Add support for query RBAC to tempomonolithic

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

.chloggen/rbac-monolithic.yaml

@@ -0,0 +1,26 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enahancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempomonolithic
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC
+
+# One or more tracking issues related to the change
+issues: []
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: | 
+  This feature allows users to apply query RBAC in the multitenancy mode.
+  The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+  For instance, a user can only see attributes from namespaces it can access.
+  
+  ```yaml
+  spec:
+    query:
+      rbac:
+        enabled: true
+  ```

api/tempo/v1alpha1/tempomonolithic_types.go

@@ -68,9 +68,26 @@ type TempoMonolithicSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Extra Configuration",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
 	ExtraConfig *ExtraConfigSpec `json:"extraConfig,omitempty"`
 
+	// Query defines query configuration.
+	//
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query Configuration",xDescriptors="urn:alm:descriptor:com.tectonic.ui:advanced"
+	Query MonolithicQuerySpec `json:"query,omitempty"`
+
 	MonolithicSchedulerSpec `json:",inline"`
 }
 
+// MonolithicQuerySpec defines the query configuration.
+type MonolithicQuerySpec struct {
+	// RBAC defines query RBAC options.
+	// This option can be used only with multi-tenancy.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Settings"
+	RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
 // MonolithicStorageSpec defines the storage for the Tempo deployment.
 type MonolithicStorageSpec struct {
 	// Traces defines the storage configuration for traces.

api/tempo/v1alpha1/tempostack_types.go

@@ -592,7 +592,7 @@ type TempoGatewaySpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Gateway Ingress Settings"
 	Ingress IngressSpec `json:"ingress,omitempty"`
 
-	// RBAC defines RBAC options.
+	// RBAC defines query RBAC options.
 	//
 	// +optional
 	// +kubebuilder:validation:Optional

api/tempo/v1alpha1/zz_generated.deepcopy.go

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.15.1
-    createdAt: "2025-02-17T13:21:50Z"
+    createdAt: "2025-02-20T16:35:44Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -459,6 +459,14 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -995,7 +1003,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

bundle/community/manifests/tempo-operator.clusterserviceversion.yaml

@@ -1531,6 +1531,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              rbac:
+                description: |-
+                  RBAC defines query RBAC options.
+                  This option can be used only with multi-tenancy.
+                properties:
+                  enabled:
+                    description: Enabled defines if the query RBAC should be enabled.
+                    type: boolean
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

bundle/community/manifests/tempo.grafana.com_tempomonolithics.yaml

@@ -1435,7 +1435,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should

bundle/community/manifests/tempo.grafana.com_tempostacks.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.15.1
-    createdAt: "2025-02-17T13:21:48Z"
+    createdAt: "2025-02-20T16:35:43Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -459,6 +459,14 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -995,7 +1003,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml

@@ -1531,6 +1531,15 @@ spec:
                         type: object
                     type: object
                 type: object
+              rbac:
+                description: |-
+                  RBAC defines query RBAC options.
+                  This option can be used only with multi-tenancy.
+                properties:
+                  enabled:
+                    description: Enabled defines if the query RBAC should be enabled.
+                    type: boolean
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

bundle/openshift/manifests/tempo.grafana.com_tempomonolithics.yaml

@@ -1435,7 +1435,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should

bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1527,6 +1527,19 @@ spec:
                         type: object
                     type: object
                 type: object
+              query:
+                description: Query defines query configuration.
+                properties:
+                  rbac:
+                    description: |-
+                      RBAC defines query RBAC options.
+                      This option can be used only with multi-tenancy.
+                    properties:
+                      enabled:
+                        description: Enabled defines if the query RBAC should be enabled.
+                        type: boolean
+                    type: object
+                type: object
               resources:
                 description: Resources defines the compute resource requirements of
                   the Tempo container.

config/crd/bases/tempo.grafana.com_tempomonolithics.yaml

@@ -1431,7 +1431,7 @@ spec:
                             type: string
                         type: object
                       rbac:
-                        description: RBAC defines RBAC options.
+                        description: RBAC defines query RBAC options.
                         properties:
                           enabled:
                             description: Enabled defines if the query RBAC should

config/crd/bases/tempo.grafana.com_tempostacks.yaml

@@ -388,6 +388,14 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -924,7 +932,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

config/manifests/community/bases/tempo-operator.clusterserviceversion.yaml

@@ -388,6 +388,14 @@ spec:
       - description: ServiceMonitors defines the ServiceMonitor configuration.
         displayName: Service Monitors
         path: observability.metrics.serviceMonitors
+      - description: |-
+          RBAC defines query RBAC options.
+          This option can be used only with multi-tenancy.
+        displayName: Query RBAC Settings
+        path: rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: rbac.enabled
       - description: ServiceAccount defines the Service Account to use for all Tempo
           components.
         displayName: Service Account
@@ -924,7 +932,7 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
-      - description: RBAC defines RBAC options.
+      - description: RBAC defines query RBAC options.
         displayName: Query RBAC Settings
         path: template.gateway.rbac
       - description: Enabled defines if the query RBAC should be enabled.

config/manifests/openshift/bases/tempo-operator.clusterserviceversion.yaml

@@ -111,6 +111,8 @@ spec:                                    # TempoMonolithicSpec defines the desir
         enabled: false                   # Enabled defines if PrometheusRule objects should be created for this Tempo deployment.
       serviceMonitors:                   # ServiceMonitors defines the ServiceMonitor configuration.
         enabled: false                   # Enabled defines if ServiceMonitor objects should be created for this Tempo deployment.
+  rbac:                                  # RBAC defines query RBAC options. This option can be used only with multi-tenancy.
+    enabled: false                       # Enabled defines if the query RBAC should be enabled.
   serviceAccount: ""                     # ServiceAccount defines the Service Account to use for all Tempo components.
   storage:                               # Storage defines the storage configuration.
     traces:                              # Traces defines the storage configuration for traces.

docs/spec/tempo.grafana.com_tempomonolithics.yaml

@@ -206,7 +206,7 @@ spec:                                    # TempoStackSpec defines the desired st
         route:                           # Route defines the options for the OpenShift route.
           termination: ""                # Termination defines the termination type. The default is "edge".
         type: ""                         # Type defines the type of Ingress for the Jaeger Query UI. Currently ingress, route and none are supported.
-      rbac:                              # RBAC defines RBAC options.
+      rbac:                              # RBAC defines query RBAC options.
         enabled: false                   # Enabled defines if the query RBAC should be enabled.
     ingester:                            # Ingester defines the ingester component spec.
       podSecurityContext:                # PodSecurityContext defines security context will be applied to all pods of this component.

docs/spec/tempo.grafana.com_tempostacks.yaml

@@ -431,6 +431,10 @@ func configureGateway(opts Options, sts *appsv1.StatefulSet) error {
 		args = append(args, fmt.Sprintf("--traces.read.endpoint=http://localhost:%d", manifestutils.PortJaegerQuery)) // Jaeger UI upstream
 	}
 
+	if tempo.Spec.Query.RBAC.Enabled {
+		args = append(args, "--traces.query-rbac=true")
+	}
+
 	if opts.CtrlConfig.Gates.OpenShift.ServingCertsService {
 		args = append(args, []string{
 			fmt.Sprintf("--tls.server.cert-file=%s", path.Join(servingCertDir, "tls.crt")), // TLS of public HTTP (8080) and gRPC (8090) server