Ukraine flag We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page.

Securing Jaeger Installation


This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718external link).

SDK to Collector

OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.

  • ✅ HTTP - TLS with mTLS (client cert authentication) supported.
  • ✅ gRPC - TLS with mTLS (client cert authentication) supported.
    • Covers both span export and sampling configuration querying.

Collector/Ingester/Query-Service to Storage

  • ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
  • ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
  • ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).

Browser to UI

Consumers to Query Service

  • ✅ HTTP - TLS with mTLS (client cert authentication) supported.
  • ✅ gRPC - TLS with mTLS (client cert authentication) supported.