canonical / tempo-k8s-operator

This charmed operator automates the operational procedures of running Grafana Tempo, an open-source tracing backend.
https://charmhub.io/tempo-k8s
Apache License 2.0

TLS integration for tempo endpoints and server #98

Closed PietroPasotti closed 1 month ago

PietroPasotti commented 2 months ago

TLS integration support for Tempo charm

In principle ready for review, but it depends on ingress #94

Testing instructions:

juju add-model test-tempo-tls
juju deploy cos-lite --trust
charmcraft pack
jhack deploy
jhack imatrix fill

You should be able to see charm traces in Grafana for all the charms. Verify that all receiver endpoints are using https:

juju run tempo/0 list-receivers

michaeldmitry commented 2 months ago

If we enable TLS for Tempo and another charm for charm tracing, and then we disable TLS on Tempo and the other charm without removing the tracing relation, the app data will not change (internal_scheme will still remain as https) and that will fail non-TLS communication. Or, if it's the other way around, communication will also fail, as it sees the app data still has http. Is this a valid scenario to cover?

michaeldmitry commented 2 months ago

@PietroPasotti @mmkay when certificates are pushed into the workload container, it's an ephemeral volume, so in case of pod crash and restart the certificates will no longer be there. Once Tempo is back up, it will run as non-TLS, but all databags are expected to send to a TLS endpoint, so TLS is now broken.

Prometheus handles that: https://github.com/canonical/prometheus-k8s-operator/blob/main/src/charm.py#L546
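
One way to address both concerns raised in the comments above (a stale internal_scheme after TLS is toggled, and certificates lost when the pod restarts) is to reconcile the files and the published scheme from the currently available certificates on every event. This is an added sketch, not code from this PR or from the Prometheus charm; `Workload`, `Certs`, `reconcile_tls` and the file paths are hypothetical stand-ins for the charm's container and app databag.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed locations inside the workload container (hypothetical paths).
CERT_PATH = "/etc/tempo/tls/server.crt"
KEY_PATH = "/etc/tempo/tls/server.key"

@dataclass
class Certs:
    cert: str
    key: str

@dataclass
class Workload:
    """Hypothetical stand-in for the container's ephemeral filesystem."""
    files: Dict[str, str] = field(default_factory=dict)

    def restart(self) -> None:
        # A pod crash and restart loses everything pushed into the volume.
        self.files.clear()

def reconcile_tls(workload: Workload, certs: Optional[Certs],
                  app_data: Dict[str, str]) -> bool:
    """Make the files on disk and the published scheme match the certificates
    currently available. Returns True when something changed, i.e. when the
    workload would need to be reconfigured and restarted."""
    desired = {CERT_PATH: certs.cert, KEY_PATH: certs.key} if certs else {}
    changed = False
    # Files first, so https is never advertised before the key material exists.
    for path in (CERT_PATH, KEY_PATH):
        if path in desired and workload.files.get(path) != desired[path]:
            workload.files[path] = desired[path]
            changed = True
        elif path not in desired and path in workload.files:
            del workload.files[path]
            changed = True
    scheme = "https" if certs else "http"
    if app_data.get("internal_scheme") != scheme:
        app_data["internal_scheme"] = scheme
        changed = True
    return changed

if __name__ == "__main__":
    # Constructed sample values, not real key material.
    w, data, c = Workload(), {}, Certs("constructed-cert", "constructed-key")
    print(reconcile_tls(w, c, data), data)     # first push
    w.restart()
    print(reconcile_tls(w, c, data), w.files)  # re-pushed after restart
    print(reconcile_tls(w, None, data), data)  # TLS removed, scheme reverts
```

In a charm, a function like this would be called from a common handler on every event, including the one fired when the workload container comes back up.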