SUSE Cloud Observability

This destination supports sending telemetry data to both SUSE Cloud Observability (SaaS) and self-hosted SUSE Observability instances using the OpenTelemetry Protocol (OTLP).

SUSE Cloud Observability is a full-stack Kubernetes observability platform offering metrics, logs, traces, and guided remediation in a single, enterprise-ready SaaS solution.

Overview

What is SUSE Cloud Observability?

SUSE Cloud Observability provides:

  • Full-stack visibility: Monitor metrics, logs, events, and traces from a single platform

  • Time-travel debugging: Investigate incidents with millisecond precision

  • Guided remediation: Get root cause analysis and resolution recommendations

  • Multi-environment support: Consistent observability across edge, on-premises, and cloud deployments

  • Kubernetes-optimized: Purpose-built for Kubernetes monitoring and troubleshooting

Supported Telemetry Types

This destination supports sending:

  • Logs: Application and infrastructure logs

  • Metrics: Numerical monitoring data

  • Traces: Distributed tracing data for performance analysis

Key Features

  • Dual Protocol Support: Both OTLP/gRPC (recommended) and OTLP/HTTP

  • Flexible Deployment: Cloud SaaS or self-hosted options

  • Authentication: Bearer token authentication via bearertokenauth extension

  • Security: Full TLS/mTLS certificate support

  • Reliability: Persistent queuing and configurable retry strategies

  • Performance: Batch processing and compression options

Prerequisites

SUSE Account

For Cloud Deployments:

  • SUSE Cloud Observability subscription

  • Instance name (e.g., mycompany for endpoint otlp-mycompany.app.stackstate.io)

  • API key for authentication (available in SUSE dashboard)

For Self-Hosted Deployments:

  • SUSE Observability self-hosted installation

  • Service endpoint configuration (e.g., suse-observability-otel-collector.default.svc.cluster.local)

  • Optional: API key (depending on your setup)

Network Requirements

  • Outbound Connectivity: Access to SUSE endpoints

    • Cloud gRPC: otlp-<instance>.app.stackstate.io:443

    • Cloud HTTP: https://otlp-http-<instance>.app.stackstate.io

    • Self-Hosted: Kubernetes service or ingress endpoint

  • Firewall: Port 443 (or custom ingress port) must be open

  • Proxy: Supported for both gRPC and HTTP protocols

BindPlane Requirements

  • BindPlane OP Enterprise, latest version

  • Network access from BindPlane agents to SUSE endpoints

  • bearertokenauth extension available in collector components

Configuration

Basic Setup

The minimum configuration requires three main settings:

  1. Environment: Choose between cloud or selfhosted

  2. API Key: Bearer token for authentication

  3. Protocol: Select grpc (recommended) or http

For production SUSE Cloud Observability deployments with gRPC protocol:

apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  name: suse-cloud-grpc
spec:
  destinationType: suse_observability_otlp
  parameters:
    environment: cloud
    suse_observability_instance: mycompany
    protocol: grpc
    api_key: ${env:SUSE_API_KEY}
    enable_tls: true
    telemetry_types:
      - Logs
      - Metrics
      - Traces

Configuration Details:

  • environment: cloud: Routes to SUSE Cloud Observability

  • suse_observability_instance: Replace with your instance name

  • protocol: grpc: Uses gRPC protocol (port 443)

  • enable_tls: true: Standard TLS is enabled by default for cloud

  • api_key: Reference environment variable containing your API key

Cloud Deployment - HTTP

For cloud deployments requiring HTTP protocol (useful when gRPC is blocked):

apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  name: suse-cloud-http
spec:
  destinationType: suse_observability_otlp
  parameters:
    environment: cloud
    suse_observability_instance: mycompany
    protocol: http
    api_key: ${env:SUSE_API_KEY}
    enable_tls: true
    telemetry_types:
      - Logs
      - Metrics
      - Traces

Configuration Details:

  • protocol: http: Uses OTLP HTTP protocol (HTTPS)

  • Endpoint: https://otlp-http-<instance>.app.stackstate.io

  • All other settings same as gRPC

Self-Hosted Deployment

For self-hosted SUSE Observability in Kubernetes (in-cluster):

apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  name: suse-selfhosted
spec:
  destinationType: suse_observability_otlp
  parameters:
    environment: selfhosted
    selfhosted_endpoint: suse-observability-otel-collector.default.svc.cluster.local
    protocol: http
    api_key: ${env:SUSE_API_KEY}
    enable_tls: false
    telemetry_types:
      - Logs
      - Metrics
      - Traces

Configuration Details:

  • environment: selfhosted: Routes to self-hosted instance

  • selfhosted_endpoint: Kubernetes service name or ingress hostname

  • protocol: http: In-cluster uses plain HTTP

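  • enable_tls: false: Plain HTTP for in-cluster communication. The bearer token and telemetry are then sent unencrypted, so use this only for traffic that stays inside the cluster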

  • Update namespace if SUSE Observability is in different namespace

Cloud Deployment - With mTLS (High Security)

For production deployments requiring mutual TLS authentication:

apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  name: suse-cloud-mtls
spec:
  destinationType: suse_observability_otlp
  parameters:
    environment: cloud
    suse_observability_instance: mycompany
    protocol: grpc
    api_key: ${env:SUSE_API_KEY}
    enable_tls: true
    mutual_tls: true
    cert_file: /etc/ssl/certs/client-cert.pem
    key_file: /etc/ssl/private/client-key.pem
    ca_file: /etc/ssl/certs/ca-cert.pem
    insecure_skip_verify: false
    telemetry_types:
      - Logs
      - Metrics
      - Traces

Configuration Details:

  • mutual_tls: true: Enable client certificate authentication

  • cert_file: Path to client certificate (PEM format)

  • key_file: Path to client private key (PEM format)

  • ca_file: Optional custom CA certificate for verification

  • insecure_skip_verify: false: Always verify certificates in production

Configuration Options

Required Parameters

| Parameter | Cloud | Self-Hosted | Description |
|---|---|---|---|
| api_key | | | Bearer token for authentication |
| environment | | | cloud or selfhosted |
| protocol | | | grpc or http |
| suse_observability_instance | | | Instance name (cloud only) |
| selfhosted_endpoint | | | Service endpoint (self-hosted only) |

Optional Parameters

  • TLS Configuration:

    • enable_tls: Enable/disable TLS (default: true for cloud)

    • mutual_tls: Enable mutual TLS (default: false)

    • cert_file: Client certificate path (required if mutual_tls: true)

    • key_file: Client private key path (required if mutual_tls: true)

    • ca_file: Custom CA certificate path

    • insecure_skip_verify: Skip certificate verification (not recommended for production)

    • tls_server_name_override: Override server name in TLS handshake

  • Data Selection:

    • telemetry_types: Array of Logs, Metrics, Traces to send

  • Performance:

    • batch_enabled: Enable batching (default: true)

    • batch_send_batch_size: Number of items per batch (default: 8192)

    • batch_timeout: Time before sending partial batch (default: 200ms)

    • timeout: Request timeout in seconds (default: 30)

    • grpc_compression: Compression for gRPC (gzip, snappy, zstd, none)

    • http_compression: Compression for HTTP (gzip, deflate, snappy, zlib, zstd)

  • Reliability:

    • retry_on_failure_enabled: Enable retry on failures (default: true)

    • retry_on_failure_initial_interval: Initial retry wait (default: 5 seconds)

    • retry_on_failure_max_interval: Maximum retry wait (default: 30 seconds)

    • retry_on_failure_max_elapsed_time: Max total retry time (default: 300 seconds)

    • sending_queue_enabled: Buffer data before sending (default: true)

    • sending_queue_queue_size: Max queued items (default: 5000)

    • persistent_queue_enabled: Persist queue to disk (default: true)
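
One way to catch risky or inconsistent combinations of the parameters listed above before a destination is applied. This is an added example, not BindPlane or SUSE code: the function, the rule IDs and the RISKY sample are hypothetical, and it expects the spec.parameters block already loaded into a dict.

```python
import re

ENV_REF = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")   # e.g. ${env:SUSE_API_KEY}
DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def lint_destination(p):
    """Return sorted rule IDs (hypothetical names) for one spec.parameters dict."""
    found = set()
    env, key = p.get("environment"), p.get("api_key")
    if env not in ("cloud", "selfhosted") or p.get("protocol") not in ("grpc", "http"):
        found.add("bad-enum")
    # The instance name is placed in otlp-<instance>.app.stackstate.io,
    # so anything other than a single DNS label would change the target host.
    if env == "cloud" and not DNS_LABEL.match(str(p.get("suse_observability_instance", ""))):
        found.add("bad-instance-name")
    if env == "selfhosted" and not p.get("selfhosted_endpoint"):
        found.add("missing-endpoint")
    if key and not ENV_REF.match(str(key)):
        found.add("literal-api-key")           # secret stored in the config file
    if p.get("enable_tls") is False:
        if key:
            found.add("token-over-plaintext")  # bearer token sent unencrypted
        if p.get("mutual_tls"):
            found.add("mtls-without-tls")
    if p.get("insecure_skip_verify"):
        found.add("server-cert-unverified")
    if p.get("mutual_tls") and not (p.get("cert_file") and p.get("key_file")):
        found.add("mtls-missing-client-cert")
    return sorted(found)

# Parameters from the page's mTLS and self-hosted examples.
CLOUD_MTLS = {"environment": "cloud", "suse_observability_instance": "mycompany",
              "protocol": "grpc", "api_key": "${env:SUSE_API_KEY}",
              "enable_tls": True, "mutual_tls": True,
              "cert_file": "/etc/ssl/certs/client-cert.pem",
              "key_file": "/etc/ssl/private/client-key.pem",
              "ca_file": "/etc/ssl/certs/ca-cert.pem", "insecure_skip_verify": False}
SELFHOSTED = {"environment": "selfhosted", "protocol": "http",
              "selfhosted_endpoint": "suse-observability-otel-collector.default.svc.cluster.local",
              "api_key": "${env:SUSE_API_KEY}", "enable_tls": False}
# Constructed for this example: development settings left in a cloud config.
RISKY = dict(CLOUD_MTLS, api_key="constructed-placeholder-token",
             key_file=None, insecure_skip_verify=True)

if __name__ == "__main__":
    for name, params in [("cloud-mtls", CLOUD_MTLS), ("selfhosted", SELFHOSTED), ("risky", RISKY)]:
        print(name, lint_destination(params))
```

A finding such as token-over-plaintext on the self-hosted example is a prompt to confirm the traffic stays in-cluster, not necessarily an error.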

Troubleshooting

Connection Issues

Problem: Cannot connect to SUSE endpoint

Solutions:

  1. Verify endpoint connectivity:

    # For cloud gRPC
    openssl s_client -connect otlp-mycompany.app.stackstate.io:443
    
    # For cloud HTTP
    curl -I https://otlp-http-mycompany.app.stackstate.io

  2. Check firewall rules: Ensure outbound port 443 is open

  3. Verify DNS resolution: Ensure endpoint hostname resolves correctly

  4. Check proxy configuration: If behind proxy, verify proxy settings

Authentication Failures

Problem: 401 Unauthorized or 403 Forbidden errors

Solutions:

  1. Verify API key: Check that api_key is correct and not expired

  2. Check environment variable: Ensure ${env:SUSE_API_KEY} is set correctly

  3. Verify bearer scheme: Confirm bearertokenauth extension is configured

  4. Check instance name: For cloud, verify suse_observability_instance matches SUSE dashboard

Data Not Appearing

Problem: Configuration successful but no data in SUSE

Solutions:

  1. Verify telemetry types: Check that telemetry_types includes data you're sending

  2. Check sources: Ensure BindPlane sources are configured and running

  3. Review batch settings: If batch timeout is too long, data may not appear immediately

  4. Check queue status: Monitor queue depth for backpressure issues

  5. Enable debug logging: Check BindPlane agent logs for errors

TLS Certificate Errors

Problem: certificate validation failed or similar TLS errors

Solutions:

  1. For self-signed certificates (development only; this disables server certificate verification):

    insecure_skip_verify: true

  2. For custom CA certificates:

    • Provide CA certificate path: ca_file: /path/to/ca-cert.pem

    • Ensure certificate is in PEM format

    • Verify certificate is not expired

  3. For mutual TLS issues:

    • Verify cert_file and key_file paths are correct

    • Ensure files are readable by BindPlane process

    • Check certificate expiration dates

    • Verify certificate is signed by SUSE CA

  4. For hostname verification issues:

    • Use tls_server_name_override if hostname doesn't match certificate

    • Common for self-hosted with internal DNS names

Reference Documentation

  • SUSE Observability Documentation: https://documentation.suse.com/cloudnative/suse-observability/latest/

  • SUSE OTLP APIs: https://documentation.suse.com/cloudnative/suse-observability/latest/en/setup/otel/otlp-apis.html

  • OpenTelemetry Protocol: https://opentelemetry.io/docs/specs/otel/protocol/

  • BindPlane OP Documentation: https://docs.bindplane.com/
