This is an automated email from the ASF dual-hosted git repository. liuhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push: new 88f38a41e5 Support to analysis the ztunnel mTLS security policy (#12656) 88f38a41e5 is described below commit 88f38a41e5d8df0b3974d952507eee0c4f8aa29f Author: mrproliu <741550...@qq.com> AuthorDate: Fri Sep 27 16:09:40 2024 +0800 Support to analysis the ztunnel mTLS security policy (#12656)
---
 apm-protocol/apm-network/src/main/proto | 2 +-
 docs/en/changes/changes.md | 2 +-
 .../provider/handler/AccessLogServiceHandler.java | 50 +++++++++++++---------
 3 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/apm-protocol/apm-network/src/main/proto b/apm-protocol/apm-network/src/main/proto
index 4f3b17e1b0..5be4278b70 160000
--- a/apm-protocol/apm-network/src/main/proto
+++ b/apm-protocol/apm-network/src/main/proto
@@ -1 +1 @@
-Subproject commit 4f3b17e1b0b3c3dcc0e1ed3da86efaac785ea157
+Subproject commit 5be4278b70f61423b481c17af9caa808e178eec3
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 937ef19c45..5ec1eff672 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -69,7 +69,7 @@
 * Fix query `getGlobalTopology` throw exception when didn't find any services by the given Layer.
 * Fix the previous analysis result missing in the ALS `k8s-mesh` analyzer.
 * Fix `findEndpoint` query requires `keyword` when using BanyanDB.
-* Support to analysis the ztunnel mapped IP address in eBPF Access Log Receiver.
+* Support to analysis the ztunnel mapped IP address and mTLS mode in eBPF Access Log Receiver.
 * Adapt BanyanDB Java Client 0.7.0.
 * Add SkyWalking Java Agent self observability dashboard.
 * Add Component ID(5022) for the GoFrame framework.
diff --git a/oap-server/server-receiver-plugin/skywalking-ebpf-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/ebpf/provider/handler/AccessLogServiceHandler.java b/oap-server/server-receiver-plugin/skywalking-ebpf-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/ebpf/provider/handler/AccessLogServiceHandler.java
index 602f68a268..66f277719a 100644
--- a/oap-server/server-receiver-plugin/skywalking-ebpf-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/ebpf/provider/handler/AccessLogServiceHandler.java
+++ b/oap-server/server-receiver-plugin/skywalking-ebpf-receiver-plugin/src/main/java/org/apache/skywalking/oap/server/receiver/ebpf/provider/handler/AccessLogServiceHandler.java
@@ -46,6 +46,7 @@ import org.apache.skywalking.apm.network.ebpf.accesslog.v3.EBPFTimestamp;
 import org.apache.skywalking.apm.network.ebpf.accesslog.v3.IPAddress;
 import org.apache.skywalking.apm.network.ebpf.accesslog.v3.KubernetesProcessAddress;
 import org.apache.skywalking.apm.network.ebpf.accesslog.v3.ZTunnelAttachmentEnvironment;
+import org.apache.skywalking.apm.network.ebpf.accesslog.v3.ZTunnelAttachmentSecurityPolicy;
 import org.apache.skywalking.library.kubernetes.ObjectID;
 import org.apache.skywalking.oap.meter.analyzer.k8s.K8sInfoRegistry;
 import org.apache.skywalking.oap.server.core.Const;
@@ -530,6 +531,34 @@ public class AccessLogServiceHandler extends EBPFAccessLogServiceGrpc.EBPFAccess
 .build();
 }
+ protected int buildConnectionComponentId(ConnectionInfo connectionInfo) {
+ final AccessLogConnection originalConnection = connectionInfo.getOriginalConnection();
+ if (originalConnection.hasAttachment() && originalConnection.getAttachment().hasZTunnel() &&
+ ZTunnelAttachmentSecurityPolicy.MTLS.equals(originalConnection.getAttachment().getZTunnel().getSecurityPolicy())) {
+ return 142; // mTLS
+ }
+ return buildProtocolComponentID(connectionInfo);
+ }
+
+ protected int buildProtocolComponentID(ConnectionInfo connectionInfo) {
+ boolean isTLS = connectionInfo.getTlsMode() == AccessLogConnectionTLSMode.TLS;
+ switch (connectionInfo.getProtocolType()) {
+ case HTTP_1:
+ case HTTP_2:
+ if (isTLS) {
+ return 129; // https
+ }
+ return 49; // http
+ case TCP:
+ if (isTLS) {
+ return 130; // tls
+ }
+ return 110; // tcp
+ }
+ return 0;
+ }
+
+ @Getter
 public class ConnectionInfo {
 private final AccessLogConnection originalConnection;
 private final NamingControl namingControl;
@@ -539,7 +568,6 @@ public class AccessLogServiceHandler extends EBPFAccessLogServiceGrpc.EBPFAccess
 private final AccessLogConnectionTLSMode tlsMode;
 private final AccessLogProtocolType protocolType;
 private final NodeInfo nodeInfo;
- @Getter
 private final boolean valid;
 public ConnectionInfo(NamingControl namingControl, NodeInfo nodeInfo, AccessLogConnection connection) {
@@ -623,7 +651,7 @@ public class AccessLogServiceHandler extends EBPFAccessLogServiceGrpc.EBPFAccess
 serviceRelation.setSourceLayer(Layer.K8S_SERVICE);
 serviceRelation.setDetectPoint(parseToSourceRole());
- serviceRelation.setComponentId(buildComponentId());
+ serviceRelation.setComponentId(buildConnectionComponentId(this));
 serviceRelation.setTlsMode(tlsMode);
 serviceRelation.setDestServiceName(destServiceName);
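Review bot: `buildConnectionComponentId` carries no comment saying that a ztunnel attachment reporting `MTLS` takes precedence over the protocol lookup, so for those connections the component id no longer distinguishes HTTP from TCP and a reader has to work that out from the early return. A short Javadoc would cover it, e.g. `/** Returns the mTLS component id when the connection's ztunnel attachment reports the MTLS security policy; otherwise falls back to the protocol and TLS-mode based id. */`. The value is taken from the access log message as reported, and nothing in the hunk cross-checks it, which is worth saying in the same comment. The bare `142` (like 129/49/130/110 in `buildProtocolComponentID`) would read better as a named constant such as `private static final int COMPONENT_ID_MTLS = 142;`, and the switch would be clearer with an explicit `default:` label documenting that unknown protocols map to 0.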
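Review bot: At the changed `setComponentId(buildConnectionComponentId(this))` call the relation can now carry the mTLS component id while the following `setTlsMode(tlsMode)` still writes the connection's own TLS detection, and the two can disagree — presumably traffic observed before ztunnel encrypts it is still reported as plain. If anything downstream reads `tlsMode` to decide whether a link is encrypted, a ztunnel mTLS link would keep showing as unencrypted. Either derive both fields from one decision or state the split at the call site, e.g. `// tlsMode is the application-level mode; ztunnel mTLS is reflected only in the component id`. The enclosing method starts and ends outside the hunk, so this is based on the visible lines only.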
@@ -682,24 +710,6 @@ public class AccessLogServiceHandler extends EBPFAccessLogServiceGrpc.EBPFAccess
 return endpoint;
 }
- public int buildComponentId() {
- boolean isTLS = tlsMode == AccessLogConnectionTLSMode.TLS;
- switch (protocolType) {
- case HTTP_1:
- case HTTP_2:
- if (isTLS) {
- return 129; // https
- }
- return 49; // http
- case TCP:
- if (isTLS) {
- return 130; // tls
- }
- return 110; // tcp
- }
- return 0;
- }
-
 public org.apache.skywalking.oap.server.core.source.DetectPoint parseToSourceRole() {
 switch (role) {
 case server: