
Commit 7472337

Max's edit
1 parent 849b977 commit 7472337

1 file changed

+44
-41
lines changed


modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc

Lines changed: 44 additions & 41 deletions
@@ -17,88 +17,91 @@ include::snippets/technology-preview.adoc[leveloffset=+1]
1717
1818
.Procedure
1919

20-
. Create a GCS bucket.
20+
. Create a GCS bucket on the Google Cloud Platform (GCP).
2121

2222
. Create or reuse a service account with Google's Identity and Access Management (IAM):
2323
+
24-
[source,terminal]
24+
[source,bash]
2525
----
26-
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create <IAM_SA_NAME> \ # <1>
26+
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create <iam_service_account_name> \ # <1>
2727
--display-name="Tempo Account" \
28-
--project <PROJECT_ID> \ # <2>
28+
--project <project_id> \ # <2>
2929
--format='value(email)' \
3030
--quiet)
3131
----
32-
<1> Name of the service account in Google Cloud.
33-
<2> Project ID of the service account in Google Cloud.
32+
<1> The name of the service account on the GCP.
33+
<2> The project ID of the service account on the GCP.
3434

35-
. Bind the required GCP roles to the created SA at the project level:
35+
. Bind the required GCP roles to the created service account at the project level:
3636
+
3737
[source,terminal]
3838
----
39-
$ gcloud projects add-iam-policy-binding <PROJECT_ID> \
39+
$ gcloud projects add-iam-policy-binding <project_id> \
4040
--member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
41-
--role="roles/iam.workloadIdentityUser"
42-
43-
$ gcloud projects add-iam-policy-binding <PROJECT_ID> \
41+
--role="roles/iam.workloadIdentityUser" \
42+
&&
43+
gcloud projects add-iam-policy-binding <project_id> \
4444
--member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
4545
--role "roles/storage.objectAdmin"
46-
4746
----
48-
. Retrieve the `POOL_ID` of the Google Cloud Workload Identity Pool associated with the OpenShift cluster.
47+
48+
. Retrieve the `POOL_ID` value of the Google Cloud Workload Identity Pool that is associated with the cluster:
4949
+
5050
[source,terminal]
5151
----
52-
$ OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}')
53-
54-
$ POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
52+
$ OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}') \
53+
&&
54+
POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
5555
----
56-
. Allow Kubernetes Service Accounts to impersonate the Google Service Account, SERVICE_ACCOUNT_EMAIL is the output of the commant used to created the service account in the step 2.
56+
57+
. Permit the Kubernetes Service Accounts to impersonate the Google Service Account:
5758
+
5859
[source,terminal]
5960
----
60-
$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
61+
$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \ # <1>
6162
--role="roles/iam.workloadIdentityUser" \
62-
--member="principal://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/subject/system:serviceaccount:<TEMPO_NAMESPACE>:tempo-<TEMPO_NAME>" \
63-
--project=<PROJECT_ID> \
64-
--quiet
65-
66-
$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
63+
--member="principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/subject/system:serviceaccount:<tempo_namespace>:tempo-<tempo_name>" \
64+
--project=<project_id> \
65+
--quiet \
66+
&&
67+
gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
6768
--role="roles/iam.workloadIdentityUser" \
68-
--member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}-query-frontend" \
69-
--project="$PROJECT_ID" \
69+
--member="principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/subject/system:serviceaccount:<tempo_namespace>:tempo-<tempo_name>-query-frontend" \
70+
--project=<project_id> \
7071
--quiet
7172
----
72-
. Create credential file used by Tempo Stack, this will be in the key.json key in the storage secret:
73+
<1> The `$SERVICE_ACCOUNT_EMAIL` is the output of the command in step 2.
74+
75+
. Create a credential file for the `key.json` key of the storage secret for use by the `TempoStack` custom resource:
7376
+
7477
[source,terminal]
7578
----
7679
$ gcloud iam workload-identity-pools create-cred-config \
77-
"projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/$POOL_ID/providers/<PROVIDER_ID>" \
80+
"projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>" \
7881
--service-account="$SERVICE_ACCOUNT_EMAIL" \
79-
--credential-source-file=/var/run/secrets/storage/serviceaccount/token \
82+
--credential-source-file=/var/run/secrets/storage/serviceaccount/token \ # <1>
8083
--credential-source-type=text \
81-
--output-file=<OUTPUT_FILE_PATH> #<1>
84+
--output-file=<output_file_path> # <2>
8285
----
83-
<1> Path where the file will be writed
84-
+
85-
Note: credential-source-file should be always point to /var/run/secrets/storage/serviceaccount/token, this is where the operator will mount the token
86+
<1> The `credential-source-file` parameter must always point to the `/var/run/secrets/storage/serviceaccount/token` path because the Operator mounts the token from this path.
87+
<2> The path for saving the output file.
88+
8689
. Get the correct audience as follows:
8790
+
8891
[source,terminal]
8992
----
9093
gcloud iam workload-identity-pools providers describe "$PROVIDER_NAME" --format='value(oidc.allowedAudiences[0])'
9194
----
92-
+
93-
. Create storage secret to be used by Tempo.
95+
96+
. Create a storage secret for the {TempoShortName}.
9497
+
9598
[source,terminal]
9699
----
97-
kubectl -n <TEMPO_NAMESPACE> create secret generic gcs-secret \
98-
--from-literal=bucketname="<BUCKET_NAME> \ #<1>
99-
--from-literal=audience="<AUDIENCE> \ #<2>
100-
--from-file=key.json=<OUTPUT_FILE_PATH> #<3>
100+
kubectl -n <tempo_namespace> create secret generic gcs-secret \
101+
--from-literal=bucketname="<bucket_name> \ # <1>
102+
--from-literal=audience="<audience> \ # <2>
103+
--from-file=key.json=<output_file_path> # <3>
101104
----
102-
<1> Bucket name of the Google Cloud Storage
103-
<2> Audience we get in the previous step
104-
<3> This is the file we created with gcloud iam workload-identity-pools create-cred-config command.
105+
<1> The bucket name of the Google Cloud Storage.
106+
<2> The audience that you got in the previous step.
107+
<3> The credential file that you created in step 6.
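Review bot: the storage-secret command at new lines 101-102 is still not valid shell: `--from-literal=bucketname="<bucket_name> \` and `--from-literal=audience="<audience> \` open a double quote that is never closed, so the quote swallows the rest of the command and the final `--from-file=key.json=...` line never becomes a separate argument. Close the quotes, for example `--from-literal=bucketname="<bucket_name>" \` and `--from-literal=audience="<audience>" \`. While that block is being touched, it would be worth switching `kubectl` to `oc` to match the rest of the procedure and the `oc get authentication.config` step above.

Two least-privilege points on the role bindings at new lines 39-45: `roles/iam.workloadIdentityUser` is granted to the Google service account itself at project scope, which is not what the federation needs (step 5 correctly grants that role on the service account resource to the federated `principal://` members) and which lets the Tempo service account call `getAccessToken` on every service account in the project. That binding can be dropped. Likewise `roles/storage.objectAdmin` at project scope covers every bucket in the project; binding it on the Tempo bucket with `gcloud storage buckets add-iam-policy-binding gs://<bucket_name> --member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role "roles/storage.objectAdmin"` keeps the grant to the one bucket created in step 1.

Smaller items: the audience command at new line 93 references `$PROVIDER_NAME`, which no earlier step defines, and it is the only command in the procedure without the `$ ` prompt; the other steps use a `<provider_id>` placeholder, so `gcloud iam workload-identity-pools providers describe <provider_id> --workload-identity-pool=<pool_id> --location=global --format='value(oidc.allowedAudiences[0])'` would keep the placeholder style consistent and supply the pool and location that `describe` requires. The callout comments written as `\ # <1>` at new lines 26, 28, 61, 82, 84, 101-102 break line continuation if copied as-is (the backslash escapes the space and `#` then starts a comment), so either move the callouts to the end of the last line or rely on the bare `<1>` form used elsewhere in this repository. Finally, "on the GCP" in callouts 1 and 2 (new lines 32-33) and "on the Google Cloud Platform (GCP)" at new line 20 read awkwardly; "in Google Cloud" or "in your GCP project" would be the usual phrasing.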
