Add option for TLS sniffing for Elasticsearch (#2263)
* Expose option to enable TLS when sniffing an Elasticsearch Cluster

Jaeger uses the default scheme set by the olivere client (which is http) when sniffing an Elasticsearch cluster without the option to change it.  This makes it impossible to use sniffing with a TLS Elasticsearch cluster.

The scheme can be set using the SetScheme client option:
https://pkg.go.dev/github.com/olivere/elastic/v7?tab=doc#SetScheme

This change exposes that client option as a boolean command line option: --es.sniffer-tls-enabled

Signed-off-by: nilsenj <jennynilsen@rentalcars.com>

* Removing default options and correcting lint failures

Signed-off-by: nilsenj <jennynilsen@rentalcars.com>
jennynilsen authored Jun 12, 2020
1 parent 6929183 commit b46738c
Showing 3 changed files with 17 additions and 1 deletion.
9 changes: 8 additions & 1 deletion pkg/es/config/config.go
@@ -45,7 +45,8 @@ type Configuration struct {
Password string `mapstructure:"password"`
TokenFilePath string `mapstructure:"token_file"`
AllowTokenFromContext bool `mapstructure:"-"`
Sniffer bool `mapstructure:"sniffer"` // /~https://github.com/olivere/elastic/wiki/Sniffing
Sniffer bool `mapstructure:"sniffer"` // /~https://github.com/olivere/elastic/wiki/Sniffing
SnifferTLSEnabled bool `mapstructure:"sniffer_tls_enabled"`
MaxNumSpans int `mapstructure:"-"` // defines maximum number of spans to fetch from storage per query
MaxSpanAge time.Duration `yaml:"max_span_age" mapstructure:"-"` // configures the maximum lookback on span reads
NumShards int64 `yaml:"shards" mapstructure:"num_shards"`
@@ -212,6 +213,9 @@ func (c *Configuration) ApplyDefaults(source *Configuration) {
if c.BulkFlushInterval == 0 {
c.BulkFlushInterval = source.BulkFlushInterval
}
if !c.SnifferTLSEnabled {
c.SnifferTLSEnabled = source.SnifferTLSEnabled
}
}

// GetNumShards returns number of shards from Configuration
@@ -288,6 +292,9 @@ func (c *Configuration) getConfigOptions(logger *zap.Logger) ([]elastic.ClientOp
// we don' have a valid token to do the check ad if we don't disable the check the service that
// uses this won't start.
elastic.SetHealthcheck(!c.AllowTokenFromContext)}
if c.SnifferTLSEnabled {
options = append(options, elastic.SetScheme("https"))
}
httpClient := &http.Client{
Timeout: c.Timeout,
}
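Review bot: In getConfigOptions the sniffing scheme becomes https only when `SnifferTLSEnabled` is set, so a configuration with `Sniffer` and TLS both enabled (the tests on this page read `primary.TLS.Enabled`) but the new flag left at its default still discovers nodes over plain http, which the commit description gives as the olivere default. If the client then talks to the sniffed nodes on that scheme, which is worth confirming against the client library, the configured `Username`/`Password` or token would travel outside the TLS channel. Consider deriving the scheme from the existing TLS setting, or at least warning on the mismatch with the logger already passed in: `if c.Sniffer && c.TLS.Enabled && !c.SnifferTLSEnabled { logger.Warn("sniffer will use http although TLS is enabled") }`. The function body continues outside the hunk, so where `c.TLS` is consumed is not visible here.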
6 changes: 6 additions & 0 deletions plugin/storage/es/options.go
@@ -31,6 +31,7 @@ const (
suffixUsername = ".username"
suffixPassword = ".password"
suffixSniffer = ".sniffer"
suffixSnifferTLSEnabled = ".sniffer-tls-enabled"
suffixTokenPath = ".token-file"
suffixServerURLs = ".server-urls"
suffixMaxSpanAge = ".max-span-age"
@@ -227,6 +228,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) {
nsConfig.namespace+suffixVersion,
0,
"The major Elasticsearch version. If not specified, the value will be auto-detected from Elasticsearch.")
flagSet.Bool(
nsConfig.namespace+suffixSnifferTLSEnabled,
nsConfig.SnifferTLSEnabled,
"Option to enable TLS when sniffing an Elasticsearch Cluster ; client uses sniffing process to find all nodes automatically, disabled by default")
if nsConfig.namespace == archiveNamespace {
flagSet.Bool(
nsConfig.namespace+suffixEnabled,
@@ -249,6 +254,7 @@ func initFromViper(cfg *namespaceConfig, v *viper.Viper) {
cfg.Password = v.GetString(cfg.namespace + suffixPassword)
cfg.TokenFilePath = v.GetString(cfg.namespace + suffixTokenPath)
cfg.Sniffer = v.GetBool(cfg.namespace + suffixSniffer)
cfg.SnifferTLSEnabled = v.GetBool(cfg.namespace + suffixSnifferTLSEnabled)
cfg.Servers = strings.Split(stripWhiteSpace(v.GetString(cfg.namespace+suffixServerURLs)), ",")
cfg.MaxSpanAge = v.GetDuration(cfg.namespace + suffixMaxSpanAge)
cfg.MaxNumSpans = v.GetInt(cfg.namespace + suffixMaxNumSpans)
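Review bot: The help text for `.sniffer-tls-enabled` in addFlags does not say what the client does when the flag is left off, and the option appears to have no effect unless `.sniffer` is also true. Because the default leaves sniffing on plain http, the description should say so, for example `"Use https instead of http when sniffing Elasticsearch nodes; only applies when sniffer is enabled. Disabled by default, in which case sniffing uses http."`. A one-line comment above the `flagSet.Bool` call noting the dependency on the sniffer flag would help the next reader. addFlags starts and ends outside the hunk.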
3 changes: 3 additions & 0 deletions plugin/storage/es/options_test.go
@@ -34,6 +34,7 @@ func TestOptions(t *testing.T) {
assert.Equal(t, int64(1), primary.NumReplicas)
assert.Equal(t, 72*time.Hour, primary.MaxSpanAge)
assert.False(t, primary.Sniffer)
assert.False(t, primary.SnifferTLSEnabled)

aux := opts.Get("archive")
assert.Equal(t, primary.Username, aux.Username)
@@ -50,6 +51,7 @@ func TestOptionsWithFlags(t *testing.T) {
"--es.password=world",
"--es.token-file=/foo/bar",
"--es.sniffer=true",
"--es.sniffer-tls-enabled=true",
"--es.max-span-age=48h",
"--es.num-shards=20",
"--es.num-replicas=10",
@@ -68,6 +70,7 @@ func TestOptionsWithFlags(t *testing.T) {
assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers)
assert.Equal(t, 48*time.Hour, primary.MaxSpanAge)
assert.True(t, primary.Sniffer)
assert.True(t, primary.SnifferTLSEnabled)
assert.Equal(t, true, primary.TLS.Enabled)
assert.Equal(t, true, primary.TLS.SkipHostVerify)

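Review bot: Both tests assert only that the flag parses on the primary namespace, so the inheritance this commit adds in ApplyDefaults is never checked. TestOptions already fetches `aux := opts.Get("archive")`, so `assert.False(t, aux.SnifferTLSEnabled)` fits there, and the archive assertions of TestOptionsWithFlags (outside the hunk, if present) could take `assert.True(t, aux.SnifferTLSEnabled)`, assuming `Get` applies the primary defaults. A test that getConfigOptions selects the https scheme when the field is set would cover the behaviour that matters for transport security.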
