only insecure gRPC connection from agent to collector possible #1310

Closed
ghouscht opened this issue Feb 1, 2019 · 3 comments

ghouscht commented Feb 1, 2019

Requirement - what kind of business use case are you trying to solve?

related to: #458

In our environment Jaeger is deployed in k8s behind an nginx-ingress. The nginx-ingress only supports HTTP-based traffic (except when using TCP port mappings, which comes with some caveats...). That's why we set up the agents (some running outside of k8s) to connect to the collector by gRPC over our nginx-ingress. This works as desired as long as we don't use an encrypted (SSL/TLS) connection. Unfortunately for my company this is not an option for production use, as we require a secured connection.

Problem - what in Jaeger blocks you from solving the requirement?

Currently the agent does not support gRPC with TLS as the grpc.Dial method is called with the option WithInsecure() (see collector_proxy.go#L55/collector_proxy.go#L52). Because of this, we're currently not able to use Jaeger in production.

Proposal - what do you suggest to solve the problem or improve the existing situation?

Make it possible to choose whether the agent connects over an insecure or secure connection.

I patched the agent myself to test if the agent would work in our setup:
error handling and surrounding code omitted, implemented in the NewCollectorProxy method in collector_proxy.go

```go
// Trust the host's system CA pool when verifying the collector's certificate.
pool, _ := x509.SystemCertPool()
// No server name override: the certificate is checked against the dial target's authority.
creds := credentials.NewClientTLSFromCert(pool, "")
conn, _ = grpc.Dial(r.Scheme()+":///round_robin", grpc.WithBalancerName(roundrobin.Name), grpc.WithTransportCredentials(creds))
```

With this small change I was able to get a connection to the collector over TLS.

Any open questions to address

  • Agent: Implement a flag to enable/disable insecure/secure connection
  • Agent: Flag to pass a public key file to use? Or simply use the system trusts as in my example?
  • Collector: TLS implementation for people who don't use edge termination to set up a secured connection

At first I can implement this in the agent if there is interest in it. But probably it would also be good to natively support TLS on the server side (collector) for people who don't use edge termination but want to secure the communication (also happy to help out here if desired).

ghouscht changed the title from "only insecure gRPC connetion from agent to collector possible" to "only insecure gRPC connection from agent to collector possible" on Feb 1, 2019

yurishkuro (Member) commented

PRs would be welcome; TLS was always on the roadmap with grpc work, but we haven't gotten to it yet.

See how for Cassandra and Elasticsearch we provide configuration to point to cert files directly. I feel it's better to start with that than to use system trusts, for consistency.
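
The two trust sources weighed in this thread (the system trust store versus a configured CA file), as an added example that is not part of the issue or of Jaeger's code: it builds the `tls.Config` that `credentials.NewTLS` would wrap for `grpc.WithTransportCredentials`, using only the standard library. The function names, the `caPEM` parameter and the host name are assumptions, and the CA is generated inline as constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// collectorTLSConfig builds the agent's client TLS settings. caPEM is the content
// of a configured CA file (hypothetical option); empty selects the system trust store.
func collectorTLSConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			// Fail closed: never continue with an empty pool or a silent fallback.
			return nil, fmt.Errorf("CA file holds no parsable PEM certificate")
		}
	}
	return cfg, nil // RootCAs == nil makes Go verify against the host's root CA set
}

// constructedCA returns a throwaway self-signed CA as PEM (constructed sample input).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := constructedCA()
	cfg, err := collectorTLSConfig(ca, "collector.example.internal")
	fmt.Println(cfg != nil && cfg.RootCAs != nil, err) // pass credentials.NewTLS(cfg) to grpc.WithTransportCredentials
}
```

`AppendCertsFromPEM` reports failure only through its boolean result, so a mistyped or empty CA file has to be rejected explicitly at startup rather than discovered as handshake errors later.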

ghouscht (Author) commented Feb 1, 2019

Submitted a first version (#1311) of how this could look in the agent. Waiting on feedback before proceeding further.

yurishkuro (Member) commented

Fixed by #1391
