canonical / tempo-k8s-operator

This charmed operator automates the operational procedures of running Grafana Tempo, an open-source tracing backend.
https://charmhub.io/tempo-k8s
Apache License 2.0

[charm-tracing] Allow disabling certificate verification #150

Open mmkay opened 1 month ago

mmkay commented 1 month ago

Enhancement Proposal

Our current charm_tracing setup assumes that for sending traces to a TLS-enabled Tempo, a certificate file needs to be present. This is caused by our use of OTLPSpanExporter that allows only a certificate file path, not a whole certificate content. They're using requests.post(... under the hood that also accepts only a certificate path.

There are charms that don't operate on certificate files such as self-signed-certificates-operator and therefore they can't use SSL-enabled tempo without doing modifications to store their CA on the disk. With self-signed-certificates it's even more peculiar as tempo is also using it as the certificate provider so relating it on both `certificates` and `tracing` causes self-signed-certificates to go into error state.

In requests.post(... that OTLPSpanExporter is using there is an option to disable certificate verification by providing verify=False to the method call instead of the certificate path. Setting an environment variable to False could also disable certificate validation. We should consider if we want to expose disabling certificate verification in @charm_tracing API for these special cases.

mmkay commented 1 month ago

We should discuss it further from the security perspective.

mmkay commented 3 weeks ago

The environment variable won't work because we can't set the variable to False in a way that would work.
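
For the case raised in the first comment, a charm that holds its CA only in memory can keep verification on by persisting the PEM to disk and handing over the path. This is an added example, not code from the tempo-k8s-operator project; `persist_ca_cert`, `ca_file_mode`, the target path and the sample PEM are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: PEM framing only, the body is not a real certificate.
SAMPLE_CA_PEM = f"{PEM_BEGIN}\nQ09OU1RSVUNURUQtU0FNUExFLUNB\n{PEM_END}\n"


def persist_ca_cert(ca_pem: str, target: Path) -> Path:
    """Write a CA certificate held in memory to `target`, return the path.

    Fails closed: missing or non-PEM input raises instead of letting the
    caller fall back to verify=False.
    """
    text = (ca_pem or "").strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        raise ValueError("no PEM CA certificate available; refusing to continue")
    data = (text + "\n").encode()

    # Nothing to do if the file already holds this CA (e.g. repeated hook runs).
    if target.is_file() and target.read_bytes() == data:
        return target

    target.parent.mkdir(parents=True, exist_ok=True)
    # Write to a temp file in the same directory, then rename atomically so a
    # reader never sees a half-written trust anchor.
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".ca-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        # The CA is public, so readable is fine; it must not be writable by
        # others, since whoever can replace it decides what is trusted.
        os.chmod(tmp, 0o644)
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def ca_file_mode(path: Path) -> int:
    """Permission bits of the stored CA file, for checks and audits."""
    return stat.S_IMODE(path.stat().st_mode)
```

The returned path is the value that would go to the exporter's certificate file argument in place of disabling verification.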