From f30de7bba38f399048ed9ee51a91cb12b655c999 Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Date: Fri, 3 Apr 2026 11:04:18 -0500
Subject: [PATCH] Add a couple OTEL spans for key ACME operations (#42978)
**Related issue:** Resolves #31289
---
 server/mdm/acme/internal/service/account_order.go | 6 ++++++
 server/mdm/acme/internal/service/challenge.go | 3 +++
 server/mdm/acme/internal/service/service.go | 4 ++++
 3 files changed, 13 insertions(+)
diff --git a/server/mdm/acme/internal/service/account_order.go b/server/mdm/acme/internal/service/account_order.go
index f96ca7c613..eb399cd137 100644
--- a/server/mdm/acme/internal/service/account_order.go
+++ b/server/mdm/acme/internal/service/account_order.go
@@ -49,6 +49,9 @@ func (s *Service) CreateAccount(ctx context.Context, pathIdentifier string, enro
 }
 func (s *Service) CreateOrder(ctx context.Context, enrollment *types.Enrollment, account *types.Account, partialOrder *types.Order) (*types.OrderResponse, error) {
+ ctx, span := tracer.Start(ctx, "acme.service.CreateOrder")
+ defer span.End()
+
 // authorization is checked in the endpoint implementation for JWS-protected endpoints
 if err := partialOrder.ValidateOrderCreation(enrollment); err != nil {
@@ -130,6 +133,9 @@ func (s *Service) createOrderResponse(
 }
 func (s *Service) FinalizeOrder(ctx context.Context, enrollment *types.Enrollment, account *types.Account, orderID uint, csr string) (*types.OrderResponse, error) {
+ ctx, span := tracer.Start(ctx, "acme.service.FinalizeOrder")
+ defer span.End()
+
 order, authorizations, err := s.store.GetOrderByID(ctx, account.ID, orderID)
 if err != nil {
 return nil, ctxerr.Wrap(ctx, err, "getting order from datastore")
diff --git a/server/mdm/acme/internal/service/challenge.go b/server/mdm/acme/internal/service/challenge.go
index a0c178f9e7..39933dc6a5 100644
--- a/server/mdm/acme/internal/service/challenge.go
+++ b/server/mdm/acme/internal/service/challenge.go
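Review bot: The new span in CreateOrder is closed by a bare `defer span.End()`, so a call that returns an error still ends its span with an unset status unless `ctxerr.Wrap` marks the active span itself, which is not visible in this patch. For certificate issuance the failed calls are the ones worth finding in a trace backend, so I would record the returned error on the span before ending it; the same applies to the spans added in FinalizeOrder and ValidateChallenge. This needs a named `err` result and the `go.opentelemetry.io/otel/codes` import, and any top-level `err :=` with no other new variable would have to become `err =`. The function body continues outside the hunk.

```go
func (s *Service) CreateOrder(ctx context.Context, enrollment *types.Enrollment, account *types.Account, partialOrder *types.Order) (_ *types.OrderResponse, err error) {
	ctx, span := tracer.Start(ctx, "acme.service.CreateOrder")
	defer func() {
		// Mark the span as failed so rejected orders are searchable in the trace backend.
		if err != nil {
			span.RecordError(err)
			span.SetStatus(codes.Error, "create order failed")
		}
		span.End()
	}()
	// … unchanged: order validation and creation …
```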
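Review bot: The FinalizeOrder span carries no identifiers, so a trace of a certificate issuance cannot be tied back to the order it was for. Adding something like `span.SetAttributes(attribute.Int64("acme.order_id", int64(orderID)))` right after `tracer.Start` would make the span usable when investigating an enrollment (the key name is only an example, and it needs `go.opentelemetry.io/otel/attribute`); ValidateChallenge could do the same with `challengeID`. I would keep `csr` and `payload` out of span attributes, since traces are often exported to a backend with looser access control than the MDM datastore. The function body continues outside the hunk.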
@@ -37,6 +37,9 @@ var (
 )
 func (s *Service) ValidateChallenge(ctx context.Context, enrollment *types.Enrollment, account *types.Account, challengeID uint, payload string) (*types.ChallengeResponse, error) {
+ ctx, span := tracer.Start(ctx, "acme.service.ValidateChallenge")
+ defer span.End()
+
 challenge, err := s.store.GetChallengeByID(ctx, account.ID, challengeID)
 if err != nil {
 return nil, ctxerr.Wrap(ctx, err, "getting challenge by ID")
diff --git a/server/mdm/acme/internal/service/service.go b/server/mdm/acme/internal/service/service.go
index 74f36dc02e..a69bdde210 100644
--- a/server/mdm/acme/internal/service/service.go
+++ b/server/mdm/acme/internal/service/service.go
@@ -13,8 +13,12 @@ import (
 "github.com/fleetdm/fleet/v4/server/mdm/acme/internal/redis_nonces_store"
 "github.com/fleetdm/fleet/v4/server/mdm/acme/internal/types"
 "github.com/fleetdm/fleet/v4/server/mdm/internal/commonmdm"
+ "go.opentelemetry.io/otel"
 )
+// tracer is an OTEL tracer. It has no-op behavior when OTEL is not enabled.
+var tracer = otel.Tracer("github.com/fleetdm/fleet/v4/server/mdm/acme/internal/service")
+
 // Service is the ACME bounded context service implementation.
 type Service struct {
 store types.Datastore
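Review bot: The comment on `tracer` covers the disabled case but not why a package-level initializer is safe, which is what a reader will ask since it runs before any tracer provider is configured. As far as I know the otel global API hands out a delegating tracer that switches to the real provider once one is registered, so I would say so in the comment, e.g. `// tracer is created at package init; the otel global provider delegates to the configured TracerProvider once it is set, and is a no-op otherwise.` The import block starts and the Service struct ends outside the hunk.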