feat: add OpenTelemetry operator service

- Add OpenTelemetry operator v0.98.0 to observability namespace
- Include security-hardened configuration with:
  - High availability (2 replicas with PDB)
  - Non-root execution and read-only root filesystem
  - Resource limits and security contexts
  - cert-manager integration for webhook TLS
  - Prometheus monitoring enabled
- Follow openCenter GitOps standards and patterns
- Update main README.md with service documentation
- Add comprehensive service-specific README

Resolves: OpenTelemetry operator deployment for auto-instrumentation

Author: devx

README.md

@@ -29,6 +29,7 @@ applications/
 | **kube-prometheus-stack** | Core Service | `observability` | Complete monitoring and alerting stack |
 | **metallb** | Core Service | `metallb-system` | Bare metal load balancer |
 | **olm** | Core Service | `olm` | Operator Lifecycle Manager |
+| **opentelemetry-operator** | Core Service | `observability` | OpenTelemetry operator for auto-instrumentation |
 | **sealed-secrets** | Core Service | `sealed-secrets` | Encrypted secrets management |
 | **velero** | Core Service | `velero` | Cluster backup and disaster recovery |
 | **alert-proxy** | Managed Service | `rackspace` | Rackspace alert aggregation |
@@ -103,6 +104,17 @@ applications/
   - Dependency resolution
   - Automatic updates
 
+#### **opentelemetry-operator**
+- **Purpose**: OpenTelemetry operator for auto-instrumentation and collector management
+- **Source**: OpenTelemetry Helm repository (`https://open-telemetry.github.io/opentelemetry-helm-charts`)
+- **Namespace**: `observability`
+- **Features**:
+  - Automatic OpenTelemetry instrumentation injection
+  - OpenTelemetry Collector deployment and management
+  - Custom resource definitions for OpenTelemetry configuration
+  - Webhook-based sidecar injection
+  - Multi-language auto-instrumentation support (Java, Node.js, Python, .NET, Go)
+
 #### **sealed-secrets**
 - **Purpose**: Encrypted secrets management
 - **Namespace**: `sealed-secrets`

applications/base/services/opentelemetry-operator/README.md

@@ -0,0 +1,119 @@
+# OpenTelemetry Operator
+
+The OpenTelemetry Operator is a Kubernetes operator that manages OpenTelemetry Collector instances and auto-instrumentation of workloads using OpenTelemetry instrumentation libraries.
+
+## Overview
+
+This service deploys the OpenTelemetry Operator in the `observability` namespace with security hardening and high availability configuration.
+
+## Features
+
+- **Auto-instrumentation**: Automatically inject OpenTelemetry instrumentation into applications
+- **Collector Management**: Deploy and manage OpenTelemetry Collector instances
+- **CRD Management**: Provides custom resources for OpenTelemetry configuration
+- **Webhook Support**: Admission webhooks for sidecar injection and validation
+
+## Configuration
+
+### Chart Information
+- **Chart**: `opentelemetry/opentelemetry-operator`
+- **Version**: `0.98.0`
+- **App Version**: `0.137.0`
+- **Repository**: https://open-telemetry.github.io/opentelemetry-helm-charts
+
+### Security Hardening
+
+The deployment includes the following security measures:
+
+- **Non-root execution**: All containers run as non-root user (65532)
+- **Read-only root filesystem**: Containers use read-only root filesystems
+- **Dropped capabilities**: All Linux capabilities are dropped
+- **Security profiles**: Uses RuntimeDefault seccomp profile
+- **Resource limits**: CPU and memory limits configured for all containers
+
+### High Availability
+
+- **Replica count**: 2 replicas for high availability
+- **Pod Disruption Budget**: Ensures minimum availability during disruptions
+- **Leader election**: Enabled to prevent split-brain scenarios
+- **Anti-affinity**: Distributes pods across nodes (when configured)
+
+### Monitoring
+
+- **ServiceMonitor**: Enabled for Prometheus metrics collection
+- **Metrics endpoint**: Exposes metrics on port 8080
+- **Health checks**: Readiness and liveness probes configured
+
+## Custom Resources
+
+The operator provides the following custom resources:
+
+- **OpenTelemetryCollector**: Manages collector deployments
+- **Instrumentation**: Configures auto-instrumentation for applications
+- **OpAMPBridge**: Manages OpAMP bridge instances
+
+## Dependencies
+
+- **cert-manager**: Required for TLS certificate management of admission webhooks
+- **Prometheus Operator**: Optional, for ServiceMonitor support
+
+## Usage
+
+After deployment, you can create OpenTelemetry resources:
+
+```yaml
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: otel-collector
+  namespace: observability
+spec:
+  config: |
+    receivers:
+      otlp:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:4317
+    processors:
+      batch:
+    exporters:
+      logging:
+        loglevel: debug
+    service:
+      pipelines:
+        traces:
+          receivers: [otlp]
+          processors: [batch]
+          exporters: [logging]
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Webhook failures**: Ensure cert-manager is deployed and healthy
+2. **CRD conflicts**: Check for existing OpenTelemetry CRDs if upgrading
+3. **RBAC issues**: Verify cluster-admin permissions during installation
+
+### Useful Commands
+
+```bash
+# Check operator status
+kubectl get pods -n observability -l app.kubernetes.io/name=opentelemetry-operator
+
+# View operator logs
+kubectl logs -n observability -l app.kubernetes.io/name=opentelemetry-operator
+
+# Check CRDs
+kubectl get crd | grep opentelemetry
+
+# Verify webhooks
+kubectl get validatingwebhookconfiguration | grep opentelemetry
+kubectl get mutatingwebhookconfiguration | grep opentelemetry
+```
+
+## References
+
+- [OpenTelemetry Operator Documentation](https://opentelemetry.io/docs/kubernetes/operator/)
+- [Helm Chart Repository](https://github.com/open-telemetry/opentelemetry-helm-charts)
+- [OpenTelemetry Specification](https://opentelemetry.io/docs/specs/)

applications/base/services/opentelemetry-operator/helm-values/hardened-values-v0.98.0.yaml

@@ -0,0 +1,163 @@
+# Hardened values for OpenTelemetry Operator v0.98.0
+# Security-focused configuration following openCenter standards
+
+# High availability configuration
+replicaCount: 2
+
+# Pod Disruption Budget for high availability
+pdb:
+  create: true
+  minAvailable: 1
+
+# Manager configuration with security hardening
+manager:
+  image:
+    repository: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
+    imagePullPolicy: IfNotPresent
+  
+  # Collector image configuration
+  collectorImage:
+    repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-k8s
+    tag: 0.137.0
+
+  # Resource limits for production workloads
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+      ephemeral-storage: 100Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+      ephemeral-storage: 50Mi
+
+  # Environment variables
+  env:
+    ENABLE_WEBHOOKS: "true"
+
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    annotations: {}
+
+  # Enable Prometheus monitoring
+  serviceMonitor:
+    enabled: true
+    extraLabels: {}
+    annotations: {}
+    metricsEndpoints:
+      - port: metrics
+
+  # Enable leader election for HA
+  leaderElection:
+    enabled: true
+
+  # Security context - hardened configuration
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+
+# Kube RBAC Proxy configuration
+kubeRBACProxy:
+  enabled: true
+  image:
+    repository: quay.io/brancz/kube-rbac-proxy
+    tag: v0.19.1
+  
+  # Resource limits
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 10m
+      memory: 64Mi
+
+  # Security context - hardened configuration
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+
+# Admission webhooks configuration
+admissionWebhooks:
+  create: true
+  servicePort: 443
+  failurePolicy: Fail
+  
+  # Pod injection policy
+  pods:
+    failurePolicy: Ignore
+  
+  # Webhook timeout
+  timeoutSeconds: 10
+
+  # Use cert-manager for TLS certificates
+  certManager:
+    enabled: true
+    certificateAnnotations: {}
+    issuerAnnotations: {}
+
+  # Disable auto-generated certificates since we use cert-manager
+  autoGenerateCert:
+    enabled: false
+
+# CRDs management
+crds:
+  create: true
+
+# RBAC configuration
+role:
+  create: true
+
+clusterRole:
+  create: true
+
+# Node scheduling - Linux nodes only
+nodeSelector:
+  kubernetes.io/os: linux
+
+# Pod-level security context
+securityContext:
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+  fsGroup: 65532
+
+# Service account token mounting
+automountServiceAccountToken: true
+
+# Test framework security hardening
+testFramework:
+  image:
+    repository: busybox
+    tag: latest
+  
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+  
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 10m
+      memory: 64Mi

applications/base/services/opentelemetry-operator/helmrelease.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: opentelemetry-operator
+  namespace: observability
+spec:
+  releaseName: opentelemetry-operator
+  interval: 5m
+  timeout: 10m
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  upgrade:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  targetNamespace: observability
+  chart:
+    spec:
+      chart: opentelemetry-operator
+      version: 0.98.0
+      sourceRef:
+        kind: HelmRepository
+        name: opentelemetry
+        namespace: observability
+  valuesFrom:
+    - kind: Secret
+      name: opentelemetry-operator-values-base
+      valuesKey: hardened.yaml
+    - kind: Secret
+      name: opentelemetry-operator-values-override
+      valuesKey: override.yaml
+      optional: true

applications/base/services/opentelemetry-operator/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "namespace.yaml"
+  - "source.yaml"
+  - "helmrelease.yaml"
+secretGenerator:
+  - name: opentelemetry-operator-values-base
+    type: Opaque
+    files:
+      - hardened.yaml=helm-values/hardened-values-v0.98.0.yaml
+    options:
+      disableNameSuffixHash: true

applications/base/services/opentelemetry-operator/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: observability

applications/base/services/opentelemetry-operator/source.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: opentelemetry
+spec:
+  url: https://open-telemetry.github.io/opentelemetry-helm-charts
+  interval: 1h