Comments (16)
While storing TLS credentials in a Secret, they are stored in the tls format.
If your certificates are self-signed, Kubernetes will not accept them and you have to pass the --insecure-skip-tls-verify flag while creating the secret. In this mode, the secret will only hold two files, i.e. tls.crt and tls.key.
But if you look at Jaeger's configuration, it requires the CA certificate also. This file will not be in the secret if it is self-signed. So we can't go with the idea of storing TLS credentials in a secret.
Correct me if I'm wrong anywhere :)
from helm-charts.
You can create a secret with key, crt and ca. Or, if you prefer, one secret for the server key and crt, and another for the ca cert.
Please see https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/auth/client-certs/README.md#creating-certificate-secrets for further instructions.
One thing is for sure: you will want tls.key in a secret. As for the certs, if you want them in a separate configmap, that is your call.
Okay, we can go with secrets. We can maintain 2 secrets. This will be good.
I'm getting the following error when enabling TLS. My secret is base64 encoded and the contents are as in the example from the docs (the secret is created with the correct name):
Error: release dealing-tiger failed: Deployment.apps "cassandra-collector" is invalid: [spec.template.spec.containers[0].volumeMounts[0].name: Not found: "cassandra-tls-secret", spec.template.spec.containers[0].volumeMounts[1].name: Not found: "cassandra-tls-secret", spec.template.spec.containers[0].volumeMounts[2].name: Not found: "cassandra-tls-secret"]
Provide your values.yaml and the relevant commands you used to deploy the secret and the helm chart.
I saw that I'm writing in the wrong issue; my case is with Cassandra as storage. We can move the conversation or I can create a new one.
Here is my secret (the content is base64 encoded):
apiVersion: v1
kind: Secret
metadata:
  name: cassandra-tls-secret
  namespace: jaeger
data:
  commonName: base64
  ca-cert.pem: |
    base64 blqblq
  client-cert.pem: |
    base64 blqblqb
  client-key.pem: |
    base64 bqlblq
  cqlshrc: |
    base64 ssl section and same as the example from the doc .
###############
The chart is installed in the same namespace as the secret "jaeger".
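The two points raised above (a secret carrying key, crt and ca, and a secret whose `data` values must be valid base64 rather than a `|` block with text in it) can be checked before `kubectl apply`. The following is an added example, not code from the helm-charts project or from anyone in this thread. It builds a Secret manifest from constructed placeholder PEM strings (real material would come from your CA and openssl), renders it as YAML, and runs a validator that reports missing keys, values that are not base64, and values that do not decode to PEM. The key names `ca.crt`, `tls.crt` and `tls.key` and the function names are assumptions for the example.

```python
import base64
import binascii

# Constructed placeholder PEM bodies (NOT real certificates or keys).
SAMPLE_PEM = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...ca-placeholder...\n-----END CERTIFICATE-----\n",
    "tls.crt": "-----BEGIN CERTIFICATE-----\nMIIB...client-placeholder...\n-----END CERTIFICATE-----\n",
    "tls.key": "-----BEGIN PRIVATE KEY-----\nMIIE...key-placeholder...\n-----END PRIVATE KEY-----\n",
}

# A secret shaped like the one posted above: `data` values are plain text,
# not base64, and the file names do not match what the mount expects.
BAD_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "cassandra-tls-secret", "namespace": "jaeger"},
    "data": {
        "commonName": "base64",
        "ca-cert.pem": "base64 blqblq\n",
        "client-cert.pem": "base64 blqblqb\n",
        "client-key.pem": "base64 bqlblq\n",
    },
}


def build_tls_secret(name, namespace, pem_files):
    """Return a Secret manifest (dict) whose `data` values are base64 of the PEM files."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            key: base64.b64encode(text.encode("utf-8")).decode("ascii")
            for key, text in pem_files.items()
        },
    }


def render_secret_yaml(secret):
    """Render the flat manifest produced by build_tls_secret as YAML (no PyYAML needed)."""
    lines = [
        f"apiVersion: {secret['apiVersion']}",
        f"kind: {secret['kind']}",
        f"type: {secret['type']}",
        "metadata:",
    ]
    lines += [f"  {k}: {v}" for k, v in secret["metadata"].items()]
    lines.append("data:")
    # Base64 values are a single line each, so no `|` literal block is needed.
    lines += [f"  {k}: {v}" for k, v in secret["data"].items()]
    return "\n".join(lines) + "\n"


def check_tls_secret(secret, required_keys=("ca.crt", "tls.crt", "tls.key")):
    """Return a list of problems; an empty list means the secret is usable as a TLS mount."""
    problems = []
    data = secret.get("data") or {}
    for key in required_keys:
        if key not in data:
            problems.append(f"missing key {key!r} in data")
    for key, value in data.items():
        try:
            # validate=True rejects spaces, newlines and bad padding instead of ignoring them.
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{key}: value is not valid base64 (plain text or a '|' block?)")
            continue
        if not raw.startswith(b"-----BEGIN "):
            problems.append(f"{key}: decoded content is not PEM")
        elif key.endswith(".key") and b"PRIVATE KEY" not in raw.split(b"\n", 1)[0]:
            problems.append(f"{key}: expected a private key")
    return problems


if __name__ == "__main__":
    good = build_tls_secret("cassandra-tls-secret", "jaeger", SAMPLE_PEM)
    print(render_secret_yaml(good))
    print("good secret problems:", check_tls_secret(good))
    print("posted secret problems:", check_tls_secret(BAD_SECRET))
```

If you would rather keep PEM text readable in the manifest, put it under `stringData:` instead of `data:`; the API server base64-encodes it on write, which avoids the mistake the validator catches here.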
Okay, I figured out the problem. It's with the chart.
I will create a PR to fix it.
After the fix, you will need to add the config at collector.extraSecretMounts in your values.yaml to mount the Cassandra secret with the pod. It will not get mounted automatically.
Example:
extraSecretMounts:
  - name: cassandra-tls-secret
    mountPath: /cassandra-tls
    subPath: ""
    secretName: cassandra-tls-secret
    readOnly: true
The same goes for query.
Also, you will need to add the config.
Great, thanks. Let me know when the fix is merged and ready to use.
I think the schema job also needs to be fixed.
Sorry you are experiencing this @mmpetarpeshev and thanks for looking into this @arpitjindal97.
Hi @Pehesi97, as the last contributor to work on the Cassandra TLS feature, could you please comment? Does this work for you?
The Cassandra schema job doesn't have TLS support:
https://github.com/jaegertracing/jaeger/blob/master/plugin/storage/cassandra/schema/create.sh
How should we proceed? I'm confused.
@arpitjindal97 according to https://www.jaegertracing.io/docs/1.17/deployment/#tls-support, the cqlshrc file should contain:
[ssl]
certfile = ~/.cassandra/ca-cert
userkey = ~/.cassandra/client-key
usercert = ~/.cassandra/client-cert
And in the chart it's here:
helm-charts/charts/jaeger/templates/cassandra-schema-job.yaml
Lines 83 to 86 in 2ed907e
Any update on the PR approval or the issue? I tried to run the chart with the changes from the PR and, if I'm not mistaken with the configuration or values, there is still an issue with the mounts and secrets.
Looks like #145 should fix the issue. @mmpetarpeshev @arpitjindal97 PTAL.
I am getting the same error shown in the comment above.
Is it a bug in Jaeger's helm chart? I don't see the volumes code when TLS is enabled.
The schema job is missing the volumes block when TLS is enabled.
Same with Query, Ingester, and Collector.