Add support for query RBAC

.chloggen/query-rbac.yaml

@@ -0,0 +1,28 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC when Gateway/multitenancy is used.
+
+# One or more tracking issues related to the change
+issues: [1100]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  This feature allows users to apply query RBAC in the multitenancy mode.
+  The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+  For instance, a user can only see attributes from namespaces it can access.
+
+  ```yaml
+  spec:
+    template:
+      gateway:
+        enabled: true
+        rbac:
+          enabled: true
+  ```

Makefile

@@ -3,7 +3,7 @@ OPERATOR_VERSION ?= 0.14.2
 TEMPO_VERSION ?= 2.7.0
 JAEGER_QUERY_VERSION ?= 1.62.0
 TEMPO_QUERY_VERSION ?= 2.7.0
-TEMPO_GATEWAY_VERSION ?= main-2024-11-05-28e4c83
+TEMPO_GATEWAY_VERSION ?= main-2025-02-12-0636771
 TEMPO_GATEWAY_OPA_VERSION ?= main-2024-10-09-7237863
 OAUTH_PROXY_VERSION=4.14
 

api/tempo/v1alpha1/tempostack_types.go

@@ -589,8 +589,25 @@ type TempoGatewaySpec struct {
 	//
 	// +optional
 	// +kubebuilder:validation:Optional
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger gateway Ingress Settings"
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Gateway Ingress Settings"
 	Ingress IngressSpec `json:"ingress,omitempty"`
+
+	// RBAC defines RBAC options.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Settings"
+	RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
+// RBACSpec defines RBAC options.
+type RBACSpec struct {
+	// Enabled defines if the query RBAC should be enabled.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Enabled"
+	Enabled bool `json:"enabled"`
 }
 
 // TempoQueryFrontendSpec extends TempoComponentSpec with frontend specific parameters.

bundle/community/manifests/tempo-operator.clusterserviceversion.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2025-02-05T16:29:10Z"
+    createdAt: "2025-02-14T12:37:26Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -995,6 +995,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas
@@ -1508,7 +1514,7 @@ spec:
                 - name: RELATED_IMAGE_TEMPO_QUERY
                   value: docker.io/grafana/tempo-query:2.7.0
                 - name: RELATED_IMAGE_TEMPO_GATEWAY
-                  value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+                  value: quay.io/observatorium/api:main-2025-02-12-0636771
                 - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
                   value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
                 - name: RELATED_IMAGE_OAUTH_PROXY
@@ -1637,7 +1643,7 @@ spec:
     name: jaeger-query
   - image: docker.io/grafana/tempo-query:2.7.0
     name: tempo-query
-  - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+  - image: quay.io/observatorium/api:main-2025-02-12-0636771
     name: tempo-gateway
   - image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
     name: tempo-gateway-opa

bundle/community/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1434,6 +1434,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2025-02-05T16:29:09Z"
+    createdAt: "2025-02-14T12:37:25Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -995,6 +995,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas
@@ -1520,7 +1526,7 @@ spec:
                 - name: RELATED_IMAGE_TEMPO_QUERY
                   value: docker.io/grafana/tempo-query:2.7.0
                 - name: RELATED_IMAGE_TEMPO_GATEWAY
-                  value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+                  value: quay.io/observatorium/api:main-2025-02-12-0636771
                 - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
                   value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
                 - name: RELATED_IMAGE_OAUTH_PROXY
@@ -1655,7 +1661,7 @@ spec:
     name: jaeger-query
   - image: docker.io/grafana/tempo-query:2.7.0
     name: tempo-query
-  - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+  - image: quay.io/observatorium/api:main-2025-02-12-0636771
     name: tempo-gateway
   - image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
     name: tempo-gateway-opa

bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1434,6 +1434,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

config/crd/bases/tempo.grafana.com_tempostacks.yaml

@@ -1430,6 +1430,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

config/manager/manager.yaml

@@ -46,7 +46,7 @@ spec:
         - name: RELATED_IMAGE_TEMPO_QUERY
           value: docker.io/grafana/tempo-query:2.7.0
         - name: RELATED_IMAGE_TEMPO_GATEWAY
-          value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+          value: quay.io/observatorium/api:main-2025-02-12-0636771
         - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
           value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
         - name: RELATED_IMAGE_OAUTH_PROXY

config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml

@@ -896,7 +896,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -924,6 +924,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas

config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml

@@ -896,7 +896,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -924,6 +924,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas

docs/spec/tempo.grafana.com_tempostacks.yaml

@@ -206,6 +206,8 @@ spec:                                    # TempoStackSpec defines the desired st
         route:                           # Route defines the options for the OpenShift route.
           termination: ""                # Termination defines the termination type. The default is "edge".
         type: ""                         # Type defines the type of Ingress for the Jaeger Query UI. Currently ingress, route and none are supported.
+      rbac:                              # RBAC defines RBAC options.
+        enabled: false                   # Enabled defines if the query RBAC should be enabled.
     ingester:                            # Ingester defines the ingester component spec.
       podSecurityContext:                # PodSecurityContext defines security context will be applied to all pods of this component.
         fsGroup: 0                       # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----  If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

internal/manifests/gateway/gateway.go

@@ -121,6 +121,10 @@ func BuildGateway(params manifestutils.Params) ([]client.Object, error) {
 	if err != nil {
 		return nil, err
 	}
+	dep.Spec.Template, err = patchReadRBAC(params, dep.Spec.Template)
+	if err != nil {
+		return nil, err
+	}
 
 	dep.Spec.Template, err = patchTracing(params.Tempo, dep.Spec.Template)
 	if err != nil {
@@ -357,6 +361,27 @@ func patchTraceReadEndpoint(params manifestutils.Params, pod corev1.PodTemplateS
 	return pod, nil
 }
 
+func patchReadRBAC(params manifestutils.Params, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
+	if !params.Tempo.Spec.Template.Gateway.RBAC.Enabled {
+		return pod, nil
+	}
+
+	container := corev1.Container{
+		Args: []string{"--traces.query-rbac=true"},
+	}
+
+	for i := range pod.Spec.Containers {
+		if pod.Spec.Containers[i].Name != containerNameTempoGateway {
+			continue
+		}
+		if err := mergo.Merge(&pod.Spec.Containers[i], container, mergo.WithAppendSlice); err != nil {
+			return corev1.PodTemplateSpec{}, err
+		}
+	}
+
+	return pod, nil
+}
+
 func patchTracing(tempo v1alpha1.TempoStack, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
 	if tempo.Spec.Observability.Tracing.SamplingFraction == "" {
 		return pod, nil