Propagate APM tracing configuration to sub-processes via the control protocol

[joshdover]

The primary goal of this issue is to enabling trace collection on Integrations Server on Cloud by default to send to our internal APM backends. This tracing configuration will be specified in the elastic-agent.yml file on the server side and will not be part of the agent policy retrieved by Fleet.

See the initial discussion in #1969

Requirements

• When tracing is configured in Agent's local configuration, but absent in the Fleet agent policy, the local tracing configuration should take precedence
• APM tracing configuration must be propagated to sub-processes via the control protocol
  • We should not use environment variables since this will not always be possible in some runtimes
• elastic-agent-client should be updated to support this configuration
• We need to prevent any sensitive information from leaking via APM tracing data
  • We should audit existing traces
  • We should propose / consider any additional protections that need to be enabled to avoid leaking sensitive data
  • Areas to focus on: requests to Fleet Server, handling of the agent policy (local and remote from Fleet), gRPC control protocol messages to sub-processes

[joshdover]

APM configuration will be used for more than just sending traces, as applications like Fleet Server and APM Server also use this backend for metrics (and likely one day, logs too).

I think we should change the plan here slightly to start sending down an OTLP endpoint to sub-processes, which can then be used for all of these use cases. In the future, this endpoint may point to something local to the Agent or shipper as a gateway before forwarding to the backend.

As part of this, we'd probably want to change the agent yaml configuration to allow specifying an OTLP destination, but I think we can do that afterwards, since the existing APM server URL for tracing is also an OTLP endpoint.

[cmacknz]

As part of this, we'd probably want to change the agent yaml configuration to allow specifying an OTLP destination, but I think we can do that afterwards, since the existing APM server URL for tracing is also an OTLP endpoint.

We need to define how we model this in the agent policy, considering that there is no OTLP output today and if there were we would likely relying on a dedicated OTLP monitoring output to do this.

The shortest path would be to put something dedicated in the agent.monitoring section:

elastic-agent/elastic-agent.reference.yml

Lines 130 to 136 in 7cb5295

	# agent.monitoring:
	# # enabled turns on monitoring of running processes
	# enabled: false
	# # enables log monitoring
	# logs: false
	# # enables metrics monitoring
	# metrics: false

If we were just going to add traces, I would propose we add a traces configuration object that takes the OTLP destination as a sub-object like traces.otlp or similar. This is easy to do because our tracer always supports OTLP output.

This wouldn't work for metrics though because the agent.monitoring.metrics key isn't an object, and every agent sub-process won't support OTLP metrics output initially. We could add an agent.monitoring.otlp section with the destination configuration and then have separate flags for each data source like agent.monitoring.otlp.metrics: true to use it for specific data types.

For a concrete example we could end up with something like:

agent.monitoring:
  # Enable monitoring.
  enabled: true
  # Collect metrics from processes
  metrics: true
  # Collect logs from processes
  logs: true
  # Collect traces from processes
  traces: true
  # OpenTelemetry protocol configuration
  otlp:
    # OTLP protocol host or IP
    host: xxxx
    # TLS configuration (we use the ssl key for this everywhere else already)
    ssl: xxxx

The only thing I don't like about this is that setting agent.monitoring.otlp.metrics: true might enable otlp metrics, or it might not, because not all inputs would support it and there's no way for a user to know besides turning it on and seeing what happens.

Edit: Ignore this comment, see #2612 (comment) instead.

[joshdover]

Thanks for giving this some additional thought.

The only thing I don't like about this is that setting agent.monitoring.otlp.metrics: true might enable otlp metrics, or it might not, because not all inputs would support it and there's no way for a user to know besides turning it on and seeing what happens.

I would expect that (eventually) the metrics that Agent currently scrapes from input processes also go through OTLP when agent.monitoring.otlp.metrics is enabled. We can do this because we know the data model of our input metrics today and can transform those into OTLP metric records in a straightforward way. Until then, you are right that we need to keep this option experimental.

Longer-term we will probably want to support a dedicated OTLP output type, which agent monitoring should be able to reference. How does that overlap with this? I wasn't able to find an example of how to set the monitoring output to a different destination.

For the scope of this ticket though, I don't think it needs to matter too much. I think in any case the sub-processes need to receive a specific OTLP endpoint for monitoring data, and how it's configured in elastic-agent.yml is something we can iterate on, as long as we keep it experimental for now.

[cmacknz]

I just want to double check there's not a better way to do this, agree that putting everything under agent.monitoring is the easiest path.

There is an agent.monitoring.use_output key that is missing from the reference configuration to set the monitoring destination. It is in the documentation at least https://www.elastic.co/guide/en/fleet/current/elastic-agent-monitoring-configuration.html.

https://github.com/cmacknz/elastic-agent/blob/e56d0bdaf2332a9fa4444af56de877517d73a552/internal/pkg/agent/application/monitoring/v1_monitor.go#L48

agent.monitoring:
  enabled: true
  logs: true
  metrics: true
  # This would be overridden by agent.monitoring.otlp.* if it is present.
  use_output: monitoring

We can just use the agent.monitoring.otlp.* section as an override. The agent has no concept of data type specific routing right now which would be necessary for an OTLP output anyway so we couldn't use the existing agent policy outputs for this even if we wanted to without a lot more work.

[pierrehilbert]

@joshdover / @cmacknz I think this OTLP topic should be addressed as a next step to iterate and avoid to be too ambitious in the next sprint.
For sure we should have in mind the big picture and those information will be useful to @pchila but let's create a followup issue. WDYT?

[jlind23]

@pierrehilbert what do you mean? Starting with OLTP traces within the monitoring section and work on the metrics part in a follow up Pr?

[pierrehilbert]

What I mean is to focus on traces and we will see later for the other parts.
Can we agree on that?

[cmacknz]

We can use traces as the primary implementation and exclude anything else, since our APM tracing library supports OTLP out of the box.

I apparently missed that we have an existing APM configuration section in the agent policy that Josh mentioned in #2612 (comment). This is because it isn't in our reference configuration but it is in the code.

elastic-agent/internal/pkg/core/monitoring/config/config.go

Line 22 in bece71e

APM APMConfig `yaml:"apm,omitempty" config:"apm,omitempty" json:"apm,omitempty"`

elastic-agent/internal/pkg/core/monitoring/config/config.go

Lines 67 to 82 in bece71e

	// APMConfig configures APM Tracing.
	type APMConfig struct {
	Environment string `config:"environment"`
	APIKey string `config:"api_key"`
	SecretToken string `config:"secret_token"`
	Hosts []string `config:"hosts"`
	TLS APMTLS `config:"tls"`
	}
	// APMTLS contains the configuration options necessary for configuring TLS in
	// apm-agent-go.
	type APMTLS struct {
	SkipVerify bool `config:"skip_verify"`
	ServerCertificate string `config:"server_certificate"`
	ServerCA string `config:"server_ca"`
	}

Given that this already exists, I think we can simplify this further:

1. Let's not modify the agent policy at all. Since our existing APM endpoint is also an OTLP endpoint we can keep using it experimentally for this purpose.
2. When we add support for passing this APM configuration to sub-processes, it should be modelled as an OTLP endpoint. This can be as simple as renaming APM to OTLP everywhere, but we should set the expectation for sub-processes that this is a generic OTLP endpoint and not an Elastic APM endpoint specifically to future proof it. We should review https://www.elastic.co/guide/en/apm/guide/current/open-telemetry-direct.html for the configuration needed to forward OTLP traces to APM server. We need to make sure our configuration supports both the HTTP and gRPC formats.

In summary, we should put all of our effort into generalizing the control protocol messages and leave the agent policy alone. The control protocol is much harder to change in the future since it affects teams outside of the Elastic Agent team.

[joshdover]

@cmacknz this matches my thinking as well. I'd prefer to avoid modifying the agent policy configuration at all for now and keep this as undocumented feature while we mature the solution and standardize all of Agent's internal monitoring on OTLP.

One snag is that elastic-apm-go doesn't yet support output as OTLP, which I didn't realize. So if we pass down an OTLP endpoint now, I think we'll need to make a short-term assumption that it actually supports APM intake v2 and OTLP until we can change our applications to adopt the OTel SDK (this is the plan for APM Server already).

I'm personally ok with making that assumption for now as long as it really is short-term. Otherwise, I'd prefer we expose the endpoint as explicitly being an APM endpoint so we can more smoothly phase this out with a pure OTLP endpoint later.