From b12c714066c195edbd86696b239aec05ee739526 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Tue, 6 Aug 2024 18:23:51 +0200 Subject: [PATCH] Document use of AWS STS with k8s operator (#3935) --- .../tempo/setup/operator/object-storage.md | 101 ++++++++++++++---- 1 file changed, 78 insertions(+), 23 deletions(-) diff --git a/docs/sources/tempo/setup/operator/object-storage.md b/docs/sources/tempo/setup/operator/object-storage.md index 565f1e0dfb9..af96eb8faf9 100644 --- a/docs/sources/tempo/setup/operator/object-storage.md +++ b/docs/sources/tempo/setup/operator/object-storage.md @@ -17,11 +17,9 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure * Create a [bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) on AWS. -### Installation - -* Deploy the Tempo Operator to your cluster. +### Static token installation -* Create an Object Storage secret with keys as follows: +1. Create an Object Storage secret with keys as follows: ```console kubectl create secret generic tempostack-dev-s3 \ 
@@ -33,7 +31,73 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure where `tempostack-dev-s3` is the secret name. -* Create an instance of TempoStack by referencing the secret name and type as `s3`: +2. Create an instance of TempoStack by referencing the secret name and type as `s3`: + + ```yaml + spec: + storage: + secret: + name: tempostack-dev-s3 + type: s3 + ``` + +### AWS Security Token Service (STS) installation + +1. Create a custom AWS IAM Role associated with a trust relationship to Tempo's Kubernetes `ServiceAccount`: + + ```yaml + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "${OIDC_PROVIDER}:sub": [ + "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}", + "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend" + ] + } + } + } + ] + } + ``` + +2. Create an AWS IAM role: + + ```yaml + aws iam create-role \ + --role-name "tempo-s3-access" \ + --assume-role-policy-document "file:///tmp/trust.json" \ + --query Role.Arn \ + --output text + ``` + +3. Attach a specific policy to that role: + + ```yaml + aws iam attach-role-policy \ + --role-name "tempo-s3-access" \ + --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" + ``` + +4. Create an Object Storage secret with keys as follows: + + ```console + kubectl create secret generic tempostack-dev-s3 \ + --from-literal=bucket="" \ + --from-literal=region="" \ + --from-literal=role_arn="" + ``` + +where `tempostack-dev-s3` is the secret name. + +5. Create an instance of TempoStack by referencing the secret name and type as `s3`: ```yaml spec: 
@@ -51,9 +115,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure ### Installation -* Deploy the Tempo Operator to your cluster. - -* Create an Object Storage secret with keys as follows: +1. Create an Object Storage secret with keys as follows: ```console kubectl create secret generic tempostack-dev-azure \ @@ -64,7 +126,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure where `tempostack-dev-azure` is the secret name. -* Create an instance of TempoStack by referencing the secret name and type as `azure`: +2. Create an instance of TempoStack by referencing the secret name and type as `azure`: ```yaml spec: @@ -84,11 +146,8 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure ### Installation -* Deploy the Tempo Operator to your cluster. - -* Copy the service account credentials received from GCP into a file name `key.json`. - -* Create an Object Storage secret with keys `bucketname` and `key.json` as follows: +1. Copy the service account credentials received from GCP into a file name `key.json`. +2. Create an Object Storage secret with keys `bucketname` and `key.json` as follows: ```console kubectl create secret generic tempostack-dev-gcs \ @@ -98,7 +157,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure where `tempostack-dev-gcs` is the secret name, `` is the name of bucket created in requirements step and `` is the file path where the `key.json` was copied to. -* Create an instance of TempoStack by referencing the secret name and type as `gcs`: +3. Create an instance of TempoStack by referencing the secret name and type as `gcs`: ```yaml spec: 
@@ -118,9 +177,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure ### Installation -* Deploy the Tempo Operator to your cluster. - -* Create an Object Storage secret with keys as follows: +1. Create an Object Storage secret with keys as follows: ```console kubectl create secret generic tempostack-dev-minio \ @@ -132,7 +189,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure where `tempostack-dev-minio` is the secret name. -* Create an instance of TempoStack by referencing the secret name and type as `s3`: +2. Create an instance of TempoStack by referencing the secret name and type as `s3`: ```yaml spec: @@ -152,9 +209,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure ### Installation -* Deploy the Tempo Operator to your cluster. - -* Create an Object Storage secret with keys as follows: +1. Create an Object Storage secret with keys as follows: ```console kubectl create secret generic tempostack-dev-odf \ @@ -166,7 +221,7 @@ Tempo Operator supports [AWS S3](https://aws.amazon.com/), [Azure](https://azure where `tempostack-dev-odf` is the secret name. You can copy the values for `BUCKET_NAME`, `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET` from your ObjectBucketClaim's accompanied secret. -* Create an instance of TempoStack by referencing the secret name and type as `s3`: +2. Create an instance of TempoStack by referencing the secret name and type as `s3`: ```yaml spec:
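Review bot: in the first hunk (`@@ -17,11 +17,9`) the step `* Deploy the Tempo Operator to your cluster.` is deleted from the S3 section, and the same deletion repeats in the Azure, GCS, MinIO and ODF hunks, without the prerequisite being restated anywhere in this diff; if it has moved to a shared prerequisites section, link that from the new `### Static token installation` heading, otherwise a reader who lands on this page directly has no pointer to installing the operator. It would also help to add one sentence under the new heading saying that this path stores static credentials in a Kubernetes Secret, so the STS section that follows reads as the preferred alternative rather than an equal option.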
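Review bot: in the STS hunk (`@@ -33,7 +31,73`), step 3 attaches `arn:aws:iam::aws:policy/AmazonS3FullAccess`, which grants read, write and delete on every bucket in the account to any pod that can assume the role; since the trust policy already pins the role to two service accounts, the permissions policy should be scoped the same way. Suggest a customer-managed policy limited to the Tempo bucket, for example `s3:ListBucket` on `arn:aws:s3:::<bucket>` and `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` on `arn:aws:s3:::<bucket>/*`, and attaching that with `--policy-arn` instead of the managed policy. Smaller points in the same hunk: step 1 says "Create a custom AWS IAM Role" but the block is the trust policy document, and step 2 then reads it from `file:///tmp/trust.json` with no earlier mention of that path, so step 1 should say to save the document as `/tmp/trust.json`; the `${OIDC_PROVIDER}` placeholder should be described as the cluster OIDC issuer host and path without the `https://` scheme, which is what the `oidc-provider/` ARN and the condition key expect; adding an audience condition (`"${OIDC_PROVIDER}:aud": "sts.amazonaws.com"`) next to the `sub` condition is the usual hardening for `sts:AssumeRoleWithWebIdentity` trust policies; step 2 prints the role ARN via `--query Role.Arn --output text` but step 4 never says that this value is what goes into `role_arn`. Finally, the trust policy is JSON and the two `aws iam` commands are shell, yet all three blocks are fenced as ```yaml; the rest of the page fences commands as ```console, so use ```json for the policy and ```console for the commands.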
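Review bot: in the GCS hunk (`@@ -84,11 +146,8`) the renumbered step 1 keeps the typo "into a file name `key.json`", which should read "into a file named `key.json`"; since the line is being touched anyway, fix it here. The two new numbered steps are also placed on adjacent lines with no blank line between them, unlike the other sections in this patch, which separate steps with a blank line.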