TLS support for HTTP API of Query server #2337

Merged
merged 39 commits into from
Jan 19, 2021
92d363c
Added TLS for HTTP (consumer-query) server
rjs211 Jul 9, 2020
3bf0746
Add testcase of error in TLS HTTP server creation
rjs211 Jul 9, 2020
abe4ff5
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 9, 2020
050fb62
Minor refactoring of properties and vars
rjs211 Jul 9, 2020
d02d85f
Exposing flags for HTTP and GRPC with TLS config
rjs211 Jul 9, 2020
e135064
minor refactoring of comments
rjs211 Jul 11, 2020
657e0b4
Changed TLS server to use tlsCfg instead of injection
rjs211 Jul 11, 2020
0f67d15
Create test for HTTP server with TLS and MTLS
rjs211 Jul 11, 2020
73867a5
Removing checks to avoid race condition
rjs211 Jul 11, 2020
3e000a7
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 13, 2020
a763d9e
Adding testdata of certificates and keys of CA, server & client
rjs211 Jul 14, 2020
024b179
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 14, 2020
0a88eb5
Changing the names of keys and certificates
rjs211 Jul 14, 2020
691ffea
Coverage increase and cleanup
rjs211 Jul 15, 2020
2278e6e
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 15, 2020
5cdf944
removing redundant certif/keys set and using previously available set
rjs211 Jul 15, 2020
cca70e9
Added helper function to serve HTTP server
rjs211 Jul 15, 2020
fea7e14
Modify cmux and tests for secure HTTP and GRPC
rjs211 Jul 16, 2020
4cb348e
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 17, 2020
31b31e7
Fixing testscases for safe re-use
rjs211 Jul 17, 2020
9c8cfdf
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 17, 2020
affb566
Use common certificate flags for GRPC and HTTP
rjs211 Jul 17, 2020
5def2de
Use common certificate flags for GRPC and HTTP
rjs211 Jul 17, 2020
1d8133e
tempCommit
rjs211 Jul 18, 2020
3c0b23c
Using same tlsCfg structure for server
rjs211 Jul 18, 2020
7d9e18f
Removing reduntant code, added comments, using correct port for testing
rjs211 Jul 30, 2020
17bd199
Using separate ports in case of TLS
rjs211 Sep 11, 2020
e45614f
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Sep 11, 2020
0ceb4e5
modified test-cases for dedicated ports with TLS
rjs211 Sep 11, 2020
0119c1e
remove redundant test, created error var
rjs211 Sep 14, 2020
da5d790
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Sep 14, 2020
601c269
remove redundant test, created error var
rjs211 Sep 14, 2020
186184f
Split long conditional
rjs211 Oct 15, 2020
a964218
Merge branch 'master' into dev-addTLS-rjs211
rjs211 Oct 22, 2020
f4eb8f6
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Nov 10, 2020
f0ac83e
removed code repitition, added comment
rjs211 Nov 10, 2020
c53af21
added table-based tests for QueryOptions port allocation
rjs211 Nov 10, 2020
d3edb98
Merge branch 'dev-addTLS-rjs211' of https://github.com/rjs211/jaeger …
rjs211 Nov 10, 2020
1bee20f
Merge branch 'master' into dev-addTLS-rjs211
rjs211 Jan 7, 2021
Modify cmux and tests for secure HTTP and GRPC
Signed-off-by: rjs211 <srivatsa211@gmail.com>
rjs211 committed Jul 17, 2020
commit fea7e14b50f6ecf198ab8a1659446d4fa312085b
112 changes: 82 additions & 30 deletions cmd/query/app/server.go
Expand Up @@ -17,18 +17,21 @@ package app
import (
"crypto/rand"
"crypto/tls"
"fmt"
"io/ioutil"
"net"
"net/http"
"path/filepath"
"strings"

"github.com/gorilla/handlers"
"github.com/opentracing/opentracing-go"
"github.com/soheilhy/cmux"
"go.uber.org/zap"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"

"github.com/jaegertracing/jaeger/cmd/query/app/querysvc"
"github.com/jaegertracing/jaeger/pkg/config/tlscfg"
"github.com/jaegertracing/jaeger/pkg/healthcheck"
"github.com/jaegertracing/jaeger/pkg/netutils"
"github.com/jaegertracing/jaeger/pkg/recoveryhandler"
Expand Down Expand Up @@ -78,19 +81,15 @@ func (s Server) HealthCheckStatus() chan healthcheck.Status {
}

func createGRPCServer(querySvc *querysvc.QueryService, options *QueryOptions, logger *zap.Logger, tracer opentracing.Tracer) (*grpc.Server, error) {
var grpcOpts []grpc.ServerOption

if options.TLSGRPC.Enabled {
tlsCfg, err := options.TLSGRPC.Config()
_, err := options.TLSGRPC.Config()
if err != nil {
return nil, err
}
creds := credentials.NewTLS(tlsCfg)

grpcOpts = append(grpcOpts, grpc.Creds(creds))
}

server := grpc.NewServer(grpcOpts...)
server := grpc.NewServer()

handler := NewGRPCHandler(querySvc, logger, tracer)
api_v2.RegisterQueryServiceServer(server, handler)
Expand Down Expand Up @@ -132,32 +131,93 @@ func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions,
}, nil
}

func (s *Server) serveHTTP(httpListener net.Listener) error {
var err error
if s.queryOptions.TLSHTTP.Enabled {
tlsCfg, err1 := s.queryOptions.TLSHTTP.Config()
if err1 == nil {
tlsCfg.Rand = rand.Reader
tlsHTTPListener := tls.NewListener(httpListener, tlsCfg)
func getTLSListener(listener net.Listener, tlsOptions tlscfg.Options, otherCA string) (net.Listener, error) { // takes otherCA so that the certPool will have the CA of both GRPC and HTTP clients.
tlsCfg, err := tlsOptions.Config()
if err != nil {
return nil, err
}
if otherCA != "" {
caPEM, err := ioutil.ReadFile(filepath.Clean(otherCA))
if err != nil {
return nil, fmt.Errorf("failed to load CA %s: %w", otherCA, err)
}
if !tlsCfg.ClientCAs.AppendCertsFromPEM(caPEM) {
return nil, fmt.Errorf("failed to parse CA %s", otherCA)
}
}
tlsCfg.Rand = rand.Reader
tlsListener := tls.NewListener(listener, tlsCfg)
return tlsListener, err

}

func (s *Server) getCmux() (cmux.CMux, net.Listener, net.Listener, error) {
var httpListener net.Listener
var grpcListener net.Listener
var cmux1 cmux.CMux
// var cmux2 cmux.CMux
var tlsOptions tlscfg.Options
conn, err := net.Listen("tcp", s.queryOptions.HostPort)
s.conn = conn

if err != nil {
return nil, nil, nil, err
}

if s.queryOptions.TLSHTTP.Enabled != s.queryOptions.TLSGRPC.Enabled {
cmux1 = cmux.New(conn)

if !s.queryOptions.TLSHTTP.Enabled {
httpListener = cmux1.Match(cmux.HTTP1Fast())
tlsOptions = s.queryOptions.TLSGRPC
} else {
grpcListener = cmux1.MatchWithWriters(
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"),
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc+proto"),
)
tlsOptions = s.queryOptions.TLSHTTP
}
tlsListener := cmux1.Match(cmux.Any())
tlsListener, err = getTLSListener(tlsListener, tlsOptions, "")
if err != nil {
return nil, nil, nil, err
}

err = s.httpServer.Serve(tlsHTTPListener)
// cmux2 = cmux.New(tlsListener)
if s.queryOptions.TLSHTTP.Enabled {
httpListener = tlsListener
} else {
err = err1
grpcListener = tlsListener
}

} else {
err = s.httpServer.Serve(httpListener)
var muxListener net.Listener
if s.queryOptions.TLSHTTP.Enabled {
muxListener, err = getTLSListener(conn, s.queryOptions.TLSHTTP, s.queryOptions.TLSGRPC.ClientCAPath)
if err != nil {
return nil, nil, nil, err
}

} else {
muxListener = conn
}
cmux1 = cmux.New(muxListener)
grpcListener = cmux1.MatchWithWriters(
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"),
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc+proto"),
)
httpListener = cmux1.Match(cmux.Any())
}
return err

return cmux1, httpListener, grpcListener, err
}

// Start http, GRPC and cmux servers concurrently
func (s *Server) Start() error {
conn, err := net.Listen("tcp", s.queryOptions.HostPort)
cmuxServer, httpListener, grpcListener, err := s.getCmux()
if err != nil {
return err
}
s.conn = conn

var tcpPort int
if port, err := netutils.GetPort(s.conn.Addr()); err == nil {
Expand All @@ -169,19 +229,11 @@ func (s *Server) Start() error {
zap.Int("port", tcpPort),
zap.String("addr", s.queryOptions.HostPort))

// cmux server acts as a reverse-proxy between HTTP and GRPC backends.
cmuxServer := cmux.New(s.conn)

grpcListener := cmuxServer.MatchWithWriters(
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"),
cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc+proto"),
)
httpListener := cmuxServer.Match(cmux.Any())

go func() {
s.logger.Info("Starting HTTP server", zap.Int("port", tcpPort), zap.String("addr", s.queryOptions.HostPort))
// s.serveHTTP(httpListener);
left over?


switch err := s.serveHTTP(httpListener); err {
switch err := s.httpServer.Serve(httpListener); err {
case nil, http.ErrServerClosed, cmux.ErrListenerClosed:
// normal exit, nothing to do
default:
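Review bot: `tlsCfg.ClientCAs.AppendCertsFromPEM(caPEM)` in getTLSListener dereferences whatever pool `tlsOptions.Config()` returned, and when that options set has no client CA of its own the pool is presumably nil, so appending the other side's CA panics on a nil *x509.CertPool instead of failing Start with an error. Guard before the append with `if tlsCfg.ClientCAs == nil { tlsCfg.ClientCAs = x509.NewCertPool() }` (adding `"crypto/x509"` to the import block), or return an error saying that a combined listener needs a client CA configured on both sides. The function also deserves a doc comment stating that appending the GRPC client CA means the shared HTTPS listener accepts client certificates issued by either CA, and that whether a client certificate is required at all is still decided by the ClientAuth that Config() derived from tlsOptions, not by otherCA. The closing `return tlsListener, err` returns an err that can only be nil at that point; `return tls.NewListener(listener, tlsCfg), nil` reads clearer. The leftover `// var cmux2 cmux.CMux` and `// cmux2 = cmux.New(tlsListener)` comments in getCmux look like scaffolding and should be dropped, and createGRPCServer's body continues past the end of its hunk.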