Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use tempo service account for accessing user-workload monitoring stack #526

Closed
pavolloffay opened this issue Jul 26, 2023 · 0 comments · Fixed by #592
Closed

Use tempo service account for accessing user-workload monitoring stack #526

pavolloffay opened this issue Jul 26, 2023 · 0 comments · Fixed by #592
Labels
enhancement New feature or request

Comments

@pavolloffay
Copy link
Collaborator

The #470 adds support for the monitor tab and on OpenShift it uses thanos-query as the metrics store.

On OpenShift the #470 requires that a user creates ClusterRoleBinding to give user permission to query metrics from Thanos e.g. The user token is sent to Thanos (instead of tempo-query SA) because --query.bearer-token-propagation=true is set on tempo-query.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jaeger-cluster-monitoring-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-monitoring-view
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:unauthenticated

The proposal is to send tempo SA as token to Thanos and let the operator to create the binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tempo-cluster-monitoring-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-monitoring-view
subjects:
  - kind: ServiceAccount
    name: tempo-simplest
    namespace: ploffay

This will as well require change on Jaeger codebase to make sure Tempo token is set even when --query.bearer-token-propagation=true is set - see https://github.com/jaegertracing/jaeger/blob/9c787fca2dfcbe4182de85d34f36ba6cd18bbb7e/plugin/metrics/prometheus/metricsstore/reader.go#L323
@pavolloffay pavolloffay added the enhancement New feature or request label Jul 26, 2023
This was referenced Sep 5, 2023
Merged
Merged
yurishkuro added a commit to jaegertracing/jaeger that referenced this issue Sep 6, 2023
@pavolloffay @yurishkuro
Allow disabling brearer token override from request in metrics store (#…
5742846 
…4726)

Relates to grafana/tempo-operator#526

---------

Signed-off-by: Pavol Loffay <p.loffay@gmail.com>
Co-authored-by: Yuri Shkuro <yurishkuro@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use tempo SA to query RED metrics from OpenShift monitoring stack pavolloffay/tempo-operator
1 participant
@pavolloffay