

Update
Tristan Colgate committed Jul 16, 2019
1 parent a890cba commit ffd30f7
Showing 5 changed files with 58 additions and 64 deletions.
29 changes: 5 additions & 24 deletions cmd/agent/app/reporter/grpc/builder_test.go
Expand Up @@ -14,10 +14,7 @@
package grpc

import (
"crypto/tls"
"crypto/x509"
"errors"
"io/ioutil"
"net"
"strings"
"testing"
Expand All @@ -32,6 +29,7 @@ import (
"google.golang.org/grpc/credentials"
yaml "gopkg.in/yaml.v2"

"github.com/jaegertracing/jaeger/cmd/collector/app/grpcserver"
"github.com/jaegertracing/jaeger/pkg/discovery"
"github.com/jaegertracing/jaeger/proto-gen/api_v2"
"github.com/jaegertracing/jaeger/thrift-gen/jaeger"
Expand Down Expand Up @@ -318,31 +316,14 @@ func TestProxyClientTLS(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
var opts []grpc.ServerOption
if test.serverTLS {
tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
}

tlsCert, err := tls.LoadX509KeyPair(test.serverTLSCert, test.serverTLSKey)
tlsCfg, err := grpcserver.TLSConfig(
test.serverTLSCert,
test.serverTLSKey,
test.serverTLSClientCA)
if err != nil {
require.NoError(t, err)
}

tlsCfg.Certificates = []tls.Certificate{tlsCert}

if test.serverTLSClientCA != "" {
caPEM, err := ioutil.ReadFile(test.serverTLSClientCA)
if err != nil {
require.NoError(t, err)
}

certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(caPEM) {
require.NoError(t, err)
}
tlsCfg.ClientCAs = certPool
tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
}

opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
}

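Review bot: The guard `if err != nil { require.NoError(t, err) }` around the new `grpcserver.TLSConfig(...)` call is redundant, since `require.NoError` already fails the test only when err is non-nil; the three lines can collapse to `require.NoError(t, err)`. The guard itself looks like retained context rather than a new line, but the call it protects is new, so this is the moment to simplify it. Worth noting too that this agent-side test now imports the collector's `grpcserver` package purely for a TLS helper, which couples the two commands' test builds; if that helper is meant to be shared, a neutral package (for example under `pkg/`) would be the cleaner home. TestProxyClientTLS starts and ends outside the hunk.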
14 changes: 7 additions & 7 deletions cmd/agent/app/reporter/grpc/flags.go
Expand Up @@ -36,13 +36,13 @@ const (

// AddFlags adds flags for Options.
func AddFlags(flags *flag.FlagSet) {
flags.String(collectorHostPort, "", "Comma-separated string representing host:port of a static list of collectors to connect to directly.")
flags.Uint(retry, defaultMaxRetry, "Sets the maximum number of retries for a call.")
flags.Bool(collectorTLS, false, "Enable TLS.")
flags.String(collectorTLSCA, "", "Path to a TLS CA file. (default use the systems truststore)")
flags.String(collectorTLSServerName, "", "Override the TLS server name.")
flags.String(agentCert, "", "Path to a TLS client certificate file.")
flags.String(agentKey, "", "Path to a TLS client key file.")
flags.String(collectorHostPort, "", "Comma-separated string representing host:port of a static list of collectors to connect to directly")
flags.Uint(retry, defaultMaxRetry, "Sets the maximum number of retries for a call")
flags.Bool(collectorTLS, false, "Use TLS when talking to the remote collector")
flags.String(collectorTLSCA, "", "Path to a TLS CA file used to verify the remote server. (default use the systems truststore)")
flags.String(collectorTLSServerName, "", "Override the TLS server name we expected in the remote certificate")
flags.String(agentCert, "", "Path to a TLS client certificate file, used to identify this agent to the collector")
flags.String(agentKey, "", "Path to the TLS client key for the client certificate")
flags.Int(discoveryMinPeers, 3, "Max number of collectors to which the agent will try to connect at any given time")
}

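Review bot: Two of the rewritten help strings read awkwardly. The `collectorTLSServerName` text mixes tenses; `flags.String(collectorTLSServerName, "", "Override the TLS server name we expect in the remote certificate")` reads correctly. The `collectorTLSCA` text keeps the old "systems truststore"; `flags.String(collectorTLSCA, "", "Path to a TLS CA file used to verify the remote server. (default use the system's truststore)")` fixes the possessive. The rest of AddFlags is visible in full in this hunk.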
8 changes: 4 additions & 4 deletions cmd/collector/app/builder/builder_flags.go
Expand Up @@ -74,10 +74,10 @@ func AddFlags(flags *flag.FlagSet) {
flags.Int(collectorHTTPPort, ports.CollectorHTTP, "The HTTP port for the collector service")
flags.Int(collectorGRPCPort, ports.CollectorGRPC, "The gRPC port for the collector service")
flags.Int(collectorZipkinHTTPort, 0, "The HTTP port for the Zipkin collector service e.g. 9411")
flags.Bool(collectorGRPCTLS, false, "Enable TLS")
flags.String(collectorGRPCCert, "", "Path to TLS certificate file")
flags.String(collectorGRPCKey, "", "Path to TLS key file")
flags.String(collectorGRPCClientCA, "", "Path to TLS certificates for authenticating clients")
flags.Bool(collectorGRPCTLS, false, "Enable TLS for the gRPC collector port")
flags.String(collectorGRPCCert, "", "Path to TLS certificate or the gRPC collector TLS service")
flags.String(collectorGRPCKey, "", "Path to TLS key for the gRPC collector TLS cert")
flags.String(collectorGRPCClientCA, "", "Path to a TLS CA to verify certificates presented by clients against (if unset, all clients are permitted)")
flags.String(collectorZipkinAllowedOrigins, "*", "Allowed origins for the Zipkin collector service, default accepts all")
flags.String(collectorZipkinAllowedHeaders, "content-type", "Allowed headers for the Zipkin collector service, default content-type")
}
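Review bot: The new `collectorGRPCCert` help string has a typo, "certificate or the gRPC collector TLS service", where "or" should be "for": `flags.String(collectorGRPCCert, "", "Path to TLS certificate for the gRPC collector TLS service")`. The `collectorGRPCClientCA` text is a good addition, as it is the only place that tells an operator that leaving the client CA unset means no client certificate is required. AddFlags begins outside the hunk.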
37 changes: 37 additions & 0 deletions cmd/collector/app/grpcserver/grpc_server.go
Expand Up @@ -15,6 +15,9 @@
package grpcserver

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net"
"os"
Expand All @@ -31,6 +34,40 @@ import (
"github.com/jaegertracing/jaeger/proto-gen/api_v2"
)

// TLSConfig creates a *tls.Config from the user specified file paths.
func TLSConfig(cert, key, clientCA string) (*tls.Config, error) {
if cert == "" || key == "" {
return nil, fmt.Errorf("you requested TLS but configuration does not include a path to cert and/or key")
}

tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
}

tlsCert, err := tls.LoadX509KeyPair(cert, key)
if err != nil {
return nil, fmt.Errorf("could not load server TLS cert and key, %v", err)
}

tlsCfg.Certificates = []tls.Certificate{tlsCert}

if clientCA != "" {
caPEM, err := ioutil.ReadFile(clientCA)
if err != nil {
return nil, fmt.Errorf("load TLS client CA, %v", err)
}

certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(caPEM) {
return nil, fmt.Errorf("building TLS client CA, %v", err)
}
tlsCfg.ClientCAs = certPool
tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
}

return tlsCfg, nil
}

// StartGRPCCollector configures and starts gRPC endpoints exposed by collector.
func StartGRPCCollector(
port int,
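Review bot: In TLSConfig the `AppendCertsFromPEM` failure branch formats `err`, but at that point `err` is the nil result of the preceding `ioutil.ReadFile`, so the message will always end in "<nil>" and the operator never learns which file was at fault; replace it with `return nil, fmt.Errorf("building TLS client CA: no certificates found in %q", clientCA)`. The same pattern existed in the code removed from cmd/collector/main.go, so moving it here is the right time to fix it. The doc comment should also state the security-relevant default that the flag help already hints at, e.g. `// TLSConfig creates a *tls.Config from the user specified file paths. When clientCA is empty, ClientAuth is left at its default and any client is accepted without presenting a certificate.` The other error messages in the function have the same comma-separated shape as before, so this is not a regression, but `%v` on a nil error is.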
34 changes: 5 additions & 29 deletions cmd/collector/main.go
Expand Up @@ -15,11 +15,8 @@
package main

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"io/ioutil"
"log"
"net"
"net/http"
Expand Down Expand Up @@ -195,33 +192,12 @@ func startGRPCServer(
var server *grpc.Server

if opts.CollectorGRPCTLS { // user requested a server with TLS, setup creds
if opts.CollectorGRPCCert == "" || opts.CollectorGRPCKey == "" {
return nil, fmt.Errorf("you requested TLS but configuration does not include a path to cert and/or key")
}

tlsCfg := &tls.Config{
MinVersion: tls.VersionTLS12,
}

tlsCert, err := tls.LoadX509KeyPair(opts.CollectorGRPCCert, opts.CollectorGRPCKey)
tlsCfg, err := grpcserver.TLSConfig(
opts.CollectorGRPCCert,
opts.CollectorGRPCKey,
opts.CollectorGRPCClientCA)
if err != nil {
return nil, fmt.Errorf("could not load server TLS cert and key, %v", err)
}

tlsCfg.Certificates = []tls.Certificate{tlsCert}

if opts.CollectorGRPCClientCA != "" {
caPEM, err := ioutil.ReadFile(opts.CollectorGRPCClientCA)
if err != nil {
return nil, fmt.Errorf("load TLS client CA, %v", err)
}

certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(caPEM) {
return nil, fmt.Errorf("building TLS client CA, %v", err)
}
tlsCfg.ClientCAs = certPool
tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
return nil, err
}

creds := credentials.NewTLS(tlsCfg)
