fix(tracing): direct OTel SDK setup for chain-coherent sampling

[ci-operator]

📝 Description of the Change

PR #2605 ran PaC's tracing through Knative's config-observability flat
tracing-sampling-rate. At fractional rates each service in the chain rolls
independently — PaC can drop a trace while Tekton keeps it, leaving execution
spans whose parent_spanID points at nothing.

This PR switches to the OTel SDK directly. OTEL_TRACES_SAMPLER opens the
parentbased_* family, which honors the root span's sample decision in the
W3C traceparent flag bit so the whole chain is kept or dropped together.

Controller and watcher call tracing.New() at startup; tracing is opt-in
(both OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_TRACES_SAMPLER must be set).
The tracing-* keys are dropped from the _example ConfigMap block since
they no longer apply. Resource service.name is pipelines-as-code.
Propagator is W3C TraceContext only; Baggage is intentionally not honored
per Konflux-CI ADR 0061.

🔗 Linked GitHub Issue

Fixes #

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

AI assistance can be used for various tasks, such as code generation,
documentation, or testing.

Please indicate whether you have used AI assistance
for this PR and provide details if applicable.

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

Important

Slop will be simply rejected, if you are using AI assistance you need to make sure you
understand the code generated and that it meets the project's standards. you
need at least know how to run the code and deploy it (if needed). See
startpaac to make it easy
to deploy and test your code changes.

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Claude noreply@anthropic.com

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Code Review

This pull request transitions Pipelines-as-Code tracing configuration from a custom ConfigMap to standard OpenTelemetry environment variables (such as OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_TRACES_SAMPLER). It introduces a new tracing package to initialize and manage the tracer provider lifecycle, updating both the controller and adapter to initialize and shut down the provider correctly. A critical issue was identified in pkg/tracing/provider.go where passing the application's cancellation context to the OTLP exporter prevents final spans from being flushed during shutdown; using context.Background() is recommended instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Passing the application's cancellation context (ctx) to the OTLP exporter creation means that when the application context is cancelled to initiate shutdown, the exporter's connection/client is also cancelled immediately. This prevents the final flush of spans during tp.Shutdown(shutdownCtx) from succeeding, leading to lost spans. Using context.Background() ensures the exporter remains functional during the shutdown flush.

Suggested change

	exporter, err := newExporter(ctx, logger)
	exporter, err := newExporter(context.Background(), logger)

[ci-operator]

newExporter uses context.Background() so the exporter's connection stays open through tp.Shutdown(shutdownCtx) and queued spans flush. The ctx parameter on tracing.New is dropped since nothing else used it.

[theakshaypant]

While the configmap keys are removed, I see no change in controller. Does that mean the configmap based tracing continue to work even with these changes?

[ci-operator]

The Knative tracing wrapper that consumed these _example keys is replaced; the new tracer in pkg/tracing/provider.go reads the OTel-standard env vars directly. The _example block was just documentation for keys nothing reads anymore.

This is not the same ConfigMap as pipelines-as-code (the main one), which holds the tracing-label-action|application|component operator label-name mappings.

On the "no change in controller" observation - we verified end-to-end that with neither OTEL_EXPORTER_OTLP_ENDPOINT nor OTEL_TRACES_SAMPLER set, PaC falls back to a noop tracer and emits no spans. If you're seeing tracing behavior unchanged from the pre-PR state, could you share how to reproduce so we can dig in?

[theakshaypant]

By changes in controller, I intended to ask if the knative base (eventing/adapter) that pac uses, reads these observability configmap keys for any arbitrary configuration/operations. Ref.

[ci-operator]

Yes - the Knative eventing-adapter still consumes config-observability for non-tracing observability (metrics/profiling/etc. via evadapter.NewObservabilityConfiguratorFromConfigMap() at the line you linked, logging is read from config-logging separately). What this PR changes is specifically the tracing portion: PaC's old Knative tracing wrapper (added in bd9f468) read tracing-protocol / tracing-endpoint / tracing-sampling-rate from this ConfigMap; the new pkg/tracing/provider.go reads the OTel-standard env vars directly and that wrapper is gone, so those three keys went with the _example block. The Knative-base reads for non-tracing observability are unchanged.

[zakisk]

@ci-operator as it looks breaking change and @theakshaypant is considerate about, can't we introduce env based configuration as fallback to configmap so that we're keeping both, considering other users may want to use configmap?

[theakshaypant]

We should not link a downstream project's design doc in PaC's documentation.

[zakisk]

is github.com/konflux-ci considered downstream?? I think NO it's another open source repository.

[theakshaypant]

Downstream would be anything that builds on or utilizes PaC and if a change here is affecting konflux-ci, then it does qualify as a downstream project.
Even so, point still stands. We should not link a design doc from another project.

[chmouel]

yes please remove konflux references, we are not a dep on this

[ci-operator]

Removed the konflux link entirely. Rewrote the Baggage paragraph to stand on its own (every emission point already has the attributes it needs from the local PipelineRun and webhook event, so no cross-service propagation channel is needed). Also corrected a stale tracing-endpoint reference further down the file - the OTel SDK reads OTEL_EXPORTER_OTLP_ENDPOINT automatically, so the docs just needed to point at the standard env var name.

[theakshaypant]

[nit] redundant protocolFromEnv call

[ci-operator]

Fixed. Hoisted to a local.

[zakisk]

/ok-to-test

[codecov-commenter]

Codecov Report

❌ Patch coverage is 70.29703% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.78%. Comparing base (cc818de) to head (6820cf1).

Files with missing lines	Patch %	Lines
pkg/tracing/provider.go	80.68%	13 Missing and 4 partials ⚠️
pkg/reconciler/controller.go	0.00%	7 Missing ⚠️
pkg/adapter/adapter.go	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2756      +/-   ##
==========================================
+ Coverage   59.73%   59.78%   +0.05%     
==========================================
  Files         210      211       +1     
  Lines       21117    21218     +101     
==========================================
+ Hits        12615    12686      +71     
- Misses       7707     7733      +26     
- Partials      795      799       +4     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[chmouel]

This feelds vibe coded, have you tested this properly? have you properly reviewed it?

[ci-operator]

Sorry for the churn here. A number of findings surfaced while working through the integration-service and release-service side of this work, and the OTel SDK swap in this PR turned out to be necessary to avoid a fractional-sampling fragmentation bug (Knative's tracing wrapper made per-service sampling decisions independently of the root span). The unrelated cleanups landed in the same commit, but the overall behavior is functionally identical to what shipped in #2605 (#2605): same spans, same attribute schema, same opt-in env vars, just plumbed through the OTel SDK directly so parentbased_* samplers behave coherently across the delivery chain. Let me know if this needs greater alignment with your code conventions.

The PR was validated end-to-end across more than a dozen scenarios covering each fix and each error class it mitigates:

• Chain-coherency under fractional sampling (per-service-independent sample decisions fragmenting chains - the failure mode the PR exists to fix).
• Dual opt-in: noop fallback when either ENDPOINT or SAMPLER is unset.
• All sampler families plus the ratio-arg defaulting path.
• Transport selection between gRPC and HTTP/protobuf.
• W3C TraceContext only; Baggage explicitly suppressed.
• Resource attribute resolution (no unknown_service fallbacks).
• Concurrent webhook handling.
• BSP flush behavior under graceful and abrupt controller termination.

[theakshaypant]

[warning/docs] Remaining Konflux-specific service references

The earlier reviewer feedback asked to remove Konflux references. The ADR link was removed, but "integration-service" and "release-service" on this line are Konflux-CI-specific service names that leaked through. PaC is upstream and shouldn't assume a specific deployment topology in its docs.

Consider generalizing:

Suggested change

The `parentbased_*` sampler family honors the parent span's sample decision carried in the W3C `traceparent` flag bit. When PaC, Tekton, integration-service, and release-service all use parent-based samplers, the root span's sampling decision propagates through the whole delivery chain: every service either keeps its spans or drops them based on what the root chose. Flat-rate samplers (`traceidratio` without parent-based) cause each service to roll independently, which at fractional sampling fragments the chain into orphaned spans whose `parent_spanID` references a span that was dropped. `parentbased_always_on` keeps everything; `parentbased_traceidratio` with a numeric argument samples a coherent fraction.

The `parentbased_*` sampler family honors the parent span's sample decision carried in the W3C `traceparent` flag bit. When every service in the delivery chain uses parent-based samplers, the root span's sampling decision propagates end to end: each service either keeps its spans or drops them based on what the root chose. Flat-rate samplers (`traceidratio` without parent-based) cause each service to roll independently, which at fractional sampling fragments the chain into orphaned spans whose `parent_spanID` references a span that was dropped. `parentbased_always_on` keeps everything; `parentbased_traceidratio` with a numeric argument samples a coherent fraction.

[ci-operator]

Right, I missed those alongside the ADR link. Reworded the sentence to be topology-neutral.

[theakshaypant]

[nit/code-quality] Redundant protocolFromEnv() — acknowledged but not yet pushed

This was flagged by a prior reviewer, and you replied "Fixed. Hoisted to a local." — but the fix hasn't been pushed yet. protocolFromEnv() is called here (line 70) and again inside newExporter() (line 91). No functional impact (env vars don't change mid-process), just redundant work.

To hoist: add proto := protocolFromEnv() before the newExporter call, pass it into newExporter as a parameter, and use the local proto in this log line.

[ci-operator]

Sorry, I was on wrong branch and never actually pushed it. Pulled proto := protocolFromEnv() up before the log line and pass it into newExporter so it only runs once.

[theakshaypant]

[AI-assisted review]
Solid work — well-structured, correct, and good test coverage. Two minor items inline.

What this does: Replaces Knative's config-observability ConfigMap-based tracing (which uses a flat tracing-sampling-rate causing per-service independent sampling) with direct OTel SDK initialization. This enables parentbased_* samplers that honor the root span's W3C traceparent flag bit, keeping the entire trace chain coherent.

What's good:

• Clean self-contained tracing package with a clear New() / Shutdown() lifecycle
• Correct use of context.Background() for the exporter — the gRPC/HTTP connection survives context cancellation so the BatchSpanProcessor can flush during shutdown
• Dual opt-in guard (both OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_TRACES_SAMPLER must be set) with clear log messages on the noop fallback path
• Thorough test suite: all 6 sampler families, noop fallback paths, protocol precedence, shutdown idempotency. The saveGlobalProvider helper properly restores global OTel state
• Uses gotest.tools/v3/assert and table-driven tests per project conventions
• samplerFromEnv logs a helpful warning when a ratio sampler is selected without OTEL_TRACES_SAMPLER_ARG (defaults to 0%)

Findings (1 warning, 1 nit):

• docs/content/docs/operations/tracing.md:23 — warning/docs: "integration-service" and "release-service" are Konflux-specific service names that survived the earlier Konflux-reference cleanup. Suggest generalizing to "every service in the delivery chain."
• pkg/tracing/provider.go:70 — nit/code-quality: Redundant protocolFromEnv() call was acknowledged by the author as fixed ("Hoisted to a local.") but the fix hasn't been pushed yet.

Prior review feedback status:

• ✅ Gemini's context.Background() for exporter creation — fixed
• ✅ Konflux ADR link removed, Baggage paragraph rewritten
• ✅ ConfigMap clarification — Knative base still reads non-tracing keys
• ⚠️ Redundant protocolFromEnv() — acknowledged but not yet pushed

[zakisk]

/ok-to-test

[theakshaypant]

/ok-to-test

[theakshaypant]

/ok-to-test

[theakshaypant]

Please run make lint and make test locally to avoid CI failures.

[ci-operator]

Suppressed gosec false positive on OTel shutdown goroutine where Background is needed; lint and test pass now.

[ci-operator]

Pushed gosec suppression on OTel shutdown goroutine and a small cleanup.

[theakshaypant]

Since the configmap based tracing would no longer work, can we add a callout for any existing users.
Something like this.

[zakisk]

shouldn't we log the shutdown error?

[zakisk]

as per some AI review, does timeout handling needed here??

[zakisk]

@ci-operator the whole point to emit traces via OTEL Sdk and drop the knative configmap is to use parentbased_* field and disable traces emitted from knative??

[zakisk]

@ci-operator the whole point to emit traces via OTEL Sdk and drop the knative configmap is to use parentbased_* field and disable traces emitted from knative??

If yes, so then AFAIK, hierarchy of services is PaC controller -> Tekon Controller -> PaC watcher (please correct if I am wrong...). and I think tektoncd/pipeline still uses knative based tracing and using tracing-sampling-rate for sampling so it wouldn't be using parentbased_* sampling.