A step-by-step guide to building a secretless observability pipeline on Red Hat OpenShift by integrating OpenTelemetry collectors with a zero trust workload identity manager using SPIFFE/SPIRE. Instead of static API keys or shared secrets, workloads receive short-lived, cryptographically verifiable SVID identities. The guide covers deploying ClusterSPIFFEID templates, configuring SPIFFE helper sidecars, setting up client and server OTel collectors with mTLS using dynamically issued certificates, and validating the chain of trust via the peer.spiffe_id attribute. It also demonstrates JWT SVID bearer token authentication for applications that cannot natively support mTLS, and shows how unauthenticated telemetry signals are actively rejected.

From developers.redhat.com (18 min read)
Table of contents

- What is zero trust architecture
- What you need for OpenTelemetry zero trust integration
- Deploying the OpenTelemetry collectors and identity resources
- Verification: Seeing zero trust in action
- Conclusion
