Bug
Resolution: Unresolved
Quality / Stability / Reliability
Description:
Summary:
The observability operator incorrectly sets the region field to the role ARN value in the tempo secret for S3STS configurations. This causes Tempo to generate a malformed S3 endpoint that includes the role ARN instead of the AWS region.
Steps to Reproduce:
1. Create ObservabilityInstaller with S3STS configuration:
   spec:
     capabilities:
       tracing:
         storage:
           objectStorage:
             s3STS:
               bucket: "my-bucket"
               region: "us-east-2"
               roleARN: "arn:aws:iam::123456789:role/my-role"
2. Check tempo configuration: oc get cm tempo-<name> -o yaml
Expected Result:
storage:
  trace:
    s3:
      endpoint: s3.us-east-2.amazonaws.com
Actual Result:
storage:
  trace:
    s3:
      endpoint: s3.arn:aws:iam::123456789:role/my-role.amazonaws.com
Error: Tempo pods crash with: invalid port ":role" after host
Root Cause:
File: pkg/controllers/observability/tempo_components.go
Line: 193
Current code incorrectly uses role ARN as region:
tempoSecret.Data = map[string][]byte{
    "bucket":   []byte(objectStorageSpec.S3STS.Bucket),
    "role_arn": []byte(objectStorageSpec.S3STS.RoleARN),
    "region":   []byte(objectStorageSpec.S3STS.RoleARN), // ❌ BUG: should be .Region
}
Fix:
Change line 193 to use the actual region field:
"region": []byte(objectStorageSpec.S3STS.Region),
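A guard that would catch this class of field mix-up before the secret is written, as an added example (not the operator's code). The S3STSSpec type, both function names, the region pattern and the https:// scheme are assumptions; only the three field names and the secret keys come from this report.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// S3STSSpec is a hypothetical stand-in for the operator's spec type.
type S3STSSpec struct{ Bucket, Region, RoleARN string }

// regionRe is an assumed pattern for region names such as "us-east-2".
var regionRe = regexp.MustCompile(`^[a-z]{2}(-[a-z]+)+-[0-9]+$`)

// checkEndpoint builds the endpoint in the form shown under Expected Result
// and parses it as a URL (scheme assumed), so a bad region fails here.
func checkEndpoint(region string) (string, error) {
	host := "s3." + region + ".amazonaws.com"
	if _, err := url.Parse("https://" + host); err != nil {
		return "", err
	}
	return host, nil
}

// buildTempoSecretData maps each spec field to its own secret key and
// rejects values that are in the wrong field.
func buildTempoSecretData(s S3STSSpec) (map[string][]byte, error) {
	if !strings.HasPrefix(s.RoleARN, "arn:") {
		return nil, fmt.Errorf("roleARN %q is not an ARN", s.RoleARN)
	}
	if !regionRe.MatchString(s.Region) {
		return nil, fmt.Errorf("region %q is not a region name", s.Region)
	}
	if _, err := checkEndpoint(s.Region); err != nil {
		return nil, err
	}
	return map[string][]byte{
		"bucket":   []byte(s.Bucket),
		"role_arn": []byte(s.RoleARN),
		"region":   []byte(s.Region),
	}, nil
}

func main() {
	// Role ARN from the report passed as the region: prints the parse error.
	_, err := checkEndpoint("arn:aws:iam::123456789:role/my-role")
	fmt.Println(err)
}
```

A table-driven unit test asserting that each secret key equals its matching spec field would catch the same regression in CI.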