Update tempo-operator to 0.17 with storage class and pod security context (#64)

christian-stephen · web-flow · commit b433beaf8f5b · 2025-07-07T11:48:13.000-03:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -212,7 +212,7 @@ jobs:
             kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.0/cert-manager.yaml
             kubectl wait --for=condition=available --timeout=30s deployment/cert-manager-webhook -n cert-manager
 
-            kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.16.0/tempo-operator.yaml
+            kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.17.0/tempo-operator.yaml
             kubectl get cm tempo-operator-manager-config -n tempo-operator-system -o yaml | \
               sed 's/^  *grafanaOperator: false$/      grafanaOperator: true/' | \
               kubectl apply -f -
diff --git a/README.md b/README.md
@@ -76,7 +76,7 @@ For more detailed installation instructions, refer to the [official Tempo Operat
 
 1. Install the Tempo Operator:
 ```bash
-$ kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.16.0/tempo-operator.yaml
+$ kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.17.0/tempo-operator.yaml
 ```
 2. Enable the `grafanaOperator` feature gate (required for integration with Grafana):
 ```bash
@@ -255,14 +255,20 @@ Dashboards are provisioned directly from CRDs, which means any manual edits will
 | prometheusOperator.replicas | int | `1` | Number of Prometheus Operator replicas to deploy. |
 | tempo.customConfig | object | `{}` | Add any custom Tempo configurations you require here. This should be a YAML object of additional settings for Tempo. |
 | tempo.enabled | string | `"-"` | Enable Tempo distributed tracing Requires manual installation of Tempo Operator Set to true to enable, false to disable, "-" to use global default |
+| tempo.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}` | Pod security context for Tempo containers |
+| tempo.podSecurityContext.fsGroup | int | `10001` | Filesystem group ID for volume ownership and permissions |
+| tempo.podSecurityContext.runAsGroup | int | `10001` | Group ID to run the container processes |
+| tempo.podSecurityContext.runAsNonRoot | bool | `true` | Run containers as non-root user |
+| tempo.podSecurityContext.runAsUser | int | `10001` | User ID to run the container processes |
 | tempo.resources | object | `{"limits":{"cpu":"1000m","memory":"2Gi"},"requests":{"cpu":"500m","memory":"1Gi"}}` | Resource requirements for Tempo pods Adjust based on your trace volume and cluster capacity |
 | tempo.resources.limits.cpu | string | `"1000m"` | Maximum CPU Tempo pods can use |
 | tempo.resources.limits.memory | string | `"2Gi"` | Maximum memory Tempo pods can use |
 | tempo.resources.requests.cpu | string | `"500m"` | Minimum CPU guaranteed to Tempo pods |
 | tempo.resources.requests.memory | string | `"1Gi"` | Minimum memory guaranteed to Tempo pods |
-| tempo.storage | object | `{"traces":{"backend":"memory","size":"20Gi"}}` | Storage configuration for trace data |
+| tempo.storage | object | `{"traces":{"backend":"memory","size":"20Gi","storageClassName":""}}` | Storage configuration for trace data |
 | tempo.storage.traces.backend | string | `"memory"` | Storage backend for traces Default: in-memory storage (traces lost on pod restart) Suitable for development/testing environments only |
 | tempo.storage.traces.size | string | `"20Gi"` | Storage volume size For memory/pv: actual volume size For cloud backends: size of WAL (Write-Ahead Log) volume Increase for higher trace volumes or longer retention |
+| tempo.storage.traces.storageClassName | string | `""` | Storage class for persistent volume provisioner. Applies to both persistent volume and object storage backends. |
 
 ## Releases
 
diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -70,7 +70,7 @@ For more detailed installation instructions, refer to the [official Tempo Operat
 
 1. Install the Tempo Operator:
 ```bash
-$ kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.16.0/tempo-operator.yaml
+$ kubectl apply -f https://github.com/grafana/tempo-operator/releases/download/v0.17.0/tempo-operator.yaml
 ```
 2. Enable the `grafanaOperator` feature gate (required for integration with Grafana):
 ```bash
diff --git a/templates/tempo/tempomonolithic.yaml b/templates/tempo/tempomonolithic.yaml
@@ -20,6 +20,9 @@ spec:
     traces:
       backend: {{ .backend }}
       size: {{ .size }}
+      {{- if .storageClassName }}
+      storageClassName: {{ .storageClassName }}
+      {{- end }}
 
       {{- if eq .backend "s3" }}
       s3:
@@ -33,6 +36,11 @@ spec:
       {{- end }}
   {{- end }}
 
+  {{- with .Values.tempo.podSecurityContext }}
+  podSecurityContext:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
   observability:
     grafana:
       dataSource:
diff --git a/tests/kubeconform/pvc-values.yaml b/tests/kubeconform/pvc-values.yaml
@@ -11,4 +11,5 @@ grafana:
 tempo:
   storage:
     traces:
+      storageClassName: "custom-storage"
       backend: pv
diff --git a/tests/tempo/tempomonolithic_test.yaml b/tests/tempo/tempomonolithic_test.yaml
@@ -86,9 +86,13 @@ tests:
   - it: should configure pv backend
     set:
       tempo.enabled: true
+      tempo.storage.traces.storageClassName: "my-custom-storage"
       tempo.storage.traces.backend: pv
       tempo.storage.traces.size: 50Gi
     asserts:
+      - equal:
+          path: spec.storage.traces.storageClassName
+          value: "my-custom-storage"
       - equal:
           path: spec.storage.traces.backend
           value: pv
diff --git a/values.yaml b/values.yaml
@@ -195,6 +195,19 @@ tempo:
       # For cloud backends: size of WAL (Write-Ahead Log) volume
       # Increase for higher trace volumes or longer retention
       size: 20Gi
+      # -- Storage class for persistent volume provisioner. Applies to both
+      # persistent volume and object storage backends.
+      storageClassName: ""
+  # -- Pod security context for Tempo containers
+  podSecurityContext:
+    # -- Run containers as non-root user
+    runAsNonRoot: true
+    # -- User ID to run the container processes
+    runAsUser: 10001
+    # -- Group ID to run the container processes
+    runAsGroup: 10001
+    # -- Filesystem group ID for volume ownership and permissions
+    fsGroup: 10001
   # -- Add any custom Tempo configurations you require here. This should be a
   # YAML object of additional settings for Tempo.
   customConfig: {}
