Verify export via TLS (#12).

Co-authored-by: Pavel Pautov <p.pautov@f5.com>
2024-12-20 17:24:27 -08:00 · 2024-12-20 17:24:27 -08:00 · 38cae30841
commit 38cae30841
parent 0aec04198c
3 changed files with 44 additions and 15 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -19,7 +19,7 @@ def pytest_addoption(parser):
    parser.addoption("--globals", default="")


-def self_signed_cert(test_dir, name):
+def self_signed_cert(name):
    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
@ -29,11 +29,9 @@ def self_signed_cert(test_dir, name):
    cert.gmtime_adj_notAfter(365 * 86400)  # 365 days
    cert.set_pubkey(k)
    cert.sign(k, "sha512")
-    (test_dir / f"{name}.key").write_text(
-        crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8")
-    )
-    (test_dir / f"{name}.crt").write_text(
-        crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
+    return (
+        crypto.dump_privatekey(crypto.FILETYPE_PEM, k),
+        crypto.dump_certificate(crypto.FILETYPE_PEM, cert),
    )


@ -66,7 +64,7 @@ def nginx_config(request, pytestconfig, testdir, logger):


@pytest.fixture(scope="module")
-def nginx(testdir, pytestconfig, nginx_config, certs, logger, otelcol):
+def nginx(testdir, pytestconfig, nginx_config, cert, logger, otelcol):
    (testdir / "nginx.conf").write_text(nginx_config)
    logger.info("Starting nginx...")
    proc = subprocess.Popen(
@ -96,5 +94,8 @@ def nginx(testdir, pytestconfig, nginx_config, certs, logger, otelcol):


@pytest.fixture(scope="module")
-def certs(testdir):
-    self_signed_cert(testdir, "localhost")
+def cert(testdir):
+    key, cert = self_signed_cert("localhost")
+    (testdir / "localhost.key").write_text(key.decode("utf-8"))
+    (testdir / "localhost.crt").write_text(cert.decode("utf-8"))
+    yield (key, cert)
--- a/tests/test_otel.py
+++ b/tests/test_otel.py
@ -21,7 +21,7 @@ http {
    ssl_certificate_key localhost.key;

    otel_exporter {
-        endpoint {{ scheme }}127.0.0.1:14317;
+        endpoint {{ endpoint or "127.0.0.1:14317" }};
        interval {{ interval or "1ms" }};
        batch_size 3;
        batch_count 3;
@ -242,7 +242,7 @@ def test_context(client, trace_service, parent, path):

@pytest.mark.parametrize(
    "nginx_config",
-    [{"interval": "200ms", "scheme": "http://"}],
+    [{"interval": "200ms", "endpoint": "http://127.0.0.1:14317"}],
    indirect=True,
 )
@pytest.mark.parametrize("batch_count", [1, 3])
@ -313,3 +313,19 @@ def test_exporter_headers(client, trace_service):
    headers = dict(trace_service.last_metadata)
    assert headers["x-api-token"] == "api.value"
    assert headers["authorization"] == "Basic value"
+
+
+@pytest.mark.parametrize(
+    "nginx_config",
+    [
+        {
+            "endpoint": "https://localhost:14318",
+            "exporter_opts": "trusted_certificate localhost.crt;",
+        }
+    ],
+    indirect=True,
+)
+def test_tls_export(client, trace_service):
+    assert client.get("http://127.0.0.1:18080/ok").status_code == 200
+
+    assert trace_service.get_span().name == "/ok"
--- a/tests/trace_service.py
+++ b/tests/trace_service.py
@ -32,7 +32,7 @@ class TraceService(trace_service_pb2_grpc.TraceServiceServicer):


@pytest.fixture(scope="module")
-def trace_service(request, pytestconfig, logger):
+def trace_service(request, pytestconfig, logger, cert):
    server = grpc.server(concurrent.futures.ThreadPoolExecutor())
    trace_service = TraceService()
    trace_service_pb2_grpc.add_TraceServiceServicer_to_server(
@ -44,6 +44,10 @@ def trace_service(request, pytestconfig, logger):
    )
    listen_addr = f"127.0.0.1:{24317 if trace_service.use_otelcol else 14317}"
    server.add_insecure_port(listen_addr)
+    if not trace_service.use_otelcol:
+        creds = grpc.ssl_server_credentials([cert])
+        server.add_secure_port("127.0.0.1:14318", creds)
+        listen_addr += " and 127.0.0.1:14318"
    logger.info(f"Starting trace service at {listen_addr}...")
    server.start()
    yield trace_service
@ -52,18 +56,26 @@ def trace_service(request, pytestconfig, logger):


@pytest.fixture(scope="module")
-def otelcol(pytestconfig, testdir, logger, trace_service):
+def otelcol(pytestconfig, testdir, logger, trace_service, cert):
    if not trace_service.use_otelcol:
        yield
        return

    (testdir / "otel-config.yaml").write_text(
-        """receivers:
+        f"""receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 127.0.0.1:14317

+  otlp/tls:
+    protocols:
+      grpc:
+        endpoint: 127.0.0.1:14318
+        tls:
+          cert_file: {testdir}/localhost.crt
+          key_file: {testdir}/localhost.key
+
 exporters:
  otlp:
    endpoint: 127.0.0.1:24317
@ -73,7 +85,7 @@ exporters:
 service:
  pipelines:
    traces:
-      receivers: [otlp]
+      receivers: [otlp, otlp/tls]
      exporters: [otlp]
  telemetry:
    metrics: