Object storage
Tempo Operator supports AWS S3, Azure, GCS, MinIO and OpenShift Data Foundation for TempoStack object storage.
AWS S3
Requirements
- Create a bucket on AWS.
Static token installation
Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<AWS_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<AWS_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<AWS_ACCESS_KEY_SECRET>"
where tempostack-dev-s3 is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3
AWS Security Token Service (STS) installation
- Create a custom AWS IAM Role associated with a trust relationship to Tempo’s Kubernetes ServiceAccount:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${OIDC_PROVIDER}:sub": [
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
              ]
            }
          }
        }
      ]
    }
- Create an AWS IAM role:
    aws iam create-role \
      --role-name "tempo-s3-access" \
      --assume-role-policy-document "file:///tmp/trust.json" \
      --query Role.Arn \
      --output text
- Attach a specific policy to that role:
    aws iam attach-role-policy \
      --role-name "tempo-s3-access" \
      --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=region="<AWS_REGION>" \
      --from-literal=role_arn="<ROLE ARN>"
where tempostack-dev-s3 is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3
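The trust policy in the STS steps above is written with ${...} placeholders, and the create-role step reads it from /tmp/trust.json. As an added example (not part of the Tempo Operator documentation), the function below renders the policy from those four values and rejects input that would produce a malformed provider ARN, broken JSON or an unintended ServiceAccount subject. The function name, the validation rules and the sample values are assumptions made for this example.

```shell
# Added example, not Tempo Operator code. Sample values are constructed.
# render_trust_policy ACCOUNT_ID OIDC_PROVIDER NAMESPACE TEMPOSTACK_NAME
# Prints the trust policy JSON on stdout; returns 1 on invalid input.
render_trust_policy() {
  tp_account=$1 tp_oidc=$2 tp_ns=$3 tp_name=$4
  # Cluster issuer URLs usually carry a scheme; the provider ARN and the
  # "<issuer>:sub" condition key use the issuer without it.
  tp_oidc=${tp_oidc#https://}
  tp_oidc=${tp_oidc%/}
  # AWS account IDs are exactly 12 digits.
  case $tp_account in ''|*[!0-9]*) echo "invalid account id" >&2; return 1;; esac
  [ "${#tp_account}" -eq 12 ] || { echo "invalid account id" >&2; return 1; }
  # Issuer: host and optional path only (no quotes, spaces or wildcards).
  case $tp_oidc in ''|*[!A-Za-z0-9._/-]*) echo "invalid OIDC provider" >&2; return 1;; esac
  # Namespace and TempoStack name: lowercase DNS labels (assumed naming rule).
  for tp_v in "$tp_ns" "$tp_name"; do
    case $tp_v in
      ''|-*|*-|*[!a-z0-9-]*) echo "invalid name: $tp_v" >&2; return 1;;
    esac
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${tp_account}:oidc-provider/${tp_oidc}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${tp_oidc}:sub": [
            "system:serviceaccount:${tp_ns}:tempo-${tp_name}",
            "system:serviceaccount:${tp_ns}:tempo-${tp_name}-query-frontend"
          ]
        }
      }
    }
  ]
}
EOF
}

# Constructed values; redirect the output to /tmp/trust.json for the create-role step.
render_trust_policy 123456789012 "https://oidc.example.com/id/EXAMPLE" tracing simplest
```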
Azure
Requirements
- Create a bucket on Azure.
Installation
Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-azure \
      --from-literal=container="<AZURE_CONTAINER_NAME>" \
      --from-literal=account_name="<AZURE_ACCOUNT_NAME>" \
      --from-literal=account_key="<AZURE_ACCOUNT_KEY>"
where tempostack-dev-azure is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as azure:
    spec:
      storage:
        secret:
          name: tempostack-dev-azure
          type: azure
Google Cloud Storage
Requirements
- Create a project on Google Cloud Platform.
- Create a bucket under the same project.
- Create a service account under the same project for GCP authentication.
Installation
Copy the service account credentials received from GCP into a file named key.json.
Create an Object Storage secret with keys bucketname and key.json as follows:
    kubectl create secret generic tempostack-dev-gcs \
      --from-literal=bucketname="<BUCKET_NAME>" \
      --from-file=key.json="<PATH/TO/KEY.JSON>"
where tempostack-dev-gcs is the secret name, <BUCKET_NAME> is the name of the bucket created in the requirements step and <PATH/TO/KEY.JSON> is the file path where the key.json was copied to.
- Create an instance of TempoStack by referencing the secret name and type as gcs:
    spec:
      storage:
        secret:
          name: tempostack-dev-gcs
          type: gcs
MinIO
Requirements
Deploy MinIO on your cluster, e.g. using the MinIO Operator or another method.
Create a bucket on MinIO using the CLI.
Installation
Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-minio \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<MINIO_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<MINIO_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<MINIO_ACCESS_KEY_SECRET>"
where tempostack-dev-minio is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-minio
          type: s3
OpenShift Data Foundation
Requirements
Deploy the OpenShift Data Foundation on your cluster.
Create a bucket via an ObjectBucketClaim.
Installation
Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-odf \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="https://s3.openshift-storage.svc" \
      --from-literal=access_key_id="<ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<ACCESS_KEY_SECRET>"
where tempostack-dev-odf is the secret name. You can copy the values for BUCKET_NAME, ACCESS_KEY_ID and ACCESS_KEY_SECRET from your ObjectBucketClaim’s accompanying secret.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-odf
          type: s3