RHOAIENG-38496 | feat: Add TLS support for Perses-Tempo datasource #2888

dayakar349 · 2025-11-21T06:01:23Z

Description

Adds TLS support for the Perses-Tempo datasource connection

https://issues.redhat.com/browse/RHOAIENG-38496

How Has This Been Tested?

Ran unit tests - all TLS-specific tests passed (TestDetermineTLSEnabled and TestAddTracesTemplateData_TLS)
Verified existing cluster with S3 backend and TLS enabled: Confirmed PersesDatasource was automatically
created with HTTPS endpoint
(https://tempo-data-science-tempostack-gateway.opendatahub.svc.cluster.local:8080)
Validated TLS client configuration in PersesDatasource includes correct CA certificate reference pointing
to Service CA ConfigMap (tempo-service-ca)
Confirmed Service CA ConfigMap has proper injection annotation
(service.beta.openshift.io/inject-cabundle=true) and certificate is populated by OpenShift
Verified TempoStack is Ready and operational with TLS-enabled configuration

Screenshot or short clip

Merge criteria

You have read the contributors guide.
Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
The developer has manually tested the changes and verified that the changes work
The developer has run the integration test pipeline and verified that it passed successfully

E2E test suite update requirement

When bringing new changes to the operator code, such changes are by default required to be accompanied by extending and/or updating the E2E test suite accordingly.

To opt-out of this requirement:

Please inspect the opt-out guidelines, to determine if the nature of the PR changes allows for skipping this requirement
If opt-out is applicable, provide justification in the dedicated E2E update requirement opt-out justification section below
Check the checkbox below:

Skip requirement to update E2E test suite for this PR

Submit/save these changes to the PR description. This will automatically trigger the check.

E2E update requirement opt-out justification

Summary by CodeRabbit

New Features
- Explicit storage backends (pv, s3, gcs), storage options (backend, size, secret, retention), Tempo multitenancy, a CA ConfigMap template, and TLS-aware Perses Tempo datasource with protocol selection (http/https).
Bug Fixes / Behavior
- Cloud backends now require a non-empty credential secret; TLS is disabled by default and TLS detection no longer falls back to backend type.
Documentation
- Expanded Traces TLS and Storage docs to cover OTLP ingestion and HTTP query APIs and note default TLS behavior.
Tests
- Added unit and e2e TLS tests for endpoint construction and cloud backends (S3/GCS); duplicate test declarations were introduced.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

coderabbitai · 2025-11-21T06:01:34Z

Walkthrough

Adds storage-backend constants and extends TracesStorage with backend/size/secret/retention; centralizes TLS/protocol decision (TLS disabled by default unless explicitly enabled); injects a tempo-service-ca ConfigMap template and constant; updates template-data generation, templates, unit and e2e TLS tests (some duplicates present).

Changes

Cohort / File(s)	Change Summary
API Definitions `api/services/v1alpha1/monitoring_types.go`	Added public storage backend constants (`StorageBackendPV`, `StorageBackendS3`, `StorageBackendGCS`); extended `TracesStorage` with `Backend`, `Size`, `Secret`, `Retention`; enum/default kubebuilder validation for `Backend`; XValidation requires non-empty `Secret` when backend != `pv`; marked `Traces.TLS` as optional and updated docs.
Controller Actions `internal/controller/services/monitoring/monitoring_controller_actions.go`	Added `TempoServiceCAConfigMapTemplate` constant and included the tempo CA ConfigMap template in Perses-related template lists used when deploying PersesDatasource with PersesDashboard.
Controller Support Logic `internal/controller/services/monitoring/monitoring_controller_support.go`	Replaced legacy traces helpers with TLS-aware `addTracesTemplateData`; introduced `determineTLSEnabled` (defaults false unless explicitly enabled); set `TempoTLSEnabled`, protocol (`http`/`https`), TempoQuery/OTLP endpoints, cert/CA template keys; switched to public backend constants; removed deprecated helpers and backend-based TLS fallback.
Controller Support Tests `internal/controller/services/monitoring/monitoring_controller_support_test.go`	Added `TestDetermineTLSEnabled` and `TestAddTracesTemplateData_TLS` to cover TLS decision and template-data endpoint construction for PV/S3/GCS; patch contains duplicated declarations of these tests.
Perses / Tempo Templates `internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml` `internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml` `internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml`	Perses datasource: conditional `client.tls` when `TempoTLSEnabled`; tempo monolithic: multitenancy (openshift) added, renamed TLS template keys (`certificateSecret`→`certName`, `caConfigMap`→`caName`), optional `server.http_tls_config` when `TempoCertificateSecret` provided; added `tempo-service-ca` ConfigMap template with `service.beta.openshift.io/inject-cabundle` annotation.
End-to-End Tests `tests/e2e/monitoring_test.go`	Added e2e TLS tests and helpers for PersesDatasource with S3/GCS backends; tests create backend secrets, enable traces TLS, wait for readiness, and assert Perses proxy TLS configuration/endpoints; adjusted expectations noting TLS is disabled by default; duplicated helper/wrapper definitions present.
Documentation `docs/api-overview.md`	Clarified Traces/TLS descriptions to include OTLP ingestion and HTTP query APIs and explicitly noted TLS is disabled by default; minor wording/formatting tweaks.

Sequence Diagram(s)

sequenceDiagram
    rect rgb(248,249,250)
    participant Controller as Controller
    participant Support as SupportLogic
    participant Renderer as TemplateRenderer
    participant K8s as Kubernetes/Tempo
    end

    Controller->>Support: request traces template data (Traces spec)
    Support->>Support: determineTLSEnabled(traces)  %% defaults false unless explicit
    alt TLS enabled
        Support->>Renderer: TempoTLSEnabled=true, protocol=https, set certName/caName, TempoCertificateSecret
    else TLS disabled
        Support->>Renderer: TempoTLSEnabled=false, protocol=http, clear cert/CA keys
    end
    Note over Support,Renderer: select endpoints using backend constants (pv / s3 / gcs) and include Retention/Size
    Support->>Renderer: provide TempoQueryEndpoint, OtlpEndpoint, Backend, Retention, Size
    Renderer->>K8s: render & apply manifests (includes tempo-service-ca ConfigMap when templated)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas needing extra attention:
- api/services/v1alpha1/monitoring_types.go: CRD XValidation, enum/default, and metav1.Duration handling.
- internal/controller/services/monitoring/monitoring_controller_support.go: determineTLSEnabled semantics and protocol/endpoint construction.
- Template key renames and conditional TLS server config in tempo-monolithic.tmpl.yaml and conditional TLS block in perses-tempo-datasource.tmpl.yaml.
- Duplicate test functions in internal/controller/services/monitoring/monitoring_controller_support_test.go and duplicated helpers/wrappers in tests/e2e/monitoring_test.go — deduplication required.

Poem

🐇 I nibble lines of backend code,
PV, S3, GCS in a row.
TLS snoozes till you wake its ear,
A tiny CA map hops in near.
Hooray — traces snug in burrowed glow.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add TLS support for Perses-Tempo datasource' directly matches the main objective of the PR—enabling TLS for the Perses-Tempo datasource connection. The title is concise, clear, and accurately reflects the primary change.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2025-11-21T06:02:49Z

This PR can't be merged just yet 😢

Please run make generate manifests api-docs and commit the changes.

For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/19561569399

coderabbitai

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

api/services/v1alpha1/monitoring_types.go (1)
98-144: Fix TracesStorage XValidation placement and align secret rule with message

+kubebuilder:validation:XValidation for the secret field currently sits above the const block, so it will be associated with the consts (or ignored) rather than with TracesStorage. That means the intended CEL validation for non‑PV backends likely does not apply. Also, the rule only checks has(self.secret) while the message claims “specified and non-empty”.

To ensure the validation is actually enforced and matches the message, move and tighten the rule so it’s directly on the TracesStorage type, e.g.:
-// TracesStorage defines the storage configuration for tracing.
-// +kubebuilder:validation:XValidation:rule="self.backend != 'pv' ? has(self.secret) : true", message="When backend is s3 or gcs, the 'secret' field must be specified and non-empty"
-// Storage backend type constants
-const (
+// Storage backend type constants
+const (
 	// StorageBackendPV represents persistent volume storage backend
 	StorageBackendPV = "pv"
@@
-)
-
-// +kubebuilder:validation:XValidation:rule="self.backend != 'pv' ? !has(self.size) : true", message="Size is supported when backend is pv only"
-type TracesStorage struct {
+)
+
+// TracesStorage defines the storage configuration for tracing.
+// +kubebuilder:validation:XValidation:rule="self.backend != 'pv' ? (has(self.secret) && self.secret != '') : true", message="When backend is s3 or gcs, the 'secret' field must be specified and non-empty"
+// +kubebuilder:validation:XValidation:rule="self.backend != 'pv' ? !has(self.size) : true", message="Size is supported when backend is pv only"
+type TracesStorage struct {
This keeps the new backend constants, enforces that S3/GCS always specify a non‑empty secret, and ensures both CEL rules are actually attached to the CRD schema for TracesStorage.

[scratchpad_end] -->

🧹 Nitpick comments (4)

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

25-49: CA ConfigMap template is correctly wired; consider optional cleanup on traces removal

Adding TempoServiceCAConfigMapTemplate and appending it in deployPersesTempoIntegration ensures the CA ConfigMap is always created next to the Tempo datasource, which is required for the TLS client config.

One minor behavioral note: when Spec.Traces becomes nil, the code deletes the Perses datasource and dashboard but does not remove the tempo-service-ca ConfigMap. That’s harmless but leaves a small orphan. If you want fully symmetric cleanup, you could optionally delete that ConfigMap in the same branch.

Also applies to: 543-552

tests/e2e/monitoring_test.go (1)

1665-1835: End-to-end TLS tests for S3/GCS backends are well-structured; consider a small helper to reduce duplication

Both ValidatePersesDatasourceTLSWithS3Backend and ValidatePersesDatasourceTLSWithGCSBackend:

Ensure PersesDatasource CRD existence and start from a clean monitoring state.

Create a backend-specific secret in the monitoring namespace.

Enable traces with the appropriate backend and .spec.monitoring.traces.tls.enabled = true.

Wait for Monitoring and TempoStack to be ready with the right storage secret.

Assert that the Perses Tempo datasource:

Uses an HTTPS gateway URL on port 8080.

Has client.tls.enable == true and CA config pointing at the tempo-service-ca ConfigMap and service-ca.crt.

Clean up traces config, TempoStack, and secrets.

The logic is solid and matches the intended TLS behavior. The two functions are nearly identical apart from backend/secret names; if you find yourself adding more backends later, you could factor them through a common helper (similar to validateTempoStackCreationWithBackend) to cut duplication.

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

929-996: TLS unit tests match the new behavior; a couple of tiny polish opportunities

TestDetermineTLSEnabled and TestAddTracesTemplateData_TLS accurately pin down the new TLS semantics:

TLS is true only when traces.TLS is non‑nil and Enabled is true; otherwise false regardless of backend.

addTracesTemplateData sets TempoTLSEnabled, chooses http vs https accordingly, and builds the correct TempoQueryEndpoint for PV (:3200) vs S3 (:8080 gateway), while also ensuring OtlpEndpoint, SampleRatio, Backend, and TracesRetention are present.

Optional nits:

In TestDetermineTLSEnabled, you could use serviceApi.StorageBackendPV/S3/GCS instead of raw "pv"/"s3"/"gcs" strings to keep tests aligned with the exported constants.

In TestAddTracesTemplateData_TLS, the expectedHTTPProtocol field isn’t used; either drop it or assert on the scheme via the endpoint to avoid dead fields.

Functionally, the tests look good.

Also applies to: 998-1107

internal/controller/services/monitoring/monitoring_controller_support.go (1)

208-259: TLS/template data behavior is coherent; consider deduplicating shared trace fields

The refactor around traces template data behaves consistently:

determineTLSEnabled now returns true only if traces.TLS is non‑nil and Enabled is true; otherwise TLS is off, which matches the new “TLS disabled by default” behavior exercised by the unit and e2e tests.

addTracesTemplateData uses that flag to:

Set TempoTLSEnabled.

Pick http vs https and build TempoQueryEndpoint correctly for:

PV → tempo-data-science-tempomonolithic.<ns>.svc.cluster.local:3200

S3/GCS → tempo-data-science-tempostack-gateway.<ns>.svc.cluster.local:8080

setTempoEndpointAndStorageData now switches on serviceApi.StorageBackendPV/S3/GCS, which avoids hard‑coded backend strings.

addTracesData handles TLS secrets (TempoCertificateSecret, TempoCAConfigMap) and always initializes them to "" when TLS is disabled, preventing template key errors.

One minor cleanup opportunity: OtlpEndpoint, SampleRatio, Backend, TempoTLSEnabled, and TracesRetention are now set in both addTracesData and addTracesTemplateData with the same values. It’s harmless (last writer wins with identical content), but you could centralize those assignments in one helper to reduce duplication and make future changes less error‑prone.

Overall, the TLS enablement and endpoint selection logic look correct and align with the new tests.

Also applies to: 536-575, 578-587

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3211d1 and b609ecb.

📒 Files selected for processing (8)

api/services/v1alpha1/monitoring_types.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (3 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-96)

TracesTLS (99-109)

TracesStorage (124-144)

StorageBackendPV (116-116)

StorageBackendS3 (118-118)

StorageBackendGCS (120-120)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (116-116)

StorageBackendS3 (118-118)

StorageBackendGCS (120-120)

Traces (82-96)

tests/e2e/monitoring_test.go (7)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (3)

PersesDatasource (562-566)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: golangci-lint
GitHub Check: Run tests and collect coverage on internal and pkg

🔇 Additional comments (4)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client configuration for Perses Tempo datasource looks sound (yamllint warning is template-related)

The conditional client.tls block keyed off .TempoTLSEnabled is consistent with the template data (TempoQueryEndpoint + TLS flag) and the e2e assertions on spec.config.plugin.spec.proxy.spec.client.tls.*. The use of {{- if ...}} / {{- end }} will render correct YAML; the YAMLlint “expected ':'” error is due to linting the raw Go template, not the rendered manifest.

No changes needed here.

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1)

1-8: Service CA ConfigMap template is correctly wired for TLS use

The tempo-service-ca ConfigMap with service.beta.openshift.io/inject-cabundle: "true" and empty data is exactly what the Perses datasource TLS block expects (caCert.type=configmap, name=tempo-service-ca, certPath=service-ca.crt). This should integrate cleanly with OpenShift service CA injection.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

15-19: Multitenancy and TLS server wiring look consistent; just verify field names against Tempo CRD

The new multitenancy block (enabled=true, mode=openshift, auth derived from Namespace) and the TLS sections using certName / caName plus optional server.http_tls_config gated by TempoCertificateSecret align with the template data and comments. This should give you OpenShift-style multitenancy and optional explicit HTTP TLS config while still allowing the Tempo operator to use serving certs when no explicit secret is provided.

Please double-check that certName, caName, and server.http_tls_config match the current TempoMonolithic CRD schema to avoid silent no-ops.

Also applies to: 32-37, 42-46, 52-60

tests/e2e/monitoring_test.go (1)

122-123: Perses datasource expectations updated correctly for “TLS disabled by default”

Registering the two new TLS test cases in the monitoring test suite and updating ValidatePersesDatasourceConfiguration to expect an HTTP Tempo endpoint when TLS is not configured matches the new determineTLSEnabled behavior (TLS off unless explicitly enabled). The custom error message now clearly documents this default, which is helpful for future debugging.

Also applies to: 1445-1465

dayakar349 · 2025-11-21T06:29:10Z

/cc @kahowell @StevenTobin @den-rgb @CFSNM

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (4)

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

25-53: Tempo service CA ConfigMap template is wired correctly into Perses datasource deployment

The TempoServiceCAConfigMapTemplate constant and its inclusion in deployPersesTempoIntegration cleanly ensure the CA bundle ConfigMap is applied whenever the PersesTempo datasource is managed (and the CRDs exist). If you want to avoid creating this resource when tracing/TLS is entirely unused, you could optionally gate adding this template on monitoring.Spec.Traces (or the TLS flag), but functionally this is fine as-is.

Also applies to: 545-552

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

15-60: Confirm TempoMonolithic multitenancy and TLS field names against Tempo operator API

The new multitenancy block (enabled: true, mode: openshift, namespace‑derived tenant mapping) and the TLS updates (certName/caName plus extraConfig.tempo.server.http_tls_config gated on TempoCertificateSecret) look aligned with the intended behavior and the broader TLS changes in this PR.

Because these fields are owned by the external tempo.grafana.com/v1alpha1 API and current e2e coverage for TempoMonolithic only checks storage/retention, please:

Double‑check that multitenancy.*, tls.certName, and tls.caName are the correct field names for the Tempo operator versions you support.

Consider extending ValidateTempoMonolithicCRCreation (or a new test) to assert at least one of the new multitenancy/TLS fields so regressions in this area are caught.

tests/e2e/monitoring_test.go (2)

1446-1465: Clarify wording around default TLS behavior in Perses datasource config test

The test correctly validates the HTTP (non‑TLS) endpoint when traces.tls isn’t enabled. To avoid confusion with the API’s TracesTLS.enabled default, consider rephrasing the comment and error message to something like “when TLS is not enabled” rather than “TLS is disabled by default”.

122-123: New S3/GCS TLS e2e tests for PersesDatasource are thorough and well‑isolated

The added ValidatePersesDatasourceTLSWithS3Backend / ...WithGCSBackend tests:

Properly gate on PersesDatasource CRD presence.

Start from a clean monitoring state, create backend‑specific secrets, enable traces.tls.enabled, and wait for TempoStack Ready.

Assert the expected HTTPS gateway URL and full client.tls config (including tempo-service-ca ConfigMap and service-ca.crt path), then clean up traces, TempoStack, and secrets.

This gives good end‑to‑end coverage of the new TLS behavior. If you want to tighten things further, you could:

Also assert that ConditionPersesTempoDataSourceAvailable is True in Monitoring.status.conditions in these tests.

Extract a small helper (similar to validateTempoStackCreationWithBackend) to reduce duplication between the S3 and GCS flows.

Also applies to: 1665-1835

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b609ecb and cabb1db.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (2 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (3 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

internal/controller/services/monitoring/monitoring_controller_support.go
api/services/v1alpha1/monitoring_types.go
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
internal/controller/services/monitoring/monitoring_controller_support_test.go

🧰 Additional context used

🧬 Code graph analysis (1)

tests/e2e/monitoring_test.go (7)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (4)

PersesDatasource (562-566)

Monitoring (310-314)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: golangci-lint
GitHub Check: Run tests and collect coverage on internal and pkg

🔇 Additional comments (2)

docs/api-overview.md (1)

2827-2843: TracesTLS documentation matches the new TLS behavior

The updated TracesTLS description and enabled field text correctly reflect TLS covering both OTLP ingestion (gRPC/HTTP) and query APIs (HTTP). No issues from an API-doc perspective.

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

18-27: TLS client block in Perses Tempo datasource template is consistent and well‑formed

The conditional client.tls block under proxy.spec is correctly indented and matches the S3/GCS TLS e2e expectations (HTTPS endpoint plus tempo-service-ca ConfigMap and service-ca.crt path). The YAMLlint “expected ':'” error is expected on raw Go templates and doesn’t indicate a real syntax issue in the rendered YAML.

dayakar349 · 2025-11-21T13:01:09Z

/retest

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/e2e/monitoring_test.go (1)
1665-1750: Well-structured helper function, consider validating the CA ConfigMap.

The helper function is well-designed with:

Proper parameterization for S3/GCS backends

Logical test flow (setup → configure → wait → validate → cleanup)

Comprehensive TLS validation (HTTPS endpoint, TLS enabled, CA cert config)

Extensive logging for debugging

Proper cleanup for test isolation

Consider adding validation that the tempo-service-ca ConfigMap exists and has the expected structure (injection annotation, CA bundle). This would provide more comprehensive coverage of the TLS setup.

Add validation for the tempo-service-ca ConfigMap:
+	// Validate tempo-service-ca ConfigMap exists with correct structure
+	tc.EnsureResourceExists(
+		WithMinimalObject(gvk.ConfigMap, types.NamespacedName{Name: "tempo-service-ca", Namespace: tc.MonitoringNamespace}),
+		WithCondition(
+			And(
+				jq.Match(`.metadata.annotations."service.beta.openshift.io/inject-cabundle" == "true"`),
+				jq.Match(`.data."service-ca.crt" != null`),
+			),
+		),
+		WithCustomErrorMsg("tempo-service-ca ConfigMap should exist with CA injection annotation and certificate"),
+	)
+
 	// This is the critical assertion - proves cloud backend now has TLS

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47b96b0 and 7c84df2.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

internal/controller/services/monitoring/monitoring_controller_actions.go
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_support_test.go

🧰 Additional context used

🧬 Code graph analysis (2)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

Traces (82-96)

tests/e2e/monitoring_test.go (6)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (3)

PersesDatasource (562-566)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: kube-linter
GitHub Check: golangci-lint

🔇 Additional comments (13)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: LGTM! TLS configuration is correctly structured.

The conditional TLS block properly configures client-side TLS for the Perses datasource when TempoTLSEnabled is true. The CA certificate reference to tempo-service-ca ConfigMap aligns with the new ConfigMap template introduced in this PR.

Note: The YAMLlint syntax error on line 20 is a false positive—YAMLlint cannot parse Go template directives like {{- if .TempoTLSEnabled }}. This is expected for template files.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2)

48-60: LGTM! Conditional HTTP TLS configuration is well-structured.

The extraConfig block correctly:

Configures explicit HTTP TLS only when TempoCertificateSecret is provided

Falls back to Tempo operator's OpenShift serving certificate service otherwise

Uses standard Kubernetes secret mount paths for certificates

The comment clearly explains the conditional logic.

32-46: TLS field names are correct per Tempo operator documentation.

The field names certName and caName match the official Tempo operator specification for TempoMonolithic CRD TLS configuration. However, verify the upgrade path for any existing TempoMonolithic resources to ensure they transition smoothly to the new field names or are compatible with both old and new naming conventions.

api/services/v1alpha1/monitoring_types.go (3)

98-109: LGTM! TLS documentation improvements clarify scope and defaults.

The updated comments clearly specify:

TLS applies to both ingestion and query APIs

TLS is disabled by default for backward compatibility

The specific protocols covered (OTLP gRPC/HTTP for ingestion, HTTP for query)

111-119: LGTM! Storage backend constants improve code maintainability.

These public constants eliminate magic strings and are properly reused in the controller code (as seen in monitoring_controller_support.go).

121-144: TracesStorage API redesign is sound; no critical migration issues identified.

Verification confirms:

CEL validation messages are clear and user-friendly (e.g., "When backend is s3 or gcs, the 'secret' field must be specified and non-empty")

Backend field default "pv" ensures backwards compatibility for new resources

Retention changed from string to metav1.Duration is type-safe and has sensible default (2160h)

No existing Monitoring CRs with traces configurations found in repo to validate migration paths

Since this is a v1alpha1 API with no prior version in the codebase and no existing deployed instances to upgrade, migration concerns are not applicable. The API design itself is solid.

internal/controller/services/monitoring/monitoring_controller_support.go (4)

216-235: LGTM! TLS configuration logic is well-structured.

The centralized TLS handling correctly:

Determines TLS enablement state via determineTLSEnabled

Sets explicit certificate/CA values when TLS enabled and certs provided

Uses empty strings for fallback to OpenShift serving certificates

Prevents template rendering errors with consistent empty values when TLS disabled

The three-path logic (enabled with certs, enabled without certs, disabled) is clear and well-commented.

237-253: LGTM! Protocol selection and endpoint construction are correct.

The protocol selection logic:

Defaults to http for backward compatibility

Switches to https when TLS is enabled

Applies consistently to both PV (TempoMonolithic) and cloud (TempoStack) query endpoints

244-255: LGTM! Backend-specific logic correctly uses new constants.

The backend handling properly:

Uses constants (serviceApi.StorageBackendPV, StorageBackendS3, StorageBackendGCS) instead of hardcoded strings

Configures appropriate endpoints for each backend (TempoMonolithic for PV, TempoStack gateway for cloud)

Includes backend-specific fields (Size for PV, Secret for cloud backends)

Applies protocol selection based on TLS enablement

552-561: LGTM! determineTLSEnabled correctly implements explicit opt-in.

The function properly:

Defaults to false for backward compatibility

Requires explicit traces.TLS.Enabled = true to enable TLS

Includes clear comments explaining the rationale (avoiding Tempo operator certificate provisioning issues)

tests/e2e/monitoring_test.go (3)

122-123: LGTM! New TLS test cases properly registered.

The test cases are well-named and logically ordered after the existing Perses datasource tests.

1446-1464: LGTM! Comments accurately reflect TLS disabled by default.

The updated comments and error messages correctly document the default TLS disabled behavior, improving test clarity and maintainability.

1752-1762: LGTM! Test functions properly delegate to parameterized helper.

Both test functions are clean wrappers that correctly:

Use t.Helper() for proper test reporting

Delegate to the shared helper with the appropriate backend parameter

coderabbitai · 2025-11-21T17:51:00Z

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

  multitenancy:
-    enabled: true  # Required for OpenShift
+    enabled: true
+    mode: openshift  # Required for OpenShift
+    authentication:
+      - tenantId: {{.Namespace}}
+        tenantName: {{.Namespace}}


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify multitenancy enablement impact on existing deployments.

Multitenancy is now unconditionally enabled with mode: openshift, which represents a behavior change. Ensure:

This doesn't break existing TempoMonolithic deployments without multitenancy

The OpenShift-specific mode is appropriate for all target environments (ODH vs RHOAI)

Existing traces remain accessible after this change

🏁 Script executed:

#!/bin/bash # Verify if multitenancy was previously configurable or disabled by default rg -n "multitenancy" --type yaml -g "tempo*.yaml" -g "tempo*.tmpl.yaml" -C3

Length of output: 743

Let me also search the tempo template for any conditional logic or parameters:

🏁 Script executed:

#!/bin/bash # Find all tempo-related config files to understand the broader context echo "=== All tempo config files ===" fd "tempo" --type f -e yaml -e tmpl.yaml echo -e "\n=== Search for multitenancy-related parameters or conditionals ===" rg -n "multitenancy|tenantId|tenantName" --type yaml -C2 echo -e "\n=== Search for configuration parameters or conditionals ===" rg -n "{{\..*Multitenancy|{{\..*Tenant|if.*multitenancy|if.*tenant" --type yaml -C2

Length of output: 1758

🏁 Script executed:

#!/bin/bash # Check if there's documentation about multitenancy requirements fd "README|CHANGELOG|CONTRIBUTING" --type f | head -20

Length of output: 203

🏁 Script executed:

#!/bin/bash # Examine the full tempo template to understand parameters and conditionals cat internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml | head -100

Length of output: 1646

🏁 Script executed:

#!/bin/bash # Search for parameter definitions and how this template is used echo "=== Search for parameter definitions or configuration structs ===" rg -n "TempoCPURequest|TempoMemoryRequest|Namespace" --type go | grep -E "(type|struct|field)" | head -20 echo -e "\n=== Look for where tempo-monolithic.tmpl.yaml is referenced/instantiated ===" rg -n "tempo-monolithic" --type go -C2 | head -40 echo -e "\n=== Check for multitenancy parameter or flag definitions ===" rg -n "multitenancy|Multitenancy" --type go -C3 | head -40

Length of output: 3442

🏁 Script executed:

#!/bin/bash # Check git history to see if multitenancy is new or changed echo "=== Recent changes to tempo-monolithic.tmpl.yaml ===" git log --oneline -n 20 -- internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml 2>/dev/null || echo "Git history not available" echo -e "\n=== Show the full tempo-monolithic template to see all conditionals ===" cat internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

Length of output: 2235

🏁 Script executed:

#!/bin/bash # Find the monitoring controller or parameter struct echo "=== Look for TempoMonolithic or monitoring parameters struct ===" rg -n "struct.*Tempo|type.*Tempo" --type go -C4 | head -60 echo -e "\n=== Search for where TempoMonolithicTemplate values are populated ===" rg -n "TempoMonolithicTemplate|tempo-monolithic" --type go -A5 -B5 | head -60

Length of output: 4979

🏁 Script executed:

#!/bin/bash # Check the most recent commit to see what changed echo "=== Show the most recent commit that touched tempo-monolithic ===" git show --stat 7c84df2 -- internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml 2>/dev/null | head -50 echo -e "\n=== Show the commit before that ===" git show 6d581a0 -- internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml 2>/dev/null | head -100

Length of output: 1630

🏁 Script executed:

#!/bin/bash # Search for any mention of multitenancy in the entire repo echo "=== All references to multitenancy in the repo ===" rg -n "multitenancy" --type yaml --type go --type md 2>/dev/null echo -e "\n=== Search for tempo configuration or values files ===" find . -name "*tempo*values*" -o -name "*tempo*config*" | grep -v node_modules

Length of output: 291

Add parameter control for multitenancy configuration to respect environment differences.

Multitenancy is unconditionally enabled with mode: openshift hardcoded in the template. This is a breaking change (added Nov 19) and contradicts the principle of respecting user changes. Unlike other toggles (TLS, storage size), there's no way to disable multitenancy or adjust the mode for non-OpenShift environments (e.g., plain Kubernetes deployments of ODH).

Required actions:

Add template parameters: MultitenancyEnabled and TempoMultitenancyMode

Update template to conditionally render multitenancy block: {{- if .MultitenancyEnabled }}

Update template to use parameterized mode: mode: {{.TempoMultitenancyMode}}

Ensure defaults maintain current behavior while allowing customization

Update documentation on when/why multitenancy should be enabled per deployment type

🤖 Prompt for AI Agents

In internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml around lines 14-19, the multitenancy stanza is hardcoded and always enabled; add two template parameters MultitenancyEnabled (bool, default true) and TempoMultitenancyMode (string, default "openshift"), wrap the multitenancy block in a conditional using {{- if .MultitenancyEnabled }} ... {{- end }}, replace the hardcoded mode with mode: {{.TempoMultitenancyMode}}, and ensure the parameter defaults preserve current behavior while documenting the new parameters and guidance on when to enable/disable multitenancy for different deployment types.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (4)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client block wiring for Perses Tempo datasource looks correct; linter warning is likely a template false positive

The conditional client.tls block is correctly guarded by TempoTLSEnabled and matches the CA ConfigMap you introduce (tempo-service-ca / service-ca.crt). The rendered YAML when TLS is enabled/disabled will be valid.

If yamllint is part of CI and actually failing on Line 20, you may want to align with whatever pattern other templates in this repo use (e.g., placing {{- if ... }} / {{- end }} at column 0 or wrapping them in comments) so the raw file parses for the linter, but functionally this template is fine.

internal/controller/services/monitoring/monitoring_controller_support_test.go (2)

929-986: Table coverage for determineTLSEnabled is good; consider using backend constants

The test cases exercise explicit true/false and nil TLS across all backends, which matches the intended “opt‑in TLS” behavior.

For consistency with the production code (which now uses serviceApi.StorageBackendPV/S3/GCS), consider using those constants instead of string literals in the test TracesStorage.Backend fields to avoid backend name drift if the enum ever evolves.

998-1107: TLS template data tests are effective; tidy up unused expectations and broaden coverage if desired

The assertions around TempoTLSEnabled, TempoQueryEndpoint, and presence of other fields correctly validate the new TLS/path logic for PV and S3.

Two minor test cleanups you might consider:

The expectedHTTPProtocol field in the table is never used; either drop it or add an assertion on the scheme of TempoQueryEndpoint to make the intent explicit.

Optionally add a GCS backend case with TLS enabled here as well (even though S3/GCS share the same branch), mirroring the e2e coverage for cloud backends.

None of this affects correctness, just test clarity.

tests/e2e/monitoring_test.go (1)

52-56: Cloud-backend TLS e2e coverage is strong; consider small consistency tweaks

The new validatePersesDatasourceTLSWithCloudBackend helper plus S3/GCS wrappers nicely verify the full path:

Monitoring traces configured with a cloud backend and TLS enabled.

TempoStack Ready with the expected secret wiring.

PersesDatasource proxy URL using https://tempo-data-science-tempostack-gateway...:8080 and the client.tls.caCert block pointing at tempo-service-ca/service-ca.crt.

Two minor consistency nits you might consider:

You already define TracesStorageBackendS3 / TracesStorageBackendGCS constants at the top of the file; using those instead of string literals "s3" / "gcs" when calling the helper and in any future assertions will reduce the chance of typos.

If you expect more backends in the future, you could add a small check (or even a switch) inside validatePersesDatasourceTLSWithCloudBackend to fail fast on unsupported backend values, but that’s not strictly necessary today.

Functionally these tests look very solid.

Also applies to: 122-123, 1665-1762

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7c84df2 and 52954ae.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

docs/api-overview.md
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

🧰 Additional context used

🧬 Code graph analysis (3)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

Traces (82-96)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-96)

TracesTLS (99-109)

TracesStorage (124-144)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

tests/e2e/monitoring_test.go (6)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (3)

PersesDatasource (562-566)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: golangci-lint

🔇 Additional comments (4)

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1)

1-8: Service CA ConfigMap template is consistent and minimal

ConfigMap metadata (name/namespace) and inject-cabundle annotation look correct for OpenShift service CA injection, and the empty data: {} is standard for this pattern. No changes needed here.

api/services/v1alpha1/monitoring_types.go (1)

98-144: Traces TLS semantics and backend-driven storage config look consistent with the controller logic

The updated TracesTLS documentation (explicit default-off, covering ingestion + query) and the new StorageBackend* constants align with how the controller now derives Tempo endpoints and TLS behavior.

TracesStorage’s enum/default plus XValidation rules (“secret required when backend != pv”, “size only allowed for pv”) match the usage in addTracesTemplateData and the e2e tests. This is a good tightening of the API surface without obvious backward-compat issues.

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

48-52: Wiring the tempo service CA ConfigMap into Perses–Tempo deployment is sound

Including TempoServiceCAConfigMapTemplate alongside PersesTempoDatasourceTemplate in deployPersesTempoIntegration ensures the CA bundle resource needed by the datasource TLS block is always present in the monitoring namespace, without adding extra conditionals here.

This integration looks correct given the new template and avoids sprinkling the ConfigMap logic across multiple places.

Also applies to: 545-552

internal/controller/services/monitoring/monitoring_controller_support.go (1)

216-255: Centralized TLS and protocol handling for traces looks correct and matches the new API/tests

The addTracesTemplateData changes cleanly encapsulate:

An explicit TempoTLSEnabled flag derived from determineTLSEnabled (respecting traces.TLS.Enabled and defaulting to false).

Consistent population of TempoCertificateSecret and TempoCAConfigMap, with empty-string defaults when TLS is off or certs aren’t specified, which keeps the templates simple.

Backend-aware endpoints using serviceApi.StorageBackendPV/S3/GCS, and an http vs https scheme only on TempoQueryEndpoint, which is exactly what the Perses datasource template consumes.

determineTLSEnabled’s default-false behavior is also aligned with the updated comments and tests, and should avoid unexpected certificate provisioning behavior by requiring an explicit opt-in.

Also applies to: 553-561

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (5)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

23-26: Consider parameterizing the CA ConfigMap name for Perses TLS.

Right now the CA source is hardcoded to the tempo-service-ca ConfigMap. That matches the new service-CA template, but it means a user-specified traces.tls.caConfigMap (custom CA) cannot be reused for Perses. If supporting custom CAs for Tempo is in scope, consider wiring this to the same value (or exposing a separate parameter) so Perses can trust non-service-CA certificates as well.

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

543-553: Including the tempo-service-ca ConfigMap in the Perses Tempo integration is reasonable.

Appending TempoServiceCAConfigMapTemplate to the templates for deployPersesTempoIntegration ensures the CA ConfigMap exists whenever the Tempo datasource is managed. Creating it even when TLS is disabled is harmless and simplifies the controller logic.

If you later want to tighten this, you could gate the ConfigMap template on traces.tls.enabled in the template data rather than always deploying it.

api/services/v1alpha1/monitoring_types.go (1)

111-119: Backend constants are a good addition; ensure they’re used consistently.

StorageBackendPV, StorageBackendS3, and StorageBackendGCS centralize the backend strings. To avoid drift, it’s worth using these constants in controller logic (e.g., comparisons in deployTracingStack and related helpers) instead of inline "pv", "s3", "gcs" literals.

internal/controller/services/monitoring/monitoring_controller_support.go (1)

225-240: TLS certificate config has an effectively unreachable branch

Given determineTLSEnabled only returns true when traces.TLS != nil && traces.TLS.Enabled (Lines 560-563), the else branch under if tlsEnabled { ... } for the traces.TLS == nil case (Lines 231-235) cannot currently be hit. You could simplify this to reduce confusion, e.g. by dropping the inner else and relying on the !tlsEnabled block to normalize empty values, or by adjusting determineTLSEnabled if you do expect a “TLS on with implicit TLS struct” case in future.

Also applies to: 557-566

tests/e2e/monitoring_test.go (1)

1665-1750: Minor test cleanups: reuse backend constants and consider tightening TLS assertions

The shared helper is well-structured and readable; a couple of small improvements you might consider:

Instead of passing raw "s3"/"gcs" strings, reuse the TracesStorageBackendS3 / TracesStorageBackendGCS constants already defined at the top of the file, to keep tests aligned with other usages and avoid typos if backend identifiers ever change.

(Optional) If you want even stronger validation of the TLS path, you could add an assertion that the tempo-service-ca ConfigMap actually exists and has the expected service-ca.crt key, to ensure the CA material is present in addition to the PersesDatasource spec wiring.

These are niceties only; the current implementation is correct as-is.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52954ae and 9b3f6a9.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

internal/controller/services/monitoring/monitoring_controller_support_test.go
docs/api-overview.md

🧰 Additional context used

🧬 Code graph analysis (2)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

Traces (82-96)

tests/e2e/monitoring_test.go (7)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (4)

PersesDatasource (562-566)

Monitoring (310-314)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

[error] 15-15: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: golangci-lint
GitHub Check: kube-linter
GitHub Check: Run tests and collect coverage on internal and pkg

🔇 Additional comments (10)

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1)

1-8: Service CA ConfigMap template looks correct and aligned with Perses TLS usage.

Name, namespace templating, and the inject-cabundle annotation all look consistent with the Perses datasource TLS block and the expected service-ca.crt key.

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: YAML templating: structure is valid post-render; static analysis error is likely a false positive.

The client.tls block is correctly nested under proxy.spec, and the {{- if .TempoTLSEnabled }} guard should render valid YAML when processed. The YAMLlint “expected ':'” error is almost certainly due to the Go template directive itself, not the final manifest. It would be good to validate the rendered PersesDatasource (e.g., from a running cluster or unit test golden) to confirm.

If your CI treats the template as raw YAML, you may need to adjust linting config or add an ignore rule for template directives rather than changing this structure.

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

25-48: New CA ConfigMap template constant is wired correctly.

TempoServiceCAConfigMapTemplate matches the new template path and keeps all resource templates centralized alongside the other monitoring-related templates.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (3)

14-21: Multitenancy block is now correctly parameterized and conditionally rendered.

Wrapping multitenancy in {{- if .MultitenancyEnabled }} with a configurable TempoMultitenancyMode addresses the prior concern about hardcoded multitenancy. The YAMLlint syntax error around this region is expected on raw templates; the rendered YAML structure (with multitenancy: aligned under spec) is valid.

If not already covered, consider adding/keeping a unit test that asserts the multitenancy block is omitted when .MultitenancyEnabled is false.

28-48: TLS field renames under ingestion.otlp look consistent but should be checked against the Tempo CRD.

Switching from certificateSecret/caConfigMap to certName/caName under both gRPC and HTTP TLS blocks is fine as long as these match the TempoMonolithic API fields. The conditional guards with .TempoCertificateSecret and .TempoCAConfigMap are preserved, so behavior should be unchanged apart from the field names.

Please double‑check these names against the Tempo operator CRD (or related tests) to avoid subtle schema mismatches.

54-62: extraConfig.http_tls_config conditional aligns with explicit-certificate behavior.

Tying server.http_tls_config to .TempoCertificateSecret ensures HTTP TLS is only explicitly configured when a dedicated cert is provided, leaving the operator to manage OpenShift serving certs otherwise. The path and filenames (/var/run/tls/http/server/tls.crt/.key) are consistent within the template.

If not already covered, a unit or e2e test that toggles traces.tls.certificateSecret would help ensure the http_tls_config block appears/disappears as expected.

api/services/v1alpha1/monitoring_types.go (2)

98-109: TracesTLS documentation now clearly reflects the TLS scope.

The updated comment explicitly covering both OTLP ingestion and query APIs improves clarity without changing behavior.

121-144: TracesStorage schema and XValidation rules capture key invariants for PV/S3/GCS.

The backend enum + default, secret requirement for non‑PV backends, and “size only for PV” rule together encode the expected constraints well. This should prevent misconfigured cloud-storage setups at admission time.

It would be good to have table‑driven unit tests (or CRD validation tests) covering:

backend unset (default pv),

backend = s3/gcs with/without secret,

backend = pv with/without size,
to guard against regressions in the XValidation expressions.

internal/controller/services/monitoring/monitoring_controller_support.go (1)

216-260: Tempo multitenancy + TLS/query endpoint wiring looks consistent

Unconditionally setting MultitenancyEnabled/TempoMultitenancyMode, driving TempoTLSEnabled via determineTLSEnabled, and using the protocol variable for TempoQueryEndpoint across PV and S3/GCS backends lines up with the intended behaviour (HTTP by default, HTTPS when TLS is enabled) and avoids template key-missing issues by always populating the TLS-related fields. I don’t see correctness issues in this block.

tests/e2e/monitoring_test.go (1)

122-123: Good coverage for default (non‑TLS) and TLS Perses datasource paths

Adding the two TLS-focused test cases to the suite, plus the explicit assertion that the Tempo datasource uses HTTP when TLS is disabled, and the S3/GCS-specific wrappers, gives nice end-to-end coverage of both the default and TLS-enabled behaviours without overcomplicating the tests. The CRD existence guards and cleanup sections also look solid.

Also applies to: 1446-1465, 1752-1762

dayakar349 · 2025-11-22T06:16:36Z

/retest

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (6)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client block for Perses Tempo datasource looks consistent; YAMLlint error is a template false positive

The conditional client.tls section matches the new TempoTLSEnabled / TempoQueryEndpoint data and what the e2e tests assert for S3/GCS TLS. Indentation is correct once the {{- if ... }} / {{- end }} directives are rendered, so the YAMLlint “expected ':'” error on the template line can be safely ignored or suppressed in tooling.

If YAMLlint runs on raw templates in CI, consider configuring it to ignore {{...}} lines to avoid noisy false positives.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

14-21: Multitenancy + TLS wiring for TempoMonolithic looks correct; toggle is prepared but still hardcoded

The new multitenancy and TLS sections line up with the template data:

MultitenancyEnabled / TempoMultitenancyMode correctly gate the multitenancy block and parameterize mode.

OTLP gRPC/HTTP tls.enabled plus certName / caName are wired to the new template vars and match the TempoMonolithic TLS schema.

The extraConfig.tempo.server.http_tls_config block is only emitted when TempoCertificateSecret is set, which avoids interfering with default OpenShift service-serving certs.

Note that MultitenancyEnabled is currently always set true in code, so this is not yet user-configurable, but the template is ready once an API knob is added. The YAMLlint syntax error is a false positive from the {{- if ... }} line and does not reflect a real YAML problem after rendering.

Also applies to: 28-49, 54-62

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

929-996: TLS unit tests are solid; expectedHTTPProtocol is currently unused

The new tests give good coverage of determineTLSEnabled and addTracesTemplateData for PV vs S3 backends with TLS on/off, and they validate the TempoQueryEndpoint URLs and required template keys.

One small clean-up: the expectedHTTPProtocol field in TestAddTracesTemplateData_TLS is never asserted, so it’s effectively dead test data. Either drop the field or add an explicit assertion on the protocol if you want to keep it.

Also applies to: 998-1107

tests/e2e/monitoring_test.go (1)

122-123: E2E coverage for Perses TLS with S3/GCS backends looks thorough; consider optional ConfigMap assertion

The new suite entries and validatePersesDatasourceTLSWithCloudBackend helper exercise the full path for TLS-enabled cloud backends:

Traces with S3/GCS + TLS enabled

TempoStack Ready with the correct backend secret

PersesDatasource proxy URL switched to HTTPS via the Tempo gateway

HTTP client TLS enabled with the expected caCert configmap and key path

This gives good confidence that the new TLS wiring behaves as intended for both S3 and GCS.

If you want to go one step further in the future, you could also assert that the tempo-service-ca ConfigMap exists in the monitoring namespace with the expected injection annotation and populated service-ca.crt key, but that’s an enhancement rather than a blocker for this PR.

Also applies to: 1446-1447, 1665-1762
api/services/v1alpha1/monitoring_types.go (1)
98-109: Traces TLS/storage API shape looks good; XValidation could be made a bit more defensive

The TracesTLS comment, backend constants, and expanded TracesStorage (Backend/Size/Secret/Retention) align well with how the controller and tests now distinguish PV vs S3/GCS and wire TLS.

For the CEL validations, the current rules:

Enforce a non-empty secret when backend != "pv".

Forbid size when backend != "pv".

are logically correct, assuming backend is reliably set (defaulting to "pv"). To be slightly more future‑proof, you might consider guarding for a missing backend, for example:
// Secret required for non-PV backends
// +kubebuilder:validation:XValidation:rule="!has(self.backend) || self.backend == 'pv' || (has(self.secret) && self.secret != '')",message="When backend is s3 or gcs, the 'secret' field must be specified and non-empty"
// Size only allowed for PV
// +kubebuilder:validation:XValidation:rule="!has(self.backend) || self.backend == 'pv' || !has(self.size)",message="Size is supported when backend is pv only"
Not strictly required for this PR, but it would make validation more robust to defaulting/omission edge cases.

Also applies to: 111-144
internal/controller/services/monitoring/monitoring_controller_support.go (1)

208-260: Centralized TLS/protocol handling for traces looks correct; multitenancy toggle and CA usage are acceptable for now

The refactor in addTracesTemplateData plus determineTLSEnabled does a nice job of:

Making TLS strictly opt‑in via traces.TLS.Enabled, with a safe default of false.

Centralizing HTTP vs HTTPS protocol selection for both TempoMonolithic (port 3200) and TempoStack gateway (port 8080) query endpoints.

Populating TempoTLSEnabled, TempoCertificateSecret, and TempoCAConfigMap consistently for use across templates.

Using the new backend constants to drive TempoEndpoint, TempoQueryEndpoint, Size, and Secret.

Two small notes:

MultitenancyEnabled / TempoMultitenancyMode are now clearly surfaced to the template but still hardcoded (true / "openshift"). That’s fine for current OpenShift‑only targets and future‑proofs the templates once you decide to expose a real knob.

On the client side, the Perses datasource TLS config always trusts the service CA via the fixed tempo-service-ca ConfigMap; custom CA scenarios currently only flow into Tempo itself via TempoCAConfigMap. That’s an acceptable limitation for this PR’s goal (TLS with the OpenShift service CA), but worth keeping in mind if you later add support for user‑supplied CAs end‑to‑end.

Overall, the new logic is consistent with the updated templates and tests.

Also applies to: 557-566

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9b3f6a9 and 895ac1a.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_actions.go
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml

🧰 Additional context used

🧬 Code graph analysis (3)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-96)

TracesTLS (99-109)

TracesStorage (124-144)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

Traces (82-96)

tests/e2e/monitoring_test.go (7)

tests/e2e/resource_options_test.go (4)

WithCustomErrorMsg (287-291)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (4)

PersesDatasource (562-566)

Monitoring (310-314)

TempoStack (514-518)

Namespace (28-32)

pkg/utils/test/testf/testf_support.go (1)

Transform (78-106)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

tests/e2e/controller_test.go (1)

TestTimeouts (100-108)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

[error] 15-15: syntax error: could not find expected ':'

(syntax)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: golangci-lint
GitHub Check: kube-linter
GitHub Check: Run tests and collect coverage on internal and pkg

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (6)

internal/controller/services/monitoring/monitoring_controller_support_test.go (2)

929-996: TLS enablement tests look correct; consider using backend constants and adding a nil-traces case

The table cases exercise the key TLS-on/off and TLS-nil scenarios and match the “TLS disabled by default” contract. For better future-proofing, consider:

Using serviceApi.StorageBackendPV/S3/GCS instead of raw "pv"/"s3"/"gcs" literals to avoid drift if the constants ever change.

Optionally adding a traces == nil case if determineTLSEnabled is expected to be nil-safe, to lock that behavior in tests.

998-1107: Template-data TLS test is solid; clean up unused field and consider GCS coverage

The test correctly checks:

TempoTLSEnabled

TempoQueryEndpoint (including http vs https via the URL)

Presence of the other key template fields.

Two minor nits:

expectedHTTPProtocol is never used; either assert a corresponding template key (if one exists) or drop the field to avoid confusion.

You only cover S3 for the cloud-backend path; adding a GCS case would make this unit test align better with the new e2e TLS tests for S3/GCS.

api/services/v1alpha1/monitoring_types.go (1)

98-144: Backend and storage validation look consistent; tighten comments and keep strings in sync

The new backend constants and TracesStorage XValidation rules look coherent:

Default backend="pv" with enum validation avoids breaking existing CRs.

self.backend != 'pv' ? (has(self.secret) && self.secret != '') : true correctly forces a non-empty secret for S3/GCS while leaving PV unchanged.

self.backend != 'pv' ? !has(self.size) : true enforces PV-only size, which matches the intent.

A couple of small polish items:

The field comment on Traces.TLS still says “TLS configuration for Tempo gRPC connections”, while TracesTLS now documents ingestion (gRPC/HTTP) and query APIs. Consider updating the field-level comment to avoid mixed messaging.

The XValidation rules inline 'pv' while the code exposes StorageBackendPV/S3/GCS constants; if you ever change the constant values, remember to update these CEL expressions to match.

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client block and CA wiring look correct; YAMLlint warning is a template false positive

The conditional client.tls block wired to tempo-service-ca matches the new TLS behavior and is correctly gated on .TempoTLSEnabled. Indentation is consistent with the surrounding HTTPProxy spec and will render valid YAML both when TLS is enabled and when it’s disabled (block omitted).

The YAMLlint “expected ':'” error is coming from the raw {{- if .TempoTLSEnabled }} line, not from the rendered manifest. If lint noise is a problem, you could switch to {{ if .TempoTLSEnabled }} (no left trim) or add a lint ignore for templates, but functionally this template is fine.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

14-62: Multitenancy gating looks good; double‑check TLS field names against TempoMonolithic API

The changes here look directionally right:

Wrapping multitenancy in {{- if .MultitenancyEnabled }} and parameterizing mode: {{.TempoMultitenancyMode}} fixes the previous issue where multitenancy was unconditionally enabled and hardcoded to openshift. This should be much friendlier across environments while allowing defaults to preserve current behavior.

The new extraConfig.tempo.server.http_tls_config block gated on .TempoCertificateSecret is a sensible way to only force HTTP TLS when an explicit cert is provided and otherwise defer to the operator’s serving cert wiring.

Because these stanzas talk directly to the TempoMonolithic CRD, please re-verify the exact field names and shapes:

ingestion.otlp.grpc.tls.certName / caName

ingestion.otlp.http.tls.certName / caName

extraConfig.tempo.server.http_tls_config.{cert_file,key_file}

to ensure they match the current Grafana Tempo operator schema; otherwise these keys may be ignored or rejected at admission time. Existing tests in this file focus on retention and PV backend behavior and don’t appear to assert monolithic TLS, so an extra TLS-on test for the PV path (or manual validation) would be valuable.

The YAMLlint error around the {{- if .MultitenancyEnabled }} line is again a template-vs-lint artifact, not a problem in the rendered YAML.

If you’d like, I can sketch an additional e2e or unit test that exercises TempoMonolithic with TLS enabled on the PV backend to lock this behavior in.

tests/e2e/monitoring_test.go (1)

1665-1762: Cloud-backend TLS helper is well-structured; consider reusing backend constants and optionally asserting the CA ConfigMap

The new validatePersesDatasourceTLSWithCloudBackend helper does a good job of:

Ensuring CRD presence before running.

Starting from a clean slate (ensureMonitoringCleanSlate + secret cleanup).

Creating a backend-specific secret, enabling traces with the chosen backend and tls.enabled = true.

Waiting for TempoStack to be Ready with the correct backend/secret wiring.

Asserting that the PersesDatasource:

uses an HTTPS gateway URL for TempoStack,

turns on client.tls.enable,

and references tempo-service-ca with service-ca.crt.

A few small improvements you might consider:

Use the existing constants (TracesStorageBackendS3 / TracesStorageBackendGCS) when calling this helper and when constructing/validating backends, instead of hardcoding "s3" / "gcs", to keep tests in sync with the API types.

For completeness around the new CA flow, you could also assert that the tempo-service-ca ConfigMap exists and has the injection annotation, similar to what you manually verified on cluster, though that’s more of an enhancement than a requirement for this PR.

Overall, the control flow and cleanup (cleanupTracesConfiguration + cleanupTempoStackAndSecret) look solid and should keep these tests from leaking state into others.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 895ac1a and 0c773eb.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_actions.go
internal/controller/services/monitoring/monitoring_controller_support.go

🧰 Additional context used

🧬 Code graph analysis (2)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-96)

TracesTLS (99-109)

TracesStorage (124-144)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

tests/e2e/monitoring_test.go (4)

tests/e2e/resource_options_test.go (2)

WithCustomErrorMsg (287-291)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

pkg/cluster/gvk/gvk.go (3)

PersesDatasource (574-578)

Monitoring (316-320)

TempoStack (526-530)

pkg/utils/test/testf/testf_witht.go (1)

WithEventuallyTimeout (46-50)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

[error] 15-15: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: kube-linter
GitHub Check: golangci-lint
GitHub Check: Run tests and collect coverage on internal and pkg

🔇 Additional comments (2)

tests/e2e/monitoring_test.go (2)

122-123: Nice addition of explicit TLS cloud-backend tests into the suite

Registering ValidatePersesDatasourceTLSWithS3Backend and ValidatePersesDatasourceTLSWithGCSBackend in the main monitoring test suite gives good end‑to‑end coverage for the new TLS behavior without changing the structure of the harness.

1446-1465: Perses datasource default HTTP expectation matches “TLS disabled by default” semantics

The updated comment, expectedTempoEndpoint (HTTP), and the custom error message now clearly reflect that traces TLS is off by default and that the baseline Perses Tempo datasource should use an HTTP endpoint unless TLS is explicitly enabled. This keeps the e2e expectation aligned with determineTLSEnabled and the new TLS defaults.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (2)

tests/e2e/monitoring_test.go (2)

52-56: Backend constants improve test readability; consider reusing them consistently.

Defining TracesStorageBackendPV/S3/GCS and TracesStorageSize1Gi in the test file is a good move away from magic strings. There are still a few call sites that pass "pv" directly (e.g. some withMonitoringTraces usages); if you want to tighten things up, you could switch those to these constants as well for consistency, but it’s not strictly necessary.

1665-1762: TLS helper for PersesDatasource with cloud backends is sound and reuses existing utilities.

The validatePersesDatasourceTLSWithCloudBackend flow is well-structured:

Ensures a clean slate and deletes any leftover TempoStack/secret for the given backend.

Creates a backend‑specific dummy secret (reusing createDummySecret).

Configures traces with the chosen backend and traces.tls.enabled = true.

Waits for:

Monitoring CR to show the expected backend

TempoStack to be Ready with matching spec.storage.secret.{type,name}

PersesDatasource to expose the HTTPS gateway endpoint and the expected client.tls ConfigMap CA wiring.

Cleanup via cleanupTracesConfiguration and cleanupTempoStackAndSecret mirrors other tests and should prevent cross‑test contamination. The S3/GCS wrapper methods are thin and clear. If you’d like to tighten coupling with your backend constants, you could pass TracesStorageBackendS3/GCS instead of raw "s3"/"gcs", but the current implementation is correct.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c773eb and e3da982.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

internal/controller/services/monitoring/monitoring_controller_support.go
internal/controller/services/monitoring/monitoring_controller_actions.go
docs/api-overview.md
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
internal/controller/services/monitoring/monitoring_controller_support_test.go

🧰 Additional context used

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml

[error] 15-15: syntax error: could not find expected ':'

(syntax)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: golangci-lint

🔇 Additional comments (6)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS block wiring and indentation look correct; YAMLlint error is expected.

The conditional client.tls block is correctly indented as a sibling of url/headers under proxy.spec, and it cleanly injects the tempo-service-ca bundle when .TempoTLSEnabled is true. The YAMLlint “could not find expected ':'” at Line 20 is just the linter not understanding the {{- if ... }} template control line; the rendered YAML will be valid, so no change is needed here.

api/services/v1alpha1/monitoring_types.go (1)

98-109: Traces TLS semantics and storage XValidations are consistent and enforce the right invariants.

The updated TracesTLS comment now matches the actual behavior: TLS is opt‑in via enabled and applies to both ingestion and query paths, with backward compatibility preserved by the zero value. The new TracesStorage schema plus CEL rules correctly enforce:

secret must be present and non‑empty for non‑PV backends

size is only allowed for the PV backend

This matches the e2e expectations for PV vs S3/GCS paths and should prevent misconfigured CRs from slipping through.

Also applies to: 111-144

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2)

14-21: Multitenancy is now properly parameterized and gated.

Wrapping the multitenancy stanza in {{- if .MultitenancyEnabled }} and driving mode from .TempoMultitenancyMode restores configurability and avoids hard‑coding OpenShift multitenancy for all environments. This addresses the earlier concern about unconditionally enabling multitenancy while preserving current defaults via the parameter values.

28-49: TLS field renames and conditional HTTP TLS config align with the new traces TLS model.

The switch to certName/caName under ingestion.otlp.grpc/http.tls matches the updated controller/template fields and keeps TLS wiring consistent. The extraConfig.tempo.compactor.compaction.block_retention: {{.TracesRetention}} hook plus the guarded server.http_tls_config block (only when .TempoCertificateSecret is set) cleanly separate the explicit‑cert path from the default OpenShift‑serving‑cert behavior. YAMLlint’s complaint on the template if is again just linter noise and doesn’t affect rendered YAML.

Also applies to: 54-62

tests/e2e/monitoring_test.go (2)

122-123: Adding TLS test cases for S3 and GCS completes the e2e coverage matrix.

Registering ValidatePersesDatasourceTLSWithS3Backend and ...WithGCSBackend in the suite ensures TLS behavior is exercised for both cloud storage backends alongside the existing PV/non‑TLS scenarios.

1446-1465: Perses datasource expectations correctly reflect “TLS disabled by default”.

The updated comment and error message, plus the expectedTempoEndpoint using http://tempo-data-science-tempomonolithic...:3200, align with the new API contract where traces TLS is opt‑in. This keeps the baseline configuration test authoritative for the non‑TLS path.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/e2e/monitoring_test.go (1)

51-56: New backend constants and Perses datasource configuration tests align with TLS-off default behavior

Defining TracesStorageBackendPV/S3/GCS and using them in both traces/TempoStack tests and the TLS tests makes the scenarios easier to read, and the updated ValidatePersesDatasourceConfiguration explicitly asserting an HTTP endpoint with a “TLS disabled by default” message matches the controller’s determineTLSEnabled behavior and TempoQueryEndpoint construction. The two new test cases wired into monitoringTestSuite give good coverage over the S3/GCS TLS permutations. If you want to avoid string drift long-term, you could optionally import and use the StorageBackend* constants from the API package in this file instead of redefining them.

Also applies to: 123-124, 1517-1536

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a075073 and e662d87.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (2 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_actions.go
internal/controller/services/monitoring/monitoring_controller_support_test.go
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml

🧰 Additional context used

🧬 Code graph analysis (2)

tests/e2e/monitoring_test.go (6)

tests/e2e/resource_options_test.go (3)

WithMinimalObject (155-170)

WithCondition (262-266)

WithEventuallyTimeout (294-298)

pkg/cluster/resources.go (1)

HasCRD (366-368)

api/services/v1alpha1/monitoring_types.go (1)

Monitoring (159-165)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

pkg/utils/test/testf/testf_witht.go (1)

WithEventuallyTimeout (46-50)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (114-114)

StorageBackendS3 (116-116)

StorageBackendGCS (118-118)

Traces (82-96)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: golangci-lint

🔇 Additional comments (5)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client configuration for Perses Tempo datasource looks consistent with controller data and tests

The conditional TLS block correctly switches on .TempoTLSEnabled and wires client.tls to the tempo-service-ca ConfigMap and service-ca.crt path, matching the new controller template data and e2e expectations. The remaining YAMLlint error is almost certainly due to the raw Go template directives rather than the rendered YAML; I’d keep this structure and, if the linter still complains, adjust your linter configuration or exclusions rather than the template.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

15-19: TLS propagation into Tempo ingestion and extraConfig.server HTTP TLS looks coherent

The template wiring matches the controller’s template data:

certName / caName are only emitted when TempoCertificateSecret / TempoCAConfigMap are non-empty, so TLS can rely on OpenShift serving certs when no explicit secret/CA is configured.

TempoTLSEnabled drives enabled: true for both gRPC and HTTP OTLP ingestion and also the HTTPS protocol used on query endpoints.

block_retention bound to .TracesRetention lines up with the new metav1.Duration-backed retention and the e2e assertions.

This all looks consistent with the new TLS semantics and retention handling.

Also applies to: 33-37, 52-60

tests/e2e/monitoring_test.go (1)

1903-2000: Cloud backend TLS helper for PersesDatasource provides solid coverage and cleanup

validatePersesDatasourceTLSWithCloudBackend is structured well: it skips cleanly when the PersesDatasource CRD is absent, ensures a clean slate, creates a backend-specific secret, enables traces with TLS, waits for a Ready TempoStack using that secret, and then verifies that the tempo-datasource PersesDatasource uses an HTTPS gateway URL plus a TLS client pointing at the tempo-service-ca ConfigMap and service-ca.crt. The per-backend wrappers for S3 and GCS reuse this path and the final cleanup via cleanupTracesConfiguration and cleanupTempoStackAndSecret should keep state isolated between tests.

internal/controller/services/monitoring/monitoring_controller_support.go (1)

210-231: TLS enablement and Tempo query endpoint protocol handling are correctly centralized

determineTLSEnabled provides a clear, explicit rule (“TLS only when traces.TLS != nil && traces.TLS.Enabled”), and addTracesTemplateData uses it to:

Set TempoTLSEnabled for templates,

Populate TempoCertificateSecret / TempoCAConfigMap only when TLS is truly enabled, falling back to empty strings otherwise to avoid missing-key issues, and

Compute an http vs https protocol that’s consistently applied to TempoQueryEndpoint for both PV (tempo-monolithic:3200) and S3/GCS (tempostack-gateway:8080) backends.

The switch on StorageBackendPV/S3/GCS matches the new API constants, and this logic lines up with the new templates and e2e tests.

Also applies to: 233-251, 561-570

api/services/v1alpha1/monitoring_types.go (1)

98-144: Traces TLS and storage backend schema changes match controller and template usage

The clarified TracesTLS docs, new StorageBackendPV/S3/GCS constants, and the TracesStorage schema/XValidation rules line up well with how the controller and templates now behave: PV can carry an optional size and no secret, whereas S3/GCS must provide a non-empty secret and omit size, and the backend is constrained to the three supported values with a default of "pv". Using metav1.Duration for Retention dovetails with the controller’s use of Retention.Duration.String() and the e2e assertions on block_retention.

den-rgb · 2025-12-03T15:41:02Z

api/services/v1alpha1/monitoring_types.go

-	// Enabled enables TLS for Tempo gRPC connections
-	// +kubebuilder:default=true
+	// Enabled enables TLS for Tempo OTLP ingestion (gRPC/HTTP) and query APIs (HTTP)
+	// TLS is disabled by default to maintain backward compatibility


At the moment this flag sets both ingestion and querying to false, is this the expected result or would it be better to keep tls for ingestion and perses seperate?
There's currently no e2e test confirming that non-TLS trace ingestion actually works. The PR should add one to validate the tls.insecure: true path functions correctly

other then that lgtm

Thanks for the review @den-rgb, I have added the two tests in ValidateOpenTelemetryCollectorConfigurations that validate both non-TLS (default) and TLS-enabled trace ingestion. Regarding the unified TLS flag, I kept ingestion and querying together for simplicity and consistency.

dayakar349 · 2025-12-04T00:30:47Z

/test opendatahub-operator-e2e-hypershift

den-rgb · 2025-12-04T11:42:23Z

api/services/v1alpha1/monitoring_types.go

 	SampleRatio string `json:"sampleRatio,omitempty"`
 	// TLS configuration for Tempo gRPC connections
+	// +optional
+	// +nullable


np: Don't think the nullable adds any functional value here

You're right, it was redundant. I've removed // +nullable from monitoring_types.go.

I updated the ValidateMonitoringServiceDisabled test to use .spec.ingestion.otlp.grpc.tls.enabled != true. This correctly handles cases where the entire ingestion block is omitted when TLS is disabled.

den-rgb · 2025-12-04T11:48:23Z

test failing on TempoMonolithic should have TLS disabled before deletion

When TempoTLSEnabled is false, the entire ingestion block is omitted, not set to enabled. But the test expects

jq.Match(`.spec.ingestion.otlp.grpc.tls.enabled == false or .spec.ingestion.otlp.grpc.tls.enabled == null`)

coderabbitai

Actionable comments posted: 0

♻️ Duplicate comments (1)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

15-19: Multitenancy hardcoded to OpenShift; confirm this matches support matrix

multitenancy.enabled: true and mode: openshift are now unconditional, with tenant IDs derived from the namespace. That’s fine if this template is only ever used on OpenShift clusters, but it will be rigid for any non‑OpenShift use.

If ODH needs to support other environments, you may eventually want these fields parameterized off API spec or defaults rather than hardcoded.

🧹 Nitpick comments (3)

api/services/v1alpha1/monitoring_types.go (1)

89-104: Nit: align TLS field comment with expanded TracesTLS semantics

The Traces.TLS field comment still says “TLS configuration for Tempo gRPC connections”, but TracesTLS is now documented (and used) for both OTLP ingestion and query HTTP APIs. Consider updating this field comment for consistency with the type’s doc.

tests/e2e/monitoring_test.go (2)

993-1012: Reasonable TLS-disable workaround before monitoring teardown

The pre‑teardown step that forces .spec.monitoring.traces.tls.enabled = false and then waits until .spec.ingestion.otlp.grpc.tls.enabled != true on TempoMonolithic is a pragmatic way to avoid the tempo‑operator cert finalizer race. The WithIgnoreNotFound(true) guard keeps this safe when TempoMonolithic isn’t present.

123-124: Cloud-backend Perses TLS helper and tests comprehensively validate the new flow

validatePersesDatasourceTLSWithCloudBackend does a full end‑to‑end check for both S3 and GCS:

ensures a clean slate (including TempoStack + secret cleanup),

creates backend‑appropriate dummy secrets,

configures traces with TLS enabled and waits for TempoStack Ready with the right secret, and

asserts that PersesDatasource uses an HTTPS gateway URL plus a TLS client config pointing at the tempo-service-ca ConfigMap and service-ca.crt.

The S3/GCS wrapper tests plug this into the main suite cleanly. If you want, you could reuse the TracesStorageBackendS3/GCS constants instead of string literals in the wrappers for consistency, but that’s purely cosmetic.

Also applies to: 1944-2041

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bccad19 and 944ddf3.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (3 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

internal/controller/services/monitoring/monitoring_controller_actions.go
docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_support_test.go

🧰 Additional context used

🧬 Code graph analysis (2)

tests/e2e/monitoring_test.go (6)

pkg/utils/test/matchers/jq/jq_matcher.go (1)

Match (11-15)

tests/e2e/resource_options_test.go (2)

WithMinimalObject (155-170)

WithEventuallyTimeout (294-298)

pkg/cluster/gvk/gvk.go (4)

TempoMonolithic (533-537)

Namespace (29-33)

PersesDatasource (587-591)

TempoStack (539-543)

pkg/cluster/resources.go (1)

HasCRD (366-368)

internal/controller/status/status.go (1)

ConditionTypeReady (74-74)

pkg/utils/test/testf/testf_witht.go (1)

WithEventuallyTimeout (46-50)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

Traces (82-97)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: golangci-lint
GitHub Check: Run tests and collect coverage on internal and pkg

🔇 Additional comments (7)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client configuration for Perses datasource looks correct

The conditional TLS block cleanly toggles client TLS based on TempoTLSEnabled and correctly references the tempo-service-ca ConfigMap and service-ca.crt key. This matches the new CA ConfigMap template and should render valid YAML for both TLS and non‑TLS cases.

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1)

1-8: ConfigMap template correctly wired for service CA injection

The tempo-service-ca ConfigMap matches the Perses TLS reference and uses the correct inject-cabundle annotation; leaving data: {} is fine since service-ca will populate service-ca.crt.

api/services/v1alpha1/monitoring_types.go (1)

99-110: TracesTLS and TracesStorage API/validation look consistent and safe

Using a pointer TLS field with an Enabled flag defaulting to false gives clear, backward‑compatible TLS semantics, and determineTLSEnabled can rely on that without nil‑pointer risk. The new TracesStorage backend enum and XValidation rules correctly enforce that:

non‑pv backends require a non‑empty secret, and

size is only allowed for the pv backend.

The metav1.Duration retention with a default keeps Tempo templates simple via .Retention.Duration.String(). All of this lines up with the controller/template changes.

Also applies to: 112-145

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

26-47: TLS ingestion and extraConfig wiring for TempoMonolithic looks correct

The {{- if .TempoTLSEnabled }} gate cleanly omits the ingestion block when TLS is disabled (matching the E2E expectation), and when enabled:

both gRPC and HTTP OTLP ingestion set tls.enabled: true,

certName / caName are only rendered when provided, allowing the Tempo operator to fall back to OpenShift serving certs otherwise, and

extraConfig.tempo.server.http_tls_config is only added when an explicit certificate secret is used.

block_retention: {{.TracesRetention}} also lines up with the new TracesStorage.Retention duration handling.

Also applies to: 52-60

internal/controller/services/monitoring/monitoring_controller_support.go (1)

218-251: TLS templateData wiring and defaulting logic look solid

determineTLSEnabled’s “explicit enable only” behavior (nil TLS → false) pairs well with addTracesTemplateData: you only read traces.TLS.* when TLS is enabled, otherwise you set empty strings and keep TempoTLSEnabled false. The protocol toggle for TempoQueryEndpoint and the backend‑aware endpoints for TempoMonolithic vs TempoStack all look consistent with the templates and new Perses TLS behavior.

Also applies to: 561-570

tests/e2e/monitoring_test.go (2)

52-56: OTel collector TLS/non‑TLS tests nicely pin down expected behavior

The added backend constants plus the two new ValidateOpenTelemetryCollectorConfigurations cases clearly assert:

default non‑TLS ingestion uses otlp/tempo with tls.insecure == true, and

enabling .spec.monitoring.traces.tls.enabled flips to CA‑based TLS and bearer‑token auth.

This gives good coverage for the new TLS behavior without changing existing cases.

Also applies to: 349-385

1558-1577: Perses datasource non‑TLS expectations align with new default TLS semantics

Expecting the Tempo query URL to be HTTP by default and updating the custom error message to mention “TLS disabled by default” matches the controller logic (TLS opt‑in via .spec.monitoring.traces.tls.enabled). The rest of the assertions keep the existing contract intact.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

967-1045: TLS determination and template-data tests are solid; minor test cleanups possible

The new tests correctly pin down that TLS is purely driven by traces.TLS.Enabled (nil → false) and that addTracesTemplateData chooses HTTP vs HTTPS and the appropriate query endpoint per backend. Two small polish suggestions you can take or leave:

Consider using serviceApi.StorageBackendPV/S3/GCS instead of raw "pv", "s3", "gcs" in the test traces to keep tests aligned with the API constants.

Either assert on the protocol embedded in OtlpEndpoint/TempoQueryEndpoint or drop the unused expectedHTTPProtocol field to avoid dead test data.

Also applies to: 1036-1145

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 944ddf3 and 2e5c70b.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (3 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_actions.go

🧰 Additional context used

🧬 Code graph analysis (2)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-97)

TracesTLS (100-110)

TracesStorage (125-145)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

Traces (82-97)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: golangci-lint

🔇 Additional comments (7)

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (1)

15-19: TLS and multitenancy template wiring looks consistent

Multitenancy, ingestion TLS, and extraConfig HTTP TLS are wired to the new template data (TempoTLSEnabled, TempoCertificateSecret, TempoCAConfigMap, TracesRetention) and match the controller logic and e2e expectations; no changes needed here.

Also applies to: 33-37, 42-46, 52-59

api/services/v1alpha1/monitoring_types.go (1)

90-110: Traces TLS and storage API shape/validation look correct

TLS being explicitly opt‑in and the TracesStorage enum/XValidation (pv vs s3/gcs with required non‑empty secret and pv‑only size) align well with controller/template usage; this should give good server‑side guarantees without surprising defaults.

Also applies to: 112-145

tests/e2e/monitoring_test.go (3)

123-124: New OTel/TLS tests correctly capture default and enabled behaviors

The added test cases for non‑TLS (tls.insecure == true) and TLS‑enabled (ca_file + bearertokenauth) exporters, plus wiring them into the main suite, accurately exercise the new TLS semantics without over-coupling to implementation details.

Also applies to: 365-384

1537-1555: Perses datasource defaulting to HTTP when TLS is disabled is clearly asserted

Updating the Perses datasource configuration test to expect an HTTP Tempo endpoint (and adjusting the error message) correctly reflects the “TLS disabled by default” behavior and keeps the contract explicit.

1923-2007: Cloud-backend Perses TLS helper is well-structured and aligned with templates

The validatePersesDatasourceTLSWithCloudBackend helper plus S3/GCS wrappers nicely enforce:

clean slate + backend secret creation,

TLS enablement on traces and TempoStack readiness, and

PersesDatasource assertions for HTTPS gateway URL and client.tls config pointing at tempo-service-ca/service-ca.crt.

The cleanup of traces, TempoStack, and secrets at the end should keep tests isolated.

Also applies to: 2010-2020

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: Perses TLS client configuration matches CA ConfigMap design

The conditional client.tls block keyed by TempoTLSEnabled correctly sources CA data from the tempo-service-ca ConfigMap (service-ca.crt) and matches the expectations asserted in the new e2e tests; indentation/control-flow also look good.

internal/controller/services/monitoring/monitoring_controller_support.go (1)

218-251: TLS gating and endpoint generation logic are consistent with the new API and tests

determineTLSEnabled now being purely traces.TLS.Enabled (defaulting to false) plus the updated addTracesTemplateData:

always populates TempoTLSEnabled, TempoCertificateSecret, and TempoCAConfigMap (empty when TLS is off), and

cleanly switches query endpoints between HTTP/HTTPS for PV vs S3/GCS backends using the shared protocol variable,

lines up well with the CRD comments and the added unit/e2e coverage. No changes needed here.

Also applies to: 561-570

kahowell · 2025-12-04T14:36:55Z

/lgtm

openshift-ci-robot · 2025-12-04T16:15:38Z

/retest-required

Remaining retests: 0 against base HEAD a098365 and 2 for PR HEAD 2e5c70b in total

openshift-ci-robot · 2025-12-04T18:15:40Z

/retest-required

Remaining retests: 0 against base HEAD 85380bc and 1 for PR HEAD 2e5c70b in total

openshift-ci-robot · 2025-12-04T20:15:40Z

/retest-required

Remaining retests: 0 against base HEAD 886ac63 and 0 for PR HEAD 2e5c70b in total

dayakar349 · 2025-12-04T20:21:30Z

/test opendatahub-operator-e2e-hypershift

openshift-ci-robot · 2025-12-04T21:15:38Z

/hold

Revision 2e5c70b was retested 3 times: holding

openshift-ci · 2025-12-05T05:35:11Z

New changes are detected. LGTM label has been removed.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (4)

internal/controller/services/monitoring/monitoring_controller_actions.go (1)
562-565: Consider conditionally deploying the CA ConfigMap only when TLS is enabled.

The TempoServiceCAConfigMapTemplate is always deployed alongside the datasource template, even when TLS is disabled. While this is harmless (the ConfigMap will be created but unused), it adds unnecessary resources to the cluster.

Consider wrapping the template addition in a TLS check if feasible, or document that this is intentional for simplicity.
 	// Deploy datasource template (always deploy if CRD exists)
 	templates := []odhtypes.TemplateInfo{
 		{
 			FS:   resourcesFS,
 			Path: PersesTempoDatasourceTemplate,
 		},
-		{
-			FS:   resourcesFS,
-			Path: TempoServiceCAConfigMapTemplate,
-		},
 	}
+
+	// Deploy CA ConfigMap template when TLS is enabled
+	if monitoring.Spec.Traces != nil && monitoring.Spec.Traces.TLS != nil && monitoring.Spec.Traces.TLS.Enabled {
+		templates = append(templates, odhtypes.TemplateInfo{
+			FS:   resourcesFS,
+			Path: TempoServiceCAConfigMapTemplate,
+		})
+	}
internal/controller/services/monitoring/monitoring_controller_support_test.go (1)
1036-1145: Consider adding a GCS backend test case for completeness.

The test covers PV and S3 backends with TLS enabled/disabled scenarios, but there's no explicit test case for GCS backend with TLS enabled. While line 1134 handles both S3 and GCS in the assertion, having an explicit GCS test case would improve coverage clarity.

Additionally, the Retention duration uses raw nanoseconds (90 * 24 * 60 * 60 * 1000000000). Consider using time.Hour or time.Duration constants for readability:
-				Retention: metav1.Duration{Duration: 90 * 24 * 60 * 60 * 1000000000}, // 90 days in nanoseconds
+				Retention: metav1.Duration{Duration: 90 * 24 * time.Hour}, // 90 days
tests/e2e/monitoring_test.go (2)

993-1009: TempoMonolithic TLS-disable workaround before monitoring removal is reasonable; keep an eye on potential flakes

The workaround that first forces managementState=Managed, sets .spec.monitoring.traces.tls.enabled = false (when traces exist), and then waits for TempoMonolithic to satisfy .spec.ingestion.otlp.grpc.tls.enabled != true directly targets the deletion issue you were seeing. Using WithIgnoreNotFound(true) also makes this safe when a TempoMonolithic isn’t present.

There is a brief window where monitoring is toggled back to Managed even if it was previously Removed, which could start (re)creating resources just before you flip it to Removed again. If you ever see intermittent flakes around this test, it might be worth tightening the precondition (e.g., only doing this dance when traces/TLS are actually enabled), but as written it’s a pragmatic fix for the current problem.

123-124: Cloud-backend Perses TLS tests look good; consider minor reuse and extra assertion

The new S3/GCS test entries and validatePersesDatasourceTLSWithCloudBackend helper give strong end‑to‑end coverage for the feature this PR is adding:

Clean slate + backend secret creation per backend.

Enabling traces with that backend and TLS.

Waiting for TempoStack to be Ready with the correct spec.storage.secret.

Asserting that tempo-datasource now:

Uses an HTTPS gateway URL on port 8080, and

Has a TLS client config pointing at the tempo-service-ca ConfigMap with the expected key path.

Cleanup via cleanupTracesConfiguration and cleanupTempoStackAndSecret keeps these tests well isolated.

Two small, optional follow‑ups you might consider:

Reuse the TracesStorageBackendS3/TracesStorageBackendGCS constants instead of raw "s3"/"gcs" strings in the wrappers, so test inputs stay in sync with the values you use elsewhere.

Since a key part of the feature is ensuring the tempo-service-ca ConfigMap has the injection annotation, adding an assertion on that ConfigMap (existence + annotation) in this flow would make the e2e coverage fully reflect the PR’s behavior, not just the PersesDatasource reference.

Also applies to: 1941-2038

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b1af5d8 and 8141b11.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (3 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml
docs/api-overview.md

🧰 Additional context used

🧬 Code graph analysis (2)

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

api/services/v1alpha1/monitoring_types.go (6)

Traces (82-97)

TracesTLS (100-110)

TracesStorage (125-145)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

Traces (82-97)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: kube-linter
GitHub Check: golangci-lint

🔇 Additional comments (13)

api/services/v1alpha1/monitoring_types.go (4)

90-91: LGTM!

The +optional annotation correctly marks the TLS field as optional, aligning with the backward-compatible default of TLS being disabled.

99-103: LGTM!

The updated TracesTLS documentation clearly explains that TLS covers both ingestion and query APIs, and explicitly states TLS is disabled by default for backward compatibility.

112-120: LGTM!

Well-documented storage backend constants that centralize the backend type values, improving maintainability over hardcoded strings.

122-145: LGTM!

The TracesStorage struct with XValidation rules properly enforces:

Secret is required when backend is not "pv"

Size is only valid for "pv" backend

The validation logic and field documentation are clear.

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: LGTM!

The TLS conditional block is correctly structured:

Template directives at column 0 to avoid YAMLlint issues in the rendered output

TLS configuration references tempo-service-ca ConfigMap with the standard OpenShift service-ca.crt path

Conditional rendering ensures TLS is only configured when explicitly enabled

The YAMLlint syntax error is a false positive since raw Go templates are not valid YAML, but the rendered output will be correct.

internal/controller/services/monitoring/monitoring_controller_actions.go (1)

49-49: LGTM!

The new constant follows the existing naming convention and correctly references the tempo-service-ca-configmap template.

internal/controller/services/monitoring/monitoring_controller_support_test.go (1)

967-1034: LGTM!

Comprehensive test coverage for determineTLSEnabled covering:

TLS explicitly enabled/disabled

TLS nil with all three storage backends (pv, s3, gcs)

The tests correctly validate that TLS defaults to false for all backends when not explicitly set.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (3)

14-19: LGTM!

The multitenancy configuration is now properly structured with OpenShift mode and namespace-based tenant authentication. This addresses previous review feedback about parameterization.

52-59: LGTM!

The extraConfig section correctly:

Uses TracesRetention template variable for block_retention

Only configures HTTP TLS server settings when an explicit certificate is provided

Includes helpful comments explaining the OpenShift serving certs fallback behavior

33-46: The field names certName and caName are correct per the Tempo Operator CRD specification.

These match the official TempoMonolithic CRD API for configuring OTLP gRPC and HTTP TLS. certName references a Kubernetes Secret containing tls.crt and tls.key, while caName optionally references a ConfigMap for mutual TLS (mTLS). No changes needed.

internal/controller/services/monitoring/monitoring_controller_support.go (1)

218-251: TLS template data and protocol handling look consistent; just confirm PV+TLS query semantics

The new flow where determineTLSEnabled drives TempoTLSEnabled, certificate/CA template keys, and the http/https protocol for TempoQueryEndpoint is clean and predictable. The invariant that tlsEnabled implies traces.TLS != nil is enforced by determineTLSEnabled, and the explicit else‑branch with empty strings guards against missing-key template issues. The “TLS disabled by default, explicitly opt‑in via traces.TLS.Enabled” behavior also aligns with the new unit/e2e coverage.

One thing to double‑check (non‑blocking): when TLS is enabled for a PV/TempoMonolithic backend, we’ll now emit an https://...:3200 query URL as well. If TempoMonolithic’s query port is not actually TLS‑terminated under that configuration, Perses would fail to connect; if it is, then this is exactly what we want. Worth validating against the TempoMonolithic TLS behavior to be sure we’re not over‑promising HTTPS there.

Also applies to: 561-569

tests/e2e/monitoring_test.go (2)

365-384: New OTEL collector TLS/non‑TLS tests give solid coverage of otlp/tempo exporter behavior

The added “Non‑TLS Trace Ingestion (default)” and “TLS Trace Ingestion (enabled)” cases nicely pin down the expected config for the otlp/tempo exporter: tls.insecure == true by default when no TLS is configured, and explicit tls.ca_file/auth.authenticator when .spec.monitoring.traces.tls.enabled = true. This should make regressions in the TLS decision logic very visible while reusing the same withMonitoringTraces setup as the basic traces test.

No changes requested here.

1555-1574: Perses datasource config test correctly reflects “TLS disabled by default” semantics

The comment and expectations here now match the controller semantics: with a PV backend and no TLS stanza, the Perses Tempo datasource should use an HTTP URL pointing at the TempoMonolithic query endpoint and have no TLS client config requirements. The custom error message was also updated to call that out explicitly, which will be helpful when this test fails.

No issues from my side.

dayakar349 · 2025-12-05T17:50:11Z

/retest

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/e2e/monitoring_test.go (1)

1927-2024: Consider splitting the TLS validation helper into smaller functions.

The validatePersesDatasourceTLSWithCloudBackend helper (97 lines) orchestrates a complete E2E TLS validation flow. While functional and well-commented, consider extracting sub-steps into smaller helpers for improved maintainability:

setupTLSBackend(backend, secret) - lines 1944-1956

validateTempoStackTLSReady(backend, secret) - lines 1972-1984

validatePersesDatasourceTLSConfig(backend, endpoint) - lines 1987-2005

This would make the test flow easier to follow and the individual validations more reusable.

Current implementation is acceptable - the function is cohesive and correctly validates TLS with cloud backends, including the critical assertions for HTTPS endpoints and CA configuration (lines 1988-2005).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8141b11 and d64884d.

📒 Files selected for processing (9)

api/services/v1alpha1/monitoring_types.go (3 hunks)
docs/api-overview.md (3 hunks)
internal/controller/services/monitoring/monitoring_controller_actions.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support.go (2 hunks)
internal/controller/services/monitoring/monitoring_controller_support_test.go (1 hunks)
internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1 hunks)
internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2 hunks)
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml (1 hunks)
tests/e2e/monitoring_test.go (6 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

internal/controller/services/monitoring/monitoring_controller_actions.go
docs/api-overview.md
internal/controller/services/monitoring/monitoring_controller_support_test.go
internal/controller/services/monitoring/resources/tempo-service-ca-configmap.tmpl.yaml

🧰 Additional context used

🧬 Code graph analysis (1)

internal/controller/services/monitoring/monitoring_controller_support.go (1)

api/services/v1alpha1/monitoring_types.go (4)

StorageBackendPV (115-115)

StorageBackendS3 (117-117)

StorageBackendGCS (119-119)

Traces (82-97)

🪛 YAMLlint (1.37.1)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml

[error] 20-20: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Build/push catalog image
GitHub Check: Run tests and collect coverage on internal and pkg
GitHub Check: kube-linter
GitHub Check: golangci-lint

🔇 Additional comments (9)

internal/controller/services/monitoring/resources/perses-tempo-datasource.tmpl.yaml (1)

19-27: TLS client block wiring for Perses Tempo datasource looks correct

Conditionally adding client.tls on .TempoTLSEnabled with the tempo-service-ca ConfigMap and service-ca.crt path matches the controller’s TLS flag and CA injection design, and the template directive placement avoids YAMLlint issues.

internal/controller/services/monitoring/resources/tempo-monolithic.tmpl.yaml (2)

14-19: LGTM! Multitenancy configuration is correctly parameterized.

The multitenancy configuration correctly uses template variables (.Namespace) and aligns with OpenShift tenant isolation requirements. Past review concerns about hardcoding have been addressed.

26-60: LGTM! TLS configuration correctly implements conditional TLS with proper field mappings.

The TLS configuration changes are well-structured:

Conditional TLS blocks ensure ingestion TLS only enabled when TempoTLSEnabled is true

Field renames (certName/caName) align with Tempo operator API requirements

Explicit server TLS config (lines 53-59) only emitted when TempoCertificateSecret is provided, with clear fallback documentation for OpenShift serving certs

api/services/v1alpha1/monitoring_types.go (2)

89-110: LGTM! TLS field documentation accurately reflects default-disabled behavior.

The documentation clearly states that TLS covers both ingestion and query APIs and is disabled by default, aligning with the controller logic in determineTLSEnabled. The +optional marker correctly indicates the field is not required.

112-145: LGTM! Storage backend constants and validation rules are well-designed.

Excellent improvements:

Public constants (StorageBackendPV, StorageBackendS3, StorageBackendGCS) centralize backend type strings and prevent typos

CEL validation correctly enforces that cloud backends (S3/GCS) require the secret field

The Backend field has proper enum validation and sensible default ("pv")

This provides a clean, type-safe API for storage configuration.

internal/controller/services/monitoring/monitoring_controller_support.go (2)

210-273: LGTM! TLS configuration logic is correct and well-structured.

The TLS handling in addTracesTemplateData is clean and correct:

determineTLSEnabled centralizes TLS state determination

Template data correctly populated with TLS certificates when enabled, empty strings otherwise

Protocol selection (lines 234-237) properly defaults to http and switches to https only when TLS is enabled

Endpoint generation (lines 241-250) uses the new storage backend constants, eliminating hardcoded strings

Past review concerns about dead code have been resolved

The comment on line 224 correctly documents the invariant that traces.TLS is non-nil when tlsEnabled is true.

561-570: LGTM! TLS determination logic correctly implements explicit opt-in behavior.

The determineTLSEnabled function correctly implements the design requirement that TLS must be explicitly enabled:

Returns false when traces.TLS is nil (default state)

Returns traces.TLS.Enabled when TLS configuration is provided

Clear documentation states TLS is disabled by default

This aligns with the PR objective to avoid Tempo operator certificate provisioning issues by requiring explicit TLS enablement.

tests/e2e/monitoring_test.go (2)

123-124: LGTM! Test coverage correctly validates both TLS-disabled and TLS-enabled scenarios.

The test cases provide comprehensive validation:

Lines 123-124 register new test wrappers for S3/GCS TLS validation

Lines 366-372: "Non-TLS Trace Ingestion (default)" validates the default behavior where tls.insecure == true when TLS is not explicitly enabled

Lines 374-384: "TLS Trace Ingestion (enabled)" validates proper TLS configuration when explicitly enabled

This coverage ensures both the default (TLS-disabled) and opt-in (TLS-enabled) behaviors work correctly.

Also applies to: 365-384

1541-1559: LGTM! Test correctly validates TLS-disabled default behavior.

The test validation correctly expects an HTTP endpoint (line 1542) when TLS is not explicitly enabled, aligning with the controller's determineTLSEnabled function that returns false by default. The comment on line 1541 clearly documents this expectation.

openshift-ci · 2025-12-05T23:16:05Z

@dayakar349: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/opendatahub-operator-e2e-hypershift	`d64884d`	link	false	`/test opendatahub-operator-e2e-hypershift`
ci/prow/opendatahub-operator-e2e	`d64884d`	link	true	`/test opendatahub-operator-e2e`
ci/prow/opendatahub-operator-rhoai-e2e	`d64884d`	link	true	`/test opendatahub-operator-rhoai-e2e`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

github-project-automation bot added this to ODH Platform Planning Nov 21, 2025

github-project-automation bot moved this to Todo in ODH Platform Planning Nov 21, 2025

openshift-ci bot requested review from carlkyrillos and lphiri November 21, 2025 06:01

coderabbitai bot reviewed Nov 21, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from b609ecb to cabb1db Compare November 21, 2025 06:24

openshift-ci bot requested review from CFSNM, StevenTobin, den-rgb and kahowell November 21, 2025 06:29

coderabbitai bot reviewed Nov 21, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch 2 times, most recently from 47b96b0 to 7c84df2 Compare November 21, 2025 17:44

coderabbitai bot reviewed Nov 21, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 7c84df2 to 52954ae Compare November 21, 2025 17:57

coderabbitai bot reviewed Nov 21, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 52954ae to 9b3f6a9 Compare November 21, 2025 20:21

coderabbitai bot reviewed Nov 21, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 9b3f6a9 to 895ac1a Compare November 22, 2025 15:18

coderabbitai bot reviewed Nov 22, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 895ac1a to 0c773eb Compare November 24, 2025 17:17

coderabbitai bot reviewed Nov 24, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 0c773eb to e3da982 Compare November 25, 2025 13:53

coderabbitai bot reviewed Nov 25, 2025

View reviewed changes

CFSNM approved these changes Nov 25, 2025

View reviewed changes

coderabbitai bot reviewed Dec 3, 2025

View reviewed changes

den-rgb reviewed Dec 3, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from e662d87 to 30d23a4 Compare December 3, 2025 22:03

dayakar349 force-pushed the RHOAIENG-38496 branch from 30d23a4 to bccad19 Compare December 4, 2025 05:25

den-rgb reviewed Dec 4, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from bccad19 to 944ddf3 Compare December 4, 2025 13:54

coderabbitai bot reviewed Dec 4, 2025

View reviewed changes

dayakar349 force-pushed the RHOAIENG-38496 branch from 944ddf3 to 2e5c70b Compare December 4, 2025 14:10

coderabbitai bot reviewed Dec 4, 2025

View reviewed changes

openshift-ci bot assigned kahowell Dec 4, 2025

openshift-ci bot added the lgtm label Dec 4, 2025

openshift-ci bot added the do-not-merge/hold label Dec 4, 2025

dayakar349 force-pushed the RHOAIENG-38496 branch from 2e5c70b to b1af5d8 Compare December 5, 2025 05:35

openshift-ci bot removed the lgtm label Dec 5, 2025

dayakar349 force-pushed the RHOAIENG-38496 branch from b1af5d8 to 8141b11 Compare December 5, 2025 15:32

coderabbitai bot reviewed Dec 5, 2025

View reviewed changes

feat: Add TLS support for Perses-Tempo datasource

d64884d

dayakar349 force-pushed the RHOAIENG-38496 branch from 8141b11 to d64884d Compare December 5, 2025 20:34

coderabbitai bot reviewed Dec 5, 2025

View reviewed changes

RHOAIENG-38496 | feat: Add TLS support for Perses-Tempo datasource #2888

Are you sure you want to change the base?

RHOAIENG-38496 | feat: Add TLS support for Perses-Tempo datasource #2888

Conversation

dayakar349 commented Nov 21, 2025 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

How Has This Been Tested?

Screenshot or short clip

Merge criteria

E2E test suite update requirement

E2E update requirement opt-out justification

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Nov 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Poem

Pre-merge checks and finishing touches

Uh oh!

github-actions bot commented Nov 21, 2025

This PR can't be merged just yet 😢

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

dayakar349 commented Nov 21, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

dayakar349 commented Nov 21, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Nov 21, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

dayakar349 commented Nov 22, 2025

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

den-rgb Dec 3, 2025

Choose a reason for hiding this comment

Uh oh!

den-rgb Dec 3, 2025

Choose a reason for hiding this comment

Uh oh!

dayakar349 Dec 4, 2025

Choose a reason for hiding this comment

Uh oh!

dayakar349 commented Dec 4, 2025

Uh oh!

den-rgb Dec 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dayakar349 Dec 4, 2025

Choose a reason for hiding this comment

Uh oh!

dayakar349 commented Nov 21, 2025 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Nov 21, 2025 •

edited

Loading

den-rgb Dec 4, 2025 •

edited

Loading

den-rgb commented Dec 4, 2025 •

edited

Loading