Is your feature request related to a problem?
When introducing more and more data into our Tempo environment, we would like to be on top of the security. One of these items is the encryption in transit for the Memcached caches. We host the caches externally (cheaper to have AWS manage them).
The current configuration does not give the ability to have these TLS-encrypted connections.
Tempo Cache Configuration
Describe the solution you'd like.
With the latest release of Loki v3.0.0 the following configuration elements have been added:
```yaml
# Enable connecting to Memcached with TLS.
# CLI flag: -<prefix>.memcached.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate, which will be used for authenticating with
# the server. Also requires the key path to be configured.
# CLI flag: -<prefix>.memcached.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -<prefix>.memcached.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates to validate server certificate against. If not
# set, the host's root CA certificates are used.
# CLI flag: -<prefix>.memcached.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -<prefix>.memcached.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -<prefix>.memcached.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# Override the default cipher suite list (separated by commas). Allowed
# values:
#
# Secure Ciphers:
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
#
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -<prefix>.memcached.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Override the default minimum TLS version. Allowed values: VersionTLS10,
# VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -<prefix>.memcached.tls-min-version
[tls_min_version: <string> | default = ""]
```
This seems to be a perfect solution from my side.
Describe alternatives you've considered
The alternative is to not use TLS for this connection. This is what we are currently doing, and this works perfectly. We are looking into some cost saving (besides the security aspect) and it seems that AWS ElastiCache Memcached Serverless requires the connection to be encrypted.
Additional context
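An added example, not part of the original issue and not Loki or Tempo code: a Go pre-flight check over the Memcached TLS options quoted in the issue that flags settings which weaken or break the connection. The struct and function names are hypothetical, and cipher suites are classified by the Go standard library of the toolchain in use, which may differ from the secure/insecure split in the quoted reference.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// MemcachedTLS is a hypothetical struct mirroring option names quoted in the issue.
type MemcachedTLS struct {
	Enabled, InsecureSkipVerify                 bool
	CertPath, KeyPath, CipherSuites, MinVersion string
}

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// Audit returns one finding per setting that weakens or breaks the TLS connection.
func Audit(c MemcachedTLS) []string {
	if !c.Enabled {
		return []string{"tls_enabled: false, cache traffic is not encrypted"}
	}
	var out []string
	if (c.CertPath == "") != (c.KeyPath == "") {
		out = append(out, "tls_cert_path/tls_key_path: must be set together")
	}
	if c.InsecureSkipVerify {
		out = append(out, "tls_insecure_skip_verify: server certificate is not validated")
	}
	if v, ok := tlsVersions[c.MinVersion]; c.MinVersion != "" && (!ok || v < tls.VersionTLS12) {
		out = append(out, fmt.Sprintf("tls_min_version: %q is unknown or below VersionTLS12", c.MinVersion))
	}
	weak := map[string]bool{} // suite name -> insecure, as classified by the Go toolchain in use
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		weak[s.Name] = s.Insecure
	}
	for _, name := range strings.Split(c.CipherSuites, ",") {
		name = strings.TrimSpace(name)
		if insecure, known := weak[name]; name != "" && !known {
			out = append(out, fmt.Sprintf("tls_cipher_suites: unknown suite %q", name))
		} else if insecure {
			out = append(out, fmt.Sprintf("tls_cipher_suites: insecure suite %s", name))
		}
	}
	return out
}

func main() { // constructed sample configuration, not taken from the issue
	fmt.Println(Audit(MemcachedTLS{Enabled: true, InsecureSkipVerify: true, MinVersion: "VersionTLS10"}))
}
```

An empty `tls_min_version` or `tls_cipher_suites` is not flagged here, since the quoted reference leaves both at the library defaults.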