mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

OSSM-6958 Correction in Tempo/OTEL chapter about mTLS

This commit is contained in:
Gwynne Monahan
2024-09-13 12:15:20 -05:00
committed by openshift-cherrypick-robot
parent 93c6bcef49
commit a954f693e4

@@ -33,8 +33,6 @@ kind: OpenTelemetryCollector
metadata:
name: otel
namespace: bookinfo # <1>
annotations:
sidecar.istio.io/inject: 'true' # <2>
spec:
mode: deployment
config: |
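Review bot: removing the `annotations:` block with `sidecar.istio.io/inject: 'true'` leaves the collector example with no hint that injection is still an option, and it shifts the callout numbering for the rest of the YAML (the `endpoint` line is still tagged `# <3>` in this hunk's surroundings until it is renumbered). Consider keeping a short YAML comment in the example saying that the annotation is optional and that, when present, the sidecar gives the collector's inbound traffic mTLS, so readers who have enabled `spec.security.dataPlane` mTLS do not lose that hint when the text below moves to a `DestinationRule`.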
@@ -45,7 +43,7 @@ spec:
endpoint: 0.0.0.0:4317
exporters:
otlp:
endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <3>
endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <2>
tls:
insecure: true
service:
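Review bot: the `# <3>` to `# <2>` renumbering on the `endpoint` line is consistent with the dropped annotation callout, but the unchanged `tls:` / `insecure: true` on the `otlp` exporter still has no callout at all. In a chapter about mTLS it is worth stating that this setting makes the collector-to-`tempo-sample-distributor` hop plaintext gRPC, and pointing to the exporter TLS settings a reader should use when the `tracing-system` namespace is not covered by sidecar mTLS.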
@@ -56,12 +54,12 @@ spec:
exporters: [otlp]
----
<1> Include the namespace in the `ServiceMeshMemberRoll` member list.
<2> The sidecar injection annotation is only required when you enable the `spec.security.dataPlane` parameter for mTLS encryption in the `ServiceMeshControlPlane` resource.
<3> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
<2> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
+
[NOTE]
====
You only need to create one instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
* Create a single instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
* You can add an `otel-collector` as a part of the mesh by adding `sidecar.istio.io/inject: 'true'` to the `OpenTelemetryCollector` resource.
====
. Check the `otel-collector` pod log and verify that the pod is running:
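Review bot: the new `<2>` callout line carries over the missing space in "such as`tracing-system`" (should be "such as `tracing-system`"). The second bullet of the NOTE also tells the reader to add the collector to the mesh with `sidecar.istio.io/inject: 'true'`, which is the annotation this commit removes from the example; say which option applies when `spec.security.dataPlane` mTLS is enabled (inject the sidecar, or keep the collector outside the mesh and apply a `DestinationRule` that disables TLS for it), otherwise the NOTE and the example read as two contradictory instructions. Minor: "an `otel-collector`" reads better as "the `otel-collector`".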
@@ -164,6 +162,28 @@ Kiali 1.73 uses the Jaeger Query API, which causes a longer response time depend
. Verify the `istiod` pod logs and the `otel-collector` pod logs.
[id="configuring-otel-collector-mtls-encrypted-namespace_{context}"]
== Configuring the `OpenTelemetryCollector` in a mTLS encrypted Service Mesh member namespace
All traffic is TLS encrypted when you enable Service Mesh `dataPlane` mTLS encryption.
To enable the mesh to communicate with the `OpenTelemetryCollector` service, disable the TLS `trafficPolicy` by applying a `DestinationRule` for the `OpenTelemetryCollector` service:
.Example `DestinationRule` Tempo CR
[source, yaml]
----
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: otel-disable-tls
spec:
host: "otel-collector.bookinfo.svc.cluster.local"
trafficPolicy:
tls:
mode: DISABLE
----
[id="configuring-distr-tracing-tempo-mtls-encrypted-namespace_{context}"]
== Configuring the {TempoName} in a mTLS encrypted Service Mesh member namespace
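Review bot: the block title `.Example `DestinationRule` Tempo CR` is misleading, since the resource is an Istio `DestinationRule` for the collector service, not a Tempo custom resource; `metadata` also lacks a `namespace`, so the text should say where to apply it (the `bookinfo` member namespace, matching the `host`). Both section headings should read "an mTLS encrypted" rather than "a mTLS encrypted". Finally, `mode: DISABLE` means the sidecars send trace spans to `otel-collector.bookinfo.svc.cluster.local` in plaintext; one sentence naming that trade-off, and noting that injecting the sidecar into the collector instead keeps that hop under mTLS, would help readers choose deliberately.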