Posted to notifications@skywalking.apache.org by wu...@apache.org on 2020/12/23 23:58:27 UTC
[skywalking] branch master updated: Support building gRPC TLS
channel but CA file is not required (#6060)
This is an automated email from the ASF dual-hosted git repository.
wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new e739ca2 Support building gRPC TLS channel but CA file is not required (#6060)
e739ca2 is described below
commit e739ca22906479ce1cd2a2a99678a20da3be9399
Author: Neal Huang <yo...@gmail.com>
AuthorDate: Thu Dec 24 07:58:00 2020 +0800
Support building gRPC TLS channel but CA file is not required (#6060)
---
CHANGES.md | 1 +
.../java/org/apache/skywalking/apm/agent/core/conf/Config.java | 5 +++++
.../skywalking/apm/agent/core/remote/TLSChannelBuilder.java | 8 ++++++--
apm-sniffer/config/agent.config | 4 ++++
docs/en/setup/service-agent/java-agent/README.md | 1 +
docs/en/setup/service-agent/java-agent/TLS.md | 8 +++++---
6 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index bbb9659..33a9b2b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -21,6 +21,7 @@ Release Notes.
* Fix thrift plugin collects wrong args when the method without parameter.
* Fix DataCarrier's `org.apache.skywalking.apm.commons.datacarrier.buffer.Buffer` implementation isn't activated in `IF_POSSIBLE` mode.
* Fix ArrayBlockingQueueBuffer's useless `IF_POSSIBLE` mode list
+* Support building gRPC TLS channel but CA file is not required.
#### OAP-Backend
* Make meter receiver support MAL.
diff --git a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
index c2bfe05..36befca 100755
--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
@@ -124,6 +124,11 @@ public class Config {
* Keep tracing even the backend is not available.
*/
public static boolean KEEP_TRACING = false;
+
+ /**
+ * Force open TLS for gRPC channel if true.
+ */
+ public static boolean FORCE_TLS = false;
}
public static class OsInfo {
diff --git a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
index f272611..5a5e769 100644
--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
@@ -26,6 +26,7 @@ import java.io.File;
import javax.net.ssl.SSLException;
import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
+import org.apache.skywalking.apm.agent.core.conf.Config;
import org.apache.skywalking.apm.agent.core.conf.Constants;
/**
@@ -38,9 +39,12 @@ public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
public NettyChannelBuilder build(
NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
- if (caFile.exists() && caFile.isFile()) {
+ boolean isCAFileExist = caFile.exists() && caFile.isFile();
+ if (Config.Agent.FORCE_TLS || isCAFileExist) {
SslContextBuilder builder = GrpcSslContexts.forClient();
- builder.trustManager(caFile);
+ if (isCAFileExist) {
+ builder.trustManager(caFile);
+ }
managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
.sslContext(builder.build());
}
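Review bot: When `Config.Agent.FORCE_TLS` is true and no CA file exists, the `SslContextBuilder` from `GrpcSslContexts.forClient()` is built without a `trustManager`, so the server certificate is still verified, against whatever default trust store Netty/the JDK supplies (presumably the JVM's cacerts) rather than against the agent-shipped CA; a backend with a self-signed or private-CA certificate will therefore fail the handshake in this mode, as far as I can tell from the hunk. Nothing in the code, the `FORCE_TLS` Javadoc in Config.java, or the TLS.md wording "TLS with no CA mode" states this, and readers may assume verification is relaxed. I would add above the inner `if`: `// No CA file: trust is delegated to the default trust store, so the backend cert must chain to a system-trusted CA.` and say the same in the Config.java Javadoc and TLS.md. As a style point, `isCAFileExist` reads as a question; `boolean caFileExists = caFile.exists() && caFile.isFile();` and `if (Config.Agent.FORCE_TLS || caFileExists) {` follow the usual boolean naming. The `build` method's return statement lies below the hunk.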
diff --git a/apm-sniffer/config/agent.config b/apm-sniffer/config/agent.config
index 1ee8b86..b85ac3d 100644
--- a/apm-sniffer/config/agent.config
+++ b/apm-sniffer/config/agent.config
@@ -51,6 +51,10 @@ agent.service_name=${SW_AGENT_NAME:Your_ApplicationName}
# Notice, in the current practice, we don't recommend the length over 190.
# agent.operation_name_threshold=${SW_AGENT_OPERATION_NAME_THRESHOLD:150}
+# The agent use gRPC plain text in default.
+# If true, SkyWalking agent uses TLS even no CA file detected.
+# agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+
# If true, skywalking agent will enable profile when user create a new profile task. Otherwise disable profile.
# profile.active=${SW_AGENT_PROFILE_ACTIVE:true}
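Review bot: The two added comment lines have grammar slips that will be copied into user configs; I would change them to `# The agent uses gRPC plain text by default.` and `# If true, the agent uses TLS even when no CA file is detected.`. Leaving the example line itself commented out matches the surrounding entries, so only the wording needs the fix.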
diff --git a/docs/en/setup/service-agent/java-agent/README.md b/docs/en/setup/service-agent/java-agent/README.md
index 6bb00f0..a383302 100755
--- a/docs/en/setup/service-agent/java-agent/README.md
+++ b/docs/en/setup/service-agent/java-agent/README.md
@@ -86,6 +86,7 @@ property key | Description | Default |
`agent.force_reconnection_period `|Force reconnection period of grpc, based on grpc_channel_check_interval.|`1`|
`agent.operation_name_threshold `|The operationName max length, setting this value > 190 is not recommended.|`150`|
`agent.keep_tracing`|Keep tracing even the backend is not available if this value is `true`.|`false`|
+`agent.force_tls`|Force open TLS for gRPC channel if this value is `true`.|`false`|
`osinfo.ipv4_list_size`| Limit the length of the ipv4 list size. |`10`|
`collector.grpc_channel_check_interval`|grpc channel status check interval.|`30`|
`collector.heartbeat_period`|agent heartbeat report period. Unit, second.|`30`|
diff --git a/docs/en/setup/service-agent/java-agent/TLS.md b/docs/en/setup/service-agent/java-agent/TLS.md
index 1815c3e..d022e15 100644
--- a/docs/en/setup/service-agent/java-agent/TLS.md
+++ b/docs/en/setup/service-agent/java-agent/TLS.md
@@ -19,6 +19,8 @@ Only support **no mutual auth**.
### Agent config
- Place `ca.crt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.
-Agent open TLS automatically after the `/ca/ca.crt` file detected.
-
-o make sure can't access other ports out of region (VPC), such as firewall, proxy.
\ No newline at end of file
+- Agent open TLS automatically after the `/ca/ca.crt` file detected.
+- TLS with no CA mode could be activated by this setting.
+```
+agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+```