Support building gRPC TLS channel but CA file is not required (#6060)

e739ca22 · Neal Huang · GitHub · 88999300 · e739ca22 · e739ca22
6 changed file
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -21,6 +21,7 @@ Release Notes.
 * Fix thrift plugin collects wrong args when the method without parameter.
 * Fix DataCarrier's `org.apache.skywalking.apm.commons.datacarrier.buffer.Buffer` implementation isn't activated in `IF_POSSIBLE` mode.
 * Fix ArrayBlockingQueueBuffer's useless `IF_POSSIBLE` mode list
+* Support building gRPC TLS channel but CA file is not required.

 #### OAP-Backend
 * Make meter receiver support MAL.

--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
@@ -124,6 +124,11 @@ public class Config {
         * Keep tracing even the backend is not available.
         */
        public static boolean KEEP_TRACING = false;
+
+        /**
+         * Force open TLS for gRPC channel if true.
+         */
+        public static boolean FORCE_TLS = false;
    }

    public static class OsInfo {

--- a/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
+++ b/apm-sniffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
@@ -26,6 +26,7 @@ import java.io.File;
 import javax.net.ssl.SSLException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
+import org.apache.skywalking.apm.agent.core.conf.Config;
 import org.apache.skywalking.apm.agent.core.conf.Constants;

 /**
@@ -38,9 +39,12 @@ public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
    public NettyChannelBuilder build(
        NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
        File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
-        if (caFile.exists() && caFile.isFile()) {
+        boolean isCAFileExist = caFile.exists() && caFile.isFile();
+        if (Config.Agent.FORCE_TLS || isCAFileExist) {
            SslContextBuilder builder = GrpcSslContexts.forClient();
-            builder.trustManager(caFile);
+            if (isCAFileExist) {
+                builder.trustManager(caFile);
+            }
            managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
                                                         .sslContext(builder.build());
        }

--- a/apm-sniffer/config/agent.config
+++ b/apm-sniffer/config/agent.config
@@ -51,6 +51,10 @@ agent.service_name=${SW_AGENT_NAME:Your_ApplicationName}
 # Notice, in the current practice, we don't recommend the length over 190.
 # agent.operation_name_threshold=${SW_AGENT_OPERATION_NAME_THRESHOLD:150}

+# The agent use gRPC plain text in default.
+# If true, SkyWalking agent uses TLS even no CA file detected.
+# agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+
 # If true, skywalking agent will enable profile when user create a new profile task. Otherwise disable profile.
 # profile.active=${SW_AGENT_PROFILE_ACTIVE:true}


--- a/docs/en/setup/service-agent/java-agent/README.md
+++ b/docs/en/setup/service-agent/java-agent/README.md
@@ -86,6 +86,7 @@ property key | Description | Default |
 `agent.force_reconnection_period `|Force reconnection period of grpc, based on grpc_channel_check_interval.|`1`|
 `agent.operation_name_threshold `|The operationName max length, setting this value > 190 is not recommended.|`150`|
 `agent.keep_tracing`|Keep tracing even the backend is not available if this value is `true`.|`false`|
+`agent.force_tls`|Force open TLS for gRPC channel if this value is `true`.|`false`|
 `osinfo.ipv4_list_size`| Limit the length of the ipv4 list size. |`10`|
 `collector.grpc_channel_check_interval`|grpc channel status check interval.|`30`|
 `collector.heartbeat_period`|agent heartbeat report period. Unit, second.|`30`|

--- a/docs/en/setup/service-agent/java-agent/TLS.md
+++ b/docs/en/setup/service-agent/java-agent/TLS.md
@@ -19,6 +19,8 @@ Only support **no mutual auth**.
 ### Agent config
 - Place `ca.crt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.

-Agent open TLS automatically after the `/ca/ca.crt` file detected.
-
-o make sure can't access other ports out of region (VPC), such as firewall, proxy.
\ No newline at end of file
+- Agent open TLS automatically after the `/ca/ca.crt` file detected.
+- TLS with no CA mode could be activated by this setting.
+```
+agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+```