Skip to content

Add option to reconcile network policies for operator #1248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jul 28, 2025
Merged

Add option to reconcile network policies for operator #1248

merged 8 commits into from
Jul 28, 2025

Conversation

frzifus
Copy link
Collaborator

@frzifus frzifus commented Jul 23, 2025
edited
Loading 

$ k get networkpolicies.networking.k8s.io -n tempo-operator-system
NAME                                 POD-SELECTOR                                                                                                                                                              AGE
tempo-operator-allow-dns             app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   50s
tempo-operator-deny-all              app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   50s
tempo-operator-egress-to-apiserver   app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   50s
tempo-operator-ingress-to-metrics    app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   50s
tempo-operator-ingress-webhook       app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   50s

---

$ k get pods -n tempo-operator-system --show-labels               
NAME                                        READY   STATUS    RESTARTS   AGE   LABELS
tempo-operator-controller-9bc4c455b-qhf82   1/1     Running   0          60s   app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager,pod-template-hash=9bc4c455b

@frzifus frzifus force-pushed the networking_operator branch from 30d7b70 to 041ee2c Compare July 23, 2025 14:24
andreasgerstmayr
andreasgerstmayr reviewed Jul 23, 2025
View reviewed changes
@frzifus frzifus force-pushed the networking_operator branch from 041ee2c to eb79693 Compare July 23, 2025 17:40
@frzifus frzifus mentioned this pull request Jul 23, 2025
Draft
@frzifus frzifus force-pushed the networking_operator branch 2 times, most recently from ca64cb9 to 6d6ba02 Compare July 24, 2025 00:23
@frzifus frzifus changed the title Install for operator network policy at startup Add option to reconcile network policies for operator Jul 24, 2025
@frzifus frzifus force-pushed the networking_operator branch from 6d6ba02 to 83b8487 Compare July 24, 2025 00:30
@frzifus frzifus marked this pull request as ready for review July 24, 2025 00:30
@frzifus frzifus requested a review from andreasgerstmayr July 24, 2025 00:31
@codecov-commenter
Copy link

codecov-commenter commented Jul 24, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 93.80531% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.35%. Comparing base (0b0e615) to head (a518750).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
internal/controller/tempo/operator_controller.go 53.84% 4 Missing and 2 partials ⚠️
internal/manifests/operator/manifests.go 53.84% 4 Missing and 2 partials ⚠️
cmd/start/main.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1248      +/-   ##
==========================================
+ Coverage   57.64%   58.35%   +0.70%     
==========================================
  Files         121      123       +2     
  Lines       11277    11501     +224     
==========================================
+ Hits         6501     6711     +210     
- Misses       4418     4428      +10     
- Partials      358      362       +4
Flag Coverage Δ
unittests 58.35% <93.80%> (+0.70%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@frzifus frzifus force-pushed the networking_operator branch from 83b8487 to 8fbc64b Compare July 24, 2025 01:06
andreasgerstmayr
andreasgerstmayr reviewed Jul 24, 2025
View reviewed changes
andreasgerstmayr
andreasgerstmayr reviewed Jul 24, 2025
View reviewed changes
@frzifus frzifus force-pushed the networking_operator branch from 8fbc64b to 82d73ed Compare July 24, 2025 09:47
@frzifus frzifus requested a review from andreasgerstmayr July 24, 2025 09:47
@frzifus frzifus force-pushed the networking_operator branch from 82d73ed to 48c24fe Compare July 24, 2025 10:04
@frzifus frzifus force-pushed the networking_operator branch from 48c24fe to 5bf39e4 Compare July 24, 2025 14:09
frzifus added 3 commits July 24, 2025 16:09
@frzifus
Install operator network policy at startup
f85e1c4 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus
consider operator network policy during reconcile
7f42f5c 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus
allow dns traffic to kube-dns in kube-system
30ab1a8 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus frzifus force-pushed the networking_operator branch from 5bf39e4 to d32a3c8 Compare July 24, 2025 14:09
@frzifus
Copy link
Collaborator Author

frzifus commented Jul 24, 2025

cc @IshwarKanse 😄

@IshwarKanse
Copy link
Contributor

@frzifus

On OCP 4.20, the network policies are not being created by the Tempo Operator. The operator logs the following errors:

{"level":"error","ts":"2025-07-25T04:50:22.632842349Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-deny-all","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T04:50:22.632934809Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-ingress-to-metrics","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T04:50:22.632958357Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-allow-dns","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T04:50:22.632976289Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-egress-to-apiserver","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T04:50:22.632995561Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-ingress-webhook","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T04:50:22.655470609Z","logger":"operator-reconcile","msg":"cannot reconcile operator","error":"failed to create objects for operator: missing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://www.google.com/url?sa=E&source=gmail&q=https://github.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:152\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}

Here are the steps to reproduce the issue:

% oc version 
Client Version: 4.19.0
Kustomize Version: v5.5.0
Server Version: 4.20.0-0.nightly-2025-07-20-021531
Kubernetes Version: v1.33.2

% oc create namespace openshift-tempo-operator
namespace/openshift-tempo-operator created

% oc label namespace openshift-tempo-operator openshift.io/cluster-monitoring="true"
namespace/openshift-tempo-operator labeled

% oc project openshift-tempo-operator

% operator-sdk run bundle --timeout=5m --security-context-config=restricted quay.io/rhn_support_ikanse/tempo-operator-bundle:v0.17.1
INFO[0015] Creating a File-Based Catalog of the bundle "quay.io/rhn_support_ikanse/tempo-operator-bundle:v0.17.1" 
INFO[0018] Generated a valid File-Based Catalog          
INFO[0025] Created registry pod: quay-io-rhn-support-ikanse-tempo-operator-bundle-v0-17-1 
INFO[0026] Created CatalogSource: tempo-operator-catalog 
INFO[0026] OperatorGroup "operator-sdk-og" created       
INFO[0027] Created Subscription: tempo-operator-v0-17-1-sub 
INFO[0037] Approved InstallPlan install-4w54d for the Subscription: tempo-operator-v0-17-1-sub 
INFO[0037] Waiting for ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" to reach 'Succeeded' phase 
INFO[0038]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Pending 
INFO[0040]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: InstallReady 
INFO[0041]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Installing 
INFO[0053]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Succeeded 
INFO[0054] OLM has successfully installed "tempo-operator.v0.17.1" 

% oc get networkpolicies.networking.k8s.io 
No resources found in openshift-tempo-operator namespace.

% oc logs tempo-operator-controller-7f9c475f6-x5zhs | grep -i error
{"level":"error","ts":"2025-07-25T05:00:20.212104549Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-deny-all","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107\[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T05:00:20.212184257Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-ingress-to-metrics","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107\[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T05:00:20.212221662Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-allow-dns","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107\[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T05:00:20.212240731Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-egress-to-apiserver","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107\[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T05:00:20.212259814Z","logger":"operator-reconcile","msg":"failed to configure resource","object_name":"tempo-operator-ingress-webhook","object_kind":"&TypeMeta{Kind:NetworkPolicy,APIVersion:networking.k8s.io/v1,}","error":"missing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile](https://github.com/grafana/tempo-operator/internal/controller/tempo.(*OperatorReconciler).Reconcile)\n\t/workspace/internal/controller/tempo/operator_controller.go:107\[ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://ngithub.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:150\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}
{"level":"error","ts":"2025-07-25T05:00:20.231621265Z","logger":"operator-reconcile","msg":"cannot reconcile operator","error":"failed to create objects for operator: missing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type\nmissing mutate implementation for resource type","stacktrace":"[github.com/grafana/tempo-operator/cmd/start.addDependencies.func1](https://github.com/grafana/tempo-operator/cmd/start.addDependencies.func1)\n\t/workspace/cmd/start/main.go:152\nsigs.k8s.io/controller-runtime/pkg/manager.RunnableFunc.Start\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/manager.go:307\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/manager/runnable_group.go:226"}

@frzifus frzifus force-pushed the networking_operator branch from d32a3c8 to dcd7f9d Compare July 25, 2025 10:44
@frzifus
Copy link
Collaborator Author

frzifus commented Jul 25, 2025
edited
Loading

Thanks @IshwarKanse . Should be fixed with: d093516

$ GOOS=linux GOARCH=amd64 ARCH=amd64 IMG_PREFIX=ghcr.io/frzifus OPERATOR_VERSION=0.17.1 BUNDLE_VARIANT=openshift make bundle docker-build docker-push bundle-build bundle-push
$ operator-sdk run bundle --timeout=5m --security-context-config=restricted ghcr.io/frzifus/tempo-operator-bundle:v0.17.1
INFO[0011] Creating a File-Based Catalog of the bundle "ghcr.io/frzifus/tempo-operator-bundle:v0.17.1" 
INFO[0013] Generated a valid File-Based Catalog         
INFO[0023] Created registry pod: ghcr-io-frzifus-tempo-operator-bundle-v0-17-1 
INFO[0023] Created CatalogSource: tempo-operator-catalog 
INFO[0023] OperatorGroup "operator-sdk-og" created      
INFO[0023] Created Subscription: tempo-operator-v0-17-1-sub 
INFO[0035] Approved InstallPlan install-vmhb8 for the Subscription: tempo-operator-v0-17-1-sub 
INFO[0035] Waiting for ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" to reach 'Succeeded' phase 
INFO[0037]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Pending 
INFO[0039]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Installing 
INFO[0054]   Found ClusterServiceVersion "openshift-tempo-operator/tempo-operator.v0.17.1" phase: Succeeded 
INFO[0054] OLM has successfully installed "tempo-operator.v0.17.1" 

$ k get networkpolicies.networking.k8s.io -n openshift-tempo-operator
NAME                                 POD-SELECTOR                                                                                                                                                              AGE
tempo-operator-allow-dns             app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   13s
tempo-operator-deny-all              app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   13s
tempo-operator-egress-to-apiserver   app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   13s
tempo-operator-ingress-to-metrics    app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   13s
tempo-operator-ingress-webhook       app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   12s

@IshwarKanse
Copy link
Contributor

@frzifus

The controller pod is crashing after the latest changes.

% oc get pods
NAME                                                              READY   STATUS      RESTARTS       AGE
1478d83beb1e84cdc051a58ffb909178008f599382cb1b664a9f0517f2xwlvq   0/1     Completed   0              5m12s
quay-io-rhn-support-ikanse-tempo-operator-bundle-v0-17-1          1/1     Running     0              5m27s
tempo-operator-controller-7697486f7c-lt7jj                        0/1     Error       5 (2m1s ago)   4m52s

% oc logs tempo-operator-controller-7697486f7c-lt7jj 
{"level":"error","ts":"2025-07-28T05:23:31.137037454Z","logger":"setup","msg":"unable to create controller","controller":"TempoStack","error":"failed to get server groups: Get \"https://172.30.0.1:443/api\": dial tcp 172.30.0.1:443: i/o timeout","stacktrace":"github.com/grafana/tempo-operator/cmd/start.start\n\t/workspace/cmd/start/main.go:72\ngithub.com/spf13/cobra.(*Command).execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1071\nmain.main\n\t/workspace/cmd/main.go:26\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:272"}

@frzifus
Copy link
Collaborator Author

frzifus commented Jul 28, 2025

mh.. Just in idle?

@frzifus
Copy link
Collaborator Author

frzifus commented Jul 28, 2025

@frzifus

The controller pod is crashing after the latest changes.

% oc get pods
NAME                                                              READY   STATUS      RESTARTS       AGE
1478d83beb1e84cdc051a58ffb909178008f599382cb1b664a9f0517f2xwlvq   0/1     Completed   0              5m12s
quay-io-rhn-support-ikanse-tempo-operator-bundle-v0-17-1          1/1     Running     0              5m27s
tempo-operator-controller-7697486f7c-lt7jj                        0/1     Error       5 (2m1s ago)   4m52s

% oc logs tempo-operator-controller-7697486f7c-lt7jj 
{"level":"error","ts":"2025-07-28T05:23:31.137037454Z","logger":"setup","msg":"unable to create controller","controller":"TempoStack","error":"failed to get server groups: Get \"https://172.30.0.1:443/api\": dial tcp 172.30.0.1:443: i/o timeout","stacktrace":"github.com/grafana/tempo-operator/cmd/start.start\n\t/workspace/cmd/start/main.go:72\ngithub.com/spf13/cobra.(*Command).execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1019\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1148\ngithub.com/spf13/cobra.(*Command).Execute\n\t/go/pkg/mod/github.com/spf13/cobra@v1.9.1/command.go:1071\nmain.main\n\t/workspace/cmd/main.go:26\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:272"}

mh.. Seems there are only 3 ns on that cluster.

$ k get networkpolicies.networking.k8s.io                            
NAME                                POD-SELECTOR                                                                                                                                                              AGE
tempo-operator-allow-dns            app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   103m
tempo-operator-deny-all             app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   103m
tempo-operator-ingress-to-metrics   app.kubernetes.io/managed-by=operator-lifecycle-manager,app.kubernetes.io/name=tempo-operator,app.kubernetes.io/part-of=tempo-operator,control-plane=controller-manager   103m

frzifus added 4 commits July 28, 2025 09:15
@frzifus
reconcile operator network policies on all k8s versions
ed0ccb5 
Only limit the reconcilation on OpenShift

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus
Add e2e for operator network policies
ba93e69 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus
support mutating network policy
965ae30 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus
regenerate config api
567e366 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus frzifus force-pushed the networking_operator branch from dcd7f9d to 567e366 Compare July 28, 2025 07:20
@IshwarKanse
Copy link
Contributor

@frzifus

--- PASS: chainsaw (2695.26s)
    --- PASS: chainsaw/ossm-monolithic-otel (329.73s)
    --- PASS: chainsaw/ossm-tempostack (305.60s)
    --- PASS: chainsaw/ossm-tempostack-otel (332.76s)
    --- PASS: chainsaw/otel-tempo-serverless (373.04s)
    --- PASS: chainsaw/tempo-serverless (343.18s)
    --- PASS: chainsaw/monitoring (206.31s)
    --- PASS: chainsaw/monolithic-monitoring (131.74s)
    --- PASS: chainsaw/monolithic-multitenancy-openshift (140.17s)
    --- PASS: chainsaw/multitenancy (200.54s)
    --- PASS: chainsaw/red-metrics (332.19s)
    --- PASS: chainsaw/operator-metrics (23.94s)
    --- PASS: chainsaw/gateway (48.05s)
    --- PASS: chainsaw/monolithic-single-tenant-auth (126.90s)
    --- PASS: chainsaw/monolithic-receivers-tls (112.28s)
    --- PASS: chainsaw/tls-singletenant-monolithic (151.14s)
    --- PASS: chainsaw/custom-ca (160.75s)
    --- PASS: chainsaw/tls-singletenant (172.23s)
    --- PASS: chainsaw/compatibility (178.90s)
    --- PASS: chainsaw/networking (19.69s)
    --- PASS: chainsaw/tempostack-extraconfig (153.95s)
    --- PASS: chainsaw/monolithic-extraconfig (56.94s)
    --- PASS: chainsaw/reconcile (146.75s)
    --- PASS: chainsaw/monolithic-s3-tls (105.67s)
    --- PASS: chainsaw/monolithic-pv (99.13s)
    --- PASS: chainsaw/receivers-tls (180.02s)
    --- PASS: chainsaw/monolithic-memory (120.07s)
    --- PASS: chainsaw/receivers-mtls (172.10s)
    --- PASS: chainsaw/test-monolithic-custom-storage-class (22.57s)
    --- PASS: chainsaw/generate (61.29s)
    --- PASS: chainsaw/monolithic-route (82.40s)
    --- PASS: chainsaw/monolithic-ingestion-mtls (124.60s)
    --- PASS: chainsaw/monolithic-multitenancy-static (132.37s)
    --- PASS: chainsaw/monolithic-multitenancy-rbac (138.02s)
    --- PASS: chainsaw/tempo-single-tenant-auth (180.98s)
    --- PASS: chainsaw/route (162.66s)
    --- PASS: chainsaw/tempostack-resources (219.25s)
    --- PASS: chainsaw/multitenancy-rbac (224.94s)
    --- PASS: chainsaw/component-replicas (266.34s)
    --- PASS: chainsaw/tempostack-retention-global (2888.55s)
PASS
Tests Summary...
- Passed  tests 39
- Failed  tests 0
- Skipped tests 0
Done with failures.

All tests passed, for the networking one, since I installed the operator in openshift-tempo-operator, the assert was failing but after fixing the namespace in the assert that test passed as well.

You can modify the test to find the Tempo Operator namepace during runtime and use it for assert, for example:
https://github.com/grafana/tempo-operator/blob/main/tests/operator-metrics/max-loops/chainsaw-test.yaml#L9
https://github.com/grafana/tempo-operator/blob/main/tests/operator-metrics/max-loops/01-assert-job.yaml#L5

@frzifus
Copy link
Collaborator Author

frzifus commented Jul 28, 2025

Awesome! I will do, thanks!

@frzifus
fix: namespace on networking e2e test
a518750 
Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
@frzifus frzifus force-pushed the networking_operator branch from dd3b76d to a518750 Compare July 28, 2025 12:03
@frzifus frzifus enabled auto-merge (squash) July 28, 2025 12:03
@frzifus frzifus merged commit 2c4bb15 into grafana:main Jul 28, 2025
12 of 14 checks passed
@frzifus frzifus deleted the networking_operator branch July 28, 2025 12:08
pavolloffay
pavolloffay reviewed Jul 29, 2025
View reviewed changes
tests/e2e/networking/00-asserts.yaml
- namespaceSelector: {}
podSelector: {}
ports:
- port: metrics
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have realized that if port name is used instead of a number ingress access to all ports is allowed.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this documented somewhere? :octocat:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't find it, but I didn't find examples of using port names.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would report a bug if its not working:

// NetworkPolicyPort describes a port to allow traffic on
type NetworkPolicyPort struct {
...
	// port represents the port on the given protocol. This can either be a numerical or named
	// port on a pod. If this field is not provided, this matches all port names and
	// numbers.
	// If present, only traffic on the specified protocol AND port will be matched.
	// +optional
	Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`

https://github.com/kubernetes/api/blob/a5cc2d7de38d9eabcd3f9fb2051ccb19c63bf34d/networking/v1/types.go#L154-L165

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pavolloffay when I remove the webhook policy, allowing incoming traffic on port 9443 and maintain the %s-ingress-to-metrics policy using the port named metrics I am unable to access 9443.

$ oc version                                                                                                                    
Client Version: 4.17.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: 4.19.4
Kubernetes Version: v1.32.6

pavolloffay
pavolloffay reviewed Jul 29, 2025
View reviewed changes
internal/manifests/operator/manifests.go
isOpenShift := featureGates.OpenShift.ServingCertsService

if featureGates.NetworkPolicies && (!isOpenShift || discovered.AtLeast(minimum)) {
manifests = append(manifests, networking.GenerateOperatorPolicies(namespace)...)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are the NP created when no CR is in the cluster?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are created when featureGates.NetworkPolicies is set to true and its not OpenShift or the minimum k8s version requierement is met.

(While I think the version reuqierement was a misunderstanding and I will remove it in a followup pr)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pavolloffay pavolloffay pavolloffay left review comments

@andreasgerstmayr andreasgerstmayr andreasgerstmayr approved these changes

@rubenvp8510 rubenvp8510 rubenvp8510 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@frzifus @codecov-commenter @IshwarKanse @andreasgerstmayr @rubenvp8510 @pavolloffay