Add support for query RBAC (#1100)

* Add support for query RBAC

Signed-off-by: Pavol Loffay <[email protected]>

* Add webhook validation

Signed-off-by: Pavol Loffay <[email protected]>

* Update gateway

Signed-off-by: Pavol Loffay <[email protected]>

* Fix

Signed-off-by: Pavol Loffay <[email protected]>

---------

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

.chloggen/query-rbac.yaml

@@ -0,0 +1,28 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC when Gateway/multitenancy is used.
+
+# One or more tracking issues related to the change
+issues: [1100]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  This feature allows users to apply query RBAC in the multitenancy mode.
+  The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+  For instance, a user can only see attributes from namespaces it can access.
+  
+  ```yaml
+  spec:
+    template:
+      gateway:
+        enabled: true
+        rbac:
+          enabled: true
+  ```

Makefile

@@ -3,7 +3,7 @@ OPERATOR_VERSION ?= 0.14.2
 TEMPO_VERSION ?= 2.7.0
 JAEGER_QUERY_VERSION ?= 1.62.0
 TEMPO_QUERY_VERSION ?= 2.7.0
-TEMPO_GATEWAY_VERSION ?= main-2024-11-05-28e4c83
+TEMPO_GATEWAY_VERSION ?= main-2025-02-12-0636771
 TEMPO_GATEWAY_OPA_VERSION ?= main-2024-10-09-7237863
 OAUTH_PROXY_VERSION=4.14
 

api/tempo/v1alpha1/tempostack_types.go

@@ -589,8 +589,25 @@ type TempoGatewaySpec struct {
 	//
 	// +optional
 	// +kubebuilder:validation:Optional
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger gateway Ingress Settings"
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Gateway Ingress Settings"
 	Ingress IngressSpec `json:"ingress,omitempty"`
+
+	// RBAC defines RBAC options.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Settings"
+	RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
+// RBACSpec defines RBAC options.
+type RBACSpec struct {
+	// Enabled defines if the query RBAC should be enabled.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Query RBAC Enabled"
+	Enabled bool `json:"enabled"`
 }
 
 // TempoQueryFrontendSpec extends TempoComponentSpec with frontend specific parameters.

api/tempo/v1alpha1/zz_generated.deepcopy.go

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2025-02-05T16:29:10Z"
+    createdAt: "2025-02-14T12:37:26Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -995,6 +995,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas
@@ -1508,7 +1514,7 @@ spec:
                 - name: RELATED_IMAGE_TEMPO_QUERY
                   value: docker.io/grafana/tempo-query:2.7.0
                 - name: RELATED_IMAGE_TEMPO_GATEWAY
-                  value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+                  value: quay.io/observatorium/api:main-2025-02-12-0636771
                 - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
                   value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
                 - name: RELATED_IMAGE_OAUTH_PROXY
@@ -1637,7 +1643,7 @@ spec:
     name: jaeger-query
   - image: docker.io/grafana/tempo-query:2.7.0
     name: tempo-query
-  - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+  - image: quay.io/observatorium/api:main-2025-02-12-0636771
     name: tempo-gateway
   - image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
     name: tempo-gateway-opa

bundle/community/manifests/tempo-operator.clusterserviceversion.yaml

@@ -1434,6 +1434,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

bundle/community/manifests/tempo.grafana.com_tempostacks.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2025-02-05T16:29:09Z"
+    createdAt: "2025-02-14T12:37:25Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -967,7 +967,7 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
       - description: Ingress defines gateway Ingress options.
-        displayName: Jaeger gateway Ingress Settings
+        displayName: Gateway Ingress Settings
         path: template.gateway.ingress
       - description: Annotations defines the annotations of the Ingress object.
         displayName: Annotations
@@ -995,6 +995,12 @@ spec:
           all pods of this component.
         displayName: PodSecurityContext
         path: template.gateway.podSecurityContext
+      - description: RBAC defines RBAC options.
+        displayName: Query RBAC Settings
+        path: template.gateway.rbac
+      - description: Enabled defines if the query RBAC should be enabled.
+        displayName: Query RBAC Enabled
+        path: template.gateway.rbac.enabled
       - description: Replicas defines the number of replicas to be created for this
           component.
         displayName: Component Replicas
@@ -1520,7 +1526,7 @@ spec:
                 - name: RELATED_IMAGE_TEMPO_QUERY
                   value: docker.io/grafana/tempo-query:2.7.0
                 - name: RELATED_IMAGE_TEMPO_GATEWAY
-                  value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+                  value: quay.io/observatorium/api:main-2025-02-12-0636771
                 - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
                   value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
                 - name: RELATED_IMAGE_OAUTH_PROXY
@@ -1655,7 +1661,7 @@ spec:
     name: jaeger-query
   - image: docker.io/grafana/tempo-query:2.7.0
     name: tempo-query
-  - image: quay.io/observatorium/api:main-2024-11-05-28e4c83
+  - image: quay.io/observatorium/api:main-2025-02-12-0636771
     name: tempo-gateway
   - image: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
     name: tempo-gateway-opa

bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml

@@ -1434,6 +1434,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1430,6 +1430,14 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBAC defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        type: object
                     required:
                     - enabled
                     type: object

config/crd/bases/tempo.grafana.com_tempostacks.yaml

@@ -46,7 +46,7 @@ spec:
         - name: RELATED_IMAGE_TEMPO_QUERY
           value: docker.io/grafana/tempo-query:2.7.0
         - name: RELATED_IMAGE_TEMPO_GATEWAY
-          value: quay.io/observatorium/api:main-2024-11-05-28e4c83
+          value: quay.io/observatorium/api:main-2025-02-12-0636771
         - name: RELATED_IMAGE_TEMPO_GATEWAY_OPA
           value: quay.io/observatorium/opa-openshift:main-2024-10-09-7237863
         - name: RELATED_IMAGE_OAUTH_PROXY