Issue with client certificate reload #7081
Replies: 3 comments 2 replies
-
|
I found a similar unsolved discussion regarding client certificate reloads in Jaeger: Jaeger is not reloading the renewed certificates from filesystem even during connection setup [1]. Currently, there are no specific CLI flags or configuration options in Jaeger for reloading client certificates used for Elasticsearch connections. The available reload-interval flags you mentioned are for server certificates, and there is no equivalent for client certificates in the context of Elasticsearch connections [2]. To continue talking to Dosu, mention @dosu. Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other |
Beta Was this translation helpful? Give feedback.
-
|
You will have to reload the collector, this is the same for Jaeger v2 |
Beta Was this translation helpful? Give feedback.
-
|
both jaeger v1 and v2 are using OTEL's implementation of HTTP client which supports cert reloading However, it's correct that in v1 there is no CLI option to control the reload interval. In v2 it is part of the standard config. We strongly advise migrating to jaeger-v2. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @yurishkuro for the quick response. We have just started migration Jaeger V1 to V2, this migration will take couple of months for us, so as it is security related issue we would like to fix as soon as possible, it seems as per your comment cert reload support is there for V1 also but do not have CLI flag, can you please share any idea, how can we fix this issue? We could see 'Config' structure of 'ClientConfig' has Reload Interval support. TLS configtls.ClientConfig `mapstructure:"tls" |
Beta Was this translation helpful? Give feedback.
-
<
8000
svg aria-label="Loading content..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="m-2 anim-rotate">
-
|
the flag needs to be added here jaeger/internal/config/tlscfg/flags.go Line 42 in 1e691d5 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
We use backend as elastic search, when we send spans client(collector) to server(es) observed that, client certificate reload not happening after certificate renewal, reload is happening only once during startup.
how client certificate (which used to connect elastic search engine) reload happens in Jaeger. And we did not find any cli flags for client cert reload, but we found only server certificates reload reload-interval flags.
we have below cli flags but do not have reload-interval flag for certificate reload.
--es.tls.ca
--es.tls.cert
--es.tls.key
Currently for different interfaces, server certificates getting loaded using below CLI flags,
--collector.otlp.grpc.tls.reload-interval
--collector.otlp.http.tls.reload-interval
--collector.zipkin.tls.reload-interval
--collector.grpc.tls.reload-interval
--collector.http.tls.reload-interval
Is client certificate reload support there? Please provide your opinion.
Beta Was this translation helpful? Give feedback.
All reactions