feat: implement pod mutation observability metrics

[Arpit529Srivastava]

Description:

adds observability to the pod mutation webhook by introducing a new prometheus counter opentelemetry_operator_pod_mutations_total. this allows operators to track success, failure and skip rates for both sidecar injection and auto-instrumentation across the cluster. the metric includes detailed labels such as status, reason, type, language, and namespace, making it easier to distinguish between cases like configuration errors, disabled feature gates, or missing resources.

Link to tracking Issue(s):

• Resolves: Improve Operator Pod Mutation Observability #3702

Testing:
new unit test added at internal/webhook/podmutation/metrics_test.go to verify that the counter increments correctly with the expected label set.

integration checks confirm that both the sidecar and instrumentation mutators invoke the metrics recorder at all critical decision points.

existing unit tests were updated to ensure there are no regressions in the mutator logic.

Documentation:

[Arpit529Srivastava]

/cc @swiatekm @iblancasa PTAL.
thanks.

[iblancasa]

Maybe we should add a new option to enable/disable recording these metrics.
I also miss some E2E tests to ensure the feature works properly.

[iblancasa]

I think this can happen for tests, right? How about creating an interface and have a noopMetrics type for the tests?

[iblancasa]

I'm not sure about this... because of cardinality

[Arpit529Srivastava]

i recommend/think keeping it since it’s critical for debugging and has bounded cardinality. with the addition of the --enable-webhook-metrics flag, this is now opt-in and minimizes risk. happy to discuss other options.

[iblancasa]

I think we should define some constants:

  const (
      StatusSuccess  = "success"
      StatusSkipped  = "skipped"
      StatusRejected = "rejected"
      StatusError    = "error"

      ReasonAlreadyInstrumented = "already_instrumented"
      ReasonFeatureDisabled     = "feature_disabled"
      ReasonLookupFailed        = "lookup_failed"
  )

[iblancasa]

Can we use semantic conventions package for those attributes that are already there? Like k8s.namespace.name

[iblancasa]

Can you explain here what metrics this PR is adding and other stuff?

[iblancasa]

Instead of repeating here for each language.. maybe we can do something more table-driven

[iblancasa]

Since we continue, it can happen meterProvider is nil. And that cause a panic later if methods using meterProvider. Can you add checks to avoid that?

[Arpit529Srivastava]

fixed by adding a check for meterProvider != nil before initializing metrics and using the noop metrics pattern to prevent panics in other code paths.

[github-actions]

E2E Test Results

 36 files  +2  229 suites  +2   2h 3m 54s ⏱️ +35s
 91 tests +1   90 ✅ ±0  0 💤 ±0  1 ❌ +1 
233 runs  +2  231 ✅ ±0  0 💤 ±0  2 ❌ +2 

For more details on these failures, see this check.

Results for commit d9935fd. ± Comparison against base commit 36d6c75.

♻️ This comment has been updated with latest results.

[Arpit529Srivastava]

@iblancasa
i’m running into issues verifying webhook metrics in the e2e tests due to auth and permission constraints in the test environment. i’ve tried a few common approaches, but each one hits a blocker:

1. service/pod proxy (kubectl get --raw)
   tried using the api server proxy to fetch metrics (for example, /api/v1/namespaces/.../pods/https:${POD_NAME}:8443/proxy/metrics).
   result: fails with error: you must be logged in to the server.
   reason: the test runner’s serviceaccount appears to be missing permissions for the pods/proxy or services/proxy subresources.

2. port-forward (kubectl port-forward + curl) tried bypassing the api server by port-forwarding locally and curling the endpoint. result: returns 401 unauthorized. reason: the operator runs with --metrics-secure=true` by default, so the metrics endpoint rejects unauthenticated requests.

what’s the recommended way to verify secured metrics in this e2e environment? should the test disable secure metrics (--metrics-secure=false), or is there a supported way (token / auth mechanism) to authenticate against the metrics endpoint?

[Arpit529Srivastava]

@iblancasa a gentle ping, thanks :)