From b46738c68a906f7330e5e1a5ba6937b58e52b9dc Mon Sep 17 00:00:00 2001
From: Jenny Nilsen <44649100+jennynilsen@users.noreply.github.com>
Date: Fri, 12 Jun 2020 16:43:31 +0100
Subject: [PATCH] Add option for TLS sniffing for Elasticsearch (#2263)

* Expose option to enable TLS when sniffing an Elasticsearch Cluster

Jaeger uses the default scheme set by the olivere client (which is http) when sniffing an Elasticsearch cluster without the option to change it. This makes it impossible to use sniffing with a TLS Elasticsearch cluster.

The scheme can be set using SetScheme client option https://pkg.go.dev/github.com/olivere/elatic/v7\?tab\=doc\#SetScheme

This change exposes that client option as a boolean command line option: --es.sniffer-tls-enabled

Signed-off-by: nilsenj

* Removing default options and correcting lint failures

Signed-off-by: nilsenj
---
 pkg/es/config/config.go | 9 ++++++++-
 plugin/storage/es/options.go | 6 ++++++
 plugin/storage/es/options_test.go | 3 +++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/es/config/config.go b/pkg/es/config/config.go
index c6b5be9526c..3da07659d00 100644
--- a/pkg/es/config/config.go
+++ b/pkg/es/config/config.go
@@ -45,7 +45,8 @@ type Configuration struct {
 Password string `mapstructure:"password"`
 TokenFilePath string `mapstructure:"token_file"`
 AllowTokenFromContext bool `mapstructure:"-"`
- Sniffer bool `mapstructure:"sniffer"` // /~https://github.com/olivere/elastic/wiki/Sniffing
+ Sniffer bool `mapstructure:"sniffer"` // /~https://github.com/olivere/elastic/wiki/Sniffing
+ SnifferTLSEnabled bool `mapstructure:"sniffer_tls_enabled"`
 MaxNumSpans int `mapstructure:"-"` // defines maximum number of spans to fetch from storage per query
 MaxSpanAge time.Duration `yaml:"max_span_age" mapstructure:"-"` // configures the maximum lookback on span reads
 NumShards int64 `yaml:"shards" mapstructure:"num_shards"`
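Review bot: The new `SnifferTLSEnabled` field carries no comment, while the `Sniffer` field beside it links to the sniffing docs, so nothing in the struct says that this only switches the scheme used for node discovery rather than enabling TLS itself (the TLS settings proper live in the `TLS` block the test file refers to). Suggest a trailing comment on the new line such as `// use https for nodes found by the sniffer; TLS material still comes from the TLS settings`. The commit message says the value maps to olivere's SetScheme; if the library consults that scheme only while sniffing, the comment should state that too so nobody expects it to change how the configured server URLs are contacted. The Configuration struct continues outside the hunk.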
@@ -212,6 +213,9 @@ func (c *Configuration) ApplyDefaults(source *Configuration) {
 if c.BulkFlushInterval == 0 {
 c.BulkFlushInterval = source.BulkFlushInterval
 }
+ if !c.SnifferTLSEnabled {
+ c.SnifferTLSEnabled = source.SnifferTLSEnabled
+ }
 }
 
 // GetNumShards returns number of shards from Configuration
@@ -288,6 +292,9 @@ func (c *Configuration) getConfigOptions(logger *zap.Logger) ([]elastic.ClientOp
 // we don' have a valid token to do the check ad if we don't disable the check the service that
 // uses this won't start.
 elastic.SetHealthcheck(!c.AllowTokenFromContext)}
+ if c.SnifferTLSEnabled {
+ options = append(options, elastic.SetScheme("https"))
+ }
 httpClient := &http.Client{
 Timeout: c.Timeout,
 }
diff --git a/plugin/storage/es/options.go b/plugin/storage/es/options.go
index 6d89a368d86..695abb9d167 100644
--- a/plugin/storage/es/options.go
+++ b/plugin/storage/es/options.go
@@ -31,6 +31,7 @@ const (
 suffixUsername = ".username"
 suffixPassword = ".password"
 suffixSniffer = ".sniffer"
+ suffixSnifferTLSEnabled = ".sniffer-tls-enabled"
 suffixTokenPath = ".token-file"
 suffixServerURLs = ".server-urls"
 suffixMaxSpanAge = ".max-span-age"
@@ -227,6 +228,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) {
 nsConfig.namespace+suffixVersion,
 0,
 "The major Elasticsearch version. If not specified, the value will be auto-detected from Elasticsearch.")
+ flagSet.Bool(
+ nsConfig.namespace+suffixSnifferTLSEnabled,
+ nsConfig.SnifferTLSEnabled,
+ "Option to enable TLS when sniffing an Elasticsearch Cluster ; client uses sniffing process to find all nodes automatically, disabled by default")
 if nsConfig.namespace == archiveNamespace {
 flagSet.Bool(
 nsConfig.namespace+suffixEnabled,
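Review bot: In ApplyDefaults the `if !c.SnifferTLSEnabled` guard does nothing on the true branch, so the block is just `c.SnifferTLSEnabled = c.SnifferTLSEnabled || source.SnifferTLSEnabled`, and writing it that way makes the real semantics visible: a bool has no "unset" state, so a namespace that explicitly passes the flag as false still inherits true from source. If that is intended (it is probably how the other bool fields merged in this function behave, but they are outside the hunk), a one-line comment such as `// false cannot be told apart from unset, so a false value always inherits from source` would stop the next reader from filing it as a bug. ApplyDefaults begins before the hunk.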
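Review bot: `elastic.SetScheme("https")` is appended on SnifferTLSEnabled alone, with no relation to `c.Sniffer` or to the TLS settings the rest of the configuration carries, so an operator who enables TLS for the server URLs but does not know about the new flag will have sniffer-discovered nodes addressed over http — a silent downgrade to plaintext inside a cluster that was configured for TLS. The function already receives `logger`, so the mismatch can at least be surfaced with `if c.Sniffer && c.TLS.Enabled && !c.SnifferTLSEnabled { logger.Warn("TLS is enabled but sniffer TLS is not; nodes found by the sniffer will be contacted over http") }`, or the scheme could default from the TLS setting. The new block also deserves a why-comment, e.g. `// the client builds URLs for sniffed nodes from this scheme; without it a TLS cluster is contacted over http`. That `TLS.Enabled` is a field of Configuration is inferred from the test file, and getConfigOptions continues past the hunk.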
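Review bot: The help text for the new flag has a space before the semicolon and its second clause describes sniffing in general rather than this option, so the `--help` entry reads oddly; suggest `"Option to enable TLS when sniffing an Elasticsearch Cluster; only meaningful together with the sniffer option, disabled by default"`. The flag is also registered after `suffixVersion` rather than next to the sniffer flag it qualifies (that registration is presumably elsewhere in addFlags, outside the hunk), which makes the pairing harder to spot in the source. addFlags begins before the hunk and continues past it.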
@@ -249,6 +254,7 @@ func initFromViper(cfg *namespaceConfig, v *viper.Viper) {
 cfg.Password = v.GetString(cfg.namespace + suffixPassword)
 cfg.TokenFilePath = v.GetString(cfg.namespace + suffixTokenPath)
 cfg.Sniffer = v.GetBool(cfg.namespace + suffixSniffer)
+ cfg.SnifferTLSEnabled = v.GetBool(cfg.namespace + suffixSnifferTLSEnabled)
 cfg.Servers = strings.Split(stripWhiteSpace(v.GetString(cfg.namespace+suffixServerURLs)), ",")
 cfg.MaxSpanAge = v.GetDuration(cfg.namespace + suffixMaxSpanAge)
 cfg.MaxNumSpans = v.GetInt(cfg.namespace + suffixMaxNumSpans)
diff --git a/plugin/storage/es/options_test.go b/plugin/storage/es/options_test.go
index 8e71c2f266f..1157b4081da 100644
--- a/plugin/storage/es/options_test.go
+++ b/plugin/storage/es/options_test.go
@@ -34,6 +34,7 @@ func TestOptions(t *testing.T) {
 assert.Equal(t, int64(1), primary.NumReplicas)
 assert.Equal(t, 72*time.Hour, primary.MaxSpanAge)
 assert.False(t, primary.Sniffer)
+ assert.False(t, primary.SnifferTLSEnabled)
 
 aux := opts.Get("archive")
 assert.Equal(t, primary.Username, aux.Username)
@@ -50,6 +51,7 @@ func TestOptionsWithFlags(t *testing.T) {
 "--es.password=world",
 "--es.token-file=/foo/bar",
 "--es.sniffer=true",
+ "--es.sniffer-tls-enabled=true",
 "--es.max-span-age=48h",
 "--es.num-shards=20",
 "--es.num-replicas=10",
@@ -68,6 +70,7 @@ func TestOptionsWithFlags(t *testing.T) {
 assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers)
 assert.Equal(t, 48*time.Hour, primary.MaxSpanAge)
 assert.True(t, primary.Sniffer)
+ assert.True(t, primary.SnifferTLSEnabled)
 assert.Equal(t, true, primary.TLS.Enabled)
 assert.Equal(t, true, primary.TLS.SkipHostVerify)
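Review bot: The new assertions only check that the flag round-trips into `SnifferTLSEnabled`; nothing covers the two behaviours the commit actually adds, the inheritance in ApplyDefaults and the `SetScheme("https")` option emitted by getConfigOptions. Since `aux := opts.Get("archive")` is already compared field by field right here, adding `assert.Equal(t, primary.SnifferTLSEnabled, aux.SnifferTLSEnabled)` would at least pin the namespace propagation, and a case in the config package asserting the option list when the flag is set would pin the scheme. TestOptions begins before the hunk.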