Auth for exporting traces #1226
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ken on trace export
Comment on lines
+9
to
+11
| type clientAuthenticator struct { | ||
| token string | ||
| } |
There was a problem hiding this comment.
This makes sense to me, but I think it would benefit from the addition of SetNewToken(token string)
That would allow the token to be updated, without create a new exporter.
There was a problem hiding this comment.
I suspect it would be super clean to create one, and register it with knapsack.RegisterChangeObserver
Maybe pull that into New(k knapsack)? Not sure...
There was a problem hiding this comment.
Yes, definitely cleaner! I'll update
There was a problem hiding this comment.
This is updated -- I ended up making TraceExporter subscribe to the ingest updates, and swap in the token when pinged.
RebeccaMahany
commented
Jun 14, 2023
RebeccaMahany
force-pushed
the
becca/auth-for-export
branch
from
31d1d55
to
3d72ca1
Compare
RebeccaMahany
force-pushed
the
becca/auth-for-export
branch
from
0a1059b
to
d6e025e
Compare
James-Pickett
approved these changes
Jun 15, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a gRPC wrapper that adds a bearer auth header to all outgoing trace exports. Also allows the ingest server URL and the export traces flag to be set by the control server.
sequenceDiagram Participant Control server Box Launcher Participant Control service Participant Agent flags subsystem Participant Auth token subsystem Participant Traces exporter end Participant Agent collector loop Config generation Control server ->> Control server: Generate JWT with TTL of 24 hours Control service ->> Control server: Perform regular check to see if subsystem data has changed Control server ->> Control service: Return config, including JWT end opt Ingest URL update Control service ->> Agent flags subsystem: Perform update Agent flags subsystem ->> Traces exporter: Notify that URL has changed Traces exporter ->> Traces exporter: Init new exporter using new ingest URL end opt Token update Control service ->> Auth token subsystem: Perform update Auth token subsystem ->> Auth token subsystem: Store new token Control service ->> Traces exporter: Ping Traces exporter ->> Auth token subsystem: Fetch new token Traces exporter ->> Traces exporter: Replace token used for export end Traces exporter ->> Agent collector: Send traces with bearer auth header to stored ingest URL Agent collector ->> Agent collector: Validate JWT Agent collector ->> Agent collector: Process and store traces