Merge pull request #81253 from openshift/dtotel-docs-3.3

OBSDOCS-1293: Distributed Tracing and OpenTelemetry 3.3 docs

Author: jeana-redhat

modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.adoc

@@ -0,0 +1,64 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-receiver-tls-for-tempomonolithic_{context}"]
+= Receiver TLS configuration for a TempoMonolithic instance
+
+You can provide a TLS certificate in a secret or use the service serving certificates that are generated by {product-title}.
+
+* To provide a TLS certificate in a secret, configure it in the `TempoMonolithic` custom resource.
++
+[NOTE]
+====
+This feature is not supported with the enabled Tempo Gateway.
+====
++
+.TLS for receivers and using a user-provided certificate in a secret
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoMonolithic
+# ...
+  spec:
+# ...
+  ingestion:
+    otlp:
+      grpc:
+        tls:
+          enabled: true # <1>
+          certName: <tls_secret> # <2>
+          caName: <ca_name> # <3>
+# ...
+----
+<1> TLS enabled at the Tempo Distributor.
+<2> Secret containing a `tls.key` key and `tls.crt` certificate that you apply in advance.
+<3> Optional: CA in a config map to enable mutual TLS authentication (mTLS).
+
+* Alternatively, you can use the service serving certificates that are generated by {product-title}.
++
+[NOTE]
+====
+Mutual TLS authentication (mTLS) is not supported with this feature.
+====
++
+.TLS for receivers and using the service serving certificates that are generated by {product-title}
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoMonolithic
+# ...
+  spec:
+# ...
+  ingestion:
+    otlp:
+      grpc:
+        tls:
+          enabled: true
+      http:
+        tls:
+          enabled: true # <1>
+# ...
+----
+<1> Minimal configuration for the TLS at the Tempo Distributor.

modules/distr-tracing-tempo-config-receiver-tls-for-tempostack.adoc

@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-receiver-tls-for-tempostack_{context}"]
+= Receiver TLS configuration for a TempoStack instance
+
+You can provide a TLS certificate in a secret or use the service serving certificates that are generated by {product-title}.
+
+* To provide a TLS certificate in a secret, configure it in the `TempoStack` custom resource.
++
+[NOTE]
+====
+This feature is not supported with the enabled Tempo Gateway.
+====
++
+.TLS for receivers and using a user-provided certificate in a secret
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoStack
+# ...
+spec:
+# ...
+  template:
+    distributor:
+      tls:
+        enabled: true # <1>
+        certName: <tls_secret> # <2>
+        caName: <ca_name> # <3>
+# ...
+----
+<1> TLS enabled at the Tempo Distributor.
+<2> Secret containing a `tls.key` key and `tls.crt` certificate that you apply in advance.
+<3> Optional: CA in a config map to enable mutual TLS authentication (mTLS).
+
+* Alternatively, you can use the service serving certificates that are generated by {product-title}.
++
+[NOTE]
+====
+Mutual TLS authentication (mTLS) is not supported with this feature.
+====
++
+.TLS for receivers and using the service serving certificates that are generated by {product-title}
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoStack
+# ...
+spec:
+# ...
+  template:
+    distributor:
+      tls:
+        enabled: true <1>
+# ...
+----
+<1> Sufficient configuration for the TLS at the Tempo Distributor.

modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc

@@ -0,0 +1,83 @@
+// Module included in the following assemblies:
+//
+//* observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-object-storage-setup-aws-sts-install_{context}"]
+= Setting up the Amazon S3 storage with the Security Token Service
+
+You can set up the Amazon S3 storage with the Security Token Service (STS) by using the AWS Command Line Interface (AWS CLI).
+
+:FeatureName: The Amazon S3 storage with the Security Token Service
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+.Prerequisites
+
+* You have installed the latest version of the AWS CLI.
+
+.Procedure
+
+. Create an AWS S3 bucket.
+
+. Create the following `trust.json` file for the AWS IAM policy that will set up a trust relationship for the AWS IAM role, created in the next step, with the service account of the TempoStack instance:
++
+[source,yaml]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Federated": "arn:aws:iam::${<aws_account_id>}:oidc-provider/${<oidc_provider>}" # <1>
+        },
+        "Action": "sts:AssumeRoleWithWebIdentity",
+        "Condition": {
+          "StringEquals": {
+            "${OIDC_PROVIDER}:sub": [
+              "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}" # <2>
+              "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}-query-frontend"
+           ]
+         }
+       }
+     }
+    ]
+}
+----
+<1> OIDC provider that you have configured on the {product-title}. You can get the configured OIDC provider value also by running the following command: `$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g'`.
+<2> Namespace in which you intend to create the TempoStack instance.
+
+. Create an AWS IAM role by attaching the `trust.json` policy file that you created:
++
+[source,terminal]
+----
+$ aws iam create-role \
+      --role-name "tempo-s3-access" \
+      --assume-role-policy-document "file:///tmp/trust.json" \
+      --query Role.Arn \
+      --output text
+----
+
+. Attach an AWS IAM policy to the created role:
++
+[source,terminal]
+----
+$ aws iam attach-role-policy \
+      --role-name "tempo-s3-access" \
+      --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+----
+
+. In the {product-title}, create an object storage secret with keys as follows:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-test
+stringData:
+  bucket: <s3_bucket_name>
+  region: <s3_region>
+  role_arn: <s3_role_arn>
+type: Opaque
+----

observability/distr_tracing/distr-tracing-rn.adoc

@@ -8,10 +8,143 @@ toc::[]
 
 include::modules/distr-tracing-product-overview.adoc[leveloffset=+1]
 
-You can use the {DTShortName} xref:../otel/otel-forwarding.adoc#otel-forwarding-traces[in combination with] the xref:../otel/otel-installing.adoc#install-otel[{OTELName}].
+You can use the {TempoName} xref:../otel/otel-forwarding.adoc#otel-forwarding-traces[in combination with] the xref:../otel/otel-rn.adoc#otel_rn[{OTELName}].
 
 include::snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-features-only.adoc[]
 
+[id="distr-tracing_3-3_{context}"]
+== Release notes for {DTProductName} 3.3
+
+This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
+
+////
+[id="distr-tracing_3-3_cves_{context}"]
+=== CVEs
+
+This release fixes the following CVEs:
+
+* link:https://access.redhat.com/security/cve/CVE-202?-????/[CVE-202?-????]
+////
+
+[id="distr-tracing_3-3_tempo-release-notes_{context}"]
+=== {TempoName}
+
+The {TempoName} is provided through the {TempoOperator}.
+
+The {TempoName} 3.3 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.5.0.
+
+////
+[id="distr-tracing_3-3_tempo-release-notes_technology-preview-features_{context}"]
+==== Technology Preview features
+
+This update introduces the following Technology Preview feature:
+
+* ???.
+
+:FeatureName: The Tempo monolithic deployment
+include::snippets/technology-preview.adoc[leveloffset=+1]
+////
+
+[id="distr-tracing_3-3_tempo-release-notes_new-features-and-enhancements_{context}"]
+==== New features and enhancements
+
+This update introduces the following enhancements:
+
+* Support for securing the Jaeger UI and Jaeger APIs with the OpenShift OAuth Proxy. (link:https://issues.redhat.com/browse/TRACING-4108[TRACING-4108])
+* Support for using the service serving certificates, which are generated by {product-title}, on ingestion APIs when multitenancy is disabled. (link:https://issues.redhat.com/browse/TRACING-3954[TRACING-3954])
+* Support for ingesting by using the OTLP/HTTP protocol when multitenancy is enabled. (link:https://issues.redhat.com/browse/TRACING-4171[TRACING-4171])
+* Support for the AWS S3 Secure Token authentication. (link:https://issues.redhat.com/browse/TRACING-4176[TRACING-4176])
+* Support for automatically reloading certificates. (link:https://issues.redhat.com/browse/TRACING-4185[TRACING-4185])
+* Support for configuring the duration for which service names are available for querying. (link:https://issues.redhat.com/browse/TRACING-4214[TRACING-4214])
+
+////
+[id="distr-tracing_3-3_tempo-release-notes_deprecated-functionality_{context}"]
+==== Deprecated functionality
+
+In the {TempoName} 3.3, ???.
+////
+
+////
+[id="distr-tracing_3-3_tempo-release-notes_removal-notice_{context}"]
+==== Removal notice
+
+In the {TempoName} 3.3, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+[id="distr-tracing_3-3_tempo-release-notes_bug-fixes_{context}"]
+==== Bug fixes
+
+This update introduces the following bug fixes:
+
+* Before this update, storage certificate names did not support dots. With this update, storage certificate name can contain dots. (link:https://issues.redhat.com/browse/TRACING-4348[TRACING-4348])
+* Before this update, some users had to select a certificate when accessing the gateway route. With this update, there is no prompt to select a certificate. (link:https://issues.redhat.com/browse/TRACING-4431[TRACING-4431])
+* Before this update, the gateway component was not scalable. With this update, the gateway component is scalable. (link:https://issues.redhat.com/browse/TRACING-4497[TRACING-4497])
+* Before this update the Jaeger UI might fail with the *504 Gateway Time-out* error when accessed via a route. With this update, users can specify route annotations for increasing timeout, such as `haproxy.router.openshift.io/timeout: 3m`, when querying large data sets. (link:https://issues.redhat.com/browse/TRACING-4511[TRACING-4511])
+
+[id="distr-tracing_3-3_tempo-release-notes_known-issues_{context}"]
+==== Known issues
+
+There is currently a known issue:
+
+* Currently, the {TempoShortName} fails on the {ibm-z-title} (`s390x`) architecture. (link:https://issues.redhat.com/browse/TRACING-3545[TRACING-3545])
+
+[id="distr-tracing_3-3_jaeger-release-notes_{context}"]
+=== {JaegerName}
+
+The {JaegerName} is provided through the {JaegerOperator} Operator.
+
+The {JaegerName} 3.3 is based on the open source link:https://www.jaegertracing.io/[Jaeger] release 1.57.0.
+
+[IMPORTANT]
+====
+Jaeger does not use FIPS validated cryptographic modules.
+====
+
+[id="distr-tracing_3-3_jaeger-release-notes_support-for-elasticsearch-operator_{context}"]
+==== Support for the {es-op}
+
+The {JaegerName} 3.3 is supported for use with the {es-op} 5.6, 5.7, and 5.8.
+
+[id="distr-tracing_3-3_jaeger-release-notes_deprecated-functionality_{context}"]
+==== Deprecated functionality
+
+In the {DTProductName} 3.3, Jaeger and support for Elasticsearch remain deprecated, and both are planned to be removed in a future release.
+Red Hat will provide support for these components and fixes for CVEs and bugs with critical and higher severity during the current release lifecycle, but these components will no longer receive feature enhancements.
+The {TempoOperator} and the {OTELName} are the preferred Operators for distributed tracing collection and storage.
+Users must adopt the OpenTelemetry and Tempo distributed tracing stack because it is the stack to be enhanced going forward.
+
+In the {DTProductName} 3.3, the Jaeger agent is deprecated and planned to be removed in the following release.
+Red Hat will provide bug fixes and support for the Jaeger agent during the current release lifecycle, but the Jaeger agent will no longer receive enhancements and will be removed.
+The OpenTelemetry Collector provided by the {OTELName} is the preferred Operator for injecting the trace collector agent.
+
+////
+[id="distr-tracing_3-3_jaeger-release-notes_removal-notice_{context}"]
+==== Removal notice
+
+In the {JaegerName} 3.3, the FEATURE has been removed. Bug fixes and support are provided only through the end of the 3.? lifecycle. As an alternative to the FEATURE for USE CASE, you can use the ALTERNATIVE instead.
+////
+
+////
+[id="distr-tracing_3-3_jaeger-release-notes_bug-fixes_{context}"]
+==== Bug fixes
+
+This update introduces the following bug fixes:
+
+* Before this update, ???. With this update, ???. (link:https://issues.redhat.com/browse/TRACING-????/[TRACING-????])
+////
+
+[id="distr-tracing_3-3_jaeger-release-notes_known-issues_{context}"]
+==== Known issues
+
+There are currently known issues:
+
+* Currently, Apache Spark is not supported.
+
+ifndef::openshift-rosa[]
+
+* Currently, the streaming deployment via AMQ/Kafka is not supported on the {ibm-z-title} and {ibm-power-title} architectures.
+endif::openshift-rosa[]
+
 [id="distr-tracing_3-2-2_{context}"]
 == Release notes for {DTProductName} 3.2.2
 

observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc

@@ -30,6 +30,27 @@ include::modules/distr-tracing-tempo-config-query-frontend.adoc[leveloffset=+1]
 
 include::modules/distr-tracing-tempo-config-spanmetrics.adoc[leveloffset=+1]
 
+[id="config-receiver-tls_{context}"]
+== Configuring the receiver TLS
+
+The custom resource of your TempoStack or TempoMonolithic instance supports configuring the TLS for receivers by using user-provided certificates or OpenShift's service serving certificates.
+
+include::modules/distr-tracing-tempo-config-receiver-tls-for-tempostack.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates]
+
+include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] 
+
 include::modules/distr-tracing-tempo-config-multitenancy.adoc[leveloffset=+1]
 
 [id="taints-and-tolerations_{context}"]

observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-installing.adoc

@@ -61,6 +61,16 @@ include::modules/distr-tracing-tempo-install-tempomonolithic-cli.adoc[leveloffse
 
 include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1]
 
+include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* link:https://docs.aws.amazon.com/iam/[AWS Identity and Access Management Documentation]
+* link:https://docs.aws.amazon.com/cli/[AWS Command Line Interface Documentation]
+* xref:../../../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[Configuring an OpenID Connect identity provider]
+* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html[Identify AWS resources with Amazon Resource Names (ARNs)]
+
 [role="_additional-resources"]
 [id="additional-resources_dist-tracing-tempo-installing"]
 == Additional resources