can be built custom UIs that surface trace timelines alongside Git commit or Docker image tags, so operators can say “what exactly happened when I tagged v1.2.3?” in a single pane of glass.

By extending Fluxs CRD objects, users can manage tracing settings (sampling rates, backends, object filters). Therefore, users may not have to implement tools/sidecars around to maintain.

Goals

  • End-to-end GitOps traceability: Capture the traces that follows a Git change through all Flux controllers for simply debugging and root-cause analysis.
  • Declarative, CRD-drive configuration: Reuse the concept of Provider and a similar definition as Alerts to build a new API/CR called Trace. Therefore, users can link EventSources and Provider where trace will be sent. Additionally, other setting can be set as sampling rates.
  • Notification Controller as the trace-collector: Leverage the notification-controller's existing event watching pipeline to ingest reconciliation events and turn me into OpenTelemetry spans, being forwarwed to an OLTP-compatible backend - Provider.
  • Cross-controller span correlation: Ensure spans are emitted from multiple, stateless controller can be stiched together into a single trace by using Flux "revision" annotation (GitRepository sync to a downstream Kustomization/HelmRelease reconciliations).

Non-Goals

  • Not a full-tracing backend: We won't build or bundle a storage/visualization system. Users may have to still rely on a external collector for long-term retention, querying and UI.
  • Not automatic instrumentation of user workloads: This integration only captures FluxCd controller events (Source, Kustomize, Helm, etc.). It won't auto-inject spans into your application pods or third-party controllers running in the same cluster.
  • Not a replacement for metrics or logs: Flux's existing Prometheus metrics and structural logging remain the primary way to monitor performance and errors. Tracing is purely for request-flow visibility, not for time-series monitoring or log aggregation.
  • No deep-code lelve spans beyond CRUD events: Will emit spans around high-level reconciliation steps (e.g. "reconcile GitRepository", "dispatch Notification"), but we're not aiming to instrument every internal function call or library method within each controller.
  • Not a service mesh integration: It's not plan of the scope tieing this into Istio, Linkerd, or other mesh-sidecar approaches. It's strictly a controller-drive, CRD-based model.
  • No per-span custom enrichment beyond basic metadata: While Trace CRD will let you filter which Flux object kinds to trace (EventSources), it won't support (at least initially) complex span attributes or tag-enrichment rules. You may have to handle those in your downstream collector/processor if needed.
  • Not a replacement for user-driven OpenTelemetry SDKs: If you already have a Go-based operator that embed OpenTelemetry's SDK directly, this feature won't override or duplicate that. Think about it as a complementary, declrartive layer for flux controllers.

Proposal

Add a new Trace custom definition in Flux's notification-controller. Under this, there is a conjuntion of: EventSources Flux's related objects to get the traces on and Provider external system where all the traces are going to be sent towards.

Additionally, as part of the Provider, we may have to onboard new type(s) to tackle OLTP compliant systems.

User Stories

Story 1

As a cluster administrator, I want to see everything that happened since a git change occurred in a single trace. All the applied yaml files in Source Controller, notifications that went out to Notifications Controller, all the HelmReleases that were applied in Helm-Controller, Kustomize Controller, etc...

For instance, having the following setup:

apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Provider
metadata:
  name: jaeger
  namespace: default
spec:
  type: jaeger
  address: http://jaeger-collector.jaeger-system.svc.cluster.local:9411
  secretRef:
    name: jaeger-secret
---
apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Trace
metadata:
  name: webapp
  namespace: default
spec:
  providerRef: 
    name: jaeger
  eventSources:
    - kind: Kustomization
      name: webapp-backend
    - kind: HelmRelease
      name: webapp-frontend

Story 2

I want to build a UI using trace data to track release changes and integrate deeply with a Git commit/tag, a Docker image tag, and the GOTK flow of operations

Alternatives

  • Addition of a new Provider type to "onboard" OLTP-compliant systems. Could be adressed in generic way, just adding a new type to tackle them all or adding specific integrations for the most relevant ones: Jaeger & Zipkin.

Design Details

Adding a new API Trace on Flux to manage the link between Provider (where the traces are going to be sent) and EventSources (Flux's related objects part of the "tracing chain").

Example of Trace customresource alongside the Provider:

apiVersion: notification.toolkit.fluxcd.io/v1
kind: Trace
metadata:
  name: webapp
  namespace: default
spec:
  providerRef: 
    name: jaeger
  eventSources:
    - kind: Kustomization
      name: webapp-backend
    - kind: HelmRelease
      name: webapp-frontend
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Provider
metadata:
  name: jaeger
  namespace: default
spec:
  type: jaeger
  address: http://jaeger-collector.jaeger-system.svc.cluster.local:9411
  secretRef:
    name: jaeger-secret

The user will be able to define a Flux Trace custom resource and deploy it to the cluster. The trace may rely on revision annotation as the correlation key due to every Flux reconciliation writes the same source.toolkit.fluxcd.io/reconcile-revision annotation onto the object (and is emitted on its Event). That revision string (e.g. a Git commit SHA) is your trace ID surrogate. Therefore, if Source Controller emits an event for GitRepository with revision = SHA123, later on Kustomize Controller will emit another event for Kustomization with the same revision = SHA123.

In this way, rather than trying to carry a live span context through controller A -> API server -> controller B:

  1. Watch Flux Events.
  2. Group them by event.objectRef.kind + revision. Hence, based on EventSources field:
    • First time you see GitRepository@SHA123, spawn a root span with traceID = hash(SHA123).
    • When you see Kustomization@SHA123, spawn a child span (parent = root) in that same trace.
    • And so on for HelmRelease@SHA123, Notification@SHA123, etc.
  3. Subsequently, it may generate the following parent/child relationship:
root span:      “reconcile GitRepository SHA123”      (spanID = H1)
  ↳ child span: “reconcile Kustomization foo”        (spanID = H2, parent = H1)
      ↳ child span: “reconcile HelmRelease bar”     (spanID = H3, parent = H2)

However, in order to make this design work, we need to ensure each controller:

  • Emits its normal Kubernetes Event with the revision annotation (already built-in).
  • Optionally tags the Event with flux.event.type and timestamp (they already do).

About sending the traces, Provider customresource is going to be reused as the target external system where all the traces are going to be sent towards, based on each Trace customresource definition. Thus, as most of the already existing providers are non-OLTP compliant, there is an open point about either add a new generic type to handle all OLTP's external systems or add a specific ones for the most relevant ones. Anyhow, the user should be completely agnostic about this point, because Provider customresource definition may not differ much from the already existing ones.

Implementation History