Configure S3's credential chain based on config (#2889) (#2925)

joe-elliott · mapno · web-flow · commit b2d59f8fbe7a · 2023-09-13T09:05:45.000-04:00
* Configure S3's credential chain based on config * Changelog * Update docs (cherry picked from commit 957f160) Co-authored-by: Mario <mariorvinas@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,47 @@
 * [ENHANCEMENT] Update /api/metrics/summary to correctly handle missing attributes and improve performance of TraceQL `select()` queries. [#2765](https://github.com/grafana/tempo/pull/2765) (@mdisibio)
 * [ENHANCEMENT] Add `TempoUserConfigurableOverridesReloadFailing` alert [#2784](https://github.com/grafana/tempo/pull/2784) (@kvrhdn)
 * [BUGFIX] Fix panic in metrics summary api [#2738](https://github.com/grafana/tempo/pull/2738) (@mdisibio)
+* [BUGFIX] Only search ingester blocks that fall within the request time range. [#2783](https://github.com/grafana/tempo/pull/2783) (@joe-elliott)
+* [BUGFIX] Align tempo_query_frontend_queries_total and tempo_query_frontend_queries_within_slo_total. [#2840](https://github.com/grafana/tempo/pull/2840) (@joe-elliott)
+* [BUGFIX] To support blob storage in Azure Stack Hub as backend. [#2853](https://github.com/grafana/tempo/pull/2853) (@chlislb)
+  This query will now correctly tell you %age of requests that are within SLO:
+  ```
+  sum(rate(tempo_query_frontend_queries_within_slo_total{}[1m])) by (op) 
+  /
+  sum(rate(tempo_query_frontend_queries_total{}[1m])) by (op)
+  ```
+  **BREAKING CHANGE** Removed: tempo_query_frontend_queries_total{op="searchtags|metrics"}. 
+* [BUGFIX] Fix S3 credentials providers configuration [#2889](https://github.com/grafana/tempo/pull/2889) (@mapno)
+* [CHANGE] Overrides module refactor [#2688](https://github.com/grafana/tempo/pull/2688) (@mapno)
+    Added new `defaults` block to the overrides' module. Overrides change to indented syntax.
+    Old config:
+```
+overrides:
+ingestion_rate_strategy: local
+ingestion_rate_limit_bytes: 12345
+ingestion_burst_size_bytes: 67890
+max_search_duration: 17s
+forwarders: ['foo']
+metrics_generator_processors: [service-graphs, span-metrics]
+```
+New config:
+```
+overrides:
+defaults:
+  ingestion:
+    rate_strategy: local
+    rate_limit_bytes: 12345
+    burst_size_bytes: 67890
+  read:
+    max_search_duration: 17s
+  forwarders: ['foo']
+  metrics_generator:
+    processors: [service-graphs, span-metrics]
+```  
+* [BUGFIX] Moved empty root span substitution from `querier` to `query-frontend`. [#2671](https://github.com/grafana/tempo/issues/2671) (@galalen)
+
+# v2.2.2 / 2023-08-30
+
 * [BUGFIX] Fix node role auth IDMSv1 [#2760](https://github.com/grafana/tempo/pull/2760) (@coufalja)
 * [BUGFIX] Only search ingester blocks that fall within the request time range. [#2783](https://github.com/grafana/tempo/pull/2783) (@joe-elliott)
 * [BUGFIX] Fix incorrect metrics for index failures [#2781](https://github.com/grafana/tempo/pull/2781) (@zalegrala)
diff --git a/docs/sources/tempo/configuration/_index.md b/docs/sources/tempo/configuration/_index.md
@@ -790,6 +790,10 @@ storage:
             # See the [S3 documentation on object tagging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) for more detail.
             [tags: <map[string]string>]
 
+            # If enabled, it will use the default authentication methods of
+            # the AWS SDK for go based on known environment variables and known AWS config files.
+            [native_aws_auth_enabled: <boolean> | default = false]
+
         # azure configuration. Will be used only if value of backend is "azure"
         # EXPERIMENTAL
         azure:
diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go
@@ -22,12 +22,13 @@ type Config struct {
 	HedgeRequestsAt   time.Duration  `yaml:"hedge_requests_at"`
 	HedgeRequestsUpTo int            `yaml:"hedge_requests_up_to"`
 	// SignatureV2 configures the object storage to use V2 signing instead of V4
-	SignatureV2      bool              `yaml:"signature_v2"`
-	ForcePathStyle   bool              `yaml:"forcepathstyle"`
-	BucketLookupType int               `yaml:"bucket_lookup_type"`
-	Tags             map[string]string `yaml:"tags"`
-	StorageClass     string            `yaml:"storage_class"`
-	Metadata         map[string]string `yaml:"metadata"`
+	SignatureV2          bool              `yaml:"signature_v2"`
+	ForcePathStyle       bool              `yaml:"forcepathstyle"`
+	BucketLookupType     int               `yaml:"bucket_lookup_type"`
+	Tags                 map[string]string `yaml:"tags"`
+	StorageClass         string            `yaml:"storage_class"`
+	Metadata             map[string]string `yaml:"metadata"`
+	NativeAWSAuthEnabled bool              `yaml:"native_aws_auth_enabled"`
 }
 
 func (c *Config) PathMatches(other *Config) bool {
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
@@ -15,9 +15,9 @@ import (
 	"github.com/cristalhq/hedgedhttp"
 	gkLog "github.com/go-kit/log"
 	"github.com/go-kit/log/level"
-	minio "github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go"
 	"github.com/pkg/errors"
 
 	tempo_io "github.com/grafana/tempo/pkg/io"
@@ -355,25 +355,35 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 		return p
 	}
 
-	creds := credentials.NewChainCredentials([]credentials.Provider{
-		wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
-		wrapCredentialsProvider(&credentials.EnvAWS{}),
-		wrapCredentialsProvider(&credentials.Static{
-			Value: credentials.Value{
-				AccessKeyID:     cfg.AccessKey,
-				SecretAccessKey: cfg.SecretKey.String(),
-				SessionToken:    cfg.SessionToken.String(),
-			},
-		}),
-		wrapCredentialsProvider(&credentials.EnvMinio{}),
-		wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
-		wrapCredentialsProvider(&credentials.FileMinioClient{}),
-		wrapCredentialsProvider(&credentials.IAM{
-			Client: &http.Client{
-				Transport: http.DefaultTransport,
-			},
-		}),
-	})
+	var chain []credentials.Provider
+
+	if cfg.NativeAWSAuthEnabled {
+		chain = []credentials.Provider{
+			wrapCredentialsProvider(NewAWSSDKAuth(cfg.Region)),
+		}
+	} else if cfg.AccessKey != "" {
+		chain = []credentials.Provider{
+			wrapCredentialsProvider(&credentials.Static{
+				Value: credentials.Value{
+					AccessKeyID:     cfg.AccessKey,
+					SecretAccessKey: cfg.SecretKey.String(),
+					SessionToken:    cfg.SessionToken.String(),
+				},
+			}),
+		}
+	} else {
+		chain = []credentials.Provider{
+			wrapCredentialsProvider(&credentials.EnvAWS{}),
+			wrapCredentialsProvider(&credentials.EnvMinio{}),
+			wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+			wrapCredentialsProvider(&credentials.FileMinioClient{}),
+			wrapCredentialsProvider(&credentials.IAM{
+				Client: &http.Client{
+					Transport: http.DefaultTransport,
+				},
+			}),
+		}
+	}
 
 	customTransport, err := minio.DefaultTransport(!cfg.Insecure)
 	if err != nil {
@@ -404,7 +414,7 @@ func createCore(cfg *Config, hedge bool) (*minio.Core, error) {
 	opts := &minio.Options{
 		Region:    cfg.Region,
 		Secure:    !cfg.Insecure,
-		Creds:     creds,
+		Creds:     credentials.NewChainCredentials(chain),
 		Transport: transport,
 	}
 
