Allow use of non-dualstack endpoints for S3 blocks storage

sam-mcbr · sam-mcbr · commit 96905c35a684 · 2025-01-19T08:21:36.000-08:00
Signed-off-by: Sam McBroom &lt;sam.mcbroom@appian.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -61,6 +61,7 @@
 * [ENHANCEMENT] Distributor: Added `cortex_distributor_received_samples_per_labelset_total` metric to calculate ingestion rate per label set. #6443
 * [ENHANCEMENT] Added metric name in limiter per-metric exceeded errors. #6416
 * [ENHANCEMENT] StoreGateway: Added `cortex_bucket_store_indexheader_load_duration_seconds` and `cortex_bucket_store_indexheader_download_duration_seconds` metrics for time of downloading and loading index header files. #6445
+* [ENHANCEMENT] Blocks Storage: Allow use of non-dualstack endpoints for S3 blocks storage via `-blocks-storage.s3.disable-dualstack`. #6522
 * [BUGFIX] Runtime-config: Handle absolute file paths when working directory is not / #6224
 * [BUGFIX] Ruler: Allow rule evaluation to complete during shutdown. #6326
 * [BUGFIX] Ring: update ring with new ip address when instance is lost, rejoins, but heartbeat is disabled.  #6271
diff --git a/docs/blocks-storage/querier.md b/docs/blocks-storage/querier.md
@@ -286,6 +286,10 @@ blocks_storage:
     # CLI flag: -blocks-storage.s3.bucket-name
     [bucket_name: <string> | default = ""]
 
+    # If enabled, S3 endpoint will use the non-dualstack variant.
+    # CLI flag: -blocks-storage.s3.disable-dualstack
+    [disable_dualstack: <boolean> | default = false]
+
     # S3 secret access key
     # CLI flag: -blocks-storage.s3.secret-access-key
     [secret_access_key: <string> | default = ""]
diff --git a/docs/blocks-storage/store-gateway.md b/docs/blocks-storage/store-gateway.md
@@ -390,6 +390,10 @@ blocks_storage:
     # CLI flag: -blocks-storage.s3.bucket-name
     [bucket_name: <string> | default = ""]
 
+    # If enabled, S3 endpoint will use the non-dualstack variant.
+    # CLI flag: -blocks-storage.s3.disable-dualstack
+    [disable_dualstack: <boolean> | default = false]
+
     # S3 secret access key
     # CLI flag: -blocks-storage.s3.secret-access-key
     [secret_access_key: <string> | default = ""]
diff --git a/docs/configuration/config-file-reference.md b/docs/configuration/config-file-reference.md
@@ -541,6 +541,10 @@ s3:
   # CLI flag: -alertmanager-storage.s3.bucket-name
   [bucket_name: <string> | default = ""]
 
+  # If enabled, S3 endpoint will use the non-dualstack variant.
+  # CLI flag: -alertmanager-storage.s3.disable-dualstack
+  [disable_dualstack: <boolean> | default = false]
+
   # S3 secret access key
   # CLI flag: -alertmanager-storage.s3.secret-access-key
   [secret_access_key: <string> | default = ""]
@@ -836,6 +840,10 @@ s3:
   # CLI flag: -blocks-storage.s3.bucket-name
   [bucket_name: <string> | default = ""]
 
+  # If enabled, S3 endpoint will use the non-dualstack variant.
+  # CLI flag: -blocks-storage.s3.disable-dualstack
+  [disable_dualstack: <boolean> | default = false]
+
   # S3 secret access key
   # CLI flag: -blocks-storage.s3.secret-access-key
   [secret_access_key: <string> | default = ""]
@@ -4771,6 +4779,10 @@ s3:
   # CLI flag: -ruler-storage.s3.bucket-name
   [bucket_name: <string> | default = ""]
 
+  # If enabled, S3 endpoint will use the non-dualstack variant.
+  # CLI flag: -ruler-storage.s3.disable-dualstack
+  [disable_dualstack: <boolean> | default = false]
+
   # S3 secret access key
   # CLI flag: -ruler-storage.s3.secret-access-key
   [secret_access_key: <string> | default = ""]
@@ -5074,6 +5086,10 @@ s3:
   # CLI flag: -runtime-config.s3.bucket-name
   [bucket_name: <string> | default = ""]
 
+  # If enabled, S3 endpoint will use the non-dualstack variant.
+  # CLI flag: -runtime-config.s3.disable-dualstack
+  [disable_dualstack: <boolean> | default = false]
+
   # S3 secret access key
   # CLI flag: -runtime-config.s3.secret-access-key
   [secret_access_key: <string> | default = ""]
diff --git a/pkg/storage/bucket/s3/bucket_client.go b/pkg/storage/bucket/s3/bucket_client.go
@@ -83,14 +83,15 @@ func newS3Config(cfg Config) (s3.Config, error) {
 	}
 
 	return s3.Config{
-		Bucket:         cfg.BucketName,
-		Endpoint:       cfg.Endpoint,
-		Region:         cfg.Region,
-		AccessKey:      cfg.AccessKeyID,
-		SecretKey:      cfg.SecretAccessKey.Value,
-		Insecure:       cfg.Insecure,
-		SSEConfig:      sseCfg,
-		SendContentMd5: cfg.SendContentMd5,
+		Bucket:           cfg.BucketName,
+		Endpoint:         cfg.Endpoint,
+		Region:           cfg.Region,
+		DisableDualstack: cfg.DisableDualstack,
+		AccessKey:        cfg.AccessKeyID,
+		SecretKey:        cfg.SecretAccessKey.Value,
+		Insecure:         cfg.Insecure,
+		SSEConfig:        sseCfg,
+		SendContentMd5:   cfg.SendContentMd5,
 		HTTPConfig: s3.HTTPConfig{
 			IdleConnTimeout:       model.Duration(cfg.HTTP.IdleConnTimeout),
 			ResponseHeaderTimeout: model.Duration(cfg.HTTP.ResponseHeaderTimeout),
diff --git a/pkg/storage/bucket/s3/config.go b/pkg/storage/bucket/s3/config.go
@@ -66,6 +66,7 @@ type Config struct {
 	Endpoint           string         `yaml:"endpoint"`
 	Region             string         `yaml:"region"`
 	BucketName         string         `yaml:"bucket_name"`
+	DisableDualstack   bool           `yaml:"disable_dualstack"`
 	SecretAccessKey    flagext.Secret `yaml:"secret_access_key"`
 	AccessKeyID        string         `yaml:"access_key_id"`
 	Insecure           bool           `yaml:"insecure"`
@@ -89,6 +90,7 @@ func (cfg *Config) RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) {
 	f.Var(&cfg.SecretAccessKey, prefix+"s3.secret-access-key", "S3 secret access key")
 	f.StringVar(&cfg.BucketName, prefix+"s3.bucket-name", "", "S3 bucket name")
 	f.StringVar(&cfg.Region, prefix+"s3.region", "", "S3 region. If unset, the client will issue a S3 GetBucketLocation API call to autodetect it.")
+	f.BoolVar(&cfg.DisableDualstack, prefix+"s3.disable-dualstack", false, "If enabled, S3 endpoint will use the non-dualstack variant.")
 	f.StringVar(&cfg.Endpoint, prefix+"s3.endpoint", "", "The S3 bucket endpoint. It could be an AWS S3 endpoint listed at https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an S3-compatible service in hostname:port format.")
 	f.BoolVar(&cfg.Insecure, prefix+"s3.insecure", false, "If enabled, use http:// for the S3 endpoint instead of https://. This could be useful in local dev/test environments while using an S3-compatible backend storage, like Minio.")
 	f.StringVar(&cfg.SignatureVersion, prefix+"s3.signature-version", SignatureVersionV4, fmt.Sprintf("The signature version to use for authenticating against S3. Supported values are: %s.", strings.Join(supportedSignatureVersions, ", ")))
diff --git a/pkg/storage/bucket/s3/config_test.go b/pkg/storage/bucket/s3/config_test.go
@@ -51,6 +51,7 @@ func TestConfig(t *testing.T) {
 endpoint: test-endpoint
 region: test-region
 bucket_name: test-bucket-name
+disable_dualstack: true
 secret_access_key: test-secret-access-key
 access_key_id: test-access-key-id
 insecure: true
@@ -74,6 +75,7 @@ http:
 				Endpoint:         "test-endpoint",
 				Region:           "test-region",
 				BucketName:       "test-bucket-name",
+				DisableDualstack: true,
 				SecretAccessKey:  flagext.Secret{Value: "test-secret-access-key"},
 				AccessKeyID:      "test-access-key-id",
 				Insecure:         true,
