From 82763ed9c55982f4d4373be8acda9b58ade066a2 Mon Sep 17 00:00:00 2001 From: Ruben Vargas Date: Wed, 5 Feb 2025 17:02:25 -0600 Subject: [PATCH] OBSDOCS-1676: Tempo-OTel Multitenancy documentation improvements Signed-off-by: Ruben Vargas --- ...str-tracing-tempo-config-multitenancy.adoc | 179 ------------------ ...istr-tracing-tempo-config-spanmetrics.adoc | 82 ++++---- ...empo-install-gateway-read-permissions.adoc | 80 ++++++++ ...mpo-install-gateway-write-permissions.adoc | 131 +++++++++++++ ...ing-tempo-install-tempomonolithic-cli.adoc | 4 + ...o-install-tempomonolithic-web-console.adoc | 4 + ...-tracing-tempo-install-tempostack-cli.adoc | 36 +--- ...-tempo-install-tempostack-web-console.adoc | 33 +--- modules/distr-tracing-tempo-storage-ref.adoc | 5 + modules/otel-forwarding-traces.adoc | 4 +- .../distr-tracing-architecture.adoc | 2 +- .../distr-tracing-jaeger-installing.adoc | 2 +- .../distr-tracing-jaeger-removing.adoc | 2 +- .../distr-tracing-jaeger-updating.adoc | 2 +- .../distr-tracing-tempo-configuring.adoc | 10 +- .../distr-tracing-tempo-installing.adoc | 111 +++++++---- .../distr-tracing-tempo-removing.adoc | 4 +- .../distr-tracing-tempo-updating.adoc | 2 +- .../otel-collector-connectors.adoc | 4 +- .../otel-collector-exporters.adoc | 4 +- .../otel-collector-extensions.adoc | 4 +- .../otel-collector-processors.adoc | 4 +- .../otel-collector-receivers.adoc | 4 +- ...figuring-metrics-for-monitoring-stack.adoc | 3 +- observability/otel/otel-installing.adoc | 2 +- observability/otel/otel-removing.adoc | 2 +- observability/otel/otel-updating.adoc | 2 +- ...tempo-tempomonolithic-custom-resource.adoc | 59 +++--- ...cing-tempo-tempostack-custom-resource.adoc | 65 ++++--- 29 files changed, 454 insertions(+), 392 deletions(-) delete mode 100644 modules/distr-tracing-tempo-config-multitenancy.adoc create mode 100644 modules/distr-tracing-tempo-install-gateway-read-permissions.adoc create mode 100644 modules/distr-tracing-tempo-install-gateway-write-permissions.adoc diff --git a/modules/distr-tracing-tempo-config-multitenancy.adoc b/modules/distr-tracing-tempo-config-multitenancy.adoc deleted file mode 100644 index c1fd7c3d7d39..000000000000 --- a/modules/distr-tracing-tempo-config-multitenancy.adoc +++ /dev/null @@ -1,179 +0,0 @@ -// Module included in the following assemblies: -// -// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc - -:_mod-docs-content-type: REFERENCE -[id="distr-tracing-tempo-config-multitenancy_{context}"] -= Multitenancy - -Multitenancy with authentication and authorization is provided in the Tempo Gateway service. -The authentication uses OpenShift OAuth and the Kubernetes `TokenReview` API. The authorization uses the Kubernetes `SubjectAccessReview` API. - -[NOTE] -==== -The Tempo Gateway service supports ingestion of traces only via the OTLP/gRPC. The OTLP/HTTP is not supported. -==== - -.Sample Tempo CR with two tenants, `dev` and `prod` -[source,yaml] ----- -apiVersion: tempo.grafana.com/v1alpha1 -kind: TempoStack -metadata: - name: simplest - namespace: chainsaw-multitenancy -spec: - storage: - secret: - name: minio - type: s3 - storageSize: 1Gi - resources: - total: - limits: - memory: 2Gi - cpu: 2000m - tenants: - mode: openshift # <1> - authentication: # <2> - - tenantName: dev # <3> - tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa" # <4> - - tenantName: prod - tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" - template: - gateway: - enabled: true # <5> - queryFrontend: - jaegerQuery: - enabled: true ----- - -<1> Must be set to `openshift`. -<2> The list of tenants. -<3> The tenant name. Must be provided in the `X-Scope-OrgId` header when ingesting the data. -<4> A unique tenant ID. -<5> Enables a gateway that performs authentication and authorization. The Jaeger UI is exposed at `http:///api/traces/v1//search`. - -The authorization configuration uses the `ClusterRole` and `ClusterRoleBinding` of the Kubernetes Role-Based Access Control (RBAC). By default, no users have read or write permissions. - -.Sample of the read RBAC configuration that allows authenticated users to read the trace data of the `dev` and `prod` tenants -[source,yaml] ----- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tempostack-traces-reader -rules: - - apiGroups: - - 'tempo.grafana.com' - resources: # <1> - - dev - - prod - resourceNames: - - traces - verbs: - - 'get' # <2> ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tempostack-traces-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tempostack-traces-reader -subjects: - - kind: Group - apiGroup: rbac.authorization.k8s.io - name: system:authenticated # <3> ----- - -<1> Lists the tenants. -<2> The `get` value enables the read operation. -<3> Grants all authenticated users the read permissions for trace data. - -.Sample of the write RBAC configuration that allows the `otel-collector` service account to write the trace data for the `dev` tenant -[source,yaml] ----- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: otel-collector # <1> - namespace: otel ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tempostack-traces-write -rules: - - apiGroups: - - 'tempo.grafana.com' - resources: # <2> - - dev - resourceNames: - - traces - verbs: - - 'create' # <3> ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tempostack-traces -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tempostack-traces-write -subjects: - - kind: ServiceAccount - name: otel-collector - namespace: otel ----- -<1> The service account name for the client to use when exporting trace data. The client must send the service account token, `/var/run/secrets/kubernetes.io/serviceaccount/token`, as the bearer token header. -<2> Lists the tenants. -<3> The `create` value enables the write operation. - -Trace data can be sent to the Tempo instance from the OpenTelemetry Collector that uses the service account with RBAC for writing the data. - -.Sample OpenTelemetry CR configuration -[source,yaml] ----- -apiVersion: opentelemetry.io/v1alpha1 -kind: OpenTelemetryCollector -metadata: - name: cluster-collector - namespace: tracing-system -spec: - mode: deployment - serviceAccount: otel-collector - config: | - extensions: - bearertokenauth: - filename: "/var/run/secrets/kubernetes.io/serviceaccount/token" - exporters: - otlp/dev: # <1> - endpoint: tempo-simplest-gateway.tempo.svc.cluster.local:8090 - tls: - insecure: false - ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - auth: - authenticator: bearertokenauth - headers: - X-Scope-OrgID: "dev" - otlphttp/dev: # <2> - endpoint: https://tempo-simplest-gateway.chainsaw-multitenancy.svc.cluster.local:8080/api/traces/v1/dev - tls: - insecure: false - ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - auth: - authenticator: bearertokenauth - headers: - X-Scope-OrgID: "dev" - service: - extensions: [bearertokenauth] - pipelines: - traces: - exporters: [otlp/dev] # <3> ----- -<1> OTLP gRPC Exporter. -<2> OTLP HTTP Exporter. -<3> You can specify `otlp/dev` for the OTLP gRPC Exporter or `otlphttp/dev` for the OTLP HTTP Exporter. diff --git a/modules/distr-tracing-tempo-config-spanmetrics.adoc b/modules/distr-tracing-tempo-config-spanmetrics.adoc index 0ef9d37058f5..dc9624cf03bd 100644 --- a/modules/distr-tracing-tempo-config-spanmetrics.adoc +++ b/modules/distr-tracing-tempo-config-spanmetrics.adoc @@ -2,27 +2,25 @@ // // * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc -:_mod-docs-content-type: REFERENCE +:_mod-docs-content-type: PROCEDURE [id="distr-tracing-tempo-config-spanmetrics_{context}"] -= Configuration of the monitor tab in Jaeger UI += Configuring the Monitor tab in Jaeger UI -Trace data contains rich information, and the data is normalized across instrumented languages and frameworks. -Therefore, request rate, error, and duration (RED) metrics can be extracted from traces. -The metrics can be visualized in Jaeger console in the *Monitor* tab. +You can have the request rate, error, and duration (RED) metrics extracted from traces and visualized through the Jaeger Console in the *Monitor* tab of the {product-title} web console. The metrics are derived from spans in the OpenTelemetry Collector that are scraped from the Collector by Prometheus, which you can deploy in your user-workload monitoring stack. The Jaeger UI queries these metrics from the Prometheus endpoint and visualizes them. -The metrics are derived from spans in the OpenTelemetry Collector that are scraped from the Collector by the Prometheus deployed in the user-workload monitoring stack. -The Jaeger UI queries these metrics from the Prometheus endpoint and visualizes them. +.Prerequisites -[id="distr-tracing-tempo-config-spanmetrics_opentelemetry-collector-configuration_{context}"] -== OpenTelemetry Collector configuration +* You have configured the permissions and tenants for the {TempoShortName}. For more information, see "Configuring the permissions and tenants". -The OpenTelemetry Collector requires configuration of the `spanmetrics` connector that derives metrics from traces and exports the metrics in the Prometheus format. +.Procedure -.OpenTelemetry Collector custom resource for span RED +. In the `OpenTelemetryCollector` custom resource of the OpenTelemetry Collector, enable the Spanmetrics Connector (`spanmetrics`), which derives metrics from traces and exports the metrics in the Prometheus format. ++ +.Example `OpenTelemetryCollector` custom resource for span RED [source,yaml] ---- +apiVersion: opentelemetry.io/v1beta1 kind: OpenTelemetryCollector -apiVersion: opentelemetry.io/v1alpha1 metadata: name: otel spec: @@ -46,35 +44,46 @@ spec: endpoint: 0.0.0.0:8889 add_metric_suffixes: false resource_to_telemetry_conversion: - enabled: true # by default resource attributes are dropped + enabled: true # <5> otlp: - endpoint: "tempo-simplest-distributor:4317" + auth: + authenticator: bearertokenauth + endpoint: tempo-redmetrics-gateway.mynamespace.svc.cluster.local:8090 + headers: + X-Scope-OrgID: dev tls: - insecure: true + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + insecure: false + + extensions: + bearertokenauth: + filename: /var/run/secrets/kubernetes.io/serviceaccount/token service: + extensions: + - bearertokenauth pipelines: traces: receivers: [otlp] - exporters: [otlp, spanmetrics] # <5> + exporters: [otlp, spanmetrics] # <6> metrics: - receivers: [spanmetrics] # <6> + receivers: [spanmetrics] # <7> exporters: [prometheus] + +# ... ---- <1> Creates the `ServiceMonitor` custom resource to enable scraping of the Prometheus exporter. <2> The Spanmetrics connector receives traces and exports metrics. <3> The OTLP receiver to receive spans in the OpenTelemetry protocol. <4> The Prometheus exporter is used to export metrics in the Prometheus format. -<5> The Spanmetrics connector is configured as exporter in traces pipeline. -<6> The Spanmetrics connector is configured as receiver in metrics pipeline. - -[id="distr-tracing-tempo-config-spanmetrics_tempo-configuration_{context}"] -== Tempo configuration - -The `TempoStack` custom resource must specify the following: the *Monitor* tab is enabled, and the Prometheus endpoint is set to the Thanos querier service to query the data from the user-defined monitoring stack. +<5> The resource attributes are dropped by default. +<6> The Spanmetrics connector is configured as exporter in traces pipeline. +<7> The Spanmetrics connector is configured as receiver in metrics pipeline. -.TempoStack custom resource with the enabled Monitor tab +. In the `TempoStack` custom resource, enable the *Monitor* tab and set the Prometheus endpoint to the Thanos querier service to query the data from your user-defined monitoring stack. ++ +.Example `TempoStack` custom resource with the enabled Monitor tab [source,yaml] ---- apiVersion: tempo.grafana.com/v1alpha1 @@ -87,28 +96,29 @@ spec: name: minio-test type: s3 storageSize: 1Gi + tenants: + mode: openshift + authentication: + - tenantName: dev + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa" template: gateway: - enabled: false + enabled: true queryFrontend: jaegerQuery: - enabled: true monitorTab: enabled: true # <1> prometheusEndpoint: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092 # <2> redMetricsNamespace: "" <3> - ingress: - type: route + +# ... ---- <1> Enables the monitoring tab in the Jaeger console. <2> The service name for Thanos Querier from user-workload monitoring. <3> Optional: The metrics namespace on which the Jaeger query retrieves the Prometheus metrics. Include this line only if you are using an OpenTelemetry Collector version earlier than 0.109.0. If you are using an OpenTelemetry Collector version 0.109.0 or later, omit this line. -[id="distr-tracing-tempo-config-spanmetrics_span-red-metrics-and-alerting-rules_{context}"] -== Span RED metrics and alerting rules - -The metrics generated by the `spanmetrics` connector are usable with alerting rules. For example, for alerts about a slow service or to define service level objectives (SLOs), the connector creates a `duration_bucket` histogram and the `calls` counter metric. These metrics have labels that identify the service, API name, operation type, and other attributes. - +. Optional: Use the span RED metrics generated by the `spanmetrics` connector with alerting rules. For example, for alerts about a slow service or to define service level objectives (SLOs), the connector creates a `duration_bucket` histogram and the `calls` counter metric. These metrics have labels that identify the service, API name, operation type, and other attributes. ++ .Labels of the metrics created in the `spanmetrics` connector [options="header"] [cols="a, a, a"] @@ -135,8 +145,8 @@ The metrics generated by the `spanmetrics` connector are usable with alerting ru * `SPAN_KIND_INTERNAL` |=== - -.Example `PrometheusRule` CR that defines an alerting rule for SLO when not serving 95% of requests within 2000ms on the front-end service ++ +.Example `PrometheusRule` custom resource that defines an alerting rule for SLO when not serving 95% of requests within 2000ms on the front-end service [source,yaml] ---- apiVersion: monitoring.coreos.com/v1 diff --git a/modules/distr-tracing-tempo-install-gateway-read-permissions.adoc b/modules/distr-tracing-tempo-install-gateway-read-permissions.adoc new file mode 100644 index 000000000000..cda3591332fe --- /dev/null +++ b/modules/distr-tracing-tempo-install-gateway-read-permissions.adoc @@ -0,0 +1,80 @@ +// Module included in the following assemblies: +// +// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc + +:_mod-docs-content-type: PROCEDURE +[id="distr-tracing-tempo-install-gateway-read-permissions_{context}"] += Configuring the read permissions for tenants + +You can configure the read permissions for tenants from the *Administrator* view of the web console or from the command line. + +.Prerequisites + +* You are logged in to the {product-title} web console as a cluster administrator with the `cluster-admin` role. +* For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role. + +.Procedure + +. Define the tenants by adding the `tenantName` and `tenantId` parameters with your values of choice to the `TempoStack` custom resource (CR): ++ +.Tenant example in a `TempoStack` CR +[source,yaml] +---- +apiVersion: tempo.grafana.com/v1alpha1 +kind: TempoStack +metadata: + name: redmetrics +spec: +# ... + tenants: + mode: openshift + authentication: + - tenantName: dev # <1> + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa" # <2> +# ... +---- +<1> A `tenantName` value of the user's choice. +<2> A `tenantId` value of the user's choice. + +. Add the tenants to a cluster role with the read (`get`) permissions to read traces. ++ +.Example RBAC configuration in a `ClusterRole` resource +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tempostack-traces-reader +rules: + - apiGroups: + - 'tempo.grafana.com' + resources: # <1> + - dev + - prod + resourceNames: + - traces + verbs: + - 'get' # <2> +---- +<1> Lists the tenants, `dev` and `prod` in this example, which are defined by using the `tenantName` parameter in the previous step. +<2> Enables the read operation for the listed tenants. + +. Grant authenticated users the read permissions for trace data by defining a cluster role binding for the cluster role from the previous step. ++ +.Example RBAC configuration in a `ClusterRoleBinding` resource +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tempostack-traces-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tempostack-traces-reader +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: system:authenticated # <1> +---- +<1> Grants all authenticated users the read permissions for trace data. diff --git a/modules/distr-tracing-tempo-install-gateway-write-permissions.adoc b/modules/distr-tracing-tempo-install-gateway-write-permissions.adoc new file mode 100644 index 000000000000..33a26843b8fa --- /dev/null +++ b/modules/distr-tracing-tempo-install-gateway-write-permissions.adoc @@ -0,0 +1,131 @@ +// Module included in the following assemblies: +// +// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc + +:_mod-docs-content-type: PROCEDURE +[id="distr-tracing-tempo-install-gateway-write-permissions_{context}"] += Configuring the write permissions for tenants + +You can configure the write permissions for tenants from the *Administrator* view of the web console or from the command line. + +.Prerequisites + +* You are logged in to the {product-title} web console as a cluster administrator with the `cluster-admin` role. + +* For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role. + +* You have installed the OpenTelemetry Collector and configured it to use an authorized service account with permissions. For more information, see "Creating the required RBAC resources automatically" in the {OTELName} documentation. + +.Procedure + +. Create a service account for use with OpenTelemetry Collector. ++ +[source,yaml] +---- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: otel-collector + namespace: +---- + +. Add the tenants to a cluster role with the write (`create`) permissions to write traces. ++ +.Example RBAC configuration in a `ClusterRole` resource +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tempostack-traces-write +rules: + - apiGroups: + - 'tempo.grafana.com' + resources: # <1> + - dev + resourceNames: + - traces + verbs: + - 'create' # <2> +---- +<1> Lists the tenants. +<2> Enables the write operation. + +. Grant the OpenTelemetry Collector the write permissions by defining a cluster role binding to attach the OpenTelemetry Collector service account. ++ +.Example RBAC configuration in a `ClusterRoleBinding` resource +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tempostack-traces +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tempostack-traces-write +subjects: + - kind: ServiceAccount + name: otel-collector # <1> + namespace: otel +---- +<1> The service account that you created in a previous step. The client uses it when exporting trace data. + +. Configure the `OpenTelemetryCollector` custom resource as follows: + + ** Add the `bearertokenauth` extension and a valid token to the tracing pipeline service. + + ** Add the tenant name in the `otlp/otlphttp` exporters as the `X-Scope-OrgID` headers. + + ** Enable TLS with a valid certificate authority file. ++ +.Sample OpenTelemetry CR configuration +[source,yaml] +---- +apiVersion: opentelemetry.io/v1beta1 +kind: OpenTelemetryCollector +metadata: + name: cluster-collector + namespace: +spec: + mode: deployment + serviceAccount: otel-collector # <1> + config: | + extensions: + bearertokenauth: # <2> + filename: "/var/run/secrets/kubernetes.io/serviceaccount/token" <3> + exporters: + otlp/dev: # <4> + endpoint: sample-gateway.tempo.svc.cluster.local:8090 + tls: + insecure: false + ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" # <5> + auth: + authenticator: bearertokenauth + headers: + X-Scope-OrgID: "dev" # <6> + otlphttp/dev: # <7> + endpoint: https://sample-gateway..svc.cluster.local:8080/api/traces/v1/dev + tls: + insecure: false + ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" + auth: + authenticator: bearertokenauth + headers: + X-Scope-OrgID: "dev" + service: + extensions: [bearertokenauth] + pipelines: + traces: + exporters: [otlp/dev] # <8> + +# ... +---- +<1> Service account configured with write permissions. +<2> Bearer Token extension to use service account token. +<3> The service account token. The client sends the token to the tracing pipeline service as the bearer token header. +<4> Specify either the OTLP gRPC Exporter (`otlp/dev`) or the OTLP HTTP Exporter (`otlphttp/dev`). +<5> Enabled TLS with a valid service CA file. +<6> Header with tenant name. +<7> Specify either the OTLP gRPC Exporter (`otlp/dev`) or the OTLP HTTP Exporter (`otlphttp/dev`). +<8> The exporter you specified in `exporters` section of the CR. diff --git a/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc b/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc index 34b27da6424d..306db2b658da 100644 --- a/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc +++ b/modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc @@ -27,6 +27,8 @@ $ oc login --username= ---- ==== +* You have defined one or more tenants and configured the read and write permissions. For more information, see "Configuring the read permissions for tenants" and "Configuring the write permissions for tenants". + .Procedure . Run the following command to create a project of your choice for the TempoMonolithic instance that you will create in a subsequent step: @@ -73,7 +75,9 @@ You can create multiple TempoMonolithic instances in separate projects on the sa .. Customize the `TempoMonolithic` custom resource (CR). + +-- include::snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc[] +-- .. Apply the customized CR by running the following command: + diff --git a/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc b/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc index 6542e4037a28..5055d47b94b2 100644 --- a/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc +++ b/modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc @@ -17,6 +17,8 @@ You can install a TempoMonolithic instance from the *Administrator* view of the * For {product-dedicated}, you must be logged in using an account with the `dedicated-admin` role. +* You have defined one or more tenants and configured the read and write permissions. For more information, see "Configuring the read permissions for tenants" and "Configuring the write permissions for tenants". + .Procedure . Go to *Home* -> *Projects* -> *Create Project* to create a project of your choice for the *TempoMonolithic* instance that you will create in a subsequent step. @@ -49,7 +51,9 @@ You can create multiple *TempoMonolithic* instances in separate projects on the .. In the *YAML view*, customize the `TempoMonolithic` custom resource (CR). + +-- include::snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc[] +-- .. Select *Create*. diff --git a/modules/distr-tracing-tempo-install-tempostack-cli.adoc b/modules/distr-tracing-tempo-install-tempostack-cli.adoc index 3994a99cc633..0118b76c6c3a 100644 --- a/modules/distr-tracing-tempo-install-tempostack-cli.adoc +++ b/modules/distr-tracing-tempo-install-tempostack-cli.adoc @@ -31,6 +31,8 @@ $ oc login --username= Object storage is required and not included with the {TempoShortName}. You must choose and set up object storage by a supported provider before installing the {TempoShortName}. ==== +* You have defined one or more tenants and configured the read and write permissions. For more information, see "Configuring the read permissions for tenants" and "Configuring the write permissions for tenants". + .Procedure . Run the following command to create a project of your choice for the TempoStack instance that you will create in a subsequent step: @@ -66,43 +68,12 @@ include::snippets/distr-tracing-tempo-secret-example.adoc[] ==== You can create multiple TempoStack instances in separate projects on the same cluster. ==== -+ + .. Customize the `TempoStack` custom resource (CR): + -- include::snippets/distr-tracing-tempo-tempostack-custom-resource.adoc[] -- -+ -.Example of a `TempoStack` CR for AWS S3 and MinIO storage -[source,yaml] ----- -apiVersion: tempo.grafana.com/v1alpha1 -kind: TempoStack -metadata: - name: simplest - namespace: -spec: - storageSize: 1Gi - storage: # <1> - secret: - name: minio-test - type: s3 - resources: - total: - limits: - memory: 2Gi - cpu: 2000m - template: - queryFrontend: - jaegerQuery: # <2> - enabled: true - ingress: - route: - termination: edge - type: route ----- -<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 2. -<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI. .. Apply the customized CR by running the following command: + @@ -113,7 +84,6 @@ $ oc apply -f - << EOF EOF ---- - .Verification . Verify that the `status` of all TempoStack `components` is `Running` and the `conditions` are `type: Ready` by running the following command: diff --git a/modules/distr-tracing-tempo-install-tempostack-web-console.adoc b/modules/distr-tracing-tempo-install-tempostack-web-console.adoc index 6e7e3f2b42cf..47a84836cf42 100644 --- a/modules/distr-tracing-tempo-install-tempostack-web-console.adoc +++ b/modules/distr-tracing-tempo-install-tempostack-web-console.adoc @@ -21,6 +21,8 @@ You can install a TempoStack instance from the *Administrator* view of the web c Object storage is required and not included with the {TempoShortName}. You must choose and set up object storage by a supported provider before installing the {TempoShortName}. ==== +* You have defined one or more tenants and configured the read and write permissions. For more information, see "Configuring the read permissions for tenants" and "Configuring the write permissions for tenants". + .Procedure . Go to *Home* -> *Projects* -> *Create Project* to create a project of your choice for the TempoStack instance that you will create in a subsequent step. @@ -47,37 +49,6 @@ You can create multiple TempoStack instances in separate projects on the same cl -- include::snippets/distr-tracing-tempo-tempostack-custom-resource.adoc[] -- -+ -.Example of a `TempoStack` CR for AWS S3 and MinIO storage -[source,yaml] ----- -apiVersion: tempo.grafana.com/v1alpha1 -kind: TempoStack -metadata: - name: simplest - namespace: -spec: - storageSize: 1Gi - storage: # <1> - secret: - name: minio-test - type: s3 - resources: - total: - limits: - memory: 2Gi - cpu: 2000m - template: - queryFrontend: - jaegerQuery: # <2> - enabled: true - ingress: - route: - termination: edge - type: route ----- -<1> In this example, the object storage was set up as one of the prerequisites, and the object storage secret was created in step 2. -<2> The stack deployed in this example is configured to receive Jaeger Thrift over HTTP and OpenTelemetry Protocol (OTLP), which permits visualizing the data with the Jaeger UI. .. Select *Create*. diff --git a/modules/distr-tracing-tempo-storage-ref.adoc b/modules/distr-tracing-tempo-storage-ref.adoc index 595c23232259..a7f33bd726ad 100644 --- a/modules/distr-tracing-tempo-storage-ref.adoc +++ b/modules/distr-tracing-tempo-storage-ref.adoc @@ -8,6 +8,11 @@ You can use the following configuration parameters when setting up a supported object storage. +[IMPORTANT] +==== +Using object storage requires setting up a supported object store and creating a secret for the object store credentials before deploying a `TempoStack` or `TempoMonolithic` instance. +==== + -- include::snippets/distr-tracing-tempo-required-secret-parameters.adoc[] -- diff --git a/modules/otel-forwarding-traces.adoc b/modules/otel-forwarding-traces.adoc index 170136c91852..924150ca9dd4 100644 --- a/modules/otel-forwarding-traces.adoc +++ b/modules/otel-forwarding-traces.adoc @@ -149,5 +149,5 @@ spec: [role="_additional-resources"] .Additional resources -* link:https://opentelemetry.io/docs/collector/[OpenTelemetry Collector documentation] -* link:https://github.com/os-observability/redhat-rhosdt-samples[Deployment examples on GitHub] +* link:https://opentelemetry.io/docs/collector/[OpenTelemetry Collector] (OpenTelemetry Documentation) +* link:https://github.com/os-observability/redhat-rhosdt-samples[Deployment examples on GitHub] (GitHub) diff --git a/observability/distr_tracing/distr_tracing_arch/distr-tracing-architecture.adoc b/observability/distr_tracing/distr_tracing_arch/distr-tracing-architecture.adoc index c76867b73994..debad7e41e15 100644 --- a/observability/distr_tracing/distr_tracing_arch/distr-tracing-architecture.adoc +++ b/observability/distr_tracing/distr_tracing_arch/distr-tracing-architecture.adoc @@ -24,7 +24,7 @@ include::modules/distr-tracing-features.adoc[leveloffset=+1] include::modules/distr-tracing-architecture.adoc[leveloffset=+1] [role="_additional-resources"] -[id="additional-resources_distributed-tracing-architecture"] +[id="additional-resources_{context}"] == Additional resources // xreffing to the installation page until further notice because OTEL content is currently planned for internal restructuring across pages that is likely to result in renamed page files diff --git a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-installing.adoc b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-installing.adoc index 5a71245a0117..85771bd3fb0b 100644 --- a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-installing.adoc +++ b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-installing.adoc @@ -14,7 +14,7 @@ You can install {DTProductName} on {product-title} in either of two ways: * If you do not want to install a service mesh, you can use the {DTProductName} Operators to install {DTShortName} by itself. To install {DTProductName} without a service mesh, use the following instructions. -[id="prerequisites"] +[id="prerequisites_{context}"] == Prerequisites Before you can install {DTProductName}, review the installation activities, and ensure that you meet the prerequisites: diff --git a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-removing.adoc b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-removing.adoc index 4a3d1f7d4a69..7aa43e266347 100644 --- a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-removing.adoc +++ b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-removing.adoc @@ -19,7 +19,7 @@ include::modules/distr-tracing-removing-instance.adoc[leveloffset=+1] include::modules/distr-tracing-removing-instance-cli.adoc[leveloffset=+1] -[id="removing-distributed-tracing-operators"] +[id="removing-distributed-tracing-operators_{context}"] == Removing the {DTProductName} Operators .Procedure diff --git a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-updating.adoc b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-updating.adoc index 8be9f5a069d8..bb8693b2acfb 100644 --- a/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-updating.adoc +++ b/observability/distr_tracing/distr_tracing_jaeger/distr-tracing-jaeger-updating.adoc @@ -19,7 +19,7 @@ If you have not already updated your {es-op} as described in xref:../../../obser ==== [role="_additional-resources"] -[id="additional-resources_dist-tracing-jaeger-updating"] +[id="additional-resources_{context}"] == Additional resources * xref:../../../operators/understanding/olm/olm-understanding-olm.adoc#olm-understanding-olm[Operator Lifecycle Manager concepts and resources] diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc index 85ffc53b57c3..9ee00f7655a1 100644 --- a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc +++ b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc @@ -19,8 +19,8 @@ include::modules/distr-tracing-tempo-config-default.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../../../observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc#installing-a-tempostack-instance[Installing a TempoStack instance] -* xref:../../../observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc#installing-a-tempomonolithic-instance[Installing a TempoMonolithic instance] +* xref:../../../observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc#dist-tracing-tempo-installing[Installing a TempoStack instance] +* xref:../../../observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc#dist-tracing-tempo-installing[Installing a TempoMonolithic instance] include::modules/distr-tracing-tempo-config-query-frontend.adoc[leveloffset=+1] @@ -30,6 +30,10 @@ include::modules/distr-tracing-tempo-config-query-frontend.adoc[leveloffset=+1] include::modules/distr-tracing-tempo-config-spanmetrics.adoc[leveloffset=+1] +[role="_additional-resources"] +.Additional resources +* xref:../../../observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc#dist-tracing-tempo-installing[Configuring the permissions and tenants] + [id="config-receiver-tls_{context}"] == Configuring the receiver TLS @@ -51,8 +55,6 @@ include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.ado * xref:../../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates] * xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] -include::modules/distr-tracing-tempo-config-multitenancy.adoc[leveloffset=+1] - [id="taints-and-tolerations_{context}"] == Using taints and tolerations diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc index 7c87e7731734..80a9ea235878 100644 --- a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc +++ b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc @@ -6,17 +6,21 @@ include::_attributes/common-attributes.adoc[] toc::[] -Installing the {TempoShortName} requires the {TempoOperator} and choosing which type of deployment is best for your use case: +Installing the {TempoShortName} involves the following steps: -* For microservices mode, deploy a TempoStack instance in a dedicated OpenShift project. -* For monolithic mode, deploy a TempoMonolithic instance in a dedicated OpenShift project. +. Installing the {TempoOperator}. -[IMPORTANT] -==== -Using object storage requires setting up a supported object store and creating a secret for the object store credentials before deploying a TempoStack or TempoMonolithic instance. -==== +. Setting up a supported object store and creating a secret for the object store credentials. + +. Configuring the permissions and tenants. + +. Depending on your use case, installing your choice of deployment: -[id="installing-the-tempo-operator"] +** Microservices-mode `TempoStack` instance + +** Monolithic-mode `TempoMonolithic` instance + +[id="installing-the-tempo-operator_{context}"] == Installing the {TempoOperator} You can install the {TempoOperator} by using the web console or the command line. @@ -25,22 +29,81 @@ include::modules/distr-tracing-tempo-install-web-console.adoc[leveloffset=+2] include::modules/distr-tracing-tempo-install-cli.adoc[leveloffset=+2] -[id="installing-a-tempostack-instance"] +include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1] + +include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* link:https://docs.aws.amazon.com/iam/[AWS Identity and Access Management Documentation] (AWS documentation) +* link:https://docs.aws.amazon.com/cli/[AWS Command Line Interface Documentation] (AWS documentation) +* xref:../../../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[Configuring an OpenID Connect identity provider] +* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html[Identify AWS resources with Amazon Resource Names (ARNs)] (AWS documentation) + +include::modules/distr-tracing-tempo-object-storage-setup-ibm-storage.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../../cli_reference/openshift_cli/getting-started-cli.adoc#cli-getting-started[Getting started with the OpenShift CLI] +* link:https://cloud.ibm.com/docs/cli?topic=cli-getting-started[Getting started with the {ibm-cloud-title} CLI] ({ibm-cloud-title} Docs) +* link:https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-provision[Choosing a plan and creating an instance] ({ibm-cloud-title} Docs) +* link:https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage&q=credential&tags=cloud-object-storage&offset=10#getting-started[Getting started with {ibm-cloud-title} Object Storage: Before you begin] ({ibm-cloud-title} Docs) + +[id="configuring-permissions-and-tenants_{context}"] +== Configuring the permissions and tenants + +Before installing a `TempoStack` or `TempoMonolithic` instance, you must define one or more tenants and configure their read and write access. You can configure such an authorization setup by using a cluster role and cluster role binding for the Kubernetes Role-Based Access Control (RBAC). By default, no users are granted read or write permissions. For more information, see "Configuring the read permissions for tenants" and "Configuring the write permissions for tenants". + +[NOTE] +==== +The OpenTelemetry Collector of the {OTELName} can send trace data to a `TempoStack` or `TempoMonolithic` instance by using the service account with RBAC for writing the data. +==== + +.Authentication and authorization +|=== +| Component | Tempo Gateway service | OpenShift OAuth | `TokenReview` API | `SubjectAccessReview` API + +|Authentication +|X +|X +|X +| + +|Authorization +|X +| +| +|X + +|=== + +include::modules/distr-tracing-tempo-install-gateway-read-permissions.adoc[leveloffset=+2] + +include::modules/distr-tracing-tempo-install-gateway-write-permissions.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../../observability/otel/otel-installing.adoc#install-otel[Creating the required RBAC resources automatically] + +[id="installing-a-tempostack-instance_{context}"] == Installing a TempoStack instance -You can install a TempoStack instance by using the web console or the command line. +You can install a TempoStack instance by using the web console or command line. include::modules/distr-tracing-tempo-install-tempostack-web-console.adoc[leveloffset=+2] include::modules/distr-tracing-tempo-install-tempostack-cli.adoc[leveloffset=+2] -[id="installing-a-tempomonolithic-instance"] +[id="installing-a-tempomonolithic-instance_{context}"] == Installing a TempoMonolithic instance :FeatureName: The TempoMonolithic instance include::snippets/technology-preview.adoc[] -You can install a TempoMonolithic instance by using the web console or the command line. +You can install a TempoMonolithic instance by using the web console or command line. The `TempoMonolithic` custom resource (CR) creates a Tempo deployment in monolithic mode. All components of the Tempo deployment, such as the compactor, distributor, ingester, querier, and query frontend, are contained in a single container. @@ -59,30 +122,8 @@ include::modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc[le include::modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc[leveloffset=+2] -include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1] - -include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources - -* link:https://docs.aws.amazon.com/iam/[AWS Identity and Access Management Documentation] -* link:https://docs.aws.amazon.com/cli/[AWS Command Line Interface Documentation] -* xref:../../../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[Configuring an OpenID Connect identity provider] -* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html[Identify AWS resources with Amazon Resource Names (ARNs)] - -include::modules/distr-tracing-tempo-object-storage-setup-ibm-storage.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources - -* xref:../../../cli_reference/openshift_cli/getting-started-cli.adoc#cli-getting-started[Getting started with the OpenShift CLI] -* link:https://cloud.ibm.com/docs/cli?topic=cli-getting-started[Getting started with the {ibm-cloud-title} CLI] ({ibm-cloud-title} Docs) -* link:https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-provision[Choosing a plan and creating an instance] ({ibm-cloud-title} Docs) -* link:https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-getting-started-cloud-object-storage&q=credential&tags=cloud-object-storage&offset=10#getting-started[Getting started with {ibm-cloud-title} Object Storage: Before you begin] ({ibm-cloud-title} Docs) - [role="_additional-resources"] -[id="additional-resources_dist-tracing-tempo-installing"] +[id="additional-resources_{context}"] == Additional resources * xref:../../../post_installation_configuration/preparing-for-users.adoc#creating-cluster-admin_post-install-preparing-for-users[Creating a cluster admin] * link:https://operatorhub.io/[OperatorHub.io] diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-removing.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-removing.adoc index 26ea86d27263..e53d2afb90bf 100644 --- a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-removing.adoc +++ b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-removing.adoc @@ -17,8 +17,8 @@ include::modules/distr-tracing-tempo-remove-web-console.adoc[leveloffset=+1] include::modules/distr-tracing-tempo-remove-cli.adoc[leveloffset=+1] [role="_additional-resources"] -[id="additional-resources_dist-tracing-tempo-removing"] +[id="additional-resources_{context}"] == Additional resources * xref:../../../operators/admin/olm-deleting-operators-from-cluster.adoc#olm-deleting-operators-from-a-cluster[Deleting Operators from a cluster] -* xref:../../../cli_reference/openshift_cli/getting-started-cli.adoc#getting-started-cli[Getting started with the OpenShift CLI] \ No newline at end of file +* xref:../../../cli_reference/openshift_cli/getting-started-cli.adoc#getting-started-cli[Getting started with the OpenShift CLI] diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-updating.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-updating.adoc index 9c0d2e6949be..3e29748ec757 100644 --- a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-updating.adoc +++ b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-updating.adoc @@ -12,7 +12,7 @@ The OLM runs in the {product-title} by default. The OLM queries for available Op When the {TempoOperator} is upgraded to the new version, it scans for running TempoStack instances that it manages and upgrades them to the version corresponding to the Operator's new version. [role="_additional-resources"] -[id="additional-resources_dist-tracing-tempo-updating"] +[id="additional-resources_{context}"] == Additional resources * xref:../../../operators/understanding/olm/olm-understanding-olm.adoc#olm-understanding-olm[Operator Lifecycle Manager concepts and resources] diff --git a/observability/otel/otel-collector/otel-collector-connectors.adoc b/observability/otel/otel-collector/otel-collector-connectors.adoc index 0a97550e81ea..178dbd5b4d37 100644 --- a/observability/otel/otel-collector/otel-collector-connectors.adoc +++ b/observability/otel/otel-collector/otel-collector-connectors.adoc @@ -226,6 +226,6 @@ The Spanmetrics Connector aggregates Request, Error, and Duration (R.E.D) OpenTe <1> Defines the flush interval of the generated metrics. Defaults to `15s`. [role="_additional-resources"] -[id="additional-resources_otel-collector-connectors_{context}"] +[id="additional-resources_{context}"] == Additional resources -* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP) documentation] +* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP)] (OpenTelemetry Documentation) diff --git a/observability/otel/otel-collector/otel-collector-exporters.adoc b/observability/otel/otel-collector/otel-collector-exporters.adoc index 5fe546f00d09..3c916bfdc292 100644 --- a/observability/otel/otel-collector/otel-collector-exporters.adoc +++ b/observability/otel/otel-collector/otel-collector-exporters.adoc @@ -485,6 +485,6 @@ include::snippets/technology-preview.adoc[] <9> The time interval between flushes. A value without a unit is set in nanoseconds. This setting is ignored when file rotation is enabled through the `rotation` settings. [role="_additional-resources"] -[id="additional-resources_otel-collector-exporters_{context}"] +[id="additional-resources_{context}"] == Additional resources -* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP) documentation] +* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP)] (OpenTelemetry Documentation) diff --git a/observability/otel/otel-collector/otel-collector-extensions.adoc b/observability/otel/otel-collector/otel-collector-extensions.adoc index f079e5d31bdc..ac022de81527 100644 --- a/observability/otel/otel-collector/otel-collector-extensions.adoc +++ b/observability/otel/otel-collector/otel-collector-extensions.adoc @@ -448,6 +448,6 @@ The Collector provides the following zPages for diagnostics: *TraceZ*:: Shows spans categorized by latency. Available time ranges include 0 µs, 10 µs, 100 µs, 1 ms, 10 ms, 100 ms, 1 s, 10 s, 1 m. This page also allows for quick inspection of error samples. An example of this page's URL is `http://localhost:55679/debug/tracez`. [role="_additional-resources"] -[id="additional-resources_otel-collector-extensions_{context}"] +[id="additional-resources_{context}"] == Additional resources -* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP) documentation] +* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP)] (OpenTelemetry Documentation) diff --git a/observability/otel/otel-collector/otel-collector-processors.adoc b/observability/otel/otel-collector/otel-collector-processors.adoc index f04484344986..cdc2c1fcb25a 100644 --- a/observability/otel/otel-collector/otel-collector-processors.adoc +++ b/observability/otel/otel-collector/otel-collector-processors.adoc @@ -575,6 +575,6 @@ config: |=== [role="_additional-resources"] -[id="additional-resources_otel-collector-processors_{context}"] +[id="additional-resources_{context}"] == Additional resources -* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP) documentation] +* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP)] (OpenTelemetry Documentation) diff --git a/observability/otel/otel-collector/otel-collector-receivers.adoc b/observability/otel/otel-collector/otel-collector-receivers.adoc index b3d04a9395a6..eab4b7a0515e 100644 --- a/observability/otel/otel-collector/otel-collector-receivers.adoc +++ b/observability/otel/otel-collector/otel-collector-receivers.adoc @@ -859,6 +859,6 @@ rules: <2> The list of namespaces to collect events from. The default value is empty, which means that all namespaces are collected. [role="_additional-resources"] -[id="additional-resources_otel-collector-receivers_{context}"] +[id="additional-resources_{context}"] == Additional resources -* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP) documentation] +* link:https://opentelemetry.io/docs/specs/otlp/[OpenTelemetry Protocol (OTLP)] (OpenTelemetry Documentation) diff --git a/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc b/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc index a92af420e5b0..9fe947cd7df9 100644 --- a/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc +++ b/observability/otel/otel-configuring-metrics-for-monitoring-stack.adoc @@ -15,7 +15,8 @@ As a cluster administrator, you can configure the OpenTelemetry Collector custom include::modules/otel-config-send-metrics-monitoring-stack.adoc[leveloffset=+1] include::modules/otel-config-receive-metrics-monitoring-stack.adoc[leveloffset=+1] -[id="additional-resources_otel-configuring-metrics-for-monitoring-stack"] +[role="_additional-resources"] +[id="additional-resources_{context}"] == Additional resources * xref:../../observability/monitoring/accessing-metrics/accessing-monitoring-apis-by-using-the-cli.adoc#monitoring-querying-metrics-by-using-the-federation-endpoint-for-prometheus_accessing-monitoring-apis-by-using-the-cli[Querying metrics by using the federation endpoint for Prometheus] diff --git a/observability/otel/otel-installing.adoc b/observability/otel/otel-installing.adoc index 3a3bacef4730..71d67bf540a1 100644 --- a/observability/otel/otel-installing.adoc +++ b/observability/otel/otel-installing.adoc @@ -24,7 +24,7 @@ To schedule the OpenTelemetry pods on dedicated nodes, see link:https://access.r include::modules/otel-creating-required-RBAC-resources-automatically.adoc[leveloffset=+1] [role="_additional-resources"] -[id="additional-resources_otel-installing_{context}"] +[id="additional-resources_{context}"] == Additional resources * xref:../../post_installation_configuration/preparing-for-users.adoc#creating-cluster-admin_post-install-preparing-for-users[Creating a cluster admin] * link:https://operatorhub.io/[OperatorHub.io] diff --git a/observability/otel/otel-removing.adoc b/observability/otel/otel-removing.adoc index 4e65d491363f..bc775701bac9 100644 --- a/observability/otel/otel-removing.adoc +++ b/observability/otel/otel-removing.adoc @@ -17,7 +17,7 @@ include::modules/otel-remove-web-console.adoc[leveloffset=+1] include::modules/otel-remove-cli.adoc[leveloffset=+1] [role="_additional-resources"] -[id="additional-resources_dist-tracing-otel-removing"] +[id="additional-resources_{context}"] == Additional resources * xref:../../operators/admin/olm-deleting-operators-from-cluster.adoc#olm-deleting-operators-from-a-cluster[Deleting Operators from a cluster] diff --git a/observability/otel/otel-updating.adoc b/observability/otel/otel-updating.adoc index d161b2ccec27..7e884fc13d71 100644 --- a/observability/otel/otel-updating.adoc +++ b/observability/otel/otel-updating.adoc @@ -13,7 +13,7 @@ The OLM runs in the {product-title} by default. The OLM queries for available Op When the {OTELOperator} is upgraded to the new version, it scans for running OpenTelemetry Collector instances that it manages and upgrades them to the version corresponding to the Operator's new version. [role="_additional-resources"] -[id="additional-resources_dist-tracing-otel-updating"] +[id="additional-resources_{context}"] == Additional resources * xref:../../operators/understanding/olm/olm-understanding-olm.adoc#olm-understanding-olm[Operator Lifecycle Manager concepts and resources] diff --git a/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc b/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc index 391c23391921..35754b401691 100644 --- a/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc +++ b/snippets/distr-tracing-tempo-tempomonolithic-custom-resource.adoc @@ -3,41 +3,54 @@ // // * modules/distr-tracing-tempo-install-tempomonolithic-web-console.adoc // * modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc -The following `TempoMonolithic` CR creates a TempoMonolithic deployment with trace ingestion over OTLP/gRPC and OTLP/HTTP, storing traces in a supported type of storage and exposing Jaeger UI via a route: -+ +.Example `TempoMonolithic` CR [source,yaml] ---- apiVersion: tempo.grafana.com/v1alpha1 -kind: TempoMonolithic +kind: TempoMonolithic # <1> metadata: name: - namespace: + namespace: # <2> spec: - storage: + storage: # <3> traces: - backend: # <1> - size: Gi # <2> - s3: # <3> - secret: # <4> - tls: # <5> + backend: # <4> + size: Gi # <5> + s3: # <6> + secret: # <7> + tls: # <8> enabled: true - caName: # <6> + caName: # <9> jaegerui: - enabled: true # <7> + enabled: true # <10> route: - enabled: true # <8> - resources: # <9> + enabled: true # <11> + resources: # <12> total: limits: memory: Gi cpu: m + multitenancy: + enabled: true + mode: openshift + authentication: # <13> + - tenantName: dev # <14> + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa" # <15> + - tenantName: prod + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" ---- -<1> Type of storage for storing traces: in-memory storage, a persistent volume, or object storage. The value for a persistent volume is `pv`. The accepted values for object storage are `s3`, `gcs`, or `azure`, depending on the used object store type. The default value is `memory` for the `tmpfs` in-memory storage, which is only appropriate for development, testing, demonstrations, and proof-of-concept environments because the data does not persist when the pod is shut down. -<2> Memory size: For in-memory storage, this means the size of the `tmpfs` volume, where the default is `2Gi`. For a persistent volume, this means the size of the persistent volume claim, where the default is `10Gi`. For object storage, this means the size of the persistent volume claim for the Tempo WAL, where the default is `10Gi`. -<3> Optional: For object storage, the type of object storage. The accepted values are `s3`, `gcs`, and `azure`, depending on the used object store type. -<4> Optional: For object storage, the value of the `name` in the `metadata` of the storage secret. The storage secret must be in the same namespace as the TempoMonolithic instance and contain the fields specified in "Table 1. Required secret parameters" in the section "Object storage setup". -<5> Optional. -<6> Optional: Name of a `ConfigMap` object that contains a CA certificate. -<7> Enables the Jaeger UI. -<8> Enables creation of a route for the Jaeger UI. -<9> Optional. +<1> This CR creates a TempoMonolithic deployment with trace ingestion in the OTLP protocol. +<2> The namespace that you have chosen for the TempoMonolithic deployment. +<3> Specifies the storage for storing traces. +<4> Type of storage for storing traces: in-memory storage, a persistent volume, or object storage. The value for a persistent volume is `pv`. The accepted values for object storage are `s3`, `gcs`, or `azure`, depending on the used object store type. The default value is `memory` for the `tmpfs` in-memory storage, which is only appropriate for development, testing, demonstrations, and proof-of-concept environments because the data does not persist when the pod is shut down. +<5> Memory size: For in-memory storage, this means the size of the `tmpfs` volume, where the default is `2Gi`. For a persistent volume, this means the size of the persistent volume claim, where the default is `10Gi`. For object storage, this means the size of the persistent volume claim for the Tempo Write-Ahead Logging (WAL), where the default is `10Gi`. +<6> Optional: For object storage, the type of object storage. The accepted values are `s3`, `gcs`, and `azure`, depending on the used object store type. +<7> Optional: For object storage, the value of the `name` in the `metadata` of the storage secret. The storage secret must be in the same namespace as the TempoMonolithic instance and contain the fields specified in "Table 1. Required secret parameters" in the section "Object storage setup". +<8> Optional. +<9> Optional: Name of a `ConfigMap` object that contains a CA certificate. +<10> Exposes the Jaeger UI, which visualizes the data, via a route. +<11> Enables creation of a route for the Jaeger UI. +<12> Optional. +<13> Lists the tenants. +<14> The tenant name from the `X-Scope-OrgId` header when ingesting the data. +<15> The unique identifier of the tenant. Must be unique throughout the lifecycle of the TempoMonolithic deployment. This ID will be added as a prefix to the objects in the object storage. You can reuse the value of the UUID or `tempoName` field. diff --git a/snippets/distr-tracing-tempo-tempostack-custom-resource.adoc b/snippets/distr-tracing-tempo-tempostack-custom-resource.adoc index 365ecf195a5c..a51b232e082e 100644 --- a/snippets/distr-tracing-tempo-tempostack-custom-resource.adoc +++ b/snippets/distr-tracing-tempo-tempostack-custom-resource.adoc @@ -4,40 +4,49 @@ // * modules/distr-tracing-tempo-install-tempostack-web-console.adoc // * modules/distr-tracing-tempo-install-tempostack-cli.adoc +.Example `TempoStack` CR for AWS S3 and MinIO storage and two tenants [source,yaml] ---- apiVersion: tempo.grafana.com/v1alpha1 -kind: TempoStack +kind: TempoStack # <1> metadata: - name: sample - namespace: + name: simplest + namespace: # <2> spec: - storageSize: Gi # <1> - storage: - secret: # <2> - name: # <3> - type: # <4> - tls: # <5> - enabled: true - caName: # <6> + storage: # <3> + secret: # <4> + name: # <5> + type: # <6> + storageSize: Gi # <7> + resources: + total: + limits: + memory: 2Gi + cpu: 2000m + tenants: + mode: openshift # <8> + authentication: # <9> + - tenantName: dev # <10> + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa" # <11> + - tenantName: prod + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" template: + gateway: + enabled: true # <12> queryFrontend: jaegerQuery: - enabled: true - ingress: - route: - termination: edge - type: route - resources: # <7> - total: - limits: - memory: Gi - cpu: m + enabled: true # <13> ---- -<1> Size of the persistent volume claim for the Tempo WAL. The default is `10Gi`. -<2> Secret you created in step 2 for the object storage that had been set up as one of the prerequisites. -<3> Value of the `name` in the `metadata` of the secret. -<4> Accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or {odf-full}. -<5> Optional. -<6> Optional: Name of a `ConfigMap` object that contains a CA certificate. -<7> Optional. +<1> This CR creates a TempoStack deployment, which is configured to receive Jaeger Thrift over the HTTP and OpenTelemetry Protocol (OTLP).` +<2> The namespace that you have chosen for the TempoStack deployment. +<3> Specifies the storage for storing traces. +<4> The secret you created in step 2 for the object storage that had been set up as one of the prerequisites. +<5> The value of the `name` field in the `metadata` section of the secret. For example: `minio`. +<6> The accepted values are `azure` for Azure Blob Storage; `gcs` for Google Cloud Storage; and `s3` for Amazon S3, MinIO, or {odf-full}. For example: `s3`. +<7> The size of the persistent volume claim for the Tempo Write-Ahead Logging (WAL). The default is `10Gi`. For example: `1Gi`. +<8> The value must be `openshift`. +<9> The list of tenants. +<10> The tenant name, which is to be provided in the `X-Scope-OrgId` header when ingesting the data. +<11> The unique identifier of the tenant. Must be unique throughout the lifecycle of the TempoStack deployment. The {TempoShortName} uses this ID to prefix objects in the object storage. You can reuse the value of the UUID or `tempoName` field. +<12> Enables a gateway that performs authentication and authorization. The Jaeger UI is exposed at `+http:///api/traces/v1//search+`. +<13> Exposes the Jaeger UI, which visualizes the data, via a route.