docs: Update Jaeger auth #3768

Merged: 1 commit, May 7, 2020

@bmorelli25 bmorelli25 commented May 6, 2020

What does this pull request do?

This PR adds an example and updates the Jaeger auth_tag documentation. I have a couple of questions that I'll add as comments.

I tested this feature with apm-integration-testing:

APM Server:

./scripts/compose.py start 7.7 \
--apm-server-opt apm-server.jaeger.grpc.enabled=true \
--apm-server-opt apm-server.jaeger.grpc.auth_tag=authorization \
--apm-server-opt apm-server.secret_token=qwerty1234

Jaeger Agent:

docker run --rm -it --name jaeger-agent --network apm-integration-testing -p6831:6831/udp \
-e REPORTER_GRPC_HOST_PORT=apm-server:14250 \
-e AGENT_TAGS="authorization=Bearer qwerty1234" \
jaegertracing/jaeger-agent:latest

Jaeger Hotrod demo:

docker run --rm -it --network apm-integration-testing \
-e JAEGER_AGENT_HOST=jaeger-agent \
-e JAEGER_AGENT_PORT=6831 \
-p8080-8083:8080-8083 jaegertracing/example-hotrod:latest all

Documentation preview

http://apm-server_3768.docs-preview.app.elstc.co/diff

Related issues

Closes #3423.

@bmorelli25 bmorelli25 requested a review from axw May 6, 2020 22:34
@bmorelli25 bmorelli25 self-assigned this May 6, 2020
apmmachine commented May 6, 2020

💚 Build Succeeded

Build stats

  • Build Cause: [Branch indexing]

  • Start Time: 2020-05-07T11:50:00.224+0000

  • Duration: 3 min 27 sec (206741)

  • Commit: e7057e5

bmorelli25 (author) commented

Questions:

The yml comments are confusing to me:
https://github.com/elastic/apm-server/pull/3394/files#diff-7400bb261a1bc5bd91499ecf67970098R426-R435

 # Set to the name of a process tag to use for authorizing
 # Jaeger agents.
 #
 # The tag value should have the same format as an HTTP
 # Authorization header, i.e. "Bearer <secret_token>" or
 # "ApiKey <base64(id:key)>".
 #
 # By default (if the auth_tag value is empty), authorization
 # does not apply to Jaeger agents.
 #auth_tag: ""

I was only able to get this feature to work when apm-server.jaeger.grpc.auth_tag is set to authorization. Are there other valid values that can be set? As I understand it, it's the tag value in the Jaeger Agent that needs to have the same format as an HTTP authorization header, e.g., --agent.tags "authorization=Bearer qwerty1234".


When Authorization is not correctly configured, I noticed these transactions in the APM app. I'm guessing that because I'm seeing unauthenticated, this is expected?
[Screenshot: Screen Shot 2020-05-06 at 2 56 00 PM]

@axw axw left a comment

Thanks, this is much clearer.

> I was only able to get this feature to work when apm-server.jaeger.grpc.auth_tag is set to authorization. Are there other valid values that can be set? As I understand it, it's the tag value in the Jaeger Agent that needs to have the same format as an HTTP authorization header, e.g., --agent.tags "authorization=Bearer qwerty1234".

The auth_tag value (i.e. after '=') is expected to have the same format as the Authorization header value. It should be possible to configure the server with apm-server.jaeger.grpc.auth_tag=foo, and then run the Jaeger agent with --agent.tags "foo=Bearer <secret_token>". If that doesn't work, it's a bug.

> When Authorization is not correctly configured, I noticed these transactions in the APM app. I'm guessing that because I'm seeing unauthenticated, this is expected?

You should see gRPC transactions in the apm-server service even when auth succeeds, so long as apm-server.instrumentation.enabled=true. apm-integration-testing sets that by default.
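
The tag-based check discussed above, as an added Go sketch that is not part of this PR and not apm-server's own code: the server-side tag name is configurable, and only the tag value must look like an Authorization header. `Tag`, `Authorize`, `ErrUnauthorized` and the `checkAPIKey` callback are hypothetical names, and dropping the auth tag after the check is a choice made in this sketch.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Tag is a simplified stand-in for a Jaeger process tag.
type Tag struct{ Key, Value string }
var ErrUnauthorized = errors.New("unauthorized")

// Authorize validates the tag named authTag like an HTTP Authorization header
// and returns the other tags; dropping the auth tag keeps the credential out of
// stored data (this sketch's choice). checkAPIKey is a hypothetical key lookup.
func Authorize(tags []Tag, authTag, secretToken string, checkAPIKey func(id, key string) bool) ([]Tag, error) {
	if authTag == "" {
		return tags, nil // documented default: no authorization for Jaeger agents
	}
	var rest []Tag
	header, found := "", false
	for _, t := range tags {
		if t.Key != authTag {
			rest = append(rest, t)
		} else if !found {
			header, found = t.Value, true
		}
	}
	parts := strings.SplitN(header, " ", 2)
	if !found || len(parts) != 2 {
		return nil, ErrUnauthorized
	}
	bearerOK := parts[0] == "Bearer" && secretToken != "" &&
		subtle.ConstantTimeCompare([]byte(parts[1]), []byte(secretToken)) == 1 // constant time
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	idKey := strings.SplitN(string(raw), ":", 2)
	apiKeyOK := parts[0] == "ApiKey" && err == nil && len(idKey) == 2 && checkAPIKey != nil && checkAPIKey(idKey[0], idKey[1])
	if bearerOK || apiKeyOK {
		return rest, nil
	}
	return nil, ErrUnauthorized
}

func main() { // constructed sample: server auth_tag=foo, agent tag foo=Bearer qwerty1234
	rest, err := Authorize([]Tag{{"foo", "Bearer qwerty1234"}, {"hostname", "agent-1"}}, "foo", "qwerty1234", nil)
	fmt.Println(rest, err)
}
```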

bmorelli25 (author) commented

Thanks for the clarification. No 🐛

@bmorelli25 bmorelli25 merged commit d844054 into elastic:master May 7, 2020
@bmorelli25 bmorelli25 deleted the jaeger-auth-docs branch May 7, 2020 20:09
Successfully merging this pull request may close these issues.

docs: review docs around auth & Jaeger