Merge pull request #81821 from gwynnemonahan/OSSM-6958

jab-rh · web-flow · commit 027b99a94e0f · 2024-09-24T13:06:19.000-04:00
[DOC] OSSM-6958 Correction in Tempo/OTEL chapter about mTLS
diff --git a/modules/ossm-configuring-distr-tracing-tempo.adoc b/modules/ossm-configuring-distr-tracing-tempo.adoc
@@ -33,8 +33,6 @@ kind: OpenTelemetryCollector
 metadata:
   name: otel
   namespace: bookinfo  # <1>
-  annotations:
-    sidecar.istio.io/inject: 'true' # <2>
 spec:
   mode: deployment
   config: |
@@ -45,7 +43,7 @@ spec:
             endpoint: 0.0.0.0:4317
     exporters:
       otlp:
-        endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <3>
+        endpoint: "tempo-sample-distributor.tracing-system.svc.cluster.local:4317" # <2>
         tls:
           insecure: true
     service:
@@ -56,12 +54,12 @@ spec:
           exporters: [otlp]
 ----
 <1> Include the namespace in the `ServiceMeshMemberRoll` member list.
-<2> The sidecar injection annotation is only required when you enable the `spec.security.dataPlane` parameter for mTLS encryption in the `ServiceMeshControlPlane` resource.
-<3> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
+<2> In this example, a TempoStack instance is running in the `tracing-system` namespace. You do not have to include the TempoStack namespace, such as`tracing-system`, in the `ServiceMeshMemberRoll` member list.
 +
 [NOTE]
 ====
-You only need to create one instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
+* Create a single  instance of the OpenTelemetry Collector in one of the `ServiceMeshMemberRoll` member namespaces.
+* You can add an `otel-collector` as a part of the mesh by adding `sidecar.istio.io/inject: 'true'` to the `OpenTelemetryCollector` resource.
 ====
 
 . Check the `otel-collector` pod log and verify that the pod is running:
@@ -164,6 +162,28 @@ Kiali 1.73 uses the Jaeger Query API, which causes a longer response time depend
 
 . Verify the `istiod` pod logs and the `otel-collector` pod logs.
 
+[id="configuring-otel-collector-mtls-encrypted-namespace_{context}"]
+== Configuring the `OpenTelemetryCollector` in a mTLS encrypted Service Mesh member namespace
+
+All traffic is TLS encrypted when you enable Service Mesh `dataPlane` mTLS encryption.
+
+To enable the mesh to communicate with the `OpenTelemetryCollector` service, disable the TLS `trafficPolicy` by applying a `DestinationRule` for the `OpenTelemetryCollector` service:
+
+.Example `DestinationRule` Tempo CR
+[source, yaml]
+----
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: otel-disable-tls
+spec:
+  host: "otel-collector.bookinfo.svc.cluster.local"
+  trafficPolicy:
+    tls:
+      mode: DISABLE
+----
+
+
 [id="configuring-distr-tracing-tempo-mtls-encrypted-namespace_{context}"]
 == Configuring the {TempoName} in a mTLS encrypted Service Mesh member namespace
 
