Expose pod security context per component

Signed-off-by: Ruben Vargas <[email protected]>
grafana · Sep 10, 2024 · c5fbc3f · c5fbc3f
1 parent 36805bb
commit c5fbc3f
Show file tree

Hide file tree

Showing 16 changed files with 3,440 additions and 0 deletions.
diff --git a/.chloggen/add_pod_security_context.yaml b/.chloggen/add_pod_security_context.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action)
+component: tempostack
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Expose a way to set a PodSecurityContext on each component
+
+# One or more tracking issues related to the change
+issues: [996]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/apis/tempo/v1alpha1/tempostack_types.go b/apis/tempo/v1alpha1/tempostack_types.go
@@ -523,6 +523,12 @@ type TempoComponentSpec struct {
 	// +optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resources"
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	// SecurityContext defines security context will be applied to all pods of this component.
+	//
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="SecurityContext"
+	SecurityContext *corev1.PodSecurityContext `json:"SecurityContext,omitempty"`
 }
 
 // TempoGatewaySpec extends TempoComponentSpec with gateway parameters.

diff --git a/apis/tempo/v1alpha1/zz_generated.deepcopy.go b/apis/tempo/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml b/bundle/community/manifests/tempo-operator.clusterserviceversion.yaml
@@ -828,6 +828,10 @@ spec:
       - description: Compactor defines the tempo compactor component spec.
         displayName: Compactor pods
         path: template.compactor
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.compactor.SecurityContext
       - description: NodeSelector defines the simple form of the node-selection constraint.
         displayName: Node Selector
         path: template.compactor.nodeSelector
@@ -845,6 +849,10 @@ spec:
       - description: Distributor defines the distributor component spec.
         displayName: Distributor pods
         path: template.distributor
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.distributor.SecurityContext
       - description: NodeSelector defines the simple form of the node-selection constraint.
         displayName: Node Selector
         path: template.distributor.nodeSelector
@@ -884,6 +892,10 @@ spec:
       - description: Gateway defines the tempo gateway spec.
         displayName: Gateway pods
         path: template.gateway
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.gateway.SecurityContext
       - displayName: Enabled
         path: template.gateway.enabled
         x-descriptors:
@@ -924,6 +936,10 @@ spec:
       - description: Ingester defines the ingester component spec.
         displayName: Ingester pods
         path: template.ingester
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.ingester.SecurityContext
       - description: NodeSelector defines the simple form of the node-selection constraint.
         displayName: Node Selector
         path: template.ingester.nodeSelector
@@ -941,6 +957,10 @@ spec:
       - description: Querier defines the querier component spec.
         displayName: Querier pods
         path: template.querier
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.querier.SecurityContext
       - description: NodeSelector defines the simple form of the node-selection constraint.
         displayName: Node Selector
         path: template.querier.nodeSelector
@@ -958,6 +978,10 @@ spec:
       - description: TempoQueryFrontendSpec defines the query frontend spec.
         displayName: Query Frontend pods
         path: template.queryFrontend
+      - description: SecurityContext defines security context will be applied to all
+          pods of this component.
+        displayName: SecurityContext
+        path: template.queryFrontend.SecurityContext
       - description: JaegerQuery defines options specific to the Jaeger Query component.
         displayName: Jaeger Query Settings
         path: template.queryFrontend.jaegerQuery