Install on Google Cloud Run (Sidecar)
This topic guides you through deploying the Observe Agent with a configuration file, updating your Google Cloud Run service to use it, and finally running it as a service to collect metrics, traces, and logs from your Google Cloud Run Services. The majority of this guide was taken from the official Google docs.
Prerequisites
Before you proceed, verify that the following requirements are met:
- You have an application running in Google Cloud Run and administrative access to its parent Project.
- You have the Google Cloud CLI installed and configured.
- The Project has the following Google APIs enabled:
  - run.googleapis.com - Cloud Run Admin API
  - iam.googleapis.com - Identity and Access Management (IAM) API
  - iamcredentials.googleapis.com - IAM Service Account Credentials API
  - secretmanager.googleapis.com - Secret Manager API
Configure the Observe Agent
Your next step is to create and upload your observe-agent.yaml file to the my-config-bucket S3 bucket so that your service can download and use it.
Create the observe-agent.yaml configuration file
NOTE: You will want to replace <ingest_token>, <tenant>, <service_name>, <service_version>, and <environment> with your tenant- and application-specific values.
# Observe data token (ex: a1b2c3d4e5f6g7h8i9k0:l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5a6)
token: "<ingest_token>"
# Target Observe collection url (ex: https://123456789012.collect.observeinc.com/)
observe_url: "https://<tenant>.collect.observeinc.com/"
host_monitoring:
  enabled: true
  logs:
    enabled: true
    include:
      - /mnt/shared/<path_to_logfile>
forwarding:
  enabled: true
  metrics:
    output_format: otel
  endpoints:
    grpc: 0.0.0.0:4317
    http: 0.0.0.0:4318
resource_attributes:
  service.name: <service_name> # e.g. "my-app"
  service.version: <service_version> # e.g. "v.1.0"
  deployment.environment.name: <environment> # e.g. "dev"
otel_config_overrides:
  receivers:
    filelog/host_monitoring:
      operators:
        - type: json_parser
          timestamp:
            parse_from: attributes.asctime
            layout: "%Y-%m-%d %H:%M:%S,%f"
  processors:
    resourcedetection/gcp:
      detectors: [env, gcp]
      timeout: 2s
      override: false
  service:
    pipelines:
      traces/gcp:
        receivers: [otlp]
        processors: [memory_limiter, resourcedetection, resourcedetection/gcp, batch]
        exporters: [otlphttp/observe]
      metrics/gcp:
        receivers: [otlp]
        processors: [memory_limiter, resourcedetection, resourcedetection/gcp, batch]
        exporters: [otlphttp/observemetrics]
NOTE: The block below is specific to this application and will likely need to be modified for your structured log output. See the OTel filelogreceiver documentation for more information.
filelog/host_monitoring:
  operators:
    - type: json_parser
      timestamp:
        parse_from: attributes.asctime
        layout: '%Y-%m-%d %H:%M:%S,%f'
Google Infrastructure Setup
Perform the tasks in this section to create a Google Secret, Service Account, and Policy update.
Create a Google Secret and upload your configuration
Next, create a Google Secret and upload the contents of the observe-agent.yaml file to it.
export PROJECT_ID=$(gcloud config get-value project --format="json"| tr -d '"')
export SECRET_NAME="observe-config"
gcloud secrets create ${SECRET_NAME} --data-file=observe-agent.yaml --project=${PROJECT_ID}
Create an IAM Role and grant it access to the created secret
export SERVICE_ACCOUNT_NAME=my-app-sa2
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} --display-name="My Service Account"
# -r prints the email without JSON quotes so it can be used in --member below
export SERVICE_ACCOUNT=$(gcloud iam service-accounts describe ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --format=json | jq -r '.email')
gcloud secrets add-iam-policy-binding ${SECRET_NAME} --member="serviceAccount:${SERVICE_ACCOUNT}" --role="roles/secretmanager.secretAccessor"
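A pre-upload check for the configuration stored in the secret above, as an added example that is not part of the Observe documentation. The function name `lint_observe_config`, the `SHARED_LOGS_MOUNT` variable, and the `<id>:<secret>` token shape (inferred from the sample token in the config comments) are assumptions. It rejects a file that still contains template placeholders, points at a non-HTTPS collector URL, or reads logs from outside the `/mnt/shared/logs` volume shared with the sidecar.

```shell
#!/usr/bin/env bash
# Added example, not Observe's tooling: lint observe-agent.yaml before it is
# stored in Secret Manager. lint_observe_config is a hypothetical helper name.
SHARED_LOGS_MOUNT="/mnt/shared/logs"  # mountPath of shared-logs in the manifest

lint_observe_config() {
  local file="$1" rc=0 body url token paths path
  [ -r "$file" ] || { echo "FAIL: cannot read $file" >&2; return 1; }
  # Blank out YAML comments so sample values inside them are not flagged.
  body=$(sed -E 's/(^|[[:space:]])#.*$//' "$file")

  # 1. Every <placeholder> must have been replaced with a real value.
  if printf '%s\n' "$body" | grep -nE '<[A-Za-z_-]+>' >&2; then
    echo "FAIL: unreplaced placeholder(s) on the line(s) above" >&2; rc=1
  fi

  # 2. The token and telemetry must go to the tenant's collector over HTTPS.
  url=$(printf '%s\n' "$body" |
    sed -nE 's/^observe_url:[[:space:]]*"?([^"[:space:]]*)"?.*/\1/p' | head -n 1)
  case "$url" in
    https://?*.collect.observeinc.com/) ;;
    *) echo "FAIL: observe_url is not an https collect.observeinc.com URL" >&2; rc=1 ;;
  esac

  # 3. Token present and shaped like the page's sample, <id>:<secret> (the shape
  #    is an assumption drawn from that sample). The value is never printed.
  token=$(printf '%s\n' "$body" |
    sed -nE 's/^token:[[:space:]]*"?([^"[:space:]]*)"?.*/\1/p' | head -n 1)
  case "$token" in
    ?*:?*) ;;
    *) echo "FAIL: token is empty or not of the form <id>:<secret>" >&2; rc=1 ;;
  esac

  # 4. Log paths must sit under the volume both containers mount, otherwise
  #    the sidecar has nothing to read.
  paths=$(printf '%s\n' "$body" | awk '
    /^[ \t]*include:/ { f = 1; next }
    f && /^[ \t]*-[ \t]/ { print $2; next }
    { f = 0 }' | tr -d "\"'")
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      "$SHARED_LOGS_MOUNT"/?*) ;;
      *) echo "FAIL: log path $path is outside $SHARED_LOGS_MOUNT" >&2; rc=1 ;;
    esac
  done <<EOF
$paths
EOF
  return "$rc"
}
```

Run it as `lint_observe_config observe-agent.yaml` and continue to `gcloud secrets create` only when it returns 0.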
Update your Google Cloud Run Service manifest
This section will show you how to update your GCR Service manifest with the created serviceAccountName, annotations, volumes, and the new observe-agent sidecar container.
NOTE: You will need to replace <PROJECT_ID>, <SECRET_NAME>, <SERVICE_ACCOUNT_NAME>, <IMAGE_URL>, <PORT> and <APP_NAME> with the values of the resources you created above.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-app
spec:
  template:
    metadata:
      annotations:
        # Maps the alias OBSERVE to the Secret Manager secret that holds observe-agent.yaml
        run.googleapis.com/secrets: 'OBSERVE:projects/<PROJECT_ID>/secrets/<SECRET_NAME>'
    spec:
      # SA (e.g. ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com)
      serviceAccountName: <SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
      containers:
        # -------- App (ingress container) --------
        - name: <APP_NAME>
          image: <IMAGE_URL>
          ports:
            - containerPort: <PORT>
          env:
            - name: LOGS_DIR
              value: "/mnt/shared/logs"
            # Internal observe-agent OTLP endpoints (localhost because sidecar)
            # Base URL only: OTel SDKs append /v1/traces, /v1/metrics and /v1/logs per signal
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: "http://localhost:4318"
            - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
              value: "http://localhost:4318/v1/traces"
          volumeMounts:
            - name: shared-logs
              mountPath: /mnt/shared/logs
        # -------- Observe Agent sidecar --------
        - name: observe-agent
          image: observeinc/observe-agent:2.9.1
          args:
            - --observe-config
            - /mnt/observe-agent/observe-agent.yaml
            - start
          # Mount the config file into the container
          volumeMounts:
            - name: shared-config
              mountPath: /mnt/observe-agent/
            - name: shared-logs
              mountPath: /mnt/shared/logs
      volumes:
        # create the shared-logs volume
        - name: shared-logs
          emptyDir: {}
        # create the shared-config volume
        - name: shared-config
          secret:
            secretName: 'OBSERVE'
            items:
              # If you make updates to your observe-config secret, this will need to be incremented.
              - key: "1"
                path: observe-agent.yaml
NOTE: This configuration pulls the observeinc/observe-agent image directly from DockerHub without any authentication or proxy configuration, meaning that this approach has the potential to be rate-limited by DockerHub if abused. For production installations, you should authenticate GCR to DockerHub, or configure an ECR pull through cache.
Apply the updated manifest
gcloud run services replace service.yaml --region us-west1
At this point you should be receiving metrics, traces, and logs in your Observe tenant.