feat: add distributed tracing (Jaeger) to local-setup

[crstrn13]

Summary

Implements #907 - Adds complete distributed tracing configuration to make local-setup for debugging control plane (operator) and data plane (gateway) flows locally.

Changes

1. Infrastructure Setup

Tools namespace (make/tools.mk):

• Parameterized namespace with TOOLS_NAMESPACE variable (default: tools)
• Helm install now uses --namespace $(TOOLS_NAMESPACE)
• Single source of truth for tools deployment

Tracing variables (make/vars.mk):

INSTALL_TRACING ?= true                  # Enable by default
TOOLS_NAMESPACE ?= tools                 # Tools deployment namespace
JAEGER_COLLECTOR_ENDPOINT ?= rpc://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317

2. Control Plane Tracing (kuadrant-operator)

New target (make/kuadrant.mk): configure-kuadrant-tracing-operator

• Patches operator deployment with OTEL environment variables:
  • OTEL_EXPORTER_OTLP_ENDPOINT=rpc://jaeger-collector.tools.svc.cluster.local:4317
  • OTEL_EXPORTER_OTLP_INSECURE=true
  • LOG_LEVEL=debug
• Waits for rollout to complete
• Traces reconciliation loops, policy processing, webhook calls

3. Data Plane Tracing (gateway/envoy)

New target (make/kuadrant.mk): configure-kuadrant-tracing-cr

• Patches Kuadrant CR with complete observability configuration:

spec:
  observability:
    enable: true
    dataPlane:
      defaultLevels:
        - debug: 'true'
      httpHeaderIdentifier: x-request-id
    tracing:
      defaultEndpoint: rpc://jaeger-collector.tools.svc.cluster.local:4317
      insecure: true

• Matches production template from helm-charts-olm

4. Istio Observability Configuration

New target (make/istio.mk): configure-istio-tracing

• Patches Istio CR with:
  • JSON access logs to stdout with 17 detailed fields
  • OpenTelemetry extension provider pointing to Jaeger
  • Enable tracing in mesh config
• Creates Telemetry resource with 100% sampling rate
• Matches production template from helm-charts-olm ossm3

Access log format includes:

• Request/response metadata (method, path, protocol, response_code)
• Performance metrics (duration, bytes_sent/received)
• Tracing correlation (request_id, x_forwarded_for)
• Routing information (upstream_host, upstream_cluster, route_name)

5. Deployment Flow

Updated (make/local-setup.mk):

1. Gateway provider install (istio/envoygateway)
2. deploy-testsuite-tools (Jaeger → tools namespace)
3. configure-istio-tracing (if INSTALL_TRACING=true AND Istio)
4. deploy-kuadrant-operator
5. deploy-kuadrant-cr
6. configure-kuadrant-tracing-operator (if INSTALL_TRACING=true)
7. configure-kuadrant-tracing-cr (if INSTALL_TRACING=true)

Key improvement: Tracing configuration happens AFTER Jaeger is deployed (no broken references)

6. Configuration & Documentation

Settings template (config/settings.local.yaml.tpl):

tracing:
  backend: "jaeger"
  collector_url: "rpc://jaeger-collector.tools.svc.cluster.local:4317"
  query_url: "http://jaeger-query.tools.svc.cluster.local:80"

Documentation (CLAUDE.md):

• New "Accessing Jaeger Tracing" section
• How to access Jaeger UI via port-forward
• How to run control plane and data plane tracing tests
• How to disable tracing

Test Plan

Verify OTEL env vars on operator

kubectl get deployment kuadrant-operator-controller-manager \
  -n kuadrant-system \
  -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="OTEL_EXPORTER_OTLP_ENDPOINT")].value}'
# Expected: rpc://jaeger-collector.tools.svc.cluster.local:4317

Verify Kuadrant CR tracing config

kubectl get kuadrant kuadrant-sample -n kuadrant-system -o yaml | grep -A 5 "tracing:"
# Expected:
#   tracing:
#     defaultEndpoint: rpc://jaeger-collector.tools.svc.cluster.local:4317
#     insecure: true

Verify Istio tracing config

kubectl get istio default -n istio-system -o yaml | grep -A 5 "extensionProviders"
kubectl get telemetry default-telemetry -n istio-system

Run tracing tests

# Control plane tracing tests (40 tests - currently skipped)
make testsuite/tests/singlecluster/tracing/control_plane/

# Data plane tracing tests (10 tests - currently skipped)
make testsuite/tests/singlecluster/tracing/data_plane_tracing/

# All observability tests
make observability

Access Jaeger UI

kubectl port-forward -n tools svc/jaeger-query 16686:80
# Open http://localhost:16686
# Run tests and verify traces appear for "kuadrant-operator" service

Expected Impact

Before:

• ❌ 40 control plane tracing tests skipped (no OTEL env vars)
• ❌ 10 data plane tracing tests skipped (no Kuadrant CR tracing config)
• ❌ Developers cannot debug reconciliation or request flows

After:

• ✅ ~50 tracing tests pass (not skip)
• ✅ Control plane traces: operator reconciliation loops, policy changes
• ✅ Data plane traces: HTTP requests through gateway/envoy
• ✅ JSON access logs for request debugging
• ✅ Local environment matches production observability setup

Configuration Options

Enable (default):

make local-setup  # Tracing enabled by default

Disable:

INSTALL_TRACING=false make local-setup

Custom tools namespace:

TOOLS_NAMESPACE=my-tools make local-setup

Technical Details

Endpoints:

• Control plane (operator): rpc://jaeger-collector.tools.svc.cluster.local:4317 (OTLP)
• Data plane (gateway): Same endpoint (OTLP)
• Jaeger query UI: http://jaeger-query.tools.svc.cluster.local:80

Tracing components:

• Jaeger collector: Port 4317 (OTLP gRPC)
• Jaeger query: Port 80 (HTTP UI)
• Both deployed via kuadrant-olm/tools-instances Helm chart

Sampling:

• Istio: 100% (randomSamplingPercentage: 100)
• Kuadrant: Configured via CR

Related

• Implements: feat: add tracing configuration to local-setup #907
• Depends on: Jaeger deployed by deploy-testsuite-tools
• Production template: https://github.com/Kuadrant/helm-charts-olm/blob/main/charts/kuadrant-instances/templates/kuadrant/01-kuadrant.yaml
• Istio config: https://github.com/Kuadrant/helm-charts-olm/tree/main/charts/kuadrant-instances/templates/ossm3

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Distributed tracing with Jaeger is deployed and enabled by default during local setup; access the Jaeger UI via kubectl port-forward
  • Tracing can be disabled with INSTALL_TRACING=false
  • Test utilities are deployed into a configurable tools namespace via TOOLS_NAMESPACE

• Documentation

  • Added comprehensive tracing setup guide and a “Tracing (Jaeger)” README section with deployment, access, testing and disable instructions

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR adds configurable Jaeger tracing to the local test environment: new Make variables and conditional logic, an Istio tracing configuration target, Kuadrant operator/CR tracing wiring, reordered local setup sequencing, and user-facing documentation.

Changes

Jaeger Tracing Setup for Kuadrant Test Suite

Layer / File(s)	Summary
Tracing Variables and Configuration Foundation make/vars.mk, config/settings.local.yaml.tpl	Defines TOOLS_NAMESPACE (default tools), INSTALL_TRACING (default true), and JAEGER_COLLECTOR_ENDPOINT; conditionally appends OTEL exporter settings and LOG_LEVEL to KUADRANT_OPERATOR_ENV_VARS when tracing is enabled. Updates the settings template to point the Jaeger query URL to the internal Kubernetes DNS endpoint.
Istio Mesh Tracing Configuration make/istio.mk	Introduces the new configure-istio-tracing Make target. Uses kubectl patch to configure the Istio default mesh for JSON access logging to /dev/stdout and enable tracing with extensionProviders for jaeger-otlp. Applies an Istio Telemetry resource to activate tracing via the jaeger-otlp provider with randomSamplingPercentage: 100.
Kuadrant Operator and CR Tracing Configuration make/kuadrant.mk	Extends deploy-kuadrant-operator to conditionally set OTEL exporter endpoint and insecure settings on the limitador-operator-controller-manager Deployment when INSTALL_TRACING is enabled. Extends deploy-kuadrant-cr to conditionally apply the Kuadrant custom resource with spec.observability (data plane debug defaults, httpHeaderIdentifier: x-request-id, and tracing defaultEndpoint) or an empty spec based on the INSTALL_TRACING flag.
Local Setup Orchestration and Flow Control make/local-setup.mk	Reorders the local-setup target to deploy testsuite tools (into $(TOOLS_NAMESPACE)) immediately after apply-additional-manifests. Conditionally invokes configure-istio-tracing when both INSTALL_TRACING and GATEWAYAPI_PROVIDER=istio are true; removes the previous later-in-sequence tool deployment.
Tracing Documentation README.md, .claude/rules/tracing-setup.md	Adds a "Tracing (Jaeger)" section to the README documenting default deployment, OTLP/gRPC trace destination, UI access via kubectl port-forward, test commands, and the INSTALL_TRACING=false override. Adds a detailed tracing setup guide covering configuration sources, endpoints, and operational commands.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hop through logs and spans all day,
I follow traces where requests stray,
Jaeger hums and catches the thread,
Kuadrant's paths are neatly led,
The rabbit cheers — observability's in play! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding distributed tracing with Jaeger to the local-setup process.
Description check	✅ Passed	The description is comprehensive and well-structured with clear sections covering changes, test plan, and configuration options, though it deviates slightly from the template structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cristu/issues/907

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

make/istio.mk (1)

35-36: Consider extracting the complex JSON patch for maintainability.

The single-line kubectl patch command at line 36 is very long and difficult to read or modify. Consider using a heredoc or external JSON file to improve maintainability.

Suggested refactor using heredoc

 	`@echo` "Configuring Istio for tracing with Jaeger..."
 	@# Patch Istio CR to add tracing extension provider and JSON access logs
-	`@kubectl` patch istio default -n istio-system --type=merge -p '{"spec":{"values":{"meshConfig":{"accessLogFile":"/dev/stdout","accessLogEncoding":"JSON","accessLogFormat":"{\"start_time\":\"%START_TIME%\",\"method\":\"%REQ(:METHOD)%\",\"path\":\"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\":\"%PROTOCOL%\",\"response_code\":\"%RESPONSE_CODE%\",\"response_flags\":\"%RESPONSE_FLAGS%\",\"bytes_received\":\"%BYTES_RECEIVED%\",\"bytes_sent\":\"%BYTES_SENT%\",\"duration\":\"%DURATION%\",\"upstream_service_time\":\"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\":\"%REQ(X-FORWARDED-FOR)%\",\"user_agent\":\"%REQ(USER-AGENT)%\",\"request_id\":\"%REQ(X-REQUEST-ID)%\",\"authority\":\"%REQ(:AUTHORITY)%\",\"upstream_host\":\"%UPSTREAM_HOST%\",\"upstream_cluster\":\"%UPSTREAM_CLUSTER%\",\"route_name\":\"%ROUTE_NAME%\"}","enableTracing":true,"defaultConfig":{"tracing":{}},"extensionProviders":[{"name":"jaeger-otlp","opentelemetry":{"port":4317,"service":"jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local"}}]}}}}'
+	`@kubectl` patch istio default -n istio-system --type=merge -p "$$( \
+		cat <<-EOF
+		{
+		  "spec": {
+		    "values": {
+		      "meshConfig": {
+		        "accessLogFile": "/dev/stdout",
+		        "accessLogEncoding": "JSON",
+		        "enableTracing": true,
+		        "defaultConfig": {"tracing": {}},
+		        "extensionProviders": [{
+		          "name": "jaeger-otlp",
+		          "opentelemetry": {
+		            "port": 4317,
+		            "service": "jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local"
+		          }
+		        }]
+		      }
+		    }
+		  }
+		}
+		EOF
+	)"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@make/istio.mk` around lines 35 - 36, The long single-line kubectl patch
command (the line invoking "kubectl patch istio default -n istio-system
--type=merge -p") embeds a large JSON payload (including keys like
accessLogFile, accessLogEncoding, accessLogFormat, enableTracing,
defaultConfig.tracing, and extensionProviders) which is hard to read and
maintain; extract that JSON into a separate, well-formatted artifact (either a
checked-in JSON/YAML file or a heredoc block) and update the kubectl invocation
to read the payload from that source (e.g., pass the file contents or heredoc
output into the -p argument), ensuring the accessLogFormat and
extensionProviders JSON remains valid and quoting is preserved.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CLAUDE.md`:
- Around line 78-81: The docs and implementation disagree on Jaeger OTLP port:
update either the documentation text or the default JAEGER_COLLECTOR_ENDPOINT so
they match; specifically, change the documentation line that claims traces are
sent to port 4318 to reflect port 4317, or change the default value of
JAEGER_COLLECTOR_ENDPOINT (in make/vars.mk) to use 4318 if you intend to use
OTLP/HTTP. Locate the symbol JAEGER_COLLECTOR_ENDPOINT and the doc text
"Operator sends traces to jaeger-collector.tools.svc.cluster.local:4318" and
make them consistent (pick 4317 for OTLP/gRPC or 4318 for OTLP/HTTP) and update
any related README/CLAUDE.md references accordingly.

In `@make/vars.mk`:
- Around line 42-44: The JAEGER_COLLECTOR_ENDPOINT default uses an unsupported
"rpc://" scheme; update the JAEGER_COLLECTOR_ENDPOINT variable to use an http or
https scheme (e.g., change JAEGER_COLLECTOR_ENDPOINT ?= rpc://... to
JAEGER_COLLECTOR_ENDPOINT ?=
http://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317) so the
OpenTelemetry OTLP exporter accepts the endpoint; ensure any related logic that
reads JAEGER_COLLECTOR_ENDPOINT continues to work with the http/https URL.

---

Nitpick comments:
In `@make/istio.mk`:
- Around line 35-36: The long single-line kubectl patch command (the line
invoking "kubectl patch istio default -n istio-system --type=merge -p") embeds a
large JSON payload (including keys like accessLogFile, accessLogEncoding,
accessLogFormat, enableTracing, defaultConfig.tracing, and extensionProviders)
which is hard to read and maintain; extract that JSON into a separate,
well-formatted artifact (either a checked-in JSON/YAML file or a heredoc block)
and update the kubectl invocation to read the payload from that source (e.g.,
pass the file contents or heredoc output into the -p argument), ensuring the
accessLogFormat and extensionProviders JSON remains valid and quoting is
preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0131b018-c2a7-4ee2-8208-4a58fbca094a

📥 Commits

Reviewing files that changed from the base of the PR and between d6450a3 and dd8fb42.

📒 Files selected for processing (7)

• CLAUDE.md
• config/settings.local.yaml.tpl
• make/istio.mk
• make/kuadrant.mk
• make/local-setup.mk
• make/tools.mk
• make/vars.mk

[silvi-t]

The OTEL env vars for the limitador-operator are missing. Without these, the limitador-operator service won't appear in Jaeger. You can check the helm-charts-olm post-install hook in charts/kuadrant-instances/templates/_helpers.tpl to see how it's done there.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

make/vars.mk (1)

42-44: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use an OTLP-compatible scheme for JAEGER_COLLECTOR_ENDPOINT.

Line 44 sets rpc://..., which is likely unsupported for OTEL_EXPORTER_OTLP_ENDPOINT. Because this value is re-used later (for example Line 47), trace export can fail across multiple components.

🔧 Proposed fix

-JAEGER_COLLECTOR_ENDPOINT ?= rpc://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317
+JAEGER_COLLECTOR_ENDPOINT ?= http://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317

For OpenTelemetry OTLP exporter configuration, what URL schemes are valid for OTEL_EXPORTER_OTLP_ENDPOINT, and is rpc:// supported?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@make/vars.mk` around lines 42 - 44, The JAEGER_COLLECTOR_ENDPOINT currently
uses an unsupported "rpc://" scheme for OTLP; update JAEGER_COLLECTOR_ENDPOINT
to use an OTLP-compatible URL scheme (e.g., "http://" or "https://") so
OTEL_EXPORTER_OTLP_ENDPOINT and any components that reuse this variable can
successfully export traces; change the value of JAEGER_COLLECTOR_ENDPOINT (and
any references to it) to a proper URL like
"http://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317" or use
"https://" if TLS is required, and ensure INSTALL_TRACING remains unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@make/kuadrant.mk`:
- Around line 35-38: The patch hardcodes the OTEL collector endpoint in the
kubectl env command for deployment/limitador-operator-controller-manager by
setting OTEL_EXPORTER_OTLP_ENDPOINT to the in-cluster URL; change this to use
the JAEGER_COLLECTOR_ENDPOINT variable (with a sensible fallback if needed) so
overrides take effect, i.e., replace the hardcoded URL with
$(JAEGER_COLLECTOR_ENDPOINT) (or
${JAEGER_COLLECTOR_ENDPOINT:-http://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4318})
while keeping OTEL_EXPORTER_OTLP_INSECURE intact and still using
KUADRANT_NAMESPACE and TOOLS_NAMESPACE variables.

---

Duplicate comments:
In `@make/vars.mk`:
- Around line 42-44: The JAEGER_COLLECTOR_ENDPOINT currently uses an unsupported
"rpc://" scheme for OTLP; update JAEGER_COLLECTOR_ENDPOINT to use an
OTLP-compatible URL scheme (e.g., "http://" or "https://") so
OTEL_EXPORTER_OTLP_ENDPOINT and any components that reuse this variable can
successfully export traces; change the value of JAEGER_COLLECTOR_ENDPOINT (and
any references to it) to a proper URL like
"http://jaeger-collector.$(TOOLS_NAMESPACE).svc.cluster.local:4317" or use
"https://" if TLS is required, and ensure INSTALL_TRACING remains unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 40a93e88-a354-4ea0-b17e-745d87693c2f

📥 Commits

Reviewing files that changed from the base of the PR and between 0b3d881 and 21c74b1.

📒 Files selected for processing (7)

• .claude/rules/tracing-setup.md
• README.md
• config/settings.local.yaml.tpl
• make/istio.mk
• make/kuadrant.mk
• make/local-setup.mk
• make/vars.mk

✅ Files skipped from review due to trivial changes (3)

• .claude/rules/tracing-setup.md
• README.md
• config/settings.local.yaml.tpl

🚧 Files skipped from review as they are similar to previous changes (1)

• make/istio.mk

[silvi-t]

LGTM