From 5d96eb26a35e74819fe215bbceaef31fa1059594 Mon Sep 17 00:00:00 2001
From: Christian Simon <simon@swine.de>
Date: Thu, 4 Apr 2024 09:03:26 +0100
Subject: [PATCH] feat: Add S3 force-path-style parameter (#3158)

This allows to override the auto detection which lookup method should be
used.
---
 cmd/pyroscope/help-all.txt.tmpl               |  2 +
 .../index.md                                  | 44 ++++++++++---------
 pkg/objstore/providers/s3/bucket_client.go    | 20 ++++++---
 pkg/objstore/providers/s3/config.go           |  2 +
 4 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/cmd/pyroscope/help-all.txt.tmpl b/cmd/pyroscope/help-all.txt.tmpl
index f080d92cfe..8eede47f3c 100644
--- a/cmd/pyroscope/help-all.txt.tmpl
+++ b/cmd/pyroscope/help-all.txt.tmpl
@@ -885,6 +885,8 @@ Usage of ./pyroscope:
     	The S3 bucket endpoint. It could be an AWS S3 endpoint listed at https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an S3-compatible service in hostname:port format.
   -storage.s3.expect-continue-timeout duration
     	The time to wait for a server's first response headers after fully writing the request headers if the request has an Expect header. 0 to send the request body immediately. (default 1s)
+  -storage.s3.force-path-style
+    	Set this to `true` to force the bucket lookup to be using path-style.
   -storage.s3.http.idle-conn-timeout duration
     	The time an idle connection will remain idle before closing. (default 1m30s)
   -storage.s3.http.insecure-skip-verify
diff --git a/docs/sources/configure-server/reference-configuration-parameters/index.md b/docs/sources/configure-server/reference-configuration-parameters/index.md
index db44ba4163..a318f43a05 100644
--- a/docs/sources/configure-server/reference-configuration-parameters/index.md
+++ b/docs/sources/configure-server/reference-configuration-parameters/index.md
@@ -620,6 +620,10 @@ lifecycler:
         # values:
         # 
         # Secure Ciphers:
+        # - TLS_RSA_WITH_AES_128_CBC_SHA
+        # - TLS_RSA_WITH_AES_256_CBC_SHA
+        # - TLS_RSA_WITH_AES_128_GCM_SHA256
+        # - TLS_RSA_WITH_AES_256_GCM_SHA384
         # - TLS_AES_128_GCM_SHA256
         # - TLS_AES_256_GCM_SHA384
         # - TLS_CHACHA20_POLY1305_SHA256
@@ -637,11 +641,7 @@ lifecycler:
         # Insecure Ciphers:
         # - TLS_RSA_WITH_RC4_128_SHA
         # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-        # - TLS_RSA_WITH_AES_128_CBC_SHA
-        # - TLS_RSA_WITH_AES_256_CBC_SHA
         # - TLS_RSA_WITH_AES_128_CBC_SHA256
-        # - TLS_RSA_WITH_AES_128_GCM_SHA256
-        # - TLS_RSA_WITH_AES_256_GCM_SHA384
         # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
         # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
         # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -977,6 +977,10 @@ sharding_ring:
       # values:
       # 
       # Secure Ciphers:
+      # - TLS_RSA_WITH_AES_128_CBC_SHA
+      # - TLS_RSA_WITH_AES_256_CBC_SHA
+      # - TLS_RSA_WITH_AES_128_GCM_SHA256
+      # - TLS_RSA_WITH_AES_256_GCM_SHA384
       # - TLS_AES_128_GCM_SHA256
       # - TLS_AES_256_GCM_SHA384
       # - TLS_CHACHA20_POLY1305_SHA256
@@ -994,11 +998,7 @@ sharding_ring:
       # Insecure Ciphers:
       # - TLS_RSA_WITH_RC4_128_SHA
       # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-      # - TLS_RSA_WITH_AES_128_CBC_SHA
-      # - TLS_RSA_WITH_AES_256_CBC_SHA
       # - TLS_RSA_WITH_AES_128_CBC_SHA256
-      # - TLS_RSA_WITH_AES_128_GCM_SHA256
-      # - TLS_RSA_WITH_AES_256_GCM_SHA384
       # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
       # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
       # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -1326,6 +1326,10 @@ sharding_ring:
       # values:
       # 
       # Secure Ciphers:
+      # - TLS_RSA_WITH_AES_128_CBC_SHA
+      # - TLS_RSA_WITH_AES_256_CBC_SHA
+      # - TLS_RSA_WITH_AES_128_GCM_SHA256
+      # - TLS_RSA_WITH_AES_256_GCM_SHA384
       # - TLS_AES_128_GCM_SHA256
       # - TLS_AES_256_GCM_SHA384
       # - TLS_CHACHA20_POLY1305_SHA256
@@ -1343,11 +1347,7 @@ sharding_ring:
       # Insecure Ciphers:
       # - TLS_RSA_WITH_RC4_128_SHA
       # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-      # - TLS_RSA_WITH_AES_128_CBC_SHA
-      # - TLS_RSA_WITH_AES_256_CBC_SHA
       # - TLS_RSA_WITH_AES_128_CBC_SHA256
-      # - TLS_RSA_WITH_AES_128_GCM_SHA256
-      # - TLS_RSA_WITH_AES_256_GCM_SHA384
       # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
       # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
       # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -1534,6 +1534,10 @@ backoff_config:
 # Override the default cipher suite list (separated by commas). Allowed values:
 # 
 # Secure Ciphers:
+# - TLS_RSA_WITH_AES_128_CBC_SHA
+# - TLS_RSA_WITH_AES_256_CBC_SHA
+# - TLS_RSA_WITH_AES_128_GCM_SHA256
+# - TLS_RSA_WITH_AES_256_GCM_SHA384
 # - TLS_AES_128_GCM_SHA256
 # - TLS_AES_256_GCM_SHA384
 # - TLS_CHACHA20_POLY1305_SHA256
@@ -1551,11 +1555,7 @@ backoff_config:
 # Insecure Ciphers:
 # - TLS_RSA_WITH_RC4_128_SHA
 # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-# - TLS_RSA_WITH_AES_128_CBC_SHA
-# - TLS_RSA_WITH_AES_256_CBC_SHA
 # - TLS_RSA_WITH_AES_128_CBC_SHA256
-# - TLS_RSA_WITH_AES_128_GCM_SHA256
-# - TLS_RSA_WITH_AES_256_GCM_SHA384
 # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
 # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -1747,6 +1747,10 @@ The `memberlist` block configures the Gossip memberlist.
 # Override the default cipher suite list (separated by commas). Allowed values:
 # 
 # Secure Ciphers:
+# - TLS_RSA_WITH_AES_128_CBC_SHA
+# - TLS_RSA_WITH_AES_256_CBC_SHA
+# - TLS_RSA_WITH_AES_128_GCM_SHA256
+# - TLS_RSA_WITH_AES_256_GCM_SHA384
 # - TLS_AES_128_GCM_SHA256
 # - TLS_AES_256_GCM_SHA384
 # - TLS_CHACHA20_POLY1305_SHA256
@@ -1764,11 +1768,7 @@ The `memberlist` block configures the Gossip memberlist.
 # Insecure Ciphers:
 # - TLS_RSA_WITH_RC4_128_SHA
 # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-# - TLS_RSA_WITH_AES_128_CBC_SHA
-# - TLS_RSA_WITH_AES_256_CBC_SHA
 # - TLS_RSA_WITH_AES_128_CBC_SHA256
-# - TLS_RSA_WITH_AES_128_GCM_SHA256
-# - TLS_RSA_WITH_AES_256_GCM_SHA384
 # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
 # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@@ -2003,6 +2003,10 @@ The s3_backend block configures the connection to Amazon S3 object storage backe
 # CLI flag: -storage.s3.signature-version
 [signature_version: <string> | default = "v4"]
 
+# Set this to `true` to force the bucket lookup to be using path-style.
+# CLI flag: -storage.s3.force-path-style
+[force_path_style: <boolean> | default = false]
+
 sse:
   # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
   # CLI flag: -storage.s3.sse.type
diff --git a/pkg/objstore/providers/s3/bucket_client.go b/pkg/objstore/providers/s3/bucket_client.go
index b07691d477..05630eddb3 100644
--- a/pkg/objstore/providers/s3/bucket_client.go
+++ b/pkg/objstore/providers/s3/bucket_client.go
@@ -38,14 +38,20 @@ func newS3Config(cfg Config) (s3.Config, error) {
 		return s3.Config{}, err
 	}
 
+	bucketLookupType := s3.AutoLookup
+	if cfg.ForcePathStyle {
+		bucketLookupType = s3.PathLookup
+	}
+
 	return s3.Config{
-		Bucket:    cfg.BucketName,
-		Endpoint:  cfg.Endpoint,
-		Region:    cfg.Region,
-		AccessKey: cfg.AccessKeyID,
-		SecretKey: cfg.SecretAccessKey.String(),
-		Insecure:  cfg.Insecure,
-		SSEConfig: sseCfg,
+		Bucket:           cfg.BucketName,
+		Endpoint:         cfg.Endpoint,
+		Region:           cfg.Region,
+		AccessKey:        cfg.AccessKeyID,
+		SecretKey:        cfg.SecretAccessKey.String(),
+		Insecure:         cfg.Insecure,
+		SSEConfig:        sseCfg,
+		BucketLookupType: bucketLookupType,
 		HTTPConfig: s3.HTTPConfig{
 			IdleConnTimeout:       model.Duration(cfg.HTTP.IdleConnTimeout),
 			ResponseHeaderTimeout: model.Duration(cfg.HTTP.ResponseHeaderTimeout),
diff --git a/pkg/objstore/providers/s3/config.go b/pkg/objstore/providers/s3/config.go
index 75f4cfe2f0..1ef8147087 100644
--- a/pkg/objstore/providers/s3/config.go
+++ b/pkg/objstore/providers/s3/config.go
@@ -77,6 +77,7 @@ type Config struct {
 	AccessKeyID      string         `yaml:"access_key_id"`
 	Insecure         bool           `yaml:"insecure" category:"advanced"`
 	SignatureVersion string         `yaml:"signature_version" category:"advanced"`
+	ForcePathStyle   bool           `yaml:"force_path_style" category:"advanced"`
 
 	SSE  SSEConfig  `yaml:"sse"`
 	HTTP HTTPConfig `yaml:"http"`
@@ -95,6 +96,7 @@ func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
 	f.StringVar(&cfg.Region, prefix+"s3.region", "", "S3 region. If unset, the client will issue a S3 GetBucketLocation API call to autodetect it.")
 	f.StringVar(&cfg.Endpoint, prefix+"s3.endpoint", "", "The S3 bucket endpoint. It could be an AWS S3 endpoint listed at https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an S3-compatible service in hostname:port format.")
 	f.BoolVar(&cfg.Insecure, prefix+"s3.insecure", false, "If enabled, use http:// for the S3 endpoint instead of https://. This could be useful in local dev/test environments while using an S3-compatible backend storage, like Minio.")
+	f.BoolVar(&cfg.ForcePathStyle, prefix+"s3.force-path-style", false, "Set this to `true` to force the bucket lookup to be using path-style.")
 	f.StringVar(&cfg.SignatureVersion, prefix+"s3.signature-version", SignatureVersionV4, fmt.Sprintf("The signature version to use for authenticating against S3. Supported values are: %s.", strings.Join(supportedSignatureVersions, ", ")))
 	cfg.SSE.RegisterFlagsWithPrefix(prefix+"s3.sse.", f)
 	cfg.HTTP.RegisterFlagsWithPrefix(prefix, f)