chore: runtime configuration improvements

[martinothamar]

Description

• Expose a setting that we can flip through our syncroot/runtime when we have an OTel collector in place
• Make /mnt/app-secrets/ JSON files automatically added, so we can extend configuration over time without relying on app-lib changes for every little thing

Related Issue(s)

• N/A

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)
• All tests run green

Documentation

• User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

Summary by CodeRabbit

• New Features

  • Option to route telemetry via an OpenTelemetry collector or Azure Monitor.
  • Load runtime JSON configuration from a secrets directory with ordered override handling.

• Improvements

  • Health-check requests are excluded from telemetry to reduce noise.

• Tests

  • Added unit tests for runtime configuration file loading and ordering.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds runtime secrets JSON loading from a configurable directory and enhances OpenTelemetry setup: new AppSettings properties for runtime directory and collector flag, exporter selection logic (Azure Monitor vs OTLP), and a trace filter excluding /health; includes unit tests for runtime config loading.

Changes

Cohort / File(s)	Summary
OpenTelemetry & AppSettings src/Altinn.App.Api/Extensions/ServiceCollectionExtensions.cs, src/Altinn.App.Core/Configuration/AppSettings.cs	Adds UseOpenTelemetryCollector and RuntimeSecretsDirectory (with DefaultRuntimeSecretsDirectory) to AppSettings. Adjusts OpenTelemetry orchestration: excludes /health from ASP.NET Core instrumentation; if UseOpenTelemetryCollector is false and AppInsights connection string exists, enables Azure Monitor exporters for traces/metrics/logs, otherwise uses OTLP exporters.
Runtime configuration loading src/Altinn.App.Api/Extensions/WebHostBuilderExtensions.cs	Introduces AddRuntimeConfigFiles to load JSON files from a runtime secrets directory (from AppSettings:RuntimeSecretsDirectory, default /mnt/app-secrets), skips loading in Development, preserves ordering (non-override before override), avoids duplicate sources, and enables reloadOnChange via a PhysicalFileProvider.
Tests test/Altinn.App.Api.Tests/Extensions/WebHostBuilderExtensionsTests.cs	Adds unit tests covering Development vs Production behavior, file ordering (non-override before override), and duplicate-prevention when files already exist in configuration; includes test helpers (TestHostEnvironment, TempDirectory).
Public API verification test/Altinn.App.Core.Tests/PublicApiTests.PublicApi_ShouldNotChange_Unintentionally.verified.txt	Updates public API verification to include newly added AppSettings properties RuntimeSecretsDirectory and UseOpenTelemetryCollector.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'chore: runtime configuration improvements' is vague and overly generic, using non-descriptive terms that don't convey the specific changes made.	Consider a more specific title that highlights the main changes, such as 'chore: add OpenTelemetry collector toggle and runtime secrets directory support' or 'chore: enable dynamic configuration loading from runtime secrets directory'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/runtime-config-imp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mirkoSekulic]

Can we make this path configurable? I feel like this code should be unaware of our infrastructure(mount paths etc). What do you think?

[martinothamar]

Very good point 🫡

[martinothamar]

fixed?

[martinothamar]

maybe a little strange to have a public member for this, could be just some env var as well

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/Altinn.App.Api/Extensions/ServiceCollectionExtensions.cs (1)

262-272: ⚠️ Potential issue | 🟡 Minor

Silent OTLP fallback when neither collector nor AppInsights is configured.

When useOpenTelemetryCollector is false/null and appInsightsConnectionString is empty, the else branch activates the OTLP exporter targeting the default endpoint (localhost:4317). In a non-test environment without an OTel collector running, this will silently fail or produce connection errors.

Consider either:

• Logging a warning when falling back to OTLP without an explicit opt-in, or
• Skipping exporter registration entirely when no backend is configured.

This same pattern applies to metrics (Line 285) and logs (Line 307).

🧹 Nitpick comments (2)

src/Altinn.App.Api/Extensions/WebHostBuilderExtensions.cs (2)

101-143: Two-pass approach for override ordering is clear and correct.

Non-override files load first (sorted), then override files load second (sorted), ensuring overrides always win regardless of alphabetical position. The existingJsonFilePaths check prevents double-loading files already registered (e.g., maskinporten settings). Well structured.

One edge-case note: any file whose name contains the substring "override" anywhere (e.g., no-override-here.json) will be treated as an override file. If this is intentional, consider documenting the naming convention; if not, a stricter check (e.g., suffix .override.json) would be more predictable.

---

68-77: Consider logging when the secrets directory is absent.

When the directory doesn't exist, the method silently returns. A debug/trace-level log here would help operators diagnose misconfigured mounts without adding noise in normal operation.

[sonarqubecloud]

Quality Gate failed

Failed conditions
52.1% Condition Coverage on New Code (required ≥ 65%)

See analysis details on SonarQube Cloud