Add tests for Tempo single tenant oauth

tests/e2e-openshift/monolithic-single-tenant-auth/chainsaw-test.yaml

@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: monolithic-single-tenant-auth
+spec:
+  namespace: chainsaw-mst
+  steps:
+  - name: Create Tempo Monolithic instance
+    try:
+    - apply:
+        file: install-tempo.yaml
+    - assert:
+        file: install-tempo-assert.yaml
+  - name: Generate traces
+    try:
+    - apply:
+        file: generate-traces.yaml
+    - assert:
+        file: generate-traces-assert.yaml
+  - name: Verify traces using Jaeger UI
+    try:
+    - apply:
+        file: verify-traces-jaeger.yaml
+    - assert:
+        file: verify-traces-jaeger-assert.yaml
+  - name: Verify traces from TraceQL
+    try:
+    - apply:
+        file: verify-traces-grafana.yaml
+    - assert:
+        file: verify-traces-grafana-assert.yaml

tests/e2e-openshift/monolithic-single-tenant-auth/generate-traces-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces
+  namespace: chainsaw-mst
+status:
+  conditions:
+    - status: "True"
+      type: Complete

tests/e2e-openshift/monolithic-single-tenant-auth/generate-traces.yaml

@@ -0,0 +1,18 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces
+  namespace: chainsaw-mst
+spec:
+  template:
+    spec:
+      containers:
+      - name: telemetrygen
+        image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0
+        args:
+        - traces
+        - --otlp-endpoint=tempo-monolithic-st:4317
+        - --otlp-insecure
+        - --traces=10
+      restartPolicy: Never
+  backoffLimit: 4

tests/e2e-openshift/monolithic-single-tenant-auth/install-tempo-assert.yaml

@@ -0,0 +1,136 @@
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: monolithic-st
+  namespace: chainsaw-mst
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: tempo
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  name: tempo-monolithic-st
+  namespace: chainsaw-mst
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: tempo
+      app.kubernetes.io/instance: monolithic-st
+      app.kubernetes.io/managed-by: tempo-operator
+      app.kubernetes.io/name: tempo-monolithic
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: tempo
+        app.kubernetes.io/instance: monolithic-st
+        app.kubernetes.io/managed-by: tempo-operator
+        app.kubernetes.io/name: tempo-monolithic
+    spec:
+      containers:
+      - name: tempo
+      - name: tempo-query
+      - name: oauth-proxy
+        resources:
+          limits:
+            cpu: 200m
+            memory: 512Gi
+          requests:
+            cpu: 100m
+            memory: 256Mi
+status:
+  availableReplicas: 1
+  currentReplicas: 1
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app.kubernetes.io/component: tempo
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  namespace: chainsaw-mst
+status:
+  containerStatuses:
+  - name: oauth-proxy
+    ready: true
+    started: true
+  - name: tempo
+    ready: true
+    started: true
+  - name: tempo-query
+    ready: true
+    started: true
+  phase: Running
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: tempo
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  name: tempo-monolithic-st
+  namespace: chainsaw-mst
+spec:
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http
+    port: 3200
+    protocol: TCP
+    targetPort: http
+  - name: otlp-grpc
+    port: 4317
+    protocol: TCP
+    targetPort: otlp-grpc
+  - name: otlp-http
+    port: 4318
+    protocol: TCP
+    targetPort: otlp-http
+  selector:
+    app.kubernetes.io/component: tempo
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: jaegerui
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic
+  name: tempo-monolithic-st-jaegerui
+  namespace: chainsaw-mst
+spec:
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: jaeger-grpc
+    port: 16685
+    protocol: TCP
+    targetPort: jaeger-grpc
+  - name: jaeger-ui
+    port: 16686
+    protocol: TCP
+    targetPort: jaeger-ui
+  - name: jaeger-metrics
+    port: 16687
+    protocol: TCP
+    targetPort: jaeger-metrics
+  - name: oauth-proxy
+    port: 8443
+    protocol: TCP
+    targetPort: oauth-proxy
+  selector:
+    app.kubernetes.io/component: tempo
+    app.kubernetes.io/instance: monolithic-st
+    app.kubernetes.io/managed-by: tempo-operator
+    app.kubernetes.io/name: tempo-monolithic

tests/e2e-openshift/monolithic-single-tenant-auth/install-tempo.yaml

@@ -0,0 +1,61 @@
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: monolithic-st
+  namespace: chainsaw-mst
+spec:
+  jaegerui:
+    enabled: true
+    authentication:
+      enabled: true
+      sar: "{\"namespace\": \"chainsaw-mst\", \"resource\": \"pods\", \"verb\": \"get\"}"
+      resources:
+        limits:
+          cpu: 200m
+          memory: 512Gi
+        requests:
+          cpu: 100m
+          memory: 256Mi
+    route:
+      enabled: true
+
+---
+# Grant the default Service Account (used by the verify-traces pod) permission to read traces
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: allow-read-traces-mst
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+  namespaces: ["chainsaw-mst"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: allow-read-traces-mst
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: allow-read-traces-mst
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: chainsaw-mst
+---
+# Grant the default ServiceAccount (used by the verify-traces pod) view permissions of the chainsaw-monolithic-multitenancy namespace.
+# If the ServiceAccount cannot access any namespaces, every 'get' request will be denied:
+# https://github.com/observatorium/opa-openshift/pull/18/files
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: chainsaw-mst

tests/e2e-openshift/monolithic-single-tenant-auth/verify-traces-jaeger-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-jaeger
+  namespace: chainsaw-mst
+status:
+  conditions:
+    - status: "True"
+      type: Complete

tests/e2e-openshift/monolithic-single-tenant-auth/verify-traces-jaeger.yaml

@@ -0,0 +1,27 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-jaeger
+  namespace: chainsaw-mst
+spec:
+  template:
+    spec:
+      containers:
+      - name: verify-traces
+        image: ghcr.io/grafana/tempo-operator/test-utils:main
+        command: ["/bin/bash", "-eux", "-c"]
+        args:
+        - |
+          curl -vG \
+            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+            --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+            https://tempo-monolithic-st-jaegerui.chainsaw-mst.svc:8443/api/traces \
+            --data-urlencode "service=telemetrygen" \
+            | tee /tmp/jaeger.out
+
+          num_traces=$(jq ".data | length" /tmp/jaeger.out)
+          if [[ "$num_traces" != "10" ]]; then
+            echo && echo "The Jaeger API returned $num_traces instead of 10 traces."
+            exit 1
+          fi
+      restartPolicy: Never

tests/e2e-openshift/monolithic-single-tenant-auth/verify-traces-traceql-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-traceql
+  namespace: chainsaw-mst
+status:
+  conditions:
+    - status: "True"
+      type: Complete

tests/e2e-openshift/monolithic-single-tenant-auth/verify-traces-traceql.yaml

@@ -0,0 +1,28 @@
+# Simulate Grafana Dashboard API requests.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-traceql
+  namespace: chainsaw-mst
+spec:
+  template:
+    spec:
+      containers:
+      - name: verify-traces
+        image: ghcr.io/grafana/tempo-operator/test-utils:main
+        command: ["/bin/bash", "-eux", "-c"]
+        args:
+        - |
+          curl -sS -G \
+            --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+            --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+            --data-urlencode 'q={ resource.service.name="telemetrygen" }' \
+            https://tempo-monolithic-st-jaegerui.chainsaw-mst.svc:8443/api/search \
+            | tee /tmp/tempo.out
+
+          num_traces=$(jq ".traces | length" /tmp/tempo.out)
+          if [[ "$num_traces" != "10" ]]; then
+            echo && echo "The Tempo API returned $num_traces instead of 10 traces."
+            exit 1
+          fi
+      restartPolicy: Never