Merge pull request #79813 from max-cx/OBSDOCS-864

skopacz1 · web-flow · commit 3d4704ab7c45 · 2024-08-27T11:24:35.000-04:00
OBSDOCS-864: Documentation for using OpenShift service CA in Tempo
diff --git a/modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.adoc b/modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.adoc
@@ -0,0 +1,64 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-receiver-tls-for-tempomonolithic_{context}"]
+= Receiver TLS configuration for a TempoMonolithic instance
+
+You can provide a TLS certificate in a secret or use the service serving certificates that are generated by {product-title}.
+
+* To provide a TLS certificate in a secret, configure it in the `TempoMonolithic` custom resource.
++
+[NOTE]
+====
+This feature is not supported with the enabled Tempo Gateway.
+====
++
+.TLS for receivers and using a user-provided certificate in a secret
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoMonolithic
+# ...
+  spec:
+# ...
+  ingestion:
+    otlp:
+      grpc:
+        tls:
+          enabled: true # <1>
+          certName: <tls_secret> # <2>
+          caName: <ca_name> # <3>
+# ...
+----
+<1> TLS enabled at the Tempo Distributor.
+<2> Secret containing a `tls.key` key and `tls.crt` certificate that you apply in advance.
+<3> Optional: CA in a config map to enable mutual TLS authentication (mTLS).
+
+* Alternatively, you can use the service serving certificates that are generated by {product-title}.
++
+[NOTE]
+====
+Mutual TLS authentication (mTLS) is not supported with this feature.
+====
++
+.TLS for receivers and using the service serving certificates that are generated by {product-title}
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoMonolithic
+# ...
+  spec:
+# ...
+  ingestion:
+    otlp:
+      grpc:
+        tls:
+          enabled: true
+      http:
+        tls:
+          enabled: true # <1>
+# ...
+----
+<1> Minimal configuration for the TLS at the Tempo Distributor.
diff --git a/modules/distr-tracing-tempo-config-receiver-tls-for-tempostack.adoc b/modules/distr-tracing-tempo-config-receiver-tls-for-tempostack.adoc
@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-receiver-tls-for-tempostack_{context}"]
+= Receiver TLS configuration for a TempoStack instance
+
+You can provide a TLS certificate in a secret or use the service serving certificates that are generated by {product-title}.
+
+* To provide a TLS certificate in a secret, configure it in the `TempoStack` custom resource.
++
+[NOTE]
+====
+This feature is not supported with the enabled Tempo Gateway.
+====
++
+.TLS for receivers and using a user-provided certificate in a secret
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoStack
+# ...
+spec:
+# ...
+  template:
+    distributor:
+      tls:
+        enabled: true # <1>
+        certName: <tls_secret> # <2>
+        caName: <ca_name> # <3>
+# ...
+----
+<1> TLS enabled at the Tempo Distributor.
+<2> Secret containing a `tls.key` key and `tls.crt` certificate that you apply in advance.
+<3> Optional: CA in a config map to enable mutual TLS authentication (mTLS).
+
+* Alternatively, you can use the service serving certificates that are generated by {product-title}.
++
+[NOTE]
+====
+Mutual TLS authentication (mTLS) is not supported with this feature.
+====
++
+.TLS for receivers and using the service serving certificates that are generated by {product-title}
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoStack
+# ...
+spec:
+# ...
+  template:
+    distributor:
+      tls:
+        enabled: true <1>
+# ...
+----
+<1> Sufficient configuration for the TLS at the Tempo Distributor.
diff --git a/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc b/observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc
@@ -30,6 +30,27 @@ include::modules/distr-tracing-tempo-config-query-frontend.adoc[leveloffset=+1]
 
 include::modules/distr-tracing-tempo-config-spanmetrics.adoc[leveloffset=+1]
 
+[id="config-receiver-tls_{context}"]
+== Configuring the receiver TLS
+
+The custom resource of your TempoStack or TempoMonolithic instance supports configuring the TLS for receivers by using user-provided certificates or OpenShift's service serving certificates.
+
+include::modules/distr-tracing-tempo-config-receiver-tls-for-tempostack.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates]
+
+include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] 
+
 include::modules/distr-tracing-tempo-config-multitenancy.adoc[leveloffset=+1]
 
 [id="taints-and-tolerations_{context}"]
