From a954f693e4c19c27cc22fd29523137b178b83095 Mon Sep 17 00:00:00 2001
From: Gwynne Monahan
Date: Fri, 13 Sep 2024 12:15:20 -0500
Subject: [PATCH] OSSM-6958 Correction in Tempo/OTEL chapter about mTLS

---
 .../ossm-configuring-distr-tracing-tempo.adoc | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/modules/ossm-configuring-distr-tracing-tempo.adoc b/modules/ossm-configuring-distr-tracing-tempo.adoc
index 984bf6b785..930d1c9e58 100644
--- a/modules/ossm-configuring-distr-tracing-tempo.adoc
+++ b/modules/ossm-configuring-distr-tracing-tempo.adoc
@@ -33,8 +33,6 @@ kind: OpenTelemetryCollector
 metadata:
 name: otel
 namespace: bookinfo # <1>
- annotations:
- sidecar.istio.io/inject: 'true' # <2>
 spec:
 mode: deployment
 config: |
@@ -45,7 +43,7 @@ spec:
 endpoint: 0.0.0.0:4317
 exporters:
 otlp:
- endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <3>
+ endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <2>
 tls:
 insecure: true
 service:
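Review bot: The renumbered `# <2>` callout on the exporter `endpoint` line is now the only explanation attached to the exporter block, and the `tls: insecure: true` two lines below it stays undocumented even though the chapter is being reworked around mTLS; a reader copying the example ends up with a collector-to-Tempo connection that uses no TLS at all and nothing in the text saying so. Consider a callout on the `insecure: true` line such as `# <3> Sends spans to the Tempo distributor without TLS; this is for the example only, configure the exporter TLS settings before using it in production.` with a matching `<3>` entry in the callout list. The `OpenTelemetryCollector` example that both hunks on this line edit starts before the first hunk and continues past the second.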
@@ -56,12 +54,12 @@ spec:
 exporters: [otlp]
 ----
 <1> Include the namespace in the `ServiceMeshMemberRoll` member list.
-<2> The sidecar injection annotation is only required when you enable the `spec.security.dataPlane` parameter for mTLS encryption in the `ServiceMeshControlPlane` resource.
-<3> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
+<2> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
+
 [NOTE]
 ====
-You only need to create one instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
+* Create a single instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
+* You can add an `otel-collector` as a part of the mesh by adding `sidecar.istio.io/inject: 'true'` to the `OpenTelemetryCollector` resource.
 ====
 . Check the `otel-collector` pod log and verify that the pod is running:
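Review bot: The new `<2>` callout line carries over the typo "such as`tracing-system`" with no space before the opening backtick, so the monospace span will not render; it should read "such as `tracing-system`". The second NOTE bullet says to add `sidecar.istio.io/inject: 'true'` "to the `OpenTelemetryCollector` resource" without saying where, while the lines removed in the first hunk show it is an annotation under `metadata.annotations`; the bullet should name that location, for example "add the `sidecar.istio.io/inject: 'true'` annotation under `metadata.annotations` of the `OpenTelemetryCollector` resource". It would also help to say why a reader would do this: a collector with a sidecar presumably takes part in mesh mTLS, which appears to be the alternative to the TLS-disabling `DestinationRule` that this patch introduces later in the file, and readers picking between the two need that link stated.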
@@ -164,6 +162,28 @@ Kiali 1.73 uses the Jaeger Query API, which causes a longer response time depend
 . Verify the `istiod` pod logs and the `otel-collector` pod logs.
+[id="configuring-otel-collector-mtls-encrypted-namespace_{context}"]
+== Configuring the `OpenTelemetryCollector` in a mTLS encrypted Service Mesh member namespace
+
+All traffic is TLS encrypted when you enable Service Mesh `dataPlane` mTLS encryption.
+
+To enable the mesh to communicate with the `OpenTelemetryCollector` service, disable the TLS `trafficPolicy` by applying a `DestinationRule` for the `OpenTelemetryCollector` service:
+
+.Example `DestinationRule` Tempo CR
+[source, yaml]
+----
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: otel-disable-tls
+spec:
+ host: "otel-collector.bookinfo.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+----
+
+
 [id="configuring-distr-tracing-tempo-mtls-encrypted-namespace_{context}"]
 == Configuring the {TempoName} in a mTLS encrypted Service Mesh member namespace
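Review bot: The new section instructs readers to apply a `DestinationRule` with `mode: DISABLE` for `otel-collector.bookinfo.svc.cluster.local` without stating the precondition or the cost: the rule is only needed when the collector pod has no sidecar (the NOTE added earlier in this patch says the collector can instead be injected into the mesh), and once TLS is disabled the spans every sidecar sends to the collector cross the cluster network in plaintext inside a mesh whose `dataPlane` mTLS was turned on to prevent exactly that. Suggest opening the section with a paragraph that says: if the OpenTelemetry Collector pod has no Istio sidecar, mesh workloads cannot reach it over mTLS, the following `DestinationRule` disables TLS for traffic to the collector service so trace data to that service is sent unencrypted, and injecting the sidecar into the collector is the alternative that keeps it encrypted. The caption `.Example `DestinationRule` Tempo CR` is also wrong, since the resource is an Istio `DestinationRule` for the collector service and not a Tempo CR. Finally the example has no `metadata.namespace`, so which namespace the rule lands in, and therefore its scope, is left to the reader; adding `namespace: bookinfo` under `metadata`, if that is where it is meant to live, would make the example self-contained.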