Add support for query RBAC

.chloggen/query-rbac.yaml

@@ -0,0 +1,28 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add support for query RBAC when Gateway/multitenancy is used.
+
+# One or more tracking issues related to the change
+issues: [1100]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  This feature allows users to apply query RBAC in the multitenancy mode.
+  The RBAC allows filtering span/resource/scope attributes and events based on the namespaces which a user querying the data can access.
+  For instance, a user can only see attributes from namespaces it can access.
+
+  ```yaml
+  spec:
+    template:
+      gateway:
+        enabled: true
+        rbac:
+          enabled: true
+  ```

api/tempo/v1alpha1/tempostack_types.go

@@ -578,6 +578,14 @@ type TempoGatewaySpec struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger gateway Ingress Settings"
 	Ingress IngressSpec `json:"ingress,omitempty"`
+
+	RBAC RBACSpec `json:"rbac,omitempty"`
+}
+
+// RBACSpec defines RBAC options.
+type RBACSpec struct {
+	// Enabled defines if the query RBAC should be enabled.
+	Enabled bool `json:"enabled"`
 }
 
 // TempoQueryFrontendSpec extends TempoComponentSpec with frontend specific parameters.

bundle/community/manifests/tempo-operator.clusterserviceversion.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2024-12-12T05:29:14Z"
+    createdAt: "2025-01-22T15:42:22Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"

bundle/community/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1424,6 +1424,16 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBACSpec defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        required:
+                        - enabled
+                        type: object
                     required:
                     - enabled
                     type: object

bundle/openshift/manifests/tempo-operator.clusterserviceversion.yaml

@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.14.2
-    createdAt: "2024-12-12T05:29:13Z"
+    createdAt: "2025-01-22T15:42:20Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"

bundle/openshift/manifests/tempo.grafana.com_tempostacks.yaml

@@ -1424,6 +1424,16 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBACSpec defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        required:
+                        - enabled
+                        type: object
                     required:
                     - enabled
                     type: object

config/crd/bases/tempo.grafana.com_tempostacks.yaml

@@ -1420,6 +1420,16 @@ spec:
                             - ""
                             type: string
                         type: object
+                      rbac:
+                        description: RBACSpec defines RBAC options.
+                        properties:
+                          enabled:
+                            description: Enabled defines if the query RBAC should
+                              be enabled.
+                            type: boolean
+                        required:
+                        - enabled
+                        type: object
                     required:
                     - enabled
                     type: object

docs/spec/tempo.grafana.com_tempostacks.yaml

@@ -205,6 +205,8 @@ spec:                                    # TempoStackSpec defines the desired st
         route:                           # Route defines the options for the OpenShift route.
           termination: ""                # Termination defines the termination type. The default is "edge".
         type: ""                         # Type defines the type of Ingress for the Jaeger Query UI. Currently ingress, route and none are supported.
+      rbac:                              # RBACSpec defines RBAC options.
+        enabled: false                   # Enabled defines if the query RBAC should be enabled.
     ingester:                            # Ingester defines the ingester component spec.
       podSecurityContext:                # PodSecurityContext defines security context will be applied to all pods of this component.
         fsGroup: 0                       # A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:  1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----  If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

internal/manifests/gateway/gateway.go

@@ -121,6 +121,10 @@ func BuildGateway(params manifestutils.Params) ([]client.Object, error) {
 	if err != nil {
 		return nil, err
 	}
+	dep.Spec.Template, err = patchReadRBAC(params, dep.Spec.Template)
+	if err != nil {
+		return nil, err
+	}
 
 	dep.Spec.Template, err = patchTracing(params.Tempo, dep.Spec.Template)
 	if err != nil {
@@ -357,6 +361,27 @@ func patchTraceReadEndpoint(params manifestutils.Params, pod corev1.PodTemplateS
 	return pod, nil
 }
 
+func patchReadRBAC(params manifestutils.Params, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
+	if !params.Tempo.Spec.Template.Gateway.RBAC.Enabled {
+		return pod, nil
+	}
+
+	container := corev1.Container{
+		Args: []string{"--traces.query-rbac=true"},
+	}
+
+	for i := range pod.Spec.Containers {
+		if pod.Spec.Containers[i].Name != containerNameTempoGateway {
+			continue
+		}
+		if err := mergo.Merge(&pod.Spec.Containers[i], container, mergo.WithAppendSlice); err != nil {
+			return corev1.PodTemplateSpec{}, err
+		}
+	}
+
+	return pod, nil
+}
+
 func patchTracing(tempo v1alpha1.TempoStack, pod corev1.PodTemplateSpec) (corev1.PodTemplateSpec, error) {
 	if tempo.Spec.Observability.Tracing.SamplingFraction == "" {
 		return pod, nil

internal/manifests/gateway/gateway_test.go

@@ -518,6 +518,128 @@ func TestPatchTraceReadEndpoint(t *testing.T) {
 	}
 }
 
+func TestPatchReadRBAC(t *testing.T) {
+	tt := []struct {
+		name        string
+		inputParams manifestutils.Params
+		inputPod    corev1.PodTemplateSpec
+		expectPod   corev1.PodTemplateSpec
+		expectErr   error
+	}{
+		{
+			name: "with read RBAC",
+			inputParams: manifestutils.Params{
+				Tempo: v1alpha1.TempoStack{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "name",
+						Namespace: "default",
+					},
+					Spec: v1alpha1.TempoStackSpec{
+						Template: v1alpha1.TempoTemplateSpec{
+							Gateway: v1alpha1.TempoGatewaySpec{
+								Enabled: true,
+								RBAC: v1alpha1.RBACSpec{
+									Enabled: true,
+								},
+							},
+						},
+					},
+				},
+			},
+			inputPod: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: containerNameTempoGateway,
+							Args: []string{
+								"--abc",
+							},
+						},
+						{
+							Name: "second",
+							Args: []string{
+								"--xyz",
+							},
+						},
+					},
+				},
+			},
+			expectPod: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: containerNameTempoGateway,
+							Args: []string{
+								"--abc",
+								"--traces.query-rbac=true",
+							},
+						},
+						{
+							Name: "second",
+							Args: []string{
+								"--xyz",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "without trace read RBAC",
+			inputParams: manifestutils.Params{
+				Tempo: v1alpha1.TempoStack{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "name",
+						Namespace: "default",
+					},
+					Spec: v1alpha1.TempoStackSpec{
+						Template: v1alpha1.TempoTemplateSpec{
+							Gateway: v1alpha1.TempoGatewaySpec{
+								Enabled: true,
+								RBAC: v1alpha1.RBACSpec{
+									Enabled: false,
+								},
+							},
+						},
+					},
+				},
+			},
+			inputPod: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: containerNameTempoGateway,
+							Args: []string{
+								"--abc",
+							},
+						},
+					},
+				},
+			},
+			expectPod: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: containerNameTempoGateway,
+							Args: []string{
+								"--abc",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			pod, err := patchReadRBAC(tc.inputParams, tc.inputPod)
+			require.Equal(t, tc.expectErr, err)
+			assert.Equal(t, tc.expectPod, pod)
+		})
+	}
+}
+
 func TestTLSParameters(t *testing.T) {
 	tempo := v1alpha1.TempoStack{
 		ObjectMeta: metav1.ObjectMeta{

internal/manifests/gateway/openshift.go

@@ -222,6 +222,7 @@ func NewOpaContainer(ctrlConfig configv1alpha1.ProjectConfig, tenants v1alpha1.T
 	var args = []string{
 		"--log.level=warn",
 		"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+		"--opa.matcher=kubernetes_namespace_name",
 		fmt.Sprintf("--web.listen=:%d", gatewayOPAHTTPPort),
 		fmt.Sprintf("--web.internal.listen=:%d", gatewayOPAInternalPort),
 		fmt.Sprintf("--web.healthchecks.url=http://localhost:%d", gatewayOPAHTTPPort),

internal/manifests/gateway/openshift_test.go

@@ -43,6 +43,7 @@ func TestPatchOPAContainer(t *testing.T) {
 	assert.Equal(t, []string{
 		"--log.level=warn",
 		"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+		"--opa.matcher=kubernetes_namespace_name",
 		"--web.listen=:8082", "--web.internal.listen=:8083",
 		"--web.healthchecks.url=http://localhost:8082",
 		"--opa.package=tempostack",

internal/manifests/monolithic/statefulset_test.go

@@ -938,6 +938,7 @@ func TestStatefulsetGateway(t *testing.T) {
 		Args: []string{
 			"--log.level=warn",
 			"--opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin",
+			"--opa.matcher=kubernetes_namespace_name",
 			"--web.listen=:8082",
 			"--web.internal.listen=:8083",
 			"--web.healthchecks.url=http://localhost:8082",

tests/e2e-openshift/component-replicas/install-tempo-assert.yaml

@@ -233,6 +233,7 @@ spec:
       - args:
         - --log.level=warn
         - --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+        - --opa.matcher=kubernetes_namespace_name
         - --web.listen=:8082
         - --web.internal.listen=:8083
         - --web.healthchecks.url=http://localhost:8082

tests/e2e-openshift/component-replicas/scale-tempo-assert.yaml

@@ -233,6 +233,7 @@ spec:
       - args:
         - --log.level=warn
         - --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+        - --opa.matcher=kubernetes_namespace_name
         - --web.listen=:8082
         - --web.internal.listen=:8083
         - --web.healthchecks.url=http://localhost:8082

tests/e2e-openshift/multitenancy/01-assert.yaml

@@ -170,6 +170,7 @@ spec:
         - --web.healthchecks.url=https://localhost:8080
         - --tls.client-auth-type=NoClientCert
         - --traces.read.endpoint=https://tempo-simplest-query-frontend.chainsaw-multitenancy.svc.cluster.local:16686
+        - --traces.query-rbac=true
         livenessProbe:
           failureThreshold: 10
           httpGet:
@@ -235,6 +236,7 @@ spec:
       - args:
         - --log.level=warn
         - --opa.admin-groups=system:cluster-admins,cluster-admin,dedicated-admin
+        - --opa.matcher=kubernetes_namespace_name
         - --web.listen=:8082
         - --web.internal.listen=:8083
         - --web.healthchecks.url=http://localhost:8082

tests/e2e-openshift/multitenancy/01-install-tempo.yaml

@@ -25,6 +25,8 @@ spec:
   template:
     gateway:
       enabled: true
+      rbac:
+        enabled: true
     queryFrontend:
       jaegerQuery:
         enabled: true