Posted to notifications@skywalking.apache.org by ha...@apache.org on 2020/03/09 09:14:06 UTC

[skywalking] 01/01: Enable OAP gRPC SSL transportation

This is an automated email from the ASF dual-hosted git repository.

hanahmily pushed a commit to branch oap-ssl
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit 156196dd8ef3ef432f8e849a9f828e235a6a9b82
Author: Gao Hongtao <ha...@gmail.com>
AuthorDate: Mon Mar 9 17:07:19 2020 +0800

    Enable OAP gRPC SSL transportation
    
    Porting to OpenSSL to enable SSL transportation. The server private
    key is in PKCS#8 format; certificates are X.509.
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
---
 dist-material/application.yml                      |  3 ++
 docker/oap-es7/docker-entrypoint.sh                |  3 ++
 docker/oap/docker-entrypoint.sh                    |  3 ++
 docs/en/setup/backend/grpc-ssl.md                  | 33 ++++++++++++++++++++++
 oap-server/pom.xml                                 |  2 +-
 .../src/main/resources/application.yml             |  3 ++
 .../oap/server/core/CoreModuleConfig.java          |  6 ++++
 .../oap/server/core/CoreModuleProvider.java        |  9 +++++-
 .../oap/server/library/server/grpc/GRPCServer.java |  3 +-
 pom.xml                                            |  2 +-
 10 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/dist-material/application.yml b/dist-material/application.yml
index 4067fef..9f021bf 100644
--- a/dist-material/application.yml
+++ b/dist-material/application.yml
@@ -59,6 +59,9 @@ core:
     restContextPath: ${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: ${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: ${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: ${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: ${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: ${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
       - Hour
       - Day
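Review bot: The three new keys have no inline documentation of what the files must contain, even though the commit message and the new docs page are specific about it (unencrypted PKCS#8 key, X.509 certificate chain), so an operator editing this template has to leave the file to find out. A comment above `gRPCSslKeyPath` such as `# PEM-encoded X.509 certificate chain and an unencrypted PKCS#8 PEM private key; both are required when gRPCSslEnabled is true. See docs/en/setup/backend/grpc-ssl.md` would cover it. The same applies to the identical hunks in docker/oap-es7/docker-entrypoint.sh, docker/oap/docker-entrypoint.sh and oap-server/server-bootstrap/src/main/resources/application.yml.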
diff --git a/docker/oap-es7/docker-entrypoint.sh b/docker/oap-es7/docker-entrypoint.sh
index 54f508a..5f7427d 100755
--- a/docker/oap-es7/docker-entrypoint.sh
+++ b/docker/oap-es7/docker-entrypoint.sh
@@ -332,6 +332,9 @@ core:
     restContextPath: \${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: \${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: \${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: \${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: \${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: \${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
     - Hour
     - Day
diff --git a/docker/oap/docker-entrypoint.sh b/docker/oap/docker-entrypoint.sh
index 8e46901..2338aa9 100755
--- a/docker/oap/docker-entrypoint.sh
+++ b/docker/oap/docker-entrypoint.sh
@@ -333,6 +333,9 @@ core:
     restContextPath: \${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: \${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: \${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: \${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: \${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: \${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
     - Hour
     - Day
diff --git a/docs/en/setup/backend/grpc-ssl.md b/docs/en/setup/backend/grpc-ssl.md
new file mode 100644
index 0000000..d6f58d3
--- /dev/null
+++ b/docs/en/setup/backend/grpc-ssl.md
@@ -0,0 +1,33 @@
+#Support gRPC SSL transportation for OAP server
+
+For OAP communication we are currently using gRPC, a multi-platform RPC framework that uses protocol buffers for
+message serialization. The nice part about gRPC is that it promotes the use of SSL/TLS to authenticate and encrypt
+exchanges. Now OAP support to enable SSL transportation for gRPC receivers.
+
+You can follow below steps to enable this feature
+
+## Creating SSL/TLS Certificates
+
+It seems like step one is to generate certificates and key files for encrypting communication. I thought this would be
+fairly straightforward using `openssl` from the command line, However, it may be simpler to use
+[certstrap](https://github.com/square/certstrap), a simple certificate manager written in Go by the folks at Square.
+The app avoids dealing with `openssl`, but has a very simple workflow: create a certificate authority, sign certificates
+with it.
+
+After signing the certificates of OAP server, we should convert private key to a PKCS8 format before placing it into the host.
+
+```
+$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server.key -out server-key.pem
+```
+
+## Config OAP server 
+
+You can enable gRPC SSL by add following lines to `application.yml/core/default`.
+```json
+gRPCSslEnabled: true
+gRPCSslKeyPath: /path/to/server-key.pem
+gRPCSslCertChainPath: /path/to/server.crt
+```
+
+If you port to java agent, refer to [TLS.md](../service-agent/java-agent/TLS.md) to config java agent to enable TLS.
+
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 88562cb..9dcb66f 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -58,7 +58,7 @@
         <graphql-java-tools.version>5.2.3</graphql-java-tools.version>
         <graphql-java.version>8.0</graphql-java.version>
         <zookeeper.version>3.4.10</zookeeper.version>
-        <netty-tcnative-boringssl-static.version>2.0.7.Final</netty-tcnative-boringssl-static.version>
+        <netty-tcnative-boringssl-static.version>2.0.26.Final</netty-tcnative-boringssl-static.version>
         <jetty.version>9.4.2.v20170220</jetty.version>
         <h2.version>1.4.196</h2.version>
         <commons-dbcp.version>1.4</commons-dbcp.version>
diff --git a/oap-server/server-bootstrap/src/main/resources/application.yml b/oap-server/server-bootstrap/src/main/resources/application.yml
index 3d87b3e..82200e0 100755
--- a/oap-server/server-bootstrap/src/main/resources/application.yml
+++ b/oap-server/server-bootstrap/src/main/resources/application.yml
@@ -58,6 +58,9 @@ core:
     restContextPath: ${SW_CORE_REST_CONTEXT_PATH:/}
     gRPCHost: ${SW_CORE_GRPC_HOST:0.0.0.0}
     gRPCPort: ${SW_CORE_GRPC_PORT:11800}
+    gRPCSslEnabled: ${SW_CORE_GRPC_SSL_ENABLED:false}
+    gRPCSslKeyPath: ${SW_CORE_GRPC_SSL_KEY_PATH:""}
+    gRPCSslCertChainPath: ${SW_CORE_GRPC_SSL_CERT_CHAIN_PATH:""}
     downsampling:
       - Hour
       - Day
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
index 5a08d62..35db625 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleConfig.java
@@ -44,6 +44,12 @@ public class CoreModuleConfig extends ModuleConfig {
     @Setter
     private int gRPCPort;
     @Setter
+    private boolean gRPCSslEnabled = false;
+    @Setter
+    private String gRPCSslKeyPath;
+    @Setter
+    private String gRPCSslCertChainPath;
+    @Setter
     private int maxConcurrentCallsPerConnection;
     @Setter
     private int maxMessageSize;
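Review bot: The new SSL fields are undocumented, and `gRPCSslKeyPath`/`gRPCSslCertChainPath` are the only fields in this hunk whose accepted values are not obvious from the type, so the format constraint stated in the commit message is lost at the point where the config is defined. Suggested comments above the two fields: `// Path to the PEM-encoded X.509 certificate chain presented by the gRPC server` and `// Path to the server's unencrypted PKCS#8 PEM private key; only read when gRPCSslEnabled is true`. As a point of style, `private boolean gRPCSslEnabled = false;` can drop the initializer, since `false` is already the default for a boolean field and the neighbouring fields rely on defaults. The enclosing class continues outside the hunk.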
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
index 4175877..15293b2 100755
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/CoreModuleProvider.java
@@ -19,6 +19,7 @@
 package org.apache.skywalking.oap.server.core;
 
 import java.io.IOException;
+import java.nio.file.Paths;
 import org.apache.skywalking.oap.server.configuration.api.ConfigurationModule;
 import org.apache.skywalking.oap.server.configuration.api.DynamicConfigurationService;
 import org.apache.skywalking.oap.server.core.analysis.ApdexThresholdConfig;
@@ -166,7 +167,13 @@ public class CoreModuleProvider extends ModuleProvider {
             throw new ModuleStartException(e.getMessage(), e);
         }
 
-        grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort());
+        if (moduleConfig.isGRPCSslEnabled()) {
+            grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort(),
+                                        Paths.get(moduleConfig.getGRPCSslCertChainPath()).toFile(),
+                                        Paths.get(moduleConfig.getGRPCSslKeyPath()).toFile());
+        } else {
+            grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort());
+        }
         if (moduleConfig.getMaxConcurrentCallsPerConnection() > 0) {
             grpcServer.setMaxConcurrentCallsPerConnection(moduleConfig.getMaxConcurrentCallsPerConnection());
         }
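Review bot: When `isGRPCSslEnabled()` is true the new branch passes `getGRPCSslCertChainPath()` and `getGRPCSslKeyPath()` straight into `Paths.get(...)` without checking that they are set or point at readable files, although the shipped defaults for both are empty. A misconfiguration is then only surfaced later, by whichever component first builds the `SslContextBuilder`, with an error that does not name the offending setting; the provider already has a `ModuleStartException` path two lines above the hunk that would give a clear startup failure instead. The rewrite below validates both paths before constructing the server (it needs `java.io.File` in scope). The enclosing method starts and ends outside the hunk.
```java
        if (moduleConfig.isGRPCSslEnabled()) {
            final String certChainPath = moduleConfig.getGRPCSslCertChainPath();
            final String keyPath = moduleConfig.getGRPCSslKeyPath();
            if (certChainPath == null || certChainPath.isEmpty() || keyPath == null || keyPath.isEmpty()) {
                throw new ModuleStartException(
                    "gRPCSslEnabled is true but gRPCSslCertChainPath or gRPCSslKeyPath is not set");
            }
            final File certChainFile = Paths.get(certChainPath).toFile();
            final File privateKeyFile = Paths.get(keyPath).toFile();
            if (!certChainFile.isFile() || !certChainFile.canRead()
                || !privateKeyFile.isFile() || !privateKeyFile.canRead()) {
                throw new ModuleStartException("gRPC SSL certificate chain or private key is not a readable file: "
                    + certChainFile + ", " + privateKeyFile);
            }
            grpcServer = new GRPCServer(moduleConfig.getGRPCHost(), moduleConfig.getGRPCPort(),
                                        certChainFile, privateKeyFile);
        } else {
            // … unchanged: plaintext GRPCServer construction …
        }
```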
diff --git a/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java b/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
index 031b2aa..452484f 100644
--- a/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
+++ b/oap-server/server-library/library-server/src/main/java/org/apache/skywalking/oap/server/library/server/grpc/GRPCServer.java
@@ -84,8 +84,7 @@ public class GRPCServer implements Server {
      * @param privateKeyFile `server.pem` file
      */
     public GRPCServer(String host, int port, File certChainFile, File privateKeyFile) {
-        this.host = host;
-        this.port = port;
+        this(host, port);
         this.certChainFile = certChainFile;
         this.privateKeyFile = privateKeyFile;
         this.sslContextBuilder = SslContextBuilder.forServer(certChainFile, privateKeyFile);
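Review bot: The Javadoc context line `@param privateKeyFile `server.pem` file` describes only a file name, while the commit message makes a stricter requirement the constructor relies on: the key handed to `SslContextBuilder.forServer(certChainFile, privateKeyFile)` must be an unencrypted PKCS#8 PEM, and a key in another format will fail only when the context is built, outside this constructor. Suggested replacement: `@param privateKeyFile PEM file holding the server's private key, unencrypted and in PKCS#8 format (e.g. converted with `openssl pkcs8 -topk8 -nocrypt`)`, with the `certChainFile` parameter documented as the PEM-encoded X.509 certificate chain. Delegating to `this(host, port)` is an improvement over the duplicated assignments, but since that constructor's body is outside the hunk it is worth confirming it does not initialise `sslContextBuilder` itself, as the assignment here would then silently overwrite it. The constructor continues outside the hunk.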
diff --git a/pom.xml b/pom.xml
index 2cd9fcc..0cc76ca 100755
--- a/pom.xml
+++ b/pom.xml
@@ -195,7 +195,7 @@
         <protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>
         <com.google.protobuf.protoc.version>3.3.0</com.google.protobuf.protoc.version>
         <protoc-gen-grpc-java.plugin.version>1.8.0</protoc-gen-grpc-java.plugin.version>
-        <netty-tcnative-boringssl-static.version>2.0.25.Final</netty-tcnative-boringssl-static.version>
+        <netty-tcnative-boringssl-static.version>2.0.26.Final</netty-tcnative-boringssl-static.version>
 
         <!-- Plugin versions -->
         <docker.plugin.version>0.4.13</docker.plugin.version>