adds conditional ability to store tokengen output into k8s secret.

Signed-off-by: Ryan Brady <[email protected]>
grafana · Feb 26, 2025 · b67d631 · b67d631
1 parent 2049e69
commit b67d631
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 10 deletions.
diff --git a/charts/tempo-distributed/Chart.yaml b/charts/tempo-distributed/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: tempo-distributed
 description: Grafana Tempo in MicroService mode
 type: application
-version: 1.32.2
+version: 1.32.3
 appVersion: 2.7.1
 engine: gotpl
 home: https://grafana.com/docs/tempo/latest/

diff --git a/charts/tempo-distributed/README.md b/charts/tempo-distributed/README.md
@@ -1,6 +1,6 @@
 # tempo-distributed
 
-![Version: 1.32.2](https://img.shields.io/badge/Version-1.32.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.1](https://img.shields.io/badge/AppVersion-2.7.1-informational?style=flat-square)
+![Version: 1.32.3](https://img.shields.io/badge/Version-1.32.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.1](https://img.shields.io/badge/AppVersion-2.7.1-informational?style=flat-square)
 
 Grafana Tempo in MicroService mode
 
@@ -883,6 +883,7 @@ The memcached default args are removed and should be provided manually. The sett
 | tempo.service.ipFamilies | list | `["IPv4"]` | Configure the IP families for all tempo services See the Service spec for details: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#servicespec-v1-core |
 | tempo.service.ipFamilyPolicy | string | `"SingleStack"` | Configure the IP family policy for all tempo services.  SingleStack, PreferDualStack or RequireDualStack |
 | tempo.structuredConfig | object | `{}` | Structured tempo configuration |
+| tokengenJob.adminTokenSecret | string | `""` | Name of the secret to store the admin token. If not specified, defaults to "<release-name>-admin-token" |
 | tokengenJob.annotations | object | `{}` |  |
 | tokengenJob.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | The SecurityContext for tokenjobgen containers |
 | tokengenJob.enable | bool | `true` |  |
@@ -895,6 +896,7 @@ The memcached default args are removed and should be provided manually. The sett
 | tokengenJob.image.repository | string | `nil` | Docker image repository for the tokengenJob image. Overrides `tempo.image.repository` |
 | tokengenJob.image.tag | string | `nil` | Docker image tag for the tokengenJob image. Overrides `tempo.image.tag` |
 | tokengenJob.initContainers | list | `[]` |  |
+| tokengenJob.storeTokenInSecret | bool | `true` |  |
 | traces.jaeger.grpc.enabled | bool | `false` | Enable Tempo to ingest Jaeger GRPC traces |
 | traces.jaeger.grpc.receiverConfig | object | `{}` | Jaeger GRPC receiver config |
 | traces.jaeger.thriftBinary.enabled | bool | `false` | Enable Tempo to ingest Jaeger Thrift Binary traces |

diff --git a/charts/tempo-distributed/templates/tokengen/tokengen-job.yaml b/charts/tempo-distributed/templates/tokengen/tokengen-job.yaml
@@ -1,5 +1,4 @@
-{{- if .Values.enterprise.enabled -}}
-{{ if .Values.tokengenJob.enable }}
+{{- if and .Values.enterprise.enabled .Values.tokengenJob.enable -}}
 {{ $dict := dict "ctx" . "component" "tokengen-job" }}
 apiVersion: batch/v1
 kind: Job
@@ -26,27 +25,34 @@ spec:
         {{- end }}
       namespace: {{ .Release.Namespace | quote }}
     spec:
-      serviceAccountName: {{ template "tempo.serviceAccountName" . }}
+      serviceAccountName: {{ include "tempo.resourceName" (dict "ctx" . "component" "tokengen") }}
       {{- if .Values.tokengenJob.priorityClassName }}
       priorityClassName: {{ .Values.tokengenJob.priorityClassName }}
       {{- end }}
       securityContext:
         {{- toYaml .Values.tokengenJob.securityContext | nindent 8 }}
-      {{- include "tempo.tokengenJobImagePullSecrets" . | nindent 6 -}}
+      {{- if .Values.tempo.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.tempo.image.pullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
       {{- with .Values.tokengenJob.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       initContainers:
+        {{- if .Values.tokengenJob.initContainers }}
         {{- toYaml .Values.tokengenJob.initContainers | nindent 8 }}
-      containers:
+        {{- end }}
         - name: tokengen
           image: "{{ include "tempo.imageReference" $dict }}"
           imagePullPolicy: {{ .Values.tempo.image.pullPolicy }}
           args:
             - "-target=tokengen"
             - "-config.expand-env=true"
             - "-config.file=/conf/tempo.yaml"
+            - "-tokengen.token-file=/shared/admin-token"
             {{- range $key, $value := .Values.tokengenJob.extraArgs }}
             - "-{{ $key }}={{ $value }}"
             {{- end }}
@@ -57,6 +63,8 @@ spec:
               name: runtime-config
             - name: license
               mountPath: /license
+            - name: shared
+              mountPath: /shared
             {{- if .Values.tokengenJob.extraVolumeMounts }}
               {{ toYaml .Values.tokengenJob.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -74,8 +82,32 @@ spec:
             {{- with .Values.tokengenJob.extraEnvFrom }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
-          securityContext:
-            {{- toYaml .Values.tokengenJob.containerSecurityContext | nindent 12 }}
+      containers:
+        - name: kubectl
+          image: {{ .Values.kubectlImage.repository }}:{{ .Values.kubectlImage.tag }}
+          imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
+          command:
+            - "/bin/sh"
+            - "-c"
+            - |
+              if cat /shared/admin-token; then
+                echo "Admin token generated successfully and is readable"
+                {{- if .Values.tokengenJob.storeTokenInSecret | default true }}
+                # Create or update the secret with the admin token
+                kubectl create secret generic {{ .Values.tokengenJob.adminTokenSecret | default (printf "%s-admin-token" .Release.Name) }} \
+                  --from-file=token=/shared/admin-token \
+                  --dry-run=client -o yaml | kubectl apply -f -
+                echo "Admin token secret created/updated successfully"
+                {{- else }}
+                echo "Skipping secret creation as storeTokenInSecret is disabled"
+                {{- end }}
+              else
+                echo "Error: Admin token file not found or not readable at /shared/admin-token"
+                exit 1
+              fi
+          volumeMounts:
+            - name: shared
+              mountPath: /shared
       restartPolicy: OnFailure
       volumes:
         - name: config
@@ -90,5 +122,6 @@ spec:
             secretName: {{ tpl .Values.license.secretName . }}
         - name: storage
           emptyDir: {}
-{{- end -}}
+        - name: shared
+          emptyDir: {}
 {{- end -}}
diff --git a/charts/tempo-distributed/templates/tokengen/tokengen-rbac.yaml b/charts/tempo-distributed/templates/tokengen/tokengen-rbac.yaml
@@ -0,0 +1,31 @@
+{{- if and .Values.enterprise.enabled .Values.tokengenJob.enable -}}
+{{ $dict := dict "ctx" . "component" "tokengen" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tempo.resourceName" $dict }}
+  labels:
+    {{- include "tempo.labels" $dict | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tempo.resourceName" $dict }}
+  labels:
+    {{- include "tempo.labels" $dict | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "tempo.resourceName" $dict }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "tempo.resourceName" $dict }}
+{{- end -}}
diff --git a/charts/tempo-distributed/templates/tokengen/tokengen-serviceaccount.yaml b/charts/tempo-distributed/templates/tokengen/tokengen-serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.enterprise.enabled .Values.tokengenJob.enable -}}
+{{ $dict := dict "ctx" . "component" "tokengen" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "tempo.resourceName" $dict }}
+  labels:
+    {{- include "tempo.labels" $dict | nindent 4 }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end -}}
diff --git a/charts/tempo-distributed/values.yaml b/charts/tempo-distributed/values.yaml
@@ -2119,6 +2119,10 @@ tokengenJob:
   env: []
   extraEnvFrom: []
   annotations: {}
+  storeTokenInSecret: true
+  # -- Name of the secret to store the admin token. If not specified, defaults to "<release-name>-admin-token"
+  adminTokenSecret: ""
+
   image:
     # -- The Docker registry for the tokengenJob image. Overrides `tempo.image.registry`
     registry: null