
Commit 0c066a2

Update RBAC tests to verify traces using cluster-admin (#1229)
Assisted-by: Cursor IDE using claude-4-sonnet Co-authored-by: Andreas Gerstmayr <[email protected]>
1 parent c70d4bf commit 0c066a2

8 files changed

+487
-1
lines changed
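--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-grpc
+  namespace: chainsaw-mmo-rbac
+status:
+  succeeded: 1
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-http
+  namespace: chainsaw-mmo-rbac
+status:
+  succeeded: 1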

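--- a/tests/e2e-openshift/monolithic-multitenancy-rbac/chainsaw-test.yaml
+++ b/tests/e2e-openshift/monolithic-multitenancy-rbac/chainsaw-test.yaml
@@ -41,3 +41,9 @@ spec:
           file: tempo-rbac-sa-1-traces-verify.yaml
       - assert:
           file: assert-tempo-rbac-sa-1-traces-verify.yaml
+  - name: Verify kubeadmin can view traces from all projects
+    try:
+      - apply:
+          file: kubeadmin-traces-verify.yaml
+      - assert:
+          file: assert-kubeadmin-traces-verify.yaml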
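Review bot: The step name added at new line 44, `Verify kubeadmin can view traces from all projects`, says kubeadmin, but the job it applies runs as the ServiceAccount `tempo-rbac-cluster-admin` (kubeadmin-traces-verify.yaml in this commit), which is bound to the cluster-admin ClusterRole and is not the `kube:admin` user; the gateway may authorize a service account and a user differently, so the step should name what it actually exercises. Suggested: `- name: Verify a cluster-admin service account can view traces from all projects`. The same wording is used in tests/e2e-openshift/multitenancy-rbac/chainsaw-test.yaml.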

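--- a/tests/e2e-openshift/monolithic-multitenancy-rbac/create-SAs-with-namespace-access.yaml
+++ b/tests/e2e-openshift/monolithic-multitenancy-rbac/create-SAs-with-namespace-access.yaml
@@ -25,6 +25,13 @@ metadata:
   name: tempo-rbac-sa-2
   namespace: chainsaw-mono-rbac-2
 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tempo-rbac-cluster-admin
+  namespace: chainsaw-mmo-rbac
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -55,6 +62,20 @@ roleRef:
   kind: ClusterRole
   name: admin
 
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tempo-rbac-cluster-admin-binding-monolithic
+subjects:
+  - kind: ServiceAccount
+    name: tempo-rbac-cluster-admin
+    namespace: chainsaw-mmo-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1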
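Review bot: The ClusterRoleBinding at new lines 66-77 grants `cluster-admin` to the `tempo-rbac-cluster-admin` ServiceAccount, a cluster-wide standing privilege, inside a file named create-SAs-with-namespace-access.yaml whose other bindings are namespace-scoped RoleBindings to the `admin` ClusterRole, and nothing says why the widest role is required. Being cluster-scoped, the binding is not removed when the test namespaces are deleted; chainsaw normally deletes what it applied, but an aborted run can leave an orphaned binding that keeps granting cluster-admin to any future ServiceAccount created with that name in that namespace (inferred from the scoping; depends on the suite's cleanup settings). A comment above the binding such as `# Cluster-scoped: the test asserts that a cluster-admin subject sees complete traces from every tenant project; relies on chainsaw cleanup to remove it` would make both the intent and the cleanup expectation explicit, and a narrower ClusterRole covering only what the gateway checks is worth considering if one exists. The same binding (named `tempo-rbac-cluster-admin-binding`) is added in tests/e2e-openshift/multitenancy-rbac/create-SAs-with-namespace-access.yaml.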
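--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,201 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-grpc
+  namespace: chainsaw-mmo-rbac
+spec:
+  template:
+    spec:
+      serviceAccountName: tempo-rbac-cluster-admin
+      containers:
+        - name: verify-traces
+          image: ghcr.io/grafana/tempo-operator/test-utils:main
+          command:
+            - /bin/bash
+            - -eux
+            - -c
+          args:
+            - |
+              # Get the cluster-admin service account token
+              token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+              # First, verify traces from chainsaw-mono-rbac-1 (grpc-rbac-1 service)
+              curl \
+                -G \
+                --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="grpc-rbac-1" }' \
+                | tee /tmp/jaeger-rbac-1.out
+              num_traces=$(jq ".traces | length" /tmp/jaeger-rbac-1.out)
+              if [[ "$num_traces" != "2" ]]; then
+                echo && echo "The Jaeger API returned $num_traces instead of 2 traces for grpc-rbac-1."
+                exit 1
+              fi
+
+              echo "Fetch the first trace ID and store it in a variable"
+              traceID=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="grpc-rbac-1" }' | jq -r '.traces[0].traceID')
+
+              echo "Use the trace ID to fetch the complete trace"
+              traceOutput=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/traces/$traceID)
+
+              echo "Check for the strings in the trace output - cluster-admin should see complete traces"
+              stringsToSearch=(
+                "\"key\":\"net.peer.ip\""
+                "\"stringValue\":\"1.2.3.4\""
+                "\"key\":\"peer.service\""
+                "\"stringValue\":\"telemetrygen-client\""
+                "\"key\":\"k8s.pod.ip\""
+                "\"key\":\"k8s.container.name\""
+              )
+              for searchString in "${stringsToSearch[@]}"; do
+                if echo "$traceOutput" | grep -q "$searchString"; then
+                  echo "Cluster-admin: Trace output for service grpc-rbac-1 contains: $searchString"
+                else
+                  echo "Cluster-admin: Trace output for service grpc-rbac-1 does not contain: $searchString"
+                  exit 1
+                fi
+              done
+
+              # Now verify traces from chainsaw-mono-rbac-2 (grpc-rbac-2 service)
+              # cluster-admin should be able to see complete traces from this project too
+              curl \
+                -G \
+                --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="grpc-rbac-2" }' \
+                | tee /tmp/jaeger-rbac-2.out
+              num_traces=$(jq ".traces | length" /tmp/jaeger-rbac-2.out)
+              if [[ "$num_traces" != "2" ]]; then
+                echo && echo "The Jaeger API returned $num_traces instead of 2 traces for grpc-rbac-2."
+                exit 1
+              fi
+
+              echo "Fetch the first trace ID and store it in a variable"
+              traceID=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="grpc-rbac-2" }' | jq -r '.traces[0].traceID')
+
+              echo "Use the trace ID to fetch the complete trace"
+              traceOutput=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/traces/$traceID)
+
+              echo "Check for the strings in the trace output - cluster-admin should see complete traces"
+              for searchString in "${stringsToSearch[@]}"; do
+                if echo "$traceOutput" | grep -q "$searchString"; then
+                  echo "Cluster-admin: Trace output for service grpc-rbac-2 contains: $searchString"
+                else
+                  echo "Cluster-admin: Trace output for service grpc-rbac-2 does not contain: $searchString"
+                  exit 1
+                fi
+              done
+      restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-http
+  namespace: chainsaw-mmo-rbac
+spec:
+  template:
+    spec:
+      serviceAccountName: tempo-rbac-cluster-admin
+      containers:
+        - name: verify-traces
+          image: ghcr.io/grafana/tempo-operator/test-utils:main
+          command:
+            - /bin/bash
+            - -eux
+            - -c
+          args:
+            - |
+              # Get the cluster-admin service account token
+              token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+              # First, verify traces from chainsaw-mono-rbac-1 (http-rbac-1 service)
+              curl \
+                -G \
+                --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="http-rbac-1" }' \
+                | tee /tmp/jaeger-rbac-1.out
+              num_traces=$(jq ".traces | length" /tmp/jaeger-rbac-1.out)
+              if [[ "$num_traces" != "2" ]]; then
+                echo && echo "The Jaeger API returned $num_traces instead of 2 traces for http-rbac-1."
+                exit 1
+              fi
+
+              echo "Fetch the first trace ID and store it in a variable"
+              traceID=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="http-rbac-1" }' | jq -r '.traces[0].traceID')
+
+              echo "Use the trace ID to fetch the complete trace"
+              traceOutput=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/traces/$traceID)
+
+              echo "Check for the strings in the trace output - cluster-admin should see complete traces"
+              stringsToSearch=(
+                "\"key\":\"net.peer.ip\""
+                "\"stringValue\":\"1.2.3.4\""
+                "\"key\":\"peer.service\""
+                "\"stringValue\":\"telemetrygen-client\""
+                "\"key\":\"k8s.pod.ip\""
+                "\"key\":\"k8s.container.name\""
+              )
+              for searchString in "${stringsToSearch[@]}"; do
+                if echo "$traceOutput" | grep -q "$searchString"; then
+                  echo "Cluster-admin: Trace output for service http-rbac-1 contains: $searchString"
+                else
+                  echo "Cluster-admin: Trace output for service http-rbac-1 does not contain: $searchString"
+                  exit 1
+                fi
+              done
+
+              # Now verify traces from chainsaw-mono-rbac-2 (http-rbac-2 service)
+              # cluster-admin should be able to see complete traces from this project too
+              curl \
+                -G \
+                --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="http-rbac-2" }' \
+                | tee /tmp/jaeger-rbac-2.out
+              num_traces=$(jq ".traces | length" /tmp/jaeger-rbac-2.out)
+              if [[ "$num_traces" != "2" ]]; then
+                echo && echo "The Jaeger API returned $num_traces instead of 2 traces for http-rbac-2."
+                exit 1
+              fi
+
+              echo "Fetch the first trace ID and store it in a variable"
+              traceID=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/search \
+                --data-urlencode 'q={ resource.service.name="http-rbac-2" }' | jq -r '.traces[0].traceID')
+
+              echo "Use the trace ID to fetch the complete trace"
+              traceOutput=$(curl -G --header "Authorization: Bearer $token" \
+                --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt \
+                https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api/traces/$traceID)
+
+              echo "Check for the strings in the trace output - cluster-admin should see complete traces"
+              for searchString in "${stringsToSearch[@]}"; do
+                if echo "$traceOutput" | grep -q "$searchString"; then
+                  echo "Cluster-admin: Trace output for service http-rbac-2 contains: $searchString"
+                else
+                  echo "Cluster-admin: Trace output for service http-rbac-2 does not contain: $searchString"
+                  exit 1
+                fi
+              done
+      restartPolicy: Never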
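Review bot: The container is started with `/bin/bash -eux` (new lines 14-16), so bash's xtrace writes every expanded command to the pod log, including the `token=` assignment at new line 20 and `--header "Authorization: Bearer $token"` at new lines 25, 37, 43, 69, 81 and 87 (and their counterparts in the http job): the full token of a ServiceAccount bound to cluster-admin lands in plain text in job logs that chainsaw and CI commonly collect and retain on failure. Tracing can stay, but the token should be read and written into a curl config file while tracing is off and then passed with `-K`, so it never appears on a traced command line; the existing per-SA verify jobs may follow the same pattern, but with far narrower credentials. The grpc and http jobs, and the rbac-1/rbac-2 halves inside each, differ only in the service name, so a shell function parameterised by service name keeps the search-and-verify sequence and the `stringsToSearch` list in one place and cuts the file to roughly a third. The `curl ... | tee` pipelines (new lines 23-29, 67-73) run without `pipefail`, so a failed curl is only caught indirectly by the empty trace count that follows; `set -o pipefail` makes the failure explicit.
```yaml
          command:
            - /bin/bash
            - -eux
            - -c
          args:
            - |
              # Read the token and write the curl header file with tracing off so the
              # cluster-admin bearer token never reaches the pod log through xtrace.
              set +x
              token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
              umask 077
              printf 'header = "Authorization: Bearer %s"\n' "$token" > /tmp/curlrc
              set -x
              set -o pipefail
              api=https://tempo-mmo-rbac-gateway.chainsaw-mmo-rbac.svc:8080/api/traces/v1/dev/tempo/api
              cacert=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
              # … unchanged: stringsToSearch=( … ) …
              verify_service() {
                local service=$1
                curl -G -K /tmp/curlrc --cacert "$cacert" "$api/search" \
                  --data-urlencode "q={ resource.service.name=\"$service\" }" \
                  | tee "/tmp/jaeger-$service.out"
                num_traces=$(jq ".traces | length" "/tmp/jaeger-$service.out")
                if [[ "$num_traces" != "2" ]]; then
                  echo && echo "The Jaeger API returned $num_traces instead of 2 traces for $service."
                  exit 1
                fi
                traceID=$(jq -r '.traces[0].traceID' "/tmp/jaeger-$service.out")
                traceOutput=$(curl -G -K /tmp/curlrc --cacert "$cacert" "$api/traces/$traceID")
                for searchString in "${stringsToSearch[@]}"; do
                  # … unchanged: grep / echo / exit 1 checks, with $service in the messages …
                done
              }
              verify_service grpc-rbac-1
              verify_service grpc-rbac-2
```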
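--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-grpc
+  namespace: chainsaw-rbac
+status:
+  succeeded: 1
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-kubeadmin-http
+  namespace: chainsaw-rbac
+status:
+  succeeded: 1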

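--- a/tests/e2e-openshift/multitenancy-rbac/chainsaw-test.yaml
+++ b/tests/e2e-openshift/multitenancy-rbac/chainsaw-test.yaml
@@ -46,4 +46,10 @@ spec:
       - apply:
           file: tempo-rbac-sa-1-traces-verify.yaml
       - assert:
-          file: assert-tempo-rbac-sa-1-traces-verify.yaml
+          file: assert-tempo-rbac-sa-1-traces-verify.yaml
+  - name: Verify kubeadmin can view traces from all projects
+    try:
+      - apply:
+          file: kubeadmin-traces-verify.yaml
+      - assert:
+          file: assert-kubeadmin-traces-verify.yaml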

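--- a/tests/e2e-openshift/multitenancy-rbac/create-SAs-with-namespace-access.yaml
+++ b/tests/e2e-openshift/multitenancy-rbac/create-SAs-with-namespace-access.yaml
@@ -25,6 +25,13 @@ metadata:
   name: tempo-rbac-sa-2
   namespace: chainsaw-test-rbac-2
 
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tempo-rbac-cluster-admin
+  namespace: chainsaw-rbac
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -55,6 +62,20 @@ roleRef:
   kind: ClusterRole
   name: admin
 
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tempo-rbac-cluster-admin-binding
+subjects:
+  - kind: ServiceAccount
+    name: tempo-rbac-cluster-admin
+    namespace: chainsaw-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1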
