Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support PaaS Cassandra - TLS with known CAs #2470

Closed
MarianZoll opened this issue Sep 11, 2020 · 2 comments
Closed

Support PaaS Cassandra - TLS with known CAs #2470

MarianZoll opened this issue Sep 11, 2020 · 2 comments

Comments

@MarianZoll
Copy link
Contributor

Requirement - what kind of business use case are you trying to solve?

Connect to a cloud-provider managed Cassandra to reduce the operational overhead on the databases. SSL has to be provided for the connections. Quite often, the certs used are issued by known CAs such as LetsEncrypt or digicerts.

Additional context is available here #2467

Problem - what in Jaeger blocks you from solving the requirement?

  • TLS certs need to be provided via files.
  • The TLS certificates are not mounted to the create schema container image.

Proposal - what do you suggest to solve the problem or improve the existing situation?

For K8s based deployments its not very convenient to create a config map and mount it to the pod. Therefore, I'd like to discuss whether we should introduce a config flag that would use well-known CAs to be added automatically on demand.

Its a similar situation that RedHat for instances using for Quarkus by running a ca-certificates installation: https://github.com/quarkusio/quarkus-quickstarts/blob/master/security-jwt-quickstart/src/main/docker/Dockerfile.jvm#L26

This would allow an easier installation and operations on K8s.

Any open questions to address

Maybe we can start to discuss the approach.

@Git-Jiro
Copy link
Contributor

Git-Jiro commented Oct 9, 2021

As far as I can see the base for the Jaeger docker images is Alpine Linux. The Alpine Linux image seems to have a root-ca-bundle at /etc/ssl/certs/ca-certificates.crt

@yurishkuro
Copy link
Member

I believe we already have support to provide custom CA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants