diff --git a/index.yaml b/index.yaml
index 1d14c13366..317e20601e 100644
--- a/index.yaml
+++ b/index.yaml
@@ -29010,6 +29010,35 @@ entries:
 urls:
 - https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-909e14b9bdb3f47cf75c536d80690d5a05521770.tgz
 version: 0.1.2-909e14b9bdb3f47cf75c536d80690d5a05521770
+ - annotations:
+ application.giantswarm.io/metadata: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/main.yaml
+ application.giantswarm.io/readme: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/README.md
+ application.giantswarm.io/team: atlas
+ application.giantswarm.io/values-schema: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/values.schema.json
+ apiVersion: v2
+ appVersion: 2.2.3
+ created: "2024-11-27T14:20:23.948634079Z"
+ dependencies:
+ - alias: tempo
+ condition: tempo.enabled
+ name: tempo-distributed
+ repository: https://grafana.github.io/helm-charts
+ version: 1.23.0
+ description: Helm chart for Grafana Tempo in microservice mode
+ digest: fe968a3eab2cdf366f6820ac1c80f2967e0f381c827cab57352b2dfdb07290e3
+ home: https://github.com/giantswarm/tempo-app
+ icon: https://s.giantswarm.io/app-icons/grafana-tempo/1/light.svg
+ maintainers:
+ - email: team-atlas@giantswarm.io
+ name: giantswarm/team-atlas
+ name: tempo
+ sources:
+ - https://github.com/giantswarm/tempo-app
+ - https://github.com/grafana/helm-charts/blob/main/charts/tempo-distributed
+ type: application
+ urls:
+ - https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz
+ version: 0.1.2-8727d37316dca88fb6e5d18d4089da2197958125
 - annotations:
 application.giantswarm.io/metadata: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-79124da734de68683ff586a935668d195c62e255.tgz-meta/main.yaml
 application.giantswarm.io/readme: 
https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-79124da734de68683ff586a935668d195c62e255.tgz-meta/README.md
@@ -32044,4 +32073,4 @@ entries:
 urls:
 - https://giantswarm.github.io/giantswarm-test-catalog/zot-0.0.0-0b141fee021e1ccb5c4b25af6b43fe4fc866a0f1.tgz
 version: 0.0.0-0b141fee021e1ccb5c4b25af6b43fe4fc866a0f1
-generated: "2024-11-27T13:42:38.824729183Z"
+generated: "2024-11-27T14:20:23.936267342Z"
diff --git a/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz
new file mode 100644
index 0000000000..b7063c37d4
Binary files /dev/null and b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz differ
diff --git a/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/README.md b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/README.md
new file mode 100644
index 0000000000..76ef74ac2a
--- /dev/null
+++ b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/README.md
@@ -0,0 +1,294 @@ +# Tempo App + +[![CircleCI](https://circleci.com/gh/giantswarm/tempo-app.svg?style=shield)](https://circleci.com/gh/giantswarm/tempo-app) + +Giant Swarm offers Grafana Tempo as a [managed app](https://docs.giantswarm.io/changes/managed-apps/). This chart provides a distributed tempo setup based on this +[upstream chart](https://github.com/grafana/helm-charts/blob/main/charts/tempo-distributed). +It tunes some options from upstream to make the chart easier to deploy. + +This chart is meant to be used with S3 compatible storage only. Access to the S3 +storage must be ensured for the chart to work. +* Check [below](#deploying-on-aws) to see what configuration you need on the AWS side. +* or [below](#deploying-on-azure) to see what configuration you need on the Azure side. + +**Table of Contents:** + +- [Requirements](#requirements) +- [Install](#install) +- [Upgrading](#upgrading) +- [Configuration](#configuration) +- [Limitations](#limitations) +- [Links](#links) +- [Credit](#credits) + +## Requirements + +* You need to ensure that pods deployed can access S3 storage (as explained above). + +## Install + +There are several ways to install this app onto a workload cluster. + +- [Using GitOps to instantiate the App](https://docs.giantswarm.io/advanced/gitops/#installing-managed-apps) +- [Using our web interface](https://docs.giantswarm.io/ui-api/web/app-platform/#installing-an-app). +- By creating an [App resource](https://docs.giantswarm.io/ui-api/management-api/crd/apps.application.giantswarm.io/) in the management cluster as explained in [Getting started with App Platform](https://docs.giantswarm.io/app-platform/getting-started/). + +## Upgrading + +### Upgrading an existing Release to a new major version + +A major chart version change (like v0.5.0 -> v1.0.0) indicates that there is an incompatible breaking change needing manual actions. + +Versions before v1.0.0 are not stable, and can even have breaking changes between "minor" versions. 
(like v0.5.0 -> v0.6.0) + +#### Rollback + +You can rollback to your previous Tempo version, and see your old traces. +However, because of multi-tenancy, seeing traces that were stored with the new version may require some config tweaking. + +## Configuration + +As this application is build upon the Grafana tempo upstream chart as a dependency, most of the values to override can be found [here](https://github.com/grafana/helm-charts/blob/main/charts/tempo-distributed/values.yaml). + +Some samples can be found [here](./sample_configs/) + +### General recommendations + +The number of `replicas` in the [default values file](https://github.com/giantswarm/tempo-app/blob/main/helm/tempo/values.yaml) are generally considered safe. +If you reduce the number of `replicas` below the default recommended values, expect undefined behaviour and problems. + +### Prepare config file + +1. Create app config file +Grab the included [sample config file](https://github.com/giantswarm/tempo-app/blob/main/sample_configs/values-gs-aws.yaml) +or [azure sample config file](https://github.com/giantswarm/tempo-app/blob/main/sample_configs/values-gs-azure.yaml), +read the comments for options and adjust to your needs. To check all available +options, please consult the [full `values.yaml` file](https://github.com/giantswarm/tempo-app/blob/main/helm/tempo/values.yaml). + +#### Multi-tenant setup + +TODO: Not ready yet + +### Deploying on AWS + +The recommended deployment mode is using S3 storage mode. Assuming your cluster +has `IRSA` , `cert-manager` and `external-dns` included, you should be good to use +the instructions below to setup S3 bucket and the necessary permissions in your +AWS account. + +Make sure to create this config for the *cluster* where you are deploying Tempo, and not at installation-level. + +#### Prepare AWS S3 storage. + +Create a new private S3 bucket based in the same region +as your instances. Ex. `gs-tempo-storage`. 
+* consider creating private VPC endpoint for S3 - traffic volume might be + considerable and this might save you some money for the transfer fees, +* it is recommended to use S3 bucket class for frequent access (`S3 standard`), +* create a retention policy for the bucket. +* CLI procedure: +```bash +# prepare environment +export CLUSTER_NAME=zj88t +export REGION=eu-central-1 +export INSTALLATION=gorilla +export BUCKET_NAME=gs-tempo-storage-"$CLUSTER_NAME" # must be globally unique +export AWS_PROFILE=gorilla-atlas # your AWS CLI profile +export TEMPO_POLICY="$BUCKET_NAME"-policy +export TEMPO_ROLE="$BUCKET_NAME"-role + +# create bucket +aws --profile="$AWS_PROFILE" s3 mb s3://"$BUCKET_NAME" --region "$REGION" +``` + +#### Prepare AWS IAM policy. + +Create an IAM Policy in IAM. If you want to use AWS WebUI, copy/paste the contents of `POLICY_DOC` variable. +```bash +# Create policy +POLICY_DOC='{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject" ], + "Resource": [ + "arn:aws:s3:::'"$BUCKET_NAME"'", + "arn:aws:s3:::'"$BUCKET_NAME"'/*" + ] + }, + { + "Sid": "VisualEditor1", + "Effect": "Allow", + "Action": [ + "s3:GetAccessPoint", + "s3:GetAccountPublicAccessBlock", + "s3:ListAccessPoints" + ], + "Resource": "*" + } + ] +}' +aws --profile="$AWS_PROFILE" iam create-policy --policy-name "$TEMPO_POLICY" --policy-document "$POLICY_DOC" +``` + +#### Prepare AWS IAM role + +Giant Swarm uses IRSA (Iam Roles for Service Accounts) to allow pods to access S3 buckets' resources. For more details concerning IRSA, you can refer to the [official documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) as well as to the [giant swarm one](https://docs.giantswarm.io/advanced/iam-roles-for-service-accounts). 
+ +This means that the role's `Trust Relationship` will be different that the one used for KIAM (cf above) : +```bash +PRINCIPAL_ARN="$(aws --profile="$AWS_PROFILE" iam get-role --role-name "$CLUSTER_NAME"-IAMManager-Role | sed -n 's/.*Arn.*"\(arn:.*\)".*/\1/p')" +ROLE_DOC='{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::'$PRINCIPAL_ARN':oidc-provider/irsa.'$CLUSTER_NAME'.k8s.'$INSTALLATION'.'$REGION'.aws.gigantic.io" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "irsa.'$CLUSTER_NAME'.k8s.'$INSTALLATION'.'$REGION'.aws.gigantic.io:sub": "system:serviceaccount:tempo:tempo" + } + } + } + ] +}' +``` + +#### Create role + +Everything is now set to create the role : +```bash +aws --profile="$AWS_PROFILE" iam create-role --role-name "$TEMPO_ROLE" --assume-role-policy-document "$ROLE_DOC" +# Attach the policy to the role +TEMPO_POLICY_ARN="${PRINCIPAL_ARN%:role/*}:policy/$TEMPO_POLICY" +aws --profile="$AWS_PROFILE" iam attach-role-policy --policy-arn "$TEMPO_POLICY_ARN" --role-name "$TEMPO_ROLE" +``` + +* Store the role's arn in a variable for the next step : +```bash +TEMPO_ROLE_ARN="${PRINCIPAL_ARN%:role/*}:role/$TEMPO_ROLE" +``` + +#### Link IAM role to Kubernetes + +Since IRSA is relying on the use of service accounts to grant access rights to the pods, you don't have to manually create the `tempo` namespace as you won't have to annotate it. Instead, you'll have to edit the Chart's values under the `tempo` section with the following : +```bash +serviceAccount: + create: true + name: tempo + annotations: + eks.amazonaws.com/role-arn: "$TEMPO_ROLE_ARN" +``` + +This way, all pods using the `tempo` service account will be able to access to the S3 bucket created earlier. 
+ +#### Install the app + +* Fill in the values from previous step in your config (`values.yaml`) file: + * role annotation for S3 + * cluster ID + * node pool ID + * and your custom setup + +* Install the app using your values. + Don't forget to use the same namespace as you prepared above for the installation. + +### Deploying on Azure + +#### Gather data + +Find the 'Subscription name' (usually named after your installation) name and the 'Resource group' of your cluster (usually named after cluster id) inside your 'Azure subscription' +* list subscriptions: +``` +az account list -otable +export SUBSCRIPTION_NAME="your subscription" +``` +* list resource groups: +``` +az group list --subscription "$SUBSCRIPTION_NAME" -otable +export RESOURCE_GROUP="your resource group" +``` + +#### object storage setup +1. Create 'Storage Account' on Azure ([How-to](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create)) ['Create storage account'](https://portal.azure.com/#create/Microsoft.StorageAccount) + * 'Account kind' should be 'BlobStorage' + * Example with Azure CLI: +``` +# Chose your storage account name +export STORAGE_ACCOUNT_NAME="tempo$RESOURCE_GROUP" +# then create it +az storage account create \ + --subscription "$SUBSCRIPTION_NAME" \ + --name "$STORAGE_ACCOUNT_NAME" \ + --resource-group "$RESOURCE_GROUP" \ + --sku Standard_GRS \ + --encryption-services blob \ + --https-only true \ + --kind BlobStorage \ + --access-tier Hot +``` +(It may be required to set the location using the `--location` flag.) + +2. Create a 'Blob service' 'Container' in your storage account + * Example on how to do it with Powershell in Azure portal: +``` +export CONTAINER_NAME="$STORAGE_ACCOUNT_NAME"container +az storage container create \ + --subscription "$SUBSCRIPTION_NAME" \ + -n "$CONTAINER_NAME" \ + --public-access off \ + --account-name "$STORAGE_ACCOUNT_NAME" +``` + +3. 
Go to the 'Access keys' page of your 'Storage account' + * Use the 'Storage account name' for `azure_storage.account_name` + * Use the name of the 'Blob service' 'Container' for `azure_storage.blob_container_name` + * Use one of the keys for `azure.storage_key` + * With azure CLI +``` +az storage account keys list \ + --subscription "$SUBSCRIPTION_NAME" \ + --account-name "$STORAGE_ACCOUNT_NAME" \ +| jq -r '.[]|select(.keyName=="key1").value' +``` + +#### Install the app + +* Fill in the values from previous step in your config (`values.yaml`) file: + * cluster ID + * node pool ID + * and your custom setup + +* Install the app using your values. + +### Testing your deployment + +// TODO document this + +#### Ingesting data with ... + +// TODO document this + +## Limitations + +The application and its default values have been tailored to work inside Giant Swarm clusters. +If you want to use it for any other scenario, know that you might need to adjust some values. + +## Links + +TODO: Add useful links + +## Credit + +This application is installing the upstream chart below with defaults to ensure it runs smoothly in Giant Swarm clusters. + +* diff --git a/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/main.yaml b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/main.yaml new file mode 100644 index 0000000000..8157faab6b --- /dev/null +++ b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/main.yaml 
@@ -0,0 +1,13 @@
+annotations:
+ application.giantswarm.io/metadata: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/main.yaml
+ application.giantswarm.io/readme: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/README.md
+ application.giantswarm.io/team: atlas
+ application.giantswarm.io/values-schema: https://giantswarm.github.io/giantswarm-test-catalog/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/values.schema.json
+chartApiVersion: v2
+chartFile: tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz
+dateCreated: '2024-11-27T14:20:15.884575Z'
+digest: fe968a3eab2cdf366f6820ac1c80f2967e0f381c827cab57352b2dfdb07290e3
+home: https://github.com/giantswarm/tempo-app
+icon: https://s.giantswarm.io/app-icons/grafana-tempo/1/light.svg
+restrictions:
+ namespaceSingleton: true
diff --git a/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/values.schema.json b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/values.schema.json
new file mode 100644
index 0000000000..8a72caa448
--- /dev/null
+++ b/tempo-0.1.2-8727d37316dca88fb6e5d18d4089da2197958125.tgz-meta/values.schema.json
@@ -0,0 +1,337 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "global": { + "type": "object", + "properties": { + "clusterDomain": { + "type": "string" + }, + "dnsNamespace": { + "type": "string" + }, + "dnsService": { + "type": "string" + }, + "image": { + "type": "object", + "properties": { + "pullSecrets": { + "type": "array" + }, + "registry": { + "type": "string" + } + } + }, + "priorityClassName": { + "type": ["string", "null"] + } + } + }, + "tempo": { + "type": "object", + "properties": { + "distributor": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + } + } + }, + "enabled": { + "type": "boolean" + }, + "gateway": { + "type": "object", + "properties": { + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "enabled": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + } + } + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + } + } + }, + "ingester": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + } + } + }, + "memcached": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "metaMonitoring": { + "type": "object", + "properties": { + "grafanaAgent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + 
"prometheusRule": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "serviceMonitor": { + "type": "object", + "properties": { + "clusterLabel": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + } + } + }, + "metricsGenerator": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + } + } + }, + "querier": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + } + } + }, + "queryFrontend": { + "type": "object", + "properties": { + "affinity": { + "type": "string" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "pspAnnotations": { + "type": "object", + "properties": { + "seccomp.security.alpha.kubernetes.io/allowedProfileNames": { + "type": "string" + } + } + }, + "pspEnabled": { + "type": "boolean" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "imagePullSecrets": { + "type": "array" + }, + "name": { + "type": "string" + } + } + }, + "tempo": { + "type": "object", + "properties": { + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + 
"runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + } + } + }, + "test": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "traces": { + "type": "object", + "properties": { + "otlp": { + "type": "object", + "properties": { + "grpc": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "http": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + } + } + } + } + } + } +}