Support building gRPC TLS channel but CA file is not required (apache…

…#6060)
ichaozai · Dec 23, 2020 · e739ca2 · e739ca2
1 parent 8899930
commit e739ca2
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 5 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -21,6 +21,7 @@ Release Notes.
 * Fix thrift plugin collects wrong args when the method without parameter.
 * Fix DataCarrier's `org.apache.skywalking.apm.commons.datacarrier.buffer.Buffer` implementation isn't activated in `IF_POSSIBLE` mode.
 * Fix ArrayBlockingQueueBuffer's useless `IF_POSSIBLE` mode list
+* Support building gRPC TLS channel but CA file is not required.
 
 #### OAP-Backend
 * Make meter receiver support MAL.

diff --git a/...niffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java b/...niffer/apm-agent-core/src/main/java/org/apache/skywalking/apm/agent/core/conf/Config.java
@@ -124,6 +124,11 @@ public static class Agent {
          * Keep tracing even the backend is not available.
          */
         public static boolean KEEP_TRACING = false;
+
+        /**
+         * Force open TLS for gRPC channel if true.
+         */
+        public static boolean FORCE_TLS = false;
     }
 
     public static class OsInfo {

diff --git a/...ent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java b/...ent-core/src/main/java/org/apache/skywalking/apm/agent/core/remote/TLSChannelBuilder.java
@@ -26,6 +26,7 @@
 import javax.net.ssl.SSLException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackageNotFoundException;
 import org.apache.skywalking.apm.agent.core.boot.AgentPackagePath;
+import org.apache.skywalking.apm.agent.core.conf.Config;
 import org.apache.skywalking.apm.agent.core.conf.Constants;
 
 /**
@@ -38,9 +39,12 @@ public class TLSChannelBuilder implements ChannelBuilder<NettyChannelBuilder> {
     public NettyChannelBuilder build(
         NettyChannelBuilder managedChannelBuilder) throws AgentPackageNotFoundException, SSLException {
         File caFile = new File(AgentPackagePath.getPath(), CA_FILE_NAME);
-        if (caFile.exists() && caFile.isFile()) {
+        boolean isCAFileExist = caFile.exists() && caFile.isFile();
+        if (Config.Agent.FORCE_TLS || isCAFileExist) {
             SslContextBuilder builder = GrpcSslContexts.forClient();
-            builder.trustManager(caFile);
+            if (isCAFileExist) {
+                builder.trustManager(caFile);
+            }
             managedChannelBuilder = managedChannelBuilder.negotiationType(NegotiationType.TLS)
                                                          .sslContext(builder.build());
         }

diff --git a/apm-sniffer/config/agent.config b/apm-sniffer/config/agent.config
@@ -51,6 +51,10 @@ agent.service_name=${SW_AGENT_NAME:Your_ApplicationName}
 # Notice, in the current practice, we don't recommend the length over 190.
 # agent.operation_name_threshold=${SW_AGENT_OPERATION_NAME_THRESHOLD:150}
 
+# The agent use gRPC plain text in default.
+# If true, SkyWalking agent uses TLS even no CA file detected.
+# agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+
 # If true, skywalking agent will enable profile when user create a new profile task. Otherwise disable profile.
 # profile.active=${SW_AGENT_PROFILE_ACTIVE:true}
 

diff --git a/docs/en/setup/service-agent/java-agent/README.md b/docs/en/setup/service-agent/java-agent/README.md
@@ -86,6 +86,7 @@ property key | Description | Default |
 `agent.force_reconnection_period `|Force reconnection period of grpc, based on grpc_channel_check_interval.|`1`|
 `agent.operation_name_threshold `|The operationName max length, setting this value > 190 is not recommended.|`150`|
 `agent.keep_tracing`|Keep tracing even the backend is not available if this value is `true`.|`false`|
+`agent.force_tls`|Force open TLS for gRPC channel if this value is `true`.|`false`|
 `osinfo.ipv4_list_size`| Limit the length of the ipv4 list size. |`10`|
 `collector.grpc_channel_check_interval`|grpc channel status check interval.|`30`|
 `collector.heartbeat_period`|agent heartbeat report period. Unit, second.|`30`|

diff --git a/docs/en/setup/service-agent/java-agent/TLS.md b/docs/en/setup/service-agent/java-agent/TLS.md
@@ -19,6 +19,8 @@ Only support **no mutual auth**.
 ### Agent config
 - Place `ca.crt` into `/ca` folder in agent package. Notice, `/ca` is not created in distribution, please create it by yourself.
 
-Agent open TLS automatically after the `/ca/ca.crt` file detected.
-
-o make sure can't access other ports out of region (VPC), such as firewall, proxy.
+- Agent open TLS automatically after the `/ca/ca.crt` file detected.
+- TLS with no CA mode could be activated by this setting.
+```
+agent.force_tls=${SW_AGENT_FORCE_TLS:false}
+```