chore: harden deployment and tracing

Author: haasonsaas

.github/workflows/ci.yml

@@ -22,11 +22,13 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          cache: true
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
 
       - name: Install Go tools
         run: |
@@ -35,6 +37,7 @@ jobs:
 
       - name: Install Python tools
         run: |
+          pip install --upgrade pip
           pip install black flake8 isort mypy
 
       - name: Check Go formatting
@@ -84,14 +87,17 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          cache: true
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
 
       - name: Install Python dependencies
         run: |
+          pip install --upgrade pip
           pip install -r app/requirements.txt
           pip install pytest pytest-cov
 

cmd/inventory/main.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/EvalOps/keep/pkg/secrets"
+	"github.com/EvalOps/keep/pkg/telemetry"
 	serverpkg "github.com/EvalOps/keep/services/inventory/server"
 )
 
@@ -33,12 +34,22 @@ func main() {
 		RequireMTLS: envOrDefault("INVENTORY_REQUIRE_MTLS", "false") == "true",
 	}
 
+	ctx := context.Background()
+	if err := telemetry.Init(ctx, telemetry.Config{
+		Endpoint:    os.Getenv("OTEL_EXPORTER_OTLP_ENDPOINT"),
+		Insecure:    os.Getenv("OTEL_EXPORTER_OTLP_INSECURE") == "true",
+		ServiceName: "inventory",
+		Environment: envOrDefault("APP_ENV", "development"),
+	}); err != nil {
+		log.Printf("telemetry init failed: %v", err)
+	}
+
 	srv, err := serverpkg.NewServer(cfg)
 	if err != nil {
 		log.Fatalf("init inventory: %v", err)
 	}
 
-	if err := srv.Start(context.Background()); err != nil {
+	if err := srv.Start(ctx); err != nil {
 		log.Fatalf("inventory exit: %v", err)
 	}
 }

deploy/kubernetes/app-deployment.yaml

@@ -15,5 +15,32 @@ spec:
       containers:
         - name: keep-app
           image: ghcr.io/example/app:latest
+          env:
+            - name: APP_ENV
+              valueFrom:
+                configMapKeyRef:
+                  name: keep-config
+                  key: APP_ENV
+            - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              value: "http://otel-collector:4318"
           ports:
             - containerPort: 5000
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "64Mi"
+            limits:
+              cpu: "250m"
+              memory: "128Mi"

deploy/kubernetes/authz-deployment.yaml

@@ -15,5 +15,42 @@ spec:
       containers:
         - name: authz
           image: ghcr.io/example/authz:latest
+          env:
+            - name: OPA_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: keep-config
+                  key: OPA_URL
+            - name: INVENTORY_API
+              valueFrom:
+                configMapKeyRef:
+                  name: keep-config
+                  key: INVENTORY_API
+            - name: GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: keep-secrets
+                  key: google_client_id
           ports:
             - containerPort: 8443
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8443
+            scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8443
+            scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: "150m"
+              memory: "128Mi"
+            limits:
+              cpu: "400m"
+              memory: "256Mi"

deploy/kubernetes/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keep-config
+data:
+  OPA_URL: http://opa:8181
+  INVENTORY_API: http://inventory:8080
+  APP_ENV: production

deploy/kubernetes/inventory-deployment.yaml

@@ -15,5 +15,32 @@ spec:
       containers:
         - name: inventory
           image: ghcr.io/example/inventory:latest
+          env:
+            - name: INVENTORY_ADDR
+              value: ":8080"
+            - name: APP_ENV
+              valueFrom:
+                configMapKeyRef:
+                  name: keep-config
+                  key: APP_ENV
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+            limits:
+              cpu: "300m"
+              memory: "256Mi"
           ports:
             - containerPort: 8080

deploy/kubernetes/kustomization.yaml

@@ -2,3 +2,5 @@ resources:
   - authz-deployment.yaml
   - inventory-deployment.yaml
   - app-deployment.yaml
+  - configmap.yaml
+  - secret.yaml

deploy/kubernetes/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keep-secrets
+type: Opaque
+stringData:
+  google_client_id: ""

go.mod

@@ -17,6 +17,8 @@ require (
 	github.com/jackc/pgx/v5 v5.7.6
 	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/zerolog v1.34.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0
+	go.opentelemetry.io/otel v1.38.0
 	tailscale.com v1.68.0
 )
 

pkg/telemetry/http.go

@@ -4,13 +4,16 @@ import (
 	"net/http"
 
 	"github.com/go-chi/chi/v5"
-	ogchi "go.opentelemetry.io/contrib/instrumentation/github.com/go-chi/chi/otelchi"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/propagation"
 )
 
 // InstrumentRouter attaches otel middleware to chi routers.
 func InstrumentRouter(r chi.Router, service string) {
-	r.Use(ogchi.Middleware(service, ogchi.WithChiRoutes(true)))
+	r.Use(func(next http.Handler) http.Handler {
+		return otelhttp.NewHandler(next, service, otelhttp.WithTracerProvider(otel.GetTracerProvider()), otelhttp.WithPropagators(globalPropagator()))
+	})
 }
 
 // WrapClient ensures outgoing requests are traced.
@@ -22,6 +25,10 @@ func WrapClient(c *http.Client) *http.Client {
 	if base == nil {
 		base = http.DefaultTransport
 	}
-	c.Transport = otelhttp.NewTransport(base)
+	c.Transport = otelhttp.NewTransport(base, otelhttp.WithTracerProvider(otel.GetTracerProvider()), otelhttp.WithPropagators(globalPropagator()))
 	return c
 }
+
+func globalPropagator() propagation.TextMapPropagator {
+	return otel.GetTextMapPropagator()
+}