From 078c53e645cf561dcb465721609d52056b6403d0 Mon Sep 17 00:00:00 2001
From: Farid Mammadov
Date: Fri, 1 Nov 2024 14:10:41 +0400
Subject: [PATCH 1/3] add option to skip s3 certificate verification
---
 CHANGELOG.md | 1 +
 cmd/tempo-cli/main.go | 10 +++++++---
 docs/sources/tempo/operations/tempo_cli.md | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a9b8bbb742b..425d1d03345 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,7 @@
 * [ENHANCEMENT] Add disk caching in ingester SearchTagValuesV2 for completed blocks [#4069](https://github.com/grafana/tempo/pull/4069) (@electron0zero)
 * [ENHANCEMENT] Add a max flush attempts and metric to the metrics generator [#4254](https://github.com/grafana/tempo/pull/4254) (@joe-elliott)
 * [ENHANCEMENT] Collection of query-frontend changes to reduce allocs. [#4242]https://github.com/grafana/tempo/pull/4242 (@joe-elliott)
+* [ENHANCEMENT] Added `insecure-skip-verify` option in tempo-cli to skip SSL certificate validation when connecting to the S3 backend. [#44236](https://github.com/grafana/tempo/pull/4259) (@faridtmammadov)
 * [BUGFIX] Replace hedged requests roundtrips total with a counter. [#4063](https://github.com/grafana/tempo/pull/4063) [#4078](https://github.com/grafana/tempo/pull/4078) (@galalen)
 * [BUGFIX] Metrics generators: Correctly drop from the ring before stopping ingestion to reduce drops during a rollout. [#4101](https://github.com/grafana/tempo/pull/4101) (@joe-elliott)
 * [BUGFIX] Correctly handle 400 Bad Request and 404 Not Found in gRPC streaming [#4144](https://github.com/grafana/tempo/pull/4144) (@mapno)
diff --git a/cmd/tempo-cli/main.go b/cmd/tempo-cli/main.go
index 3d046e79dd5..586a2ce2cec 100644
--- a/cmd/tempo-cli/main.go
+++ b/cmd/tempo-cli/main.go
@@ -30,9 +30,10 @@ type backendOptions struct { Backend string `help:"backend to connect to (s3/gcs/local/azure), optional, overrides backend in config file" enum:",s3,gcs,local,azure" default:""` Bucket string `help:"bucket (or path on local backend) to scan, optional, overrides bucket in config file"` - S3Endpoint string `name:"s3-endpoint" help:"s3 endpoint (s3.dualstack.us-east-2.amazonaws.com), optional, overrides endpoint in config file"` - S3User string `name:"s3-user" help:"s3 username, optional, overrides username in config file"` - S3Pass string `name:"s3-pass" help:"s3 password, optional, overrides password in config file"` + S3Endpoint string `name:"s3-endpoint" help:"s3 endpoint (s3.dualstack.us-east-2.amazonaws.com), optional, overrides endpoint in config file"` + S3User string `name:"s3-user" help:"s3 username, optional, overrides username in config file"` + S3Pass string `name:"s3-pass" help:"s3 password, optional, overrides password in config file"` + InsecureSkipVerify bool `name:"insecure-skip-verify" help:"skip TLS verification, only applies to S3 and GCS" default:"false"` } var cli struct { @@ -131,6 +132,9 @@ func loadBackend(b *backendOptions, g *globalOptions) (backend.Reader, backend.W cfg.StorageConfig.Trace.Azure.ContainerName = b.Bucket } + cfg.StorageConfig.Trace.S3.InsecureSkipVerify = b.InsecureSkipVerify + cfg.StorageConfig.Trace.GCS.Insecure = b.InsecureSkipVerify + if b.S3Endpoint != "" { cfg.StorageConfig.Trace.S3.Endpoint = b.S3Endpoint } diff --git a/docs/sources/tempo/operations/tempo_cli.md b/docs/sources/tempo/operations/tempo_cli.md index 695583d0715..fc810b3ba26 100644 --- a/docs/sources/tempo/operations/tempo_cli.md +++ b/docs/sources/tempo/operations/tempo_cli.md 
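Review bot: The help string on the new `InsecureSkipVerify` field ("skip TLS verification, only applies to S3 and GCS") understates what the flag does: TLS stays on and only the server certificate check is dropped, which leaves the storage connection open to interception. The same flag is also copied into `GCS.Insecure` in the next hunk of this file, and what that field controls is not visible in this patch; if it affects more than certificate checking (authentication, for instance), the flag name and help text would under-describe it, so that should be confirmed against the GCS backend config. I would reword the tag to something like `help:"disable server certificate verification for the S3 and GCS backends; connection can be intercepted, use only against trusted test endpoints"` and carry the same wording into tempo_cli.md.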
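Review bot: The two assignments added to `loadBackend` are unconditional, so the config-file values of `S3.InsecureSkipVerify` and `GCS.Insecure` are replaced by the flag even when the flag was not passed, unlike the guarded override right below them (`if b.S3Endpoint != ""`). With the default of false this fails closed, but it silently changes behaviour for a config file that enables the setting and breaks the "optional, overrides ... in config file" contract the other options follow. Guarding with `if b.InsecureSkipVerify {` and setting both fields to `true` inside would keep the config-file value otherwise. That branch is also the natural place for a one-line notice such as `fmt.Fprintln(os.Stderr, "warning: certificate verification disabled for storage backend")`, so a run with verification off is visible in the operator's terminal and logs. `loadBackend` starts and ends outside this hunk, so how `cfg` is populated before this point is inferred from the option help strings.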
@@ -53,6 +53,7 @@ The backend can be configured in a few ways: * `--s3-endpoint ` The S3 API endpoint (i.e. s3.dualstack.us-east-2.amazonaws.com). * `--s3-user `, `--s3-password ` The S3 user name and password (or access key and secret key). Optional, as Tempo CLI supports the same authentication mechanisms as Tempo. See [S3 permissions documentation]({{< relref "../configuration/hosted-storage/s3" >}}) for more information. + * `--insecure-skip-verify` skip TLS verification, only applies to S3 and GCS. Each option applies only to the command in which it is used. For example, `--backend ` does not permanently change where Tempo stores data. It only changes it for command in which you apply the option. From 96b2708114f057f51e0db8cfbfd7ce88b3616d3d Mon Sep 17 00:00:00 2001 From: Farid Mammadov Date: Fri, 1 Nov 2024 14:11:45 +0400 Subject: [PATCH 2/3] use S3User and S3Pass parameters in tempo-cli --- CHANGELOG.md | 1 + cmd/tempo-cli/main.go | 9 +++++++++ docs/sources/tempo/operations/tempo_cli.md | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 425d1d03345..0807efbbfb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,7 @@ * [BUGFIX] Fix counter samples being downsampled by backdate to the previous minute the initial sample when the series is new [#44236](https://github.com/grafana/tempo/pull/4236) (@javiermolinar) * [BUGFIX] Skip computing exemplars for instant queries. [#4204](https://github.com/grafana/tempo/pull/4204) (@javiermolinar) * [BUGFIX] Gave context to orphaned spans related to various maintenance processes. [#4260](https://github.com/grafana/tempo/pull/4260) (@joe-elliott) +* [BUGFIX] Utilize S3Pass and S3User parameters in tempo-cli options, which were previously unused in the code. [#44236](https://github.com/grafana/tempo/pull/4259) (@faridtmammadov) # v2.6.1 diff --git a/cmd/tempo-cli/main.go b/cmd/tempo-cli/main.go index 586a2ce2cec..255c107cbce 100644 --- a/cmd/tempo-cli/main.go 
+++ b/cmd/tempo-cli/main.go @@ -3,6 +3,7 @@ package main import ( "flag" "fmt" + "github.com/grafana/dskit/flagext" "os" "github.com/alecthomas/kong" @@ -135,6 +136,14 @@ func loadBackend(b *backendOptions, g *globalOptions) (backend.Reader, backend.W cfg.StorageConfig.Trace.S3.InsecureSkipVerify = b.InsecureSkipVerify cfg.StorageConfig.Trace.GCS.Insecure = b.InsecureSkipVerify + if b.S3User != "" { + cfg.StorageConfig.Trace.S3.AccessKey = b.S3User + } + + if b.S3Pass != "" { + cfg.StorageConfig.Trace.S3.SecretKey = flagext.SecretWithValue(b.S3Pass) + } + if b.S3Endpoint != "" { cfg.StorageConfig.Trace.S3.Endpoint = b.S3Endpoint } diff --git a/docs/sources/tempo/operations/tempo_cli.md b/docs/sources/tempo/operations/tempo_cli.md index fc810b3ba26..60d56e6221b 100644 --- a/docs/sources/tempo/operations/tempo_cli.md +++ b/docs/sources/tempo/operations/tempo_cli.md @@ -51,7 +51,7 @@ The backend can be configured in a few ways: * `--backend ` The storage backend type, one of `s3`, `gcs`, `azure`, and `local`. * `--bucket ` The bucket name. The meaning of this value is backend-specific. Refer to [Configuration]({{< relref "../configuration" >}}) documentation for more information. * `--s3-endpoint ` The S3 API endpoint (i.e. s3.dualstack.us-east-2.amazonaws.com). - * `--s3-user `, `--s3-password ` The S3 user name and password (or access key and secret key). + * `--s3-user `, `--s3-pass ` The S3 user name and password (or access key and secret key). Optional, as Tempo CLI supports the same authentication mechanisms as Tempo. See [S3 permissions documentation]({{< relref "../configuration/hosted-storage/s3" >}}) for more information. * `--insecure-skip-verify` skip TLS verification, only applies to S3 and GCS. From 60e19d29a8844335c9cd0afd1d9f04c913a5fad5 Mon Sep 17 00:00:00 2001 From: Joe Elliott Date: Fri, 1 Nov 2024 14:57:12 -0400 Subject: [PATCH 3/3] lint Signed-off-by: Joe Elliott --- cmd/tempo-cli/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
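Review bot: The `b.S3Pass` branch added to `loadBackend` makes `--s3-pass` effective for the first time, so the S3 secret key is now taken from argv, where it is visible in process listings and shell history; `flagext.SecretWithValue` wraps the value only after parsing and does not change that exposure. A comment above the branch, e.g. `// NOTE: secret arrives via the command line; prefer the config file or ambient credentials outside ad-hoc use`, plus a matching sentence in tempo_cli.md would make the trade-off explicit. If an environment source is wanted, kong's `env:"PLACEHOLDER_ENV_NAME"` tag on the `S3Pass` field (declared in the struct outside this hunk) provides one without touching this code. The two independent `if` blocks also accept only one half of the credential pair, mixing a CLI access key with a config-file secret or the reverse, so it may be worth rejecting that combination with an explicit error. `loadBackend` begins and ends outside the hunk.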
diff --git a/cmd/tempo-cli/main.go b/cmd/tempo-cli/main.go index 255c107cbce..0a8e8105096 100644 --- a/cmd/tempo-cli/main.go +++ b/cmd/tempo-cli/main.go @@ -3,9 +3,10 @@ package main import ( "flag" "fmt" - "github.com/grafana/dskit/flagext" "os" + "github.com/grafana/dskit/flagext" + "github.com/alecthomas/kong" "gopkg.in/yaml.v2"