feat: add OpenTelemetry tracing for tool calls

[priyank766]

Description

Adds optional OpenTelemetry tracing for tool calls in Kubeflow MCP Server.

• Adds core/telemetry.py with setup_tracing() and get_tracer() plus safe no-op fallback when OTel deps are unavailable.
• Instruments core.server._audit_wrap to create one span per tool invocation, set tool/persona/duration/success attributes, attach correlation_id, and record
  exceptions.
• Wires tracing config through CLI/env/config:
  • --otel-endpoint
  • KUBEFLOW_MCP_OTEL_ENDPOINT
  • observability.otel_endpoint
• Adds unit tests for no-op path, provider setup/reuse, endpoint validation, and span behavior.
• Updates README with an Observability section.

Important compatibility note: correlation_id semantics are preserved and exposed as a span attribute; it is not remapped to OTel trace ID.

Type of Change

• feat: New feature

Checklist

• Tests pass locally (make test-python)
• Linting passes (make verify)
• Documentation updated (if applicable)
• Commit messages follow conventional format

Related Issues

Fixes #18

[abhijeet-dhumal]

Hey @priyank766 , this looks great 🚀
Thanks for working on this !

[abhijeet-dhumal]

Suggested change

	"opentelemetry-exporter-otlp>=1.25.0",
	"opentelemetry-exporter-otlp-proto-http>=1.25.0",

this avoids installation of unnecessary GRPC subpackage

[priyank766]

Thanks for the Suggestion
I will change the package as well

[abhijeet-dhumal]

I tried it just now and it seems span name "tool_call" makes it hard to filter by tool in tracing UIs, Maybe we can consider naming it after the tool: f"tool:{tool_name}" or even just tool_name. The attribute tool.name is still good to keep for structured querying, but the name gives context at a glance.
wdyt?

[priyank766]

Thanks for Reviewing @abhijeet-dhumal
I will push both changes and then you can review it later whenever you get time
Yes I think this naming scheme is much better I will change it .. 👍🏻

[Copilot]

Pull request overview

Adds optional OpenTelemetry tracing for Kubeflow MCP tool calls, wiring tracing through configuration, CLI, runtime instrumentation, tests, and docs.

Changes:

• Adds telemetry setup/no-op helpers and an otel optional dependency extra.
• Instruments _audit_wrap spans with tool/persona/correlation/success/duration attributes.
• Wires --otel-endpoint, config/env loading, startup logging, tests, and README documentation.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
kubeflow_mcp/core/telemetry.py	Adds OpenTelemetry setup, validation, provider reuse, and no-op fallback helpers.
kubeflow_mcp/core/server.py	Adds span creation and attributes around audited tool calls.
kubeflow_mcp/cli.py	Adds --otel-endpoint and invokes tracing setup during server startup.
kubeflow_mcp/core/config.py	Adds observability.otel_endpoint config/env support.
kubeflow_mcp/core/logging.py	Includes tracing_enabled in structured startup logs.
tests/unit/core/test_telemetry.py	Adds telemetry helper and span attribute tests.
kubeflow_mcp/cli_test.py	Adds CLI tracing setup wiring tests.
README.md	Documents optional tracing setup and span attributes.
pyproject.toml	Adds the otel optional dependency extra.
uv.lock	Locks OpenTelemetry optional dependencies and related resolution changes.

Comments suppressed due to low confidence (1)

kubeflow_mcp/core/server.py:126

• The circuit-open early-return tracing path is not covered by the new span behavior tests. Add coverage for a breaker with can_execute() == False so the tool.success=false and duration attributes remain verified for this failure mode.

            if not breaker.can_execute():
                duration_ms = int((time.monotonic() - start) * 1000)
                span.set_attribute("tool.success", False)
                span.set_attribute("tool.duration_ms", duration_ms)
                logger.warning("circuit_open", extra={"tool": tool_name})
                return {
                    "error": f"Circuit breaker open for '{tool_name}' — K8s API may be degraded. Retries automatically after recovery timeout.",
                    "error_code": ErrorCode.CIRCUIT_OPEN,
                }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[abhijeet-dhumal]

@priyank766 can we add span.set_status(StatusCode.ERROR) on exception here ?
span.set_status(Status(StatusCode.ERROR, str(exc)))

[abhijeet-dhumal]

this will make sure to spot failures easily in the trace list, wdyt?

[abhijeet-dhumal]

@priyank766 can you move this outside wrapper closure?
get_tracer is cheap but calling it per-invocation seems semantically wrong, wdyt?

[abhijeet-dhumal]

@priyank766 thinking can we use SpanKind.CLIENT for tool spans here?
Tool calls invoke an external service i.e. K8s API. SpanKind.CLIENT is semantically correct and enables better Jaeger dependency graph rendering..

[abhijeet-dhumal]

_NoopTracer should accept **kwargs here
Future callers passing kind=SpanKind.CLIENT will otherwise get a TypeError in no-op mode.

[priyank766]

Thanks for the review @abhijeet-dhumal All suggestions have been addressed. Please take another look when you get a chance.

[abhijeet-dhumal]

Suggested change

	export KUBEFLOW_MCP_OTEL_ENDPOINT=http://localhost:4318/v1/traces
	export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318/v1/traces

[abhijeet-dhumal]

Suggested change

	"KUBEFLOW_MCP_OTEL_ENDPOINT",
	"OTEL_EXPORTER_OTLP_ENDPOINT",

[abhijeet-dhumal]

Suggested change

	"Falls back to KUBEFLOW_MCP_OTEL_ENDPOINT env var, config file.",
	"Falls back to OTEL_EXPORTER_OTLP_ENDPOINT env var, config file.",

[abhijeet-dhumal]

Minor nit: would be great to also surface user.id and mcp.session_id on these spans for per-session/per-user filtering in Jaeger. That will need identity propagation middleware (ContextVars populated from the MCP request context) as a prerequisite..

[abhijeet-dhumal]

happy to follow up with a separate PR for that once this lands. Marking as a non-blocking suggestion.

[priyank766]

Makes sense, having user.id and session_id on the spans would definitely help with debugging. Happy to take a crack at it once this lands, just let me know.

[abhijeet-dhumal]

Hey @priyank766 , I tried this out locally against OTel collector stack, works cleanly end-to-end.
Spans show up in Jaeger with the right service name, tool: prefix naming is much better for filtering.
Thanks you for being consistent and addressing all the previous feedback so promptly. 🚀 🙌

putting few nits otherwise lgtm..

[abhijeet-dhumal]

Missing atexit.register(provider.shutdown) here. Without it, in-flight spans in the BatchSpanProcessor queue get silently dropped on server shutdown, and the background thread can deadlock if the collector is unreachable. One line:

import atexit
atexit.register(provider.shutdown)

[abhijeet-dhumal]

Can we also add tool.args_preview here? Without it you can't reconstruct what parameters caused a failure from Jaeger alone.. you'd have to cross-reference the audit log. Something like:

import json
span.set_attribute("tool.args_preview", json.dumps(mask_sensitive_data(kwargs), default=str)[:300])

[abhijeet-dhumal]

This path sets tool.success=False on the span but there's no test covering it.
Worth adding a test with _FakeBreaker(can_execute=False) asserting the attributes are set before the early return.

[abhijeet-dhumal]

Heads up: setup_tracing() auto-appends /v1/traces to whatever is passed, so the example in the README produces http://localhost:4318/v1/traces/v1/traces — double path. Either change the README example to the base URL (http://localhost:4318) or stop auto-appending in code and accept the full path as-is. The latter is less surprising.

[abhijeet-dhumal]

Worth a one-liner noting that kubeflow-mcp agent --otel-endpoint ... emits a separate kubeflow-mcp-agent service in Jaeger. Without this, users running the agent will wonder why they only see server-side spans and think tracing is broken.

[priyank766]

I've addressed all the nits in the latest commit. Let me know if everything looks good!!
Thanks for testing it out and for the kind words ! 🚀
@abhijeet-dhumal

[abhijeet-dhumal]

CurrentContext() DI on sync wrapper may not inject reliably.. prefer AuditIdentityMiddleware + ContextVars for user.id / mcp.session.id fallback

[abhijeet-dhumal]

Add user.id from middleware identity bridge

[abhijeet-dhumal]

we can add Add middleware (core/middleware.py - AuditIdentityMiddleware) to bridge FastMCP async context to sync _audit_wrap

[abhijeet-dhumal]

@priyank766 Maybe you also need to re-sign commits to fix DCO pr check

[abhijeet-dhumal]

/ok-to-test

[abhijeet-dhumal]

Thanks @priyank766 for the quick turnaround. It looks great !
LGTM .. just need to resolve pr checks : Can you Rebase on latest main and run ruff format to pass pr checks ?

[abhijeet-dhumal]

This is amazing work 🚀
Thanks a lot @priyank766 for your patience!!
/lgtm

[abhijeet-dhumal]

/approve
/hold in case @andreyvelich @jaiakash @Krishna-kg732 has additional comments.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhijeet-dhumal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abhijeet-dhumal]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[google-oss-prow]

New changes are detected. LGTM label has been removed.