Skip to content

o11y: universal profiling self-hosted TLS input #970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Mar 31, 2025
Merged

o11y: universal profiling self-hosted TLS input #970

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
af305a6
o11y: universal profiling self-hosted TLs input
inge4pres Mar 28, 2025
1b92535
better wording
inge4pres Mar 28, 2025
d89d220
Merge branch 'main' into profiling/5296
inge4pres Mar 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions solutions/observability/infra-and-hosts/operate-universal-profiling-backend.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -298,6 +298,39 @@ ingress:

For symbolizer, the connection routing should be configured to use the HTTP protocol. There is usually no need to customize annotations for this type of service, but the chart provides similar configuration options.

### Input TLS configuration [_input_tls_configuration]

Currently, terminating the TLS connection is not supported at the application level, even if the `pf-elastic-collector` or `pf-elastic-symbolizer` configurations do have an `ssl` section.
An ingress-controller should be used to terminate TLS connections and forward the unencrypted traffic to the backend services.

The `ingress` resource shown in the previous section should be configured with the `tls` section to enable TLS termination.
To do so, the collector and symbolizer Helm charts have a `ingress.tls` section that can be used to configure the TLS secret name and the hosts that the TLS certificate should be used for.

It is recommended to use a certificate manager like cert-manager to automatically provision and renew certificates for the ingress resources.

Refer to the [Kubernetes Ingress documentation](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#tlshttps) as an example on how to configure TLS termination with NGINX ingress controller.

In general, the steps are:

1. Store a TLS certificate in a Kubernetes secret in the same namespace running collector and/or symbolizer.

```bash
kubectl -n universal-profiling create secret tls my-tls-secret --cert=path/to/cert.pem --key=path/to/key.pem
```

2. Configure the `ingress.tls` section in the Helm values file used to run the backend applications, for example:

```yaml
ingress:
<other configs...>
tls:
- secretName: my-tls-secret
hosts:
- my-host.com
```

3. Deploy the charts using `helm upgrade` and passing in the updated values files.


### Output TLS configuration [_output_tls_configuration]

Expand Down
Loading