Add client TLS auth to gRPC reporter #1591
Conversation
tcolgate
requested review from
black-adder,
jpkrohling,
objectiser,
pavolloffay,
tiffon,
vprithvi and
yurishkuro
as code owners
|
The option names in the agent probably aren't optimal. Need docs too I guess. |
|
Is it possible to add tests? I think we already have tests for TLS & certificates in other parts of the code |
|
yep, the existing tests should make this reasonably easy I think, I'll get started. I'll need to update the docs too. |
Codecov Report
@@ Coverage Diff @@
## master #1591 +/- ##
==========================================
- Coverage 98.71% 98.49% -0.23%
==========================================
Files 193 193
Lines 9243 9284 +41
==========================================
+ Hits 9124 9144 +20
- Misses 91 111 +20
- Partials 28 29 +1
Continue to review full report at Codecov.
|
|
@yurishkuro added tests that check the various combinations of agent/client TLS misconfiguration |
tcolgate
force-pushed
the
tlsclientauth
branch
3 times, most recently
from
09ff05f
to
6afc5d4
Compare
|
I'm not sure why the CI tests failed there, I don't think it's related to my PR. |
|
@yurishkuro any more thoughts on this PR? |
|
Why not take an optional tls.Config when tls configuration is required? |
@freeformz I'm not sure what you are suggesting, do you mean have a tls.Config in a user configurable config object? (I don't think that could work, most of that type is not configurable by literals, and none of the fields have the appropirate annotations). |
cmd/agent/app/reporter/grpc/flags.go
Outdated
| @@ -39,6 +41,8 @@ func AddFlags(flags *flag.FlagSet) { | |||
| flags.Bool(collectorTLS, false, "Enable TLS.") | |||
| flags.String(collectorTLSCA, "", "Path to a TLS CA file. (default use the systems truststore)") | |||
| flags.String(collectorTLSServerName, "", "Override the TLS server name.") | |||
| flags.String(agentCert, "", "Path to a TLS client certificate file.") | |||
| flags.String(agentKey, "", "Path to a TLS client key file.") | |||
There was a problem hiding this comment.
Could you please expand the flag descriptions (starting from --tls) to explain in more details what they enable? For example, what collectorTLS means after this PR, etc. Pretend someone is reading https://www.jaegertracing.io/docs/1.13/cli/#jaeger-collector-cassandra, is there enough information to understand what's going to happen with various combinations of the flags?
cmd/collector/main.go
Outdated
| opts.CollectorGRPCKey, | ||
| ) | ||
|
|
||
| tlsCfg := &tls.Config{ |
There was a problem hiding this comment.
this code should not be in main, but somewhere in the server factory, maybe similar to grpcserver.StartGRPCCollector() function. Right now it appears that similar code is repeated in the unit tests. Can you move it to grpcserver and reuse in unit tests so that it's also tested? We can't really test main()
|
@yurishkuro rebased, squashed, updated args, and moved the TLS setup. |
tcolgate
force-pushed
the
tlsclientauth
branch
2 times, most recently
from
f73750e
to
cfc2a8e
Compare
Signed-off-by: Tristan Colgate <tristan@qubit.com>
|
@yurishkuro pushed fixes |
pavolloffay
changed the title
pavolloffay
changed the title
No description provided.