未验证 提交 e739ca22 编写于 作者: N Neal Huang 提交者: GitHub

Support building gRPC TLS channel but CA file is not required (#6060)

上级 88999300
......@@ -21,6 +21,7 @@ Release Notes.
* Fix thrift plugin collects wrong args when the method without parameter.
* Fix DataCarrier's `org.apache.skywalking.apm.commons.datacarrier.buffer.Buffer` implementation isn't activated in `IF_POSSIBLE` mode.
* Fix ArrayBlockingQueueBuffer's useless `IF_POSSIBLE` mode list
* Support building gRPC TLS channel but CA file is not required.
#### OAP-Backend
* Make meter receiver support MAL.
......
......@@ -124,6 +124,11 @@ public class Config {
* Keep tracing even the backend is not available.
*/
public static boolean KEEP_TRACING = false;
/**
* Force open TLS for gRPC channel if true.
*/
public static boolean FORCE_TLS = false;
}
public static class OsInfo {
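Review bot: The Javadoc on the new `FORCE_TLS` field does not say what the flag changes, namely that TLS is negotiated even when no CA file is found in the agent package, and "Force open TLS" reads awkwardly. I would replace it with `/** Use TLS for the gRPC channel even when no CA file is present in the agent package. */` so the contract is visible where the option is declared. The enclosing `Agent` class starts before this hunk.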
......
......@@ -26,6 +26,7 @@ import java.io.File;
import javax.net.ssl.SSLException;
import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
import org.apache.skywalking.apm.agent.core.conf.Config;
import org.apache.skywalking.apm.agent.core.conf.Constants;
/**
......@@ -38,9 +39,12 @@ public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
public NettyChannelBuilder build(
NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
if (caFile.exists() && caFile.isFile()) {
boolean isCAFileExist = caFile.exists() && caFile.isFile();
if (Config.Agent.FORCE_TLS || isCAFileExist) {
SslContextBuilder builder = GrpcSslContexts.forClient();
builder.trustManager(caFile);
if (isCAFileExist) {
builder.trustManager(caFile);
}
managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
.sslContext(builder.build());
}
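Review bot: When `Config.Agent.FORCE_TLS` is set and no CA file is found, the `SslContextBuilder` on the new lines is built without a `trustManager`, which, as far as I can tell from Netty's defaults, means the JVM default trust store is used rather than verification being skipped; that deserves a comment so "no CA mode" is not read as "no certificate check", e.g. `// No CA file: the JVM default trust store is used, so the backend certificate must chain to a system-trusted CA.` placed before the `if (isCAFileExist)` branch. `isCAFileExist` only checks existence, so a present but unreadable file still reaches `trustManager(caFile)` and fails there; adding `caFile.canRead()` to the same expression gives a clearer failure mode, although that shortcoming predates this change. Renaming the local to `caFileExists` would follow the usual Java boolean naming. `build()` continues past the end of the hunk.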
......
......@@ -51,6 +51,10 @@ agent.service_name=${SW_AGENT_NAME:Your_ApplicationName}
# Notice, in the current practice, we don't recommend the length over 190.
# agent.operation_name_threshold=${SW_AGENT_OPERATION_NAME_THRESHOLD:150}
# The agent use gRPC plain text in default.
# If true, SkyWalking agent uses TLS even no CA file detected.
# agent.force_tls=${SW_AGENT_FORCE_TLS:false}
# If true, skywalking agent will enable profile when user create a new profile task. Otherwise disable profile.
# profile.active=${SW_AGENT_PROFILE_ACTIVE:true}
......
......@@ -86,6 +86,7 @@ property key | Description | Default |
`agent.force_reconnection_period `|Force reconnection period of grpc, based on grpc_channel_check_interval.|`1`|
`agent.operation_name_threshold `|The operationName max length, setting this value > 190 is not recommended.|`150`|
`agent.keep_tracing`|Keep tracing even the backend is not available if this value is `true`.|`false`|
`agent.force_tls`|Force open TLS for gRPC channel if this value is `true`.|`false`|
`osinfo.ipv4_list_size`| Limit the length of the ipv4 list size. |`10`|
`collector.grpc_channel_check_interval`|grpc channel status check interval.|`30`|
`collector.heartbeat_period`|agent heartbeat report period. Unit, second.|`30`|
......
......@@ -19,6 +19,8 @@ Only support **no mutual auth**.
### Agent config
- Place `ca.crt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.
Agent open TLS automatically after the `/ca/ca.crt` file detected.
o make sure can't access other ports out of region (VPC), such as firewall, proxy.
\ No newline at end of file
- Agent open TLS automatically after the `/ca/ca.crt` file detected.
- TLS with no CA mode could be activated by this setting.
```
agent.force_tls=${SW_AGENT_FORCE_TLS:false}
```