Document use of AWS STS with k8s operator (grafana#3935)
pavolloffay authored Aug 6, 2024
1 parent 334ad1c commit b12c714
Showing 1 changed file with 78 additions and 23 deletions.
101 changes: 78 additions & 23 deletions docs/sources/tempo/setup/operator/object-storage.md
Expand Up @@ -17,11 +17,9 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

* Create a [bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) on AWS.

### Installation

* Deploy the Tempo Operator to your cluster.
### Static token installation

* Create an Object Storage secret with keys as follows:
1. Create an Object Storage secret with keys as follows:

```console
kubectl create secret generic tempostack-dev-s3 \
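Review bot: the `* Deploy the Tempo Operator to your cluster.` step is removed here, and the same removal is repeated in the Azure, GCS, MinIO and ODF sections later in this patch, but nothing in the diff moves it to a shared prerequisites step; unless the operator installation is already covered above the first hunk, readers of every provider section now start at the secret without the operator deployed. The new heading `### Static token installation` also names the wrong thing: the secret created under it holds an access key ID and secret, so "Static credentials installation" (or "Access key installation") describes it more precisely and contrasts cleanly with the new STS section.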
Expand All @@ -33,7 +31,73 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

where `tempostack-dev-s3` is the secret name.

* Create an instance of TempoStack by referencing the secret name and type as `s3`:
2. Create an instance of TempoStack by referencing the secret name and type as `s3`:

```yaml
spec:
storage:
secret:
name: tempostack-dev-s3
type: s3
```

### AWS Security Token Service (STS) installation

1. Create a custom AWS IAM Role associated with a trust relationship to Tempo's Kubernetes `ServiceAccount`:

```yaml
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_PROVIDER}:sub": [
"system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
"system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
]
}
}
}
]
}
```

2. Create an AWS IAM role:

```yaml
aws iam create-role \
--role-name "tempo-s3-access" \
--assume-role-policy-document "file:///tmp/trust.json" \
--query Role.Arn \
--output text
```

3. Attach a specific policy to that role:

```yaml
aws iam attach-role-policy \
--role-name "tempo-s3-access" \
--policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
```

4. Create an Object Storage secret with keys as follows:

```console
kubectl create secret generic tempostack-dev-s3 \
--from-literal=bucket="<BUCKET_NAME>" \
--from-literal=region="<AWS_REGION>" \
--from-literal=role_arn="<ROLE ARN>"
```

where `tempostack-dev-s3` is the secret name.

5. Create an instance of TempoStack by referencing the secret name and type as `s3`:

```yaml
spec:
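Review bot: step 3 attaches `arn:aws:iam::aws:policy/AmazonS3FullAccess`, which grants every S3 action on every bucket in the account to a role that the trust policy has carefully limited to two service accounts; the permissions side should be scoped the same way, with an inline or customer-managed policy restricted to `"Resource": ["arn:aws:s3:::<BUCKET_NAME>", "arn:aws:s3:::<BUCKET_NAME>/*"]` and to the object and list actions Tempo needs, so that a compromised Tempo pod cannot read or delete other buckets. Three smaller points in the same hunk: the trust policy block and both `aws iam` command blocks are fenced as ```yaml, although the first is JSON and the other two are shell, so use ```json and ```console (the fence the `kubectl` blocks already use) for correct highlighting; step 1 says "Create a custom AWS IAM Role" but the block is only the trust policy document, and step 2 then reads it from `file:///tmp/trust.json` without that path ever being introduced, so reword step 1 to "Save the following trust policy to `/tmp/trust.json`" and keep step 2 as the role creation; and the `<ROLE ARN>` placeholder should be `<ROLE_ARN>` to match `<BUCKET_NAME>` and `<AWS_REGION>`. Optionally, adding an `"${OIDC_PROVIDER}:aud": "sts.amazonaws.com"` condition next to the `sub` condition is the usual way to pin the token audience for `sts:AssumeRoleWithWebIdentity`.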
Expand All @@ -51,9 +115,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

### Installation

* Deploy the Tempo Operator to your cluster.

* Create an Object Storage secret with keys as follows:
1. Create an Object Storage secret with keys as follows:

```console
kubectl create secret generic tempostack-dev-azure \
Expand All @@ -64,7 +126,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

where `tempostack-dev-azure` is the secret name.

* Create an instance of TempoStack by referencing the secret name and type as `azure`:
2. Create an instance of TempoStack by referencing the secret name and type as `azure`:

```yaml
spec:
Expand All @@ -84,11 +146,8 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

### Installation

* Deploy the Tempo Operator to your cluster.

* Copy the service account credentials received from GCP into a file name `key.json`.

* Create an Object Storage secret with keys `bucketname` and `key.json` as follows:
1. Copy the service account credentials received from GCP into a file name `key.json`.
2. Create an Object Storage secret with keys `bucketname` and `key.json` as follows:

```console
kubectl create secret generic tempostack-dev-gcs \
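Review bot: the renumbered step 1 keeps the pre-existing typo "into a file name `key.json`"; since the line is being rewritten anyway, change it to "into a file named `key.json`".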
Expand All @@ -98,7 +157,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

where `tempostack-dev-gcs` is the secret name, `<BUCKET_NAME>` is the name of bucket created in requirements step and `<PATH/TO/KEY.JSON>` is the file path where the `key.json` was copied to.

* Create an instance of TempoStack by referencing the secret name and type as `gcs`:
3. Create an instance of TempoStack by referencing the secret name and type as `gcs`:

```yaml
spec:
Expand All @@ -118,9 +177,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

### Installation

* Deploy the Tempo Operator to your cluster.

* Create an Object Storage secret with keys as follows:
1. Create an Object Storage secret with keys as follows:

```console
kubectl create secret generic tempostack-dev-minio \
Expand All @@ -132,7 +189,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

where `tempostack-dev-minio` is the secret name.

* Create an instance of TempoStack by referencing the secret name and type as `s3`:
2. Create an instance of TempoStack by referencing the secret name and type as `s3`:

```yaml
spec:
Expand All @@ -152,9 +209,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

### Installation

* Deploy the Tempo Operator to your cluster.

* Create an Object Storage secret with keys as follows:
1. Create an Object Storage secret with keys as follows:

```console
kubectl create secret generic tempostack-dev-odf \
Expand All @@ -166,7 +221,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure

where `tempostack-dev-odf` is the secret name. You can copy the values for `BUCKET_NAME`, `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET` from your ObjectBucketClaim's accompanied secret.

* Create an instance of TempoStack by referencing the secret name and type as `s3`:
2. Create an instance of TempoStack by referencing the secret name and type as `s3`:

```yaml
spec:
