Object storage
Tempo Operator supports AWS S3, Azure, GCS, MinIO and OpenShift Data Foundation for TempoStack object storage.
AWS S3
Requirements
- Create a bucket on AWS.
Static token installation
- Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<AWS_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<AWS_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<AWS_ACCESS_KEY_SECRET>"
  where tempostack-dev-s3 is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3
AWS Security Token Service (STS) installation
- Create a custom AWS IAM Role associated with a trust relationship to Tempo’s Kubernetes ServiceAccount:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "${OIDC_PROVIDER}:sub": [
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}",
                "system:serviceaccount:${TEMPOSTACK_NS}:tempo-${TEMPOSTACK_NAME}-query-frontend"
              ]
            }
          }
        }
      ]
    }
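- Create an AWS IAM role. The command reads the trust policy above from /tmp/trust.json and prints the ARN of the new role:
    aws iam create-role \
      --role-name "tempo-s3-access" \
      --assume-role-policy-document "file:///tmp/trust.json" \
      --query Role.Arn \
      --output text
- Attach an S3 access policy to that role. The AWS managed policy used here, AmazonS3FullAccess, is not limited to the Tempo bucket:
    aws iam attach-role-policy \
      --role-name "tempo-s3-access" \
      --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"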
- Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-s3 \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=region="<AWS_REGION>" \
      --from-literal=role_arn="<ROLE ARN>"
  where tempostack-dev-s3 is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-s3
          type: s3
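The trust policy in the STS installation above restricts role assumption to two ServiceAccounts through its StringEquals condition on the OIDC sub claim. The following check is an added example, not part of the Tempo Operator documentation: it audits a rendered trust policy for that pinning. The account ID, OIDC provider, namespace and TempoStack name in it are constructed placeholders.

```python
import json

def expected_subjects(namespace, name):
    """The two ServiceAccount subjects the trust policy on this page allows."""
    base = f"system:serviceaccount:{namespace}:tempo-{name}"
    return {base, f"{base}-query-frontend"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, oidc_provider, namespace, name):
    """Return findings; an empty list means every web-identity statement is pinned."""
    findings, sub_key = [], f"{oidc_provider}:sub"
    allowed = expected_subjects(namespace, name)
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        # Pattern operators such as StringLike admit wildcards in the subject.
        for op, keys in cond.items():
            if op != "StringEquals" and sub_key in keys:
                findings.append(f"statement {i}: {sub_key} uses {op}, not StringEquals")
        subjects = cond.get("StringEquals", {}).get(sub_key)
        if subjects is None:
            findings.append(f"statement {i}: no StringEquals condition on {sub_key}")
            continue
        for subject in sorted(set(as_list(subjects)) - allowed):
            findings.append(f"statement {i}: unexpected subject {subject}")
    return findings

def sample_policy(operator, subjects, oidc="oidc.example.com/id/EXAMPLE"):
    """Constructed trust policy in the page's shape; account and provider are placeholders."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{oidc}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {f"{oidc}:sub": subjects}},
    }]}

if __name__ == "__main__":
    oidc, ns, name = "oidc.example.com/id/EXAMPLE", "observability", "dev"
    pinned = sample_policy("StringEquals", sorted(expected_subjects(ns, name)))
    loose = sample_policy("StringLike", f"system:serviceaccount:{ns}:*")
    for label, policy in (("pinned", pinned), ("loose", loose)):
        print(label, json.dumps(audit_trust_policy(policy, oidc, ns, name), indent=2))
```

To audit a real policy, load the rendered /tmp/trust.json with json.load and pass your own OIDC provider, namespace and TempoStack name.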
Azure
Requirements
- Create a bucket on Azure.
Installation
- Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-azure \
      --from-literal=container="<AZURE_CONTAINER_NAME>" \
      --from-literal=account_name="<AZURE_ACCOUNT_NAME>" \
      --from-literal=account_key="<AZURE_ACCOUNT_KEY>"
  where tempostack-dev-azure is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as azure:
    spec:
      storage:
        secret:
          name: tempostack-dev-azure
          type: azure
Google Cloud Storage
Requirements
- Create a project on Google Cloud Platform.
- Create a bucket under the same project.
- Create a service account under the same project for GCP authentication.
Installation
- Copy the service account credentials received from GCP into a file named key.json.
- Create an Object Storage secret with keys bucketname and key.json as follows:
    kubectl create secret generic tempostack-dev-gcs \
      --from-literal=bucketname="<BUCKET_NAME>" \
      --from-file=key.json="<PATH/TO/KEY.JSON>"
  where tempostack-dev-gcs is the secret name, <BUCKET_NAME> is the name of the bucket created in the requirements step and <PATH/TO/KEY.JSON> is the file path where key.json was copied to.
- Create an instance of TempoStack by referencing the secret name and type as gcs:
    spec:
      storage:
        secret:
          name: tempostack-dev-gcs
          type: gcs
MinIO
Requirements
- Deploy MinIO on your cluster, e.g. using the MinIO Operator or another method.
- Create a bucket on MinIO using the CLI.
Installation
- Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-minio \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="<MINIO_BUCKET_ENDPOINT>" \
      --from-literal=access_key_id="<MINIO_ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<MINIO_ACCESS_KEY_SECRET>"
  where tempostack-dev-minio is the secret name.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-minio
          type: s3
OpenShift Data Foundation
Requirements
- Deploy the OpenShift Data Foundation on your cluster.
- Create a bucket via an ObjectBucketClaim.
Installation
- Create an Object Storage secret with keys as follows:
    kubectl create secret generic tempostack-dev-odf \
      --from-literal=bucket="<BUCKET_NAME>" \
      --from-literal=endpoint="https://s3.openshift-storage.svc" \
      --from-literal=access_key_id="<ACCESS_KEY_ID>" \
      --from-literal=access_key_secret="<ACCESS_KEY_SECRET>"
  where tempostack-dev-odf is the secret name. You can copy the values for BUCKET_NAME, ACCESS_KEY_ID and ACCESS_KEY_SECRET from the secret that accompanies your ObjectBucketClaim.
- Create an instance of TempoStack by referencing the secret name and type as s3:
    spec:
      storage:
        secret:
          name: tempostack-dev-odf
          type: s3