---
title: "otelcol.extension.jaeger_remote_sampling | Grafana Alloy documentation"
description: "Learn about otelcol.extension.jaeger_remote_sampling"
---

# `otelcol.extension.jaeger_remote_sampling`

`otelcol.extension.jaeger_remote_sampling` serves a specified Jaeger remote sampling document.

> Note
> 
> `otelcol.extension.jaeger_remote_sampling` is a wrapper over the upstream OpenTelemetry Collector [`jaegerremotesampling`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.147.0/extension/jaegerremotesampling) extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple `otelcol.extension.jaeger_remote_sampling` components by giving them different labels.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.extension.jaeger_remote_sampling "<LABEL>" {
  source {
  }
}
```

## Arguments

The `otelcol.extension.jaeger_remote_sampling` component doesn’t support any arguments. You can configure this component with blocks.

## Blocks

You can use the following blocks with `otelcol.extension.jaeger_remote_sampling`:

No valid configuration blocks found.

### `source`

Required

The `source` block configures the method of retrieving the Jaeger remote sampling document that’s served by the servers specified in the `grpc` and `http` blocks.

The following arguments are supported:

Expand table

| Name              | Type       | Description                                                                     | Default | Required |
|-------------------|------------|---------------------------------------------------------------------------------|---------|----------|
| `content`         | `string`   | A string containing the Jaeger remote sampling contents directly.               | `""`    | no       |
| `file`            | `string`   | A local file containing a Jaeger remote sampling document.                      | `""`    | no       |
| `reload_interval` | `duration` | The interval at which to reload the specified file. Leave at 0 to never reload. | `"0"`   | no       |

Exactly one of the `file` argument, `content` argument or `remote` block must be specified.

### `remote`

The `remote` block configures the gRPC client used by the component.

The following arguments are supported:

Expand table

| Name                | Type                       | Description                                                                      | Default    | Required |
|---------------------|----------------------------|----------------------------------------------------------------------------------|------------|----------|
| `endpoint`          | `string`                   | `host:port` to send telemetry data to.                                           |            | yes      |
| `auth`              | `capsule(otelcol.Handler)` | Handler from an `otelcol.auth` component to use for authenticating requests.     |            | no       |
| `authority`         | `string`                   | Overrides the default `:authority` header in gRPC requests from the gRPC client. |            | no       |
| `compression`       | `string`                   | Compression mechanism to use for requests.                                       | `"gzip"`   | no       |
| `headers`           | `map(string)`              | Additional headers to send with the request.                                     | `{}`       | no       |
| `read_buffer_size`  | `string`                   | Size of the read buffer the gRPC client to use for reading server responses.     |            | no       |
| `wait_for_ready`    | `bool`                     | Waits for gRPC connection to be in the `READY` state before sending data.        | `false`    | no       |
| `write_buffer_size` | `string`                   | Size of the write buffer the gRPC client to use for writing requests.            | `"512KiB"` | no       |

By default, requests are compressed with Gzip. The `compression` argument controls which compression mechanism to use. Supported strings are:

- `"gzip"`
- `"zlib"`
- `"deflate"`
- `"snappy"`
- `"zstd"`

If you set `compression` to `"none"` or an empty string `""`, the requests aren’t compressed.

The supported values for `balancer_name` are listed in the gRPC documentation on [Load balancing](https://github.com/grpc/grpc-go/blob/master/examples/features/load_balancing/README.md):

- `pick_first`: Tries to connect to the first address. It uses the address for all RPCs if it connects, or if it fails, it tries the next address and keeps trying until one connection is successful. Because of this, all the RPCs are sent to the same backend.
- `round_robin`: Connects to all the addresses it sees and sends an RPC to each backend one at a time in order. For example, the first RPC is sent to backend-1, the second RPC is sent to backend-2, and the third RPC is sent to backend-1.

The `:authority` header in gRPC specifies the host to which the request is being sent. It’s similar to the `Host` [header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host) in HTTP requests. By default, the value for `:authority` is derived from the endpoint URL used for the gRPC call. Overriding `:authority` could be useful when routing traffic using a proxy like Envoy, which [makes routing decisions](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/route_matching) based on the value of the `:authority` header.

An HTTP proxy can be configured through the following environment variables:

- `HTTPS_PROXY`
- `NO_PROXY`

The `HTTPS_PROXY` environment variable specifies a URL to use for proxying requests. Connections to the proxy are established via [the `HTTP CONNECT` method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT).

The `NO_PROXY` environment variable is an optional list of comma-separated hostnames for which the HTTPS proxy should *not* be used. Each hostname can be provided as an IP address (`1.2.3.4`), an IP address in CIDR notation (`1.2.3.4/8`), a domain name (`example.com`), or `*`. A domain name matches that domain and all subdomains. A domain name with a leading “.” (`.example.com`) matches subdomains only. `NO_PROXY` is only read when `HTTPS_PROXY` is set.

Because `otelcol.extension.jaeger_remote_sampling` uses gRPC, the configured proxy server must be able to handle and proxy HTTP/2 traffic.

### `keepalive` client

This `keepalive` block configures keepalive settings for gRPC client connections.

The following arguments are supported:

Expand table

| Name                    | Type       | Description                                                                               | Default | Required |
|-------------------------|------------|-------------------------------------------------------------------------------------------|---------|----------|
| `ping_wait`             | `duration` | How often to ping the server after no activity.                                           |         | no       |
| `ping_response_timeout` | `duration` | Time to wait before closing inactive connections if the server doesn’t respond to a ping. |         | no       |
| `ping_without_stream`   | `boolean`  | Send pings even if there is no active stream request.                                     |         | no       |

### `tls` client

This `tls` block configures TLS settings used for the connection to the gRPC server.

The following arguments are supported:

Expand table

| Name                           | Type           | Description                                                                                  | Default     | Required |
|--------------------------------|----------------|----------------------------------------------------------------------------------------------|-------------|----------|
| `ca_file`                      | `string`       | Path to the CA file.                                                                         |             | no       |
| `ca_pem`                       | `string`       | CA PEM-encoded text to validate the server with.                                             |             | no       |
| `cert_file`                    | `string`       | Path to the TLS certificate.                                                                 |             | no       |
| `cert_pem`                     | `string`       | Certificate PEM-encoded text for client authentication.                                      |             | no       |
| `cipher_suites`                | `list(string)` | A list of TLS cipher suites that the TLS transport can use.                                  | `[]`        | no       |
| `curve_preferences`            | `list(string)` | Set of elliptic curves to use in a handshake.                                                | `[]`        | no       |
| `include_system_ca_certs_pool` | `boolean`      | Whether to load the system certificate authorities pool alongside the certificate authority. | `false`     | no       |
| `insecure_skip_verify`         | `boolean`      | Ignores insecure server TLS certificates.                                                    |             | no       |
| `insecure`                     | `boolean`      | Disables TLS when connecting to the configured server.                                       |             | no       |
| `key_file`                     | `string`       | Path to the TLS certificate key.                                                             |             | no       |
| `key_pem`                      | `secret`       | Key PEM-encoded text for client authentication.                                              |             | no       |
| `max_version`                  | `string`       | Maximum acceptable TLS version for connections.                                              | `"TLS 1.3"` | no       |
| `min_version`                  | `string`       | Minimum acceptable TLS version for connections.                                              | `"TLS 1.2"` | no       |
| `reload_interval`              | `duration`     | The duration after which the certificate is reloaded.                                        | `"0s"`      | no       |
| `server_name`                  | `string`       | Verifies the hostname of server certificates when set.                                       |             | no       |

If the server doesn’t support TLS, you must set the `insecure` argument to `true`.

To disable `tls` for connections to the server, set the `insecure` argument to `true`.

If you set `reload_interval` to `"0s"`, the certificate never reloaded.

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

If `cipher_suites` is left blank, a safe default list is used. Refer to the [Go TLS documentation](https://go.dev/src/crypto/tls/cipher_suites.go) for a list of supported cipher suites.

The `curve_preferences` argument determines the set of [elliptic curves](https://go.dev/src/crypto/tls/common.go#L138) to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves available are `X25519`, `P521`, `P256`, and `P384`.

### `tpm`

The `tpm` block configures retrieving the TLS `key_file` from a trusted device.

The following arguments are supported:

Expand table

| Name         | Type     | Description                                                        | Default | Required |
|--------------|----------|--------------------------------------------------------------------|---------|----------|
| `auth`       | `string` | The authorization value used to authenticate the TPM device.       | `""`    | no       |
| `enabled`    | `bool`   | Load the `tls.key_file` from TPM.                                  | `false` | no       |
| `owner_auth` | `string` | The owner authorization value used to authenticate the TPM device. | `""`    | no       |
| `path`       | `string` | Path to the TPM device or Unix domain socket.                      | `""`    | no       |

The [trusted platform module](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.

The `path` attribute is not supported on Windows.

In the following example, the private key `my-tss2-key.key` in TSS2 format is loaded from the TPM device `/dev/tmprm0`:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.example.component "<LABEL>" {
    ...
    tls {
        ...
        key_file = "my-tss2-key.key"
        tpm {
            enabled = true
            path = "/dev/tpmrm0"
        }
    }
}
```

### `http`

The `http` block configures an HTTP server which serves the Jaeger remote sampling document.

The following arguments are supported:

Expand table

| Name                     | Type                       | Description                                                                  | Default                                                    | Required |
|--------------------------|----------------------------|------------------------------------------------------------------------------|------------------------------------------------------------|----------|
| `auth`                   | `capsule(otelcol.Handler)` | Handler from an `otelcol.auth` component to use for authenticating requests. |                                                            | no       |
| `compression_algorithms` | `list(string)`             | A list of compression algorithms the server can accept.                      | `["", "gzip", "zstd", "zlib", "snappy", "deflate", "lz4"]` | no       |
| `endpoint`               | `string`                   | `host:port` to listen for traffic on.                                        | `"0.0.0.0:5778"`                                           | no       |
| `include_metadata`       | `boolean`                  | Propagate incoming connection metadata to downstream consumers.              |                                                            | no       |
| `keep_alives_enabled`    | `boolean`                  | Whether or not HTTP keep-alives are enabled                                  | `true`                                                     | no       |
| `max_request_body_size`  | `string`                   | Maximum request body size the server will allow.                             | `"20MiB"`                                                  | no       |

### `cors`

The `cors` block configures CORS settings for an HTTP server.

The following arguments are supported:

Expand table

| Name              | Type           | Description                                              | Default                | Required |
|-------------------|----------------|----------------------------------------------------------|------------------------|----------|
| `allowed_headers` | `list(string)` | Accepted headers from CORS requests.                     | `["X-Requested-With"]` | no       |
| `allowed_origins` | `list(string)` | Allowed values for the `Origin` header.                  |                        | no       |
| `max_age`         | `number`       | Configures the `Access-Control-Max-Age` response header. |                        | no       |

The `allowed_headers` specifies which headers are acceptable from a CORS request. The following headers are always implicitly allowed:

- `Accept`
- `Accept-Language`
- `Content-Type`
- `Content-Language`

If `allowed_headers` includes `"*"`, all headers will be permitted.

### `tls`

The `tls` block configures TLS settings used for a server. If the `tls` block isn’t provided, TLS won’t be used for connections to the server.

The following arguments are supported:

Expand table

| Name                           | Type           | Description                                                                                  | Default     | Required |
|--------------------------------|----------------|----------------------------------------------------------------------------------------------|-------------|----------|
| `ca_file`                      | `string`       | Path to the CA file.                                                                         |             | no       |
| `ca_pem`                       | `string`       | CA PEM-encoded text to validate the server with.                                             |             | no       |
| `cert_file`                    | `string`       | Path to the TLS certificate.                                                                 |             | no       |
| `cert_pem`                     | `string`       | Certificate PEM-encoded text for client authentication.                                      |             | no       |
| `cipher_suites`                | `list(string)` | A list of TLS cipher suites that the TLS transport can use.                                  | `[]`        | no       |
| `client_ca_file`               | `string`       | Path to the TLS cert to use by the server to verify a client certificate.                    |             | no       |
| `curve_preferences`            | `list(string)` | Set of elliptic curves to use in a handshake.                                                | `[]`        | no       |
| `include_system_ca_certs_pool` | `boolean`      | Whether to load the system certificate authorities pool alongside the certificate authority. | `false`     | no       |
| `key_file`                     | `string`       | Path to the TLS certificate key.                                                             |             | no       |
| `key_pem`                      | `secret`       | Key PEM-encoded text for client authentication.                                              |             | no       |
| `max_version`                  | `string`       | Maximum acceptable TLS version for connections.                                              | `"TLS 1.3"` | no       |
| `min_version`                  | `string`       | Minimum acceptable TLS version for connections.                                              | `"TLS 1.2"` | no       |
| `reload_interval`              | `duration`     | The duration after which the certificate is reloaded.                                        | `"0s"`      | no       |

If `reload_interval` is set to `"0s"`, the certificate never reloaded.

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

If `cipher_suites` is left blank, a safe default list is used. Refer to the [Go Cipher Suites documentation](https://go.dev/src/crypto/tls/cipher_suites.go) for a list of supported cipher suites.

`client_ca_file` sets the `ClientCA` and `ClientAuth` to `RequireAndVerifyClientCert` in the `TLSConfig`. Refer to the [Go TLS documentation](https://godoc.org/crypto/tls#Config) for more information.

The `curve_preferences` argument determines the set of elliptic curves to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves available are `X25519`, `P521`, `P256`, and `P384`.

### `tpm`

The `tpm` block configures retrieving the TLS `key_file` from a trusted device.

The following arguments are supported:

Expand table

| Name         | Type     | Description                                                        | Default | Required |
|--------------|----------|--------------------------------------------------------------------|---------|----------|
| `auth`       | `string` | The authorization value used to authenticate the TPM device.       | `""`    | no       |
| `enabled`    | `bool`   | Load the `tls.key_file` from TPM.                                  | `false` | no       |
| `owner_auth` | `string` | The owner authorization value used to authenticate the TPM device. | `""`    | no       |
| `path`       | `string` | Path to the TPM device or Unix domain socket.                      | `""`    | no       |

The [trusted platform module](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.

The `path` attribute is not supported on Windows.

In the following example, the private key `my-tss2-key.key` in TSS2 format is loaded from the TPM device `/dev/tmprm0`:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.example.component "<LABEL>" {
    ...
    tls {
        ...
        key_file = "my-tss2-key.key"
        tpm {
            enabled = true
            path = "/dev/tpmrm0"
        }
    }
}
```

### `grpc`

The `grpc` block configures a gRPC server which serves the Jaeger remote sampling document.

The following arguments are supported:

Expand table

| Name                     | Type                       | Description                                                                  | Default           | Required |
|--------------------------|----------------------------|------------------------------------------------------------------------------|-------------------|----------|
| `auth`                   | `capsule(otelcol.Handler)` | Handler from an `otelcol.auth` component to use for authenticating requests. |                   | no       |
| `endpoint`               | `string`                   | `host:port` to listen for traffic on.                                        | `"0.0.0.0:14250"` | no       |
| `include_metadata`       | `boolean`                  | Propagate incoming connection metadata to downstream consumers.              |                   | no       |
| `max_concurrent_streams` | `number`                   | Limit the number of concurrent streaming RPC calls.                          |                   | no       |
| `max_recv_msg_size`      | `string`                   | Maximum size of messages the server will accept.                             | `"4MiB"`          | no       |
| `read_buffer_size`       | `string`                   | Size of the read buffer the gRPC server will use for reading from clients.   | `"512KiB"`        | no       |
| `transport`              | `string`                   | Transport to use for the gRPC server.                                        | `"tcp"`           | no       |
| `write_buffer_size`      | `string`                   | Size of the write buffer the gRPC server will use for writing to clients.    |                   | no       |

### `keepalive`

The `keepalive` block configures keepalive settings for connections to a gRPC server.

`keepalive` doesn’t support any arguments and is configured fully through inner blocks.

### `enforcement_policy`

The `enforcement_policy` block configures the keepalive enforcement policy for gRPC servers. The server will close connections from clients that violate the configured policy.

The following arguments are supported:

Expand table

| Name                    | Type       | Description                                                             | Default | Required |
|-------------------------|------------|-------------------------------------------------------------------------|---------|----------|
| `min_time`              | `duration` | Minimum time clients should wait before sending a keepalive ping.       | `"5m"`  | no       |
| `permit_without_stream` | `boolean`  | Allow clients to send keepalive pings when there are no active streams. | `false` | no       |

### `server_parameters`

The `server_parameters` block controls keepalive and maximum age settings for gRPC servers.

The following arguments are supported:

Expand table

| Name                       | Type       | Description                                                                         | Default      | Required |
|----------------------------|------------|-------------------------------------------------------------------------------------|--------------|----------|
| `max_connection_age_grace` | `duration` | Time to wait before forcibly closing connections.                                   | `"infinity"` | no       |
| `max_connection_age`       | `duration` | Maximum age for non-idle connections.                                               | `"infinity"` | no       |
| `max_connection_idle`      | `duration` | Maximum age for idle connections.                                                   | `"infinity"` | no       |
| `time`                     | `duration` | How often to ping inactive clients to check for liveness.                           | `"2h"`       | no       |
| `timeout`                  | `duration` | Time to wait before closing inactive clients that don’t respond to liveness checks. | `"20s"`      | no       |

### `debug_metrics`

The `debug_metrics` block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

Expand table

| Name                               | Type      | Description                                          | Default | Required |
|------------------------------------|-----------|------------------------------------------------------|---------|----------|
| `disable_high_cardinality_metrics` | `boolean` | Whether to disable certain high cardinality metrics. | `true`  | no       |

`disable_high_cardinality_metrics` is the Alloy equivalent to the `telemetry.disableHighCardinalityMetrics` feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

> Note
> 
> If configured, `disable_high_cardinality_metrics` only applies to `otelcol.exporter.*` and `otelcol.receiver.*` components.

## Component health

`otelcol.extension.jaeger_remote_sampling` is only reported as unhealthy if given an invalid configuration.

## Debug information

`otelcol.extension.jaeger_remote_sampling` doesn’t expose any component-specific debug information.

## Examples

### Serve from a file

This example configures the Jaeger remote sampling extension to load a local JSON document and serve it over the default HTTP port of 5778. Currently this configuration style exists for consistency with upstream OpenTelemetry Collector components and may be removed.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.extension.jaeger_remote_sampling "example" {
  http {
  }
  source {
    file             = "/path/to/jaeger-sampling.json"
    reload_interval  = "10s"
  }
}
```

### Serve from another component

This example uses the output of a component to determine what sampling rules to serve:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
local.file "sampling" {
  filename  = "/path/to/jaeger-sampling.json"
}

otelcol.extension.jaeger_remote_sampling "example" {
  http {
  }
  source {
    content = local.file.sampling.content
  }
}
```

## Enable authentication

You can use `jaeger_remote_sampling` to authenticate requests. This allows you to limit access to the sampling document.

> Note
> 
> Not all OpenTelemetry Collector authentication plugins support receiver authentication. Refer to the [documentation](/docs/alloy/latest/reference/components/otelcol/) for each `otelcol.auth.*` component to determine its compatibility.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.extension.jaeger_remote_sampling "default" {
  http {
    auth = otelcol.auth.basic.creds.handler
  }
  grpc {
     auth = otelcol.auth.basic.creds.handler
  }
}

otelcol.auth.basic "creds" {
    username = sys.env("USERNAME")
    password = sys.env("PASSWORD")
}
```