Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS support for HTTP API of Query server #2337

Merged
merged 39 commits into from
Jan 19, 2021
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
92d363c
Added TLS for HTTP (consumer-query) server
rjs211 Jul 9, 2020
3bf0746
Add testcase of error in TLS HTTP server creation
rjs211 Jul 9, 2020
abe4ff5
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 9, 2020
050fb62
Minor refactoring of properties and vars
rjs211 Jul 9, 2020
d02d85f
Exposing flags for HTTP and GRPC with TLS config
rjs211 Jul 9, 2020
e135064
minor refactoring of comments
rjs211 Jul 11, 2020
657e0b4
Changed TLS server to use tlsCfg instead of injection
rjs211 Jul 11, 2020
0f67d15
Create test for HTTP server with TLS and MTLS
rjs211 Jul 11, 2020
73867a5
Removing checks to avoid race condition
rjs211 Jul 11, 2020
3e000a7
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 13, 2020
a763d9e
Adding testdata of certificates and keys of CA, server & client
rjs211 Jul 14, 2020
024b179
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 14, 2020
0a88eb5
Changing the names of keys and certificates
rjs211 Jul 14, 2020
691ffea
Coverage increase and cleanup
rjs211 Jul 15, 2020
2278e6e
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 15, 2020
5cdf944
removing redundant certif/keys set and using previously available set
rjs211 Jul 15, 2020
cca70e9
Added helper function to serve HTTP server
rjs211 Jul 15, 2020
fea7e14
Modify cmux and tests for secure HTTP and GRPC
rjs211 Jul 16, 2020
4cb348e
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 17, 2020
31b31e7
Fixing testscases for safe re-use
rjs211 Jul 17, 2020
9c8cfdf
Merge branch 'master' of github.com:jaegertracing/jaeger into dev-add…
rjs211 Jul 17, 2020
affb566
Use common certificate flags for GRPC and HTTP
rjs211 Jul 17, 2020
5def2de
Use common certificate flags for GRPC and HTTP
rjs211 Jul 17, 2020
1d8133e
tempCommit
rjs211 Jul 18, 2020
3c0b23c
Using same tlsCfg structure for server
rjs211 Jul 18, 2020
7d9e18f
Removing reduntant code, added comments, using correct port for testing
rjs211 Jul 30, 2020
17bd199
Using separate ports in case of TLS
rjs211 Sep 11, 2020
e45614f
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Sep 11, 2020
0ceb4e5
modified test-cases for dedicated ports with TLS
rjs211 Sep 11, 2020
0119c1e
remove redundant test, created error var
rjs211 Sep 14, 2020
da5d790
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Sep 14, 2020
601c269
remove redundant test, created error var
rjs211 Sep 14, 2020
186184f
Split long conditional
rjs211 Oct 15, 2020
a964218
Merge branch 'master' into dev-addTLS-rjs211
rjs211 Oct 22, 2020
f4eb8f6
Merge branch 'master' of https://github.com/jaegertracing/jaeger into…
rjs211 Nov 10, 2020
f0ac83e
removed code repitition, added comment
rjs211 Nov 10, 2020
c53af21
added table-based tests for QueryOptions port allocation
rjs211 Nov 10, 2020
d3edb98
Merge branch 'dev-addTLS-rjs211' of https://github.com/rjs211/jaeger …
rjs211 Nov 10, 2020
1bee20f
Merge branch 'master' into dev-addTLS-rjs211
rjs211 Jan 7, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions cmd/query/app/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,12 +48,18 @@ const (
queryMaxClockSkewAdjust = "query.max-clock-skew-adjustment"
)

var tlsFlagsConfig = tlscfg.ServerFlagsConfig{
var tlsGrpcFlagsConfig = tlscfg.ServerFlagsConfig{
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
Prefix: "query.grpc",
ShowEnabled: true,
ShowClientCA: true,
}

var tlsHttpFlagsConfig = tlscfg.ServerFlagsConfig{
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
Prefix: "query.http",
ShowEnabled: true,
ShowClientCA: true,
}

// QueryOptions holds configuration for query service
type QueryOptions struct {
// HostPort is the host:port address that the query service listens o n
Expand All @@ -66,8 +72,10 @@ type QueryOptions struct {
UIConfig string
// BearerTokenPropagation activate/deactivate bearer token propagation to storage
BearerTokenPropagation bool
// TLS configures secure transport
TLS tlscfg.Options
// TLS configures secure transport (Consumer to Query service gRPC APO)
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
TLSGrpc tlscfg.Options
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
// TLS configures secure transport (Consumer to Query service HTTP API)
TLSHttp tlscfg.Options
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
// AdditionalHeaders
AdditionalHeaders http.Header
// MaxClockSkewAdjust is the maximum duration by which jaeger-query will adjust a span
Expand All @@ -93,7 +101,8 @@ func (qOpts *QueryOptions) InitFromViper(v *viper.Viper, logger *zap.Logger) *Qu
qOpts.StaticAssets = v.GetString(queryStaticFiles)
qOpts.UIConfig = v.GetString(queryUIConfig)
qOpts.BearerTokenPropagation = v.GetBool(queryTokenPropagation)
qOpts.TLS = tlsFlagsConfig.InitFromViper(v)
qOpts.TLSGrpc = tlsGrpcFlagsConfig.InitFromViper(v)
qOpts.TLSGrpc = tlsHttpFlagsConfig.InitFromViper(v)
qOpts.MaxClockSkewAdjust = v.GetDuration(queryMaxClockSkewAdjust)

stringSlice := v.GetStringSlice(queryAdditionalHeaders)
Expand Down
34 changes: 28 additions & 6 deletions cmd/query/app/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package app
import (
"net"
"net/http"
"path/filepath"
"strings"

"github.com/gorilla/handlers"
Expand Down Expand Up @@ -54,13 +55,18 @@ func NewServer(logger *zap.Logger, querySvc *querysvc.QueryService, options *Que
return nil, err
}

httpServer, err := createHTTPServer(querySvc, options, tracer, logger)
if err != nil {
return nil, err
}

return &Server{
logger: logger,
querySvc: querySvc,
queryOptions: options,
tracer: tracer,
grpcServer: grpcServer,
httpServer: createHTTPServer(querySvc, options, tracer, logger),
httpServer: httpServer,
unavailableChannel: make(chan healthcheck.Status),
}, nil
}
Expand All @@ -73,8 +79,8 @@ func (s Server) HealthCheckStatus() chan healthcheck.Status {
func createGRPCServer(querySvc *querysvc.QueryService, options *QueryOptions, logger *zap.Logger, tracer opentracing.Tracer) (*grpc.Server, error) {
var grpcOpts []grpc.ServerOption

if options.TLS.Enabled {
tlsCfg, err := options.TLS.Config()
if options.TLSGrpc.Enabled {
tlsCfg, err := options.TLSGrpc.Config()
if err != nil {
return nil, err
}
Expand All @@ -90,11 +96,19 @@ func createGRPCServer(querySvc *querysvc.QueryService, options *QueryOptions, lo
return server, nil
}

func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions, tracer opentracing.Tracer, logger *zap.Logger) *http.Server {
func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions, tracer opentracing.Tracer, logger *zap.Logger) (*http.Server, error) {
apiHandlerOptions := []HandlerOption{
HandlerOptions.Logger(logger),
HandlerOptions.Tracer(tracer),
}

if queryOpts.TLSHttp.Enabled {
_, err := queryOpts.TLSHttp.Config() // This checks if the certificates are correctly provided
if err != nil {
return nil, err
}
}

apiHandler := NewAPIHandler(
querySvc,
apiHandlerOptions...)
Expand All @@ -114,7 +128,7 @@ func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions,
recoveryHandler := recoveryhandler.NewRecoveryHandler(logger, true)
return &http.Server{
Handler: recoveryHandler(handler),
}
}, nil
}

// Start http, GRPC and cmux servers concurrently
Expand Down Expand Up @@ -146,13 +160,21 @@ func (s *Server) Start() error {

go func() {
s.logger.Info("Starting HTTP server", zap.Int("port", tcpPort), zap.String("addr", s.queryOptions.HostPort))
var err error
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
if s.queryOptions.TLSHttp.Enabled {
err = s.httpServer.ServeTLS(httpListener, filepath.Clean(s.queryOptions.TLSHttp.CertPath), filepath.Clean(s.queryOptions.TLSHttp.KeyPath))

switch err := s.httpServer.Serve(httpListener); err {
} else {
err = s.httpServer.Serve(httpListener)
}

switch err {
case nil, http.ErrServerClosed, cmux.ErrListenerClosed:
// normal exit, nothing to do
default:
s.logger.Error("Could not start HTTP server", zap.Error(err))
}

s.unavailableChannel <- healthcheck.Unavailable
}()

Expand Down
17 changes: 15 additions & 2 deletions cmd/query/app/server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ func TestServerError(t *testing.T) {
assert.Error(t, srv.Start())
}

func TestCreateTLSServerError(t *testing.T) {
func TestCreateTLSGrpcServerError(t *testing.T) {
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
tlsCfg := tlscfg.Options{
Enabled: true,
CertPath: "invalid/path",
Expand All @@ -53,7 +53,20 @@ func TestCreateTLSServerError(t *testing.T) {
}

_, err := NewServer(zap.NewNop(), &querysvc.QueryService{},
&QueryOptions{TLS: tlsCfg}, opentracing.NoopTracer{})
&QueryOptions{TLSGrpc: tlsCfg}, opentracing.NoopTracer{})
assert.NotNil(t, err)
}

func TestCreateTLSHttpServerError(t *testing.T) {
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
tlsCfg := tlscfg.Options{
Enabled: true,
CertPath: "invalid/path",
KeyPath: "invalid/path",
ClientCAPath: "invalid/path",
}

_, err := NewServer(zap.NewNop(), &querysvc.QueryService{},
rjs211 marked this conversation as resolved.
Show resolved Hide resolved
&QueryOptions{TLSHttp: tlsCfg}, opentracing.NoopTracer{})
assert.NotNil(t, err)
}

Expand Down