en›Guides›Observability›Telemetry

Centralize your observability stack with OpenTelemetry

OpenTelemetry (opens in a new tab) (OTel) is an open-source observability framework designed to provide consistent and reliable ways to collect telemetry data across distributed systems. It is a project under the Cloud Native Computing Foundation (CNCF) (opens in a new tab) as an incubating project. Its goal is to provide a unified standard and toolset for instrumenting, generating, and exporting telemetry data from modern applications, making it easier to monitor, debug, and understand complex services.

The goal of NQRust-Identity is to support OpenTelemetry Logs, Metrics, and Traces to create a centralized observability stack without any additional deployment overhead.

General options

NQRust-Identity provides support for global settings of telemetry data export. It means that you can configure connection parameters to a single OpenTelemetry collector (opens in a new tab) that will be used for all supported components.

In order to have OpenTelemetry enabled, at least one component needs to be turned on, for example Traces.

The OpenTelemetry feature is enabled by default. Disable the feature in order to disable OpenTelemetry components.

Endpoint

You can configure the OpenTelemetry collector’s global endpoint that is shared across all components by using the telemetry-endpoint option. The default value is http://localhost:4317.

You can change the endpoint via CLI as follows:

bin/kc.[sh|bat] start --telemetry-endpoint=http://my-otel-endpoint:4317

Service name

You can configure the global OpenTelemetry service name used for identifying the exporter of the telemetry data. The default service name is keycloak, specified via the telemetry-service-name property, which takes precedence over service.name defined in the telemetry-resource-attributes property.

You can change the service name via CLI as follows:

bin/kc.[sh|bat] start --telemetry-service-name=my-keycloak-iam

Protocol

You can configure the global OpenTelemetry transport protocol used as a communication channel between NQRust-Identity and the OpenTelemetry collector. The default value is grpc.

NQRust-Identity supports these communication protocols:

grpc (default)
http/protobuf

You can change the protocol via CLI as follows:

bin/kc.[sh|bat] start --telemetry-protocol=http/protobuf

Request headers

You can configure custom request headers that will be sent when exporting telemetry data to the OpenTelemetry collector. This is useful for providing authentication tokens or other custom headers required by your telemetry backend.

Use the telemetry-header-<header> option to set headers for all telemetry components (logs, metrics, and traces).

Replace <header> with your custom header name in the option name.

bin/kc.[sh|bat] start --telemetry-header-Authorization='Bearer my-token' --telemetry-header-X-Custom-Header=custom-value

Component-specific headers take precedence over general headers for their respective components.

Configuration via NQRust-Identity CR (Operator)

The NQRust-Identity CR has first-class citizen configuration options for telemetry. These may be configured under the spec.telemtry stanza as follows:

apiVersion: k8s.keycloak.org/v2beta1
kind: Keycloak
metadata:
  name: example-kc
spec:
  telemetry:
    endpoint: http://my-telemetry:4317          # default 'http://localhost:4317'
    serviceName: my-best-keycloak-telemetry     # default 'keycloak'
    protocol: http/protobuf                     # default 'grpc'
    resourceAttributes:
      service.namespace: keycloak-namespace-telemetry

These fields should reflect a 1:1 association with telemetry-* server options.

Enable all OpenTelemetry components

To enable OpenTelemetry metrics, logs, and traces, you can configure the NQRust-Identity CR as follows:

⚠️

OpenTelemetry Logs and Metrics are preview/experimental features.

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  features:
    enabled:
      - opentelemetry-logs
      - opentelemetry-metrics
  telemetry:
    endpoint: http://my-telemetry:4317
    serviceName: my-best-keycloak-telemetry
    protocol: grpc
  tracing:
    enabled: true
  additionalOptions:
    - name: telemetry-logs-enabled
      value: "true"
    - name: telemetry-metrics-enabled
      value: "true"
    - name: metrics-enabled
      value: "true"

Traces

See the Root cause analysis with tracing guide.

You can override the global OpenTelemetry settings via the Tracing options if you want to export traces to a different OpenTelemetry collector.

Logs

OpenTelemetry Logs support is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=opentelemetry-logs

The OpenTelemetry feature (opentelemetry) needs to be turned on (by default).

It is possible to export NQRust-Identity’s logs to the OpenTelemetry collector and be managed by various logging backends that support OpenTelemetry.

Enable Logs

You can enable OpenTelemetry Logs via CLI as follows:

bin/kc.[sh|bat] start --features=opentelemetry-logs --telemetry-logs-enabled=true

For more information on how to set up logging, see the Configuring Logging guide.

Log level

By default, all log levels are exported by NQRust-Identity. You can optionally configure the most verbose log level to be exported via the telemetry-logs-level option.

The telemetry-logs-level option filters which logs are exported to OpenTelemetry, while log-level and log-level-<category> control which logs NQRust-Identity generates.

The telemetry filter is applied to already-generated logs, so setting telemetry-logs-level=DEBUG will not export DEBUG logs if log-level=WARN.

For example, if you want only to export WARN and ERROR logs, you can change the log level via the CLI as follows:

bin/kc.[sh|bat] start --telemetry-logs-level=WARN

Request headers

As stated for the general configuration of headers, you can configure custom request headers that will be used when exporting logs.

bin/kc.[sh|bat] start --telemetry-logs-header-Authorization='Bearer logs-token'

Metrics

⚠️

The OpenTelemetry Metrics feature is currently experimental, and it is not recommended for use in production.

In order for the Metrics feature to function, the OpenTelemetry feature opentelemetry cannot be disabled.

For integrating OpenTelemetry Metrics, NQRust-Identity uses the Micrometer-to-OpenTelemetry bridge (opens in a new tab), which provides the functionality to export metrics created by Micrometer to the OpenTelemetry Collector. This means that all metrics created via Micrometer or OpenTelemetry metrics will be exported to the OpenTelemetry.

There are some API, and Semantic convention differences (opens in a new tab) for Micrometer vs OTel Metrics, so you should check if all required metrics are exported.

Enable Metrics

You can enable the OpenTelemetry Metrics via CLI as follows:

bin/kc.[sh|bat] start --features=opentelemetry-metrics --telemetry-metrics-enabled=true --metrics-enabled=true

Metrics (metrics-enabled) needs to be enabled as well

For more information on how to set up metrics, see the configuration options below or visit the Gaining insights with metrics guide.

Request headers

As stated for the general configuration of headers, you can configure custom request headers that will be used when exporting metrics.

bin/kc.[sh|bat] start --telemetry-metrics-header-Authorization='Bearer metrics-token'

Development setup

For development purposes, you can use the Grafana OTel-LGTM service (opens in a new tab), containing OpenTelemetry Collector and backends for logs (Loki), metrics (Prometheus), and traces (Tempo).

grafana otel lgtm

You can start the service by using Docker/Podman as follows:

docker run -p 3000:3000 -p 4317:4317 -p 4318:4318 --rm -ti grafana/otel-lgtm

Then, you can navigate to Grafana UI by accessing localhost:3000 and then you can explore all the data sent to OpenTelemetry Collector.

Relevant options

Option	Type or Values	Default
`telemetry-endpoint` OpenTelemetry endpoint to connect to. CLI: `--telemetry-endpoint` Env: `KC_TELEMETRY_ENDPOINT`	String	`http://localhost:4317`
`telemetry-header-<header>` General OpenTelemetry header that will be part of the exporter request (mainly useful for providing Authorization header). Check the documentation on how to set environment variables for headers containing special characters or custom case-sensitive headers. CLI: `--telemetry-header-<header>` Env: `KC_TELEMETRY_HEADER_<HEADER>`	String
`telemetry-protocol` OpenTelemetry protocol used for the communication between server and OpenTelemetry collector. CLI: `--telemetry-protocol` Env: `KC_TELEMETRY_PROTOCOL`	`grpc`, `http/protobuf`	`grpc`
`telemetry-resource-attributes` OpenTelemetry resource attributes characterize the telemetry producer. Values in format `key1=val1,key2=val2`. CLI: `--telemetry-resource-attributes` Env: `KC_TELEMETRY_RESOURCE_ATTRIBUTES`	List
`telemetry-service-name` OpenTelemetry service name. Takes precedence over `service.name` defined in the `telemetry-resource-attributes` property. CLI: `--telemetry-service-name` Env: `KC_TELEMETRY_SERVICE_NAME`	String	`keycloak`

Traces

Option	Type or Values	Default
`tracing-enabled` Enables the OpenTelemetry tracing. CLI: `--tracing-enabled` Env: `KC_TRACING_ENABLED`	`true`, `false`	`false`
`tracing-endpoint` OpenTelemetry endpoint to connect to for traces. If not given, the value is inherited from the `telemetry-endpoint` option. CLI: `--tracing-endpoint` Env: `KC_TRACING_ENDPOINT`	String	`http://localhost:4317`
`tracing-protocol` OpenTelemetry protocol used for the telemetry data. If not given, the value is inherited from the `telemetry-protocol` option. CLI: `--tracing-protocol` Env: `KC_TRACING_PROTOCOL`	`grpc`, `http/protobuf`	`grpc`
`tracing-resource-attributes` OpenTelemetry resource attributes present in the exported trace to characterize the telemetry producer. Values in format `key1=val1,key2=val2`. If not given, the value is inherited from the `telemetry-resource-attributes` option. For more information, check the Tracing guide. CLI: `--tracing-resource-attributes` Env: `KC_TRACING_RESOURCE_ATTRIBUTES`	List
`tracing-service-name` OpenTelemetry service name. Takes precedence over `service.name` defined in the `tracing-resource-attributes` property. If not given, the value is inherited from the `telemetry-service-name` option. CLI: `--tracing-service-name` Env: `KC_TRACING_SERVICE_NAME`	String	`keycloak`

Logs

Option	Type or Values	Default
`telemetry-logs-enabled` Enables exporting logs to a destination handling OpenTelemetry logs. CLI: `--telemetry-logs-enabled` Env: `KC_TELEMETRY_LOGS_ENABLED`	`true`, `false`	`false`
`telemetry-logs-endpoint` OpenTelemetry endpoint to export logs to. If not given, the value is inherited from the `telemetry-endpoint` option. CLI: `--telemetry-logs-endpoint` Env: `KC_TELEMETRY_LOGS_ENDPOINT`	String
`telemetry-logs-header-<header>` OpenTelemetry header that will be part of the log exporter request (mainly useful for providing Authorization header). Check the documentation on how to set environment variables for headers containing special characters or custom case-sensitive headers. CLI: `--telemetry-logs-header-<header>` Env: `KC_TELEMETRY_LOGS_HEADER_<HEADER>`	String
`telemetry-logs-level` The most verbose log level exported to the telemetry endpoint. For more information, check the Telemetry guide. CLI: `--telemetry-logs-level` Env: `KC_TELEMETRY_LOGS_LEVEL`	`off`, `fatal`, `error`, `warn`, `info`, `debug`, `trace`, `all`	`all`
`telemetry-logs-protocol` OpenTelemetry protocol used for exporting logs. If not given, the value is inherited from the `telemetry-protocol` option. CLI: `--telemetry-logs-protocol` Env: `KC_TELEMETRY_LOGS_PROTOCOL`	`grpc`, `http/protobuf`

Metrics

Option	Type or Values	Default
`metrics-enabled` If the server should expose metrics. If enabled, metrics are available at the `/metrics` endpoint. CLI: `--metrics-enabled` Env: `KC_METRICS_ENABLED`	`true`, `false`	`false`
`telemetry-metrics-enabled` Enables exporting metrics to a destination handling OpenTelemetry metrics. CLI: `--telemetry-metrics-enabled` Env: `KC_TELEMETRY_METRICS_ENABLED`	`true`, `false`	`false`
`telemetry-metrics-endpoint` OpenTelemetry endpoint to connect to for Metrics. If not given, the value is inherited from the `telemetry-endpoint` option. CLI: `--telemetry-metrics-endpoint` Env: `KC_TELEMETRY_METRICS_ENDPOINT`	String
`telemetry-metrics-header-<header>` OpenTelemetry header that will be part of the metrics exporter request (mainly useful for providing Authorization header). Check the documentation on how to set environment variables for headers containing special characters or custom case-sensitive headers. CLI: `--telemetry-metrics-header-<header>` Env: `KC_TELEMETRY_METRICS_HEADER_<HEADER>`	String
`telemetry-metrics-interval` The interval between the start of two metric export attempts to the destination handling OpenTelemetry metrics data. It accepts simplified format for time units as java.time.Duration (like 5000ms, 30s, 5m, 1h). If the value is only a number, it represents time in seconds. CLI: `--telemetry-metrics-interval` Env: `KC_TELEMETRY_METRICS_INTERVAL`	String	`60s`
`telemetry-metrics-protocol` OpenTelemetry protocol used for the metrics telemetry data. If not given, the value is inherited from the `telemetry-protocol` option. CLI: `--telemetry-metrics-protocol` Env: `KC_TELEMETRY_METRICS_PROTOCOL`	`grpc`, `http/protobuf`

All provider configuration Tracking instance status with health checks