Securing Jaeger Installation — Jaeger documentation

Securing Jaeger Installation

Version next-release-v2 Preview Go to the latest 2.x version Go to the latest 1.x version

This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components.

SDK to Collector

OpenTelemetry SDKs can be configured to communicate directly with Jaeger Collectors via gRPC or HTTP, with optional TLS enabled.

✅ HTTP - TLS with mTLS (client cert authentication) supported.
✅ gRPC - TLS with mTLS (client cert authentication) supported.
- Covers both span export and sampling configuration querying.

Collector/Ingester/Query to Storage

✅ Cassandra - TLS with mTLS (client cert authentication) supported.
✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).
✅ Prometheus (for SPM) - TLS with mTLS (client cert authentication) supported, as long as you’ve configured your Prometheus server correctly.

Browser to UI

✅ HTTP - TLS and bearer token authentication (pass-through to storage).
- Blog post: Protecting Jaeger UI with an OAuth sidecar Proxy .
- Blog post: Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift .

Consumers to Query

✅ HTTP - TLS with mTLS (client cert authentication) supported.
✅ gRPC - TLS with mTLS (client cert authentication) supported.