Menu
Documentationbreadcrumb arrow Grafana Tempobreadcrumb arrow Set upbreadcrumb arrow Deploy with operatorbreadcrumb arrow Object storage
Open source

Object storage

Tempo Operator supports AWS S3, Azure, GCS, Minio and OpenShift Data Foundation for TempoStack object storage.

AWS S3

Requirements

Static token installation

  1. Create an Object Storage secret with keys as follows:

    console 
    kubectl create secret generic tempostack-dev-s3 \
  --from-literal=bucket="<BUCKET_NAME>" \
  --from-literal=endpoint="<AWS_BUCKET_ENDPOINT>" \
  --from-literal=access_key_id="<AWS_ACCESS_KEY_ID>" \
  --from-literal=access_key_secret="<AWS_ACCESS_KEY_SECRET>"

where tempostack-dev-s3 is the secret name.

  1. Create an instance of TempoStack by referencing the secret name and type as s3:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-s3
      type: s3

AWS Security Token Service (STS) installation

  1. Create a custom AWS IAM Role associated with a trust relationship to Tempo’s Kubernetes ServiceAccount:
yaml 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": [
            "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
            "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
         ]
       }
     }
   }
  ]
}
  1. Create an AWS IAM role:
yaml 
aws iam create-role \
  --role-name "tempo-s3-access" \
  --assume-role-policy-document "file:///tmp/trust.json" \
  --query Role.Arn \
  --output text
  1. Attach a specific policy to that role:
yaml 
aws iam attach-role-policy \
  --role-name "tempo-s3-access" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"

  1. Create an Object Storage secret with keys as follows:

    console 
    kubectl create secret generic tempostack-dev-s3 \
  --from-literal=bucket="<BUCKET_NAME>" \
  --from-literal=region="<AWS_REGION>" \
  --from-literal=role_arn="<ROLE ARN>"

where tempostack-dev-s3 is the secret name.

  1. Create an instance of TempoStack by referencing the secret name and type as s3:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-s3
      type: s3

Azure

Requirements

Installation

  1. Create an Object Storage secret with keys as follows:

    console 
    kubectl create secret generic tempostack-dev-azure \
  --from-literal=container="<AZURE_CONTAINER_NAME>" \
  --from-literal=account_name="<AZURE_ACCOUNT_NAME>" \
  --from-literal=account_key="<AZURE_ACCOUNT_KEY>"

where tempostack-dev-azure is the secret name.

  1. Create an instance of TempoStack by referencing the secret name and type as azure:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-azure
      type: azure

Google Cloud Storage

Requirements

  • Create a project on Google Cloud Platform.
  • Create a bucket under same project.
  • Create a service account under same project for GCP authentication.

Installation

  1. Copy the service account credentials received from GCP into a file name key.json.

  2. Create an Object Storage secret with keys bucketname and key.json as follows:

    console 
    kubectl create secret generic tempostack-dev-gcs \
  --from-literal=bucketname="<BUCKET_NAME>" \
  --from-file=key.json="<PATH/TO/KEY.JSON>"

where tempostack-dev-gcs is the secret name, <BUCKET_NAME> is the name of bucket created in requirements step and <PATH/TO/KEY.JSON> is the file path where the key.json was copied to.

  1. Create an instance of TempoStack by referencing the secret name and type as gcs:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-gcs
      type: gcs

MinIO

Requirements

  • Deploy MinIO on your cluster, e.g. using the MinIO Operator or another method.

  • Create a bucket on MinIO using the CLI.

Installation

  1. Create an Object Storage secret with keys as follows:

    console 
    kubectl create secret generic tempostack-dev-minio \
  --from-literal=bucket="<BUCKET_NAME>" \
  --from-literal=endpoint="<MINIO_BUCKET_ENDPOINT>" \
  --from-literal=access_key_id="<MINIO_ACCESS_KEY_ID>" \
  --from-literal=access_key_secret="<MINIO_ACCESS_KEY_SECRET>"

where tempostack-dev-minio is the secret name.

  1. Create an instance of TempoStack by referencing the secret name and type as s3:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-minio
      type: s3

OpenShift Data Foundation

Requirements

Installation

  1. Create an Object Storage secret with keys as follows:

    console 
    kubectl create secret generic tempostack-dev-odf \
  --from-literal=bucket="<BUCKET_NAME>" \
  --from-literal=endpoint="https://s3.openshift-storage.svc" \
  --from-literal=access_key_id="<ACCESS_KEY_ID>" \
  --from-literal=access_key_secret="<ACCESS_KEY_SECRET>"

where tempostack-dev-odf is the secret name. You can copy the values for BUCKET_NAME, ACCESS_KEY_ID and ACCESS_KEY_SECRET from your ObjectBucketClaim’s accompanied secret.

  1. Create an instance of TempoStack by referencing the secret name and type as s3:
yaml 
spec:
  storage:
    secret:
      name: tempostack-dev-odf
      type: s3