TrueCloudLab/frostfs-observability
22
0
Fork 10
generated from TrueCloudLab/basic
Code Issues 4 Pull requests 1 Projects Releases Packages Wiki Activity Actions

[#13] support tls over grpc for otlp_grpc exporter type #14

Merged
AlekseySVTN merged 1 commit from AlekseySVTN/frostfs-observability:support-tls-over-grpc-for-otlp-grpc-exporter-type into master 2024-09-09 12:12:33 +00:00
Conversation 3 Commits 1 Files changed 8 +203 -2
AlekseySVTN commented 2024-09-04 11:43:54 +00:00
Member
Copy link

Signed-off-by: Aleksey Savaitan a.savaitan@yadro.com

Signed-off-by: Aleksey Savaitan <a.savaitan@yadro.com>
AlekseySVTN added 1 commit 2024-09-04 11:43:57 +00:00
[#13] support tls over grpc for otlp_grpc exporter type
All checks were successful
DCO action / DCO (pull_request) Successful in 45s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 1m38s
Details
Tests and linters / Tests (1.22) (pull_request) Successful in 1m38s
Details
Tests and linters / Tests with -race (pull_request) Successful in 1m42s
Details
Tests and linters / Staticcheck (pull_request) Successful in 1m50s
Details
Tests and linters / Lint (pull_request) Successful in 2m0s
Details
db6cf1ea16 
Signed-off-by: Aleksey Savaitan <a.savaitan@yadro.com>
AlekseySVTN reviewed 2024-09-04 11:46:01 +00:00
tracing/setup_test.go Outdated
@ -0,0 +1,121 @@
package tracing_test
AlekseySVTN commented 2024-09-04 11:46:01 +00:00
Author
Member
Copy link

It can be only "tracing" (not tracing_test) package test, if so it can test only unexported "getExporter" function.
Please note me, if it seems to be better.

It can be only "tracing" (not tracing_test) package test, if so it can test only unexported "getExporter" function. Please note me, if it seems to be better.
AlekseySVTN reviewed 2024-09-04 11:47:51 +00:00
testdata/testdata.go Outdated
@ -0,0 +1,25 @@
package testdata
AlekseySVTN commented 2024-09-04 11:47:51 +00:00
Author
Member
Copy link

It is just helper file, it is not very necessary, but helpful.

It is just helper file, it is not very necessary, but helpful.
fyrchik marked this conversation as resolved
fyrchik requested changes 2024-09-05 12:27:47 +00:00
Dismissed
tracing/setup.go Outdated
@ -138,1 +143,3 @@
return otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), otlptracegrpc.WithInsecure())
securityOption := otlptracegrpc.WithInsecure()
if cfg.ServerCaCertPath != "" {
ca, err := os.ReadFile(cfg.ServerCaCertPath)
fyrchik commented 2024-09-05 12:24:18 +00:00
Owner
Copy link

I'd prefer all file reading to be done outside this library, Config should accept raw certificate instead of filepath.

I'd prefer all file reading to be done outside this library, `Config` should accept raw certificate instead of filepath.
👍 1
fyrchik commented 2024-09-05 12:24:41 +00:00
Owner
Copy link

Maybe even accept certpool.

Maybe even accept certpool.
fyrchik commented 2024-09-05 12:31:44 +00:00
Owner
Copy link

Also, this will make hasChange more correct.
Even if the path hasn't change, the certificate under it could.
With certpool we have Equals method.

Also, this will make `hasChange` more correct. Even if the path hasn't change, the certificate under it _could_. With certpool we have `Equals` method.
fyrchik marked this conversation as resolved
fyrchik requested review from storage-core-committers 2024-09-05 12:37:29 +00:00
fyrchik requested review from storage-core-developers 2024-09-05 12:37:30 +00:00
fyrchik requested review from storage-services-developers 2024-09-05 12:37:31 +00:00
fyrchik requested review from storage-services-committers 2024-09-05 12:37:31 +00:00
fyrchik commented 2024-09-05 12:39:44 +00:00
Owner
Copy link

I am OK with the naming from this PR.
On the other hand, we could introduce otlp_grpc/tls or otlp_grpc/mtls or otlp_grpc as the exporter type. Makes code a bit more complicated, though.
WDYT? @dstepanov-yadro @alexvanin

I am OK with the naming from this PR. On the other hand, we could introduce `otlp_grpc/tls` or `otlp_grpc/mtls` or `otlp_grpc` as the exporter type. Makes code a bit more complicated, though. WDYT? @dstepanov-yadro @alexvanin
dstepanov-yadro commented 2024-09-05 15:47:41 +00:00
Member
Copy link

I am OK with the naming from this PR.
On the other hand, we could introduce otlp_grpc/tls or otlp_grpc/mtls or otlp_grpc as the exporter type. Makes code a bit more complicated, though.
WDYT? @dstepanov-yadro @alexvanin

Now we use only otlp_grpc exporter. Jaeger supports also others: https://www.jaegertracing.io/docs/1.60/apis/

So I think it is more convenient to not to store mtls, tls as exporter type.

> I am OK with the naming from this PR. > On the other hand, we could introduce `otlp_grpc/tls` or `otlp_grpc/mtls` or `otlp_grpc` as the exporter type. Makes code a bit more complicated, though. > WDYT? @dstepanov-yadro @alexvanin Now we use only `otlp_grpc` exporter. Jaeger supports also others: https://www.jaegertracing.io/docs/1.60/apis/ So I think it is more convenient to not to store `mtls`, `tls` as exporter type.
AlekseySVTN force-pushed support-tls-over-grpc-for-otlp-grpc-exporter-type from db6cf1ea16 to cb173523f4 2024-09-09 10:02:55 +00:00 Compare
AlekseySVTN force-pushed support-tls-over-grpc-for-otlp-grpc-exporter-type from cb173523f4 to c0c5a9b81d 2024-09-09 10:05:17 +00:00 Compare
AlekseySVTN commented 2024-09-09 10:07:28 +00:00
Author
Member
Copy link

@fyrchik @dstepanov-yadro @alexvanin
I have applied some suggestions. Please, check it again.

@fyrchik @dstepanov-yadro @alexvanin I have applied some suggestions. Please, check it again.
fyrchik requested changes 2024-09-09 10:41:10 +00:00
Dismissed
testdata/testdata.go Outdated
@ -0,0 +16,4 @@
// Path returns the absolute path the given relative file or directory path,
// relative to the frostfs-observability/testdata directory in the user's GOPATH.
// If rel is already absolute, it is returned unmodified.
func Path(rel string) string {
fyrchik commented 2024-09-09 10:40:26 +00:00
Owner
Copy link

Why not just use relative path? You provide it to ReadFile, we should have no problems here.
This file seems redundant.

Why not just use relative path? You provide it to `ReadFile`, we should have no problems here. This file seems redundant.
AlekseySVTN commented 2024-09-09 11:39:38 +00:00
Author
Member
Copy link

Fixed.

Fixed.
fyrchik marked this conversation as resolved
tracing/config.go Outdated
@ -64,6 +69,10 @@ func (c *Config) hasChange(other *Config) bool {
return !c.serviceInfoEqual(other)
}
if other.Exporter == OTLPgRPCExporter && !c.ServerCaCertPool.Equal(other.ServerCaCertPool) {
fyrchik commented 2024-09-09 10:36:39 +00:00
Owner
Copy link

Does Equal check for nil?

Does `Equal` check for `nil`?
AlekseySVTN commented 2024-09-09 11:40:24 +00:00
Author
Member
Copy link

Yes.
image

Yes. ![image](/attachments/d4a57498-bead-4641-a43f-26a5a10f7209)
image.png
29 KiB
👍 1
fyrchik marked this conversation as resolved
tracing/setup.go Outdated
@ -18,2 +19,4 @@
"google.golang.org/grpc/credentials"
)
var ErrEmptyServerRootCaPool = fmt.Errorf("empty server root ca cert pool")
fyrchik commented 2024-09-09 10:37:14 +00:00
Owner
Copy link

Please, add some doc comment to public identifier and use errors.New if there are no % directives.

Please, add some doc comment to public identifier and use `errors.New` if there are no `%` directives.
AlekseySVTN commented 2024-09-09 11:43:35 +00:00
Author
Member
Copy link

Fixed.

Fixed.
fyrchik marked this conversation as resolved
tracing/setup.go Outdated
@ -138,1 +142,3 @@
return otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), otlptracegrpc.WithInsecure())
securityOption := otlptracegrpc.WithInsecure()
if cfg.ServerCaCertPool != nil {
if cfg.ServerCaCertPool.Equal(x509.NewCertPool()) {
fyrchik commented 2024-09-09 10:39:49 +00:00
Owner
Copy link

Why do we have this specific check here, what will happen without it?

Why do we have this specific check here, what will happen without it?
AlekseySVTN commented 2024-09-09 11:52:42 +00:00
Author
Member
Copy link

NewCertPool returns a new, empty CertPool.

When we would like to fill CertPoll we can write:

ok := roots.AppendCertsFromPEM(ca)
ok - can be false, it means that our certPool still has not any certificates inside.
__

So, here we check that our serverCaCertPool is not empty by comparing our cert pool with empty cert pool.
I have not found any other options to do this. But may be you can give me another variants.

Why we shoud check this? Bassicaly - I do not know, what can happend, but it looks like not very good idea to pass empty certPool for grpc connection.

NewCertPool returns a new, empty CertPool. When we would like to fill CertPoll we can write: ok := roots.AppendCertsFromPEM(ca) ok - can be false, it means that our certPool still has not any certificates inside. __ So, here we check that our serverCaCertPool is not empty by comparing our cert pool with empty cert pool. I have not found any other options to do this. But may be you can give me another variants. Why we shoud check this? Bassicaly - I do not know, what can happend, but it looks like not very good idea to pass empty certPool for grpc connection.
fyrchik commented 2024-09-09 11:54:44 +00:00
Owner
Copy link

not very good idea to pass empty certPool for grpc connection.

Yes. My point was that probably we already get an error from some other place, so this line seem redundant.
I don't know, really, see no problem with leaving it as it is.

>not very good idea to pass empty certPool for grpc connection. Yes. My point was that probably we already get an error from some other place, so this line seem redundant. I don't know, really, see no problem with leaving it as it is.
AlekseySVTN commented 2024-09-09 12:02:45 +00:00
Author
Member
Copy link

I have one knowledge, that:

otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), securityOption)

didn't provide an error with an empty certificate pool.
It's possible that we might get an error in the following parts of the code, but it seems unlikely. It seems that this is normal behavior (like insecure connection) for dealing with an empty certificate pool.

So, I can check it more dive, if it seems for you like good idea.

I have one knowledge, that: ``` otlptracegrpc.New(ctx, otlptracegrpc.WithEndpoint(cfg.Endpoint), securityOption) ``` didn't provide an error with an empty certificate pool. It's possible that we might get an error in the following parts of the code, but it seems unlikely. It seems that this is normal behavior (like insecure connection) for dealing with an empty certificate pool. So, I can check it more dive, if it seems for you like good idea.
fyrchik commented 2024-09-09 12:08:45 +00:00
Owner
Copy link

Seems not worth the effort, the proposed solution looks ok.

Seems not worth the effort, the proposed solution looks ok.
👍 1
fyrchik marked this conversation as resolved
AlekseySVTN force-pushed support-tls-over-grpc-for-otlp-grpc-exporter-type from c0c5a9b81d to 666d326cc5 2024-09-09 11:43:25 +00:00 Compare
fyrchik approved these changes 2024-09-09 11:55:45 +00:00
AlekseySVTN merged commit 666d326cc5 into master 2024-09-09 12:12:33 +00:00
AlekseySVTN deleted branch support-tls-over-grpc-for-otlp-grpc-exporter-type 2024-09-09 12:12:34 +00:00
acid-ant approved these changes 2024-09-09 12:13:12 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
fyrchik
acid-ant
TrueCloudLab/storage-core-developers
TrueCloudLab/storage-services-developers
TrueCloudLab/storage-services-committers
Labels
Clear labels
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-observability#14
No description provided.
Delete branch "AlekseySVTN/frostfs-observability:support-tls-over-grpc-for-otlp-grpc-exporter-type"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?