Update ghcr.io/open-telemetry/opentelemetry-operator/target-allocator Docker tag to v0.153.0

[gardener-ci-robot]

This PR contains the following updates:

Package	Update	Change
ghcr.io/open-telemetry/opentelemetry-operator/target-allocator	minor	v0.151.0 → v0.153.0

---

Release Notes

open-telemetry/opentelemetry-operator (ghcr.io/open-telemetry/opentelemetry-operator/target-allocator)

v0.153.0

Compare Source

0.153.0

🛑 Breaking changes 🛑

• api: Move apis package to a separate sub-module (#​4362)

  • Yaml standalone functions in internal/otelconfig is moved to a methods on *Config (package apis/v1beta1)
  • Move CheckTargetAllocatorPrometheusCRPolicyRules from apis/v1beta1/targetallocator_rbac.go to internal/webhook/targetallocator_rbac.go + rename it to checkTargetAllocatorPrometheusCRPolicyRules.
  • OpenTelemetryCollector is not implementing the Convertible interface from sigs.k8s.io/controller-runtime/pkg/conversion, but implements 2 helper function the achieve the same functionality:
    • OtelColConvertTo(otc *OpenTelemetryCollector, dstRaw any) error
    • OtelColConvertFrom(otc *OpenTelemetryCollector, srcRaw any) error
  • Move apis package to a dedicated sub-module.

• target allocator: The operator.targetallocator.mtls feature gate has been removed. mTLS is now configured per-CR via spec.mtls.enabled on the TargetAllocator or Collector resource. (#​5136)
  Set spec.mtls.useCertManager: false to provide your own TLS secrets instead of having cert-manager provision them.

💡 Enhancements 💡

• collector: Add optional spec.command to OpenTelemetryCollector to override the collector container entrypoint (#​3188)
  spec.command is a []string matching Pod.spec.containers[].command.

• target allocator: Add allowInsecureAuthSecrets option to serve auth secret values over plain HTTP without mTLS (#​3746)
  Adds a new allowInsecureAuthSecrets field to both the TargetAllocator CRD and the
  embedded TargetAllocator in the OpenTelemetryCollector CRD. When enabled, auth secret
  values (e.g. basicAuth passwords) are served over plain HTTP instead of being masked.
  This is useful when transport security is handled by a service mesh or equivalent.

🧰 Bug fixes 🧰

• must-gather: Fix must-gather output to produce omc-compatible directory layout and correct YAML serialization (#​4965)
  Previously collected files used a per-collector directory with kind-prefixed filenames (e.g. namespaces/<ns>/<collector-name>/deployment-<name>.yaml),
  which omc cannot parse. Output now follows the standard omc layout (namespaces/<ns>/<api-group>/<resource-plural>/<name>.yaml).
  Also fixes missing apiVersion/kind fields in serialized YAML, incorrect default output directory, and adds collection of CRDs and OpAMPBridge resources.

• opamp: Skip OpenTelemetryCollector instances with a non-nil DeletionTimestamp when building EffectiveConfig (#​5170)
  ListInstances returns objects with DeletionTimestamp set until finalizers complete.
  Reporting them as effective races with the bridge's own Delete calls in applyRemoteConfig.

• collector: Fix Service reconciliation to propagate trafficDistribution, internalTrafficPolicy, ipFamilies, and ipFamilyPolicy changes (#​5141)

Components

• OpenTelemetry Collector - v0.153.0
• OpenTelemetry Contrib - v0.153.0
• Java auto-instrumentation - v2.28.1
• .NET auto-instrumentation - v1.15.0
• Node.JS - v0.76.0
• Python - v0.63b1
• Go - v0.24.0
• ApacheHTTPD - 1.0.4
• Nginx - 1.0.4

v0.153.0

Compare Source

🛑 Breaking changes 🛑

• api: Move apis package to a separate sub-module (#​4362)

  • Yaml standalone functions in internal/otelconfig is moved to a methods on *Config (package apis/v1beta1)
  • Move CheckTargetAllocatorPrometheusCRPolicyRules from apis/v1beta1/targetallocator_rbac.go to internal/webhook/targetallocator_rbac.go + rename it to checkTargetAllocatorPrometheusCRPolicyRules.
  • OpenTelemetryCollector is not implementing the Convertible interface from sigs.k8s.io/controller-runtime/pkg/conversion, but implements 2 helper function the achieve the same functionality:
    • OtelColConvertTo(otc *OpenTelemetryCollector, dstRaw any) error
    • OtelColConvertFrom(otc *OpenTelemetryCollector, srcRaw any) error
  • Move apis package to a dedicated sub-module.

• target allocator: The operator.targetallocator.mtls feature gate has been removed. mTLS is now configured per-CR via spec.mtls.enabled on the TargetAllocator or Collector resource. (#​5136)
  Set spec.mtls.useCertManager: false to provide your own TLS secrets instead of having cert-manager provision them.

💡 Enhancements 💡

• collector: Add optional spec.command to OpenTelemetryCollector to override the collector container entrypoint (#​3188)
  spec.command is a []string matching Pod.spec.containers[].command.

• target allocator: Add allowInsecureAuthSecrets option to serve auth secret values over plain HTTP without mTLS (#​3746)
  Adds a new allowInsecureAuthSecrets field to both the TargetAllocator CRD and the
  embedded TargetAllocator in the OpenTelemetryCollector CRD. When enabled, auth secret
  values (e.g. basicAuth passwords) are served over plain HTTP instead of being masked.
  This is useful when transport security is handled by a service mesh or equivalent.

🧰 Bug fixes 🧰

• must-gather: Fix must-gather output to produce omc-compatible directory layout and correct YAML serialization (#​4965)
  Previously collected files used a per-collector directory with kind-prefixed filenames (e.g. namespaces/<ns>/<collector-name>/deployment-<name>.yaml),
  which omc cannot parse. Output now follows the standard omc layout (namespaces/<ns>/<api-group>/<resource-plural>/<name>.yaml).
  Also fixes missing apiVersion/kind fields in serialized YAML, incorrect default output directory, and adds collection of CRDs and OpAMPBridge resources.

• opamp: Skip OpenTelemetryCollector instances with a non-nil DeletionTimestamp when building EffectiveConfig (#​5170)
  ListInstances returns objects with DeletionTimestamp set until finalizers complete.
  Reporting them as effective races with the bridge's own Delete calls in applyRemoteConfig.

• collector: Fix Service reconciliation to propagate trafficDistribution, internalTrafficPolicy, ipFamilies, and ipFamilyPolicy changes (#​5141)

Components

• OpenTelemetry Collector - v0.153.0
• OpenTelemetry Contrib - v0.153.0
• Java auto-instrumentation - v2.28.1
• .NET auto-instrumentation - v1.15.0
• Node.JS - v0.76.0
• Python - v0.63b1
• Go - v0.24.0
• ApacheHTTPD - 1.0.4
• Nginx - 1.0.4

v0.152.0

Compare Source

0.152.0

🛑 Breaking changes 🛑

• api: Move config parsing and CRD metrics from apis to internal package (#​4362)
  • Methods on *Config (package apis/v1beta1) converted to standalone functions in internal/otelconfig, now taking *v1beta1.Config as the first parameter:
    • GetEnabledComponents, GetReceiverPorts, GetExporterPorts, GetExtensionPorts, GetReceiverAndExporterPorts, GetAllPorts, GetEnvironmentVariables, GetAllRbacRules, ApplyDefaults, GetLivenessProbe, GetReadinessProbe, GetStartupProbe, Yaml, NullObjects
  • Methods on *Service converted to functions in internal/otelconfig:
    • MetricsEndpoint, GetTelemetry
    • ApplyDefaults → renamed to ServiceApplyDefaults
  • Method on *Telemetry converted to function:
    • ToAnyConfig → renamed to TelemetryToAnyConfig
  • Functions moved from apis/v1beta1 to internal/metrics with renames:
    • BootstrapMetrics → Bootstrap
    • NewMetrics(prv, ctx, cl) → New(ctx, prv, cl) (parameter reorder: ctx now first)
  • Types moved out of apis/v1beta1:
    • MetricsConfig, Telemetry → internal/otelconfig
    • Metrics → internal/metrics

💡 Enhancements 💡

• target allocator: Add support for dropping ServiceMonitor/PodMonitor endpoints that reference arbitrary files (#​5104)

• auto-instrumentation: Allow to run the mutating webhook using static configuration, without the need for CRDs. (#​4201)

  With this change, you can deploy the manager as a mutating webhook without setting up a v1alpha1.Instrumentation custom resource
  or the v1alpha1.Instrumentation CRD.

  Instead, you can now set up instrumentation by configuring the manager via its config file with these settings:

    ignore-missing-collector-crds: true 
    enable-instrumentation-crds: false # Ignore that the CRD is not registered.
    enable-multi-instrumentation: false
    instrumentations: # Static configuration for our instrumentation
      spec:
        exporter:
          endpoint: http://collector.default.svc:4318
        propagators:
          - tracecontext
          - baggage
          - b3
        java:
          image: "java-autoinstrumentation:dev"

• target allocator: Improve the error message when the target allocator is enabled but the Prometheus receiver is not named exactly "prometheus". (#​5017)

  When only named instances such as "prometheus/otelcol" are present, the error now lists them and explains that a receiver named exactly "prometheus" is required.

🧰 Bug fixes 🧰

• collector: Remove unnecessary RBAC permissions from the events receiver. (#​5073)

• collector: Fix when configuring a gRPC port for the jaeger_query extension, the collector-extension Service only generates an HTTP port and is missing the gRPC port. (#​4912)

• collector: Explicitly set without_type_suffix, without_units, and without_scope_info to false on the operator-injected Prometheus telemetry reader. (#​5075)

  Preserves historical metric names. Without this, users upgrading to a collector containing open-telemetry/opentelemetry-collector#15027 would see operator-managed collector metric names silently change shape. Added alpha feature gate operator.collector.usedefaulttelemetryshape (off by default) to opt into collector defaults instead. The gate will be promoted to beta (on by default) in a future release.

• target allocator: Fix scrapeClass tlsConfig fields being silently dropped in target allocator config. (#​5101)

  scrapeClasses with tlsConfig like the following had their TLS fields silently dropped
  when passed to the target allocator:
  scrapeClasses:
  - name: tls-config
  tlsConfig:
  caFile: /scrapeclass-ca.pem
  insecureSkipVerify: true

• collector: Restrict automatic RBAC from users without the necessary permissions (#​5105)

  If the operator has permission to create ClusterRoles and ClusterRoleBindings, it sets up RBAC
  for collectors automatically based on their configuration.
  If a user tries to create an OpenTelemetryCollector whose permissions would be automatically
  generated this way, and the user doesn't have the permissions themselves, it will be rejected.
  If the collector tries to use an existing ServiceAccount, only the permissions missing from
  that ServiceAccount are checked this way.

• collector: Skip provisioning Services, Ingress, NetworkPolicy, and HPA for sidecar mode collectors since the operator does not control the Pod lifecycle in that mode. PodMonitors are still provisioned when metrics are enabled. (#​4934)

Components

• OpenTelemetry Collector - v0.152.0
• OpenTelemetry Contrib - v0.152.0
• Java auto-instrumentation - v2.28.1
• .NET auto-instrumentation - v1.15.0
• Node.JS - v0.76.0
• Python - v0.63b1
• Go - v0.24.0
• ApacheHTTPD - 1.0.4
• Nginx - 1.0.4

v0.152.0

Compare Source

🛑 Breaking changes 🛑

• api: Move config parsing and CRD metrics from apis to internal package (#​4362)
  • Methods on *Config (package apis/v1beta1) converted to standalone functions in internal/otelconfig, now taking *v1beta1.Config as the first parameter:
    • GetEnabledComponents, GetReceiverPorts, GetExporterPorts, GetExtensionPorts, GetReceiverAndExporterPorts, GetAllPorts, GetEnvironmentVariables, GetAllRbacRules, ApplyDefaults, GetLivenessProbe, GetReadinessProbe, GetStartupProbe, Yaml, NullObjects
  • Methods on *Service converted to functions in internal/otelconfig:
    • MetricsEndpoint, GetTelemetry
    • ApplyDefaults → renamed to ServiceApplyDefaults
  • Method on *Telemetry converted to function:
    • ToAnyConfig → renamed to TelemetryToAnyConfig
  • Functions moved from apis/v1beta1 to internal/metrics with renames:
    • BootstrapMetrics → Bootstrap
    • NewMetrics(prv, ctx, cl) → New(ctx, prv, cl) (parameter reorder: ctx now first)
  • Types moved out of apis/v1beta1:
    • MetricsConfig, Telemetry → internal/otelconfig
    • Metrics → internal/metrics

💡 Enhancements 💡

• target allocator: Add support for dropping ServiceMonitor/PodMonitor endpoints that reference arbitrary files (#​5104)

• auto-instrumentation: Allow to run the mutating webhook using static configuration, without the need for CRDs. (#​4201)

  With this change, you can deploy the manager as a mutating webhook without setting up a v1alpha1.Instrumentation custom resource
  or the v1alpha1.Instrumentation CRD.

  Instead, you can now set up instrumentation by configuring the manager via its config file with these settings:

    ignore-missing-collector-crds: true 
    enable-instrumentation-crds: false # Ignore that the CRD is not registered.
    enable-multi-instrumentation: false
    instrumentations: # Static configuration for our instrumentation
      spec:
        exporter:
          endpoint: http://collector.default.svc:4318
        propagators:
          - tracecontext
          - baggage
          - b3
        java:
          image: "java-autoinstrumentation:dev"

• target allocator: Improve the error message when the target allocator is enabled but the Prometheus receiver is not named exactly "prometheus". (#​5017)

  When only named instances such as "prometheus/otelcol" are present, the error now lists them and explains that a receiver named exactly "prometheus" is required.

🧰 Bug fixes 🧰

• collector: Remove unnecessary RBAC permissions from the events receiver. (#​5073)

• collector: Fix when configuring a gRPC port for the jaeger_query extension, the collector-extension Service only generates an HTTP port and is missing the gRPC port. (#​4912)

• collector: Explicitly set without_type_suffix, without_units, and without_scope_info to false on the operator-injected Prometheus telemetry reader. (#​5075)

  Preserves historical metric names. Without this, users upgrading to a collector containing open-telemetry/opentelemetry-collector#15027 would see operator-managed collector metric names silently change shape. Added alpha feature gate operator.collector.usedefaulttelemetryshape (off by default) to opt into collector defaults instead. The gate will be promoted to beta (on by default) in a future release.

• target allocator: Fix scrapeClass tlsConfig fields being silently dropped in target allocator config. (#​5101)

  scrapeClasses with tlsConfig like the following had their TLS fields silently dropped
  when passed to the target allocator:
  scrapeClasses:
  - name: tls-config
  tlsConfig:
  caFile: /scrapeclass-ca.pem
  insecureSkipVerify: true

• collector: Restrict automatic RBAC from users without the necessary permissions (#​5105)

  If the operator has permission to create ClusterRoles and ClusterRoleBindings, it sets up RBAC
  for collectors automatically based on their configuration.
  If a user tries to create an OpenTelemetryCollector whose permissions would be automatically
  generated this way, and the user doesn't have the permissions themselves, it will be rejected.
  If the collector tries to use an existing ServiceAccount, only the permissions missing from
  that ServiceAccount are checked this way.

• collector: Skip provisioning Services, Ingress, NetworkPolicy, and HPA for sidecar mode collectors since the operator does not control the Pod lifecycle in that mode. PodMonitors are still provisioned when metrics are enabled. (#​4934)

Components

• OpenTelemetry Collector - v0.152.0
• OpenTelemetry Contrib - v0.152.0
• Java auto-instrumentation - v2.28.1
• .NET auto-instrumentation - v1.15.0
• Node.JS - v0.76.0
• Python - v0.63b1
• Go - v0.24.0
• ApacheHTTPD - 1.0.4
• Nginx - 1.0.4

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign lucabernstein for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment