From b2d59f8fbe7a26eb2a2220fd224e74ae943f707f Mon Sep 17 00:00:00 2001 From: Joe Elliott Date: Wed, 13 Sep 2023 09:05:45 -0400 Subject: [PATCH] Configure S3's credential chain based on config (#2889) (#2925) * Configure S3's credential chain based on config * Changelog * Update docs (cherry picked from commit 957f1606c2af309d88c456fc7a5fb5737dcbc3a9) Co-authored-by: Mario --- CHANGELOG.md | 41 ++++++++++++++++ docs/sources/tempo/configuration/_index.md | 4 ++ tempodb/backend/s3/config.go | 13 +++--- tempodb/backend/s3/s3.go | 54 +++++++++++++--------- 4 files changed, 84 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97964a9760d..133f78e3013 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,47 @@ * [ENHANCEMENT] Update /api/metrics/summary to correctly handle missing attributes and improve performance of TraceQL `select()` queries. [#2765](https://github.com/grafana/tempo/pull/2765) (@mdisibio) * [ENHANCEMENT] Add `TempoUserConfigurableOverridesReloadFailing` alert [#2784](https://github.com/grafana/tempo/pull/2784) (@kvrhdn) * [BUGFIX] Fix panic in metrics summary api [#2738](https://github.com/grafana/tempo/pull/2738) (@mdisibio) +* [BUGFIX] Only search ingester blocks that fall within the request time range. [#2783](https://github.com/grafana/tempo/pull/2783) (@joe-elliott) +* [BUGFIX] Align tempo_query_frontend_queries_total and tempo_query_frontend_queries_within_slo_total. [#2840](https://github.com/grafana/tempo/pull/2840) (@joe-elliott) +* [BUGFIX] To support blob storage in Azure Stack Hub as backend. [#2853](https://github.com/grafana/tempo/pull/2853) (@chlislb) + This query will now correctly tell you %age of requests that are within SLO: + ``` + sum(rate(tempo_query_frontend_queries_within_slo_total{}[1m])) by (op) + / + sum(rate(tempo_query_frontend_queries_total{}[1m])) by (op) + ``` + **BREAKING CHANGE** Removed: tempo_query_frontend_queries_total{op="searchtags|metrics"}. +* [BUGFIX] Fix S3 credentials providers configuration [#2889](https://github.com/grafana/tempo/pull/2889) (@mapno) +* [CHANGE] Overrides module refactor [#2688](https://github.com/grafana/tempo/pull/2688) (@mapno) + Added new `defaults` block to the overrides' module. Overrides change to indented syntax. 
+ Old config: +``` +overrides: +ingestion_rate_strategy: local +ingestion_rate_limit_bytes: 12345 +ingestion_burst_size_bytes: 67890 +max_search_duration: 17s +forwarders: ['foo'] +metrics_generator_processors: [service-graphs, span-metrics] +``` +New config: +``` +overrides: +defaults: + ingestion: + rate_strategy: local + rate_limit_bytes: 12345 + burst_size_bytes: 67890 + read: + max_search_duration: 17s + forwarders: ['foo'] + metrics_generator: + processors: [service-graphs, span-metrics] +``` +* [BUGFIX] Moved empty root span substitution from `querier` to `query-frontend`. [#2671](https://github.com/grafana/tempo/issues/2671) (@galalen) + +# v2.2.2 / 2023-08-30 + * [BUGFIX] Fix node role auth IDMSv1 [#2760](https://github.com/grafana/tempo/pull/2760) (@coufalja) * [BUGFIX] Only search ingester blocks that fall within the request time range. [#2783](https://github.com/grafana/tempo/pull/2783) (@joe-elliott) * [BUGFIX] Fix incorrect metrics for index failures [#2781](https://github.com/grafana/tempo/pull/2781) (@zalegrala) diff --git a/docs/sources/tempo/configuration/_index.md b/docs/sources/tempo/configuration/_index.md index cdad359c2a6..8d8bba9e424 100644 --- a/docs/sources/tempo/configuration/_index.md +++ b/docs/sources/tempo/configuration/_index.md @@ -790,6 +790,10 @@ storage: # See the [S3 documentation on object tagging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) for more detail. [tags: ] + # If enabled, it will use the default authentication methods of + # the AWS SDK for go based on known environment variables and known AWS config files. + [native_aws_auth_enabled: | default = false] + # azure configuration. Will be used only if value of backend is "azure" # EXPERIMENTAL azure: diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go index 5f5985cc453..0022533dcec 100644 --- a/tempodb/backend/s3/config.go +++ b/tempodb/backend/s3/config.go 
@@ -22,12 +22,13 @@ type Config struct {
 HedgeRequestsAt time.Duration `yaml:"hedge_requests_at"`
 HedgeRequestsUpTo int `yaml:"hedge_requests_up_to"`
 // SignatureV2 configures the object storage to use V2 signing instead of V4
- SignatureV2 bool `yaml:"signature_v2"`
- ForcePathStyle bool `yaml:"forcepathstyle"`
- BucketLookupType int `yaml:"bucket_lookup_type"`
- Tags map[string]string `yaml:"tags"`
- StorageClass string `yaml:"storage_class"`
- Metadata map[string]string `yaml:"metadata"`
+ SignatureV2 bool `yaml:"signature_v2"`
+ ForcePathStyle bool `yaml:"forcepathstyle"`
+ BucketLookupType int `yaml:"bucket_lookup_type"`
+ Tags map[string]string `yaml:"tags"`
+ StorageClass string `yaml:"storage_class"`
+ Metadata map[string]string `yaml:"metadata"`
+ NativeAWSAuthEnabled bool `yaml:"native_aws_auth_enabled"`
 }
 func (c *Config) PathMatches(other *Config) bool {
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
index d1211c190db..e85ef4b355e 100644
--- a/tempodb/backend/s3/s3.go
+++ b/tempodb/backend/s3/s3.go
@@ -15,9 +15,9 @@ import (
 "github.com/cristalhq/hedgedhttp"
 gkLog "github.com/go-kit/log"
 "github.com/go-kit/log/level"
- minio "github.com/minio/minio-go/v7"
+ "github.com/minio/minio-go/v7"
 "github.com/minio/minio-go/v7/pkg/credentials"
- opentracing "github.com/opentracing/opentracing-go"
+ "github.com/opentracing/opentracing-go"
 "github.com/pkg/errors"
 tempo_io "github.com/grafana/tempo/pkg/io"
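Review bot: The new `NativeAWSAuthEnabled` field has no doc comment even though the neighbouring `SignatureV2` documents itself, and its effect is stronger than the docs wording ("use the default authentication methods") implies: in the createCore hunk below it is checked first and replaces the whole credential chain, so a configured access_key/secret_key is never consulted when it is true. Add above the field `// NativeAWSAuthEnabled makes the AWS SDK's default credential chain (environment variables and AWS config files, per the docs) the sole credential source; when true, AccessKey/SecretKey and the minio env/file/IAM providers are not consulted.` so an operator reading the struct sees the precedence without opening s3.go. The struct's opening line is the hunk's context line and PathMatches continues past the hunk.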
@@ -355,25 +355,35 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 return p
 }
- creds := credentials.NewChainCredentials([]credentials.Provider{
- wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
- wrapCredentialsProvider(&credentials.EnvAWS{}),
- wrapCredentialsProvider(&credentials.Static{
- Value: credentials.Value{
- AccessKeyID: cfg.AccessKey,
- SecretAccessKey: cfg.SecretKey.String(),
- SessionToken: cfg.SessionToken.String(),
- },
- }),
- wrapCredentialsProvider(&credentials.EnvMinio{}),
- wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
- wrapCredentialsProvider(&credentials.FileMinioClient{}),
- wrapCredentialsProvider(&credentials.IAM{
- Client: &http.Client{
- Transport: http.DefaultTransport,
- },
- }),
- })
+ var chain []credentials.Provider
+
+ if cfg.NativeAWSAuthEnabled {
+ chain = []credentials.Provider{
+ wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
+ }
+ } else if cfg.AccessKey != "" {
+ chain = []credentials.Provider{
+ wrapCredentialsProvider(&credentials.Static{
+ Value: credentials.Value{
+ AccessKeyID: cfg.AccessKey,
+ SecretAccessKey: cfg.SecretKey.String(),
+ SessionToken: cfg.SessionToken.String(),
+ },
+ }),
+ }
+ } else {
+ chain = []credentials.Provider{
+ wrapCredentialsProvider(&credentials.EnvAWS{}),
+ wrapCredentialsProvider(&credentials.EnvMinio{}),
+ wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+ wrapCredentialsProvider(&credentials.FileMinioClient{}),
+ wrapCredentialsProvider(&credentials.IAM{
+ Client: &http.Client{
+ Transport: http.DefaultTransport,
+ },
+ }),
+ }
+ }
 customTransport, err := minio.DefaultTransport(!cfg.Insecure)
 if err != nil {
@@ -404,7 +414,7 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 opts := &minio.Options{
 Region: cfg.Region,
 Secure: !cfg.Insecure,
- Creds: creds,
+ Creds: credentials.NewChainCredentials(chain),
 Transport: transport,
 }
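Review bot: The `else if cfg.AccessKey != ""` selector lets a half-specified static credential go unnoticed: a secret_key without an access_key silently falls through to the ambient EnvAWS/EnvMinio/file/IAM chain, an access_key without a secret_key feeds the Static provider an empty secret, and when `NativeAWSAuthEnabled` is true a configured access_key is ignored without any signal. Now that the credential source is exclusive rather than chained, the next provider no longer papers over such a misconfiguration, so it should fail at startup instead: add before `var chain` the guard `if (cfg.AccessKey == "") != (cfg.SecretKey.String() == "") { return nil, errors.New("s3: access_key and secret_key must be set together") }`, and, if a logger is reachable from createCore, log which branch was selected so operators can confirm which identity the backend is running under. The `http.Client` handed to `credentials.IAM` on the new side still has no `Timeout`, so a stalled metadata endpoint can block createCore for as long as the IAM provider itself allows — worth confirming against the minio provider's own bounds. createCore's body begins and ends outside this hunk; the second hunk only wires `chain` into minio.Options.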