From 2aff842f8a1d6e4ca82eb3fbac24c6008cab648c Mon Sep 17 00:00:00 2001 From: Ali Mukadam Date: Wed, 30 Nov 2022 13:34:39 +1100 Subject: [PATCH] docs: Updated documentation for OCI Object Storage, added link to blog post Signed-off-by: Ali Mukadam --- docs/getting-started.md | 2 +- docs/storage.md | 26 ++++++++++++++++++++++---- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/docs/getting-started.md b/docs/getting-started.md index 38dda21708..3113bd0e3d 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -102,7 +102,7 @@ See up to date [jsonnet mixins](https://github.com/thanos-io/thanos/tree/main/mi ## Blog posts * 2022: - + * [Deploy Thanos Receive with native OCI Object Storage on Oracle Kubernetes Engine](https://medium.com/@lmukadam/deploy-thanos-receive-with-native-oci-object-storage-on-kubernetes-829326ea0bc6) * [Leveraging Consul for Thanos Query Discovery](https://nicolastakashi.medium.com/leveraging-consul-for-thanos-query-discovery-34212d496c88) * 2021: diff --git a/docs/storage.md b/docs/storage.md index 301f538814..4b67bf5af3 100644 --- a/docs/storage.md +++ b/docs/storage.md @@ -513,11 +513,11 @@ config: prefix: "" ``` -### Oracle Cloud Infrastructure Object Storage +#### Oracle Cloud Infrastructure Object Storage To configure Oracle Cloud Infrastructure (OCI) Object Storage as Thanos Object Store, you need to provide appropriate authentication credentials to your OCI tenancy. The OCI object storage client implementation for Thanos supports either the default keypair or instance principal authentication. -#### API Signing Key +##### API Signing Key The default API signing key authentication provider leverages same [configuration as the OCI CLI](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm) which is usually stored in at `$HOME/.oci/config` or via variable names starting with the string `OCI_CLI`. If the same configuration is found in multiple places the provider will prefer the first one. 
@@ -545,7 +545,7 @@ config: client_timeout: 90s // Optional time limit for requests made by the HTTP Client. ``` -#### Instance Principal Provider +##### Instance Principal Provider For Example: @@ -559,7 +559,7 @@ config: You can also include any of the optional configuration just like the example in `Default Provider`. -#### Raw Provider +##### Raw Provider For Example: @@ -579,6 +579,24 @@ config: You can also include any of the optional configuration just like the example in `Default Provider`. +##### OCI Policies + +Regardless of the method you use for authentication (raw, instance-principal), you need the following 2 policies in order for Thanos (sidecar or receive) to be able to write TSDB to OCI object storage. The difference lies in whom you are giving the permissions. + +For using instance-principal and dynamic group: + +``` +Allow dynamic-group thanos to read buckets in compartment id ocid1.compartment.oc1..a +Allow dynamic-group thanos to manage objects in compartment id ocid1.compartment.oc1..a +``` + +For using raw provider and an IAM group: + +``` +Allow group thanos to read buckets in compartment id ocid1.compartment.oc1..a +Allow group thanos to manage objects in compartment id ocid1.compartment.oc1..a +``` + ### How to add a new client to Thanos? objstore.go
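Review bot: in the getting-started.md hunk the removed line is an empty `- ` bullet under `* 2022:`, which rendered as a blank list item, so replacing it with the new entry rather than adding a line beside it is the right fix; the new entry uses the same `* [title](url)` form as the sibling Consul entry, so the list stays consistent. One thing to check: the two 2022 entries should follow the same ordering convention (newest first or oldest first) as the other year groups, which this hunk does not show.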
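Review bot: the heading demotion in the first storage.md hunk (`###` to `####` for the OCI section and `####` to `#####` for "API Signing Key") looks correct, since the unchanged `### How to add a new client to Thanos?` heading later in the file shows that provider sections sit one level below a `###` parent; worth confirming that the other providers in storage.md already use `####`, so the table of contents nests OCI beside them. While here, the unchanged context line "which is usually stored in at `$HOME/.oci/config`" still has the stray "in at"; it would be a cheap drive-by fix in the same hunk.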
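Review bot: the "Instance Principal Provider" hunk leaves the context line `client_timeout: 90s // Optional time limit for requests made by the HTTP Client.` untouched, but `//` is not a comment in YAML, so a reader who copies the block verbatim gets the value `90s // Optional time limit ...`, which will not parse as a duration. Since this hunk already touches the block's neighbourhood, consider changing the trailing comments in that config example to `#`, or moving them out of the fenced block, so the example is copy-pasteable.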
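Review bot: the "Raw Provider" hunk's trailing context, like the previous hunk's, says "just like the example in `Default Provider`", but after this patch there is no heading of that name; the first hunk renames nothing and keeps the section as "##### API Signing Key" (described in prose as "the default API signing key authentication provider"). Either change both cross-references to `API Signing Key` or add the word "default" to that heading, so the reference resolves and the two provider sections point at the same place.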
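Review bot: the new "OCI Policies" section opens with "Regardless of the method you use for authentication (raw, instance-principal)", which omits the API signing key provider that the section above documents as the default; since that provider authenticates as an IAM user, it needs the same `Allow group ...` statements as the raw provider, and the text should say so rather than leaving the default case uncovered. Two smaller points on the same hunk: the statements grant `manage objects`, which includes deleting objects, whereas the sentence only says "write TSDB"; state that the broader verb is needed because the compactor and bucket tools delete blocks (or, if only sidecar and receive are meant, narrow the statement, for example with a `where target.bucket.name = '<bucket>'` condition, which I believe OCI IAM supports), and replace `ocid1.compartment.oc1..a` with an obvious placeholder such as `<compartment-ocid>` so nobody mistakes the truncated value for a real OCID. Wording: "whom you are giving the permissions" reads better as "to whom you grant the permissions", and "the following 2 policies" as "the following two policy statements".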