grafana / tempo

Grafana Tempo is a high volume, minimal dependency distributed tracing backend.
https://grafana.com/oss/tempo/
GNU Affero General Public License v3.0

Set s3 credentials with command line flags #308

Closed sboschman closed 3 years ago

sboschman commented 3 years ago

Is your feature request related to a problem? Please describe.
Currently the s3 credentials (access key and secret) have to be configured in the config file. This makes it hard/impossible to use a vault service which supplies the credentials as a k8s secret.

Describe the solution you'd like
Allowing the s3 credentials to be set using command line flags makes it possible to bind the secret as env vars and use the env vars as container args.

E.g.:

env:
- name: S3_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      name: s3-secret
      key: S3_ACCESS_KEY_ID
args:
- "--storage.trace.s3.access_key=$(S3_ACCESS_KEY_ID)"

orcr commented 1 year ago

Hi, could you please add how to use this modification? I did not find any related information, so I tried it as in the feature request, but the values are not picked from the secret.

mapno commented 1 year ago

Hi! You can use the flags --storage.trace.s3.access_key and --storage.trace.s3.secret_key when running tempo to configure those secrets. Another option is using --config.expand-env, to use env vars.

orcr commented 1 year ago

Thanks for the information. I did as follows in the values.yaml:

  1. Load secrets on extraEnvFrom as follows:

      extraEnvFrom:
        - name: envVarNameId
          valueFrom:
            secretKeyRef:
              name: secretName
              key: username
        - name: envVarNameKey
          valueFrom:
            secretKeyRef:
              name: secretName
              key: password

  2. Then load the values from the vars into the configMap as follows:

      storage:
        trace:
          # -- The supported storage backends are gcs, s3 and azure, as specified in https://grafana.com/docs/tempo/latest/configuration/#storage
          backend: s3
          s3:
            bucket: bucketName
            endpoint: s3.eu-west-2.amazonaws.com
            access_key: $envVarNameId
            secret_key: $envVarNameKey

gabricc commented 11 months ago

Hi @orcr! Did you have to do anything additional to make it work? I did exactly the same, but the secrets are not replaced inside the tempo.yaml file:

# cat /conf/tempo.yaml | grep trace -A4
      trace:
        backend: s3
        s3:
          access_key: ${AWS_ACCESS_KEY_ID}
          bucket: ***grafana-traces-data
          endpoint: s3.us-east-1.amazonaws.com
          forcepathstyle: true
          insecure: true
          secret_key: ${AWS_SECRET_ACCESS_KEY}

Also no luck using the flags in the startup command:

# ps aux
PID   USER     TIME  COMMAND
    1 root      0:04 /tempo -config.file=/conf/tempo.yaml -mem-ballast-size-mbs=1024 --storage.trace.s3.access_key=${AWS_ACCESS_KEY_ID} --storage.trace.s3.secret_key=${AWS_SECRET_ACCESS_KEY}

Thanks!

jameshearttech commented 10 months ago

This is how I put together previous comments to use Rook/Ceph object storage.

Tempo community Helm chart version 1.6.1 values snippet.

tempo:
  storage:
    trace:
      backend: s3
      s3:
        bucket: tempo-bucket
        endpoint: rook-ceph-rgw-ceph-objectstore.rook-ceph.svc
        access_key: ${AWS_ACCESS_KEY_ID}
        secret_key: ${AWS_SECRET_ACCESS_KEY}
        insecure: true
      wal:
        path: /var/tempo/wal
  extraArgs: { config.expand-env=true }
  extraEnv:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: tempo-bucket
        key: AWS_ACCESS_KEY_ID
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: tempo-bucket
        key: AWS_SECRET_ACCESS_KEY

Rook ObjectBucketClaim manifest.

apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: tempo-bucket
spec:
  bucketName: tempo-bucket
  storageClassName: ceph-bucket
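
Added example, not part of the thread or of Tempo's code: a small Python check that models how Kubernetes expands container args (`$(NAME)` from the container env only, with no shell involved), which is consistent with `${AWS_ACCESS_KEY_ID}` appearing literally in the `ps aux` output above, and that flags args which would place a secret's value in the process arguments. The env values are constructed and the function names are hypothetical.

```python
import re

# Kubernetes substitutes $(NAME) in a container's command/args from its env.
# "$$" is an escaped "$"; undefined names and shell-style ${NAME} pass through
# unchanged, because no shell runs between the kubelet and the process.
_K8S_REF = re.compile(r"\$\$|\$\(([^)]*)\)")
_SHELL_REF = re.compile(r"\$\{[^}]*\}")


def expand_k8s_arg(arg, env):
    """Return the argv string the process receives for one args entry."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        return env.get(m.group(1), m.group(0))
    return _K8S_REF.sub(sub, arg)


def audit_args(args, env, secret_names):
    """Return (kind, arg) findings for a container's args list.

    literal-ref:    a ${NAME} or undefined $(NAME) reaches the process as text.
    secret-in-argv: a secret is expanded into argv, where `ps` and
                    /proc/<pid>/cmdline show it.
    """
    findings = []
    for arg in args:
        refs = [m.group(1) for m in _K8S_REF.finditer(arg) if m.group(1) is not None]
        if _SHELL_REF.search(arg) or any(r not in env for r in refs):
            findings.append(("literal-ref", arg))
        if any(r in env and r in secret_names for r in refs):
            findings.append(("secret-in-argv", arg))
    return findings


# Constructed sample values; the flag strings follow the forms quoted in the thread.
ENV = {"AWS_ACCESS_KEY_ID": "EXAMPLEKEYID", "AWS_SECRET_ACCESS_KEY": "example-secret"}
SECRETS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
CASES = {
    "shell-style": ["--storage.trace.s3.access_key=${AWS_ACCESS_KEY_ID}"],
    "k8s-style": ["--storage.trace.s3.access_key=$(AWS_ACCESS_KEY_ID)"],
    "expand-env": ["-config.file=/conf/tempo.yaml", "-config.expand-env=true"],
}

if __name__ == "__main__":
    for label, args in CASES.items():
        argv = [expand_k8s_arg(a, ENV) for a in args]
        print(label, argv, audit_args(args, ENV, SECRETS))
```

The `expand-env` case produces no findings: with that flag the credentials stay in the container environment and are substituted when the config file is read, so they never appear in the process arguments.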