Allow to disable the ssl cert validation on the S3 API

[ntimo]

Is your feature request related to a problem? Please describe.
Currently its not possible to deploy tempo in a way where the a self hosted S3 e.g. a minio instance is secured with a certificate form a private CA. This is problematic for enterprises that use on private CAs that are then used to secure private minio instances over https.

Describe the solution you'd like
A config flag to disable the ssl cert validation

[trexx]

You can use some Golang environment variables to override where the application looks for its ca bundles.
SSL_CERT_FILE and SSL_CERT_DIR can be used to add your private CA.

Eg: SSL_CERT_FILE=/etc/tempo/ca/ca-bundle.pem

Or merge / replace the OS trusted ca bundle.

[zalegrala]

It looks like this is currently possible when using minio/s3.

https://github.com/grafana/tempo/blob/main/tempodb/backend/s3/config.go#L15

Though, if you have TLS enabled on the server side and also have the capability to inject the CA cert into the environment as @trexx suggests, that might be a better alternative.

Does the configuration option work for your situation here?

[trexx]

I've just tried this, and the flag in fact disables https entirely and forces http. It does not just disable certificate verification.
It still maybe necessary to use the env var or mount a ca-bundle over /etc/ssl/certs/ca-certificates.crt

https://github.com/grafana/tempo/blob/v1.3.0/tempodb/backend/s3/s3.go
https://github.com/minio/minio-go/blob/master/transport.go

[mdisibio]

Fixed in a duplicate issue: #1466