RCA Agent
The RCA (Root Cause Analysis) Agent is an AI-powered component that analyzes logs, metrics, and traces from your OpenChoreo deployments to generate reports with likely root causes of issues. It integrates with Large Language Models (LLMs) to provide intelligent analysis and actionable insights.
AI-generated analysis may contain errors. Always verify the findings before taking action.
Prerequisites
Before enabling the RCA Agent, ensure the following:
- OpenChoreo Observability Plane installed with the OpenSearch Logs Module (and optionally the Prometheus Metrics Module for richer analysis).
- An LLM API key
- Alerting configured for your components with enableAiRootCauseAnalysis enabled.
Enable automatic RCA only for critical alerts to manage LLM costs. For less critical alerts, you can trigger RCA analysis manually when needed.
LLM Configuration
The RCA Agent requires an LLM provider to perform root cause analysis. Configure the model name and API key:
Configuration Parameters:
- rca.llm.modelName: LLM model name (e.g., gpt-5, claude-sonnet-4-5, gemini-2.0-flash)
- rca.llm.apiKey: API key for the LLM provider
Enabling the RCA Agent
To enable the RCA Agent, set rca.enabled=true, configure the LLM, and upgrade the Observability Plane. For example, if you followed the local setup guide, run the following command:
helm upgrade --install openchoreo-observability-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-observability-plane \
--version 0.0.0-latest-dev \
--namespace openchoreo-observability-plane \
--reuse-values \
--set rca.enabled=true \
--set rca.llm.modelName=<model-name> \
--set rca.llm.apiKey=<api-key>
Configure rcaAgentURL in the ObservabilityPlane resource in the control plane. For example, if you followed the local setup guide, run the following command:
kubectl patch observabilityplane default -n default --type=merge -p '{"spec":{"rcaAgentURL":"http://ai-rca-agent.openchoreo-observability-plane.svc.cluster.local:8080"}}'
Authentication and Authorization
By default, OpenChoreo configures Thunder as the identity provider for the RCA Agent with a pre-configured OAuth client for testing purposes. If you are using an external identity provider, follow the steps below to configure both authentication and authorization for the new client.
Authentication
Create an OAuth 2.0 client that supports the client_credentials grant type for service-to-service authentication, and configure the Observability Plane with the client credentials:
security:
  oidc:
    tokenUrl: "<your-idp-token-url>"
rca:
  oauth:
    clientId: "<your-client-id>"
    clientSecret: "<your-client-secret>"
See Identity Provider Configuration for detailed setup instructions.
Authorization
With authorization enabled by default, the RCA Agent uses the client_credentials grant to authenticate with the OpenChoreo API as a service account. The API matches the sub claim in the issued JWT to identify the caller, so the new client must be granted the rca-agent role via a bootstrap authorization mapping.
Add the following to your Control Plane values override, replacing <your-client-id> with the same client ID used in the authentication configuration above:
openchoreoApi:
  config:
    security:
      authorization:
        bootstrap:
          mappings:
            - name: rca-agent-binding
              roleRef:
                name: rca-agent
              entitlement:
                claim: sub
                value: "<your-client-id>"
              effect: allow
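Because the mapping matches on the sub claim, it helps to confirm what your identity provider actually places in sub for a client_credentials token before relying on the binding. The script below is an added example, not part of OpenChoreo: the function names, the sample client ID rca-client and the sample tokens are constructed for illustration, and it assumes the access token is a JWT and that the token endpoint accepts the client credentials as form fields.

```python
import base64
import json
import urllib.parse
import urllib.request


def fetch_token(token_url, client_id, client_secret):
    """Get an access token with the client_credentials grant.

    Assumption: the IdP accepts the credentials as form fields; some require HTTP Basic.
    """
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    with urllib.request.urlopen(token_url, data=form, timeout=10) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT; the IdP may be issuing opaque tokens")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_binding(token, claim, expected):
    """Return (matches, actual_value) for the claim the bootstrap mapping keys on."""
    actual = jwt_claims(token).get(claim)
    return actual == expected, actual


def make_sample_token(claims):
    """Build an unsigned token from constructed claims so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed cases: sub equal to the client ID, and sub set to a different identifier.
    # Against a real IdP: token = fetch_token(token_url, client_id, client_secret)
    for sub in ("rca-client", "service-account-7f3c"):
        ok, actual = check_binding(make_sample_token({"sub": sub}), "sub", "rca-client")
        print(f"sub={actual!r}:", "matches mapping" if ok else "MISMATCH, role not granted")
```

If the reported sub differs from the client ID, use the value the identity provider actually issues as the entitlement value in the mapping.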
Verifying the Installation
Check that the RCA Agent pod is running:
kubectl get pods -n openchoreo-observability-plane -l app.kubernetes.io/component=ai-rca-agent