generated from TrueCloudLab/basic
[#13] support tls over grpc for otlp_grpc exporter type
All checks were successful
DCO action / DCO (pull_request) Successful in 24s
Tests and linters / Tests (pull_request) Successful in 51s
Tests and linters / Tests with -race (pull_request) Successful in 1m3s
Tests and linters / Staticcheck (pull_request) Successful in 1m15s
Tests and linters / Lint (pull_request) Successful in 1m44s
All checks were successful
DCO action / DCO (pull_request) Successful in 24s
Tests and linters / Tests (pull_request) Successful in 51s
Tests and linters / Tests with -race (pull_request) Successful in 1m3s
Tests and linters / Staticcheck (pull_request) Successful in 1m15s
Tests and linters / Lint (pull_request) Successful in 1m44s
Signed-off-by: Aleksey Savaitan <a.savaitan@yadro.com>
This commit is contained in:
parent
6dd265d949
commit
666d326cc5
8 changed files with 203 additions and 2 deletions
0
testdata/tracing/invalid_empty_root_ca.pem
vendored
Normal file
0
testdata/tracing/invalid_empty_root_ca.pem
vendored
Normal file
1
testdata/tracing/invalid_root_ca.pem
vendored
Normal file
1
testdata/tracing/invalid_root_ca.pem
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
invalid content
|
12
testdata/tracing/valid_google_globalsign_r4_rsa_root_ca.pem
vendored
Normal file
12
testdata/tracing/valid_google_globalsign_r4_rsa_root_ca.pem
vendored
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIB3DCCAYOgAwIBAgINAgPlfvU/k/2lCSGypjAKBggqhkjOPQQDAjBQMSQwIgYD
|
||||
VQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2Jh
|
||||
bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTIxMTEzMDAwMDAwWhcNMzgw
|
||||
MTE5MDMxNDA3WjBQMSQwIgYDVQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0g
|
||||
UjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wWTAT
|
||||
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4xnnTj2wlDp8uORkcA6SumuU5BwkWymOx
|
||||
uYb4ilfBV85C+nOh92VC/x7BALJucw7/xyHlGKSq2XE/qNS5zowdo0IwQDAOBgNV
|
||||
HQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVLB7rUW44kB/
|
||||
+wpu+74zyTyjhNUwCgYIKoZIzj0EAwIDRwAwRAIgIk90crlgr/HmnKAWBVBfw147
|
||||
bmF0774BxL4YSFlhgjICICadVGNA3jdgUM/I2O2dgq43mLyjj0xMqTQrbO/7lZsm
|
||||
-----END CERTIFICATE-----
|
13
testdata/tracing/valid_google_gts_r4_ecdsa_root_ca.pem
vendored
Normal file
13
testdata/tracing/valid_google_gts_r4_ecdsa_root_ca.pem
vendored
Normal file
|
@ -0,0 +1,13 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
|
||||
VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
|
||||
A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
|
||||
WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
|
||||
IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
|
||||
AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
|
||||
QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
|
||||
HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
|
||||
BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
|
||||
9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
|
||||
p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
|
||||
-----END CERTIFICATE-----
|
|
@ -1,6 +1,9 @@
|
|||
package tracing
|
||||
|
||||
import "fmt"
|
||||
import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// Exporter is type of tracing target.
|
||||
type Exporter string
|
||||
|
@ -18,6 +21,8 @@ type Config struct {
|
|||
Exporter Exporter
|
||||
// Endpoint is collector endpoint for OTLP exporters.
|
||||
Endpoint string
|
||||
// ServerCaCertPool is cert pool of the remote server CA certificate. Use for TLS setup.
|
||||
ServerCaCertPool *x509.CertPool
|
||||
|
||||
// Service is service name that will be used in tracing.
|
||||
// Mandatory.
|
||||
|
@ -64,6 +69,10 @@ func (c *Config) hasChange(other *Config) bool {
|
|||
return !c.serviceInfoEqual(other)
|
||||
}
|
||||
|
||||
if other.Exporter == OTLPgRPCExporter && !c.ServerCaCertPool.Equal(other.ServerCaCertPool) {
|
||||
return true
|
||||
}
|
||||
|
||||
return c.Exporter != other.Exporter ||
|
||||
c.Endpoint != other.Endpoint ||
|
||||
!c.serviceInfoEqual(other)
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
package tracing
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestConfig_validate(t *testing.T) {
|
||||
|
@ -232,6 +236,28 @@ func TestConfig_hasChange(t *testing.T) {
|
|||
Version: "v1.0.0",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "use tls root ca certificate for grpc",
|
||||
want: true,
|
||||
config: Config{
|
||||
Enabled: true,
|
||||
Exporter: OTLPgRPCExporter,
|
||||
Endpoint: "localhost:4717",
|
||||
Service: "test",
|
||||
InstanceID: "s01",
|
||||
Version: "v1.0.0",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/valid_google_globalsign_r4_rsa_root_ca.pem"),
|
||||
},
|
||||
other: Config{
|
||||
Enabled: true,
|
||||
Exporter: OTLPgRPCExporter,
|
||||
Endpoint: "localhost:4717",
|
||||
Service: "test",
|
||||
InstanceID: "s01",
|
||||
Version: "v1.0.0",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/valid_google_gts_r4_ecdsa_root_ca.pem"),
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|
@ -241,3 +267,12 @@ func TestConfig_hasChange(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func readCertPoolByPath(t *testing.T, path string) *x509.CertPool {
|
||||
ca, err := os.ReadFile(path)
|
||||
require.NoError(t, err)
|
||||
roots := x509.NewCertPool()
|
||||
ok := roots.AppendCertsFromPEM(ca)
|
||||
require.True(t, ok)
|
||||
return roots
|
||||
}
|
||||
|
|
|
@ -2,6 +2,8 @@ package tracing
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"fmt"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
|
@ -15,8 +17,12 @@ import (
|
|||
semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
"go.opentelemetry.io/otel/trace/noop"
|
||||
"google.golang.org/grpc/credentials"
|
||||
)
|
||||
|
||||
// ErrEmptyServerRootCaPool indicates that cert pool is empty and does not have any certificates inside.
|
||||
var ErrEmptyServerRootCaPool = errors.New("empty server root ca cert pool")
|
||||
|
||||
var (
|
||||
// tracingLock protects provider, done, config and tracer from concurrent update.
|
||||
// These fields change when the config is updated or the application is shutdown.
|
||||
|
@ -135,7 +141,14 @@ func getExporter(ctx context.Context, cfg *Config) (sdktrace.SpanExporter, error
|
|||
case NoOpExporter:
|
||||
return tracetest.NewNoopExporter(), nil
|
||||
case OTLPgRPCExporter:
|
||||
return otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), otlptracegrpc.WithInsecure())
|
||||
securityOption := otlptracegrpc.WithInsecure()
|
||||
if cfg.ServerCaCertPool != nil {
|
||||
if cfg.ServerCaCertPool.Equal(x509.NewCertPool()) {
|
||||
return nil, fmt.Errorf("failed to setup tracing: %w", ErrEmptyServerRootCaPool)
|
||||
}
|
||||
securityOption = otlptracegrpc.WithTLSCredentials(credentials.NewClientTLSFromCert(cfg.ServerCaCertPool, ""))
|
||||
}
|
||||
return otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), securityOption)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
118
tracing/setup_test.go
Normal file
118
tracing/setup_test.go
Normal file
|
@ -0,0 +1,118 @@
|
|||
package tracing_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestSetup(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
config tracing.Config
|
||||
want bool
|
||||
expErr error
|
||||
}{
|
||||
{
|
||||
name: "setup stdout exporter",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.StdoutExporter,
|
||||
Service: "service-name",
|
||||
},
|
||||
want: true,
|
||||
expErr: nil,
|
||||
},
|
||||
{
|
||||
name: "setup noop exporter",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.NoOpExporter,
|
||||
Service: "service-name",
|
||||
},
|
||||
|
||||
want: true,
|
||||
expErr: nil,
|
||||
},
|
||||
{
|
||||
name: "setup otlp_grpc insecure exporter",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.OTLPgRPCExporter,
|
||||
Service: "service-name",
|
||||
Endpoint: "test-endpoint.com:4317",
|
||||
},
|
||||
want: true,
|
||||
expErr: nil,
|
||||
},
|
||||
{
|
||||
name: "setup otlp_grpc secure exporter with valid rsa root ca certificate",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.OTLPgRPCExporter,
|
||||
Service: "service-name",
|
||||
Endpoint: "test-endpoint.com:4317",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/valid_google_globalsign_r4_rsa_root_ca.pem"),
|
||||
},
|
||||
want: true,
|
||||
expErr: nil,
|
||||
},
|
||||
{
|
||||
name: "setup otlp_grpc secure exporter with valid ecdsa root ca certificate",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.OTLPgRPCExporter,
|
||||
Service: "service-name",
|
||||
Endpoint: "test-endpoint.com:4317",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/valid_google_gts_r4_ecdsa_root_ca.pem"),
|
||||
},
|
||||
want: true,
|
||||
expErr: nil,
|
||||
},
|
||||
{
|
||||
name: "setup otlp_grpc secure exporter with invalid root ca certificate",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.OTLPgRPCExporter,
|
||||
Service: "service-name",
|
||||
Endpoint: "test-endpoint.com:4317",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/invalid_root_ca.pem"),
|
||||
},
|
||||
want: false,
|
||||
expErr: tracing.ErrEmptyServerRootCaPool,
|
||||
},
|
||||
{
|
||||
name: "setup otlp_grpc secure exporter with empty root ca certificate",
|
||||
config: tracing.Config{
|
||||
Enabled: true,
|
||||
Exporter: tracing.OTLPgRPCExporter,
|
||||
Service: "service-name",
|
||||
Endpoint: "test-endpoint.com:4317",
|
||||
ServerCaCertPool: readCertPoolByPath(t, "../testdata/tracing/invalid_empty_root_ca.pem"),
|
||||
},
|
||||
want: false,
|
||||
expErr: tracing.ErrEmptyServerRootCaPool,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := tracing.Setup(context.Background(), tt.config)
|
||||
require.ErrorIs(t, err, tt.expErr)
|
||||
if got != tt.want {
|
||||
t.Errorf("Setup config = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func readCertPoolByPath(t *testing.T, path string) *x509.CertPool {
|
||||
ca, err := os.ReadFile(path)
|
||||
require.NoError(t, err)
|
||||
roots := x509.NewCertPool()
|
||||
_ = roots.AppendCertsFromPEM(ca)
|
||||
return roots
|
||||
}
|
Loading…
Reference in a new issue