fix: Config TFO-Agent & Deploy kubernetes manifest

Author: zeroc0d3

configs/tfo-agent.default.yaml

@@ -374,12 +374,12 @@ exporter:
 
     # Traces export
     traces:
-      enabled: false  # Enable when distributed tracing is needed
+      enabled: true
       # endpoint: ""  # Full URL override (e.g., http://tfo-collector:4318/v2/traces)
 
     # Logs export
     logs:
-      enabled: false  # Enable when log forwarding is needed
+      enabled: true
       # endpoint: ""  # Full URL override (e.g., http://tfo-collector:4318/v2/logs)
 
 # =============================================================================

configs/tfo-agent.yaml

@@ -375,12 +375,12 @@ exporter:
 
     # Traces export
     traces:
-      enabled: false  # Enable when distributed tracing is needed
+      enabled: true
       # endpoint: ""  # Full URL override (e.g., http://tfo-collector:4318/v2/traces)
 
     # Logs export
     logs:
-      enabled: false  # Enable when log forwarding is needed
+      enabled: true
       # endpoint: ""  # Full URL override (e.g., http://tfo-collector:4318/v2/logs)
 
 # =============================================================================

deploy/kubernetes/configmap.yaml

@@ -1,6 +1,7 @@
 ---
-# TFO-Agent ConfigMap
-# Kubernetes-enabled configuration
+# TFO-Agent ConfigMap (Node DaemonSet)
+# Per-node OS metrics: node_exporter ON, kubernetes collector OFF.
+# Auth and endpoint are injected via env vars (TELEMETRYFLOW_API_KEY_ID/SECRET/ENDPOINT).
 
 apiVersion: v1
 kind: ConfigMap
@@ -12,84 +13,138 @@ metadata:
     app.kubernetes.io/component: monitoring
 data:
   tfo-agent.yaml: |
-    telemetryflow:
-      api_key_id: ""
-      api_key_secret: ""
-      endpoint: "tfo-backend.telemetryflow.svc.cluster.local:4317"
-      protocol: grpc
-      tls:
-        enabled: false
-
     agent:
-      name: "TFO-Agent (Kubernetes)"
+      description: "TFO Agent - ${NODE_NAME}"
       tags:
-        environment: production
-        deployment: kubernetes
+        environment: "${ENVIRONMENT}"
+        cluster: "${CLUSTER_NAME}"
 
     heartbeat:
       interval: 60s
+      timeout: 10s
       include_system_info: true
 
     collectors:
-      system:
+      node_exporter:
         enabled: true
         interval: 15s
         cpu: true
         memory: true
-        disk: true
+        disk_io: true
+        filesystem: true
         network: true
+        load_avg: true
+        thermal: false
+        textfile: false
+        conntrack: false
+        psi: false
+        vmstat: false
+        sockstat: false
+
+      # kubernetes is handled by the separate K8s Collector Deployment (tfo-agent-k8s)
+      kubernetes:
+        enabled: false
+
+      ebpf:
+        enabled: false
+
+    prometheus_server:
+      enabled: true
+      port: 8888
+      path: /metrics
+
+    exporter:
+      otlp:
+        enabled: true
+        batch_size: 100
+        flush_interval: 10s
+        compression: gzip
+
+    buffer:
+      enabled: true
+      max_size_mb: 100
+      path: /var/lib/tfo-agent/buffer
+      flush_interval: 30s
+
+    logging:
+      level: info
+      format: json
+
+---
+# TFO-Agent K8s Collector ConfigMap
+# Single-replica Deployment: kubernetes collector ON, node_exporter OFF.
+# Connects to TFO Platform backend REST API (not the OTLP Collector port).
+# Auth and endpoint are injected via env vars.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tfo-agent-k8s-config
+  namespace: telemetryflow
+  labels:
+    app.kubernetes.io/name: tfo-agent
+    app.kubernetes.io/component: k8s-collector
+data:
+  tfo-agent.yaml: |
+    agent:
+      description: "TFO K8s Collector - ${CLUSTER_NAME}"
+      tags:
+        environment: "${ENVIRONMENT}"
+        cluster: "${CLUSTER_NAME}"
+
+    heartbeat:
+      interval: 60s
+      timeout: 10s
+
+    collectors:
+      node_exporter:
+        enabled: false
 
       kubernetes:
         enabled: true
         interval: 30s
-        kubeconfig: ""
+        kubeconfig: ""   # empty = in-cluster ServiceAccount auto-detection
         context: ""
         namespaces: []
         exclude_namespaces:
           - kube-system
+          - kube-public
+          - kube-node-lease
         nodes: true
         pods: true
         deployments: true
         namespaces_collect: true
         storage: true
         services: true
         workloads: true
-        metrics_api: true
+        events: true
+        resource_counts: true
+        network: true    # Kubelet /stats/summary (requires nodes/proxy RBAC)
+        metrics_api: true  # CPU/Memory usage from metrics-server (set false if not installed)
         sync_to_backend: true
         sync_interval: 60s
-        cluster_name: ""
-        cluster_provider: ""
+        cluster_name: ""     # auto-detected from CLUSTER_NAME env or hostname
+        cluster_provider: "" # auto-detected from env/filesystem heuristics
+        # cluster_id is auto-registered on startup (find-or-create)
+        # Set TELEMETRYFLOW_K8S_CLUSTER_ID env var to skip auto-registration
+
+      ebpf:
+        enabled: false
 
     prometheus_server:
       enabled: true
       port: 8888
       path: /metrics
-      include_go_metrics: true
-      include_process_metrics: true
-      metric_prefix: tfo
-      read_timeout: 10s
-      write_timeout: 10s
 
     exporter:
       otlp:
-        enabled: true
-        endpoint_version: v2
-        batch_size: 100
-        flush_interval: 10s
-        compression: gzip
-        metrics:
-          enabled: true
-        traces:
-          enabled: false
-        logs:
-          enabled: false
+        enabled: false  # K8s state syncs directly to backend REST API, not via OTLP
 
     buffer:
       enabled: true
-      max_size_mb: 100
+      max_size_mb: 50
       path: /var/lib/tfo-agent/buffer
-      max_age: 24h
-      flush_interval: 5s
+      flush_interval: 30s
 
     logging:
       level: info

deploy/kubernetes/daemonset.yaml

@@ -1,6 +1,7 @@
 ---
 # TFO-Agent DaemonSet
-# Runs one agent pod per node for comprehensive monitoring
+# Runs one agent pod per node for per-node OS metrics (node_exporter).
+# Kubernetes cluster state is collected separately by deployment-k8s.yaml.
 
 apiVersion: apps/v1
 kind: DaemonSet
@@ -30,16 +31,40 @@ spec:
         prometheus.io/path: "/metrics"
     spec:
       serviceAccountName: tfo-agent
+      automountServiceAccountToken: true
       terminationGracePeriodSeconds: 30
 
       # Tolerate all taints to run on every node (including control-plane)
       tolerations:
         - operator: Exists
 
-      # Node affinity: prefer Linux nodes
+      # Run on Linux nodes only
       nodeSelector:
         kubernetes.io/os: linux
 
+      # Wait for tfo-backend to be ready before starting the agent.
+      # This prevents heartbeat/auth failures on cluster cold-start when the agent
+      # pod comes up before the backend service is accepting requests.
+      initContainers:
+        - name: wait-for-backend
+          image: busybox:1.36
+          command:
+            - sh
+            - -c
+            - |
+              until wget -qO- http://tfo-backend.telemetryflow.svc.cluster.local:3100/api/v2/health >/dev/null 2>&1; do
+                echo "Waiting for tfo-backend..."; sleep 5
+              done
+              echo "tfo-backend is ready."
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+
       containers:
         - name: tfo-agent
           image: telemetryflow/telemetryflow-agent:latest
@@ -56,7 +81,7 @@ spec:
               protocol: TCP
 
           env:
-            # Inject node name and pod info via Downward API
+            # Downward API — node and pod identity
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
@@ -86,19 +111,48 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
-            # API credentials from secret
-            - name: TFAGENT_TELEMETRYFLOW_API_KEY_ID
+
+            # TFO Platform endpoint — must point to backend REST API (NOT the OTLP collector port)
+            # The agent uses this URL for: heartbeat, cluster auto-registration, and K8s state sync.
+            # Format: http://<backend-service>:<port>/api/v2
+            - name: TELEMETRYFLOW_ENDPOINT
+              value: "http://tfo-backend.telemetryflow.svc.cluster.local:3100/api/v2"
+
+            # API credentials from Secret
+            # Create secret: kubectl create secret generic tfo-agent-credentials \
+            #   --from-literal=api-key-id=tfk_xxx \
+            #   --from-literal=api-key-secret=tfs_xxx \
+            #   -n telemetryflow
+            - name: TELEMETRYFLOW_API_KEY_ID
               valueFrom:
                 secretKeyRef:
                   name: tfo-agent-credentials
                   key: api-key-id
-                  optional: true
-            - name: TFAGENT_TELEMETRYFLOW_API_KEY_SECRET
+                  optional: false
+            - name: TELEMETRYFLOW_API_KEY_SECRET
               valueFrom:
                 secretKeyRef:
                   name: tfo-agent-credentials
                   key: api-key-secret
-                  optional: true
+                  optional: false
+
+            # Per-workload collector toggles (override YAML config)
+            - name: TELEMETRYFLOW_NODE_EXPORTER_ENABLED
+              value: "true"
+            - name: TELEMETRYFLOW_K8S_ENABLED
+              value: "false"  # K8s state handled by tfo-agent-k8s Deployment (deployment-k8s.yaml)
+
+            # Prometheus server for liveness/readiness probes
+            - name: TELEMETRYFLOW_PROMETHEUS_ENABLED
+              value: "true"
+            - name: TELEMETRYFLOW_PROMETHEUS_PORT
+              value: "8888"
+
+            # Cluster and environment tags for OTEL resource attributes
+            - name: CLUSTER_NAME
+              value: ""     # override with your cluster name, or auto-detected from hostname
+            - name: ENVIRONMENT
+              value: "production"
 
           resources:
             requests:
@@ -110,27 +164,29 @@ spec:
 
           livenessProbe:
             httpGet:
-              path: /ready
-              port: metrics
+              path: /metrics
+              port: 8888
             initialDelaySeconds: 15
             periodSeconds: 30
             timeoutSeconds: 5
+            failureThreshold: 3
 
           readinessProbe:
             httpGet:
-              path: /ready
-              port: metrics
+              path: /metrics
+              port: 8888
             initialDelaySeconds: 5
             periodSeconds: 10
             timeoutSeconds: 3
+            failureThreshold: 3
 
           volumeMounts:
             - name: config
               mountPath: /etc/tfo-agent
               readOnly: true
             - name: buffer
               mountPath: /var/lib/tfo-agent/buffer
-            # Host filesystem for system metrics
+            # Host filesystem for node_exporter metrics
             - name: proc
               mountPath: /host/proc
               readOnly: true
@@ -143,12 +199,15 @@ spec:
               mountPropagation: HostToContainer
 
           securityContext:
+            runAsUser: 0      # required to read /proc and /sys for node metrics
+            runAsGroup: 0
             readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 65534
+            allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
+              add:
+                - SYS_PTRACE  # process inspection for node metrics
 
       volumes:
         - name: config