Support PaaS Cassandra - TLS with known CAs

[MarianZoll]

Requirement - what kind of business use case are you trying to solve?

Connect to a cloud-provider managed Cassandra to reduce the operational overhead on the databases. SSL has to be provided for the connections. Quite often, the certs used are issued by known CAs such as LetsEncrypt or digicerts.

Additional context is available here #2467

Problem - what in Jaeger blocks you from solving the requirement?

• TLS certs need to be provided via files.
• The TLS certificates are not mounted to the create schema container image.

Proposal - what do you suggest to solve the problem or improve the existing situation?

For K8s based deployments its not very convenient to create a config map and mount it to the pod. Therefore, I'd like to discuss whether we should introduce a config flag that would use well-known CAs to be added automatically on demand.

Its a similar situation that RedHat for instances using for Quarkus by running a ca-certificates installation: https://github.com/quarkusio/quarkus-quickstarts/blob/master/security-jwt-quickstart/src/main/docker/Dockerfile.jvm#L26

This would allow an easier installation and operations on K8s.

Any open questions to address

Maybe we can start to discuss the approach.

[Git-Jiro]

As far as I can see the base for the Jaeger docker images is Alpine Linux. The Alpine Linux image seems to have a root-ca-bundle at /etc/ssl/certs/ca-certificates.crt

[yurishkuro]

I believe we already have support to provide custom CA.