open-telemetry / opentelemetry-collector

OpenTelemetry Collector

Home Page:https://opentelemetry.io

Expose Collector via fully qualified domain name (FQDN) & TLS

naveenkumarthangaraj opened this issue · comments

Discussed in #5540

Originally posted by naveenkumarthangaraj June 15, 2022
Hi Team,

We are in the process of setting up the centralized collector for applications to push traces. We had tested it with IP address & TLS and it worked fine without any issues.

Now, we are planning to move these changes to testing and then to production. As per the standard of our organization, the Security and Network team wants us to use FQDN and TLS 1.2, with 443 or 8443 as the port exposed outside our K8S clusters.

Can you please guide with documentation or steps to setup in clusters?

We had reviewed the below documentation from OpenTel but it did not help. Can you please help here?

https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md

The above steps are for mTLS, but do they expose with FQDN and TLS 1.2?

Thanks,
Naveen T

The FQDN is solely a DNS configuration from the perspective of the collector: all the collector has to do is bind to the IP that will respond to that domain name. Your Kubernetes configuration will take care of the hostname (service? external load balancer?). For TLS, the link you sent is not only for mTLS: specify the cert_file and key_file and TLS will be set accordingly. Use the min_version to specify that you want at least TLS 1.2.

The port can be set as part of the endpoint property.
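
A receiver configuration matching the answer above, as an added example that is not part of the original thread or the project's documentation. The certificate paths, the hostname collector.example.com and the debug exporter are assumptions; port 8443 is one of the two ports named in the question.

```yaml
# Added example: server-side TLS (not mTLS) on the OTLP gRPC receiver.
receivers:
  otlp:
    protocols:
      grpc:
        # Bind address and port. The collector does not know its FQDN:
        # DNS plus the Kubernetes Service or external load balancer map
        # the name (assumed: collector.example.com) to this listener.
        endpoint: 0.0.0.0:8443
        tls:
          # Server certificate and key. The certificate's SAN must
          # contain the FQDN that clients dial, or hostname
          # verification fails on the client side.
          cert_file: /etc/otelcol/tls/tls.crt   # assumed path
          key_file: /etc/otelcol/tls/tls.key    # assumed path
          # Reject handshakes that negotiate anything below TLS 1.2.
          min_version: "1.2"
          # client_ca_file is only set for mTLS and is left out here.

exporters:
  debug: {}   # placeholder exporter (assumption); replace with your backend

service:
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [debug]
```

These settings only govern connections that terminate TLS at the collector itself. If an ingress or load balancer terminates TLS in front of it, the minimum version has to be enforced there as well.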