From e5ecce19bf93bccf6ee74f8adb62232d3f7f5a5e Mon Sep 17 00:00:00 2001 From: Ruben Vargas Date: Sat, 1 Feb 2025 01:29:04 -0600 Subject: [PATCH] Include insecure option and tls options when STS S3 token is enabled Signed-off-by: Ruben Vargas --- .chloggen/render_tls_options_sts.yaml | 16 +++ internal/manifests/config/build_test.go | 117 ++++++++++++++++++++ internal/manifests/config/tempo-config.yaml | 12 ++ 3 files changed, 145 insertions(+) create mode 100755 .chloggen/render_tls_options_sts.yaml diff --git a/.chloggen/render_tls_options_sts.yaml b/.chloggen/render_tls_options_sts.yaml new file mode 100755 index 000000000..4117a9a4e --- /dev/null +++ b/.chloggen/render_tls_options_sts.yaml @@ -0,0 +1,16 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: bug_fix + +# The name of the component, or a single word describing the area of concern, (e.g. tempostack, tempomonolithic, github action) +component: tempostack + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Include insecure option and tls options when STS S3 token is enabled + +# One or more tracking issues related to the change +issues: [1109] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: diff --git a/internal/manifests/config/build_test.go b/internal/manifests/config/build_test.go index 5ba6166dc..b7cb9d112 100644 --- a/internal/manifests/config/build_test.go +++ b/internal/manifests/config/build_test.go 
@@ -2486,6 +2486,122 @@ storage: s3: bucket: tempo endpoint: "s3.us-east-2.amazonaws.com" + insecure: true + wal: + path: /var/tempo/wal +usage_report: + reporting_enabled: false +query_frontend: + search: + concurrent_jobs: 2000 + max_duration: 0s +` + cfg, err := buildConfiguration(manifestutils.Params{ + Tempo: v1alpha1.TempoStack{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + }, + Spec: v1alpha1.TempoStackSpec{ + Timeout: metav1.Duration{Duration: time.Minute * 3}, + Storage: v1alpha1.ObjectStorageSpec{ + Secret: v1alpha1.ObjectStorageSecretSpec{ + Type: v1alpha1.ObjectStorageSecretS3, + }, + }, + ReplicationFactor: 1, + Retention: v1alpha1.RetentionSpec{ + Global: v1alpha1.RetentionConfig{ + Traces: metav1.Duration{Duration: 48 * time.Hour}, + }, + }, + }, + }, + StorageParams: manifestutils.StorageParams{ + S3: &manifestutils.S3{ + Insecure: true, + ShortLived: &manifestutils.S3ShortLived{ + Bucket: "tempo", + Region: "us-east-2", + }, + }, + }, + TLSProfile: tlsprofile.TLSProfileOptions{ + MinTLSVersion: string(openshiftconfigv1.VersionTLS13), + }, + }) + require.NoError(t, err) + require.YAMLEq(t, expCfg, string(cfg)) +} + +func TestBuildConfiguration_S3_short_livedSecure(t *testing.T) { + expCfg := ` +--- +compactor: + compaction: + block_retention: 48h0m0s + ring: + kvstore: + store: memberlist +distributor: + receivers: + jaeger: + protocols: + thrift_http: + endpoint: 0.0.0.0:14268 + thrift_binary: + endpoint: 0.0.0.0:6832 + thrift_compact: + endpoint: 0.0.0.0:6831 + grpc: + endpoint: 0.0.0.0:14250 + zipkin: + otlp: + protocols: + grpc: + endpoint: "0.0.0.0:4317" + http: + endpoint: "0.0.0.0:4318" + ring: + kvstore: + store: memberlist +ingester: + lifecycler: + ring: + kvstore: + store: memberlist + replication_factor: 1 + tokens_file_path: /var/tempo/tokens.json + max_block_duration: 10m +memberlist: + abort_if_cluster_join_fails: false + join_members: + - tempo-test-gossip-ring +multitenancy_enabled: false +querier: + max_concurrent_queries: 20 
+ search: + external_hedge_requests_at: 8s + external_hedge_requests_up_to: 2 + frontend_worker: + frontend_address: "tempo-test-query-frontend-discovery:9095" +server: + grpc_server_max_recv_msg_size: 4194304 + grpc_server_max_send_msg_size: 4194304 + http_listen_port: 3200 + http_server_read_timeout: 3m0s + http_server_write_timeout: 3m0s + log_format: logfmt +storage: + trace: + backend: s3 + blocklist_poll: 5m + cache: none + local: + path: /var/tempo/traces + s3: + bucket: tempo + endpoint: "s3.us-east-2.amazonaws.com" + insecure: false wal: path: /var/tempo/wal usage_report: @@ -2517,6 +2633,7 @@ query_frontend: }, StorageParams: manifestutils.StorageParams{ S3: &manifestutils.S3{ + Insecure: false, ShortLived: &manifestutils.S3ShortLived{ Bucket: "tempo", Region: "us-east-2", diff --git a/internal/manifests/config/tempo-config.yaml b/internal/manifests/config/tempo-config.yaml index 2f93a63ce..a7471746b 100644 --- a/internal/manifests/config/tempo-config.yaml +++ b/internal/manifests/config/tempo-config.yaml @@ -248,7 +248,19 @@ storage: s3: bucket: {{ .StorageParams.S3.ShortLived.Bucket }} endpoint: s3.{{ .StorageParams.S3.ShortLived.Region }}.amazonaws.com + insecure: {{ .StorageParams.S3.Insecure }} + {{- if .S3StorageTLS.Enabled }} + {{- if .S3StorageTLS.CA }} + tls_ca_path: {{ .S3StorageTLS.CA }} + {{- end }} + {{- if .S3StorageTLS.Certificate }} + tls_cert_path: {{ .S3StorageTLS.Certificate }} + {{- end }} + {{- if and .S3StorageTLS.Key }} + tls_key_path: {{ .S3StorageTLS.Key }} + {{- end }} {{- end }} + {{- end }} local: path: /var/tempo/traces wal:
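Review bot: Neither test in this hunk exercises the new `tls_ca_path`/`tls_cert_path`/`tls_key_path` rendering for the short-lived (STS) branch — both cases leave the S3 TLS options unset and only pin `insecure: true` and `insecure: false`, so a regression in the template's `.S3StorageTLS` block would go unnoticed. A third case that sets the S3 storage TLS parameters alongside `ShortLived` and asserts the three `tls_*` keys appear under `s3:` would close that gap; the existing `TestBuildConfiguration_S3_short_livedSecure` can be duplicated for it, with only the params and the expected `s3:` stanza changed. The first test function in this hunk begins before the hunk, so its name and setup are not visible here.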
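Review bot: `{{- if and .S3StorageTLS.Key }}` applies `and` to a single operand, which is a no-op in Go templates and inconsistent with the sibling `{{- if .S3StorageTLS.CA }}` and `{{- if .S3StorageTLS.Certificate }}` guards; it should read `{{- if .S3StorageTLS.Key }}`. Separately, `insecure: {{ .StorageParams.S3.Insecure }}` is now rendered for the fixed `s3.<region>.amazonaws.com` endpoint, and when it is `true` the TLS paths emitted just below it are meaningless for the same connection — so the two settings can contradict each other in one stanza. If nothing upstream rejects `Insecure: true` together with `ShortLived`, a validation error (or at least a comment in the template, `# insecure: true sends S3 traffic over plain HTTP; the tls_* paths below only apply to HTTPS`) would make the intended precedence explicit; I cannot see from this hunk whether such a check exists elsewhere.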