Object storage

Tempo Operator supports AWS S3, Azure, GCS, MinIO and OpenShift Data Foundation for TempoStack object storage.

AWS S3

Requirements

Static token installation

  1. Create an Object Storage secret with keys as follows:

    console
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<AWS_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<AWS_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<AWS_ACCESS_KEY_SECRET>"

where tempostack-dev-s3 is the secret name.

  2. Create an instance of TempoStack by referencing the secret name and type as s3:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3

AWS Security Token Service (STS) installation

  1. Create a custom AWS IAM Role associated with a trust relationship to Tempo’s Kubernetes ServiceAccount:

    json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${OIDC_PROVIDER}:sub": [
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
              ]
            }
          }
        }
      ]
    }

  2. Create an AWS IAM role:

    console
    aws iam create-role \
      --role-name "tempo-s3-access" \
      --assume-role-policy-document "file:///tmp/trust.json" \
      --query Role.Arn \
      --output text

  3. Attach a specific policy to that role:

    console
    aws iam attach-role-policy \
      --role-name "tempo-s3-access" \
      --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  4. Create an Object Storage secret with keys as follows:

    console
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=region="<AWS_REGION>" \
      --from-literal=role_arn="<ROLE ARN>"

where tempostack-dev-s3 is the secret name.

  5. Create an instance of TempoStack by referencing the secret name and type as s3:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3
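
The AWS-managed AmazonS3FullAccess policy attached in the STS procedure allows every S3 action on every bucket in the account. The script below is an added example, not part of the Tempo Operator documentation: it renders a policy scoped to the single TempoStack bucket that can be attached to the role as an inline policy. The function name, policy name and file path are hypothetical, and the action list is an assumption based on the S3 permissions described in the upstream Tempo documentation.

```shell
#!/bin/sh
# Added example: bucket-scoped permissions policy for the tempo-s3-access role.
# ASSUMPTION: the action list follows the S3 permissions described in the
# upstream Tempo documentation; confirm it against the Tempo version you run.
export LC_ALL=C  # make a-z below mean ASCII lowercase only

# render_tempo_s3_policy BUCKET_NAME
# Prints the policy JSON on stdout. Returns 1 unless the name is 3-63
# characters of lowercase letters, digits, dots and hyphens that starts and
# ends with a letter or digit, so a stray "*" or "/" cannot widen the ARNs.
render_tempo_s3_policy() {
  bucket="$1"
  case "$bucket" in
    ""|*[!a-z0-9.-]*|[.-]*|*[.-]) echo "invalid bucket name: $bucket" >&2; return 1 ;;
  esac
  if [ "${#bucket}" -lt 3 ] || [ "${#bucket}" -gt 63 ]; then
    echo "bucket name must be 3-63 characters" >&2; return 1
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Usage (needs AWS credentials, so it is left commented out):
#   render_tempo_s3_policy "<BUCKET_NAME>" > /tmp/tempo-s3-policy.json
#   aws iam put-role-policy --role-name "tempo-s3-access" \
#     --policy-name "tempo-s3-bucket-access" \
#     --policy-document "file:///tmp/tempo-s3-policy.json"
```

An inline policy attached this way takes the place of the attach-role-policy step; the trust policy and the secret are unchanged.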

Azure

Requirements

Installation

  1. Create an Object Storage secret with keys as follows:

    console
    kubectl create secret generic tempostack-dev-azure \
      --from-literal=container="<AZURE_CONTAINER_NAME>" \
      --from-literal=account_name="<AZURE_ACCOUNT_NAME>" \
      --from-literal=account_key="<AZURE_ACCOUNT_KEY>"

where tempostack-dev-azure is the secret name.

  2. Create an instance of TempoStack by referencing the secret name and type as azure:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-azure
          type: azure

Google Cloud Storage

Requirements

  • Create a project on Google Cloud Platform.
  • Create a bucket under the same project.
  • Create a service account under the same project for GCP authentication.

Installation

  1. Copy the service account credentials received from GCP into a file named key.json.

  2. Create an Object Storage secret with keys bucketname and key.json as follows:

    console
    kubectl create secret generic tempostack-dev-gcs \
      --from-literal=bucketname="<BUCKET_NAME>" \
      --from-file=key.json="<PATH/TO/KEY.JSON>"

where tempostack-dev-gcs is the secret name, <BUCKET_NAME> is the name of the bucket created in the requirements step, and <PATH/TO/KEY.JSON> is the file path where key.json was copied to.

  3. Create an instance of TempoStack by referencing the secret name and type as gcs:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-gcs
          type: gcs

MinIO

Requirements

  • Deploy MinIO on your cluster, e.g. using the MinIO Operator or another method.

  • Create a bucket on MinIO using the CLI.

Installation

  1. Create an Object Storage secret with keys as follows:

    console
    kubectl create secret generic tempostack-dev-minio \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<MINIO_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<MINIO_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<MINIO_ACCESS_KEY_SECRET>"

where tempostack-dev-minio is the secret name.

  2. Create an instance of TempoStack by referencing the secret name and type as s3:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-minio
          type: s3

OpenShift Data Foundation

Requirements

Installation

  1. Create an Object Storage secret with keys as follows:

    console
    kubectl create secret generic tempostack-dev-odf \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="https://s3.openshift-storage.svc" \
      --from-literal=access_key_id="<ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<ACCESS_KEY_SECRET>"

where tempostack-dev-odf is the secret name. You can copy the values for BUCKET_NAME, ACCESS_KEY_ID and ACCESS_KEY_SECRET from the secret that accompanies your ObjectBucketClaim.

  2. Create an instance of TempoStack by referencing the secret name and type as s3:

    yaml
    spec:
      storage:
        secret:
          name: tempostack-dev-odf
          type: s3