Add support for query RBAC to tempomonolithic (grafana#1131)

Signed-off-by: Pavol Loffay <[email protected]>
tempooperatorbot · Feb 25, 2025 · 5edc23a · 5edc23a
1 parent 27104b5
commit 5edc23a
Show file tree

Hide file tree

Showing 22 changed files with 601 additions and 11 deletions.
diff --git a/.chloggen/rbac-monolithic.yaml b/.chloggen/rbac-monolithic.yaml
@@ -0,0 +1,26 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC
+
+# One or more tracking issues related to the change
+issues: [1131]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: | 
+  This feature allows users to apply query RBAC in the multitenancy mode.
+  The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+  For instance, a user can only see attributes from namespaces it can access.
+  
+  ```yaml
+  spec:
+    query:
+      rbac:
+        enabled: true
+  ```
diff --git a/api/tempo/v1alpha1/tempomonolithic_defaults.go b/api/tempo/v1alpha1/tempomonolithic_defaults.go
@@ -102,4 +102,7 @@ func (r *TempoMonolithic) Default(ctrlConfig configv1alpha1.ProjectConfig) {
 	if r.Spec.Timeout.Duration == 0 {
 		r.Spec.Timeout = defaultTimeout
 	}
+	if r.Spec.Query == nil {
+		r.Spec.Query = &MonolithicQuerySpec{}
+	}
 }
diff --git a/api/tempo/v1alpha1/tempomonolithic_defaults_test.go b/api/tempo/v1alpha1/tempomonolithic_defaults_test.go
@@ -49,6 +49,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -83,6 +84,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -109,6 +111,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Unmanaged",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 			expected: &TempoMonolithic{
@@ -131,6 +134,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Unmanaged",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -203,6 +207,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -278,6 +283,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -345,6 +351,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -412,6 +419,7 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query:      &MonolithicQuerySpec{},
 				},
 			},
 		},
@@ -478,6 +486,60 @@ func TestMonolithicDefault(t *testing.T) {
 					},
 					Management: "Managed",
 					Timeout:    metav1.Duration{Duration: time.Hour},
+					Query:      &MonolithicQuerySpec{},
+				},
+			},
+		},
+		{
+			name: "query defined",
+			input: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "memory",
+							Size:    &twoGBQuantity,
+						},
+					},
+					Query: &MonolithicQuerySpec{
+						RBAC: RBACSpec{
+							Enabled: true,
+						},
+					},
+				},
+			},
+			expected: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Ingestion: &MonolithicIngestionSpec{
+						OTLP: &MonolithicIngestionOTLPSpec{
+							GRPC: &MonolithicIngestionOTLPProtocolsGRPCSpec{
+								Enabled: true,
+							},
+							HTTP: &MonolithicIngestionOTLPProtocolsHTTPSpec{
+								Enabled: true,
+							},
+						},
+					},
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "memory",
+							Size:    &twoGBQuantity,
+						},
+					},
+					Management: "Managed",
+					Timeout:    metav1.Duration{Duration: time.Second * 30},
+					Query: &MonolithicQuerySpec{
+						RBAC: RBACSpec{
+							Enabled: true,
+						},
+					},
 				},
 			},
 		},

diff --git a/api/tempo/v1alpha1/tempomonolithic_types.go b/api/tempo/v1alpha1/tempomonolithic_types.go
@@ -68,9 +68,26 @@ type TempoMonolithicSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Extra Configuration",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
 	ExtraConfig *ExtraConfigSpec `json:"extraConfig,omitempty"`
 
+	// Query defines query configuration.
+	//
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query Configuration",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
+	Query *MonolithicQuerySpec `json:"query,omitempty"`
+
 	MonolithicSchedulerSpec `json:",inline"`
 }
 
+// MonolithicQuerySpec defines the query configuration.
+type MonolithicQuerySpec struct {
+	// RBAC defines query RBAC options.
+	// This option can be used only with multi-tenancy.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Settings"
+	RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
 // MonolithicStorageSpec defines the storage for the Tempo deployment.
 type MonolithicStorageSpec struct {
 	// Traces defines the storage configuration for traces.

diff --git a/api/tempo/v1alpha1/tempostack_types.go b/api/tempo/v1alpha1/tempostack_types.go
@@ -592,7 +592,7 @@ type TempoGatewaySpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Gateway Ingress Settings"
 	Ingress IngressSpec `json:"ingress,omitempty"`
 
-	// RBAC defines RBAC options.
+	// RBAC defines query RBAC options.
 	//
 	// +optional
 	// +kubebuilder:validation:Optional

diff --git a/api/tempo/v1alpha1/zz_generated.deepcopy.go b/api/tempo/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.15.2
-    createdAt: "2025-02-24T14:25:33Z"
+    createdAt: "2025-02-25T15:15:23Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -459,6 +459,19 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: Query defines query configuration.
+        displayName: Query Configuration
+        path: query
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: query.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: query.rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -995,7 +1008,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

diff --git a/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml
@@ -1531,6 +1531,19 @@ spec:
                         type: object
                     type: object
                 type: object
+              query:
+                description: Query defines query configuration.
+                properties:
+                  rbac:
+                    description: |-
+                      RBAC defines query RBAC options.
+                      This option can be used only with multi-tenancy.
+                    properties:
+                      enabled:
+                        description: Enabled defines if the query RBAC should be enabled.
+                        type: boolean
+                    type: object
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

diff --git a/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/community/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1435,7 +1435,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should

diff --git a/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.15.2
-    createdAt: "2025-02-24T14:25:31Z"
+    createdAt: "2025-02-25T15:15:22Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -459,6 +459,19 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: Query defines query configuration.
+        displayName: Query Configuration
+        path: query
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: query.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: query.rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -995,7 +1008,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml
@@ -1531,6 +1531,19 @@ spec:
                         type: object
                     type: object
                 type: object
+              query:
+                description: Query defines query configuration.
+                properties:
+                  rbac:
+                    description: |-
+                      RBAC defines query RBAC options.
+                      This option can be used only with multi-tenancy.
+                    properties:
+                      enabled:
+                        description: Enabled defines if the query RBAC should be enabled.
+                        type: boolean
+                    type: object
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

diff --git a/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml b/bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml
@@ -1435,7 +1435,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should

diff --git a/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml b/config/crd/bases/tempo.grafana.com_tempomonolithics.yaml
@@ -1527,6 +1527,19 @@ spec:
                         type: object
                     type: object
                 type: object
+              query:
+                description: Query defines query configuration.
+                properties:
+                  rbac:
+                    description: |-
+                      RBAC defines query RBAC options.
+                      This option can be used only with multi-tenancy.
+                    properties:
+                      enabled:
+                        description: Enabled defines if the query RBAC should be enabled.
+                        type: boolean
+                    type: object
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

diff --git a/config/crd/bases/tempo.grafana.com_tempostacks.yaml b/config/crd/bases/tempo.grafana.com_tempostacks.yaml
@@ -1431,7 +1431,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should