Exposing SUSE Observability outside of the cluster

SUSE Observability Self-hosted

Last updated 23 days ago

Overview

SUSE Observability can be exposed with a Kubernetes Ingress resource. The example on this page shows how to configure an nginx-ingress controller using Helm for SUSE Observability running on Kubernetes. This page also documents which service/port combination to expose when using a different method of configuring ingress traffic.

When observing the cluster that also hosts SUSE Observability, the agent traffic can be kept entirely within the cluster itself by changing the agent configuration during agent installation.

Configure ingress via the SUSE Observability Helm chart

The SUSE Observability Helm chart exposes an ingress section in its values. This is disabled by default. The example below shows how to use the Helm chart to configure an nginx-ingress controller with TLS encryption enabled. Note that setting up the controller itself and the certificates is beyond the scope of this document.

To configure the ingress for SUSE Observability, create a file ingress_values.yaml with contents like the example below. Replace MY_DOMAIN with your own domain (the one linked with your ingress controller) and set the correct name for the tls-secret. Consult the documentation of your ingress controller for the correct annotations to set. All fields below are optional. For example, if TLS will not be used, omit that section, but be aware that SUSE Observability itself doesn't encrypt the traffic either.

Note that setting up TLS is required for the use of the Rancher UI extension.

ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
  hosts:
    - host: stackstate.MY_DOMAIN
  tls:
    - hosts:
        - stackstate.MY_DOMAIN
      secretName: tls-secret

What stands out in this file is the Nginx annotation that increases the allowed proxy-body-size to 50m (larger than any expected request). By default, Nginx allows a maximum body size of 1m. SUSE Observability Agents and other data providers can sometimes send much larger requests. For this reason, make sure that the allowed body size is large enough, regardless of whether you are using Nginx or another ingress controller. Also update the baseUrl in the values file generated during initial installation; SUSE Observability uses it to generate convenient installation instructions for the agent.

Include the ingress_values.yaml file when you run the helm upgrade command to deploy SUSE Observability:

helm upgrade --install \
  --namespace "suse-observability" \
  --values "ingress_values.yaml" \
  --values $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml \
  --values $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml \
suse-observability \
suse-observability/suse-observability

Configure Ingress Rule for Open Telemetry

The SUSE Observability Helm chart exposes an opentelemetry-collector service in its values, for which a dedicated ingress can be created. This is disabled by default. The ingress used for the opentelemetry-collector needs to support the GRPC protocol. The example below shows how to use the Helm chart to configure an nginx-ingress controller with GRPC and TLS encryption enabled. Note that setting up the controller itself and the certificates is beyond the scope of this document.

To configure the opentelemetry-collector ingress for SUSE Observability, create a file ingress_otel_values.yaml with contents like the example below. Replace MY_DOMAIN with your own domain (the one linked with your ingress controller) and set the correct name for the otlp-tls-secret. Consult the documentation of your ingress controller for the correct annotations to set. All fields below are optional. For example, if TLS will not be used, omit that section, but be aware that SUSE Observability itself doesn't encrypt the traffic either.

opentelemetry-collector:
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
      nginx.ingress.kubernetes.io/backend-protocol: GRPC
    hosts:
      - host: otlp-stackstate.MY_DOMAIN
        paths:
          - path: /
            pathType: Prefix
            port: 4317
    tls:
      - hosts:
          - otlp-stackstate.MY_DOMAIN
        secretName: otlp-tls-secret
    additionalIngresses:
      - name: otlp-http
        annotations:
          nginx.ingress.kubernetes.io/proxy-body-size: "50m"
        hosts:
          - host: otlp-http-stackstate.MY_DOMAIN
            paths:
              - path: /
                pathType: Prefix
                port: 4318
        tls:
          - hosts:
              - otlp-http-stackstate.MY_DOMAIN
            secretName: otlp-http-tls-secret

What stands out in this file is the Nginx annotation that increases the allowed proxy-body-size to 50m (larger than any expected request). By default, Nginx allows a maximum body size of 1m. SUSE Observability Agents and other data providers can sometimes send much larger requests. For this reason, make sure that the allowed body size is large enough, regardless of whether you are using Nginx or another ingress controller. Also update the baseUrl in the values file generated during initial installation; SUSE Observability uses it to generate convenient installation instructions for the agent.

Include the ingress_otel_values.yaml file when you run the helm upgrade command to deploy SUSE Observability:

helm upgrade \
  --install \
  --namespace "suse-observability" \
  --values "ingress_otel_values.yaml" \
  --values $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml \
  --values $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml \
suse-observability \
suse-observability/suse-observability
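
A pre-deploy check for the two values files above, as an added example that is not part of the SUSE Observability documentation or chart: it flags hosts without a tls entry, a route to port 4317 without the GRPC backend-protocol annotation, and a missing proxy-body-size. The function names, the dict input (the values file as parsed by a YAML loader) and the example.test hosts are assumptions made for this example.

```python
# Added example: pre-deploy lint for the ingress sections of a parsed values file.
NGINX = "nginx.ingress.kubernetes.io/"

def tls_covers(host, tls_hosts):
    # Exact match, or a wildcard entry covering exactly one leading DNS label.
    return any(host == t or (t.startswith("*.") and host.partition(".")[2] == t[2:])
               for t in tls_hosts)

def lint_ingress(name, ing):
    """Return a list of findings for one ingress block."""
    findings = []
    ann = ing.get("annotations") or {}
    tls_hosts = [h for t in ing.get("tls") or [] for h in t.get("hosts") or []]
    for entry in ing.get("hosts") or []:
        host = entry.get("host", "")
        if not tls_covers(host, tls_hosts):
            findings.append(f"{name}: {host} has no tls entry, traffic is unencrypted")
        ports = {p.get("port") for p in entry.get("paths") or []}
        if 4317 in ports and ann.get(NGINX + "backend-protocol") != "GRPC":
            findings.append(f"{name}: {host} routes to 4317 without backend-protocol GRPC")
    if NGINX + "proxy-body-size" not in ann:
        findings.append(f"{name}: proxy-body-size unset, nginx default limit is 1m")
    return findings

def lint_values(values):
    """Lint the main ingress and the opentelemetry-collector ingresses, if enabled."""
    findings = []
    main = values.get("ingress") or {}
    if main.get("enabled"):
        findings += lint_ingress("ingress", main)
    otel = (values.get("opentelemetry-collector") or {}).get("ingress") or {}
    if otel.get("enabled"):
        findings += lint_ingress("otlp", otel)
        for extra in otel.get("additionalIngresses") or []:
            findings += lint_ingress(extra.get("name", "additional"), extra)
    return findings

# Constructed sample: the main ingress is complete, the OTLP ingresses have gaps.
SAMPLE = {
    "ingress": {"enabled": True, "annotations": {NGINX + "proxy-body-size": "50m"},
                "hosts": [{"host": "stackstate.example.test"}],
                "tls": [{"hosts": ["*.example.test"], "secretName": "tls-secret"}]},
    "opentelemetry-collector": {"ingress": {
        "enabled": True, "annotations": {NGINX + "proxy-body-size": "50m"},
        "hosts": [{"host": "otlp.example.test", "paths": [{"path": "/", "port": 4317}]}],
        "tls": [{"hosts": ["otlp.example.test"], "secretName": "otlp-tls-secret"}],
        "additionalIngresses": [{"name": "otlp-http",
                                 "hosts": [{"host": "otlp-http.example.test"}]}]}},
}
```

Because each entry under additionalIngresses is linted with its own annotations and tls list, a body-size or TLS setting on the parent ingress does not count for it.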

Configure via external tools

To make SUSE Observability accessible outside of the Kubernetes cluster it's installed in, it's enough to route traffic to port 8080 of the <namespace>-stackstate-k8s-router service. The UI of SUSE Observability can be accessed directly under the root path of that service (i.e. http://<namespace>-stackstate-k8s-router:8080) while agents will use the /receiver path (http://<namespace>-stackstate-k8s-router:8080/receiver).

Make sure to update the baseUrl in the values file generated during initial installation; SUSE Observability uses it to generate convenient installation instructions for the agent.

When manually configuring Nginx or a similar HTTP server as a reverse proxy, make sure that it can proxy websockets as well. For Nginx this can be configured by including the following directives in the location block:

proxy_set_header Upgrade                 $http_upgrade;
proxy_set_header Connection              "Upgrade";

SUSE Observability itself doesn't use TLS encrypted traffic. TLS encryption is expected to be handled by the ingress controller or external load balancers.

Agents in the same cluster

Agents that are deployed to the same cluster as SUSE Observability can of course use the external URL on which SUSE Observability is exposed, but it's also possible to configure the agent to connect directly to the SUSE Observability instance via the Kubernetes internal network only. To do that, replace the value of 'stackstate.url' in the helm install command from the Agent Kubernetes installation with the internal cluster URL for the router service (see also above): http://<namespace>-suse-observability-router.<namespace>.svc.cluster.local:8080/receiver/stsAgent (the <namespace> sections need to be replaced with the namespace of SUSE Observability).

See also

  • AKS (learn.microsoft.com)
  • EKS Official docs (not using nginx)
  • EKS blog post (using nginx)

The ingress examples on this page use the ingressClassName field to specify the ingress class instead of the deprecated kubernetes.io/ingress.class annotation. If your cluster has a default ingress class defined, the ingress class name field can be omitted.

The helm upgrade steps on this page assume that Generate baseConfig_values.yaml and sizing_values.yaml was already executed.