Set s3 credentials with command line flags #308

Closed
sboschman opened this issue Nov 2, 2020 · 5 comments · Fixed by #309

@sboschman
Contributor

Is your feature request related to a problem? Please describe.
Currently the s3 credentials (access key and secret) have to be configured in the config file. This makes it hard/impossible to use a vault service which supplies the credentials as a k8s secret.

Describe the solution you'd like
Allowing the s3 credentials to be set using command line flags makes it possible to bind the secret as env vars and use the env vars as container args.

E.g.:

env:
- name: S3_ACCESS_KEY_ID
  valueFrom:
     secretKeyRef:
       name: s3-secret
       key: S3_ACCESS_KEY_ID
args:
- "storage.trace.s3.access_key=$(S3_ACCESS_KEY_ID)"

@orcr

orcr commented Jan 12, 2023

Hi,
Could you please add how to use this modification? I did not find any related information, so I tried as in the feature request, but the values are not picked from the secret.

@mapno
Member

mapno commented Jan 13, 2023

Hi! You can use the flags --storage.trace.s3.access_key and --storage.trace.s3.secret_key when running tempo to configure those secrets. Another option is using --config.expand-env, to use env vars.

@orcr

orcr commented Jan 13, 2023

Thanks for the information, I did as follows on the values.yaml

  1. Load secrets on extraEnvFrom as follows

    extraEnvFrom:
      - name: envVarNameId
        valueFrom:
          secretKeyRef:
            name: secretName
            key: username
      - name: envVarNameKey
        valueFrom:
          secretKeyRef:
            name: secretName
            key: password

  2. Then load the values from the var into the configMap like follows

    storage:
      trace:
        # -- The supported storage backends are gcs, s3 and azure, as specified in https://grafana.com/docs/tempo/latest/configuration/#storage
        backend: s3
        s3:
          bucket: bucketName
          endpoint: s3.eu-west-2.amazonaws.com
          access_key: $envVarNameId
          secret_key: $envVarNameKey

@gabricc

gabricc commented Sep 27, 2023

Hi @orcr!
Did you have to do anything additional to make it work? I did exactly the same, but the secrets are not replaced inside the tempo.yaml file:

# cat /conf/tempo.yaml | grep trace -A4
      trace:
        backend: s3
        s3:
          access_key: ${AWS_ACCESS_KEY_ID}
          bucket: ***grafana-traces-data
          endpoint: s3.us-east-1.amazonaws.com
          forcepathstyle: true
          insecure: true
          secret_key: ${AWS_SECRET_ACCESS_KEY}

No luck also using the flags in the startup command:

# ps aux
PID   USER     TIME  COMMAND
    1 root      0:04 /tempo -config.file=/conf/tempo.yaml -mem-ballast-size-mbs=1024 --storage.trace.s3.access_key=${AWS_ACCESS_KEY_ID} --storage.trace.s3.secret_key=${AWS_SECRET_ACCESS_KEY}

Thanks!

@jameshearttech

This is how I put together previous comments to use Rook/Ceph object storage.

Tempo community Helm chart version 1.6.1 values snippet.

tempo:
  storage:
    trace:
      backend: s3
      s3:
        bucket: tempo-bucket
        endpoint: rook-ceph-rgw-ceph-objectstore.rook-ceph.svc
        access_key: ${AWS_ACCESS_KEY_ID}
        secret_key: ${AWS_SECRET_ACCESS_KEY}
        insecure: true
      wal:
        path: /var/tempo/wal
  extraArgs: { config.expand-env=true }
  extraEnv:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: tempo-bucket
        key: AWS_ACCESS_KEY_ID
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: tempo-bucket
        key: AWS_SECRET_ACCESS_KEY

Rook ObjectBucketClaim manifest.

apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: tempo-bucket
spec:
  bucketName: tempo-bucket
  storageClassName: ceph-bucket
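
An added example, not part of the thread or of Tempo's code: a small Python check of container args and config text against the two substitution rules in play above, Kubernetes expanding `$(VAR)` (not `${VAR}`) in container args and Tempo expanding `${VAR}` in the config file only with `-config.expand-env=true`. The function name `check`, the finding codes and the sample inputs are assumptions constructed from the comments above; only the `${VAR}` form is handled.

```python
import re

# Kubernetes rewrites $(NAME) in container command/args from the container's env.
K8S_REF = re.compile(r"\$\(([A-Za-z_]\w*)\)")
# ${NAME} is not touched by Kubernetes; Tempo expands it in the config file
# only when started with -config.expand-env=true.
BRACE_REF = re.compile(r"\$\{([A-Za-z_]\w*)\}")
EXPAND_FLAG = re.compile(r"--?config\.expand-env(=true)?")

def check(args, config_text, env_names):
    """Return (location, variable, code) findings for one container (hypothetical helper)."""
    findings = []
    for arg in args:
        for name in BRACE_REF.findall(arg):
            findings.append(("args", name, "NOT_EXPANDED_BY_K8S"))
        for name in K8S_REF.findall(arg):
            if name in env_names:
                # The expanded value lands in argv, readable via ps or /proc.
                findings.append(("args", name, "SECRET_IN_ARGV"))
            else:
                findings.append(("args", name, "UNDEFINED_ENV"))
    expand = any(EXPAND_FLAG.fullmatch(a) for a in args)
    for name in BRACE_REF.findall(config_text):
        if not expand:
            findings.append(("config", name, "EXPAND_ENV_OFF"))
        elif name not in env_names:
            findings.append(("config", name, "UNDEFINED_ENV"))
    return findings

# Constructed inputs modelled on the comments in this thread.
ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
CONFIG = """\
storage:
  trace:
    backend: s3
    s3:
      access_key: ${AWS_ACCESS_KEY_ID}
      secret_key: ${AWS_SECRET_ACCESS_KEY}
"""
FAILING_ARGS = [
    "-config.file=/conf/tempo.yaml",
    "--storage.trace.s3.access_key=${AWS_ACCESS_KEY_ID}",
    "--storage.trace.s3.secret_key=${AWS_SECRET_ACCESS_KEY}",
]
WORKING_ARGS = ["-config.file=/conf/tempo.yaml", "-config.expand-env=true"]

if __name__ == "__main__":
    for label, args in (("failing", FAILING_ARGS), ("working", WORKING_ARGS)):
        print(label, check(args, CONFIG, ENV))
```

A `SECRET_IN_ARGV` finding marks the trade-off of the flag approach: the secret is expanded into the process command line, whereas the `-config.expand-env=true` route keeps it in the environment only.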
