Update

jaegertracing · Jul 16, 2019 · ffd30f7 · ffd30f7
1 parent a890cba
commit ffd30f7
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 64 deletions.
diff --git a/cmd/agent/app/reporter/grpc/builder_test.go b/cmd/agent/app/reporter/grpc/builder_test.go
@@ -14,10 +14,7 @@
 package grpc
 
 import (
-	"crypto/tls"
-	"crypto/x509"
 	"errors"
-	"io/ioutil"
 	"net"
 	"strings"
 	"testing"
@@ -32,6 +29,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	yaml "gopkg.in/yaml.v2"
 
+	"github.com/jaegertracing/jaeger/cmd/collector/app/grpcserver"
 	"github.com/jaegertracing/jaeger/pkg/discovery"
 	"github.com/jaegertracing/jaeger/proto-gen/api_v2"
 	"github.com/jaegertracing/jaeger/thrift-gen/jaeger"
@@ -318,31 +316,14 @@ func TestProxyClientTLS(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			var opts []grpc.ServerOption
 			if test.serverTLS {
-				tlsCfg := &tls.Config{
-					MinVersion: tls.VersionTLS12,
-				}
-
-				tlsCert, err := tls.LoadX509KeyPair(test.serverTLSCert, test.serverTLSKey)
+				tlsCfg, err := grpcserver.TLSConfig(
+					test.serverTLSCert,
+					test.serverTLSKey,
+					test.serverTLSClientCA)
 				if err != nil {
 					require.NoError(t, err)
 				}
 
-				tlsCfg.Certificates = []tls.Certificate{tlsCert}
-
-				if test.serverTLSClientCA != "" {
-					caPEM, err := ioutil.ReadFile(test.serverTLSClientCA)
-					if err != nil {
-						require.NoError(t, err)
-					}
-
-					certPool := x509.NewCertPool()
-					if !certPool.AppendCertsFromPEM(caPEM) {
-						require.NoError(t, err)
-					}
-					tlsCfg.ClientCAs = certPool
-					tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
-				}
-
 				opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
 			}
 

diff --git a/cmd/agent/app/reporter/grpc/flags.go b/cmd/agent/app/reporter/grpc/flags.go
@@ -36,13 +36,13 @@ const (
 
 // AddFlags adds flags for Options.
 func AddFlags(flags *flag.FlagSet) {
-	flags.String(collectorHostPort, "", "Comma-separated string representing host:port of a static list of collectors to connect to directly.")
-	flags.Uint(retry, defaultMaxRetry, "Sets the maximum number of retries for a call.")
-	flags.Bool(collectorTLS, false, "Enable TLS.")
-	flags.String(collectorTLSCA, "", "Path to a TLS CA file. (default use the systems truststore)")
-	flags.String(collectorTLSServerName, "", "Override the TLS server name.")
-	flags.String(agentCert, "", "Path to a TLS client certificate file.")
-	flags.String(agentKey, "", "Path to a TLS client key file.")
+	flags.String(collectorHostPort, "", "Comma-separated string representing host:port of a static list of collectors to connect to directly")
+	flags.Uint(retry, defaultMaxRetry, "Sets the maximum number of retries for a call")
+	flags.Bool(collectorTLS, false, "Use TLS when talking to the remote collector")
+	flags.String(collectorTLSCA, "", "Path to a TLS CA file used to verify the remote server. (default use the systems truststore)")
+	flags.String(collectorTLSServerName, "", "Override the TLS server name we expected in the remote certificate")
+	flags.String(agentCert, "", "Path to a TLS client certificate file, used to identify this agent to the collector")
+	flags.String(agentKey, "", "Path to the TLS client key for the client certificate")
 	flags.Int(discoveryMinPeers, 3, "Max number of collectors to which the agent will try to connect at any given time")
 }
 

diff --git a/cmd/collector/app/builder/builder_flags.go b/cmd/collector/app/builder/builder_flags.go
@@ -74,10 +74,10 @@ func AddFlags(flags *flag.FlagSet) {
 	flags.Int(collectorHTTPPort, ports.CollectorHTTP, "The HTTP port for the collector service")
 	flags.Int(collectorGRPCPort, ports.CollectorGRPC, "The gRPC port for the collector service")
 	flags.Int(collectorZipkinHTTPort, 0, "The HTTP port for the Zipkin collector service e.g. 9411")
-	flags.Bool(collectorGRPCTLS, false, "Enable TLS")
-	flags.String(collectorGRPCCert, "", "Path to TLS certificate file")
-	flags.String(collectorGRPCKey, "", "Path to TLS key file")
-	flags.String(collectorGRPCClientCA, "", "Path to TLS certificates for authenticating clients")
+	flags.Bool(collectorGRPCTLS, false, "Enable TLS for the gRPC collector port")
+	flags.String(collectorGRPCCert, "", "Path to TLS certificate or the gRPC collector TLS service")
+	flags.String(collectorGRPCKey, "", "Path to TLS key for the gRPC collector TLS cert")
+	flags.String(collectorGRPCClientCA, "", "Path to a TLS CA to verify certificates presented by clients against (if unset, all clients are permitted)")
 	flags.String(collectorZipkinAllowedOrigins, "*", "Allowed origins for the Zipkin collector service, default accepts all")
 	flags.String(collectorZipkinAllowedHeaders, "content-type", "Allowed headers for the Zipkin collector service, default content-type")
 }

diff --git a/cmd/collector/app/grpcserver/grpc_server.go b/cmd/collector/app/grpcserver/grpc_server.go
@@ -15,6 +15,9 @@
 package grpcserver
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
@@ -31,6 +34,40 @@ import (
 	"github.com/jaegertracing/jaeger/proto-gen/api_v2"
 )
 
+// TLSConfig creates a *tls.Config from the user specified file paths.
+func TLSConfig(cert, key, clientCA string) (*tls.Config, error) {
+	if cert == "" || key == "" {
+		return nil, fmt.Errorf("you requested TLS but configuration does not include a path to cert and/or key")
+	}
+
+	tlsCfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
+	tlsCert, err := tls.LoadX509KeyPair(cert, key)
+	if err != nil {
+		return nil, fmt.Errorf("could not load server TLS cert and key, %v", err)
+	}
+
+	tlsCfg.Certificates = []tls.Certificate{tlsCert}
+
+	if clientCA != "" {
+		caPEM, err := ioutil.ReadFile(clientCA)
+		if err != nil {
+			return nil, fmt.Errorf("load TLS client CA, %v", err)
+		}
+
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(caPEM) {
+			return nil, fmt.Errorf("building TLS client CA, %v", err)
+		}
+		tlsCfg.ClientCAs = certPool
+		tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
+	return tlsCfg, nil
+}
+
 // StartGRPCCollector configures and starts gRPC endpoints exposed by collector.
 func StartGRPCCollector(
 	port int,

diff --git a/cmd/collector/main.go b/cmd/collector/main.go
@@ -15,11 +15,8 @@
 package main
 
 import (
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -195,33 +192,12 @@ func startGRPCServer(
 	var server *grpc.Server
 
 	if opts.CollectorGRPCTLS { // user requested a server with TLS, setup creds
-		if opts.CollectorGRPCCert == "" || opts.CollectorGRPCKey == "" {
-			return nil, fmt.Errorf("you requested TLS but configuration does not include a path to cert and/or key")
-		}
-
-		tlsCfg := &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		}
-
-		tlsCert, err := tls.LoadX509KeyPair(opts.CollectorGRPCCert, opts.CollectorGRPCKey)
+		tlsCfg, err := grpcserver.TLSConfig(
+			opts.CollectorGRPCCert,
+			opts.CollectorGRPCKey,
+			opts.CollectorGRPCClientCA)
 		if err != nil {
-			return nil, fmt.Errorf("could not load server TLS cert and key, %v", err)
-		}
-
-		tlsCfg.Certificates = []tls.Certificate{tlsCert}
-
-		if opts.CollectorGRPCClientCA != "" {
-			caPEM, err := ioutil.ReadFile(opts.CollectorGRPCClientCA)
-			if err != nil {
-				return nil, fmt.Errorf("load TLS client CA, %v", err)
-			}
-
-			certPool := x509.NewCertPool()
-			if !certPool.AppendCertsFromPEM(caPEM) {
-				return nil, fmt.Errorf("building TLS client CA, %v", err)
-			}
-			tlsCfg.ClientCAs = certPool
-			tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
+			return nil, err
 		}
 
 		creds := credentials.NewTLS(tlsCfg)