AWS Distro for OpenTelemetry

EKS add-ons Advanced Configuration for ADOT: Collector Deployment (<v0.88.0-eksbuild.1)

EKS add-ons Advanced Configuration for ADOT: Collector Deployment (<v0.88.0-eksbuild.1)

As discussed in the section Add-on Advanced Configuration (<v0.88.0-eksbuild.1), EKS add-ons now provides the ability to configure ADOT during installation time of the add-on. With this functionality, an ADOT Collector can also be deployed during an installation, provided that add-on version v0.62.1-eksbuild.1 or higher is being used.

For more information on Collector configuration, and to learn about Amazon Managed Service for Prometheus (AMP), Amazon CloudWatch (CW), and AWS X-Ray as telemetry destinations, see the Collector configuration introduction section.

Below is a list of configurable values EKS add-ons provides for ADOT, specifically to enable Collector deployment.

ValueDescriptionDefaultExample
collector.modeSpecifies what mode to deploy the Collector in. Modes are deployment, daemonset, statefulset, and sidecar.deployment"{"collector":{"mode":"deployment"}}"
collector.replicasSpecifies how many replicas of the Collector to deploy.1"{"collector":{"replicas":1}}"
collector.resources.limits.cpuModifies the cpu resource limit for the ADOT Collector pod.*256m"{"collector":{"resource":{"limits":{"cpu":"256m"}}}}"
collector.resources.limits.memoryModifies the memory resource limit for the ADOT Collector pod.*512Mi"{"collector":{"resource":{"limits":{"memory":"512Mi"}}}}"
collector.resources.requests.cpuModifies the cpu resource request for the ADOT Collector pod.*64m"{"collector":{"resource":{"requests":{"cpu":"64m"}}}}"
collector.resources.requests.memoryModifies the memory resource request for the ADOT Collector pod.*128Mi"{"collector":{"resource":{"requests":{"memory":"128Mi"}}}}"
collector.serviceAccount.createSpecify whether or not to create a service account for use with Collector deployment.true"{"collector":{"serviceAccount":{"create":true}}}"
collector.serviceAccount.nameSpecify a name for a service account for use with Collector deployment, either to create or a pre-existing service account.aws-otel-collector"{"collector":{"serviceAccount":{"name":"aws-otel-collector"}}}"
collector.serviceAccount.annotations**Specifies annotations for a service account for use with Collector deployment.N/A"{"collector":{"serviceAccount":{"annotations":{"eks.amazonaws.com/role-arn":"arn:aws:iam::000000000000:role/adot-collector"}}}}}"
collector.amp.enabledSpecify whether or not to enable AMP as a destination for Collector deployment.false"{"collector":{"amp":{"enabled":true}}}"
collector.amp.remoteWriteEndpointSpecify a remote write endpoint for AMP. Required if collector.amp.enabled is true.N/A"{"collector":{"amp":{"remoteWriteEndpoint":"https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api/v1/remote_write"}}}"
collector.cloudwatch.enabledSpecify whether or not to enable CW as a destination for Collector deployment.false"{"collector":{"cloudwatch":{"enabled":true}}}"
collector.xray.enabledSpecify whether or not to enable X-Ray as a destination for Collector deployment.false"{"collector":{"xray":{"enabled":true}}}"

*Note that in Fargate, resource requests and limits must be equal, see this troubleshooting guide for more information.

**The collector.serviceAccount.annotations configuration value can be used to annotate your service account and associate it with an IAM role for the IAM Roles for Service Accounts (IRSA). As an alternative to using this configuration value for IRSA, you can use the --service-account-role-arn flag when creating or updating the add-on. This flag will annotate service accounts created by the add-on with the role ARN you provide. The equivalent to the example provided for collector.serviceAccount.annotations is --service-account-role-arn arn:aws:iam::000000000000:role/adot-collector.

Use your IAM role to launch the ADOT Collector

You can associate your IAM role to your EKS service account using IAM Roles for Service Accounts (IRSA). Your service account can then provide AWS permissions to the containers you run in any pod that use that service account. You must use this command for each cluster where you're installing ADOT to grant your AWS service account permissions. Follow these steps to associate your IAM role to your EKS service account using IRSA:

  1. Create an IAM OpenID Connect (OIDC) provider for your cluster by following the steps in the link below:
  2. Create your service account and IAM role. In this command, you must have values for the following flags:
    • For the --name flag, add the name of the service account you want to create; for this example we will name it adot-collector.
    • For the --namespace flag, use the namespace your service account will reside in; for our example we will use the default namespace.
    • For the --cluster flag, use the name of your cluster.
    • The three --attach-policy-arn values are the policies to be attached. These three policies are the policies needed for each service we want to export to. If you only plan on using 1 or 2 of the services, you only need to attach the policies for that service:
      • arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess grants write access to the Prometheus service.
      • arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess grants write access to the AWS X-Ray service.
      • arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy grants access to write the CloudWatch service.
    • The --override-existing-serviceaccounts flag is for if you have a service account already created in the cluster without an IAM Role. You can exclude this if that is not the case.
eksctl create iamserviceaccount \
--name adot-collector \
--namespace default \
--cluster <your_cluster_name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \
--attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
--attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
--approve \
--override-existing-serviceaccounts

We can see in the above table that one of the configurable values is collector.serviceAccount. We will utilize this field by adding the serviceAccount: { name: adot-collector } field to our collector configuration to use IRSA.

An example of how to use EKS add-ons to install ADOT, with a Collector deployment to AMP using a pre-existing service account for IRSA, can be seen in the command below

aws eks create-addon \
--cluster-name <YOUR-EKS-CLUSTER-NAME> \
--addon-name adot \
--addon-version v0.62.1-eksbuild.1 \
--configuration-values file://configuration-values.json
// configuration-values.json
{
"collector": {
"serviceAccount": {
"create": false,
"name": "<YOUR-SERVICE-ACCOUNT-NAME>"
},
"amp": {
"enabled": true,
"remoteWriteEndpoint": "https://aps-workspaces.us-west-2.amazonaws.com/workspaces/ws-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/api/v1/remote_write"
}
}
}

Note that collector may take 2-3 minutes to create and show up in your cluster.

Previous Topic: Add-on Advanced Configuration (<v0.88.0-eksbuild.1)

Next Topic: Updating and Cleanup