Requirement - what kind of business use case are you trying to solve?
Allow applications to configure a remote k8s cluster running with the Jaeger operator, using ES for the storage mode, on a remote ES cluster where the cert may not match the host name.
Problem - what in Jaeger blocks you from solving the requirement?
The current ES options config struct does not include an InsecureSkipVerify bool for TLS host verification. Some users and environments may not have certs matching host names etc., so the client from the Jaeger collector cannot connect to the remote ES cluster when you have declared your serverurls like in the Jaeger operator.
Example error if you are doing some test against an ES IP like https://10.10.10.1:9200:
x509: cannot validate certificate for https://10.10.10.1:9200 because it doesn't contain any IP SANs:
Proposal - what do you suggest to solve the problem or improve the existing situation?
Add an ES config option to include InsecureSkipVerify for host name checking. The Cassandra storage option already has this in its options, and most popular client implementations like fluentd also have this as an ES client option.
Seems to me it will need modifications for an InsecureSkipVerify bool in these files:
https://github.com/jaegertracing/jaeger/blob/master/pkg/es/config/config.go
https://github.com/jaegertracing/jaeger/blob/master/plugin/storage/es/options.go
and then of course your tests.
Any open questions to address
I started working on committing changes to those files in my fork but wanted to open the issue in the meantime in case the maintaining team had any issue with adding in support for this. If an existing contributor can close this out more efficiently, great; otherwise I'll keep working on it as a test. I came across this by trying to deploy the Jaeger operator on EKS today and found it's all good, except I don't have a way to skip the host/cert verification needed to run properly with a TLS storage back end of ES that doesn't match the host name on the cert.
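For context on what the requested flag changes, an added example (not code from this issue or from Jaeger): in Go's crypto/tls, InsecureSkipVerify turns off certificate chain validation as well as the host name check, and a VerifyConnection callback can put the chain check back so that only the name match is skipped. The names verifyChainOnly, chainOnlyTLS and sampleCert, and the es.example.internal certificate, are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyChainOnly (hypothetical helper) checks certs[0] against roots, with no host name check.
func verifyChainOnly(roots *x509.CertPool, certs []*x509.Certificate) error {
	if len(certs) == 0 {
		return fmt.Errorf("no peer certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	for _, c := range certs[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(opts) // DNSName left empty, so the name is not matched
	return err
}

// chainOnlyTLS (hypothetical helper) disables the built-in checks, then restores the chain check.
func chainOnlyTLS(roots *x509.CertPool) *tls.Config {
	verify := func(cs tls.ConnectionState) error { return verifyChainOnly(roots, cs.PeerCertificates) }
	return &tls.Config{InsecureSkipVerify: true, VerifyConnection: verify}
}

// sampleCert returns a constructed self-signed certificate without any SANs.
func sampleCert(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // sample setup failed (a failed earlier step lands here too)
	}
	return c
}

func main() {
	es, pool := sampleCert("es.example.internal"), x509.NewCertPool()
	pool.AddCert(es)
	fmt.Println(es.VerifyHostname("10.10.10.1"), verifyChainOnly(pool, []*x509.Certificate{es}))
}
```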