[jaeger] Cassandra TLS broken

[naseemkullah]

Please skip to #15 (comment)

Original issue has taken a different road.

[arpitjindal97]

While storing TLS credentials in Secret. They are stored in tls format.

If your certificates are self-signed, kubernetes will not accept it and you have to pass --insecure-skip-tls-verify flag while creating secret. In this mode, secret will only hold two files i.e. tls.crt and tls.key.

But, if you see at Jaeger's configuration. It requires CA certificate also. This file will not be there in secret if it self-signed. So, we can't go with the idea of storing TLS credentials in secret.

Correct me, If I'm wrong anywhere :)

[naseemkullah]

You can create a secret with key,crt and ca. Or if you prefer one secret for server key and crt, and another for the ca cert.

Please see https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/auth/client-certs/README.md#creating-certificate-secrets for further instructions.

[naseemkullah]

One thing is for sure you will want tls.key in a secret, as for the certs, if you want them in a separate configmap, that is your call.

[arpitjindal97]

Okay, we can go with secrets. We can maintain 2 secrets. This will be good

[mmpetarpeshev]

I'm getting the following error , when enables tls , my secret is encoded with base64 and the contents is as from the example in the docs.(the secret is created with the correct name)

Error: release dealing-tiger failed: Deployment.apps "cassandra-collector" is invalid: [spec.template.spec.containers[0].volumeMounts[0].name: Not found: "cassandra-tls-secret", spec.template.spec.containers[0].volumeMounts[1].name: Not found: "cassandra-tls-secret", spec.template.spec.containers[0].volumeMounts[2].name: Not found: "cassandra-tls-secret"]

[arpitjindal97]

Provide your values.yaml and relevant commands you used to deploy secret and helm chart

[mmpetarpeshev]

I saw that I'm writing in the wrong issue , my case is with cassandra as storage , we can move the conversation or I can create new one.

values.txt

Here is my secret as the content is base64 encoded :

apiVersion: v1
kind: Secret
metadata:
name: cassandra-tls-secret
namespace: jaeger
data:
commonName: base64
ca-cert.pem: |
base64 blqblq
client-cert.pem: |
base64 blqblqb

client-key.pem: |
base64 bqlblq
cqlshrc: |
base64 ssl section and same as the example from the doc .

###############

The chart is installed in the same namespace as the secret "jaeger".

[arpitjindal97]

okay, I figured out the problem. It's with the chart.

I will create PR to fix

After the fix, you will need to add the config at collector.extraSecretMounts in your values.yaml to mount the cassandra secret with pod. It will not get mounted automatically

example:

extraSecretMounts: 
  - name: cassandra-tls-secret
    mountPath: /cassandra-tls
    subPath: ""
    secretName: cassandra-tls-secret
    readOnly: true

same goes for query also, you will need to add config.

[mmpetarpeshev]

Great , thanks , let me know , when the fix is merged and ready to use.

[mmpetarpeshev]

I think the schema job also needs to be fixed.

[naseemkullah]

Sorry you are experiencing this @mmpetarpeshev and thanks for looking into this @arpitjindal97.

Hi @Pehesi97 As the last contributor to work on the Cassandra TLS feature, could you please comment? Does this work for you?

[arpitjindal97]

@naseemkullah

cassandra schema job doesn't have TLS support

https://github.com/jaegertracing/jaeger/blob/master/plugin/storage/cassandra/schema/create.sh

How should we proceed ? I'm confused

[naseemkullah]

@arpitjindal97 according to: https://www.jaegertracing.io/docs/1.17/deployment/#tls-support

cqlshrc file should contain:

[ssl]
certfile = ~/.cassandra/ca-cert
userkey = ~/.cassandra/client-key
usercert = ~/.cassandra/client-cert

And in the chart it's here:

helm-charts/charts/jaeger/templates/cassandra-schema-job.yaml

Lines 83 to 86 in 2ed907e

	- name: {{ .Values.storage.cassandra.tls.secretName }}
	mountPath: "/root/.cassandra/cqlshrc"
	subPath: "cqlshrc"
	readOnly: true

[mmpetarpeshev]

Any update on the PR approval or the issue ? I tried to run the chart with changes from the PR and if I'm not in mistake with configurations or values, there is still issue with the mounts and secrets.

[naseemkullah]

Looks like #145 should fix the issue @mmpetarpeshev @arpitjindal97 PTAL

[sshah90]

I am getting the same error shown in comment.

is it a bug in Jaeger's helm chart? I don't see volumes code if tls enable.

Schema Job missing volumes block if tls enable

Same with Query, Ingester, and Collector.