Commit 764d8d1d authored 3 years ago by Joel Takvorian

NETOBSERV-397 Implement TLS for Kafka connection in the agent

parent 83db69e7

Showing 4 changed files with 64 additions and 0 deletions:
README.md (+6 −0)
pkg/agent/agent.go (+9 −0)
pkg/agent/config.go (+10 −0)
pkg/agent/tls.go (+39 −0)
README.md (+6 −0)
@@ -17,6 +17,12 @@ egress flows on a Linux host (required a Kernel 4.18+ with eBPF enabled).
make build
```
To build the agent image and push it to your Docker / Quay repository, run:
```
bash
IMG
=
quay.io/myaccount/netobserv-ebpf-agent:dev make image-build image-push
```
## How to configure
The eBPF Agent is configured by means of environment variables. Check the
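Review bot: none of the lines in this README hunk (`@@ -17,6 +17,12 @@`) mention the TLS settings this commit introduces, even though the text right below, under "## How to configure", says the agent is configured through environment variables. KAFKA_ENABLE_TLS, KAFKA_TLS_CA_CERT_PATH, KAFKA_TLS_USER_CERT_PATH and KAFKA_TLS_USER_KEY_PATH deserve a short paragraph here, with KAFKA_TLS_INSECURE_SKIP_VERIFY called out as a development-only switch that disables broker certificate verification.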
pkg/agent/agent.go (+9 −0)
@@ -100,6 +100,14 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
return
nil
,
fmt
.
Errorf
(
"wrong Kafka compression value %s. Admitted values are "
+
"none, gzip, snappy, lz4, zstd: %w"
,
cfg
.
KafkaCompression
,
err
)
}
transport
:=
kafkago
.
Transport
{}
if
cfg
.
KafkaEnableTLS
{
tlsConfig
,
err
:=
buildTLSConfig
(
cfg
)
if
err
!=
nil
{
return
nil
,
err
}
transport
.
TLS
=
tlsConfig
}
exportFunc
=
(
&
exporter
.
KafkaJSON
{
Writer
:
&
kafkago
.
Writer
{
Addr
:
kafkago
.
TCP
(
cfg
.
KafkaBrokers
...
),
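Review bot: inside the `if cfg.KafkaEnableTLS` block, `transport.TLS = tlsConfig` is assigned without a nil check, and `buildTLSConfig` (pkg/agent/tls.go in this same commit) returns `nil, nil` whenever KAFKA_TLS_CA_CERT_PATH is empty; so KAFKA_ENABLE_TLS=true with no CA path (for example a broker whose certificate chains to the system trust store) leaves `transport.TLS` nil and the writer silently connects in plaintext. Either treat a nil config as an error here, e.g. `if tlsConfig == nil { return nil, fmt.Errorf("KAFKA_ENABLE_TLS is set but no TLS configuration could be built") }`, or make `buildTLSConfig` always return a non-nil `*tls.Config` when TLS is enabled. Wrapping the returned error with context (`fmt.Errorf("building Kafka TLS config: %w", err)`), as the compression error just above already does, would also help operators find the bad path.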
@@ -114,6 +122,7 @@ func FlowsAgent(cfg *Config) (*Flows, error) {
BatchBytes
:
cfg
.
KafkaBatchBytes
,
Async
:
cfg
.
KafkaAsync
,
Compression
:
compression
,
Transport
:
&
transport
,
},
})
.
ExportFlows
default
:
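Review bot: `Transport: &transport` is set unconditionally, so when KAFKA_ENABLE_TLS is false the writer now gets a zero-value `kafkago.Transport` instead of the package default it used before this change (a nil `Writer.Transport` means kafka-go's `DefaultTransport`). Unless the zero value is known to carry the same dial and timeout settings as the default, keep `Transport` nil when TLS is disabled, e.g. declare `var transport *kafkago.Transport` and only allocate it inside the TLS branch.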
pkg/agent/config.go (+10 −0)
@@ -67,6 +67,16 @@ type Config struct {
// KafkaCompression sets the compression codec to be used to compress messages. The accepted
// values are: none (default), gzip, snappy, lz4, zstd.
KafkaCompression
string
`env:"KAFKA_COMPRESSION" envDefault:"none"`
// KafkaEnableTLS set true to enable TLS
KafkaEnableTLS
bool
`env:"KAFKA_ENABLE_TLS" envDefault:"false"`
// KafkaTLSInsecureSkipVerify skips server certificate verification in TLS connections
KafkaTLSInsecureSkipVerify
bool
`env:"KAFKA_TLS_INSECURE_SKIP_VERIFY" envDefault:"false"`
// KafkaTLSCACertPath is the path to the Kafka server certificate for TLS connections
KafkaTLSCACertPath
string
`env:"KAFKA_TLS_CA_CERT_PATH"`
// KafkaTLSUserCertPath is the path to the user (client) certificate for mTLS connections
KafkaTLSUserCertPath
string
`env:"KAFKA_TLS_USER_CERT_PATH"`
// KafkaTLSUserKeyPath is the path to the user (client) private key for mTLS connections
KafkaTLSUserKeyPath
string
`env:"KAFKA_TLS_USER_KEY_PATH"`
// ProfilePort sets the listening port for Go's Pprof tool. If it is not set, profile is disabled
ProfilePort
int
`env:"PROFILE_PORT"`
}
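Review bot: the comment on `KafkaTLSCACertPath` ("path to the Kafka server certificate") does not match how tls.go uses the file, which is as the `RootCAs` pool that verifies the broker's certificate; it should read "path to the CA certificate (PEM) used to verify the Kafka broker", and can note that a PEM bundle with several CA certificates is accepted. The `KafkaTLSInsecureSkipVerify` comment should warn that the flag disables broker identity verification entirely, exposing exported flows to an on-path attacker, and is meant for development only. Since `KafkaTLSUserCertPath` and `KafkaTLSUserKeyPath` are only honoured when the CA path is also set (see tls.go), that dependency belongs in these comments too.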
pkg/agent/tls.go (new file, mode 100644, +39 −0)
package
agent
import
(
"crypto/tls"
"crypto/x509"
"io/ioutil"
)
func
buildTLSConfig
(
cfg
*
Config
)
(
*
tls
.
Config
,
error
)
{
tlsConfig
:=
&
tls
.
Config
{
InsecureSkipVerify
:
cfg
.
KafkaTLSInsecureSkipVerify
,
}
if
cfg
.
KafkaTLSCACertPath
!=
""
{
caCert
,
err
:=
ioutil
.
ReadFile
(
cfg
.
KafkaTLSCACertPath
)
if
err
!=
nil
{
return
nil
,
err
}
tlsConfig
.
RootCAs
=
x509
.
NewCertPool
()
tlsConfig
.
RootCAs
.
AppendCertsFromPEM
(
caCert
)
if
cfg
.
KafkaTLSUserCertPath
!=
""
&&
cfg
.
KafkaTLSUserKeyPath
!=
""
{
userCert
,
err
:=
ioutil
.
ReadFile
(
cfg
.
KafkaTLSUserCertPath
)
if
err
!=
nil
{
return
nil
,
err
}
userKey
,
err
:=
ioutil
.
ReadFile
(
cfg
.
KafkaTLSUserKeyPath
)
if
err
!=
nil
{
return
nil
,
err
}
pair
,
err
:=
tls
.
X509KeyPair
([]
byte
(
userCert
),
[]
byte
(
userKey
))
if
err
!=
nil
{
return
nil
,
err
}
tlsConfig
.
Certificates
=
[]
tls
.
Certificate
{
pair
}
}
return
tlsConfig
,
nil
}
return
nil
,
nil
}
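Review bot: `buildTLSConfig` ends with `return nil, nil` whenever `KafkaTLSCACertPath` is empty, which throws away the `InsecureSkipVerify` setting built at the top and, more importantly, makes the client certificate branch unreachable without a custom CA, so mTLS against a broker whose certificate chains to a system root cannot be configured at all. Suggest moving `return tlsConfig, nil` out of the CA block, moving the user cert/key block out of it as well, and adding `MinVersion: tls.VersionTLS12` to the `tls.Config` literal. Three smaller points in the same function: the boolean returned by `tlsConfig.RootCAs.AppendCertsFromPEM(caCert)` is ignored, so a file with no parseable PEM certificate silently yields an empty pool and every handshake then fails with an opaque x509 error (return an error when it is false); the two `ioutil.ReadFile` calls and the `[]byte(userCert)`/`[]byte(userKey)` conversions (ReadFile already returns `[]byte`) can be replaced by one `tls.LoadX509KeyPair(cfg.KafkaTLSUserCertPath, cfg.KafkaTLSUserKeyPath)`; and `io/ioutil` is deprecated in favour of `os.ReadFile` if the module targets Go 1.16 or later.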