Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS support for HTTP Endpoint of Collector server #2798

Merged
merged 9 commits into from
Feb 8, 2021
20 changes: 15 additions & 5 deletions cmd/collector/app/builder_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,12 +40,18 @@ const (
collectorZipkinAllowedHeaders = "collector.zipkin.allowed-headers"
)

var tlsFlagsConfig = tlscfg.ServerFlagsConfig{
var tlsGRPCFlagsConfig = tlscfg.ServerFlagsConfig{
Prefix: "collector.grpc",
ShowEnabled: true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should remove this option, it is never false

$ grx 'ShowEnabled: ' .
./cmd/collector/app/builder_flags.go:45:	ShowEnabled:  true,
./cmd/agent/app/reporter/grpc/flags.go:36:	ShowEnabled:    true,
./cmd/query/app/flags.go:52:	ShowEnabled:  true,
./cmd/query/app/flags.go:58:	ShowEnabled:  true,
./plugin/storage/cassandra/options.go:250:		ShowEnabled:    true,
./plugin/storage/es/options.go:139:		ShowEnabled:    true,
./pkg/config/tlscfg/flags_test.go:51:				ShowEnabled:    true,
./pkg/config/tlscfg/flags_test.go:98:				ShowEnabled:  true,
./pkg/kafka/auth/config.go:94:		ShowEnabled:    true,
./pkg/kafka/auth/options.go:113:		ShowEnabled:    true,

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want me to do this as a part of the same PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

up to you

ShowClientCA: true,
}

var tlsHTTPFlagsConfig = tlscfg.ServerFlagsConfig{
Prefix: "collector.http",
ShowEnabled: true,
ShowClientCA: true,
}

// CollectorOptions holds configuration for collector
type CollectorOptions struct {
// DynQueueSizeMemory determines how much memory to use for the queue
Expand All @@ -58,8 +64,10 @@ type CollectorOptions struct {
CollectorHTTPHostPort string
// CollectorGRPCHostPort is the host:port address that the collector service listens in on for gRPC requests
CollectorGRPCHostPort string
// TLS configures secure transport
TLS tlscfg.Options
// TLSGRPC configures secure transport for gRPC endpoint to collect spans
TLSGRPC tlscfg.Options
// TLSHTTP configures secure transport for HTTP endpoint to collect spans
TLSHTTP tlscfg.Options
// CollectorTags is the string representing collector tags to append to each and every span
CollectorTags map[string]string
// CollectorZipkinHTTPHostPort is the host:port address that the Zipkin collector service listens in on for http requests
Expand All @@ -86,7 +94,8 @@ func AddFlags(flags *flag.FlagSet) {
func AddOTELJaegerFlags(flags *flag.FlagSet) {
flags.String(CollectorHTTPHostPort, ports.PortToHostPort(ports.CollectorHTTP), "The host:port (e.g. 127.0.0.1:14268 or :14268) of the collector's HTTP server")
flags.String(CollectorGRPCHostPort, ports.PortToHostPort(ports.CollectorGRPC), "The host:port (e.g. 127.0.0.1:14250 or :14250) of the collector's GRPC server")
tlsFlagsConfig.AddFlags(flags)
tlsGRPCFlagsConfig.AddFlags(flags)
tlsHTTPFlagsConfig.AddFlags(flags)
}

// AddOTELZipkinFlags adds flag that are exposed by OTEL Zipkin receiver
Expand All @@ -105,7 +114,8 @@ func (cOpts *CollectorOptions) InitFromViper(v *viper.Viper) *CollectorOptions {
cOpts.CollectorTags = flags.ParseJaegerTags(v.GetString(collectorTags))
cOpts.CollectorZipkinAllowedOrigins = v.GetString(collectorZipkinAllowedOrigins)
cOpts.CollectorZipkinAllowedHeaders = v.GetString(collectorZipkinAllowedHeaders)
cOpts.TLS = tlsFlagsConfig.InitFromViper(v)
cOpts.TLSGRPC = tlsHTTPFlagsConfig.InitFromViper(v)
cOpts.TLSHTTP = tlsGRPCFlagsConfig.InitFromViper(v)

return cOpts
}
23 changes: 15 additions & 8 deletions cmd/collector/app/collector.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,11 @@ type Collector struct {
spanHandlers *SpanHandlers

// state, read only
hServer *http.Server
zkServer *http.Server
grpcServer *grpc.Server
tlsCloser io.Closer
hServer *http.Server
zkServer *http.Server
grpcServer *grpc.Server
TLSGRPCCloser io.Closer
TLSHTTPCloser io.Closer
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
}

// CollectorParams to construct a new Jaeger Collector.
Expand Down Expand Up @@ -88,7 +89,7 @@ func (c *Collector) Start(builderOpts *CollectorOptions) error {
grpcServer, err := server.StartGRPCServer(&server.GRPCServerParams{
HostPort: builderOpts.CollectorGRPCHostPort,
Handler: c.spanHandlers.GRPCHandler,
TLSConfig: builderOpts.TLS,
TLSConfig: builderOpts.TLSGRPC,
SamplingStore: c.strategyStore,
Logger: c.logger,
})
Expand All @@ -100,6 +101,7 @@ func (c *Collector) Start(builderOpts *CollectorOptions) error {
httpServer, err := server.StartHTTPServer(&server.HTTPServerParams{
HostPort: builderOpts.CollectorHTTPHostPort,
Handler: c.spanHandlers.JaegerBatchesHandler,
TLSConfig: builderOpts.TLSHTTP,
HealthCheck: c.hCheck,
MetricsFactory: c.metricsFactory,
SamplingStore: c.strategyStore,
Expand All @@ -110,7 +112,8 @@ func (c *Collector) Start(builderOpts *CollectorOptions) error {
}
c.hServer = httpServer

c.tlsCloser = &builderOpts.TLS
c.TLSGRPCCloser = &builderOpts.TLSGRPC
c.TLSHTTPCloser = &builderOpts.TLSHTTP
zkServer, err := server.StartZipkinServer(&server.ZipkinServerParams{
HostPort: builderOpts.CollectorZipkinHTTPHostPort,
Handler: c.spanHandlers.ZipkinSpansHandler,
Expand Down Expand Up @@ -165,8 +168,12 @@ func (c *Collector) Close() error {
c.logger.Error("failed to close span processor.", zap.Error(err))
}

if err := c.tlsCloser.Close(); err != nil {
c.logger.Error("failed to close TLS certificate watcher", zap.Error(err))
if err := c.TLSGRPCCloser.Close(); err != nil {
c.logger.Error("failed to close gRPC TLS certificate watcher", zap.Error(err))
}

if err := c.TLSHTTPCloser.Close(); err != nil {
c.logger.Error("failed to close HTTP TLS certificate watcher", zap.Error(err))
}

return nil
Expand Down
17 changes: 16 additions & 1 deletion cmd/collector/app/server/http.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,15 @@ import (
"github.com/jaegertracing/jaeger/cmd/collector/app/handler"
"github.com/jaegertracing/jaeger/cmd/collector/app/sampling/strategystore"
clientcfgHandler "github.com/jaegertracing/jaeger/pkg/clientcfg/clientcfghttp"
"github.com/jaegertracing/jaeger/pkg/config/tlscfg"
"github.com/jaegertracing/jaeger/pkg/healthcheck"
"github.com/jaegertracing/jaeger/pkg/httpmetrics"
"github.com/jaegertracing/jaeger/pkg/recoveryhandler"
)

// HTTPServerParams to construct a new Jaeger Collector HTTP Server
type HTTPServerParams struct {
TLSConfig tlscfg.Options
HostPort string
Handler handler.JaegerBatchesHandler
SamplingStore strategystore.StrategyStore
Expand All @@ -50,6 +52,13 @@ func StartHTTPServer(params *HTTPServerParams) (*http.Server, error) {
}

server := &http.Server{Addr: params.HostPort}
if params.TLSConfig.Enabled {
tlsCfg, err := params.TLSConfig.Config(params.Logger) // This checks if the certificates are correctly provided
if err != nil {
return nil, err
}
server.TLSConfig = tlsCfg
}
serveHTTP(server, listener, params)

return server, nil
Expand All @@ -74,7 +83,13 @@ func serveHTTP(server *http.Server, listener net.Listener, params *HTTPServerPar
recoveryHandler := recoveryhandler.NewRecoveryHandler(params.Logger, true)
server.Handler = httpmetrics.Wrap(recoveryHandler(r), params.MetricsFactory)
go func() {
if err := server.Serve(listener); err != nil {
var err error
if params.TLSConfig.Enabled {
err = server.ServeTLS(listener, "", "")
} else {
err = server.Serve(listener)
}
if err != nil {
if err != http.ErrServerClosed {
params.Logger.Error("Could not start HTTP collector", zap.Error(err))
}
Expand Down