Securing Jaeger Installation
This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718 ).
SDK to Collector
OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.
- ✅ HTTP - TLS with mTLS (client cert authentication) supported.
- ✅
gRPC - TLS with mTLS (client cert authentication) supported.
- Covers both span export and sampling configuration querying.
Collector/Ingester/Query-Service to Storage
- ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
- ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
- ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).
Browser to UI
- ✅ HTTP - TLS and bearer token authentication (pass-through to storage).
Consumers to Query Service
- ✅ HTTP - TLS with mTLS (client cert authentication) supported.
- ✅ gRPC - TLS with mTLS (client cert authentication) supported.