From 33b4a4489a8ce9fae49f176b3ace7f06a3da56ba Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 21 Feb 2024 18:24:50 +0100 Subject: [PATCH 1/2] Add TLS docs Signed-off-by: Andreas Gerstmayr --- docs/tls.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/tls.md diff --git a/docs/tls.md b/docs/tls.md new file mode 100644 index 000000000..e583fe5f6 --- /dev/null +++ b/docs/tls.md 
@@ -0,0 +1,42 @@ +# TLS Overview + +## compactor, ingester, querier +Port | Service | TLS Enabled | TLS Certificate | Verify Client Cert +----- | --------------------- | ------------------------------- | ------------------- | ------------------ +3200 | Tempo API (HTTP) | `featureGates.httpEncryption` | internal | yes +3101 | Tempo Internal (HTTP) | `featureGates.httpEncryption` | internal | no + +## distributor +Port | Service | TLS Enabled | TLS Certificate | Verify Client Cert +----- | --------------------- | ------------------------------- | ------------------- | ------------------ +3200 | Tempo API (HTTP) | `featureGates.httpEncryption` | internal | yes +3101 | Tempo Internal (HTTP) | `featureGates.httpEncryption` | internal | no +4317 | OTLP/gRPC | `spec.template.distributor.tls` | custom | no +4318 | OTLP/HTTP | `spec.template.distributor.tls` | custom | no +14268 | jaeger/thrift http | `spec.template.distributor.tls` | custom | no +6831 | jaeger/thrift compact | no | - | - +6832 | jaeger/thrift binary | no | - | - +14250 | jaeger/grpc | `spec.template.distributor.tls` | custom | no +9411 | zipkin | `spec.template.distributor.tls` | custom | no + +## query-frontend +Port | Service | TLS Enabled | TLS Certificate | Verify Client Cert +----- | --------------------- | ------------------------------- | ------------------- | ------------------ +3200 | Tempo API (HTTP) | if `httpEncryption` and gateway | internal | yes +3101 | Tempo Internal (HTTP) | `featureGates.httpEncryption` | internal | no +16686 | Jaeger UI (HTTP) | if `httpEncryption` and gateway | internal | yes +16685 | Jaeger UI (gRPC) | if `httpEncryption` and gateway | internal | yes + +## gateway +Port | Service | TLS Enabled | TLS Certificate | Verify Client Cert +----- | --------------------- | ------------------------------- | ------------------- | ------------------ +8080 | public (HTTP) | `servingCertsService` | service-ca-operator | no +8090 | public (gRPC) | `servingCertsService` | 
service-ca-operator | no +8081 | internal (HTTP) | `featureGates.httpEncryption` | internal | no + +## TLS Clients +Client | TLS Enabled | TLS Certificate | Notes +------ | ------------------ | --------------- | ----- +S3 | `spec.storage.tls` | custom | only custom CA is supported +Azure | no | - | +GCP | no | - | From 287e4469a38d8f2027feb0068d9560a7815d3a26 Mon Sep 17 00:00:00 2001 From: Andreas Gerstmayr Date: Wed, 28 Feb 2024 17:11:44 +0100 Subject: [PATCH 2/2] clarify Azure and GCP TLS settings Signed-off-by: Andreas Gerstmayr --- docs/tls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/tls.md b/docs/tls.md index e583fe5f6..aad093dfe 100644 --- a/docs/tls.md +++ b/docs/tls.md @@ -35,8 +35,8 @@ Port | Service | TLS Enabled | TLS Certificat 8081 | internal (HTTP) | `featureGates.httpEncryption` | internal | no ## TLS Clients -Client | TLS Enabled | TLS Certificate | Notes +Client | TLS Settings | TLS Certificate | Notes ------ | ------------------ | --------------- | ----- S3 | `spec.storage.tls` | custom | only custom CA is supported -Azure | no | - | -GCP | no | - | +Azure | - | - | custom TLS settings are not supported +GCP | - | - | custom TLS settings are not supported
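Review bot: the distributor table in PATCH 1/2 lists ports 6831 (jaeger/thrift compact) and 6832 (jaeger/thrift binary) with TLS Enabled "no" and gives no explanation, while every other receiver in that table is governed by `spec.template.distributor.tls`. A reader enabling that setting cannot tell from the table that these two receivers stay unencrypted; add a sentence under the table saying so, and whether they can be left disabled. In the query-frontend table, "if `httpEncryption` and gateway" drops the `featureGates.` prefix used in every other row and does not name the gateway setting it depends on; spell out both field paths. A short legend for the "TLS Certificate" values (internal, custom, service-ca-operator) would also help, since none of them is defined in the file.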
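Review bot: after the header rename in PATCH 2/2 from "TLS Enabled" to "TLS Settings", the Azure and GCP rows no longer say whether the connection to the storage backend is encrypted at all. The previous "no" read as plaintext, and the new "-" with "custom TLS settings are not supported" leaves that open. State the default behaviour in the Notes column alongside the existing text (for example, that TLS is used with the default trust store, if that is the case), so the table answers the question the old column header asked.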