Skip to content

[enterprise-4.17] OBSDOCS-1976: Document support for GCP, Azure, and AWS STP tokens #95172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
// Module included in the following assemblies:
//
//* observability/distr_tracing/distr-tracing-tempo-installing.adoc

:_mod-docs-content-type: PROCEDURE
[id="setting-up-amazon-s3-storage-with-security-token-service_{context}"]
= Setting up the Amazon S3 storage with the Security Token Service

You can set up the Amazon S3 storage with the Security Token Service (STS) and AWS Command Line Interface (AWS CLI). Optionally, you can also use the Cloud Credential Operator (CCO).

:FeatureName: Using the {TempoShortName} with the Amazon S3 storage and STS
include::snippets/technology-preview.adoc[leveloffset=+1]

.Prerequisites

* You have installed the latest version of the AWS CLI.
* If you intend to use the CCO, you have installed and configured the CCO in your cluster.

.Procedure

. Create an AWS S3 bucket.

. Create the following `trust.json` file for the AWS Identity and Access Management (AWS IAM) policy for the purpose of setting up a trust relationship between the AWS IAM role, which you will create in the next step, and the service account of either the `TempoStack` or `TempoMonolithic` instance:
+
.`trust.json`
[source,yaml]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<aws_account_id>:oidc-provider/<oidc_provider>" # <1>
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<oidc_provider>:sub": [
"system:serviceaccount:<openshift_project_for_tempo>:tempo-<tempo_custom_resource_name>" # <2>
"system:serviceaccount:<openshift_project_for_tempo>:tempo-<tempo_custom_resource_name>-query-frontend"
]
}
}
}
]
}
----
<1> The OpenID Connect (OIDC) provider that you have configured on the {product-title}.
<2> The namespace in which you intend to create either a `TempoStack` or `TempoMonolithic` instance. Replace `<tempo_custom_resource_name>` with the `metadata` name that you define in your `TempoStack` or `TempoMonolithic` custom resource.
+
[TIP]
====
You can also get the value for the OIDC provider by running the following command:

[source,terminal]
----
$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g'
----
====

. Create an AWS IAM role by attaching the created `trust.json` policy file. You can do this by running the following command:
+
[source,terminal]
----
$ aws iam create-role \
--role-name "tempo-s3-access" \
--assume-role-policy-document "file:///tmp/trust.json" \
--query Role.Arn \
--output text
----

. Attach an AWS IAM policy to the created AWS IAM role. You can do this by running the following command:
+
[source,terminal]
----
$ aws iam attach-role-policy \
--role-name "tempo-s3-access" \
--policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
----

. If you are not using the CCO, skip this step. If you are using the CCO, configure the cloud provider environment for the {TempoOperator}. You can do this by running the following command:
+
[source,terminal]
----
$ oc patch subscription <tempo_operator_sub> \ # <1>
-n <tempo_operator_namespace> \ # <2>
--type='merge' -p '{"spec": {"config": {"env": [{"name": "ROLEARN", "value": "'"<role_arn>"'"}]}}}' # <3>
----
<1> The name of the {TempoOperator} subscription.
<2> The namespace of the {TempoOperator}.
<3> The AWS STS requires adding the `ROLEARN` environment variable to the {TempoOperator} subcription. As the `<role_arn>` value, add the Amazon Resource Name (ARN) of the AWS IAM role that you created in step 3.

. In the {product-title}, create an object storage secret with keys as follows:
+
[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
name: <secret_name>
stringData:
bucket: <s3_bucket_name>
region: <s3_region>
role_arn: <s3_role_arn>
type: Opaque
----

. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows:
+
.Example `TempoStack` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
secret: # <1>
name: <secret_name>
type: s3
credentialMode: token-cco # <2>
# ...
----
<1> The secret that you created in the previous step.
<2> If you are not using the CCO, omit this line. If you are using the CCO, add this parameter with the `token-cco` value.
+
.Example `TempoMonolithic` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
traces:
backend: s3
s3:
secret: <secret_name> # <1>
credentialMode: token-cco # <2>
# ...
----
<1> The secret that you created in the previous step.
<2> If you are not using the CCO, omit this line. If you are using the CCO, add this parameter with the `token-cco` value.

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
// Module included in the following assemblies:
//
//* observability/distr_tracing/distr-tracing-tempo-installing.adoc

:_mod-docs-content-type: PROCEDURE
[id="setting-up-azure-storage-with-security-token-service_{context}"]
= Setting up the Azure storage with the Security Token Service

You can set up the Azure storage with the Security Token Service (STS) by using the Azure Command Line Interface (Azure CLI).

:FeatureName: Using the {TempoShortName} with the Azure storage and STS
include::snippets/technology-preview.adoc[leveloffset=+1]

.Prerequisites

* You have installed the latest version of the Azure CLI.
* You have created an Azure storage account.
* You have created an Azure blob storage container.
.Procedure

. Create an Azure managed identity by running the following command:
+
[source,terminal]
----
$ az identity create \
--name <identity_name> \ # <1>
--resource-group <resource_group> \ # <2>
--location <region> \ # <3>
--subscription <subscription_id> # <4>
----
<1> The name you have chosen for the managed identity.
<2> The Azure resource group where you want the identity to be created.
<3> The Azure region, which must be the same region as for the resource group.
<4> The Azure subscription ID.

. Create a federated identity credential for the {product-title} service account for use by all components of the {TempoShortName} except the Query Frontend. You can do this by running the following command:
+
[source,terminal]
----
$ az identity federated-credential create \ # <1>
--name <credential_name> \ # <2>
--identity-name <identity_name> \
--resource-group <resource_group> \
--issuer <oidc_provider> \ # <3>
--subject <tempo_service_account_subject> \ # <4>
--audiences <audience> # <5>
----
<1> Federated identity credentials allow {product-title} service accounts to authenticate as an Azure managed identity without storing secrets or using an Azure service principal identity.
<2> The name you have chosen for the federated credential.
<3> The URL of the OpenID Connect (OIDC) provider for your cluster.
<4> The service account subject for your cluster in the following format: `system:serviceaccount:<namespace>:tempo-<tempostack_instance_name>`.
<5> The expected audience, which is to be used for validating the issued tokens for the federated identity credential. This is commonly set to `api://AzureADTokenExchange`.
+
[TIP]
====
You can get the URL of the OpenID Connect (OIDC) issuer for your cluster by running the following command:
----
$ oc get authentication cluster -o json | jq -r .spec.serviceAccountIssuer
----
====
. Create a federated identity credential for the {product-title} service account for use by the Query Frontend component of the {TempoShortName}. You can do this by running the following command:
+
[source,terminal]
----
$ az identity federated-credential create \ # <1>
--name <credential_name>-frontend \ # <2>
--identity-name <identity_name> \
--resource-group <resource_group> \
--issuer <cluster_issuer> \
--subject <tempo_service_account_query_frontend_subject> \ # <3>
--audiences <audience> | jq
----
<1> Federated identity credentials allow {product-title} service accounts to authenticate as an Azure managed identity without storing secrets or using an Azure service principal identity.
<2> The name you have chosen for the frontend federated identity credential.
<3> The service account subject for your cluster in the following format: `system:serviceaccount:<namespace>:tempo-<tempostack_instance_name>`.
. Assign the Storage Blob Data Contributor role to the Azure service principal identity of the created Azure managed identity. You can do this by running the following command:
+
[source,terminal]
----
$ az role assignment create \
--assignee <assignee_name> \ # <1>
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/<subscription_id>
----
<1> The Azure service principal identity of the Azure managed identity that you created in step 1.
+
[TIP]
====
You can get the `<assignee_name>` value by running the following command:
----
$ az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'" | jq -r --arg idName <identity_name> '.[] | select(.displayName == $idName) | .appId'`
----
====
. Fetch the client ID of the Azure managed identity that you created in step 1:
+
[source,bash]
----
CLIENT_ID=$(az identity show \
--name <identity_name> \ # <1>
--resource-group <resource_group> \ # <2>
--query clientId \
-o tsv)
----
<1> Copy and paste the `<identity_name>` value from step 1.
<2> Copy and paste the `<resource_group>` value from step 1.
. Create an {product-title} secret for the Azure workload identity federation (WIF). You can do this by running the following command:
+
[source,terminal]
----
$ oc create -n <tempo_namespace> secret generic azure-secret \
--from-literal=container=<azure_storage_azure_container> \ # <1>
--from-literal=account_name=<azure_storage_azure_accountname> \ # <2>
--from-literal=client_id=<client_id> \ # <3>
--from-literal=audience=<audience> \ # <4>
--from-literal=tenant_id=<tenant_id> # <5>
----
<1> The name of the Azure Blob Storage container.
<2> The name of the Azure Storage account.
<3> The client ID of the managed identity that you fetched in the previous step.
<4> Optional: Defaults to `api://AzureADTokenExchange`.
<5> Azure Tenant ID.
. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows:
+
.Example `TempoStack` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
secret: # <1>
name: <secret_name>
type: azure
# ...
----
<1> The secret that you created in the previous step.
+
.Example `TempoMonolithic` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
traces:
backend: azure
azure:
secret: <secret_name> # <1>
# ...
----
<1> The secret that you created in the previous step.
147 changes: 147 additions & 0 deletions modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
// Module included in the following assemblies:
//
//* observability/distr_tracing/distr-tracing-tempo-installing.adoc

:_mod-docs-content-type: PROCEDURE
[id="setting-up-google-cloud-storage-with-security-token-service_{context}"]
= Setting up the Google Cloud storage with the Security Token Service

You can set up the Google Cloud Storage (GCS) with the Security Token Service (STS) by using the Google Cloud CLI.

:FeatureName: Using the {TempoShortName} with the GCS and STS
include::snippets/technology-preview.adoc[leveloffset=+1]

.Prerequisites

* You have installed the latest version of the Google Cloud CLI.
.Procedure

. Create a GCS bucket on the Google Cloud Platform (GCP).

. Create or reuse a service account with Google's Identity and Access Management (IAM):
+
[source,bash]
----
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create <iam_service_account_name> \ # <1>
--display-name="Tempo Account" \
--project <project_id> \ # <2>
--format='value(email)' \
--quiet)
----
<1> The name of the service account on the GCP.
<2> The project ID of the service account on the GCP.

. Bind the required GCP roles to the created service account at the project level. You can do this by running the following command:
+
[source,terminal]
----
$ gcloud projects add-iam-policy-binding <project_id> \
--member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
--role "roles/storage.objectAdmin"
----

. Retrieve the `POOL_ID` value of the Google Cloud Workload Identity Pool that is associated with the cluster. How you can retrieve this value depends on your environment, so the following command is only an example:
+
[source,terminal]
----
$ OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}') \
&&
POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
----

. Add the IAM policy bindings. You can do this by running the following commands:
+
[source,terminal]
----
$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \ # <1>
--role="roles/iam.workloadIdentityUser" \
--member="principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/subject/system:serviceaccount:<tempo_namespace>:tempo-<tempo_name>" \
--project=<project_id> \
--quiet \
&&
gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
--role="roles/iam.workloadIdentityUser" \
--member="principal://iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/subject/system:serviceaccount:<tempo_namespace>:tempo-<tempo_name>-query-frontend" \
--project=<project_id> \
--quiet
&&
gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
--role="roles/storage.admin" \
--member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
--condition=None
----
<1> The `$SERVICE_ACCOUNT_EMAIL` is the output of the command in step 2.

. Create a credential file for the `key.json` key of the storage secret for use by the `TempoStack` custom resource. You can do this by running the following command:
+
[source,terminal]
----
$ gcloud iam workload-identity-pools create-cred-config \
"projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>" \
--service-account="$SERVICE_ACCOUNT_EMAIL" \
--credential-source-file=/var/run/secrets/storage/serviceaccount/token \ # <1>
--credential-source-type=text \
--output-file=<output_file_path> # <2>
----
<1> The `credential-source-file` parameter must always point to the `/var/run/secrets/storage/serviceaccount/token` path because the Operator mounts the token from this path.
<2> The path for saving the output file.

. Get the correct audience by running the following command:
+
[source,terminal]
----
$ gcloud iam workload-identity-pools providers describe "$PROVIDER_NAME" --format='value(oidc.allowedAudiences[0])'
----

. Create a storage secret for the {TempoShortName} by running the following command.
+
[source,terminal]
----
$ oc -n <tempo_namespace> create secret generic gcs-secret \
--from-literal=bucketname="<bucket_name>" \ # <1>
--from-literal=audience="<audience>" \ # <2>
--from-file=key.json=<output_file_path> # <3>
----
<1> The bucket name of the Google Cloud Storage.
<2> The audience that you got in the previous step.
<3> The credential file that you created in step 6.

. When the object storage secret is created, update the relevant custom resource of the {TempoShortName} instance as follows:
+
.Example `TempoStack` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
secret: # <1>
name: <secret_name>
type: gcs
# ...
----
<1> The secret that you created in the previous step.
+
.Example `TempoMonolithic` custom resource
[source,yaml]
----
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
name: <name>
namespace: <namespace>
spec:
# ...
storage:
traces:
backend: gcs
gcs:
secret: <secret_name> # <1>
# ...
----
<1> The secret that you created in the previous step.
17 changes: 16 additions & 1 deletion observability/distr_tracing/distr-tracing-tempo-installing.adoc
Original file line number Diff line number Diff line change
@@ -36,7 +36,7 @@ include::modules/distr-tracing-tempo-install-cli.adoc[leveloffset=+2]

include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1]

include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2]
include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources
@@ -46,6 +46,21 @@ include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[l
* xref:../../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[Configuring an OpenID Connect identity provider]
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html[Identify AWS resources with Amazon Resource Names (ARNs)] (AWS documentation)

include::modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* link:https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux[Install the Azure CLI on Linux] (Azure documentation)

include::modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* link:https://cloud.google.com/sdk/docs/install[Install the gcloud CLI] (Google Cloud Documentation)
* link:https://cloud.google.com/iam/docs/service-account-overview[Service accounts overview] (Google Cloud Documentation)

include::modules/distr-tracing-tempo-object-storage-setup-ibm-storage.adoc[leveloffset=+2]

[role="_additional-resources"]