feat(observability): add gateway OTLP traces and Helm monitoring surface

[TaylorMutch]

Summary

Adds opt-in OpenTelemetry trace export to the gateway and a Prometheus ServiceMonitor to the Helm chart. Both surfaces are independent from the existing /metrics endpoint and the OCSF sandbox log fan-out, default off, and configured via standard OTEL_* env vars or chart values.

Changes

Gateway (crates/openshell-server)

• Pin OTel 0.29 / tracing-opentelemetry 0.30 (the latest set compatible with the workspace's tonic 0.12 + prost 0.13).
• TracingLogBus::install_subscriber now optionally appends a tracing-opentelemetry layer when an OTLP endpoint is configured. The existing tower_http::trace::TraceLayer per-request span automatically becomes the OTLP root — no #[instrument] rewrites required.
• New OtlpTracingConfig::resolve honors OTEL_EXPORTER_OTLP_TRACES_ENDPOINT → OTEL_EXPORTER_OTLP_ENDPOINT → --otlp-endpoint precedence.
• Sampler reads OTEL_TRACES_SAMPLER / OTEL_TRACES_SAMPLER_ARG; default parent_based_traceidratio(1.0).
• New shutdown() flushes the BatchSpanProcessor from the gateway shutdown path on SIGTERM.

Helm chart

• New monitoring.serviceMonitor.* and monitoring.tracing.* blocks in values.yaml (off by default).
• New templates/servicemonitor.yaml (gated, scrapes the existing named metrics port).
• StatefulSet projects OTEL_* env vars when tracing is enabled, including merged OTEL_RESOURCE_ATTRIBUTES.
• New ci/values-monitoring.yaml overlay and commented-in kube-prometheus-stack + jaeger Helm releases in skaffold.yaml.
• New Monitoring section in deploy/helm/openshell/README.md.

Tooling

• New tasks/observability.toml exposing observability:k8s:setup, observability:k8s:teardown, and observability:port-forward.
• New scripts under tasks/scripts/ mirroring the existing keycloak-k8s-setup.sh shape: install slim kube-prometheus-stack + Jaeger all-in-one, idempotent re-runs.

Docs / agent skills

• New docs/kubernetes/monitoring.mdx (operator + local-dev guide).
• Cross-links from docs/observability/overview.mdx and a new "Observability surface" subsection in architecture/gateway.md.
• helm-dev-environment and debug-openshell-cluster skills updated.

Testing

• mise run pre-commit passes (lint, format, license headers, clippy, helm-lint matrix, full workspace tests).
• Unit tests added for OtlpTracingConfig::resolve and sampler_from_env.
• End-to-end on local k3d: created cluster, ran observability:k8s:setup, deployed gateway with ci/values-monitoring.yaml, drove 5 ListSandboxes + 3 Health gRPC calls. Verified:
  • Prometheus target up{job=\"openshell\"} == 1; openshell_server_grpc_requests_total totals match driven traffic (8).
  • Jaeger registers openshell-gateway service; 8 request spans with correct method, path, request_id attributes; resource attributes include service.namespace=openshell, service.version=0.0.0, deployment.environment=dev, telemetry.sdk.version=0.29.0.
• No new e2e runtime test in CI for OTLP — unit tests + manual validation are sufficient for v1; standing up Jaeger in CI is disproportionate.

Out of scope (follow-ups)

• OTLP log export (Loki / Collector logs receiver). OCSF JSONL remains the canonical log story.
• In-process OTLP metrics push exporter — Prometheus pull is sufficient.
• HTTP/protobuf OTLP transport — gateway currently only supports gRPC; chart accepts protocol: grpc.
• Pre-built Grafana dashboards as ConfigMaps.
• Per-handler #[tracing::instrument] annotations on gRPC handlers.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1270.docs.buildwithfern.com/openshell