启用多租户
Tempo 是一个多租户分布式追踪后端。它通过使用请求头 X-Scope-OrgID 来支持多租户。有关更多详细信息,请参阅多租户文档。本文档概述了如何使用 Operator 部署和使用多租户 Tempo。
未启用身份验证的多租户
以下 Kubernetes 自定义资源 (CR) 部署了一个多租户 Tempo 实例。
注意
Jaeger 查询不具备租户感知能力,因此在此配置中不受支持。
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: simplest
spec:
tenants: {}
storage:
secret:
name: minio-test
type: s3
storageSize: 1Gi
resources:
total:
limits:
memory: 2Gi
cpu: 2000m带有静态 RBAC 的 OIDC 身份验证
在 Kubernetes 上,多租户 Tempo 实例使用 OIDC 身份验证和 CR 中定义的静态 RBAC 授权。该实例应通过服务 tempo-simplest-gateway 访问,该服务处理身份验证和授权。该服务公开了 Jaeger 查询 API 和 OpenTelemetry gRPC (OTLP) 用于追踪摄取。可以通过 http://<暴露的 gateway 服务>:8080/api/traces/v1/<租户名称>/search 访问 Jaeger UI。
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: simplest
spec:
template:
queryFrontend:
jaegerQuery:
enabled: true
gateway:
enabled: true
storage:
secret:
type: s3
name: minio-test
storageSize: 200M
tenants:
mode: static
authentication:
- tenantName: test-oidc
tenantId: test-oidc
oidc:
issuerURL: http://dex.default.svc.cluster.local:30556/dex
redirectURL: http://tempo-simplest-gateway.default.svc.cluster.local:8080/oidc/test-oidc/callback
usernameClaim: email
secret:
name: oidc-test
authorization:
roleBindings:
- name: "test"
roles:
- read-write
subjects:
- kind: user
name: "admin@example.com"
roles:
- name: read-write
permissions:
- read
- write
resources:
- traces
tenants:
- test-oidc- Secret
oidc-test定义了字段clientID、clientSecret和issuerCAPath。 - RBAC 为租户
test-oidc提供了追踪的读写权限。
OpenShift
在 OpenShift 上,身份验证和授权不需要任何第三方服务依赖。身份验证使用 OpenShift OAuth(用户被重定向到 OpenShift 登录页面),授权通过 SubjectAccessReview (SAR) 处理。
该实例应通过服务 tempo-simplest-gateway 访问,该服务处理身份验证和授权。该服务公开了 Jaeger 查询 API 和 OpenTelemetry gRPC (OTLP) 用于追踪摄取。可以通过 http://<暴露的 gateway 服务>:8080/api/traces/v1/<租户名称>/search 访问 Jaeger UI。
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
name: simplest
spec:
storage:
secret:
name: object-storage
type: s3
storageSize: 1Gi
tenants:
mode: openshift
authentication:
- tenantName: dev
tenantId: "1610b0c3-c509-4592-a256-a1871353dbfa"
- tenantName: prod
tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb"
template:
gateway:
enabled: true
queryFrontend:
jaegerQuery:
enabled: true必须创建 ClusterRole 和 ClusterRoleBinding 对象才能启用数据的读写。
数据读取的 RBAC
以下 RBAC 为经过身份验证的用户提供了读取 dev 和 prod 租户追踪数据的权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tempostack-traces-reader
rules:
- apiGroups:
- 'tempo.grafana.com'
resources:
- dev
- prod
resourceNames:
- traces
verbs:
- 'get'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tempostack-traces-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tempostack-traces-reader
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: system:authenticated数据写入的 RBAC
以下 RBAC 为服务账号 otel-collector 提供了 dev 租户追踪数据的写入权限。
apiVersion: v1
kind: ServiceAccount
metadata:
name: otel-collector
namespace: otel
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tempostack-traces-write
rules:
- apiGroups:
- 'tempo.grafana.com'
resources:
- dev
resourceNames:
- traces
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tempostack-traces
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tempostack-traces-write
subjects:
- kind: ServiceAccount
name: otel-collector
namespace: otel带有 dev 租户身份验证的 OpenTelemetry collector CR 配置。
spec:
serviceAccount: otel-collector
config: |
extensions:
bearertokenauth:
filename: "/var/run/secrets/kubernetes.io/serviceaccount/token"
exporters:
# Export the dev tenant traces to a Tempo instance
otlp/dev:
endpoint: tempo-simplest-gateway.tempo.svc.cluster.local:8090
tls:
insecure: false
ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
auth:
authenticator: bearertokenauth
headers:
X-Scope-OrgID: "dev"
