Posted to notifications@skywalking.apache.org by ha...@apache.org on 2020/03/09 09:14:05 UTC

[skywalking] branch oap-ssl created (now 156196d)

This is an automated email from the ASF dual-hosted git repository.

hanahmily pushed a change to branch oap-ssl
in repository https://gitbox.apache.org/repos/asf/skywalking.git.


      at 156196d  Enable OAP gRPC SSL transportation

This branch includes the following new commits:

     new 156196d  Enable OAP gRPC SSL transportation

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[skywalking] 01/01: Enable OAP gRPC SSL transportation

Posted by ha...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

hanahmily pushed a commit to branch oap-ssl
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit 156196dd8ef3ef432f8e849a9f828e235a6a9b82
Author: Gao Hongtao <ha...@gmail.com>
AuthorDate: Mon Mar 9 17:07:19 2020 +0800

    Enable OAP gRPC SSL transportation
    
    Porting to OpenSSL to enable SSL transportation. The server private
    key is in the format of PKCS#8, while the certificates are X.509.
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
---
 dist-material/application.yml                      |  3 ++
 docker/oap-es7/docker-entrypoint.sh                |  3 ++
 docker/oap/docker-entrypoint.sh                    |  3 ++
 docs/en/setup/backend/grpc-ssl.md                  | 33 ++++++++++++++++++++++
 oap-server/pom.xml                                 |  2 +-
 .../src/main/resources/application.yml             |  3 ++
 .../oap/server/core/CoreModuleConfig.java          |  6 ++++
 .../oap/server/core/CoreModuleProvider.java        |  9 +++++-
 .../oap/server/library/server/grpc/GRPCServer.java |  3 +-
 pom.xml                                            |  2 +-
 10 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/dist-material/application.yml b/dist-material/application.yml
index 4067fef..9f021bf 100644
--- a/dist-material/application.yml
+++ b/dist-material/application.yml
@@ -59,6 +59,9 @@ core:
     restContextPath: ${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: ${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: ${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: ${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: ${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: ${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
       - Hour
       - Day
diff --git a/docker/oap-es7/docker-entrypoint.sh b/docker/oap-es7/docker-entrypoint.sh
index 54f508a..5f7427d 100755
--- a/docker/oap-es7/docker-entrypoint.sh
+++ b/docker/oap-es7/docker-entrypoint.sh
@@ -332,6 +332,9 @@ core:
     restContextPath: \${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: \${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: \${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: \${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: \${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: \${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
     - Hour
     - Day
diff --git a/docker/oap/docker-entrypoint.sh b/docker/oap/docker-entrypoint.sh
index 8e46901..2338aa9 100755
--- a/docker/oap/docker-entrypoint.sh
+++ b/docker/oap/docker-entrypoint.sh
@@ -333,6 +333,9 @@ core:
     restContextPath: \${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: \${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: \${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: \${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: \${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: \${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
     - Hour
     - Day
diff --git a/docs/en/setup/backend/grpc-ssl.md b/docs/en/setup/backend/grpc-ssl.md
new file mode 100644
index 0000000..d6f58d3
--- /dev/null
+++ b/docs/en/setup/backend/grpc-ssl.md
@@ -0,0 +1,33 @@
+#Support gRPC SSL transportation for OAP server
+
+For OAP communication we are currently using gRPC, a multi-platform RPC framework that uses protocol buffers for
+message serialization. The nice part about gRPC is that it promotes the use of SSL/TLS to authenticate and encrypt
+exchanges. Now OAP support to enable SSL transportation for gRPC receivers.
+
+You can follow below steps to enable this feature
+
+## Creating SSL/TLS Certificates
+
+It seems like step one is to generate certificates and key files for encrypting communication. I thought this would be
+fairly straightforward using `openssl` from the command line, However, it may be simpler to use
+[certstrap](https://github.com/square/certstrap), a simple certificate manager written in Go by the folks at Square.
+The app avoids dealing with `openssl`, but has a very simple workflow: create a certificate authority, sign certificates
+with it.
+
+After signing the certificates of OAP server, we should convert private key to a PKCS8 format before placing it into the host.
+
+```
+$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server-key.pem
+```
+
+## Config OAP server 
+
+You can enable gRPC SSL by add following lines to `application.yml/core/default`.
+```json
+gRPCSslEnabled: true
+gRPCSslKeyPath: /path/to/server-key.pem
+gRPCSslCertChainPath: /path/to/server.crt
+```
+
+If you port to java agent, refer to [TLS.md](../service-agent/java-agent/TLS.md) to config java agent to enable TLS.
+
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 88562cb..9dcb66f 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -58,7 +58,7 @@
         <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
         <graphql-java.version>8.0</graphql-java.version>
         <zookeeper.version>3.4.10</zookeeper.version>
-        <netty-tcnative-boringssl-static.version>2.0.7.Final</netty-tcnative-boringssl-static.version>
+        <netty-tcnative-boringssl-static.version>2.0.26.Final</netty-tcnative-boringssl-static.version>
         <jetty.version>9.4.2.v20170220</jetty.version>
         <h2.version>1.4.196</h2.version>
         <commons-dbcp.version>1.4</commons-dbcp.version>
diff --git a/oap-server/server-bootstrap/src/main/resources/application.yml b/oap-server/server-bootstrap/src/main/resources/application.yml
index 3d87b3e..82200e0 100755
--- a/oap-server/server-bootstrap/src/main/resources/application.yml
+++ b/oap-server/server-bootstrap/src/main/resources/application.yml
@@ -58,6 +58,9 @@ core:
     restContextPath: ${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: ${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: ${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: ${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: ${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: ${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
       - Hour
       - Day
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
index 5a08d62..35db625 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
@@ -44,6 +44,12 @@ public class CoreModuleConfig extends ModuleConfig {
     @Setter
     private int gRPCPort;
     @Setter
+    private boolean gRPCSslEnabled = false;
+    @Setter
+    private String gRPCSslKeyPath;
+    @Setter
+    private String gRPCSslCertChainPath;
+    @Setter
     private int maxConcurrentCallsPerConnection;
     @Setter
     private int maxMessageSize;
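Review bot: The three new fields gRPCSslEnabled, gRPCSslKeyPath and gRPCSslCertChainPath carry no documentation, so the contract that the provider relies on (both paths required when SSL is on, key in PEM-encoded PKCS#8, cert chain as PEM X.509) lives only in the commit message and the docs page. Suggest a Javadoc line on each, e.g. `/** Serve gRPC over TLS; requires gRPCSslKeyPath and gRPCSslCertChainPath. */`, `/** PEM-encoded PKCS#8 private key of the OAP server. */` and `/** PEM-encoded X.509 certificate chain of the OAP server. */`. The `= false` initializer on gRPCSslEnabled is redundant with the boolean field default and can be dropped to match the neighbouring fields. The class body continues outside the hunk, so the getters the provider calls (isGRPCSslEnabled, getGRPCSslKeyPath) are presumably generated by a class-level annotation not visible here.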
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
index 4175877..15293b2 100755
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
@@ -19,6 +19,7 @@
 package org.apache.skywalking.oap.server.core;
 
 import java.io.IOException;
+import java.nio.file.Paths;
 import org.apache.skywalking.oap.server.configuration.api.ConfigurationModule;
 import org.apache.skywalking.oap.server.configuration.api.DynamicConfigurationService;
 import org.apache.skywalking.oap.server.core.analysis.ApdexThresholdConfig;
@@ -166,7 +167,13 @@ public class CoreModuleProvider extends ModuleProvider {
             throw new ModuleStartException(e.getMessage(), e);
         }
 
-        grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort());
+        if (moduleConfig.isGRPCSslEnabled()) {
+            grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort(),
+                                        Paths.get(moduleConfig.getGRPCSslCertChainPath()).toFile(),
+                                        Paths.get(moduleConfig.getGRPCSslKeyPath()).toFile());
+        } else {
+            grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort());
+        }
         if (moduleConfig.getMaxConcurrentCallsPerConnection() > 0) {
             grpcServer.setMaxConcurrentCallsPerConnection(moduleConfig.getMaxConcurrentCallsPerConnection());
         }
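Review bot: When gRPCSslEnabled is true the SSL branch passes the two path strings straight to Paths.get without checking them, and the shipped defaults are the empty string, so a user who flips the flag without setting SW_CORE_GRPC_SSL_KEY_PATH / SW_CORE_GRPC_SSL_CERT_CHAIN_PATH gets an empty path (the working directory) handed to SslContextBuilder.forServer and a late, unclear failure instead of a configuration error at startup. Suggest validating both values before constructing the server and failing with a message naming the options; the surrounding code already throws ModuleStartException, though I cannot see from this hunk whether it has a single-argument constructor, so the example below assumes one. The enclosing method starts before and ends after this hunk.
```java
if (moduleConfig.isGRPCSslEnabled()) {
    String certChainPath = moduleConfig.getGRPCSslCertChainPath();
    String keyPath = moduleConfig.getGRPCSslKeyPath();
    if (certChainPath == null || certChainPath.isEmpty() || keyPath == null || keyPath.isEmpty()) {
        throw new ModuleStartException(
            "gRPCSslCertChainPath and gRPCSslKeyPath must be set when gRPCSslEnabled is true");
    }
    grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort(),
                                Paths.get(certChainPath).toFile(),
                                Paths.get(keyPath).toFile());
} else {
    // … unchanged: plaintext GRPCServer construction …
}
```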
diff --git a/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java b/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
index 031b2aa..452484f 100644
--- a/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
+++ b/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
@@ -84,8 +84,7 @@ public class GRPCServer implements Server {
      * @param privateKeyFile `server.pem` file
      */
     public GRPCServer(String host, int port, File certChainFile, File privateKeyFile) {
-        this.host = host;
-        this.port = port;
+        this(host, port);
         this.certChainFile = certChainFile;
         this.privateKeyFile = privateKeyFile;
         this.sslContextBuilder = SslContextBuilder.forServer(certChainFile, privateKeyFile);
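Review bot: The Javadoc for this constructor still describes privateKeyFile only as a "`server.pem` file", while SslContextBuilder.forServer(File, File) on the last line of the hunk expects a PEM-encoded PKCS#8 private key, which is exactly the conversion the commit message and the new docs page prescribe. Suggest tightening the tag to `@param privateKeyFile PEM-encoded PKCS#8 private key (the output of openssl pkcs8 -topk8), not the raw key certstrap produces` and likewise `@param certChainFile PEM-encoded X.509 certificate chain` so the requirement is visible at the call site. The delegation to `this(host, port)` is a good change; the Javadoc block and the rest of the class lie outside the hunk.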
diff --git a/pom.xml b/pom.xml
index 2cd9fcc..0cc76ca 100755
--- a/pom.xml
+++ b/pom.xml
@@ -195,7 +195,7 @@
         <protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>
         <com.google.protobuf.protoc.version>3.3.0</com.google.protobuf.protoc.version>
         <protoc-gen-grpc-java.plugin.version>1.8.0</protoc-gen-grpc-java.plugin.version>
-        <netty-tcnative-boringssl-static.version>2.0.25.Final</netty-tcnative-boringssl-static.version>
+        <netty-tcnative-boringssl-static.version>2.0.26.Final</netty-tcnative-boringssl-static.version>
 
         <!-- Plugin versions -->
         <docker.plugin.version>0.4.13</docker.plugin.version>