CORE-554: Add TLS settings to Clickhouse destination + Update collector/otel to 141 + Remove deprecated components + Bump k8s min version to 1.21

[damemi]

The clickhouse exporter supports TLS settings similar to otlp: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/945e5a71ef31793ff3280b28c1425086ea5332b6/exporter/clickhouseexporter/README.md#tls

Some users need this to connect to clickhouse, adding them as options in the destination here

This adds:

• insecure_skip_verify
• ca_file (using the k8sconfig interface to mount the secret as a file, similar to how the GCP exporter supports application default credentials)

The direct string fields (such as CAPem, CertPem, KeyPem) aren't yet supported in the clickhouse exporter, so it has to be a mounted file. See open-telemetry/opentelemetry-collector-contrib#43911 (comment)

---

To do this, it required bumping the collector/otel deps to 136 when TLS config support was added to clickhouse. This required the following changes:

This actually needs collector v0.136.0 for these settings from open-telemetry/opentelemetry-collector-contrib#42581 (open-telemetry/opentelemetry-collector-contrib@d9769f7)

Also needs to remove loki exporter (removed in 131) for 136 🙃 open-telemetry/opentelemetry-collector-contrib#41413, see https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.130.0/exporter/lokiexporter#deprecation-notice it's replaced with just otlp. The only destination that actually looks like it's using the loki exporter is OpsVerse

As well as the opencensus exporter, removed in 133 upstream by open-telemetry/opentelemetry-collector-contrib#42239

Also routing processor open-telemetry/opentelemetry-collector-contrib#36616

See previous attempt #3669 (reverted in #3734)

---

Then, it turns out that 136 was bugged and did not have full support for TLS settings like insecure_skip_verify. This was fixed in 141, which required the following extra changes:

Actually needs collector v141 due to this bug in clickhouse not handling all tls settings: open-telemetry/opentelemetry-collector-contrib#43911 fixed in open-telemetry/opentelemetry-collector-contrib#44093

Remove deprecated carbon exporter support (unmaintained upstream) open-telemetry/opentelemetry-collector-contrib#44532

another upstream breaking change giving go mod trouble open-telemetry/opentelemetry-collector#13948

configgrpc update: open-telemetry/opentelemetry-collector#13996

and now metadata.yaml metrics require stablity levels open-telemetry/opentelemetry-collector#13756

Error: failed loading /app/collector/receivers/odigosebpfreceiver/metadata.yaml: decoding failed due to the following error(s):

'telemetry.metrics[ebpf_memory_pressure_wait_time_total]' missing required field: `stability`
'telemetry.metrics[ebpf_total_bytes_read]' missing required field: `stability`
'telemetry.metrics[ebpf_lost_samples]' missing required field: `stability`
Error: failed loading /app/collector/receivers/odigosebpfreceiver/metadata.yaml: decoding failed due to the following error(s):

'telemetry.metrics[ebpf_memory_pressure_wait_time_total]' missing required field: `stability`
'telemetry.metrics[ebpf_total_bytes_read]' missing required field: `stability`
'telemetry.metrics[ebpf_lost_samples]' missing required field: `stability`
Error: metadata.yaml ordering check failed: [telemetry metrics] keys are not sorted: [odigos_log_data_size odigos_metric_data_size odigos_trace_data_size odigos_accepted_spans odigos_accepted_metric_points odigos_accepted_log_records]
Error: metadata.yaml ordering check failed: [telemetry metrics] keys are not sorted: [odigos_log_data_size odigos_metric_data_size odigos_trace_data_size odigos_accepted_spans odigos_accepted_metric_points odigos_accepted_log_records]

This bump also required adding the endpointslices permission to the odiglet service account for the data-collection collector

---

Finally, endpointslices was not GA in k8s 1.20. This PR bumps our minimum supported k8s version to 1.21. Enterprise update in https://github.com/odigos-io/odigos-enterprise/pull/2117

[natyharary]

Tiny thing.

[natyharary]

I see we check if clickhouseTlsEnabled is true, but we don't check that all keys exist. Isn't it prone to misconfiguration?

[damemi]

Good point you don't need to set all of the keys (just having tls=true is enough for the minimum) but from what I could find it sounds like certPem and keyPem always need to be provided together if they are used for mTLS. updated

[damemi]

This actually needs collector v0.136.0 for these settings from open-telemetry/opentelemetry-collector-contrib#42581 (open-telemetry/opentelemetry-collector-contrib@d9769f7)

Also needs to remove loki exporter (removed in 131) for 136 🙃 open-telemetry/opentelemetry-collector-contrib#41413, see https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.130.0/exporter/lokiexporter#deprecation-notice it's replaced with just otlp. The only destination that actually looks like it's using the loki exporter is OpsVerse

As well as the opencensus exporter, removed in 133 upstream by open-telemetry/opentelemetry-collector-contrib#42239

Also routing processor open-telemetry/opentelemetry-collector-contrib#36616

See previous attempt #3669 (reverted in #3734)

[RonFed]

If we are bumping the collector I'd consider bumping to a newer version.

[damemi]

If we are bumping the collector I'd consider bumping to a newer version.

@RonFed for this I'm just trying to bump it to the minimum for the feature I need. We can do more incremental bumps this way and have fewer huge PRs with lots of changes. wdyt about that approach?

[RonFed]

If we are bumping the collector I'd consider bumping to a newer version.

@RonFed for this I'm just trying to bump it to the minimum for the feature I need. We can do more incremental bumps this way and have fewer huge PRs with lots of changes. wdyt about that approach?

That makes sense. On the other side, since this is quite a pain to do, if we have the opportunity - maybe it is something worth to consider. There are also performance improvements that we can gain that are not necessarily related to new features.

[RonFed]

should be rendered only when there is a certificate? or should be the opposite?

[damemi]

@RonFed wdym? This is the same as the otlphttp skip verify setting

odigos/destinations/data/otlphttp.yaml

Lines 183 to 190 in 0c278ae

	- name: OTLP_HTTP_INSECURE_SKIP_VERIFY
	displayName: Insecure Skip Verify
	componentType: checkbox
	initialValue: false
	componentProps:
	required: false
	tooltip: 'Skip TLS certificate verification'
	renderCondition: ['OTLP_HTTP_TLS_ENABLED', '==', 'true']

(they actually both use the upstream commmon TLS config structs)

[damemi]

@RonFed ah I think I get what you mean. Only show the insecure skip verify if no cert is provided? Yeah I would like to do that, but from what I can tell right now the render conditions don't allow multiple conditionals which would be nice. Talked to Ben about that and we could use that in some other destinations too, but for now I think it's fine

[RonFed]

should we validate the ca format here to be a valid one?

[damemi]

added a function to validate the ca format

[damemi]

Actually needs collector v141 due to this bug in clickhouse not handling all tls settings: open-telemetry/opentelemetry-collector-contrib#43911 fixed in open-telemetry/opentelemetry-collector-contrib#44093

Remove deprecated carbon exporter support (unmaintained upstream) open-telemetry/opentelemetry-collector-contrib#44532

another upstream breaking change giving go mod trouble open-telemetry/opentelemetry-collector#13948

configgrpc update: open-telemetry/opentelemetry-collector#13996

and now metadata.yaml metrics require stablity levels open-telemetry/opentelemetry-collector#13756

Error: failed loading /app/collector/receivers/odigosebpfreceiver/metadata.yaml: decoding failed due to the following error(s):

'telemetry.metrics[ebpf_memory_pressure_wait_time_total]' missing required field: `stability`
'telemetry.metrics[ebpf_total_bytes_read]' missing required field: `stability`
'telemetry.metrics[ebpf_lost_samples]' missing required field: `stability`
Error: failed loading /app/collector/receivers/odigosebpfreceiver/metadata.yaml: decoding failed due to the following error(s):

'telemetry.metrics[ebpf_memory_pressure_wait_time_total]' missing required field: `stability`
'telemetry.metrics[ebpf_total_bytes_read]' missing required field: `stability`
'telemetry.metrics[ebpf_lost_samples]' missing required field: `stability`
Error: metadata.yaml ordering check failed: [telemetry metrics] keys are not sorted: [odigos_log_data_size odigos_metric_data_size odigos_trace_data_size odigos_accepted_spans odigos_accepted_metric_points odigos_accepted_log_records]
Error: metadata.yaml ordering check failed: [telemetry metrics] keys are not sorted: [odigos_log_data_size odigos_metric_data_size odigos_trace_data_size odigos_accepted_spans odigos_accepted_metric_points odigos_accepted_log_records]

[RonFed]

Since all the k8s v1.20 tests are failing I guess something in the 141 bump caused issues in that version.
Looking at the EndpointSlice docs it seems it became stable on v1.21 - I guess this might have something to do with the tests failures.

@damemi Do you know which component has this requirement? this open-telemetry/opentelemetry-collector-contrib#44079 seems like one case that might cause this

[damemi]

• E2E Tests / kubernetes-test (1.20.15, source) (pull_request)

Looking at the parent issue (open-telemetry/opentelemetry-collector-contrib#43891) it seems like

• loadbalancing exporter
• k8sattributes processor
• k8sobjects receiver
• and internal/aws

if that's the case then it might be a problem either blocking us from updating otel or forcing us to drop 1.20. looking into it

if endpointslices were stable in 1.21 then they should have at least been beta (on by default) in 1.20 🤔

[damemi]

@RonFed it does seem to be the issue (ran 1.20 test locally):

$ kubectl logs pod/odiglet-rxlpd -c data-collection -n odigos-test
2026-01-26T13:55:27.058Z	info	odigostrafficmetrics@v0.141.0/processor.go:38	Odigos traffic metrics processor is enabled with the following configuration	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "odigostrafficmetrics", "otelcol.component.kind": "processor", "otelcol.pipeline.id": "traces", "otelcol.signal": "traces", "sampling_ratio": "1.000000", "inverse_sampling_ratio": "1"}
2026-01-26T13:55:27.059Z	info	memorylimiter@v0.141.0/memorylimiter.go:71	Memory limiter configured	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.kind": "processor", "limit_mib": 450, "spike_limit_mib": 90, "check_interval": 0.5}
2026-01-26T13:55:27.041Z	info	odigosk8scmprovider@v0.141.0/provider.go:152	configuration retrieved from ConfigMap	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "name": "odigos-data-collection", "namespace": "odigos-test"}
2026-01-26T13:55:27.062Z	info	service@v0.141.0/service.go:224	Starting odigosotelcol...	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "Version": "0.141.0", "NumCPU": 12}
2026-01-26T13:55:27.062Z	info	extensions/extensions.go:40	Starting extensions...	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}}
2026-01-26T13:55:27.062Z	info	extensions/extensions.go:44	Extension is starting...	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "pprof", "otelcol.component.kind": "extension"}
2026-01-26T13:55:27.062Z	info	pprofextension@v0.141.0/pprofextension.go:61	Starting net/http/pprof server	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "pprof", "otelcol.component.kind": "extension", "config": {"TCPAddr":{"Endpoint":"0.0.0.0:1777","DialerConfig":{"Timeout":0}},"BlockProfileFraction":0,"MutexProfileFraction":0,"SaveToFile":""}}
2026-01-26T13:55:27.062Z	info	extensions/extensions.go:61	Extension started.	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "pprof", "otelcol.component.kind": "extension"}
2026-01-26T13:55:27.062Z	info	extensions/extensions.go:44	Extension is starting...	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "health_check", "otelcol.component.kind": "extension"}
2026-01-26T13:55:27.062Z	info	healthcheckextension@v0.141.0/healthcheckextension.go:32	Starting health_check extension	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "health_check", "otelcol.component.kind": "extension", "config": {"Endpoint":"0.0.0.0:13133","TLS":{},"CORS":{},"Auth":{},"MaxRequestBodySize":0,"IncludeMetadata":false,"ResponseHeaders":null,"CompressionAlgorithms":null,"ReadTimeout":0,"ReadHeaderTimeout":0,"WriteTimeout":0,"IdleTimeout":0,"Middlewares":null,"KeepAlivesEnabled":false,"Path":"/","ResponseBody":null,"CheckCollectorPipeline":{"Enabled":false,"Interval":"5m","ExporterFailureThreshold":5}}}
2026-01-26T13:55:27.063Z	info	extensions/extensions.go:61	Extension started.	{"resource": {"k8s.node.name": "kind-control-plane", "k8s.pod.name": "odiglet-rxlpd", "service.instance.id": "aac4957b-c6a6-49c2-970d-cc6abe000a25"}, "otelcol.component.id": "health_check", "otelcol.component.kind": "extension"}
E0126 13:55:27.068275    5151 reflector.go:205] "Failed to watch" err="failed to list *v1.EndpointSlice: the server could not find the requested resource" logger="UnhandledError" reflector="k8s.io/client-go@v0.34.2/tools/cache/reflector.go:290" type="*v1.EndpointSlice"
E0126 13:55:28.248412    5151 reflector.go:205] "Failed to watch" err="failed to list *v1.EndpointSlice: the server could not find the requested resource" logger="UnhandledError" reflector="k8s.io/client-go@v0.34.2/tools/cache/reflector.go:290" type="*v1.EndpointSlice"
E0126 13:55:30.755185    5151 reflector.go:205] "Failed to watch" err="failed to list *v1.EndpointSlice: the server could not find the requested resource" logger="UnhandledError" reflector="k8s.io/client-go@v0.34.2/tools/cache/reflector.go:290" type="*v1.EndpointSlice"
E0126 13:55:35.209142    5151 reflector.go:205] "Failed to watch" err="failed to list *v1.EndpointSlice: the server could not find the requested resource" logger="UnhandledError" reflector="k8s.io/client-go@v0.34.2/tools/cache/reflector.go:290" type="*v1.EndpointSlice"
E0126 13:55:42.914484    5151 reflector.go:205] "Failed to watch" err="failed to list *v1.EndpointSlice: the server could not find the requested resource" logger="UnhandledError" reflector="k8s.io/client-go@v0.34.2/tools/cache/reflector.go:290" type="*v1.EndpointSlice"

[RonFed]

the changes lgtm, seems like all the 1.21 tests are failing though