[LFXV2-612] Add OpenTelemetry tracing support

charts/lfx-v2-access-check/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-access-check
 description: LFX Platform V2 Access Check Service chart
 type: application
-version: 0.2.5
+version: 0.2.6
 appVersion: "0.1.0"

charts/lfx-v2-access-check/templates/deployment.yaml

@@ -38,6 +38,49 @@ spec:
               value: "{{ .Values.nats.url }}"
             - name: JWKS_URL
               value: "{{ .Values.heimdall.jwks_url }}"
+            {{- with .Values.app.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- if .Values.app.otel.serviceName }}
+            - name: OTEL_SERVICE_NAME
+              value: {{ .Values.app.otel.serviceName | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.serviceVersion }}
+            - name: OTEL_SERVICE_VERSION
+              value: {{ .Values.app.otel.serviceVersion | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.endpoint }}
+            - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              value: {{ .Values.app.otel.endpoint | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.protocol }}
+            - name: OTEL_EXPORTER_OTLP_PROTOCOL
+              value: {{ .Values.app.otel.protocol | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.insecure }}
+            - name: OTEL_EXPORTER_OTLP_INSECURE
+              value: {{ .Values.app.otel.insecure | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.tracesExporter }}
+            - name: OTEL_TRACES_EXPORTER
+              value: {{ .Values.app.otel.tracesExporter | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.tracesSampleRatio }}
+            - name: OTEL_TRACES_SAMPLE_RATIO
+              value: {{ .Values.app.otel.tracesSampleRatio | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.metricsExporter }}
+            - name: OTEL_METRICS_EXPORTER
+              value: {{ .Values.app.otel.metricsExporter | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.logsExporter }}
+            - name: OTEL_LOGS_EXPORTER
+              value: {{ .Values.app.otel.logsExporter | quote }}
+            {{- end }}
+            {{- if .Values.app.otel.propagators }}
+            - name: OTEL_PROPAGATORS
+              value: {{ .Values.app.otel.propagators | quote }}
+            {{- end }}
           {{- if .Values.app.resources }}
           resources:
             {{- toYaml .Values.app.resources | nindent 12 }}

charts/lfx-v2-access-check/values.yaml

@@ -33,6 +33,46 @@ app:
       cpu: 100m
       memory: 128Mi
 
+  # extraEnv allows injecting additional environment variables into the container.
+  # Supports both simple key-value pairs and Kubernetes field references.
+  # These are rendered BEFORE OTEL variables, allowing use in OTEL configuration.
+  extraEnv: []
+
+  # otel is the configuration for OpenTelemetry tracing
+  otel:
+    # serviceName is the service name for OpenTelemetry resource identification
+    # (default: "lfx-v2-access-check")
+    serviceName: ""
+    # serviceVersion is the service version for OpenTelemetry resource identification
+    # (default: "1.0.0")
+    serviceVersion: ""
+    # protocol specifies the OTLP protocol: "grpc" or "http"
+    # (default: "grpc")
+    protocol: "grpc"
+    # endpoint is the OTLP collector endpoint
+    # For gRPC: typically "host:4317", for HTTP: typically "host:4318"
+    endpoint: ""
+    # insecure disables TLS for the OTLP connection
+    # Set to "true" for in-cluster communication without TLS
+    insecure: "false"
+    # tracesExporter specifies the traces exporter: "otlp" or "none"
+    # (default: "none")
+    tracesExporter: "none"
+    # tracesSampleRatio specifies the sampling ratio for traces (0.0 to 1.0)
+    # A value of 1.0 means all traces are sampled, 0.5 means 50% are sampled
+    # (default: "1.0")
+    tracesSampleRatio: "1.0"
+    # metricsExporter specifies the metrics exporter: "otlp" or "none"
+    # (default: "none")
+    metricsExporter: "none"
+    # logsExporter specifies the logs exporter: "otlp" or "none"
+    # (default: "none")
+    logsExporter: "none"
+    # propagators specifies the context propagators to use
+    # Comma-separated list: "tracecontext", "baggage", "jaeger"
+    # (default: "tracecontext,baggage")
+    propagators: "tracecontext,baggage,jaeger"
+
 # HTTP routing configuration
 traefik:
   enabled: true

cmd/lfx-access-check/main.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/linuxfoundation/lfx-v2-access-check/internal/infrastructure/config"
 	"github.com/linuxfoundation/lfx-v2-access-check/pkg/log"
+	"github.com/linuxfoundation/lfx-v2-access-check/pkg/utils"
 )
 
 func init() {
@@ -24,11 +25,25 @@ func main() {
 	// Load configuration with CLI flags and environment variables
 	cfg := config.LoadConfig()
 
+	// Set up OpenTelemetry SDK.
+	ctx := context.Background()
+	otelConfig := utils.OTelConfigFromEnv()
+	otelShutdown, err := utils.SetupOTelSDKWithConfig(ctx, otelConfig)
+	if err != nil {
+		slog.Error("error setting up OpenTelemetry SDK", "error", err)
+		os.Exit(1)
+	}
+	defer func() {
+		if shutdownErr := otelShutdown(context.Background()); shutdownErr != nil {
+			slog.Error("error shutting down OpenTelemetry SDK", "error", shutdownErr)
+		}
+	}()
+
 	// Setup signal handling for graceful shutdown
 	sigChan := make(chan os.Signal, 1)
 	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
 	go func() {

cmd/lfx-access-check/server.go

@@ -18,6 +18,7 @@ import (
 	"github.com/linuxfoundation/lfx-v2-access-check/internal/middleware"
 	"github.com/linuxfoundation/lfx-v2-access-check/pkg/constants"
 
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"goa.design/clue/debug"
 	goahttp "goa.design/goa/v3/http"
 )
@@ -97,6 +98,9 @@ func handleHTTPServer(ctx context.Context, cfg *config.Config, endpoints *access
 		if cfg.Debug {
 			handler = debug.HTTP()(handler)
 		}
+
+		// Wrap the handler with OpenTelemetry instrumentation
+		handler = otelhttp.NewHandler(handler, "access-check")
 	}
 
 	// Create HTTP server

go.mod

@@ -8,22 +8,42 @@ go 1.24.0
 require (
 	github.com/auth0/go-jwt-middleware/v2 v2.2.2
 	github.com/nats-io/nats.go v1.37.0
+	github.com/remychantenay/slog-otel v1.3.4
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.39.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.15.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.15.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.36.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.36.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0
+	go.opentelemetry.io/otel/log v0.15.0
+	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk/log v0.15.0
+	go.opentelemetry.io/otel/sdk/metric v1.39.0
 	goa.design/goa/v3 v3.21.5
 )
 
+require (
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
+)
+
 require (
 	github.com/aws/smithy-go v1.22.3 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 // indirect
 	github.com/go-chi/chi/v5 v5.2.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/gohugoio/hashstructure v0.5.0 // indirect
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3 // indirect
@@ -32,14 +52,21 @@ require (
 	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/otel v1.39.0
+	go.opentelemetry.io/otel/trace v1.39.0
 	goa.design/clue v1.2.1
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/crypto v0.44.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )