Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support mTLS in gRPC exporters #927

Merged
merged 5 commits into from May 8, 2020
Merged

Support mTLS in gRPC exporters #927

merged 5 commits into from May 8, 2020

Conversation

pavolloffay
Copy link
Member

Description:

Support mutual TLS in gRPC exporters.

Other notable changes:

  • TLS config moved to a separate struct
  • go field CertPemFile renamed to CaCert, the config property wasn't changed.

Link to tracking Issue:

Testing: < Describe what testing was performed and which tests were added.>

Documentation: < Describe the documentation added.>

@pavolloffay
Support mTLS in gRPC exporters
0dc4b73 
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@pavolloffay
Rename to CaCert
bde618b 
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@pavolloffay
Add tests
d820d39 
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@pavolloffay pavolloffay mentioned this pull request May 7, 2020
Closed
@pavolloffay
Fix lint
1038050 
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
pavolloffay
pavolloffay commented May 7, 2020
View reviewed changes
config/configgrpc/configgrpc.go
type TLSConfig struct {
// Root CA certificate file for TLS credentials of gRPC client. Should
// only be used if `secure` is set to true.
CaCert string `mapstructure:"cert_pem_file"`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config property name hasn't been changed.

Can we make a breaking change and change it to include ca in name? e.g ca_cert_pem_file? Or just ca_cert?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably do that in a separate PR.

This is a breaking change when it comes to the code (not configuration) so you will need to followup with a PR in the collector-contrib where you update otel version (using make, see the rule there) and update all the code. Also need to make a quick announcement on the gitter, so if there are others who depend on this they know about this change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmitryax updated OTEL collector in the contrib in PR https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/220/files#diff-993db3ecf423549b9fcb5b7e4d195efeR10.

That corresponds to 80ee563 that landed to master after this PR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bogdandrutu ping me if there is anything I can do more. The refactoring/unifying of the TLS spec will be done in #933

bogdandrutu
bogdandrutu reviewed May 7, 2020
View reviewed changes
config/configgrpc/configgrpc.go
type TLSConfig struct {
// Root CA certificate file for TLS credentials of gRPC client. Should
// only be used if `secure` is set to true.
CaCert string `mapstructure:"cert_pem_file"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can probably do that in a separate PR.

This is a breaking change when it comes to the code (not configuration) so you will need to followup with a PR in the collector-contrib where you update otel version (using make, see the rule there) and update all the code. Also need to make a quick announcement on the gitter, so if there are others who depend on this they know about this change.

config/configgrpc/configgrpc.go Outdated
@@ -110,3 +125,56 @@ func GrpcSettingsToDialOptions(settings GRPCSettings) ([]grpc.DialOption, error)

return opts, nil
}

// Config loads TLS certificates and returns a TLS Config.
func (c TLSConfig) Config() (*tls.Config, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe LoadConfig? or ToCryptoTlsConfig

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like more load as it really loads it.

@pavolloffay
rename load func
924bca0 
Signed-off-by: Pavol Loffay <ploffay@redhat.com>
@pavolloffay
Copy link
Member Author

@bogdandrutu PR updated. Once this is merged I will open a PR to the contrib to update the code there and announce on the gitter channel.

bogdandrutu
bogdandrutu approved these changes May 8, 2020
View reviewed changes
config/configgrpc/configgrpc.go
@@ -62,6 +57,26 @@ type GRPCSettings struct {
WaitForReady bool `mapstructure:"wait_for_ready"`
}

// TLSConfig exposes client TLS configuration.
type TLSConfig struct {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QQ: should this be moved in a package configtls in order to be shared with other protocols that support tls?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also I feel that we are inconsistent between calling the structs settings vs config. May be done in a separate PR

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to this request - I'm working on adding mTLS for receivers/exporters that use HTTP.

@bogdandrutu bogdandrutu mentioned this pull request May 8, 2020
Merged
@ccaraman
Copy link
Contributor

ccaraman commented May 8, 2020

One structural question - There are TLS config options under https://github.com/open-telemetry/opentelemetry-collector/blob/master/receiver/securereceiverconfig.go Should all TLS option then fall under config/...

@jrcamp jrcamp mentioned this pull request May 8, 2020
Closed
@bogdandrutu
Copy link
Member

Going to merge this since we have a separate issue to track the merging of configs. #933

@bogdandrutu bogdandrutu merged commit 7956aa7 into open-telemetry:master May 8, 2020
@flands flands added this to the Beta 0.4 milestone Jun 4, 2020
wyTrivail pushed a commit to mxiamxia/opentelemetry-collector that referenced this pull request Jul 13, 2020
@pavolloffay @wyTrivail
Support mTLS in gRPC exporters (open-telemetry#927)
1389ca3 
* Support mTLS in gRPC exporters

Signed-off-by: Pavol Loffay <ploffay@redhat.com>

* Rename to CaCert

Signed-off-by: Pavol Loffay <ploffay@redhat.com>

* Add tests

Signed-off-by: Pavol Loffay <ploffay@redhat.com>

* Fix lint

Signed-off-by: Pavol Loffay <ploffay@redhat.com>

* rename load func

Signed-off-by: Pavol Loffay <ploffay@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bogdandrutu bogdandrutu bogdandrutu approved these changes

@ccaraman ccaraman ccaraman left review comments

@dmitryax dmitryax Awaiting requested review from dmitryax

@flands flands Awaiting requested review from flands

@owais owais Awaiting requested review from owais

@pjanotti pjanotti Awaiting requested review from pjanotti

@rghetia rghetia Awaiting requested review from rghetia

@songy23 songy23 Awaiting requested review from songy23

@tigrannajaryan tigrannajaryan Awaiting requested review from tigrannajaryan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Beta 0.4
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pavolloffay @ccaraman @bogdandrutu @flands