Support multi-tenancy in TempoMonolithic CR

Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
grafana · Feb 22, 2024 · 3f1a6d0 · 3f1a6d0
1 parent 10f1c2b
commit 3f1a6d0
Show file tree

Hide file tree

Showing 65 changed files with 2,774 additions and 392 deletions.
diff --git a/.chloggen/monolithic_multitenancy.yaml b/.chloggen/monolithic_multitenancy.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Support multi-tenancy in TempoMonolithic CR
+
+# One or more tracking issues related to the change
+issues: [816]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/Makefile b/Makefile
@@ -150,7 +150,7 @@ run: manifests generate ## Run a controller from your host.
 	RELATED_IMAGE_TEMPO_QUERY=$(TEMPO_QUERY_IMAGE) \
 	RELATED_IMAGE_TEMPO_GATEWAY=$(TEMPO_GATEWAY_IMAGE) \
 	RELATED_IMAGE_TEMPO_GATEWAY_OPA=$(TEMPO_GATEWAY_OPA_IMAGE) \
-	go run ./main.go --zap-log-level=info start
+	go run ./main.go --zap-log-level=info start --config=.vscode/controller_manager_config.yaml
 
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.

diff --git a/apis/tempo/v1alpha1/common_types.go b/apis/tempo/v1alpha1/common_types.go
@@ -1,6 +1,9 @@
 package v1alpha1
 
-import corev1 "k8s.io/api/core/v1"
+import (
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
 
 // PodStatusMap defines the type for mapping pod status to pod name.
 type PodStatusMap map[corev1.PodPhase][]string
@@ -33,3 +36,13 @@ type TLSSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Min TLS Version"
 	MinVersion string `json:"minVersion,omitempty"`
 }
+
+// ExtraConfigSpec defines extra configurations for tempo that will be merged with the operator generated, configurations defined here
+// has precedence and could override generated config.
+type ExtraConfigSpec struct {
+	// Tempo defines any extra Tempo configuration, which will be merged with the operator's generated Tempo configuration
+	//
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tempo Extra Configurations"
+	Tempo apiextensionsv1.JSON `json:"tempo,omitempty"`
+}
diff --git a/apis/tempo/v1alpha1/tempomonolithic_defaults.go b/apis/tempo/v1alpha1/tempomonolithic_defaults.go
@@ -40,7 +40,8 @@ func (r *TempoMonolithic) Default() {
 			Enabled: true,
 		}
 	}
-	if r.Spec.Ingestion.OTLP.HTTP == nil {
+	// the gateway only supports OTLP/gRPC
+	if r.Spec.Ingestion.OTLP.HTTP == nil && !r.Spec.Multitenancy.IsGatewayEnabled() {
 		r.Spec.Ingestion.OTLP.HTTP = &MonolithicIngestionOTLPProtocolsHTTPSpec{
 			Enabled: true,
 		}

diff --git a/apis/tempo/v1alpha1/tempomonolithic_types.go b/apis/tempo/v1alpha1/tempomonolithic_types.go
@@ -26,6 +26,12 @@ type TempoMonolithicSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger UI",order=3
 	JaegerUI *MonolithicJaegerUISpec `json:"jaegerui,omitempty"`
 
+	// Multitenancy defines the multi-tenancy configuration.
+	//
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Multi-Tenancy"
+	Multitenancy *MonolithicMultitenancySpec `json:"multitenancy,omitempty"`
+
 	// Observability defines the observability configuration of the Tempo deployment.
 	//
 	// +kubebuilder:validation:Optional
@@ -285,6 +291,30 @@ type MonolithicJaegerUIRouteSpec struct {
 	Termination TLSRouteTerminationType `json:"termination,omitempty"`
 }
 
+// MonolithicMultitenancySpec defines the multi-tenancy settings for Tempo.
+type MonolithicMultitenancySpec struct {
+	// Enabled defines if multi-tenancy is enabled.
+	//
+	// +kubebuilder:validation:Required
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enabled",xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	Enabled bool `json:"enabled"`
+
+	TenantsSpec `json:",inline"`
+
+	// Resources defines the compute resource requirements of the gateway container.
+	//
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+}
+
+// IsGatewayEnabled checks if the gateway component should be enabled.
+func (m *MonolithicMultitenancySpec) IsGatewayEnabled() bool {
+	// if multi-tenancy is enabled but no tenant is configured,
+	// enable multi-tenancy in Tempo but do not enable the gateway component
+	return m != nil && m.Enabled && len(m.Authentication) > 0
+}
+
 // MonolithicSchedulerSpec defines schedule settings for Tempo.
 type MonolithicSchedulerSpec struct {
 	// NodeSelector defines which labels are required by a node to schedule the pod onto it.
@@ -409,7 +439,7 @@ type TempoMonolithicStatus struct {
 
 // TempoMonolithic manages a Tempo deployment in monolithic mode.
 //
-// +operator-sdk:csv:customresourcedefinitions:displayName="TempoMonolithic",resources={{ConfigMap,v1},{Service,v1},{StatefulSet,v1},{Ingress,v1},{Route,v1}}
+// +operator-sdk:csv:customresourcedefinitions:displayName="TempoMonolithic",resources={{ConfigMap,v1},{ServiceAccount,v1},{Service,v1},{Secret,v1},{StatefulSet,v1},{Ingress,v1},{Route,v1}}
 //
 //nolint:godot
 type TempoMonolithic struct {

diff --git a/apis/tempo/v1alpha1/tempostack_types.go b/apis/tempo/v1alpha1/tempostack_types.go
@@ -2,7 +2,6 @@ package v1alpha1
 
 import (
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -130,16 +129,6 @@ type TempoStackSpec struct {
 	ExtraConfig *ExtraConfigSpec `json:"extraConfig,omitempty"`
 }
 
-// ExtraConfigSpec defines extra configurations for tempo that will be merged with the operator generated, configurations defined here
-// has precedence and could override generated config.
-type ExtraConfigSpec struct {
-	// Tempo defines any extra Tempo configuration, which will be merged with the operator's generated Tempo configuration
-	//
-	// +optional
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tempo Extra Configurations"
-	Tempo apiextensionsv1.JSON `json:"tempo,omitempty"`
-}
-
 // ObservabilitySpec defines how telemetry data gets handled.
 type ObservabilitySpec struct {
 	// Metrics defines the metrics configuration for operands.

diff --git a/apis/tempo/v1alpha1/zz_generated.deepcopy.go b/apis/tempo/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ metadata:
     capabilities: Deep Insights
     categories: Logging & Tracing,Monitoring
     containerImage: ghcr.io/grafana/tempo-operator/tempo-operator:v0.8.0
-    createdAt: "2024-02-16T13:13:15Z"
+    createdAt: "2024-02-21T18:06:27Z"
     description: Create and manage deployments of Tempo, a high-scale distributed
       tracing backend.
     operatorframework.io/cluster-monitoring: "true"
@@ -103,9 +103,15 @@ spec:
       - kind: Route
         name: ""
         version: v1
+      - kind: Secret
+        name: ""
+        version: v1
       - kind: Service
         name: ""
         version: v1
+      - kind: ServiceAccount
+        name: ""
+        version: v1
       - kind: StatefulSet
         name: ""
         version: v1
@@ -300,6 +306,70 @@ spec:
         path: management
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
+      - description: Multitenancy defines the multi-tenancy configuration.
+        displayName: Multi-Tenancy
+        path: multitenancy
+      - description: Authentication defines the tempo-gateway component authentication
+          configuration spec per tenant.
+        displayName: Authentication
+        path: multitenancy.authentication
+      - description: OIDC defines the spec for the OIDC tenant's authentication.
+        displayName: OIDC Configuration
+        path: multitenancy.authentication[0].oidc
+      - description: IssuerURL defines the URL for issuer.
+        displayName: Issuer URL
+        path: multitenancy.authentication[0].oidc.issuerURL
+      - description: RedirectURL defines the URL for redirect.
+        displayName: Redirect URL
+        path: multitenancy.authentication[0].oidc.redirectURL
+      - description: Secret defines the spec for the clientID, clientSecret and issuerCAPath
+          for tenant's authentication.
+        displayName: Tenant Secret
+        path: multitenancy.authentication[0].oidc.secret
+      - description: Name of a secret in the namespace configured for tenant secrets.
+        displayName: Tenant Secret Name
+        path: multitenancy.authentication[0].oidc.secret.name
+        x-descriptors:
+        - urn:alm:descriptor:io.kubernetes:Secret
+      - description: TenantID defines a universally unique identifier of the tenant.
+          Unlike the tenantName, which must be unique at a given time, the tenantId
+          must be unique over the entire lifetime of the Tempo deployment. Tempo uses
+          this ID to prefix objects in the object storage.
+        displayName: Tenant ID
+        path: multitenancy.authentication[0].tenantId
+      - description: TenantName defines a human readable, unique name of the tenant.
+          The value of this field must be specified in the X-Scope-OrgID header and
+          in the resources field of a ClusterRole to identify the tenant.
+        displayName: Tenant Name
+        path: multitenancy.authentication[0].tenantName
+      - description: Authorization defines the tempo-gateway component authorization
+          configuration spec per tenant.
+        displayName: Authorization
+        path: multitenancy.authorization
+      - description: RoleBindings defines configuration to bind a set of roles to
+          a set of subjects.
+        displayName: Static Role Bindings
+        path: multitenancy.authorization.roleBindings
+      - description: Roles defines a set of permissions to interact with a tenant.
+        displayName: Static Roles
+        path: multitenancy.authorization.roles
+      - description: Enabled defines if multi-tenancy is enabled.
+        displayName: Enabled
+        path: multitenancy.enabled
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: Mode defines the multitenancy mode.
+        displayName: Mode
+        path: multitenancy.mode
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:select:static
+        - urn:alm:descriptor:com.tectonic.ui:select:openshift
+      - description: Resources defines the compute resource requirements of the gateway
+          container.
+        displayName: Resources
+        path: multitenancy.resources
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:resourceRequirements
       - description: NodeSelector defines which labels are required by a node to schedule
           the pod onto it.
         displayName: Node Selector