Menu
Tempo documentation Manage Grafana Tempo data source
Open source

Grafana Tempo data source

You can configure the TempoStack to send data to Grafana and configure the Tempo data source.

You can choose to either use Tempo Operator’s gateway or not:

  • If the TempoStack is deployed using the gateway, you’ll need to provide authentication information to Grafana, along with the URL of the tenant from which you expect to see the traces.

  • If the gateway is not used, then you need to make sure Grafana can access the query-frontend endpoints.

For more information, refer to the Tempo data source for Grafana,

Use with gateway

The gateway, an optional component deployed as part of Tempo Operator, provides secure access to Tempo’s distributor (for example, for pushing spans) and query-frontend (for example, for querying traces) via consulting an OAuth/OIDC endpoint for the request subject.

The OIDC configuration expects clientID and clientSecret. They should be provided via a Kubernetes secret that the TempoStack admin provides upfront.

The gateway exposes all Tempo query endpoints, so you can use the endpoint as a Tempo data source for Grafana.

If Grafana is configured with some OAuth provider, such as generic OAuth, the TempoStack with the gateway should be deployed using the same clientID and clientSecret:

yaml
apiVersion: v1
kind: Secret
metadata:
 name: oidc-test
stringData:
 clientID: <clientID used for grafana authentication>
 clientSecret: <clientSecret used for grafana authentication>
type: Opaque

Then deploy TempoStack with gateway enabled:

yaml
spec:
 template:
  gateway:
   enabled: true
 tenants:
  mode: static
  authentication:
    - tenantName: test-oidc
      tenantId: test-oidc
      oidc:
      issuerURL: http://dex:30556/dex
      redirectURL: http://tempo-foo-gateway:8080/oidc/test-oidc/callback
      usernameClaim: email
      secret:
       name: oidc-test

Set the data source URL parameter to http://<HOST>:<PORT>/api/traces/v1/{tenant}/tempo/, where {tenant} is the name of the tenant.

To use it as a data source, set the Authentication Method to Forward Oauth Identify using the same clientID and clientSecret for gateway and for the OAuth configuration. This will forward the access_token to the gateway so it can authenticate the client.

Tempo data source configured for the gateway forwarding OAuth access token

If you prefer to set the Bearer token directly and not use the Forward Oauth Identify, you can add it to the “Authorization” Header.

Tempo data source configured for the gateway using Bearer token

Without the gateway

If you are not using the gateway, make sure your Grafana can access to the query-frontend endpoints, you can do this by creating an ingress or a route in OpenShift.

Once you have the endpoint, you can set it as URL when you create the Tempo data source.