This is documentation for the next version of Tempo. For the latest stable release, go to the latest version.

Documentation Grafana Tempo Set up Deploy with operator Object storage

Object storage

Tempo Operator supports AWS S3, Azure, GCS, Minio and OpenShift Data Foundation for TempoStack object storage.

AWS S3

Requirements

• Create a bucket on AWS.

Static token installation

1. Create an Object Storage secret with keys as follows:

   console Copy

   kubectl create secret generic tempostack-dev-s3 \
     --from-literal=bucket="<BUCKET_NAME>" \
     --from-literal=endpoint="<AWS_BUCKET_ENDPOINT>" \
     --from-literal=access_key_id="<AWS_ACCESS_KEY_ID>" \
     --from-literal=access_key_secret="<AWS_ACCESS_KEY_SECRET>"

where tempostack-dev-s3 is the secret name.

2. Create an instance of TempoStack by referencing the secret name and type as s3:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-s3
      type: s3

AWS Security Token Service (STS) installation

1. Create a custom AWS IAM Role associated with a trust relationship to Tempo’s Kubernetes ServiceAccount:

yaml Copy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": [
            "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
            "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
         ]
       }
     }
   }
  ]
}

2. Create an AWS IAM role:

yaml Copy

aws iam create-role \
  --role-name "tempo-s3-access" \
  --assume-role-policy-document "file:///tmp/trust.json" \
  --query Role.Arn \
  --output text

3. Attach a specific policy to that role:

yaml Copy

aws iam attach-role-policy \
  --role-name "tempo-s3-access" \
  --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"

4. Create an Object Storage secret with keys as follows:

   console Copy

   kubectl create secret generic tempostack-dev-s3 \
     --from-literal=bucket="<BUCKET_NAME>" \
     --from-literal=region="<AWS_REGION>" \
     --from-literal=role_arn="<ROLE ARN>"

where tempostack-dev-s3 is the secret name.

5. Create an instance of TempoStack by referencing the secret name and type as s3:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-s3
      type: s3

Azure

Requirements

• Create a bucket on Azure.

Installation

1. Create an Object Storage secret with keys as follows:

   console Copy

   kubectl create secret generic tempostack-dev-azure \
     --from-literal=container="<AZURE_CONTAINER_NAME>" \
     --from-literal=account_name="<AZURE_ACCOUNT_NAME>" \
     --from-literal=account_key="<AZURE_ACCOUNT_KEY>"

where tempostack-dev-azure is the secret name.

2. Create an instance of TempoStack by referencing the secret name and type as azure:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-azure
      type: azure

Google Cloud Storage

Requirements

• Create a project on Google Cloud Platform.
• Create a bucket under same project.
• Create a service account under same project for GCP authentication.

Installation

1. Copy the service account credentials received from GCP into a file name key.json.

2. Create an Object Storage secret with keys bucketname and key.json as follows:

   console Copy

   kubectl create secret generic tempostack-dev-gcs \
     --from-literal=bucketname="<BUCKET_NAME>" \
     --from-file=key.json="<PATH/TO/KEY.JSON>"

where tempostack-dev-gcs is the secret name, <BUCKET_NAME> is the name of bucket created in requirements step and <PATH/TO/KEY.JSON> is the file path where the key.json was copied to.

3. Create an instance of TempoStack by referencing the secret name and type as gcs:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-gcs
      type: gcs

MinIO

Requirements

• Deploy MinIO on your cluster, e.g. using the MinIO Operator or another method.

• Create a bucket on MinIO using the CLI.

Installation

1. Create an Object Storage secret with keys as follows:

   console Copy

   kubectl create secret generic tempostack-dev-minio \
     --from-literal=bucket="<BUCKET_NAME>" \
     --from-literal=endpoint="<MINIO_BUCKET_ENDPOINT>" \
     --from-literal=access_key_id="<MINIO_ACCESS_KEY_ID>" \
     --from-literal=access_key_secret="<MINIO_ACCESS_KEY_SECRET>"

where tempostack-dev-minio is the secret name.

2. Create an instance of TempoStack by referencing the secret name and type as s3:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-minio
      type: s3

OpenShift Data Foundation

Requirements

• Deploy the OpenShift Data Foundation on your cluster.

• Create a bucket via an ObjectBucketClaim.

Installation

1. Create an Object Storage secret with keys as follows:

   console Copy

   kubectl create secret generic tempostack-dev-odf \
     --from-literal=bucket="<BUCKET_NAME>" \
     --from-literal=endpoint="https://s3.openshift-storage.svc" \
     --from-literal=access_key_id="<ACCESS_KEY_ID>" \
     --from-literal=access_key_secret="<ACCESS_KEY_SECRET>"

where tempostack-dev-odf is the secret name. You can copy the values for BUCKET_NAME, ACCESS_KEY_ID and ACCESS_KEY_SECRET from your ObjectBucketClaim’s accompanied secret.

2. Create an instance of TempoStack by referencing the secret name and type as s3:

yaml Copy

spec:
  storage:
    secret:
      name: tempostack-dev-odf
      type: s3