From a72be05b96a9a9fda3cfbf07851be0072caf34e2 Mon Sep 17 00:00:00 2001
From: Pavol Loffay
Date: Wed, 22 Jan 2025 11:18:34 +0100
Subject: [PATCH 1/4] Add support for query RBAC
Signed-off-by: Pavol Loffay
---
.chloggen/query-rbac.yaml | 28 ++++
api/tempo/v1alpha1/tempostack_types.go | 8 ++
api/tempo/v1alpha1/zz_generated.deepcopy.go | 16 +++
.../tempo-operator.clusterserviceversion.yaml | 2 +-
.../tempo.grafana.com_tempostacks.yaml | 10 ++
.../tempo-operator.clusterserviceversion.yaml | 2 +-
.../tempo.grafana.com_tempostacks.yaml | 10 ++
.../bases/tempo.grafana.com_tempostacks.yaml | 10 ++
docs/spec/tempo.grafana.com_tempostacks.yaml | 2 +
internal/manifests/gateway/gateway.go | 25 ++++
internal/manifests/gateway/gateway_test.go | 122 ++++++++++++++++++
internal/manifests/gateway/openshift.go | 1 +
internal/manifests/gateway/openshift_test.go | 1 +
.../manifests/monolithic/statefulset_test.go | 1 +
.../install-tempo-assert.yaml | 1 +
.../scale-tempo-assert.yaml | 1 +
.../e2e-openshift/multitenancy/01-assert.yaml | 2 +
.../multitenancy/01-install-tempo.yaml | 2 +
18 files changed, 242 insertions(+), 2 deletions(-)
create mode 100755 .chloggen/query-rbac.yaml
diff --git a/.chloggen/query-rbac.yaml b/.chloggen/query-rbac.yaml
new file mode 100755
index 000000000..7a737a631
--- /dev/null
+++ b/.chloggen/query-rbac.yaml
@@ -0,0 +1,28 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC when Gateway/multitenancy is used.
+
+# One or more tracking issues related to the change
+issues: [1100]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+ This feature allows users to apply query RBAC in the multitenancy mode.
+ The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+ For instance, a user can only see attributes from namespaces it can access.
+
+ ```yaml
+ spec:
+ template:
+ gateway:
+ enabled: true
+ rbac:
+ enabled: true
+ ```
diff --git a/api/tempo/v1alpha1/tempostack_types.go b/api/tempo/v1alpha1/tempostack_types.go
index c673a2f5b..dcd6a2a0e 100644
--- a/api/tempo/v1alpha1/tempostack_types.go
+++ b/api/tempo/v1alpha1/tempostack_types.go
@@ -591,6 +591,14 @@ type TempoGatewaySpec struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger gateway Ingress Settings"
Ingress IngressSpec `json:"ingress,omitempty"`
+
+ RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
+// RBACSpec defines RBAC options.
+type RBACSpec struct {
+ // Enabled defines if the query RBAC should be enabled.
+ Enabled bool `json:"enabled"`
}
// TempoQueryFrontendSpec extends TempoComponentSpec with frontend specific parameters.
diff --git a/api/tempo/v1alpha1/zz_generated.deepcopy.go b/api/tempo/v1alpha1/zz_generated.deepcopy.go
index d9a80f782..033ffd25a 100644
--- a/api/tempo/v1alpha1/zz_generated.deepcopy.go
+++ b/api/tempo/v1alpha1/zz_generated.deepcopy.go
@@ -1005,6 +1005,21 @@ func (in *QueryLimit) DeepCopy() *QueryLimit {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RBACSpec) DeepCopyInto(out *RBACSpec) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACSpec.
+func (in *RBACSpec) DeepCopy() *RBACSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(RBACSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RateLimitSpec) DeepCopyInto(out *RateLimitSpec) {
*out = *in
@@ -1268,6 +1283,7 @@ func (in *TempoGatewaySpec) DeepCopyInto(out *TempoGatewaySpec) {
*out = *in
in.TempoComponentSpec.DeepCopyInto(&out.TempoComponentSpec)
in.Ingress.DeepCopyInto(&out.Ingress)
+ out.RBAC = in.RBAC
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TempoGatewaySpec.
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
index d4d88ff24..c4be3543e 100644
--- a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-05T16:29:10Z"
+ createdAt: "2025-02-10T10:08:24Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
diff --git a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
index 1918f1b5d..e592a5aaa 100644
--- a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1434,6 +1434,16 @@ spec:
- ""
type: string
type: object
+ rbac:
+ description: RBACSpec defines RBAC options.
+ properties:
+ enabled:
+ description: Enabled defines if the query RBAC should
+ be enabled.
+ type: boolean
+ required:
+ - enabled
+ type: object
required:
- enabled
type: object
diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
index 54f7f1942..c26f203ed 100644
--- a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-05T16:29:09Z"
+ createdAt: "2025-02-10T10:08:23Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
index 1918f1b5d..e592a5aaa 100644
--- a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1434,6 +1434,16 @@ spec:
- ""
type: string
type: object
+ rbac:
+ description: RBACSpec defines RBAC options.
+ properties:
+ enabled:
+ description: Enabled defines if the query RBAC should
+ be enabled.
+ type: boolean
+ required:
+ - enabled
+ type: object
required:
- enabled
type: object
diff --git a/config/crd/bases/tempo.grafana.com_tempostacks.yaml b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
index 76e2a2eed..e63a1d503 100644
--- a/config/crd/bases/tempo.grafana.com_tempostacks.yaml
+++ b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
@@ -1430,6 +1430,16 @@ spec:
- ""
type: string
type: object
+ rbac:
+ description: RBACSpec defines RBAC options.
+ properties:
+ enabled:
+ description: Enabled defines if the query RBAC should
+ be enabled.
+ type: boolean
+ required:
+ - enabled
+ type: object
required:
- enabled
type: object
diff --git a/docs/spec/tempo.grafana.com_tempostacks.yaml b/docs/spec/tempo.grafana.com_tempostacks.yaml
index 46863a7dd..12a561316 100644
--- a/docs/spec/tempo.grafana.com_tempostacks.yaml
+++ b/docs/spec/tempo.grafana.com_tempostacks.yaml
@@ -206,6 +206,8 @@ spec: # TempoStackSpec defines the desired st
route: # Route defines the options for the OpenShift route.
termination: "" # Termination defines the termination type. The default is "edge".
type: "" # Type defines the type of Ingress for the Jaeger Query UI. Currently ingress, route and none are supported.
+ rbac: # RBACSpec defines RBAC options.
+ enabled: false # Enabled defines if the query RBAC should be enabled.
ingester: # Ingester defines the ingester component spec.
podSecurityContext: # PodSecurityContext defines security context will be applied to all pods of this component.
fsGroup: 0 # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
diff --git a/internal/manifests/gateway/gateway.go b/internal/manifests/gateway/gateway.go
index 5a7c94452..856feb374 100644
--- a/internal/manifests/gateway/gateway.go
+++ b/internal/manifests/gateway/gateway.go
@@ -121,6 +121,10 @@ func BuildGateway(params manifestutils.Params) ([]client.Object, error) {
if err != nil {
return nil, err
}
+ dep.Spec.Template, err = patchReadRBAC(params, dep.Spec.Template)
+ if err != nil {
+ return nil, err
+ }
dep.Spec.Template, err = patchTracing(params.Tempo, dep.Spec.Template)
if err != nil {
@@ -357,6 +361,27 @@ func patchTraceReadEndpoint(params manifestutils.Params, pod corev1.PodTemplateS
return pod, nil
}
+func patchReadRBAC(params manifestutils.Params, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
+ if !params.Tempo.Spec.Template.Gateway.RBAC.Enabled {
+ return pod, nil
+ }
+
+ container := corev1.Container{
+ Args: []string{"--traces.query-rbac=true"},
+ }
+
+ for i := range pod.Spec.Containers {
+ if pod.Spec.Containers[i].Name != containerNameTempoGateway {
+ continue
+ }
+ if err := mergo.Merge(&pod.Spec.Containers[i], container, mergo.WithAppendSlice); err != nil {
+ return corev1.PodTemplateSpec{}, err
+ }
+ }
+
+ return pod, nil
+}
+
func patchTracing(tempo v1alpha1.TempoStack, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
if tempo.Spec.Observability.Tracing.SamplingFraction == "" {
return pod, nil
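Review bot: When RBAC is enabled but no container named containerNameTempoGateway is present in pod.Spec.Containers, the loop in patchReadRBAC falls through and the function returns the pod unchanged with a nil error, so `--traces.query-rbac=true` is silently dropped and the gateway would answer queries without the filter the operator believes it enabled. Because this flag is the enforcement point of a security control, it should fail closed: record whether the merge happened and return an error otherwise, as below (the `fmt` import is needed if gateway.go does not already have it). The table in TestPatchReadRBAC (gateway_test.go) has no case for a pod without the gateway container; one asserting the error would pin the behaviour.
```go
	patched := false
	for i := range pod.Spec.Containers {
		if pod.Spec.Containers[i].Name != containerNameTempoGateway {
			continue
		}
		// … unchanged: mergo.Merge of the --traces.query-rbac=true arg …
		patched = true
	}
	if !patched {
		return corev1.PodTemplateSpec{}, fmt.Errorf("query RBAC enabled but container %q not found in gateway pod", containerNameTempoGateway)
	}
	return pod, nil
```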
diff --git a/internal/manifests/gateway/gateway_test.go b/internal/manifests/gateway/gateway_test.go
index f48c9178f..5058d7f0d 100644
--- a/internal/manifests/gateway/gateway_test.go
+++ b/internal/manifests/gateway/gateway_test.go
@@ -515,6 +515,128 @@ func TestPatchTraceReadEndpoint(t *testing.T) {
}
}
+func TestPatchReadRBAC(t *testing.T) {
+ tt := []struct {
+ name string
+ inputParams manifestutils.Params
+ inputPod corev1.PodTemplateSpec
+ expectPod corev1.PodTemplateSpec
+ expectErr error
+ }{
+ {
+ name: "with read RBAC",
+ inputParams: manifestutils.Params{
+ Tempo: v1alpha1.TempoStack{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "name",
+ Namespace: "default",
+ },
+ Spec: v1alpha1.TempoStackSpec{
+ Template: v1alpha1.TempoTemplateSpec{
+ Gateway: v1alpha1.TempoGatewaySpec{
+ Enabled: true,
+ RBAC: v1alpha1.RBACSpec{
+ Enabled: true,
+ },
+ },
+ },
+ },
+ },
+ },
+ inputPod: corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: containerNameTempoGateway,
+ Args: []string{
+ "--abc",
+ },
+ },
+ {
+ Name: "second",
+ Args: []string{
+ "--xyz",
+ },
+ },
+ },
+ },
+ },
+ expectPod: corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: containerNameTempoGateway,
+ Args: []string{
+ "--abc",
+ "--traces.query-rbac=true",
+ },
+ },
+ {
+ Name: "second",
+ Args: []string{
+ "--xyz",
+ },
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "without trace read RBAC",
+ inputParams: manifestutils.Params{
+ Tempo: v1alpha1.TempoStack{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "name",
+ Namespace: "default",
+ },
+ Spec: v1alpha1.TempoStackSpec{
+ Template: v1alpha1.TempoTemplateSpec{
+ Gateway: v1alpha1.TempoGatewaySpec{
+ Enabled: true,
+ RBAC: v1alpha1.RBACSpec{
+ Enabled: false,
+ },
+ },
+ },
+ },
+ },
+ },
+ inputPod: corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: containerNameTempoGateway,
+ Args: []string{
+ "--abc",
+ },
+ },
+ },
+ },
+ },
+ expectPod: corev1.PodTemplateSpec{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ Name: containerNameTempoGateway,
+ Args: []string{
+ "--abc",
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+
+ for _, tc := range tt {
+ t.Run(tc.name, func(t *testing.T) {
+ pod, err := patchReadRBAC(tc.inputParams, tc.inputPod)
+ require.Equal(t, tc.expectErr, err)
+ assert.Equal(t, tc.expectPod, pod)
+ })
+ }
+}
+
func TestTLSParameters(t *testing.T) {
tempo := v1alpha1.TempoStack{
ObjectMeta: metav1.ObjectMeta{
diff --git a/internal/manifests/gateway/openshift.go b/internal/manifests/gateway/openshift.go
index 9946d9304..278f3f0c2 100644
--- a/internal/manifests/gateway/openshift.go
+++ b/internal/manifests/gateway/openshift.go
@@ -222,6 +222,7 @@ func NewOpaContainer(ctrlConfig configv1alpha1.ProjectConfig, tenants v1alpha1.T
var args = []string{
"--log.level=warn",
"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+ "--opa.matcher=kubernetes_namespace_name",
fmt.Sprintf("--web.listen=:%d", gatewayOPAHTTPPort),
fmt.Sprintf("--web.internal.listen=:%d", gatewayOPAInternalPort),
fmt.Sprintf("--web.healthchecks.url=http://localhost:%d", gatewayOPAHTTPPort),
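Review bot: `--opa.matcher=kubernetes_namespace_name` is added to the OPA container unconditionally, while the gateway-side `--traces.query-rbac=true` is only emitted when `Gateway.RBAC.Enabled` is true (patchReadRBAC in gateway.go), so the two halves of the feature are toggled independently; the monolithic StatefulSet test (statefulset_test.go) shows the matcher also reaches deployments that gain no `rbac` field in this series. If always emitting the matcher is intentional, a comment above the line would save the next reader the question, e.g. `// Return namespace matchers so the gateway can enforce query RBAC when --traces.query-rbac is set.`; if it is not, gate it on the RBAC setting, which may require threading the spec into NewOpaContainer (its parameter list is partly outside the hunk). TestPatchOPAContainer, TestStatefulsetGateway and the e2e assert files currently pin the unconditional flag.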
diff --git a/internal/manifests/gateway/openshift_test.go b/internal/manifests/gateway/openshift_test.go
index 90cc7062c..346b741b2 100644
--- a/internal/manifests/gateway/openshift_test.go
+++ b/internal/manifests/gateway/openshift_test.go
@@ -43,6 +43,7 @@ func TestPatchOPAContainer(t *testing.T) {
assert.Equal(t, []string{
"--log.level=warn",
"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+ "--opa.matcher=kubernetes_namespace_name",
"--web.listen=:8082", "--web.internal.listen=:8083",
"--web.healthchecks.url=http://localhost:8082",
"--opa.package=tempostack",
diff --git a/internal/manifests/monolithic/statefulset_test.go b/internal/manifests/monolithic/statefulset_test.go
index 618a5eeda..3de1df570 100644
--- a/internal/manifests/monolithic/statefulset_test.go
+++ b/internal/manifests/monolithic/statefulset_test.go
@@ -938,6 +938,7 @@ func TestStatefulsetGateway(t *testing.T) {
Args: []string{
"--log.level=warn",
"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+ "--opa.matcher=kubernetes_namespace_name",
"--web.listen=:8082",
"--web.internal.listen=:8083",
"--web.healthchecks.url=http://localhost:8082",
diff --git a/tests/e2e-openshift/component-replicas/install-tempo-assert.yaml b/tests/e2e-openshift/component-replicas/install-tempo-assert.yaml
index d306e7429..ae19ae97c 100644
--- a/tests/e2e-openshift/component-replicas/install-tempo-assert.yaml
+++ b/tests/e2e-openshift/component-replicas/install-tempo-assert.yaml
@@ -233,6 +233,7 @@ spec:
- args:
- --log.level=warn
- --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+ - --opa.matcher=kubernetes_namespace_name
- --web.listen=:8082
- --web.internal.listen=:8083
- --web.healthchecks.url=http://localhost:8082
diff --git a/tests/e2e-openshift/component-replicas/scale-tempo-assert.yaml b/tests/e2e-openshift/component-replicas/scale-tempo-assert.yaml
index 9f0b9accb..25c1a2edc 100644
--- a/tests/e2e-openshift/component-replicas/scale-tempo-assert.yaml
+++ b/tests/e2e-openshift/component-replicas/scale-tempo-assert.yaml
@@ -233,6 +233,7 @@ spec:
- args:
- --log.level=warn
- --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+ - --opa.matcher=kubernetes_namespace_name
- --web.listen=:8082
- --web.internal.listen=:8083
- --web.healthchecks.url=http://localhost:8082
diff --git a/tests/e2e-openshift/multitenancy/01-assert.yaml b/tests/e2e-openshift/multitenancy/01-assert.yaml
index 22581acd0..cb2aa1f2a 100644
--- a/tests/e2e-openshift/multitenancy/01-assert.yaml
+++ b/tests/e2e-openshift/multitenancy/01-assert.yaml
@@ -170,6 +170,7 @@ spec:
- --web.healthchecks.url=https://localhost:8080
- --tls.client-auth-type=NoClientCert
- --traces.read.endpoint=https://tempo-simplest-query-frontend.chainsaw-multitenancy.svc.cluster.local:16686
+ - --traces.query-rbac=true
livenessProbe:
failureThreshold: 10
httpGet:
@@ -235,6 +236,7 @@ spec:
- args:
- --log.level=warn
- --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+ - --opa.matcher=kubernetes_namespace_name
- --web.listen=:8082
- --web.internal.listen=:8083
- --web.healthchecks.url=http://localhost:8082
diff --git a/tests/e2e-openshift/multitenancy/01-install-tempo.yaml b/tests/e2e-openshift/multitenancy/01-install-tempo.yaml
index d45a4d5b9..6b84cd2c4 100644
--- a/tests/e2e-openshift/multitenancy/01-install-tempo.yaml
+++ b/tests/e2e-openshift/multitenancy/01-install-tempo.yaml
@@ -25,6 +25,8 @@ spec:
template:
gateway:
enabled: true
+ rbac:
+ enabled: true
queryFrontend:
jaegerQuery:
enabled: true
From 070fb5820db6b832e5037f8970c07058c676d3df Mon Sep 17 00:00:00 2001
From: Pavol Loffay
Date: Mon, 10 Feb 2025 18:23:13 +0100
Subject: [PATCH 2/4] Add webhook validation
Signed-off-by: Pavol Loffay
---
api/tempo/v1alpha1/tempostack_types.go | 7 +++++-
.../tempo-operator.clusterserviceversion.yaml | 7 ++++--
.../tempo.grafana.com_tempostacks.yaml | 2 +-
.../tempo-operator.clusterserviceversion.yaml | 7 ++++--
.../tempo.grafana.com_tempostacks.yaml | 2 +-
.../bases/tempo.grafana.com_tempostacks.yaml | 2 +-
.../tempo-operator.clusterserviceversion.yaml | 5 +++-
.../tempo-operator.clusterserviceversion.yaml | 5 +++-
docs/spec/tempo.grafana.com_tempostacks.yaml | 2 +-
internal/webhooks/tempostack_webhook.go | 6 +++++
internal/webhooks/tempostack_webhook_test.go | 25 +++++++++++++++++++
11 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/api/tempo/v1alpha1/tempostack_types.go b/api/tempo/v1alpha1/tempostack_types.go
index dcd6a2a0e..f8810fbe9 100644
--- a/api/tempo/v1alpha1/tempostack_types.go
+++ b/api/tempo/v1alpha1/tempostack_types.go
@@ -589,9 +589,14 @@ type TempoGatewaySpec struct {
//
// +optional
// +kubebuilder:validation:Optional
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger gateway Ingress Settings"
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Gateway Ingress Settings"
Ingress IngressSpec `json:"ingress,omitempty"`
+ // RBAC defines RBAC options.
+ //
+ // +optional
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Settings"
RBAC RBACSpec `json:"rbac,omitempty"`
}
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
index c4be3543e..4b48a8d50 100644
--- a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-10T10:08:24Z"
+ createdAt: "2025-02-10T17:22:36Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Ingress defines gateway Ingress options.
- displayName: Jaeger gateway Ingress Settings
+ displayName: Gateway Ingress Settings
path: template.gateway.ingress
- description: Annotations defines the annotations of the Ingress object.
displayName: Annotations
@@ -995,6 +995,9 @@ spec:
all pods of this component.
displayName: PodSecurityContext
path: template.gateway.podSecurityContext
+ - description: RBAC defines RBAC options.
+ displayName: Query RBAC Settings
+ path: template.gateway.rbac
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
index e592a5aaa..8f9bf47b1 100644
--- a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1435,7 +1435,7 @@ spec:
type: string
type: object
rbac:
- description: RBACSpec defines RBAC options.
+ description: RBAC defines RBAC options.
properties:
enabled:
description: Enabled defines if the query RBAC should
diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
index c26f203ed..cfd39bd96 100644
--- a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-10T10:08:23Z"
+ createdAt: "2025-02-10T17:22:35Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Ingress defines gateway Ingress options.
- displayName: Jaeger gateway Ingress Settings
+ displayName: Gateway Ingress Settings
path: template.gateway.ingress
- description: Annotations defines the annotations of the Ingress object.
displayName: Annotations
@@ -995,6 +995,9 @@ spec:
all pods of this component.
displayName: PodSecurityContext
path: template.gateway.podSecurityContext
+ - description: RBAC defines RBAC options.
+ displayName: Query RBAC Settings
+ path: template.gateway.rbac
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
index e592a5aaa..8f9bf47b1 100644
--- a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1435,7 +1435,7 @@ spec:
type: string
type: object
rbac:
- description: RBACSpec defines RBAC options.
+ description: RBAC defines RBAC options.
properties:
enabled:
description: Enabled defines if the query RBAC should
diff --git a/config/crd/bases/tempo.grafana.com_tempostacks.yaml b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
index e63a1d503..2704d236c 100644
--- a/config/crd/bases/tempo.grafana.com_tempostacks.yaml
+++ b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
@@ -1431,7 +1431,7 @@ spec:
type: string
type: object
rbac:
- description: RBACSpec defines RBAC options.
+ description: RBAC defines RBAC options.
properties:
enabled:
description: Enabled defines if the query RBAC should
diff --git a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
index 50e7fafc1..18eaf6347 100644
--- a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
+++ b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
@@ -896,7 +896,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Ingress defines gateway Ingress options.
- displayName: Jaeger gateway Ingress Settings
+ displayName: Gateway Ingress Settings
path: template.gateway.ingress
- description: Annotations defines the annotations of the Ingress object.
displayName: Annotations
@@ -924,6 +924,9 @@ spec:
all pods of this component.
displayName: PodSecurityContext
path: template.gateway.podSecurityContext
+ - description: RBAC defines RBAC options.
+ displayName: Query RBAC Settings
+ path: template.gateway.rbac
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
index c029487c5..9afb0e0a6 100644
--- a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
+++ b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
@@ -896,7 +896,7 @@ spec:
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- description: Ingress defines gateway Ingress options.
- displayName: Jaeger gateway Ingress Settings
+ displayName: Gateway Ingress Settings
path: template.gateway.ingress
- description: Annotations defines the annotations of the Ingress object.
displayName: Annotations
@@ -924,6 +924,9 @@ spec:
all pods of this component.
displayName: PodSecurityContext
path: template.gateway.podSecurityContext
+ - description: RBAC defines RBAC options.
+ displayName: Query RBAC Settings
+ path: template.gateway.rbac
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/docs/spec/tempo.grafana.com_tempostacks.yaml b/docs/spec/tempo.grafana.com_tempostacks.yaml
index 12a561316..7811f68b9 100644
--- a/docs/spec/tempo.grafana.com_tempostacks.yaml
+++ b/docs/spec/tempo.grafana.com_tempostacks.yaml
@@ -206,7 +206,7 @@ spec: # TempoStackSpec defines the desired st
route: # Route defines the options for the OpenShift route.
termination: "" # Termination defines the termination type. The default is "edge".
type: "" # Type defines the type of Ingress for the Jaeger Query UI. Currently ingress, route and none are supported.
- rbac: # RBACSpec defines RBAC options.
+ rbac: # RBAC defines RBAC options.
enabled: false # Enabled defines if the query RBAC should be enabled.
ingester: # Ingester defines the ingester component spec.
podSecurityContext: # PodSecurityContext defines security context will be applied to all pods of this component.
diff --git a/internal/webhooks/tempostack_webhook.go b/internal/webhooks/tempostack_webhook.go
index 12970ec8c..2699b3aeb 100644
--- a/internal/webhooks/tempostack_webhook.go
+++ b/internal/webhooks/tempostack_webhook.go
@@ -292,6 +292,12 @@ func (v *validator) validateGateway(tempo v1alpha1.TempoStack) field.ErrorList {
"cannot enable gateway and jaeger query ingress at the same time, please use the Jaeger UI from the gateway",
)}
}
+ if tempo.Spec.Template.Gateway.RBAC.Enabled && tempo.Spec.Template.QueryFrontend.JaegerQuery.Enabled {
+ return field.ErrorList{
+ field.Invalid(path, tempo.Spec.Template.Gateway.RBAC.Enabled,
+ "cannot enable gateway and jaeger query at the same time. The Jaeger UI does not support query RBAC",
+ )}
+ }
if tempo.Spec.Tenants == nil {
return field.ErrorList{
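Review bot: The new message `cannot enable gateway and jaeger query at the same time` misstates the rejected condition: the check just above it only forbids gateway together with Jaeger query ingress and tells users to reach the Jaeger UI through the gateway, so gateway plus Jaeger query is a supported combination and what this branch actually rejects is query RBAC plus Jaeger query. Suggest `"cannot enable query RBAC and jaeger query at the same time. The Jaeger UI does not support query RBAC"`, reported at `path.Child("rbac", "enabled")` if `path` (declared outside the hunk) points at the gateway rather than the RBAC field; the expected string in TestValidateGatewayAndJaegerQuery (tempostack_webhook_test.go) changes with it. Separately, nothing here rejects `rbac.enabled: true` with `gateway.enabled: false`; if validateGateway returns early for a disabled gateway (its start is outside the hunk), that spec is accepted and patchReadRBAC never runs, so the requested RBAC silently has no effect — an explicit webhook error for that combination is worth adding.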
diff --git a/internal/webhooks/tempostack_webhook_test.go b/internal/webhooks/tempostack_webhook_test.go
index 45aedb7f7..8e8900f15 100644
--- a/internal/webhooks/tempostack_webhook_test.go
+++ b/internal/webhooks/tempostack_webhook_test.go
@@ -1401,6 +1401,31 @@ func TestValidateGatewayAndJaegerQuery(t *testing.T) {
),
},
},
+ {
+ name: "invalid configuration, rbac and jaeger ui enabled",
+ input: v1alpha1.TempoStack{
+ Spec: v1alpha1.TempoStackSpec{
+ Template: v1alpha1.TempoTemplateSpec{
+ QueryFrontend: v1alpha1.TempoQueryFrontendSpec{
+ JaegerQuery: v1alpha1.JaegerQuerySpec{
+ Enabled: true,
+ },
+ },
+ Gateway: v1alpha1.TempoGatewaySpec{
+ Enabled: true,
+ RBAC: v1alpha1.RBACSpec{
+ Enabled: true,
+ },
+ },
+ },
+ },
+ },
+ expected: field.ErrorList{
+ field.Invalid(path, true,
+ "cannot enable gateway and jaeger query at the same time. The Jaeger UI does not support query RBAC",
+ ),
+ },
+ },
}
for _, test := range tests {
From f4f5bfa9f9f581a53d7d0cc3f97fbdb5f8bfa5a4 Mon Sep 17 00:00:00 2001
From: Pavol Loffay
Date: Fri, 14 Feb 2025 13:35:22 +0100
Subject: [PATCH 3/4] Update gateway
Signed-off-by: Pavol Loffay
---
Makefile | 2 +-
.../manifests/tempo-operator.clusterserviceversion.yaml | 6 +++---
.../manifests/tempo-operator.clusterserviceversion.yaml | 6 +++---
config/manager/manager.yaml | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 1674a60c4..566151d11 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ OPERATOR_VERSION ?= 0.14.2
TEMPO_VERSION ?= 2.7.0
JAEGER_QUERY_VERSION ?= 1.62.0
TEMPO_QUERY_VERSION ?= 2.7.0
-TEMPO_GATEWAY_VERSION ?= main-2024-11-05-28e4c83
+TEMPO_GATEWAY_VERSION ?= main-2025-02-12-0636771
TEMPO_GATEWAY_OPA_VERSION ?= main-2024-10-09-7237863
OAUTH_PROXY_VERSION=4.14
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
index 4b48a8d50..079de4a27 100644
--- a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-10T17:22:36Z"
+ createdAt: "2025-02-14T12:34:58Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -1511,7 +1511,7 @@ spec:
- name: RELATED_IMAGE_TEMPO_QUERY
value: docker.io/grafana/tempo-query:2.7.0
- name: RELATED_IMAGE_TEMPO_GATEWAY
- value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+ value: quay.io/observatorium/api:main-2025-02-12-0636771
- name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
- name: RELATED_IMAGE_OAUTH_PROXY
@@ -1640,7 +1640,7 @@ spec:
name: jaeger-query
- image: docker.io/grafana/tempo-query:2.7.0
name: tempo-query
- - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+ - image: quay.io/observatorium/api:main-2025-02-12-0636771
name: tempo-gateway
- image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
name: tempo-gateway-opa
diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
index cfd39bd96..3b99e29c9 100644
--- a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-10T17:22:35Z"
+ createdAt: "2025-02-14T12:34:57Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -1523,7 +1523,7 @@ spec:
- name: RELATED_IMAGE_TEMPO_QUERY
value: docker.io/grafana/tempo-query:2.7.0
- name: RELATED_IMAGE_TEMPO_GATEWAY
- value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+ value: quay.io/observatorium/api:main-2025-02-12-0636771
- name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
- name: RELATED_IMAGE_OAUTH_PROXY
@@ -1658,7 +1658,7 @@ spec:
name: jaeger-query
- image: docker.io/grafana/tempo-query:2.7.0
name: tempo-query
- - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+ - image: quay.io/observatorium/api:main-2025-02-12-0636771
name: tempo-gateway
- image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
name: tempo-gateway-opa
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 800ec3749..4b7ca179d 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -46,7 +46,7 @@ spec:
- name: RELATED_IMAGE_TEMPO_QUERY
value: docker.io/grafana/tempo-query:2.7.0
- name: RELATED_IMAGE_TEMPO_GATEWAY
- value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+ value: quay.io/observatorium/api:main-2025-02-12-0636771
- name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
- name: RELATED_IMAGE_OAUTH_PROXY
From c5e38a83692d4e8166619f55e7f595bc8066cf54 Mon Sep 17 00:00:00 2001
From: Pavol Loffay
Date: Fri, 14 Feb 2025 15:18:13 +0100
Subject: [PATCH 4/4] Fix
Signed-off-by: Pavol Loffay
---
api/tempo/v1alpha1/tempostack_types.go | 4 ++++
.../manifests/tempo-operator.clusterserviceversion.yaml | 5 ++++-
.../community/manifests/tempo.grafana.com_tempostacks.yaml | 2 --
.../manifests/tempo-operator.clusterserviceversion.yaml | 5 ++++-
.../openshift/manifests/tempo.grafana.com_tempostacks.yaml | 2 --
config/crd/bases/tempo.grafana.com_tempostacks.yaml | 2 --
.../bases/tempo-operator.clusterserviceversion.yaml | 3 +++
.../bases/tempo-operator.clusterserviceversion.yaml | 3 +++
8 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/api/tempo/v1alpha1/tempostack_types.go b/api/tempo/v1alpha1/tempostack_types.go
index f8810fbe9..97b1c4f91 100644
--- a/api/tempo/v1alpha1/tempostack_types.go
+++ b/api/tempo/v1alpha1/tempostack_types.go
@@ -603,6 +603,10 @@ type TempoGatewaySpec struct {
// RBACSpec defines RBAC options.
type RBACSpec struct {
// Enabled defines if the query RBAC should be enabled.
+ //
+ // +optional
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Enabled"
Enabled bool `json:"enabled"`
}
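Review bot: Making `Enabled` optional while keeping a plain `bool` means an omitted `template.gateway.rbac.enabled` resolves to the Go zero value `false`, so query RBAC is silently off unless a user opts in explicitly; the doc comment on `Enabled` should state that fail-open default so it appears verbatim in the generated CRD and CSV descriptions, e.g. `// Enabled defines if the query RBAC should be enabled. Defaults to false (query RBAC disabled) when omitted.`. Adding `+kubebuilder:default=false` next to the new `+optional` markers would make the default explicit in the schema rather than relying on Go zero-value semantics. The `json:"enabled"` tag has no `omitempty`, which is acceptable for a non-pointer bool but means the field always round-trips as `false` when unset; worth confirming that is intended now that the field is no longer required. The `RBACSpec` struct is fully visible here, but the `TempoGatewaySpec` that embeds it starts outside the hunk.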
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
index 079de4a27..cac3d803d 100644
--- a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-14T12:34:58Z"
+ createdAt: "2025-02-14T12:37:26Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -998,6 +998,9 @@ spec:
- description: RBAC defines RBAC options.
displayName: Query RBAC Settings
path: template.gateway.rbac
+ - description: Enabled defines if the query RBAC should be enabled.
+ displayName: Query RBAC Enabled
+ path: template.gateway.rbac.enabled
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
index 8f9bf47b1..62e18a445 100644
--- a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1441,8 +1441,6 @@ spec:
description: Enabled defines if the query RBAC should
be enabled.
type: boolean
- required:
- - enabled
type: object
required:
- enabled
diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
index 3b99e29c9..bc8491e3e 100644
--- a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
+++ b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
capabilities: Deep Insights
categories: Logging & Tracing,Monitoring
containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
- createdAt: "2025-02-14T12:34:57Z"
+ createdAt: "2025-02-14T12:37:25Z"
description: Create and manage deployments of Tempo, a high-scale distributed
tracing backend.
operatorframework.io/cluster-monitoring: "true"
@@ -998,6 +998,9 @@ spec:
- description: RBAC defines RBAC options.
displayName: Query RBAC Settings
path: template.gateway.rbac
+ - description: Enabled defines if the query RBAC should be enabled.
+ displayName: Query RBAC Enabled
+ path: template.gateway.rbac.enabled
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
index 8f9bf47b1..62e18a445 100644
--- a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
+++ b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1441,8 +1441,6 @@ spec:
description: Enabled defines if the query RBAC should
be enabled.
type: boolean
- required:
- - enabled
type: object
required:
- enabled
diff --git a/config/crd/bases/tempo.grafana.com_tempostacks.yaml b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
index 2704d236c..a0d8b7da1 100644
--- a/config/crd/bases/tempo.grafana.com_tempostacks.yaml
+++ b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
@@ -1437,8 +1437,6 @@ spec:
description: Enabled defines if the query RBAC should
be enabled.
type: boolean
- required:
- - enabled
type: object
required:
- enabled
diff --git a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
index 18eaf6347..63536aedf 100644
--- a/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
+++ b/config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml
@@ -927,6 +927,9 @@ spec:
- description: RBAC defines RBAC options.
displayName: Query RBAC Settings
path: template.gateway.rbac
+ - description: Enabled defines if the query RBAC should be enabled.
+ displayName: Query RBAC Enabled
+ path: template.gateway.rbac.enabled
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas
diff --git a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
index 9afb0e0a6..c9c8a61a9 100644
--- a/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
+++ b/config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml
@@ -927,6 +927,9 @@ spec:
- description: RBAC defines RBAC options.
displayName: Query RBAC Settings
path: template.gateway.rbac
+ - description: Enabled defines if the query RBAC should be enabled.
+ displayName: Query RBAC Enabled
+ path: template.gateway.rbac.enabled
- description: Replicas defines the number of replicas to be created for this
component.
displayName: Component Replicas