feature/tracing-credentials: wiring through Tracing.TLSCertPath from …

…TOML config
smartcontractkit · Nov 14, 2023 · b82377a · b82377a
1 parent 35d7973
commit b82377a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/pkg/loop/config.go b/pkg/loop/config.go
@@ -6,6 +6,8 @@ import (
 	"os"
 	"strconv"
 	"strings"
+
+	"google.golang.org/grpc/credentials"
 )
 
 const (
@@ -14,6 +16,7 @@ const (
 	envTracingCollectorTarget = "CL_TRACING_COLLECTOR_TARGET"
 	envTracingSamplingRatio   = "CL_TRACING_SAMPLING_RATIO"
 	envTracingAttribute       = "CL_TRACING_ATTRIBUTE_"
+	envTracingTLSCertPath     = "CL_TRACING_TLS_CERT_PATH"
 )
 
 // EnvConfig is the configuration between the application and the LOOP executable. The values
@@ -24,6 +27,7 @@ type EnvConfig struct {
 	TracingEnabled         bool
 	TracingCollectorTarget string
 	TracingSamplingRatio   float64
+	TracingTLSCertPath     string
 	TracingAttributes      map[string]string
 }
 
@@ -34,6 +38,7 @@ func (e *EnvConfig) AsCmdEnv() (env []string) {
 		envTracingEnabled:         strconv.FormatBool(e.TracingEnabled),
 		envTracingCollectorTarget: e.TracingCollectorTarget,
 		envTracingSamplingRatio:   strconv.FormatFloat(e.TracingSamplingRatio, 'f', -1, 64),
+		envTracingTLSCertPath:     e.TracingTLSCertPath,
 	}
 
 	for k, v := range e.TracingAttributes {
@@ -67,6 +72,10 @@ func (e *EnvConfig) parse() error {
 		}
 		e.TracingAttributes = getTracingAttributes()
 		e.TracingSamplingRatio = getTracingSamplingRatio()
+		e.TracingTLSCertPath, err = getTLSCertPath()
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -114,3 +123,16 @@ func getTracingSamplingRatio() float64 {
 	}
 	return samplingRatio
 }
+
+// getTLSCertPath parses and validates the CL_TRACING_TLS_CERT_PATH environment variable.
+func getTLSCertPath() (string, error) {
+	// empty string is valid; signals to use insecure credentials
+	tracingTLSCertPath := os.Getenv(envTracingTLSCertPath)
+
+	_, err := credentials.NewClientTLSFromFile(tracingTLSCertPath, "")
+	if err != nil {
+		return "", err
+	}
+
+	return tracingTLSCertPath, nil
+}
diff --git a/pkg/loop/config_test.go b/pkg/loop/config_test.go
@@ -18,6 +18,7 @@ func TestEnvConfig_parse(t *testing.T) {
 		expectedTracingEnabled         bool
 		expectedTracingCollectorTarget string
 		expectedTracingSamplingRatio   float64
+		expectedTracingTLSCertPath     string
 	}{
 		{
 			name: "All variables set correctly",
@@ -26,13 +27,15 @@ func TestEnvConfig_parse(t *testing.T) {
 				envTracingEnabled:           "true",
 				envTracingCollectorTarget:   "some:target",
 				envTracingSamplingRatio:     "1.0",
+				envTracingTLSCertPath:       "some/path",
 				envTracingAttribute + "XYZ": "value",
 			},
 			expectError:                    false,
 			expectedPrometheusPort:         8080,
 			expectedTracingEnabled:         true,
 			expectedTracingCollectorTarget: "some:target",
 			expectedTracingSamplingRatio:   1.0,
+			expectedTracingTLSCertPath:     "some/path",
 		},
 		{
 			name: "CL_PROMETHEUS_PORT parse error",
@@ -80,6 +83,9 @@ func TestEnvConfig_parse(t *testing.T) {
 					if config.TracingSamplingRatio != tc.expectedTracingSamplingRatio {
 						t.Errorf("Expected tracingSamplingRatio %f, got %f", tc.expectedTracingSamplingRatio, config.TracingSamplingRatio)
 					}
+					if config.TracingTLSCertPath != tc.expectedTracingTLSCertPath {
+						t.Errorf("Expected tracingTLSCertPath %s, got %s", tc.expectedTracingTLSCertPath, config.TracingTLSCertPath)
+					}
 				}
 			}
 		})
@@ -92,6 +98,7 @@ func TestEnvConfig_AsCmdEnv(t *testing.T) {
 		TracingEnabled:         true,
 		TracingCollectorTarget: "http://localhost:9000",
 		TracingSamplingRatio:   0.1,
+		TracingTLSCertPath:     "some/path",
 		TracingAttributes:      map[string]string{"key": "value"},
 	}
 	got := map[string]string{}
@@ -105,5 +112,6 @@ func TestEnvConfig_AsCmdEnv(t *testing.T) {
 	assert.Equal(t, "true", got[envTracingEnabled])
 	assert.Equal(t, "http://localhost:9000", got[envTracingCollectorTarget])
 	assert.Equal(t, "0.1", got[envTracingSamplingRatio])
+	assert.Equal(t, "some/path", got[envTracingTLSCertPath])
 	assert.Equal(t, "value", got[envTracingAttribute+"key"])
 }
diff --git a/pkg/loop/server.go b/pkg/loop/server.go
@@ -71,9 +71,11 @@ func (s *Server) start() error {
 	if err := SetupTracing(TracingConfig{
 		Enabled:         envCfg.TracingEnabled,
 		CollectorTarget: envCfg.TracingCollectorTarget,
-		NodeAttributes:  envCfg.TracingAttributes,
 		SamplingRatio:   envCfg.TracingSamplingRatio,
-		OnDialError:     func(err error) { s.Logger.Errorw("Failed to dial", "err", err) },
+		TLSCertPath:     envCfg.TracingTLSCertPath,
+		NodeAttributes:  envCfg.TracingAttributes,
+
+		OnDialError: func(err error) { s.Logger.Errorw("Failed to dial", "err", err) },
 	}); err != nil {
 		// non blocking to server start
 		s.Logger.Errorf("Failed to setup tracing: %s", err)

diff --git a/pkg/loop/telem.go b/pkg/loop/telem.go
@@ -19,6 +19,7 @@ import (
 	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/smartcontractkit/chainlink-relay/pkg/loop/internal"
@@ -39,6 +40,9 @@ type TracingConfig struct {
 	// SamplingRatio is the ratio of traces to sample. 1.0 means sample all traces.
 	SamplingRatio float64
 
+	// TLSCertPath is the path to the TLS certificate to use when connecting to the collector.
+	TLSCertPath string
+
 	// OnDialError is called when the dialer fails, providing an opportunity to log.
 	OnDialError func(error)
 }
@@ -54,9 +58,6 @@ func NewGRPCOpts(registerer prometheus.Registerer) GRPCOpts {
 
 // SetupTracing initializes open telemetry with the provided config.
 // It sets the global trace provider and opens a connection to the configured collector.
-// There is no transport security between the node and OTEL collector.
-// While this is the case, it is recommended to only deploy nodes and the OTEL collector on the same network.
-// TODO: BCF-2703
 func SetupTracing(config TracingConfig) error {
 	if !config.Enabled {
 		return nil
@@ -66,9 +67,16 @@ func SetupTracing(config TracingConfig) error {
 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
 
+	var creds credentials.TransportCredentials
+	if config.TLSCertPath != "" {
+		creds, _ = credentials.NewClientTLSFromFile(config.TLSCertPath, "")
+	} else {
+		creds = insecure.NewCredentials()
+	}
+
 	conn, err := grpc.DialContext(ctx, config.CollectorTarget,
-		// Note the use of insecure transport here. TLS is recommended in production.
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		// Note the potential use of insecure transport here. TLS is recommended in production.
+		grpc.WithTransportCredentials(creds),
 		grpc.WithContextDialer(func(ctx context.Context, s string) (net.Conn, error) {
 			conn, err := net.Dial("tcp", s)
 			if err != nil {