This is an automated email from the ASF dual-hosted git repository.

kezhenxu94 pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/skywalking-kubernetes-event-exporter.git


The following commit(s) were added to refs/heads/main by this push:
     new 7c7e2bd  Support tls for SkyWalking client (#11)
7c7e2bd is described below

commit 7c7e2bd9bc2b341f5d4be48e23b93523bb7a8337
Author: Daming <[email protected]>
AuthorDate: Mon Sep 27 21:01:30 2021 +0800

    Support tls for SkyWalking client (#11)
---
 deployments/dev/config/config.yaml                 |  5 ++
 deployments/dev/kustomization.yaml                 |  7 +++
 deployments/release/config/config.yaml             |  5 ++
 deployments/secure/certs/.gitignore                |  1 +
 deployments/{dev => secure}/config/config.yaml     |  5 ++
 .../config/config.yaml => secure/deployment.yaml}  | 27 +++++-----
 deployments/{dev => secure}/kustomization.yaml     | 17 +++++++
 pkg/exporter/skywalking.go                         | 59 ++++++++++++++++++++--
 8 files changed, 107 insertions(+), 19 deletions(-)

diff --git a/deployments/dev/config/config.yaml 
b/deployments/dev/config/config.yaml
index 98b122c..fc121cc 100644
--- a/deployments/dev/config/config.yaml
+++ b/deployments/dev/config/config.yaml
@@ -31,3 +31,8 @@ exporters:
         endpoint: ""
       message: "{{ .Event.Message }}" # this is default, just to demonstrate 
the context
     address: "skywalking-oap.istio-system:11800"
+    enableTLS: false
+    insecureSkipVerify: true
+    trustedCertPath: "/certs/ca.crt"
+    clientCertPath: "/certs/tls.crt"
+    clientKeyPath: "/certs/tls.key"
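Review bot: `insecureSkipVerify: true` is shipped as the default in all three config templates (this hunk, deployments/release/config/config.yaml and deployments/secure/config/config.yaml), so anyone who flips `enableTLS` to true gets an encrypted but unauthenticated connection, and in the mutual-TLS branch of Init the CA loaded from `trustedCertPath` is never consulted. The secure overlay in particular generates that CA into the pod for exactly this purpose, so skipping verification there defeats it. Default the key to `insecureSkipVerify: false` in all three files and add a comment that it exists only for local testing against self-signed certificates.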
diff --git a/deployments/dev/kustomization.yaml 
b/deployments/dev/kustomization.yaml
index cbd8085..43d1c82 100644
--- a/deployments/dev/kustomization.yaml
+++ b/deployments/dev/kustomization.yaml
@@ -35,3 +35,10 @@ images:
 - name: skywalking-event-exporter
   newName: kezhenxu94/skywalking-kubernetes-event-exporter
   newTag: 58c1342
+
+patches:
+  - path: ./deployment.yaml
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
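Review bot: The new `patches` entry references `./deployment.yaml`, but this commit adds that file only under deployments/secure, so `kustomize build deployments/dev` will fail unless a deployments/dev/deployment.yaml already exists outside this diff. If the dev overlay is not meant to mount the TLS secret (its config keeps `enableTLS: false`), this block looks like it was copied from the secure overlay and should be dropped.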
diff --git a/deployments/release/config/config.yaml 
b/deployments/release/config/config.yaml
index d44ba59..0f6f8a8 100644
--- a/deployments/release/config/config.yaml
+++ b/deployments/release/config/config.yaml
@@ -31,3 +31,8 @@ exporters:
         endpoint: ""
       message: "{{ .Event.Message }}"
     address: "skywalking-oap.istio-system:11800"
+    enableTLS: false
+    insecureSkipVerify: true
+    trustedCertPath: "/certs/ca.crt"
+    clientCertPath: "/certs/tls.crt"
+    clientKeyPath: "/certs/tls.key"
\ No newline at end of file
diff --git a/deployments/secure/certs/.gitignore 
b/deployments/secure/certs/.gitignore
new file mode 100644
index 0000000..f59ec20
--- /dev/null
+++ b/deployments/secure/certs/.gitignore
@@ -0,0 +1 @@
+*
\ No newline at end of file
diff --git a/deployments/dev/config/config.yaml 
b/deployments/secure/config/config.yaml
similarity index 87%
copy from deployments/dev/config/config.yaml
copy to deployments/secure/config/config.yaml
index 98b122c..981ad91 100644
--- a/deployments/dev/config/config.yaml
+++ b/deployments/secure/config/config.yaml
@@ -31,3 +31,8 @@ exporters:
         endpoint: ""
       message: "{{ .Event.Message }}" # this is default, just to demonstrate 
the context
     address: "skywalking-oap.istio-system:11800"
+    enableTLS: true
+    insecureSkipVerify: true
+    trustedCertPath: "/certs/ca.crt"
+    clientCertPath: "/certs/tls.crt"
+    clientKeyPath: "/certs/tls.key"
diff --git a/deployments/release/config/config.yaml 
b/deployments/secure/deployment.yaml
similarity index 71%
copy from deployments/release/config/config.yaml
copy to deployments/secure/deployment.yaml
index d44ba59..33cce1a 100644
--- a/deployments/release/config/config.yaml
+++ b/deployments/secure/deployment.yaml
@@ -15,19 +15,16 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-#
-
-filters:
-  - namespace: istio-system
-    exporters:
-      - skywalking
 
-exporters:
-  skywalking:
-    template:
-      source:
-        service: "{{ .Service.Name }}"
-        serviceInstance: "{{ .Pod.Name }}"
-        endpoint: ""
-      message: "{{ .Event.Message }}"
-    address: "skywalking-oap.istio-system:11800"
+- op: add
+  path: /spec/template/spec/volumes/0
+  value:
+    name: skywalking-tls-volume
+    secret:
+      secretName: skywalking-tls
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/0
+  value:
+    name: skywalking-tls-volume
+    mountPath: /certs
+    readOnly: true
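Review bot: Both `op: add` operations use an explicit index (`/volumes/0`, `/volumeMounts/0`), which JSON patch only accepts when the parent array already exists on the base Deployment; if the base declares no `volumes` or `volumeMounts`, kustomize rejects the patch. If that is the case, add the whole array instead (`path: /spec/template/spec/volumes` with a list value) or use a strategic-merge patch, which merges either way. `readOnly: true` on the mount is the right setting for key material.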
diff --git a/deployments/dev/kustomization.yaml 
b/deployments/secure/kustomization.yaml
similarity index 78%
copy from deployments/dev/kustomization.yaml
copy to deployments/secure/kustomization.yaml
index cbd8085..bdd9c61 100644
--- a/deployments/dev/kustomization.yaml
+++ b/deployments/secure/kustomization.yaml
@@ -35,3 +35,20 @@ images:
 - name: skywalking-event-exporter
   newName: kezhenxu94/skywalking-kubernetes-event-exporter
   newTag: 58c1342
+
+secretGenerator:
+- files:
+  - ca.crt=./certs/root.crt
+  - tls.crt=./certs/skywalking.crt
+  - tls.key=./certs/skywalking.key
+  name: skywalking-tls
+  options:
+    disableNameSuffixHash: true
+  type: kubernetes.io/tls
+
+patches:
+  - path: ./deployment.yaml
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
diff --git a/pkg/exporter/skywalking.go b/pkg/exporter/skywalking.go
index aaf49fe..65f09a1 100644
--- a/pkg/exporter/skywalking.go
+++ b/pkg/exporter/skywalking.go
@@ -21,10 +21,16 @@ package exporter
 
 import (
        "context"
+       "crypto/tls"
+       "crypto/x509"
        "encoding/json"
        "fmt"
+       "io/ioutil"
+       "os"
        "time"
 
+       "google.golang.org/grpc/credentials"
+
        "github.com/sirupsen/logrus"
 
        sw "skywalking.apache.org/repo/goapi/collect/event/v3"
@@ -43,8 +49,13 @@ type SkyWalking struct {
 }
 
 type SkyWalkingConfig struct {
-       Address  string         `mapstructure:"address"`
-       Template *EventTemplate `mapstructure:"template"`
+       Address            string         `mapstructure:"address"`
+       Template           *EventTemplate `mapstructure:"template"`
+       EnableTLS          bool           `mapstructure:"enableTLS"`
+       ClientCertPath     string         `mapstructure:"clientCertPath"`
+       ClientKeyPath      string         `mapstructure:"clientKeyPath"`
+       TrustedCertPath    string         `mapstructure:"trustedCertPath"`
+       InsecureSkipVerify bool           `mapstructure:"insecureSkipVerify"`
 }
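Review bot: The five new exported fields carry no doc comments, and their interplay is only discoverable by reading Init: `TrustedCertPath` is read in both TLS branches, `ClientCertPath`/`ClientKeyPath` are optional and select mutual TLS only when both files exist, and `InsecureSkipVerify` turns off server certificate verification. Document each with a `// Field ...` comment, e.g. `// InsecureSkipVerify disables verification of the server certificate; for local testing only.` and `// ClientCertPath and ClientKeyPath enable mutual TLS when both files are present; otherwise only the server is authenticated.`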
 
 func init() {
@@ -67,7 +78,37 @@ func (exporter *SkyWalking) Init(ctx context.Context) error {
                return err
        }
 
-       conn, err := grpc.Dial(config.Address, grpc.WithInsecure())
+       var dialOption grpc.DialOption
+       if config.EnableTLS {
+               if isFileExisted(config.ClientCertPath) && 
isFileExisted(config.ClientKeyPath) {
+                       clientCert, err := 
tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
+                       if err != nil {
+                               return err
+                       }
+                       trustedCert, err := 
ioutil.ReadFile(config.TrustedCertPath)
+                       if err != nil {
+                               return err
+                       }
+                       certPool := x509.NewCertPool()
+                       certPool.AppendCertsFromPEM(trustedCert)
+
+                       tlsConfig := &tls.Config{
+                               Certificates: []tls.Certificate{clientCert},
+                               RootCAs:      certPool,
+                               MinVersion:   tls.VersionTLS13,
+                               MaxVersion:   tls.VersionTLS13,
+                       }
+                       tlsConfig.InsecureSkipVerify = config.InsecureSkipVerify
+                       dialOption = 
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
+               } else {
+                       cred, _ := 
credentials.NewClientTLSFromFile(config.TrustedCertPath, "")
+                       dialOption = grpc.WithTransportCredentials(cred)
+               }
+       } else {
+               dialOption = grpc.WithInsecure()
+       }
+
+       conn, err := grpc.Dial(config.Address, dialOption)
        if err != nil {
                return err
        }
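Review bot: The server-only branch at `cred, _ := credentials.NewClientTLSFromFile(config.TrustedCertPath, "")` drops the error, so a missing or unreadable CA file leaves `cred` nil and the failure only surfaces later from grpc.Dial without naming the file; the mutual-TLS branch likewise ignores the boolean from `certPool.AppendCertsFromPEM(trustedCert)`, so a malformed PEM yields an empty pool and an opaque verification failure at connect time. Both should be checked and returned with the path in the message, as below. Separately, when `ClientCertPath`/`ClientKeyPath` are configured but one file is absent, `isFileExisted` silently downgrades to server-only TLS; if that fallback is intended it deserves a log line, otherwise a configured-but-missing file should be an error. `ioutil.ReadFile` can become `os.ReadFile` if the module targets Go 1.16 or later (`os` is already imported). Init's body starts and ends outside the hunk.
```go
			// … unchanged: isFileExisted check and tls.LoadX509KeyPair …
			trustedCert, err := ioutil.ReadFile(config.TrustedCertPath)
			if err != nil {
				return fmt.Errorf("reading trusted cert %q: %w", config.TrustedCertPath, err)
			}
			certPool := x509.NewCertPool()
			if !certPool.AppendCertsFromPEM(trustedCert) {
				return fmt.Errorf("no PEM certificates found in %q", config.TrustedCertPath)
			}
			// … unchanged: tls.Config construction and dialOption assignment …
		} else {
			cred, err := credentials.NewClientTLSFromFile(config.TrustedCertPath, "")
			if err != nil {
				return fmt.Errorf("loading trusted cert %q: %w", config.TrustedCertPath, err)
			}
			dialOption = grpc.WithTransportCredentials(cred)
		}
```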
@@ -86,6 +127,16 @@ func (exporter *SkyWalking) Init(ctx context.Context) error 
{
        return nil
 }
 
+// checkTLSFile checks the TLS files.
+func isFileExisted(path string) bool {
+       file, err := os.Open(path)
+       if err != nil {
+               return false
+       }
+       _, err = file.Stat()
+       return err == nil
+}
+
 func (exporter *SkyWalking) Name() string {
        return "skywalking"
 }
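Review bot: The `os.Open` in isFileExisted is never closed, so every call leaks a file descriptor, and the leading comment names `checkTLSFile` rather than the function. A stat avoids the open entirely: `// isFileExisted reports whether path can be stat'ed.` / `_, err := os.Stat(path)` / `return err == nil`. Note that existence is all this checks; an unreadable file still passes and only fails later inside tls.LoadX509KeyPair.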
@@ -156,7 +207,7 @@ func (exporter *SkyWalking) Export(ctx context.Context, 
events chan *k8score.Eve
        }
 }
 
-func (exporter SkyWalking) export(stream sw.EventService_CollectClient, 
swEvent *sw.Event) {
+func (exporter *SkyWalking) export(stream sw.EventService_CollectClient, 
swEvent *sw.Event) {
        if err := stream.Send(swEvent); err != nil {
                logger.Log.Errorf("failed to send event to %+v. %+v", 
exporter.Name(), err)
        }
