From 5bb63c268348fbd7df7c1a9f48287f356e382b6c Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 19 Nov 2020 10:40:42 +0000
Subject: [PATCH] feat: add option to S3 backend for V2 signatures

Currently we don't expose any ability to select the signature version used for our S3 backend.

Signed-off-by: Christian Simon
---
 tempodb/backend/s3/config.go | 2 ++
 tempodb/backend/s3/s3.go | 46 +++++++++++++++++++++++++++++-------
 2 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go
index 980736ba633..e9335a2d047 100644
--- a/tempodb/backend/s3/config.go
+++ b/tempodb/backend/s3/config.go
@@ -8,4 +8,6 @@ type Config struct {
 SecretKey string `yaml:"secret_key"`
 Insecure bool `yaml:"insecure"`
 PartSize uint64 `yaml:"part_size"`
+ // SignatureV2 configures the object storage to use V2 signing instead of V4
+ SignatureV2 bool `yaml:"signature_v2"`
 }
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
index 62ab4582a44..560f05cc56c 100644
--- a/tempodb/backend/s3/s3.go
+++ b/tempodb/backend/s3/s3.go
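Review bot: The comment added on `SignatureV2` in `Config` (tempodb/backend/s3/config.go) does not tell an operator that V2 is the legacy scheme or when the switch is appropriate. I would expand it to `// SignatureV2 switches request signing from V4 to the legacy V2 scheme (HMAC-SHA1).` followed by `// Enable it only for S3-compatible stores that do not support V4; leave it false for AWS S3.` The struct begins above the hunk, so the other fields' documentation is not visible here.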
@@ -32,24 +32,54 @@ type readerWriter struct {
 core *minio.Core
 }
 
+type overrideSignatureVersion struct {
+ useV2 bool
+ upstream credentials.Provider
+}
+
+func (s *overrideSignatureVersion) Retrieve() (credentials.Value, error) {
+ v, err := s.upstream.Retrieve()
+ if err != nil {
+ return v, err
+ }
+
+ if s.useV2 && !v.SignerType.IsAnonymous() {
+ v.SignerType = credentials.SignatureV2
+ }
+
+ return v, nil
+}
+
+func (s *overrideSignatureVersion) IsExpired() bool {
+ return s.upstream.IsExpired()
+}
+
 func New(cfg *Config) (backend.Reader, backend.Writer, backend.Compactor, error) {
 l := log_util.Logger
+
+ wrapCredentialsProvider := func(p credentials.Provider) credentials.Provider {
+ if cfg.SignatureV2 {
+ return &overrideSignatureVersion{useV2: cfg.SignatureV2, upstream: p}
+ }
+ return p
+ }
+
 creds := credentials.NewChainCredentials([]credentials.Provider{
- &credentials.EnvAWS{},
- &credentials.Static{
+ wrapCredentialsProvider(&credentials.EnvAWS{}),
+ wrapCredentialsProvider(&credentials.Static{
 Value: credentials.Value{
 AccessKeyID: cfg.AccessKey,
 SecretAccessKey: cfg.SecretKey,
 },
- },
- &credentials.EnvMinio{},
- &credentials.FileAWSCredentials{},
- &credentials.FileMinioClient{},
- &credentials.IAM{
+ }),
+ wrapCredentialsProvider(&credentials.EnvMinio{}),
+ wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+ wrapCredentialsProvider(&credentials.FileMinioClient{}),
+ wrapCredentialsProvider(&credentials.IAM{
 Client: &http.Client{
 Transport: http.DefaultTransport,
 },
- },
+ }),
 })
 opts := &minio.Options{
 Secure: !cfg.Insecure,
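Review bot: With `signature_v2` set, `wrapCredentialsProvider` in `New` downgrades signing for every provider in the chain, the IAM one included, and nothing records that the weaker scheme is active. V2 authenticates requests with HMAC-SHA1 and has no equivalent of V4's payload hash, so paired with `insecure: true` it leaves less integrity protection on the wire. I would log it once where the chain is built, for example `level.Warn(l).Log("msg", "S3 backend is using legacy V2 request signing")` if this file logs through go-kit's `level` package (its imports are not visible here). Separately, `useV2` is always true because the wrapper is only constructed when `cfg.SignatureV2` is set, so the field and the `s.useV2 &&` test in `Retrieve` can be dropped. `New` continues past the end of the hunk.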