Add TLS docs #813
Conversation
Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
f335ddf to 33b4a44
docs/tls.md (Outdated)

| Azure | no | - | |
| GCP | no | - | |
Does this mean TLS cannot be used for those storages?
Tempo doesn't expose any TLS settings for Azure or GCP: https://grafana.com/docs/tempo/latest/configuration/#storage
When using `https://` for the endpoint it will use TLS, but it'll use the certificate bundle of the container. I'll clarify that.
Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
Codecov Report: All modified and coverable lines are covered by tests ✅

| | main | #813 | +/- |
|---|---|---|---|
| Coverage | 75.35% | 75.35% | |
| Files | 89 | 89 | |
| Lines | 6383 | 6383 | |
| Hits | 4810 | 4810 | |
| Misses | 1343 | 1343 | |
| Partials | 230 | 230 | |
I remember we prevent this when we generate the configuration: if the gateway is enabled, TLS configuration is ignored. Actually, I think it will generate a bad configuration. https://github.com/grafana/tempo-operator/blob/main/internal/manifests/config/tempo-config.yaml#L12 I'll test today afternoon. I think if that is the case we need to add some validations to the webhook.

It seems it is not :/

I think yes. In the case of self-signed vs custom, you can control this using the feature flags; wondering if we need to control this better on the CRD.
Added a document with an overview of our server TLS settings for each pod.

@rubenvp8510 is this doc accurate?

Also, a few questions:
- `spec.template.distributor.tls` if configured?
- `spec.template.distributor.tls` is configured, will it break gateway -> distributor connections?
- `internal` (self-signed by the operator), `serving-ca` (generated by OpenShift)?
- `custom` (ConfigMap and Secret)