Posted to notifications@skywalking.apache.org by wu...@apache.org on 2020/12/23 23:58:27 UTC

[skywalking] branch master updated: Support building gRPC TLS channel but CA file is not required (#6060)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new e739ca2  Support building gRPC TLS channel but CA file is not required (#6060)
e739ca2 is described below

commit e739ca22906479ce1cd2a2a99678a20da3be9399
Author: Neal Huang <yo...@gmail.com>
AuthorDate: Thu Dec 24 07:58:00 2020 +0800

    Support building gRPC TLS channel but CA file is not required (#6060)
---
 CHANGES.md                                                        | 1 +
 .../java/org/apache/skywalking/apm/agent/core/conf/Config.java    | 5 +++++
 .../skywalking/apm/agent/core/remote/TLSChannelBuilder.java       | 8 ++++++--
 apm-sniffer/config/agent.config                                   | 4 ++++
 docs/en/setup/service-agent/java-agent/README.md                  | 1 +
 docs/en/setup/service-agent/java-agent/TLS.md                     | 8 +++++---
 6 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index bbb9659..33a9b2b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -21,6 +21,7 @@ Release Notes.
 * Fix thrift plugin collects wrong args when the method without parameter.
 * Fix DataCarrier's `org.apache.skywalking.apm.commons.datacarrier.buffer.Buffer` implementation isn't activated in `IF_POSSIBLE` mode.
 * Fix ArrayBlockingQueueBuffer's useless `IF_POSSIBLE` mode list
+* Support building gRPC TLS channel but CA file is not required.
 
 #### OAP-Backend
 * Make meter receiver support MAL.
diff --git a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
index c2bfe05..36befca 100755
--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
@@ -124,6 +124,11 @@ public class Config {
          * Keep tracing even the backend is not available.
          */
         public static boolean KEEP_TRACING = false;
+
+        /**
+         * Force open TLS for gRPC channel if true.
+         */
+        public static boolean FORCE_TLS = false;
     }
 
     public static class OsInfo {
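Review bot: The Javadoc on the new `FORCE_TLS` field says only "Force open TLS", but the property's real effect is what the agent trusts when no CA file is present, and that is left undocumented. With `FORCE_TLS` set and no `/ca/ca.crt`, `TLSChannelBuilder` builds the `SslContext` without calling `trustManager(...)`, so — as far as I can tell from the gRPC/Netty defaults, please confirm — the server certificate is validated against the JVM's default trust store rather than verification being skipped. Suggest `/** Force TLS for the gRPC channel even when no CA file is found under the agent package; without a CA file the server certificate is validated against the JVM default trust store. */`. The same clarification belongs in the `agent.config` comment and in the TLS.md "no CA mode" wording, which as written could be read as disabling certificate verification.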
diff --git a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
index f272611..5a5e769 100644
--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
@@ -26,6 +26,7 @@ import java.io.File;
 import javax.net.ssl.SSLException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
+import org.apache.skywalking.apm.agent.core.conf.Config;
 import org.apache.skywalking.apm.agent.core.conf.Constants;
 
 /**
@@ -38,9 +39,12 @@ public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
     public NettyChannelBuilder build(
         NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
         File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
-        if (caFile.exists() && caFile.isFile()) {
+        boolean isCAFileExist = caFile.exists() && caFile.isFile();
+        if (Config.Agent.FORCE_TLS || isCAFileExist) {
             SslContextBuilder builder = GrpcSslContexts.forClient();
-            builder.trustManager(caFile);
+            if (isCAFileExist) {
+                builder.trustManager(caFile);
+            }
             managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
                                                          .sslContext(builder.build());
         }
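Review bot: The new local `isCAFileExist` reads as a predicate rather than a state; `caFileExists` matches the neighbouring `caFile` and Java naming convention. The branch that skips `builder.trustManager(caFile)` is the security-relevant part of this change and deserves a why-comment, e.g. `// No CA file: SslContextBuilder presumably falls back to the default trust manager (JVM trust store), so the server certificate is still verified — confirm against the Netty defaults`. It would also help operators to log which of the two modes was chosen at startup, because a missing or misplaced `ca.crt` now silently changes what the agent trusts instead of falling back to plaintext; I cannot see from the hunk whether a logger is available in this class. The `build` method's return is outside the hunk.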
diff --git a/apm-sniffer/config/agent.config b/apm-sniffer/config/agent.config
index 1ee8b86..b85ac3d 100644
--- a/apm-sniffer/config/agent.config
+++ b/apm-sniffer/config/agent.config
@@ -51,6 +51,10 @@ agent.service_name=${SW_AGENT_NAME:Your_ApplicationName}
 # Notice, in the current practice, we don't recommend the length over 190.
 # agent.operation_name_threshold=${SW_AGENT_OPERATION_NAME_THRESHOLD:150}
 
+# The agent use gRPC plain text in default.
+# If true, SkyWalking agent uses TLS even no CA file detected.
+# agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+
 # If true, skywalking agent will enable profile when user create a new profile task. Otherwise disable profile.
 # profile.active=${SW_AGENT_PROFILE_ACTIVE:true}
 
diff --git a/docs/en/setup/service-agent/java-agent/README.md b/docs/en/setup/service-agent/java-agent/README.md
index 6bb00f0..a383302 100755
--- a/docs/en/setup/service-agent/java-agent/README.md
+++ b/docs/en/setup/service-agent/java-agent/README.md
@@ -86,6 +86,7 @@ property key | Description | Default |
 `agent.force_reconnection_period `|Force reconnection period of grpc, based on grpc_channel_check_interval.|`1`|
 `agent.operation_name_threshold `|The operationName max length, setting this value > 190 is not recommended.|`150`|
 `agent.keep_tracing`|Keep tracing even the backend is not available if this value is `true`.|`false`|
+`agent.force_tls`|Force open TLS for gRPC channel if this value is `true`.|`false`|
 `osinfo.ipv4_list_size`| Limit the length of the ipv4 list size. |`10`|
 `collector.grpc_channel_check_interval`|grpc channel status check interval.|`30`|
 `collector.heartbeat_period`|agent heartbeat report period. Unit, second.|`30`|
diff --git a/docs/en/setup/service-agent/java-agent/TLS.md b/docs/en/setup/service-agent/java-agent/TLS.md
index 1815c3e..d022e15 100644
--- a/docs/en/setup/service-agent/java-agent/TLS.md
+++ b/docs/en/setup/service-agent/java-agent/TLS.md
@@ -19,6 +19,8 @@ Only support **no mutual auth**.
 ### Agent config
 - Place `ca.crt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.
 
-Agent open TLS automatically after the `/ca/ca.crt` file detected.
-
-o make sure can't access other ports out of region (VPC), such as firewall, proxy.
\ No newline at end of file
+- Agent open TLS automatically after the `/ca/ca.crt` file detected.
+- TLS with no CA mode could be activated by this setting.
+```
+agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+```