Add test cases for using GCP WIF with Tempo (#1208)

Author: IshwarKanse

tests/e2e-openshift-object-stores/gcp-wif-monolithic/chainsaw-test.yaml

@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: gcp-wif-monolithic
+  labels:
+    type: gcp-wif
+spec:
+  description: Test TempoStack support for GCP WIF using STS.
+  namespace: chainsaw-gcpwif-mono
+  steps:
+  - name: Create AWS S3 bucket, IAM policy and role required for STS
+    try:
+    - script:
+        timeout: 2m
+        content: ./gcp-wif-create.sh
+    - assert:
+        file: gcp-wif-create-assert.yaml
+  - name: Install Tempo Monolithic
+    try:
+    - apply:
+        file: install-monolithic.yaml
+    - assert:
+        file: install-monolithic-assert.yaml
+  - name: Wait for the TempoStack to be ready
+    try:
+    - script:
+        timeout: 5m
+        content: oc get --namespace chainsaw-gcpwif-mono tempomonolithic gcpwifmn -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' | grep True
+  - name: Generate traces
+    try:
+    - apply:
+        file: generate-traces.yaml
+    - assert:
+        file: generate-traces-assert.yaml
+  - name: Verify traces
+    try:
+    - apply:
+        file: verify-traces.yaml
+    - assert:
+        file: verify-traces-assert.yaml
+    cleanup:
+    - script:
+        timeout: 2m
+        content: ./gcp-wif-delete.sh

tests/e2e-openshift-object-stores/gcp-wif-monolithic/gcp-wif-create-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gcs-secret
+  namespace: chainsaw-gcpwif-mono
+type: Opaque

tests/e2e-openshift-object-stores/gcp-wif-monolithic/gcp-wif-create.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+set -euo pipefail
+
+PROJECT_ID=$(gcloud config get-value project)
+SERVICE_ACCOUNT_NAME="ikanse-gcp-wif-mono-sa"
+GCS_KEY_FILE="/tmp/gcp-wif-mono.json"
+BUCKET_NAME="ikanse-gcp-wif-mono"
+
+# Create GCP service account
+SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" \
+    --display-name="TempoMonolithic Account" \
+    --project "$PROJECT_ID" \
+    --format='value(email)' \
+    --quiet)
+
+# Wait for the service account to be ready
+echo "Waiting for service account $SERVICE_ACCOUNT_EMAIL to be ready..."
+MAX_RETRIES=10
+RETRY_COUNT=0
+while ! gcloud iam service-accounts describe "$SERVICE_ACCOUNT_EMAIL" --project "$PROJECT_ID" &> /dev/null; do
+    if [ $RETRY_COUNT -ge $MAX_RETRIES ]; then
+        echo "Error: Service account $SERVICE_ACCOUNT_EMAIL not found after $MAX_RETRIES retries. Exiting."
+        exit 1
+    fi
+    echo "Service account not yet available. Retrying in 5 seconds..."
+    sleep 5
+    RETRY_COUNT=$((RETRY_COUNT + 1))
+done
+echo "Service account $SERVICE_ACCOUNT_EMAIL is ready."
+
+# Set the GCP and TempoStack vars
+TEMPO_NAME="gcpwifmn"
+TEMPO_NAMESPACE="chainsaw-gcpwif-mono"
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
+OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}')
+POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
+
+# Bind the required GCP roles to the created SA at the project level
+gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/storage.objectAdmin" \
+  --format=none \
+  --quiet
+
+# Workload Identity Bindings: Allow Kubernetes Service Accounts to impersonate the Google Service Account
+gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}" \
+  --project="$PROJECT_ID" \
+  --quiet
+
+gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}-query-frontend" \
+  --project="$PROJECT_ID" \
+  --quiet
+
+# Get provider ID from GCP
+PROVIDER_ID=$(gcloud iam workload-identity-pools providers list \
+  --project="$PROJECT_ID" \
+  --location="global" \
+  --workload-identity-pool="$POOL_ID" \
+  --filter="displayName:$POOL_ID" \
+  --format="value(name)" | awk -F'/' '{print $NF}')
+
+# Create a credentials configuration file for the managed identity to be used by TempoStack
+gcloud iam workload-identity-pools create-cred-config \
+    "projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID" \
+    --service-account="$SERVICE_ACCOUNT_EMAIL" \
+    --credential-source-file=/var/run/secrets/storage/serviceaccount/token \
+    --credential-source-type=text \
+    --output-file="$GCS_KEY_FILE"
+
+echo "Checking if bucket $BUCKET_NAME exists..."
+if gsutil ls "gs://$BUCKET_NAME" > /dev/null 2>&1; then
+    echo "Bucket $BUCKET_NAME found. Attempting to remove..."
+    gcloud alpha storage rm --recursive "gs://$BUCKET_NAME"
+    if [ $? -ne 0 ]; then
+        echo "Failed to remove bucket $BUCKET_NAME."
+        exit 1
+    fi
+    echo "Bucket $BUCKET_NAME removed successfully."
+else
+    echo "Bucket $BUCKET_NAME does not exist (as expected). Proceeding to create."
+fi
+
+echo "Waiting for the bucket to be confirmed deleted (if it was removed)."
+BUCKET_DELETION_RETRIES=6
+DELETE_RETRY_COUNT=0
+while gsutil ls "gs://$BUCKET_NAME" > /dev/null 2>&1 && [ $DELETE_RETRY_COUNT -lt $BUCKET_DELETION_RETRIES ]; do
+  echo "Bucket $BUCKET_NAME still detected. Waiting 5 seconds for deletion..."
+  sleep 5
+  DELETE_RETRY_COUNT=$((DELETE_RETRY_COUNT + 1))
+done
+
+if [ $DELETE_RETRY_COUNT -ge $BUCKET_DELETION_RETRIES ]; then
+    echo "Warning: Bucket $BUCKET_NAME still exists after waiting period. This might cause issues for creation."
+fi
+
+echo "Attempting to create a new bucket: gs://$BUCKET_NAME in us-central1..."
+gsutil mb -l us-central1 -p "$PROJECT_ID" "gs://$BUCKET_NAME"
+if [ $? -ne 0 ]; then
+    echo "Failed to create bucket $BUCKET_NAME."
+    exit 1
+fi
+echo "Bucket $BUCKET_NAME created successfully."
+
+echo "Grant access to the bucket by service account."
+gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
+    --role="roles/storage.admin" \
+    --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+    --condition=None
+
+PROVIDER_NAME="projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID"
+AUDIENCE=$(gcloud iam workload-identity-pools providers describe "$PROVIDER_NAME" --format='value(oidc.allowedAudiences[0])')
+
+# Create Kubernetes secret to be used with TempoStack
+kubectl -n "$TEMPO_NAMESPACE" create secret generic gcs-secret \
+  --from-literal=bucketname="$BUCKET_NAME" \
+  --from-literal=audience="$AUDIENCE" \
+  --from-file=key.json="$GCS_KEY_FILE"
+if [ $? -ne 0 ]; then
+  echo "Failed to create secret"
+  exit 1
+fi

tests/e2e-openshift-object-stores/gcp-wif-monolithic/gcp-wif-delete.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+set -uo pipefail
+
+PROJECT_ID=$(gcloud config get-value project)
+SERVICE_ACCOUNT_NAME="ikanse-gcp-wif-mono-sa"
+TEMPO_NAME="gcpwifmn"
+TEMPO_NAMESPACE="chainsaw-gcpwif-mono"
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
+OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}')
+POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
+BUCKET_NAME="ikanse-gcp-wif-mono"
+GCS_KEY_FILE="/tmp/gcp-wif-mono.json"
+
+# Fetch the service account email using the name
+SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
+  --project="$PROJECT_ID" \
+  --filter="displayName:TempoMonolithic Account" \
+  --format='value(email)')
+
+if [ -z "$SERVICE_ACCOUNT_EMAIL" ]; then
+  echo "Error: Service account with display name 'TempoStack Account' not found. Cannot proceed with cleanup."
+  exit 1
+fi
+
+echo "Starting cleanup (excluding Workload Identity Pool Provider)..."
+echo "Target Service Account Email: **$SERVICE_ACCOUNT_EMAIL**"
+
+echo "Removing bucket-level IAM policy binding for service account '**$SERVICE_ACCOUNT_EMAIL**' on bucket '**$BUCKET_NAME**'..."
+gcloud storage buckets remove-iam-policy-binding "gs://$BUCKET_NAME" \
+    --role="roles/storage.admin" \
+    --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+    --quiet
+echo "Bucket-level IAM policy binding removed."
+
+# Remove IAM policy bindings for the created service account (project level)
+echo "Removing project-level IAM policy bindings for service account '**$SERVICE_ACCOUNT_EMAIL**'..."
+gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
+  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/storage.objectAdmin" --quiet
+echo "Project-level IAM policy bindings for service account '**$SERVICE_ACCOUNT_EMAIL**' removed."
+
+# Remove IAM policy bindings for TempoStack service accounts (Workload Identity Principals)
+# These were added directly to the Google Service Account's IAM policy
+echo "Removing Workload Identity bindings from Google Service Account '**$SERVICE_ACCOUNT_EMAIL**'..."
+
+# tempo-${TEMPO_NAME} bindings
+gcloud iam service-accounts remove-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}" \
+  --project="$PROJECT_ID" \
+  --quiet
+
+# tempo-${TEMPO_NAME}-query-frontend bindings
+gcloud iam service-accounts remove-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}-query-frontend" \
+  --project="$PROJECT_ID" \
+  --quiet
+echo "Workload Identity bindings removed from Google Service Account '**$SERVICE_ACCOUNT_EMAIL**'."
+
+# Delete the GCP service account
+echo "Deleting service account '**$SERVICE_ACCOUNT_EMAIL**'..."
+gcloud iam service-accounts delete "$SERVICE_ACCOUNT_EMAIL" --quiet
+if [ $? -eq 0 ]; then
+  echo "Service account '**$SERVICE_ACCOUNT_EMAIL**' deleted successfully."
+else
+  echo "Failed to delete service account '**$SERVICE_ACCOUNT_EMAIL**'."
+fi
+
+# Remove GCS bucket
+echo "Deleting GCS bucket '**$BUCKET_NAME**'..."
+gcloud alpha storage rm --recursive gs://"$BUCKET_NAME" --quiet
+if [ $? -eq 0 ]; then
+  echo "GCS bucket '**$BUCKET_NAME**' deleted successfully."
+else
+  echo "Failed to delete GCS bucket '**$BUCKET_NAME**'."
+fi
+
+echo "Deleting **gcs-secret** Kubernetes secret..."
+if kubectl get secret gcs-secret -n "$TEMPO_NAMESPACE" &> /dev/null; then
+  kubectl delete secret gcs-secret -n "$TEMPO_NAMESPACE" --ignore-not-found=true
+  echo "Kubernetes secret '**gcs-secret**' deleted."
+else
+  echo "Kubernetes secret '**gcs-secret**' not found in namespace '**$TEMPO_NAMESPACE**'. Skipping deletion."
+fi
+
+echo "Delete the GCS keyfile"
+rm "$GCS_KEY_FILE"
+
+echo "Cleanup completed."

tests/e2e-openshift-object-stores/gcp-wif-monolithic/generate-traces-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces
+  namespace: chainsaw-gcpwif-mono
+status:
+  succeeded: 1

tests/e2e-openshift-object-stores/gcp-wif-monolithic/generate-traces.yaml

@@ -0,0 +1,18 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-traces
+  namespace: chainsaw-gcpwif-mono
+spec:
+  template:
+    spec:
+      containers:
+      - name: telemetrygen
+        image: ghcr.io/open-telemetry/opentelemetry-collector-contrib/telemetrygen:v0.92.0
+        args:
+        - traces
+        - --otlp-endpoint=tempo-gcpwifmn.chainsaw-gcpwif-mono.svc:4317
+        - --otlp-insecure
+        - --traces=10
+      restartPolicy: Never
+  backoffLimit: 4