From 6c35e24267ed6ebf4a69eff9f12513b80184415b Mon Sep 17 00:00:00 2001
From: Zach Leslie
Date: Fri, 10 Jun 2022 13:54:33 -0600
Subject: [PATCH] Add s3 config option insecure_skip_verify (#1470)

* Add s3 config option insecure_skip_verify
* Update changelog
* Improve docs from feedback
* Update changelog
---
 CHANGELOG.md | 1 +
 docs/tempo/website/configuration/_index.md | 6 +++++-
 tempodb/backend/s3/config.go | 19 ++++++++++---------
 tempodb/backend/s3/s3.go | 14 +++++++++-----
 4 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 856525ec30a..17ac7380153 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ Additionally, default label `span_status` is renamed to `status_code`.
 * [ENHANCEMENT] metrics-generator: expose max_active_series as a metric [#1471](https://github.com/grafana/tempo/pull/1471) (@kvrhdn)
 * [ENHANCEMENT] Azure Backend: Add support for authentication with Managed Identities. [#1457](https://github.com/grafana/tempo/pull/1457) (@joe-elliott)
 * [ENHANCEMENT] Add metric to track feature enablement [#1459](https://github.com/grafana/tempo/pull/1459) (@zalegrala)
+* [ENHANCEMENT] Added s3 config option `insecure_skip_verify` [#1470](https://github.com/grafana/tempo/pull/1470) (@zalegrala)
 * [BUGFIX] Fix nil pointer panic when the trace by id path errors. [#1441](https://github.com/grafana/tempo/pull/1441) (@joe-elliott)
 * [BUGFIX] Update tempo microservices Helm values example which missed the 'enabled' key for thriftHttp. [#1472](https://github.com/grafana/tempo/pull/1472) (@hajowieland)
 * [BUGFIX] Fix race condition in forwarder overrides loop. [1468](https://github.com/grafana/tempo/pull/1468) (@mapno)
diff --git a/docs/tempo/website/configuration/_index.md b/docs/tempo/website/configuration/_index.md
index dc655626df7..3169b46b766 100644
--- a/docs/tempo/website/configuration/_index.md
+++ b/docs/tempo/website/configuration/_index.md
@@ -532,7 +532,11 @@ storage: # optional. # enable if endpoint is http - [insecure: ] + [insecure: ] + + # optional. + # Set to true to disable verification of an TLS endpoint. The default value is false. + [insecure_skip_verify: ] # optional. # enable to use path-style requests. diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go index 78e09cdc988..db1fe261ca9 100644 --- a/tempodb/backend/s3/config.go +++ b/tempodb/backend/s3/config.go @@ -7,15 +7,16 @@ import ( ) type Config struct { - Bucket string `yaml:"bucket"` - Endpoint string `yaml:"endpoint"` - Region string `yaml:"region"` - AccessKey string `yaml:"access_key"` - SecretKey flagext.Secret `yaml:"secret_key"` - Insecure bool `yaml:"insecure"` - PartSize uint64 `yaml:"part_size"` - HedgeRequestsAt time.Duration `yaml:"hedge_requests_at"` - HedgeRequestsUpTo int `yaml:"hedge_requests_up_to"` + Bucket string `yaml:"bucket"` + Endpoint string `yaml:"endpoint"` + Region string `yaml:"region"` + AccessKey string `yaml:"access_key"` + SecretKey flagext.Secret `yaml:"secret_key"` + Insecure bool `yaml:"insecure"` + InsecureSkipVerify bool `yaml:"insecure_skip_verify"` + PartSize uint64 `yaml:"part_size"` + HedgeRequestsAt time.Duration `yaml:"hedge_requests_at"` + HedgeRequestsUpTo int `yaml:"hedge_requests_up_to"` // SignatureV2 configures the object storage to use V2 signing instead of V4 SignatureV2 bool `yaml:"signature_v2"` ForcePathStyle bool `yaml:"forcepathstyle"` diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go index d82b9fcd4e9..1841cf9802c 100644 --- a/tempodb/backend/s3/s3.go +++ b/tempodb/backend/s3/s3.go 
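Review bot: The new `InsecureSkipVerify` field added to the Config struct carries no doc comment, while its neighbour `SignatureV2` does, so a reader of the Go type gets no hint that this switches off TLS certificate verification for the S3 endpoint. Suggest adding above the field: `// InsecureSkipVerify disables TLS certificate verification of the S3 endpoint. Intended for test setups only; it removes protection against a spoofed or intercepted endpoint.` The Config struct continues past the end of the hunk, so if config.go registers command-line flags for the other fields elsewhere, the new option should presumably be mirrored there as well, which cannot be confirmed from this hunk.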
@@ -16,9 +16,9 @@ import (
 	gkLog "github.com/go-kit/log"
 	"github.com/go-kit/log/level"
 	"github.com/grafana/tempo/tempodb/backend"
-	"github.com/minio/minio-go/v7"
+	minio "github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	"github.com/opentracing/opentracing-go"
+	opentracing "github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 
 	tempo_io "github.com/grafana/tempo/pkg/io"
@@ -36,14 +36,14 @@ type readerWriter struct {
 // appendTracker is a struct used to track multipart uploads
 type appendTracker struct {
 	uploadID string
-	partNum int
-	parts []minio.ObjectPart
 	objectName string
+	parts []minio.ObjectPart
+	partNum int
 }
 
 type overrideSignatureVersion struct {
-	useV2 bool
 	upstream credentials.Provider
+	useV2 bool
 }
 
 func (s *overrideSignatureVersion) Retrieve() (credentials.Value, error) {
@@ -343,6 +343,10 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 		return nil, errors.Wrap(err, "create minio.DefaultTransport")
 	}
 
+	if cfg.InsecureSkipVerify {
+		customTransport.TLSClientConfig.InsecureSkipVerify = true
+	}
+
 	// add instrumentation
 	transport := instrumentation.NewS3Transport(customTransport)
 	var stats *hedgedhttp.Stats
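Review bot: The added block in createCore dereferences `customTransport.TLSClientConfig` without a nil check; minio's `DefaultTransport` only populates that field when the transport is built for a TLS endpoint, so a configuration that sets both `insecure` and `insecure_skip_verify` would most likely panic here instead of having the second option ignored or rejected. The cheapest guard is to change the condition to `if cfg.InsecureSkipVerify && customTransport.TLSClientConfig != nil {`; the alternative is to allocate `customTransport.TLSClientConfig = &tls.Config{}` when it is nil, which needs a `crypto/tls` import. Since disabling verification silently weakens the backend connection, it is also worth emitting a `level.Warn` log when the option is active, if a logger is reachable from createCore, so operators can detect the setting in a production config. The call that creates customTransport sits before the hunk, so the exact arguments it receives cannot be seen here.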