Add oauth-proxy to monolithic (#921)

* Add oauth-proxy to monolithic Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * Update apis/tempo/v1alpha1/tempomonolithic_types.go Co-authored-by: Andreas Gerstmayr <andreas@gerstmayr.me> * Update apis/tempo/v1alpha1/tempomonolithic_types.go Co-authored-by: Andreas Gerstmayr <andreas@gerstmayr.me> * Address comments Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * Add resources to auth spec Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * refactor conditions for defaults on monolithic Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * Add unit tests to default Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * Add tempo stack default test for oauth Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> * Increase coverage Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> --------- Signed-off-by: Ruben Vargas <ruben.vp8510@gmail.com> Co-authored-by: Andreas Gerstmayr <andreas@gerstmayr.me>
grafana · May 14, 2024 · 314aea0 · 314aea0
1 parent 380de19
commit 314aea0
Show file tree

Hide file tree

Showing 27 changed files with 1,879 additions and 470 deletions.
diff --git a/.chloggen/monolitic_oauth_proxy.yaml b/.chloggen/monolitic_oauth_proxy.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add oauth-proxy support for tempo monolithic
+
+# One or more tracking issues related to the change
+issues: [922]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/apis/tempo/v1alpha1/common_types.go b/apis/tempo/v1alpha1/common_types.go
@@ -46,3 +46,27 @@ type ExtraConfigSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tempo Extra Configurations"
 	Tempo apiextensionsv1.JSON `json:"tempo,omitempty"`
 }
+
+// JaegerQueryAuthenticationSpec defines options applied to proxy sidecar that controls the authentication of the jaeger UI.
+type JaegerQueryAuthenticationSpec struct {
+	// Defines if the authentication will be enabled for jaeger UI.
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enabled",order=1,xDescriptors="urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
+	Enabled bool `json:"enabled"`
+
+	// SAR defines the SAR to be used in the oauth-proxy
+	// default is "{"namespace": "<tempo_stack_namespace>", "resource": "pods", "verb": "get"}
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="SAR"
+	SAR string `json:"sar,omitempty"`
+	// Resources defines the compute resource requirements of the OAuth Proxy container.
+	// The OAuth Proxy performs authentication and authorization of incoming requests to Jaeger UI when multi-tenancy is disabled.
+	//
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources",xDescriptors="urn:alm:descriptor:com.tectonic.ui:resourceRequirements"
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+}
diff --git a/apis/tempo/v1alpha1/tempomonolithic_defaults.go b/apis/tempo/v1alpha1/tempomonolithic_defaults.go
@@ -1,6 +1,9 @@
 package v1alpha1
 
 import (
+	"fmt"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/utils/ptr"
 
@@ -53,15 +56,28 @@ func (r *TempoMonolithic) Default(ctrlConfig configv1alpha1.ProjectConfig) {
 			Enabled: true,
 		}
 	}
-
 	if r.Spec.JaegerUI != nil && r.Spec.JaegerUI.Enabled &&
-		r.Spec.JaegerUI.Route != nil && r.Spec.JaegerUI.Route.Enabled &&
-		r.Spec.JaegerUI.Route.Termination == "" {
-		if r.Spec.Multitenancy.IsGatewayEnabled() && ctrlConfig.Gates.OpenShift.ServingCertsService {
-			// gateway uses TLS
-			r.Spec.JaegerUI.Route.Termination = TLSRouteTerminationTypePassthrough
-		} else {
-			r.Spec.JaegerUI.Route.Termination = TLSRouteTerminationTypeEdge
+		r.Spec.JaegerUI.Route != nil && r.Spec.JaegerUI.Route.Enabled {
+
+		if r.Spec.JaegerUI.Route.Termination == "" {
+			if r.Spec.Multitenancy.IsGatewayEnabled() && ctrlConfig.Gates.OpenShift.ServingCertsService {
+				// gateway uses TLS
+				r.Spec.JaegerUI.Route.Termination = TLSRouteTerminationTypePassthrough
+			} else {
+				r.Spec.JaegerUI.Route.Termination = TLSRouteTerminationTypeEdge
+			}
+		}
+
+		if r.Spec.JaegerUI.Authentication == nil {
+			r.Spec.JaegerUI.Authentication = &JaegerQueryAuthenticationSpec{
+				Enabled: ctrlConfig.Gates.OpenShift.OauthProxy.DefaultEnabled,
+			}
+		}
+
+		if len(strings.TrimSpace(r.Spec.JaegerUI.Authentication.SAR)) == 0 {
+			defaultSAR := fmt.Sprintf("{\"namespace\": \"%s\", \"resource\": \"pods\", \"verb\": \"get\"}", r.Namespace)
+			r.Spec.JaegerUI.Authentication.SAR = defaultSAR
 		}
+
 	}
 }
diff --git a/apis/tempo/v1alpha1/tempomonolithic_defaults_test.go b/apis/tempo/v1alpha1/tempomonolithic_defaults_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/api/resource"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	configv1alpha1 "github.com/grafana/tempo-operator/apis/config/v1alpha1"
 )
@@ -126,6 +127,270 @@ func TestMonolithicDefault(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "enable jaeger ui oauth when feature gate is enabled",
+			ctrlConfig: configv1alpha1.ProjectConfig{
+				Gates: configv1alpha1.FeatureGates{
+					OpenShift: configv1alpha1.OpenShiftFeatureGates{
+						OauthProxy: configv1alpha1.OauthProxyFeatureGates{
+							DefaultEnabled: true,
+						},
+					},
+				},
+			},
+			input: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled: true,
+						},
+					},
+				},
+			},
+			expected: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					Ingestion: &MonolithicIngestionSpec{
+						OTLP: &MonolithicIngestionOTLPSpec{
+							GRPC: &MonolithicIngestionOTLPProtocolsGRPCSpec{
+								Enabled: true,
+							},
+							HTTP: &MonolithicIngestionOTLPProtocolsHTTPSpec{
+								Enabled: true,
+							},
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled:     true,
+							Termination: TLSRouteTerminationTypeEdge,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+					Management: "Managed",
+				},
+			},
+		},
+		{
+			name: "no touch jaeger ui oauth when feature gate is enabled and user specified false value explicit",
+			ctrlConfig: configv1alpha1.ProjectConfig{
+				Gates: configv1alpha1.FeatureGates{
+					OpenShift: configv1alpha1.OpenShiftFeatureGates{
+						OauthProxy: configv1alpha1.OauthProxyFeatureGates{
+							DefaultEnabled: true,
+						},
+					},
+				},
+			},
+			input: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled: true,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: false,
+						},
+					},
+				},
+			},
+			expected: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					Ingestion: &MonolithicIngestionSpec{
+						OTLP: &MonolithicIngestionOTLPSpec{
+							GRPC: &MonolithicIngestionOTLPProtocolsGRPCSpec{
+								Enabled: true,
+							},
+							HTTP: &MonolithicIngestionOTLPProtocolsHTTPSpec{
+								Enabled: true,
+							},
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled:     true,
+							Termination: TLSRouteTerminationTypeEdge,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: false,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+					Management: "Managed",
+				},
+			},
+		},
+		{
+			name: "no touch jaeger ui oauth when feature gate is disabled (true case)",
+			input: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled: true,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+				},
+			},
+			expected: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					Ingestion: &MonolithicIngestionSpec{
+						OTLP: &MonolithicIngestionOTLPSpec{
+							GRPC: &MonolithicIngestionOTLPProtocolsGRPCSpec{
+								Enabled: true,
+							},
+							HTTP: &MonolithicIngestionOTLPProtocolsHTTPSpec{
+								Enabled: true,
+							},
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled:     true,
+							Termination: TLSRouteTerminationTypeEdge,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: true,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+					Management: "Managed",
+				},
+			},
+		},
+		{
+			name: "no touch jaeger ui oauth when feature gate is disabled (false case)",
+			input: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled: true,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: false,
+						},
+					},
+				},
+			},
+			expected: &TempoMonolithic{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: TempoMonolithicSpec{
+					Storage: &MonolithicStorageSpec{
+						Traces: MonolithicTracesStorageSpec{
+							Backend: "s3",
+							Size:    &twentyGBQuantity,
+						},
+					},
+					Ingestion: &MonolithicIngestionSpec{
+						OTLP: &MonolithicIngestionOTLPSpec{
+							GRPC: &MonolithicIngestionOTLPProtocolsGRPCSpec{
+								Enabled: true,
+							},
+							HTTP: &MonolithicIngestionOTLPProtocolsHTTPSpec{
+								Enabled: true,
+							},
+						},
+					},
+					JaegerUI: &MonolithicJaegerUISpec{
+						Enabled: true,
+						Route: &MonolithicJaegerUIRouteSpec{
+							Enabled:     true,
+							Termination: TLSRouteTerminationTypeEdge,
+						},
+						Authentication: &JaegerQueryAuthenticationSpec{
+							Enabled: false,
+							SAR:     "{\"namespace\": \"testns\", \"resource\": \"pods\", \"verb\": \"get\"}",
+						},
+					},
+					Management: "Managed",
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/apis/tempo/v1alpha1/tempomonolithic_types.go b/apis/tempo/v1alpha1/tempomonolithic_types.go
@@ -237,6 +237,13 @@ type MonolithicJaegerUISpec struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Route",order=4
 	Route *MonolithicJaegerUIRouteSpec `json:"route,omitempty"`
+
+	// Authentication defines the options for the oauth proxy used to protect jaeger UI
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Jaeger UI authentication configuration",order=5
+	Authentication *JaegerQueryAuthenticationSpec `json:"authentication,omitempty"`
 }
 
 // MonolithicJaegerUIIngressSpec defines the settings for the Jaeger UI ingress.