feat: add compositionresolver OTel processor to replace EventRouter

Build a custom OTel collector (otelcol-krateo) that includes a
compositionresolver processor.  For each K8s event, the processor
resolves the involvedObject via the K8s API, reads its
krateo.io/composition-id label, and sets it as a LogAttribute —
replicating the lookup that EventRouter performed before forwarding
events to EventSSE.

This allows the /events ClickHouse endpoint to filter by composition
UID directly (LogAttributes['krateo.io/composition-id']), eliminating
the need for EventRouter, EventSSE, and etcd.

New files:
- otel-collector-custom/ — processor source, OCB config, Dockerfile
- .github/workflows/otel-collector.yaml — CI for ghcr.io image

Updated:
- otel-collectors/deployment.yaml — custom image + compositionresolver
  in the logs pipeline, broad RBAC for involvedObject GET
- clickhouse-config/ — /events query filters by LogAttributes
  instead of namespace

Made-with: Cursor

Author: braghettos

.github/workflows/otel-collector.yaml

@@ -0,0 +1,70 @@
+name: OTel Collector – Build & Push
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "otel-collector-custom/**"
+      - ".github/workflows/otel-collector.yaml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "otel-collector-custom/**"
+      - ".github/workflows/otel-collector.yaml"
+  workflow_dispatch: {}
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: braghettos/otelcol-krateo
+
+jobs:
+  build-push:
+    name: Build & push image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (multi-arch)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: otel-collector-custom
+          file: otel-collector-custom/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Image digest
+        run: echo "Pushed ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-push.outputs.digest }}"

clickhouse-config/configmap.yaml

@@ -14,16 +14,11 @@ data:
     <clickhouse>
       <http_handlers>
         <!--
-          GET /events?composition_id=<namespace>[&limit=50]
+          GET /events?composition_id=<uid>[&limit=50]
 
-          k8sobjects receiver stores events as raw K8s watch JSON in Body:
-            Body = {"object": {"reason":"...", "message":"...", "type":"Normal|Warning",
-                               "involvedObject": {"name":"...", "namespace":"...",
-                                                  "kind":"...", "uid":"..."},
-                               "eventTime":"...", ...}, "type":"ADDED|MODIFIED"}
-
-          Filter by k8s.namespace.name (set by k8sobjects from event metadata.namespace),
-          which maps to the Krateo composition namespace.
+          The compositionresolver OTel processor enriches each K8s event with
+          LogAttributes['krateo.io/composition-id'] by resolving the involvedObject
+          via the K8s API.  composition_id is the composition resource's UID.
         -->
         <rule>
           <url>/events</url>
@@ -47,7 +42,7 @@ data:
                   ifNull(JSONExtractString(Body, 'object', 'source', 'component'), '')         AS source_component
               FROM otel_logs
               WHERE ResourceAttributes['telemetry.source'] = 'k8s-events'
-                AND ResourceAttributes['k8s.namespace.name'] = {composition_id:String}
+                AND LogAttributes['krateo.io/composition-id'] = {composition_id:String}
                 AND JSONExtractString(Body, 'object', 'reason') != ''
               ORDER BY Timestamp DESC
               LIMIT 50

clickhouse-config/http-handlers.xml

@@ -7,7 +7,7 @@
   main config (which has no <http_handlers>). Built-in hardcoded handlers
   (/ping, /replicas_status, /play, etc.) remain available as fallbacks.
 
-  Endpoint: GET /events?composition_id=<id>[&limit=50]
+  Endpoint: GET /events?composition_id=<uid>[&limit=50]
   Returns:  FORMAT JSON rows; transformed into SSEK8sEvent by the RESTAction
             JQ filter in restaction.composition-events.yaml.
   Mount at: /etc/clickhouse-server/config.d/http-handlers.xml
@@ -21,18 +21,18 @@
 
     <!-- ================================================================
          Custom: Krateo K8s events endpoint
-         GET /events?composition_id=<id>[&limit=50]
-         {composition_id:String} is read from the URL query parameter.
+         GET /events?composition_id=<uid>[&limit=50]
+         {composition_id:String} is the composition resource's UID,
+         matching the value of label krateo.io/composition-id on managed
+         resources.
 
-         k8sobjects receiver stores events as raw Kubernetes watch JSON in Body:
-           Body = {"object": {"reason":"...", "message":"...", "type":"Normal|Warning",
-                              "involvedObject": {"name":"...", "namespace":"...",
-                                                 "kind":"...", "uid":"..."},
-                              "eventTime":"...", ...}, "type":"ADDED|MODIFIED"}
+         The compositionresolver OTel processor enriches each K8s event
+         log record with a LogAttribute "krateo.io/composition-id" by
+         resolving the involvedObject via the K8s API — the same logic
+         the old EventRouter performed.
 
-         We filter by k8s.namespace.name (ResourceAttribute set by the k8sobjects
-         receiver from the event's metadata.namespace), which maps to the Krateo
-         composition namespace. Event fields are extracted with JSONExtractString.
+         Event fields are extracted from the raw K8s watch JSON in Body
+         using JSONExtractString.
          ================================================================ -->
     <rule>
       <url>/events</url>
@@ -56,7 +56,7 @@
               ifNull(JSONExtractString(Body, 'object', 'source', 'component'), '')         AS source_component
           FROM otel_logs
           WHERE ResourceAttributes['telemetry.source'] = 'k8s-events'
-            AND ResourceAttributes['k8s.namespace.name'] = {composition_id:String}
+            AND LogAttributes['krateo.io/composition-id'] = {composition_id:String}
             AND JSONExtractString(Body, 'object', 'reason') != ''
           ORDER BY Timestamp DESC
           LIMIT 50

otel-collector-custom/Dockerfile

@@ -0,0 +1,26 @@
+FROM golang:1.23-alpine AS builder
+
+RUN apk add --no-cache ca-certificates git
+
+# Install OCB (OpenTelemetry Collector Builder)
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    go install go.opentelemetry.io/collector/cmd/builder@v0.117.0
+
+WORKDIR /build
+COPY builder-config.yaml .
+COPY compositionresolver/ compositionresolver/
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    builder --config builder-config.yaml
+
+# ---
+FROM gcr.io/distroless/base-debian12:latest
+
+ARG USER_UID=10001
+USER ${USER_UID}
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --chmod=755 --from=builder /build/otelcol-krateo/otelcol-krateo /otelcol-krateo
+
+ENTRYPOINT ["/otelcol-krateo"]

otel-collector-custom/builder-config.yaml

@@ -0,0 +1,28 @@
+dist:
+  name: otelcol-krateo
+  description: Krateo OTel Collector – contrib + compositionresolver processor
+  output_path: ./otelcol-krateo
+  otelcol_version: 0.117.0
+
+receivers:
+  # K8s events (watch mode) and cluster metrics
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/k8sobjectsreceiver v0.117.0
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/k8sclusterreceiver v0.117.0
+
+processors:
+  # Core processors
+  - gomod: go.opentelemetry.io/collector/processor/batchprocessor v0.117.0
+  - gomod: go.opentelemetry.io/collector/processor/memorylimiterprocessor v0.117.0
+  # Contrib processors
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/processor/k8sattributesprocessor v0.117.0
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/processor/resourceprocessor v0.117.0
+  # Custom: resolves krateo.io/composition-id from involvedObject labels
+  - gomod: github.com/braghettos/observability-stack/otel-collector-custom/compositionresolver v0.0.1
+    path: ./compositionresolver
+
+exporters:
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/exporter/clickhouseexporter v0.117.0
+  - gomod: go.opentelemetry.io/collector/exporter/debugexporter v0.117.0
+
+extensions:
+  - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.117.0

otel-collector-custom/compositionresolver/config.go

@@ -0,0 +1,23 @@
+package compositionresolver
+
+import "time"
+
+type Config struct {
+	// CacheTTL controls how long a resolved composition-id stays cached before
+	// re-querying the K8s API.  A longer TTL reduces API pressure but delays
+	// detection of label changes on the involvedObject.
+	CacheTTL time.Duration `mapstructure:"cache_ttl"`
+
+	// NegativeCacheTTL is the TTL for caching "not found" results (resources
+	// that exist but have no krateo.io/composition-id label, or that could
+	// not be resolved at all). Shorter than CacheTTL so we re-check sooner.
+	NegativeCacheTTL time.Duration `mapstructure:"negative_cache_ttl"`
+
+	// LabelKey is the Kubernetes label on the involvedObject that holds the
+	// composition identifier (the composition resource's UID).
+	LabelKey string `mapstructure:"label_key"`
+}
+
+func (c *Config) Validate() error {
+	return nil
+}

otel-collector-custom/compositionresolver/factory.go

@@ -0,0 +1,45 @@
+package compositionresolver
+
+import (
+	"context"
+	"time"
+
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/consumer"
+	"go.opentelemetry.io/collector/processor"
+	"go.opentelemetry.io/collector/processor/processorhelper"
+)
+
+var processorType = component.MustNewType("compositionresolver")
+
+func NewFactory() processor.Factory {
+	return processor.NewFactory(
+		processorType,
+		createDefaultConfig,
+		processor.WithLogs(createLogsProcessor, component.StabilityLevelAlpha),
+	)
+}
+
+func createDefaultConfig() component.Config {
+	return &Config{
+		CacheTTL:         5 * time.Minute,
+		NegativeCacheTTL: 30 * time.Second,
+		LabelKey:         "krateo.io/composition-id",
+	}
+}
+
+func createLogsProcessor(
+	ctx context.Context,
+	set processor.Settings,
+	cfg component.Config,
+	nextConsumer consumer.Logs,
+) (processor.Logs, error) {
+	pCfg := cfg.(*Config)
+	p := newProcessor(set.Logger, pCfg)
+
+	return processorhelper.NewLogs(
+		ctx, set, cfg, nextConsumer, p.processLogs,
+		processorhelper.WithStart(p.start),
+		processorhelper.WithShutdown(p.shutdown),
+	)
+}

otel-collector-custom/compositionresolver/go.mod

@@ -0,0 +1,13 @@
+module github.com/braghettos/observability-stack/otel-collector-custom/compositionresolver
+
+go 1.23.0
+
+require (
+	go.opentelemetry.io/collector/component v0.117.0
+	go.opentelemetry.io/collector/consumer v1.23.0
+	go.opentelemetry.io/collector/pdata v1.23.0
+	go.opentelemetry.io/collector/processor v0.117.0
+	go.uber.org/zap v1.27.0
+	k8s.io/apimachinery v0.32.0
+	k8s.io/client-go v0.32.0
+)