FEAT(otel): enable Target Allocator for metrics

- Enable Target Allocator with consistent-hashing strategy
- Configure prometheus receiver to use Target Allocator
- Add RBAC permissions for secrets and events
- Use prometheusCR for ServiceMonitor/PodMonitor discovery

opentelemetry-collector/manifests/collector.yaml

@@ -3,9 +3,9 @@
 #
 # Architecture:
 # - DaemonSet mode: one collector per node for log collection
-# - Target Allocator: distributes scrape targets across collectors
+# - Target Allocator (consistent-hashing): distributes scrape targets across collectors
 # - Filelog receiver for container logs
-# - Prometheus receiver with Target Allocator for metrics
+# - Prometheus receiver with Target Allocator for metrics (replaces Prometheus scraping)
 # - Exports to: Tempo (traces), Prometheus (metrics), Loki (logs)
 apiVersion: opentelemetry.io/v1beta1
 kind: OpenTelemetryCollector
@@ -17,8 +17,25 @@ spec:
   image: otel/opentelemetry-collector-contrib:0.113.0
   serviceAccount: otel-collector
 
-  # Target Allocator disabled - metrics collected by Prometheus directly
+  # Target Allocator - distributes Prometheus scrape targets across collectors
-  # OTel handles logs (filelog) and traces (otlp) only
+  # Using consistent-hashing strategy (not per-node due to collector-node mapping bug)
+  targetAllocator:
+    enabled: true
+    serviceAccount: otel-collector-targetallocator
+    image: ghcr.io/open-telemetry/opentelemetry-operator/target-allocator:0.113.0
+    allocationStrategy: consistent-hashing
+    filterStrategy: relabel-config
+    prometheusCR:
+      enabled: true
+      serviceMonitorSelector: {}
+      podMonitorSelector: {}
+      scrapeInterval: 30s
+    resources:
+      requests:
+        cpu: 10m
+        memory: 64Mi
+      limits:
+        memory: 128Mi
 
   resources:
     requests:
@@ -143,14 +160,15 @@ spec:
             from: attributes.log
             to: body
 
-      # Prometheus receiver - self metrics only
+      # Prometheus receiver - uses Target Allocator for ServiceMonitor/PodMonitor discovery
       prometheus:
         config:
-          scrape_configs:
+          global:
-            - job_name: otel-collector
             scrape_interval: 60s
-              static_configs:
+        target_allocator:
-                - targets: ['${env:K8S_POD_IP}:8888']
+          endpoint: http://otel-collector-targetallocator:80
+          interval: 30s
+          collector_id: ${env:K8S_POD_NAME}
 
     processors:
       batch:

opentelemetry-collector/manifests/rbac.yaml

@@ -59,6 +59,14 @@ rules:
   - apiGroups: [""]
     resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
     verbs: ["get", "watch", "list"]
+  # Secrets for TLS certificates referenced by ServiceMonitors
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "watch", "list"]
+  # Events for status reporting
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
   - apiGroups: ["discovery.k8s.io"]
     resources: ["endpointslices"]
     verbs: ["get", "watch", "list"]