Run multitenancy tests from Github CI

Makefile

@@ -382,6 +382,7 @@ deploy-minio:
 # generic end-to-tests
 .PHONY: prepare-e2e
 prepare-e2e: chainsaw start-kind cert-manager set-test-image-vars build docker-build load-image-operator deploy
+			 ./hack/install/install-openshift-routes.sh
 
 .PHONY: e2e
 e2e:

tests/e2e/monolithic-multitenancy-openshift/01-assert.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: tempo-monolithic-multitenancy-openshift
+status:
+  readyReplicas: 1
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: tempo-monolithic-multitenancy-openshift-0
+status:
+  containerStatuses:
+  - name: jaeger-query
+    ready: true
+    started: true
+  - name: tempo
+    ready: true
+    started: true
+  - name: tempo-gateway
+    ready: true
+    started: true
+  - name: tempo-gateway-opa
+    ready: true
+    started: true
+  - name: tempo-query
+    ready: true
+    started: true
+  phase: Running
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tempo-monolithic-multitenancy-openshift-gateway
+spec:
+  ports:
+  - name: public
+    port: 8080
+    protocol: TCP
+    targetPort: public
+  - name: internal
+    port: 8081
+    protocol: TCP
+    targetPort: internal
+  - name: otlp-grpc
+    port: 4317
+    protocol: TCP
+    targetPort: grpc-public

tests/e2e/monolithic-multitenancy-openshift/01-install-tempo.yaml

@@ -0,0 +1,81 @@
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: monolithic-multitenancy-openshift
+spec:
+  jaegerui:
+    enabled: true
+  multitenancy:
+    enabled: true
+    mode: openshift
+    authentication:
+    - tenantName: dev
+      tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa"
+    - tenantName: prod
+      tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb"
+---
+
+# Grant the dev-collector Service Account permission to write traces to the 'dev' tenant
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: allow-write-traces-dev-tenant
+rules:
+- apiGroups: [tempo.grafana.com]
+  resources: [dev]  # tenantName
+  resourceNames: [traces]
+  verbs: [create]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: allow-write-traces-dev-tenant
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: allow-write-traces-dev-tenant
+subjects:
+- kind: ServiceAccount
+  name: dev-collector
+  namespace: chainsaw-monolithic-multitenancy
+---
+
+# Grant the default Service Account (used by the verify-traces pod) permission to read traces of the 'dev' tenant
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: allow-read-traces-dev-tenant
+rules:
+- apiGroups: [tempo.grafana.com]
+  resources: [dev]  # tenantName
+  resourceNames: [traces]
+  verbs: [get]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: allow-read-traces-dev-tenant
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: allow-read-traces-dev-tenant
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: chainsaw-monolithic-multitenancy
+---
+# Grant the default ServiceAccount (used by the verify-traces pod) view permissions of the chainsaw-monolithic-multitenancy namespace.
+# If the ServiceAccount cannot access any namespaces, every 'get' request will be denied:
+# https://github.com/observatorium/opa-openshift/pull/18/files
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: chainsaw-monolithic-multitenancy

tests/e2e/monolithic-multitenancy-openshift/02-assert.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dev-collector
+status:
+  readyReplicas: 1
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev-collector
+  namespace: chainsaw-monolithic-multitenancy
+spec:
+  ports:
+  - appProtocol: grpc
+    name: otlp-grpc-grpc
+    port: 4317
+    protocol: TCP
+    targetPort: 4317
+  - appProtocol: http
+    name: otlp-http-http
+    port: 4318
+    protocol: TCP
+    targetPort: 4318
+  selector:
+    app.kubernetes.io/component: opentelemetry-collector
+    app.kubernetes.io/instance: chainsaw-monolithic-multitenancy.dev
+    app.kubernetes.io/managed-by: opentelemetry-operator
+    app.kubernetes.io/part-of: opentelemetry

tests/e2e/monolithic-multitenancy-openshift/02-install-otelcol.yaml

@@ -0,0 +1,50 @@
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+  name: dev
+spec:
+  config: |
+    extensions:
+      bearertokenauth:
+        filename: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+    receivers:
+      otlp/grpc:
+        protocols:
+          grpc:
+      otlp/http:
+        protocols:
+          http:
+
+    exporters:
+      otlp:
+        endpoint: tempo-monolithic-multitenancy-openshift-gateway.chainsaw-monolithic-multitenancy.svc.cluster.local:4317
+        tls:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+        auth:
+          authenticator: bearertokenauth
+        headers:
+          X-Scope-OrgID: dev  # tenantName
+      otlphttp:
+        endpoint: https://tempo-monolithic-multitenancy-openshift-gateway.chainsaw-monolithic-multitenancy.svc.cluster.local:8080/api/traces/v1/dev
+        tls:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+        auth:
+          authenticator: bearertokenauth
+        headers:
+          X-Scope-OrgID: dev  # tenantName
+
+    service:
+      telemetry:
+        logs:
+          level: "DEBUG"
+          development: true
+          encoding: "json"
+      extensions: [bearertokenauth]
+      pipelines:
+        traces/grpc:
+          receivers: [otlp/grpc]
+          exporters: [otlp]
+        traces/http:
+          receivers: [otlp/http]
+          exporters: [otlphttp]

tests/e2e/monolithic-multitenancy-openshift/03-assert.yaml

@@ -0,0 +1,17 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces-grpc
+status:
+  conditions:
+  - status: "True"
+    type: Complete
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces-http
+status:
+  conditions:
+    - status: "True"
+      type: Complete

tests/e2e/monolithic-multitenancy-openshift/03-generate-traces.yaml

@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces-grpc
+spec:
+  template:
+    spec:
+      containers:
+      - name: telemetrygen
+        image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0
+        args:
+        - traces
+        - --otlp-endpoint=dev-collector:4317
+        - --service=grpc
+        - --otlp-insecure
+        - --traces=10
+      restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces-http
+spec:
+  template:
+    spec:
+      containers:
+        - name: telemetrygen
+          image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0
+          args:
+            - traces
+            - --otlp-endpoint=dev-collector:4318
+            - --otlp-http
+            - --otlp-insecure
+            - --service=http
+            - --traces=10
+      restartPolicy: Never

tests/e2e/monolithic-multitenancy-openshift/04-assert.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-jaegerui-grpc
+status:
+  conditions:
+  - status: "True"
+    type: Complete
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-traceql-grpc
+status:
+  conditions:
+  - status: "True"
+    type: Complete
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-jaegerui-http
+status:
+  conditions:
+    - status: "True"
+      type: Complete
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: verify-traces-traceql-http
+status:
+  conditions:
+    - status: "True"
+      type: Complete