cmd: occollector, ocagent: add TLS for OpenCensus receiver

With this change, one can now optionally start either the
occollector or ocagent with TLS credentials pointing to a
certificate file and a key file in the form of:

```yaml
receivers:
  opencensus:
    tls_credentials:
      cert_file: "cert.pem"
      key_file: "key.pem"
```

Despite the code changes for starting the receiver always passing
in `tlsCredsOption`, if no TLS Configuration is parsed, the
OpenCensus receiver Option passed in will be a noop.

Fixes #367

Author: odeke-em

cmd/ocagent/main.go

@@ -102,7 +102,7 @@ func runOCAgent() {
 	commonMetricsSink := exporter.MultiMetricsExporters(metricsExporters...)
 
 	// Add other receivers here as they are implemented
-	ocReceiverDoneFn, err := runOCReceiver(agentConfig, commonSpanSink, commonMetricsSink)
+	ocReceiverDoneFn, err := runOCReceiver(logger, agentConfig, commonSpanSink, commonMetricsSink)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -189,16 +189,24 @@ func runZPages(port int) func() error {
 	return srv.Close
 }
 
-func runOCReceiver(acfg *config.Config, sr receiver.TraceReceiverSink, mr receiver.MetricsReceiverSink) (doneFn func() error, err error) {
+func runOCReceiver(logger *zap.Logger, acfg *config.Config, sr receiver.TraceReceiverSink, mr receiver.MetricsReceiverSink) (doneFn func() error, err error) {
+	tlsCredsOption, hasTLSCreds, err := acfg.OpenCensusReceiverTLSCredentialsServerOption()
+	if err != nil {
+		return nil, fmt.Errorf("OpenCensus receiver TLS Credentials: %v", err)
+	}
 	addr := acfg.OpenCensusReceiverAddress()
 	corsOrigins := acfg.OpenCensusReceiverCorsAllowedOrigins()
-	ocr, err := opencensusreceiver.New(addr, opencensusreceiver.WithCorsOrigins(corsOrigins))
+	ocr, err := opencensusreceiver.New(addr,
+		tlsCredsOption,
+		opencensusreceiver.WithCorsOrigins(corsOrigins))
+
 	if err != nil {
 		return nil, fmt.Errorf("Failed to create the OpenCensus receiver on address %q: error %v", addr, err)
 	}
 	if err := view.Register(internal.AllViews...); err != nil {
 		return nil, fmt.Errorf("Failed to register internal.AllViews: %v", err)
 	}
+
 	// Temporarily disabling the grpc metrics since they do not provide good data at this moment,
 	// See https://github.com/census-instrumentation/opencensus-service/issues/287
 	// if err := view.Register(ocgrpc.DefaultServerViews...); err != nil {
@@ -227,6 +235,13 @@ func runOCReceiver(acfg *config.Config, sr receiver.TraceReceiverSink, mr receiv
 		log.Printf("Running OpenCensus Metrics receiver as a gRPC service at %q", addr)
 	}
 
+	if hasTLSCreds {
+		tlsCreds := acfg.OpenCensusReceiverTLSServerCredentials()
+		logger.Info("OpenCensus receiver with TLS Credentials",
+			zap.String("cert_file", tlsCreds.CertFile),
+			zap.String("key_file", tlsCreds.KeyFile))
+	}
+
 	doneFn = ocr.Stop
 	return doneFn, nil
 }

cmd/occollector/app/builder/builder.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/census-instrumentation/opencensus-service/internal/config"
 	"github.com/spf13/viper"
 )
 
@@ -102,6 +103,9 @@ func (cfg *JaegerReceiverCfg) InitFromViper(v *viper.Viper) (*JaegerReceiverCfg,
 type OpenCensusReceiverCfg struct {
 	// Port is the port that the receiver will use
 	Port int `mapstructure:"port"`
+
+	// TLSCredentials is a (cert_file, key_file) configuration.
+	TLSCredentials *config.TLSCredentials `mapstructure:"tls_credentials"`
 }
 
 // OpenCensusReceiverEnabled checks if the OpenCensus receiver is enabled, via a command-line flag, environment

internal/collector/opencensus/receiver.go

@@ -37,9 +37,13 @@ func Start(logger *zap.Logger, v *viper.Viper, spanProc processor.SpanProcessor)
 		return nil, err
 	}
 
-	addr := ":" + strconv.FormatInt(int64(rOpts.Port), 10)
+	tlsCredsOption, hasTLSCreds, err := rOpts.TLSCredentials.ToOpenCensusReceiverServerOption()
+	if err != nil {
+		return nil, fmt.Errorf("OpenCensus receiver TLS Credentials: %v", err)
+	}
 
-	ocr, err := opencensusreceiver.New(addr)
+	addr := ":" + strconv.FormatInt(int64(rOpts.Port), 10)
+	ocr, err := opencensusreceiver.New(addr, tlsCredsOption)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to create the OpenCensus trace receiver: %v", err)
 	}
@@ -48,7 +52,15 @@ func Start(logger *zap.Logger, v *viper.Viper, spanProc processor.SpanProcessor)
 		return nil, fmt.Errorf("Cannot bind Opencensus receiver to address %q: %v", addr, err)
 	}
 
-	logger.Info("OpenCensus receiver is running.", zap.Int("port", rOpts.Port))
+	if hasTLSCreds {
+		tlsCreds := rOpts.TLSCredentials
+		logger.Info("OpenCensus receiver is running.",
+			zap.Int("port", rOpts.Port),
+			zap.String("cert_file", tlsCreds.CertFile),
+			zap.String("key_file", tlsCreds.KeyFile))
+	} else {
+		logger.Info("OpenCensus receiver is running.", zap.Int("port", rOpts.Port))
+	}
 
 	return ocr, nil
 }

internal/config/config.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/spf13/viper"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	yaml "gopkg.in/yaml.v2"
 
 	"github.com/census-instrumentation/opencensus-service/exporter"
@@ -35,6 +37,7 @@ import (
 	"github.com/census-instrumentation/opencensus-service/exporter/prometheusexporter"
 	"github.com/census-instrumentation/opencensus-service/exporter/stackdriverexporter"
 	"github.com/census-instrumentation/opencensus-service/exporter/zipkinexporter"
+	"github.com/census-instrumentation/opencensus-service/receiver/opencensusreceiver"
 	"github.com/census-instrumentation/opencensus-service/receiver/prometheusreceiver"
 )
 
@@ -131,6 +134,9 @@ type ReceiverConfig struct {
 	DisableTracing bool `yaml:"disable_tracing"`
 	// DisableMetrics disables metrics receiving and is only applicable to metrics receivers.
 	DisableMetrics bool `yaml:"disable_metrics"`
+
+	// TLSCredentials is a (cert_file, key_file) configuration.
+	TLSCredentials *TLSCredentials `yaml:"tls_credentials"`
 }
 
 // ScribeReceiverConfig carries the settings for the Zipkin Scribe receiver.
@@ -191,15 +197,21 @@ func (c *Config) OpenCensusReceiverCorsAllowedOrigins() []string {
 // CanRunOpenCensusTraceReceiver returns true if the configuration
 // permits running the OpenCensus Trace receiver.
 func (c *Config) CanRunOpenCensusTraceReceiver() bool {
-	return c != nil && c.Receivers != nil &&
-		c.Receivers.OpenCensus != nil && !c.Receivers.OpenCensus.DisableTracing
+	return c.openCensusReceiverEnabled() && !c.Receivers.OpenCensus.DisableTracing
 }
 
 // CanRunOpenCensusMetricsReceiver returns true if the configuration
 // permits running the OpenCensus Metrics receiver.
 func (c *Config) CanRunOpenCensusMetricsReceiver() bool {
+	return c.openCensusReceiverEnabled() && !c.Receivers.OpenCensus.DisableMetrics
+}
+
+// openCensusReceiverEnabled returns true if both:
+//    Config.Receivers and Config.Receivers.OpenCensus
+// are non-nil.
+func (c *Config) openCensusReceiverEnabled() bool {
 	return c != nil && c.Receivers != nil &&
-		c.Receivers.OpenCensus != nil && !c.Receivers.OpenCensus.DisableMetrics
+		c.Receivers.OpenCensus != nil
 }
 
 // ZPagesDisabled returns true if zPages have not been enabled.
@@ -316,6 +328,53 @@ func (c *Config) JaegerReceiverPorts() (collectorPort, thriftPort int) {
 	return jc.CollectorHTTPPort, jc.CollectorThriftPort
 }
 
+// HasTLSCredentials returns true if TLSCredentials is non-nil
+func (rCfg *ReceiverConfig) HasTLSCredentials() bool {
+	return rCfg != nil && rCfg.TLSCredentials != nil && rCfg.TLSCredentials.nonEmpty()
+}
+
+// OpenCensusReceiverTLSServerCredentials retrieves the TLS credentials
+// from this Config's OpenCensus receiver if any.
+func (c *Config) OpenCensusReceiverTLSServerCredentials() *TLSCredentials {
+	if !c.openCensusReceiverEnabled() {
+		return nil
+	}
+
+	ocrConfig := c.Receivers.OpenCensus
+	if !ocrConfig.HasTLSCredentials() {
+		return nil
+	}
+	return ocrConfig.TLSCredentials
+}
+
+// ToOpenCensusReceiverServerOption checks if the TLS credentials
+// in the form of a certificate file and a key file. If they aren't,
+// it will return opencensusreceiver.WithNoopOption() and a nil error.
+// Otherwise, it will try to retrieve gRPC transport credentials from the file combinations,
+// and create a option, along with any errors encountered while retrieving the credentials.
+func (tlsCreds *TLSCredentials) ToOpenCensusReceiverServerOption() (opt opencensusreceiver.Option, ok bool, err error) {
+	if tlsCreds == nil {
+		return opencensusreceiver.WithNoopOption(), false, nil
+	}
+
+	transportCreds, err := credentials.NewServerTLSFromFile(tlsCreds.CertFile, tlsCreds.KeyFile)
+	if err != nil {
+		return nil, false, err
+	}
+	gRPCCredsOpt := grpc.Creds(transportCreds)
+	return opencensusreceiver.WithGRPCServerOptions(gRPCCredsOpt), true, nil
+}
+
+// OpenCensusReceiverTLSCredentialsServerOption checks if the OpenCensus receiver's Configuration
+// has TLS credentials in the form of a certificate file and a key file. If it doesn't
+// have any, it will return opencensusreceiver.WithNoopOption() and a nil error.
+// Otherwise, it will try to retrieve gRPC transport credentials from the file combinations,
+// and create a option, along with any errors encountered while retrieving the credentials.
+func (c *Config) OpenCensusReceiverTLSCredentialsServerOption() (opt opencensusreceiver.Option, ok bool, err error) {
+	tlsCreds := c.OpenCensusReceiverTLSServerCredentials()
+	return tlsCreds.ToOpenCensusReceiverServerOption()
+}
+
 // ParseOCAgentConfig unmarshals byte content in the YAML file format
 // to  retrieve the configuration that will be used to run the OpenCensus agent.
 func ParseOCAgentConfig(yamlBlob []byte) (*Config, error) {

internal/config/tls_credentials.go

@@ -0,0 +1,31 @@
+// Copyright 2019, OpenCensus Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+// TLSCredentials holds the fields for TLS credentials
+// that are used for starting a server.
+type TLSCredentials struct {
+	// CertFile is the file path containing the TLS certificate.
+	CertFile string `yaml:"cert_file"`
+
+	// KeyFile is the file path containing the TLS key.
+	KeyFile string `yaml:"key_file"`
+}
+
+// nonEmpty returns true if the TLSCredentials are non-nil and
+// if either CertFile or KeyFile is non-empty.
+func (tc *TLSCredentials) nonEmpty() bool {
+	return tc != nil && (tc.CertFile != "" || tc.KeyFile != "")
+}

internal/config/tls_credentials_test.go

@@ -0,0 +1,115 @@
+// Copyright 2019, OpenCensus Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestTLSConfigByParsing(t *testing.T) {
+	configYAML := []byte(`
+receivers:
+  opencensus:
+    tls_credentials:
+      cert_file: "foobar.crt"
+      key_file: "foobar.key"
+  `)
+
+	cfg, err := ParseOCAgentConfig(configYAML)
+	if err != nil {
+		t.Fatalf("Failed to parse OCAgent config: %v", err)
+	}
+	if cfg == nil {
+		t.Fatal("Returned nil while parsing config")
+	}
+
+	tlsCreds := cfg.OpenCensusReceiverTLSServerCredentials()
+	if tlsCreds == nil {
+		t.Error("Surprisingly turned out nil TLS credentials")
+	}
+
+	if !tlsCreds.nonEmpty() {
+		t.Error("nonEmpty returned false")
+	}
+
+	want := &TLSCredentials{
+		CertFile: "foobar.crt",
+		KeyFile:  "foobar.key",
+	}
+
+	if !reflect.DeepEqual(tlsCreds, want) {
+		t.Errorf("Got:  %+v\nWant: %+v", cfg, want)
+	}
+}
+
+func TestTLSConfigDereferencing(t *testing.T) {
+	var nilConfig *Config
+	if g := nilConfig.OpenCensusReceiverTLSServerCredentials(); g != nil {
+		t.Errorf("Retrieved non-nil TLSServerCredentials: %+v\n", g)
+	}
+
+	if nilConfig.openCensusReceiverEnabled() {
+		t.Error("Somehow OpenCensus receiver is enabled on a nil Config")
+	}
+}
+
+func TestTLSCredentials_nonEmptyChecks(t *testing.T) {
+	// TLSCredentials are considered "nonEmpty" if at least either
+	// of "cert_file" or "key_file" are non-empty.
+	combinations := []struct {
+		config string
+		want   bool
+	}{
+		{config: ``, want: false},
+		{
+			config: `
+receivers:
+  opencensus:
+    tls_credentials:
+      cert_file: "foo"
+        `, want: true,
+		},
+		{
+			config: `
+receivers:
+  opencensus:
+    tls_credentials:
+      key_file: "foo"
+        `, want: true,
+		},
+		{
+			config: `
+receivers:
+  opencensus:
+    tls_credentials:
+      key_file: ""
+      cert_file: ""
+        `, want: false,
+		},
+	}
+
+	for i, tt := range combinations {
+		cfg, err := ParseOCAgentConfig([]byte(tt.config))
+		if err != nil {
+			t.Errorf("#%d: unexpected parsing error: %v", i, err)
+		}
+		tlsCreds := cfg.OpenCensusReceiverTLSServerCredentials()
+		got, want := tlsCreds.nonEmpty(), tt.want
+		if got != want {
+			t.Errorf("#%d: got=%t want=%t\nConfig:\n%s", i, got, want, tt.config)
+		}
+	}
+}

receiver/opencensusreceiver/opencensus.go

@@ -39,12 +39,13 @@ import (
 
 // Receiver is the type that exposes Trace and Metrics reception.
 type Receiver struct {
-	mu          sync.Mutex
-	ln          net.Listener
-	serverGRPC  *grpc.Server
-	serverHTTP  *http.Server
-	gatewayMux  *gatewayruntime.ServeMux
-	corsOrigins []string
+	mu                sync.Mutex
+	ln                net.Listener
+	serverGRPC        *grpc.Server
+	serverHTTP        *http.Server
+	gatewayMux        *gatewayruntime.ServeMux
+	corsOrigins       []string
+	grpcServerOptions []grpc.ServerOption
 
 	traceReceiverOpts   []octrace.Option
 	metricsReceiverOpts []ocmetrics.Option
@@ -138,7 +139,7 @@ func (ocr *Receiver) grpcServer() *grpc.Server {
 	defer ocr.mu.Unlock()
 
 	if ocr.serverGRPC == nil {
-		ocr.serverGRPC = internal.GRPCServerWithObservabilityEnabled()
+		ocr.serverGRPC = internal.GRPCServerWithObservabilityEnabled(ocr.grpcServerOptions...)
 	}
 
 	return ocr.serverGRPC

receiver/opencensusreceiver/opencensus_test.go

@@ -262,7 +262,7 @@ func runContentTypeTests(addr string, contentTypeDesignation bool, contentType s
 			{
 				TraceId: []byte{
 					0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-					0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0X10,
+					0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
 				},
 			},
 		},