Skip to content

Add telemetry-to-caas kind for CaaS (Collector as a Service) support#436

Open
vkozyura wants to merge 14 commits into
mainfrom
feature/caas-support
Open

Add telemetry-to-caas kind for CaaS (Collector as a Service) support#436
vkozyura wants to merge 14 commits into
mainfrom
feature/caas-support

Conversation

@vkozyura

Copy link
Copy Markdown
Contributor
  • Add telemetry-to-caas kind definition in package.json
  • Add getCredsForCaaS() to extract credentials from caas-service binding
  • Add augmentCaaSCreds() to configure OTLP endpoint URL
  • Handle CaaS in tracing and metrics exporters

Note: CaaS requires mTLS authentication with SAP-signed certificates. The certificate must be obtained separately via BTP Certificate Service.

- Add telemetry-to-caas kind definition in package.json
- Add getCredsForCaaS() to extract credentials from caas-service binding
- Add augmentCaaSCreds() to configure OTLP endpoint URL
- Handle CaaS in tracing and metrics exporters

Note: CaaS requires mTLS authentication with SAP-signed certificates.
The certificate must be obtained separately via BTP Certificate Service.

@hyperspace-insights hyperspace-insights Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR is generally well-structured, but has one logic bug: when only a gRPC OTLP endpoint is present in the CaaS binding, credentials.url is set to undefined (the falsy http value), silently breaking the exporter. Please address the flagged issues before merging.

PR Bot Information

Version: 1.26.5

  • Event Trigger: pull_request.opened
  • LLM: anthropic--claude-4.6-sonnet
  • Correlation ID: be7942dc-b11a-457c-a83d-2aafac5eb2c3
  • File Content Strategy: Full file content

Comment thread lib/utils.js
Comment thread lib/utils.js
Comment thread lib/tracing/index.js Outdated
Comment thread lib/utils.js Fixed
Comment thread lib/utils.js Fixed
Comment thread lib/utils.js Fixed
This file should not be committed to the feature branch.
- Pass httpAgentOptions to OTLP exporter config as agentOptions
- Add debug logging to verify cert is being passed
- Remove monkey-patching of https.request (didn't work due to OTEL instrumentation)
The OTLP HTTP exporter expects 'httpAgentOptions' in the config,
not 'agentOptions'. This was causing the cert/key to be ignored.
When config.url is provided, OTLP exporter uses it as-is without
appending the signal resource path. CaaS binding provides base URL
without path, so we need to append /v1/traces and /v1/metrics.
@vkozyura vkozyura marked this pull request as ready for review June 30, 2026 12:41
@vkozyura vkozyura requested a review from sjvans June 30, 2026 12:41
@hyperspace-insights

Copy link
Copy Markdown
Contributor

Summary

The following content is AI-generated and provides a summary of the pull request:


Add telemetry-to-caas Kind for CaaS (Collector as a Service) Support

New Features

✨ Introduces a new telemetry-to-caas predefined kind that enables exporting traces and metrics to CaaS (Collector as a Service) — a managed OpenTelemetry Collector that can route telemetry to downstream backends like SAP Cloud Logging. The integration uses OTLP HTTP/protobuf and supports mTLS authentication with SAP-signed certificates.

Changes

  • package.json: Added the telemetry-to-caas kind definition with caas-service VCAP binding label, mtls_service_pattern default (caas-mtls|caas-cert), and OTLP protobuf exporters for both traces and metrics.
  • lib/utils.js: Added getCredsForCaaSMtls() to locate mTLS credentials from a user-provided VCAP service matching the configured pattern, and augmentCaaSCreds() to extract the OTLP HTTP endpoint and configure httpAgentOptions (cert/key) for mTLS. Both functions are exported.
  • lib/tracing/index.js: Imported augmentCaaSCreds and added a to-caas handler that applies CaaS credentials, sets OTEL_EXPORTER_OTLP_ENDPOINT, and configures the trace exporter URL (/v1/traces) with mTLS agent options.
  • lib/metrics/index.js: Imported augmentCaaSCreds and added a to-caas handler that applies CaaS credentials, sets OTEL_EXPORTER_OTLP_ENDPOINT, and configures the metrics exporter URL (/v1/metrics) with mTLS agent options.
  • README.md: Added telemetry-to-caas to the table of contents, updated predefined kinds count to six, and added a dedicated section documenting setup steps including mTLS certificate binding and user-provided service configuration.
  • CHANGELOG.md: Added entry for telemetry-to-caas kind support.
  • test/caas.test.js: Added unit tests for augmentCaaSCreds covering URL extraction, mTLS option setup, error on missing OTLP endpoint, idempotency guard, and missing mTLS credentials scenario.

  • 🔄 Regenerate and Update Summary
  • ✏️ Insert as PR Description (deletes this comment)
  • 🗑️ Delete comment
PR Bot Information

Version: 1.26.11

  • Event Trigger: pull_request.ready_for_review
  • Output Template: Default Template
  • Correlation ID: 66d6ae55-ae8a-46ec-9f81-f076100fcf4a
  • LLM: anthropic--claude-4.6-sonnet
  • Summary Prompt: Default Prompt
  • File Content Strategy: Full file content

@hyperspace-insights hyperspace-insights Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR adds the telemetry-to-caas kind with reasonable structure, but there are several correctness issues that need attention: the shared OTEL_EXPORTER_OTLP_ENDPOINT env var is clobbered by both signal exporters (traces and metrics overwrite each other), invalid base64 mTLS data is silently accepted before failing at TLS handshake time, and an unsanitised user-provided regex pattern can crash the process at startup.

PR Bot Information

Version: 1.26.11

  • LLM: anthropic--claude-4.6-sonnet
  • Event Trigger: pull_request.ready_for_review
  • Correlation ID: 66d6ae55-ae8a-46ec-9f81-f076100fcf4a
  • File Content Strategy: Full file content

Comment thread lib/utils.js
Comment on lines +168 to +181
try {
const cert = Buffer.from(mtlsCreds.cert, 'base64').toString('utf-8')
const key = Buffer.from(mtlsCreds.key, 'base64').toString('utf-8')

// Store the mTLS options for the exporter's httpAgentOptions
// The OTLP HTTP exporter will create an https.Agent with these options
credentials.httpAgentOptions = {
cert: cert,
key: key,
keepAlive: true
}
} catch (err) {
LOG._error && LOG.error('Failed to configure CaaS mTLS:', err.message)
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Buffer.from(..., 'base64').toString('utf-8') does not throw on invalid base64 input — it silently produces garbage bytes. If the mTLS setup error is then swallowed by the catch, the exporter will be configured with a corrupt certificate and will fail at connection time with a cryptic TLS error instead of a clear startup message.

Suggested change
try {
const cert = Buffer.from(mtlsCreds.cert, 'base64').toString('utf-8')
const key = Buffer.from(mtlsCreds.key, 'base64').toString('utf-8')
// Store the mTLS options for the exporter's httpAgentOptions
// The OTLP HTTP exporter will create an https.Agent with these options
credentials.httpAgentOptions = {
cert: cert,
key: key,
keepAlive: true
}
} catch (err) {
LOG._error && LOG.error('Failed to configure CaaS mTLS:', err.message)
}
const certRaw = Buffer.from(mtlsCreds.cert, 'base64').toString('utf-8')
const keyRaw = Buffer.from(mtlsCreds.key, 'base64').toString('utf-8')
if (!certRaw.includes('-----BEGIN') || !keyRaw.includes('-----BEGIN')) {
throw new Error('Decoded mTLS cert or key does not appear to be valid PEM data')
}
// Store the mTLS options for the exporter's httpAgentOptions
// The OTLP HTTP exporter will create an https.Agent with these options
credentials.httpAgentOptions = {
cert: certRaw,
key: keyRaw,
keepAlive: true
}
} catch (err) {
LOG._error && LOG.error('Failed to configure CaaS mTLS:', err.message)

Double-check suggestion before committing. Edit this comment for amendments.


Please provide feedback on the review comment by checking the appropriate box:

  • 🌟 Awesome comment, a human might have missed that.
  • ✅ Helpful comment
  • 🤷 Neutral
  • ❌ This comment is not helpful

Comment thread lib/tracing/index.js
if (!credentials) throw new Error('No CaaS credentials found. Make sure the app is bound to a caas-service instance.')
augmentCaaSCreds(credentials)
// Set OTLP env vars to binding credentials (prevents stale env values from taking precedence)
process.env.OTEL_EXPORTER_OTLP_ENDPOINT = credentials.baseUrl

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: process.env.OTEL_EXPORTER_OTLP_ENDPOINT is set to credentials.baseUrl (the path-less base URL) even though config.url is immediately set to the full /v1/traces URL. This env var mutation persists for the entire process lifetime and will be read by any subsequently initialised OTLP exporter (e.g. the metrics exporter called right after this), overwriting it again with the metrics-scoped base URL and potentially causing both exporters to send to the wrong endpoint. Consider removing this process.env mutation, or at minimum using the signal-specific env var (OTEL_EXPORTER_OTLP_TRACES_ENDPOINT).

Suggested change
process.env.OTEL_EXPORTER_OTLP_ENDPOINT = credentials.baseUrl
process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = credentials.baseUrl + '/v1/traces'

Double-check suggestion before committing. Edit this comment for amendments.


Please provide feedback on the review comment by checking the appropriate box:

  • 🌟 Awesome comment, a human might have missed that.
  • ✅ Helpful comment
  • 🤷 Neutral
  • ❌ This comment is not helpful

Comment thread lib/metrics/index.js
if (!credentials) throw new Error('No CaaS credentials found. Make sure the app is bound to a caas-service instance.')
augmentCaaSCreds(credentials)
// Set OTLP env vars to binding credentials (prevents stale env values from taking precedence)
process.env.OTEL_EXPORTER_OTLP_ENDPOINT = credentials.baseUrl

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Same process-wide env var mutation as in tracing/index.jsOTEL_EXPORTER_OTLP_ENDPOINT is set to the base URL without a signal-specific path, which conflicts with the value set by the tracing exporter (or vice-versa depending on initialisation order). Use OTEL_EXPORTER_OTLP_METRICS_ENDPOINT instead.

Suggested change
process.env.OTEL_EXPORTER_OTLP_ENDPOINT = credentials.baseUrl
process.env.OTEL_EXPORTER_OTLP_METRICS_ENDPOINT = credentials.baseUrl + '/v1/metrics'

Double-check suggestion before committing. Edit this comment for amendments.


Please provide feedback on the review comment by checking the appropriate box:

  • 🌟 Awesome comment, a human might have missed that.
  • ✅ Helpful comment
  • 🤷 Neutral
  • ❌ This comment is not helpful

Comment thread lib/utils.js
const vcap = JSON.parse(process.env.VCAP_SERVICES)
// Look for user-provided service with name matching configured pattern
const { mtls_service_pattern } = cds.env.requires.telemetry
if (!mtls_service_pattern) return

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic Error: getCredsForCaaSMtls() reads cds.env.requires.telemetry.mtls_service_pattern but getCredsForCaaSMtls is only reached via augmentCaaSCreds, which is only called when kind matches to-caas. At that point cds.env.requires.telemetry is the merged kind config, so mtls_service_pattern should be present — but if for any reason the property is absent (e.g. user overrides the kind config without it), the function silently returns undefined and the else branch only logs a warning. The mTLS credentials silently become unconfigured rather than raising a clear error.

Suggested change
if (!mtls_service_pattern) return
if (!mtls_service_pattern) {
LOG._warn && LOG.warn('CaaS: mtls_service_pattern is not configured; cannot locate mTLS credentials.')
return
}

Double-check suggestion before committing. Edit this comment for amendments.


Please provide feedback on the review comment by checking the appropriate box:

  • 🌟 Awesome comment, a human might have missed that.
  • ✅ Helpful comment
  • 🤷 Neutral
  • ❌ This comment is not helpful

Comment thread lib/utils.js
// Look for user-provided service with name matching configured pattern
const { mtls_service_pattern } = cds.env.requires.telemetry
if (!mtls_service_pattern) return
const pattern = new RegExp(mtls_service_pattern, 'i')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: mtls_service_pattern is taken verbatim from user-supplied configuration and passed directly into new RegExp(...) without any escaping. A malformed pattern (e.g. "caas-mtls(") will throw a SyntaxError that propagates up uncaught and crashes the process during startup.

Suggested change
const pattern = new RegExp(mtls_service_pattern, 'i')
let pattern
try {
pattern = new RegExp(mtls_service_pattern, 'i')
} catch (e) {
LOG._error && LOG.error(`CaaS: Invalid mtls_service_pattern "${mtls_service_pattern}":`, e.message)
return
}

Double-check suggestion before committing. Edit this comment for amendments.


Please provide feedback on the review comment by checking the appropriate box:

  • 🌟 Awesome comment, a human might have missed that.
  • ✅ Helpful comment
  • 🤷 Neutral
  • ❌ This comment is not helpful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants