Ukraine flag We stand with our friends and colleagues in Ukraine. To support Ukraine in their time of need visit this page.

Securing Jaeger Installation

Version  next-release Preview

This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718external link ).

SDK to Agent

jaeger-agent is deprecatedexternal link . The OpenTelemetry data can be sent from the OpenTelemetry SDKs (equiped with OTLP exporters) directly to jaeger-collector. Alternatively, use the OpenTelemetry Collector as a local agent.

Deployments that involve jaeger-agent are meant for trusted environments where the agent is run as a sidecar within the container’s network namespace, or as a host agent. Therefore, there is currently no support for traffic encryption between clients and agents.

  • ❌ Sending trace data over UDP - no TLS/authentication.
  • ❌ Retrieving sampling configuration via HTTP - no TLS/authentication.

SDK to Collector

OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.

  • ✅ HTTP - TLS with mTLS (client cert authentication) supported.
  • ✅ gRPC - TLS with mTLS (client cert authentication) supported.
    • Covers boths span export and sampling configuration querying.

Agent to Collector

  • ✅ gRPC - TLS with client cert authentication supported.

Collector/Ingester/Query-Service to Storage

  • ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
  • ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
  • ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).

Browser to UI

Consumers to Query Service

  • ✅ HTTP - TLS with mTLS (client cert authentication) supported.
  • ✅ gRPC - TLS with mTLS (client cert authentication) supported.