Support TLS.

.github/workflows/rust.yml

@@ -30,7 +30,7 @@ env:
   RUSTFLAGS: "-D warnings"
   LLVM_CONFIG_PATH: llvm-config-10
   RUST_STABLE_TOOLCHAIN: "1.65"
-  RUST_NIGHTLY_TOOLCHAIN: "nightly-2023-01-11"
+  RUST_NIGHTLY_TOOLCHAIN: "nightly-2023-01-28"
 
 jobs:
   required:

.rustfmt.toml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-fn_args_layout = "Compressed"
+fn_params_layout = "Compressed"
 format_code_in_doc_comments = true
 format_macro_bodies = true
 format_macro_matchers = true

Cargo.toml

@@ -52,7 +52,7 @@ systemstat = "0.2.2"
 thiserror = "1.0.38"
 tokio = { version = "1.24.1", features = ["full"] }
 tokio-stream = "0.1.11"
-tonic = "0.8.3"
+tonic = { version = "0.8.3", features = ["tls"] }
 tracing = { version = "0.1.37", features = ["attributes"] }
 tracing-appender = "0.2.2"
 tracing-subscriber = "0.3.16"

docs/en/setup/service-agent/php-agent/README.md

@@ -68,7 +68,7 @@ skywalking_agent.log_file = /tmp/skywalking-agent.log
 skywalking_agent.log_level = INFO
 
 ; Address of skywalking oap server.
-skywalking_agent.server_addr = http://0.0.0.0:11800
+skywalking_agent.server_addr = 127.0.0.1:11800
 
 ; Application service name.
 skywalking_agent.service_name = hello-skywalking
@@ -84,4 +84,16 @@ skywalking_agent.skywalking_version = 8
 
 ; Skywalking agent runtime directory, default is /tmp/skywalking-agent.
 ; skywalking_agent.runtime_dir = /tmp/skywalking-agent
+
+; Wether to enable tls for gPRC, default is false.
+; skywalking_agent.enable_tls = Off
+
+; The gRPC SSL trusted ca file.
+; skywalking_agent.ssl_trusted_ca_path =
+
+; The private key file. Enable mTLS when ssl_key_path and ssl_cert_chain_path exist.
+; skywalking_agent.ssl_key_path =
+
+; The certificate file. Enable mTLS when ssl_key_path and ssl_cert_chain_path exist.
+; skywalking_agent.ssl_cert_chain_path =
 ```

src/lib.rs

@@ -60,6 +60,20 @@ const SKYWALKING_AGENT_RUNTIME_DIR: &str = "skywalking_agent.runtime_dir";
 /// Skywalking agent authentication token.
 const SKYWALKING_AGENT_AUTHENTICATION: &str = "skywalking_agent.authentication";
 
+/// Wether to enable tls for gPRC.
+const SKYWALKING_AGENT_ENABLE_TLS: &str = "skywalking_agent.enable_tls";
+
+/// The gRPC SSL trusted ca file.
+const SKYWALKING_AGENT_SSL_TRUSTED_CA_PATH: &str = "skywalking_agent.ssl_trusted_ca_path";
+
+/// The private key file. Enable mTLS when ssl_key_path and ssl_cert_chain_path
+/// exist.
+const SKYWALKING_AGENT_SSL_KEY_PATH: &str = "skywalking_agent.ssl_key_path";
+
+/// The certificate file. Enable mTLS when ssl_key_path and ssl_cert_chain_path
+/// exist.
+const SKYWALKING_AGENT_SSL_CERT_CHAIN_PATH: &str = "skywalking_agent.ssl_cert_chain_path";
+
 #[php_get_module]
 pub fn get_module() -> Module {
     let mut module = Module::new(
@@ -73,7 +87,7 @@ pub fn get_module() -> Module {
     module.add_ini(SKYWALKING_AGENT_SKYWALKING_VERSION, 8i64, Policy::System);
     module.add_ini(
         SKYWALKING_AGENT_SERVER_ADDR,
-        "http://127.0.0.1:11800".to_string(),
+        "127.0.0.1:11800".to_string(),
         Policy::System,
     );
     module.add_ini(
@@ -102,6 +116,22 @@ pub fn get_module() -> Module {
         "".to_string(),
         Policy::System,
     );
+    module.add_ini(SKYWALKING_AGENT_ENABLE_TLS, false, Policy::System);
+    module.add_ini(
+        SKYWALKING_AGENT_SSL_TRUSTED_CA_PATH,
+        "".to_string(),
+        Policy::System,
+    );
+    module.add_ini(
+        SKYWALKING_AGENT_SSL_KEY_PATH,
+        "".to_string(),
+        Policy::System,
+    );
+    module.add_ini(
+        SKYWALKING_AGENT_SSL_CERT_CHAIN_PATH,
+        "".to_string(),
+        Policy::System,
+    );
 
     // Hooks.
     module.on_module_init(module::init);

src/module.rs

@@ -18,9 +18,11 @@ use crate::{
     execute::register_execute_functions,
     util::{get_sapi_module_name, IPS},
     worker::init_worker,
-    SKYWALKING_AGENT_AUTHENTICATION, SKYWALKING_AGENT_ENABLE, SKYWALKING_AGENT_LOG_FILE,
-    SKYWALKING_AGENT_LOG_LEVEL, SKYWALKING_AGENT_RUNTIME_DIR, SKYWALKING_AGENT_SERVICE_NAME,
-    SKYWALKING_AGENT_SKYWALKING_VERSION,
+    SKYWALKING_AGENT_AUTHENTICATION, SKYWALKING_AGENT_ENABLE, SKYWALKING_AGENT_ENABLE_TLS,
+    SKYWALKING_AGENT_LOG_FILE, SKYWALKING_AGENT_LOG_LEVEL, SKYWALKING_AGENT_RUNTIME_DIR,
+    SKYWALKING_AGENT_SERVICE_NAME, SKYWALKING_AGENT_SKYWALKING_VERSION,
+    SKYWALKING_AGENT_SSL_CERT_CHAIN_PATH, SKYWALKING_AGENT_SSL_KEY_PATH,
+    SKYWALKING_AGENT_SSL_TRUSTED_CA_PATH,
 };
 use once_cell::sync::Lazy;
 use phper::{arrays::ZArr, ini::ini_get, sys};
@@ -37,7 +39,7 @@ use std::{
     str::FromStr,
     time::SystemTime,
 };
-use tracing::{error, info, metadata::LevelFilter};
+use tracing::{debug, error, info, metadata::LevelFilter};
 use tracing_subscriber::FmtSubscriber;
 
 pub static SERVICE_NAME: Lazy<String> = Lazy::new(|| {
@@ -84,13 +86,37 @@ pub static AUTHENTICATION: Lazy<String> = Lazy::new(|| {
         .unwrap_or_default()
 });
 
+pub static ENABLE_TLS: Lazy<bool> = Lazy::new(|| ini_get::<bool>(SKYWALKING_AGENT_ENABLE_TLS));
+
+pub static SSL_TRUSTED_CA_PATH: Lazy<String> = Lazy::new(|| {
+    ini_get::<Option<&CStr>>(SKYWALKING_AGENT_SSL_TRUSTED_CA_PATH)
+        .and_then(|s| s.to_str().ok())
+        .map(ToOwned::to_owned)
+        .unwrap_or_default()
+});
+
+pub static SSL_KEY_PATH: Lazy<String> = Lazy::new(|| {
+    ini_get::<Option<&CStr>>(SKYWALKING_AGENT_SSL_KEY_PATH)
+        .and_then(|s| s.to_str().ok())
+        .map(ToOwned::to_owned)
+        .unwrap_or_default()
+});
+
+pub static SSL_CERT_CHAIN_PATH: Lazy<String> = Lazy::new(|| {
+    ini_get::<Option<&CStr>>(SKYWALKING_AGENT_SSL_CERT_CHAIN_PATH)
+        .and_then(|s| s.to_str().ok())
+        .map(ToOwned::to_owned)
+        .unwrap_or_default()
+});
+
 pub fn init() {
     if !is_enable() {
         return;
     }
 
     init_logger();
 
+    // Skywalking agent info.
     let service_name = Lazy::force(&SERVICE_NAME);
     let service_instance = Lazy::force(&SERVICE_INSTANCE);
     let skywalking_version = Lazy::force(&SKYWALKING_VERSION);
@@ -100,7 +126,7 @@ pub fn init() {
         service_instance, skywalking_version, authentication, "Starting skywalking agent"
     );
 
-    // Skywalking version check
+    // Skywalking version check.
     if *skywalking_version < 8 {
         error!(
             skywalking_version,
@@ -109,6 +135,17 @@ pub fn init() {
         return;
     }
 
+    // Initialize TLS if enabled.
+    let enable_tls = Lazy::force(&ENABLE_TLS);
+    let ssl_trusted_ca_path = Lazy::force(&SSL_TRUSTED_CA_PATH);
+    let ssl_key_path = Lazy::force(&SSL_KEY_PATH);
+    let ssl_cert_chain_path = Lazy::force(&SSL_CERT_CHAIN_PATH);
+    debug!(
+        enable_tls,
+        ssl_trusted_ca_path, ssl_key_path, ssl_cert_chain_path, "Skywalking TLS info"
+    );
+
+    // Initialize runtime directory.
     if RUNTIME_DIR.as_os_str().is_empty() {
         error!("The skywalking agent runtime directory must not be empty");
         return;
@@ -118,6 +155,7 @@ pub fn init() {
         return;
     }
 
+    // Initialize Agent worker.
     Lazy::force(&SOCKET_FILE_PATH);
     init_worker();
 
@@ -127,6 +165,7 @@ pub fn init() {
         Reporter::new(&*SOCKET_FILE_PATH),
     ));
 
+    // Hook functions.
     register_execute_functions();
 }