Integrated bb-common
General MR
Summary
- Integrated bb-common to replace static resources for network policies, authorization policies, and peer authentications
- Removed legacy configuration settings and docs related to Tempo's UI functionality which no longer exists
- Updated gluon
Relevant logs/screenshots
Tested using tempo-bb-common-integration BB branch
Commands and results prior to integration:

```
$ kubectl get netpol -n tempo
NAME                                        POD-SELECTOR                                                          AGE
allow-in-ns-tempo-tempo                     <none>                                                                10m
allow-istiod-egress                         <none>                                                                10m
allow-sidecar-scraping                      <none>                                                                10m
default-deny-all-tempo-tempo                <none>                                                                10m
egress-dns                                  <none>                                                                10m
egress-external-services                    app.kubernetes.io/name=tempo                                          10m
egress-tempo-authservice                    <none>                                                                10m
egress-tempo-prometheus                     <none>                                                                10m
ingress-allow-kiali                         <none>                                                                10m
ingress-alloy                               app.kubernetes.io/name=tempo                                          10m
ingress-grafana                             <none>                                                                10m
ingress-tempo-prometheus-operator-metrics   app.kubernetes.io/instance=tempo-tempo,app.kubernetes.io/name=tempo   10m
ingress-tempo-zipkin                        app.kubernetes.io/name=tempo                                          10m
test-tempo-allow-egress                     helm-test=enabled                                                     10m
```

```
$ kubectl get ap -n tempo
NAME                       ACTION   AGE
allow-tempo-authz          ALLOW    10m
kiali-tempo-authz-policy   ALLOW    10m
```

```
$ kubectl get se -n tempo
NAME                            HOSTS                                                                                                                                            LOCATION        RESOLUTION   AGE
cypress-service-entries-tempo   ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","tempo.dev.bigbang.mil","grafana.dev.bigbang.mil","grafana.com"]   MESH_EXTERNAL   DNS          10m
```

```
$ kubectl get pa -n tempo
NAME                  MODE     AGE
default-tempo-tempo   STRICT   10m
```
Commands and results post bb-common integration:

```
$ kubectl get netpol -n tempo
NAME                                                                     POD-SELECTOR                   AGE
allow-egress-from-tempo-to-ns-monitoring-pod-prometheus-tcp-port-9090    app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-3200-from-ns-kiali-pod-kiali             app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-3200-from-ns-monitoring-pod-grafana      app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-3200-from-ns-monitoring-pod-prometheus   app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-4317-from-ns-alloy-pod-alloy             app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-4317-from-ns-alloy-pod-alloy-logs        app.kubernetes.io/name=tempo   2m38s
allow-ingress-to-tempo-tcp-port-9411-from-any-ns-any-pod                 app.kubernetes.io/name=tempo   2m38s
default-egress-allow-all-in-ns                                           <none>                         2m38s
default-egress-allow-istiod                                              <none>                         2m38s
default-egress-allow-kube-dns                                            <none>                         2m38s
default-egress-deny-all                                                  <none>                         2m38s
default-ingress-allow-all-in-ns                                          <none>                         2m38s
default-ingress-allow-prometheus-to-istio-sidecar                        <none>                         2m38s
default-ingress-deny-all                                                 <none>                         2m38s
```

```
$ kubectl get ap -n tempo
NAME                                                                                                          ACTION   AGE
allow-ingress-to-tempo-tcp-port-3200-from-ns-kiali-with-identity-kiali-service-account                        ALLOW    2m44s
allow-ingress-to-tempo-tcp-port-3200-from-ns-monitoring-with-identity-monitoring-grafana                      ALLOW    2m43s
allow-ingress-to-tempo-tcp-port-3200-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus   ALLOW    2m43s
allow-ingress-to-tempo-tcp-port-4317-from-ns-alloy-with-identity-alloy-alloy-logs                             ALLOW    2m43s
allow-ingress-to-tempo-tcp-port-4317-from-ns-alloy-with-identity-alloy-alloy-operator                         ALLOW    2m43s
allow-ingress-to-tempo-tcp-port-9411-from-ns-any                                                              ALLOW    2m43s
default-authz-allow-all-in-ns                                                                                 ALLOW    2m44s
default-authz-allow-nothing                                                                                            2m44s
```

```
$ kubectl get se -n tempo
NAME                            HOSTS                                                                                LOCATION        RESOLUTION   AGE
cypress-service-entries-tempo   ["repo1.dso.mil","tempo.dev.bigbang.mil","grafana.dev.bigbang.mil","grafana.com"]   MESH_EXTERNAL   DNS          21m
```

```
$ kubectl get pa -n tempo
NAME                MODE     AGE
default-peer-auth   STRICT   2m59s
```
Note
Network policies for the Helm test are now deployed as part of the Helm test operation and are deleted when it completes.
The egress storage network policy has been moved into the umbrella template and can be validated by installing with the following settings:

```yaml
tempo:
  values:
    upstream:
      tempo:
        storage:
          trace:
            backend: s3
```

Since there is no actual S3 backend, Tempo will not come up, but this validates that the network policy is created as expected.
Linked Issue
Upgrade Notices
Tempo now leverages the bb-common integration for network policies and Istio-related resources. Please refer to this blog post for additional information on the integration. During this process, the network policy allowing access to Authservice has been removed, as it is no longer needed. A previously undiscovered bug that allowed all TCP traffic from Grafana to Tempo has also been fixed; traffic from Grafana to Tempo is now allowed only on TCP port 3200. A new reusable rule, storage-subnets, has been created in the umbrella template; it lets users configure access to external storage via the values.yaml file.
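The Grafana-to-Tempo fix above (an ingress rule that carried no port restriction being narrowed to TCP 3200) is the kind of gap that is easy to reintroduce when policies are hand-written. The following Python is an added example, not code from this MR or from bb-common: it audits NetworkPolicy manifests and reports any ingress rule that admits a peer on every port. The two manifests are constructed as Python dicts to mirror the Grafana-to-Tempo case; only the policy names are taken from the output above, and the label selectors are assumptions.

```python
"""Audit NetworkPolicy ingress rules for missing port restrictions.

Added example (not part of the MR or of the bb-common chart). The two
manifests are constructed to mirror the Grafana -> Tempo case from the
upgrade notice: the first admits the Grafana pod on every port (the pre-fix
behaviour), the second limits it to TCP 3200. Selectors are assumptions.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample: an ingress rule that names a peer but sets no `ports`,
# so the peer may reach every port and protocol on the selected pods.
BROAD_POLICY: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "ingress-grafana", "namespace": "tempo"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "tempo"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {
                "from": [
                    {
                        "namespaceSelector": {
                            "matchLabels": {"kubernetes.io/metadata.name": "monitoring"}
                        },
                        "podSelector": {
                            "matchLabels": {"app.kubernetes.io/name": "grafana"}
                        },
                    }
                ]
            }
        ],
    },
}

# Constructed sample: the same peer, restricted to Tempo's HTTP port.
SCOPED_POLICY: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {
        "name": "allow-ingress-to-tempo-tcp-port-3200-from-ns-monitoring-pod-grafana",
        "namespace": "tempo",
    },
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "tempo"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {
                "from": [
                    {
                        "namespaceSelector": {
                            "matchLabels": {"kubernetes.io/metadata.name": "monitoring"}
                        },
                        "podSelector": {
                            "matchLabels": {"app.kubernetes.io/name": "grafana"}
                        },
                    }
                ],
                "ports": [{"protocol": "TCP", "port": 3200}],
            }
        ],
    },
}


def _peer_summary(peers: List[Dict[str, Any]]) -> str:
    """Render the selectors of a rule's `from` list for a readable finding."""
    parts = []
    for peer in peers:
        ns = peer.get("namespaceSelector", {}).get("matchLabels", {})
        pod = peer.get("podSelector", {}).get("matchLabels", {})
        parts.append(f"ns={dict(ns) or '*'} pod={dict(pod) or '*'}")
    return "; ".join(parts)


def unscoped_ingress_rules(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per ingress rule that does not restrict `ports`.

    In the NetworkPolicy API a rule with `ports` absent or empty matches all
    ports and protocols, and a rule with `from` absent matches all sources,
    so the catch-all `ingress: [{}]` is flagged as well.
    """
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for idx, rule in enumerate(policy.get("spec", {}).get("ingress") or []):
        if rule.get("ports"):
            continue
        source = _peer_summary(rule["from"]) if rule.get("from") else "any source"
        findings.append(f"{name}: ingress rule {idx} allows all ports from {source}")
    return findings


def allowed_ingress_ports(policy: Dict[str, Any]) -> List[Tuple[str, Any]]:
    """Collect (protocol, port) pairs admitted by the port-restricted rules.

    `protocol` defaults to TCP when omitted, as in the API; `port` may be an
    integer or a named container port, so it is returned unchanged.
    """
    pairs: List[Tuple[str, Any]] = []
    for rule in policy.get("spec", {}).get("ingress") or []:
        for entry in rule.get("ports") or []:
            pairs.append((entry.get("protocol", "TCP"), entry.get("port")))
    return pairs


if __name__ == "__main__":
    for pol in (BROAD_POLICY, SCOPED_POLICY):
        print(pol["metadata"]["name"])
        print("  unscoped rules:", unscoped_ingress_rules(pol) or "none")
        print("  allowed ports: ", allowed_ingress_ports(pol) or "none")
```

Run against live policies by feeding `kubectl get netpol -n tempo -o json` items to the same functions; the check is purely structural, so it does not need cluster access to run as shown.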