jaegertracing · yurishkuro · Nov 27, 2024 · Nov 27, 2024 · Nov 27, 2024
diff --git a/content/docs/next-release-v2/deployment.md b/content/docs/next-release-v2/deployment.md
@@ -10,6 +10,8 @@ children:
   url: kubernetes
 - title: On Windows
   url: windows
+- title: Security
+  url: security
 ---
 
 Jaeger backend is released as a single binary or container image (see [Downloads](../../../download/)). Despite that, it can be configured to operate in different roles, such as all-in-one, collector, query, and ingester (see [Architecture](../architecture/)).

diff --git a/content/docs/next-release-v2/security.md b/content/docs/next-release-v2/security.md
@@ -0,0 +1,33 @@
+---
+title: Securing Jaeger Installation
+hasparent: true
+---
+
+This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components.
+
+## SDK to Collector
+
+OpenTelemetry SDKs can be configured to communicate directly with Jaeger Collectors via gRPC or HTTP, with optional TLS enabled.
+
+* {{< check_yes >}} HTTP - TLS with mTLS (client cert authentication) supported.
+* {{< check_yes >}} gRPC - TLS with mTLS (client cert authentication) supported.
+  * Covers both span export and sampling configuration querying.
+
+## Collector/Ingester/Query to Storage
+
+* {{< check_yes >}} Cassandra - TLS with mTLS (client cert authentication) supported.
+* {{< check_yes >}} Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
+* {{< check_yes >}} Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).
+
+## Browser to UI
+
+* {{< check_yes >}} HTTP - TLS and bearer token authentication (pass-through to storage).
+  * Blog post: [Protecting Jaeger UI with an OAuth sidecar Proxy](https://medium.com/jaegertracing/protecting-jaeger-ui-with-an-oauth-sidecar-proxy-34205cca4bb1).
+  * Blog post: [Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift](https://medium.com/@larsmilland01/secure-architecture-for-jaeger-with-apache-httpd-reverse-proxy-on-openshift-f31983fad400).
+
+## Consumers to Query
+
+* {{< check_yes >}} HTTP - TLS with mTLS (client cert authentication) supported.
+* {{< check_yes >}} gRPC - TLS with mTLS (client cert authentication) supported.
+
+[issue-1718]: https://github.com/jaegertracing/jaeger/issues/1718
diff --git a/content/docs/next-release/security.md b/content/docs/next-release/security.md
@@ -21,7 +21,7 @@ OpenTelemetry SDKs can be configured to communicate directly with **jaeger-colle
 
 ## Browser to UI
 
-* {{< check_no >}} HTTP - no TLS; bearer token authentication (pass-through to storage).
+* {{< check_yes >}} HTTP - TLS and bearer token authentication (pass-through to storage).
   * Blog post: [Protecting Jaeger UI with an OAuth sidecar Proxy](https://medium.com/jaegertracing/protecting-jaeger-ui-with-an-oauth-sidecar-proxy-34205cca4bb1).
   * Blog post: [Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift](https://medium.com/@larsmilland01/secure-architecture-for-jaeger-with-apache-httpd-reverse-proxy-on-openshift-f31983fad400).