From c1e1f36fd78257f6511ddee13895c7b1be018cf2 Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Tue, 14 Nov 2023 01:38:11 -0500 Subject: [PATCH 1/8] feature/tracing-credentials: adding TLS connection between node and OTEL collector for traces --- core/config/docs/core.toml | 8 ++- core/config/toml/types.go | 15 +++++ core/config/toml/types_test.go | 55 +++++++++++++++++++ core/config/tracing_config.go | 3 +- core/services/chainlink/config_test.go | 4 +- core/services/chainlink/config_tracing.go | 12 ++-- .../services/chainlink/config_tracing_test.go | 4 ++ .../testdata/config-empty-effective.toml | 1 + .../chainlink/testdata/config-full.toml | 1 + .../config-multi-chain-effective.toml | 1 + .../testdata/config-empty-effective.toml | 1 + core/web/resolver/testdata/config-full.toml | 1 + .../config-multi-chain-effective.toml | 1 + docs/CONFIG.md | 19 +++++-- plugins/loop_registry.go | 4 +- plugins/loop_registry_test.go | 10 ++-- testdata/scripts/node/validate/default.txtar | 1 + .../disk-based-logging-disabled.txtar | 1 + .../validate/disk-based-logging-no-dir.txtar | 1 + .../node/validate/disk-based-logging.txtar | 1 + testdata/scripts/node/validate/invalid.txtar | 1 + testdata/scripts/node/validate/valid.txtar | 1 + 22 files changed, 126 insertions(+), 20 deletions(-) diff --git a/core/config/docs/core.toml b/core/config/docs/core.toml index 148de90cd95..27193252798 100644 --- a/core/config/docs/core.toml +++ b/core/config/docs/core.toml @@ -587,13 +587,15 @@ DisableRateLimiting = false # Default # Enabled turns trace collection on or off. On requires an OTEL Tracing Collector. Enabled = false # Default # CollectorTarget is the logical address of the OTEL Tracing Collector. -CollectorTarget = "localhost:4317" # Example +CollectorTarget = 'localhost:4317' # Example # NodeID is an unique name for this node relative to any other node traces are collected for. -NodeID = "NodeID" # Example +NodeID = 'NodeID' # Example # SamplingRatio is the ratio of traces to sample for this node. SamplingRatio = 1.0 # Example +# TLSCertPath is the file path to the TLS certificate used for secure communication with an OTEL Tracing Collector. +TLSCertPath = '/path/to/cert.pem' # Example # Tracing.Attributes are user specified key-value pairs to associate in the context of the traces [Tracing.Attributes] # env is an example user specified key-value pair -env = "test" # Example +env = 'test' # Example diff --git a/core/config/toml/types.go b/core/config/toml/types.go index 61962d43e5f..9165b0197f6 100644 --- a/core/config/toml/types.go +++ b/core/config/toml/types.go @@ -1455,6 +1455,7 @@ type Tracing struct { CollectorTarget *string NodeID *string SamplingRatio *float64 + TLSCertPath *string Attributes map[string]string `toml:",omitempty"` } @@ -1474,6 +1475,9 @@ func (t *Tracing) setFrom(f *Tracing) { if v := f.SamplingRatio; v != nil { t.SamplingRatio = f.SamplingRatio } + if v := f.TLSCertPath; v != nil { + t.TLSCertPath = f.TLSCertPath + } } func (t *Tracing) ValidateConfig() (err error) { @@ -1494,6 +1498,13 @@ func (t *Tracing) ValidateConfig() (err error) { } } + if t.TLSCertPath != nil { + ok := isValidFilePath(*t.TLSCertPath) + if !ok { + err = multierr.Append(err, configutils.ErrInvalid{Name: "TLSCertPath", Value: *t.TLSCertPath, Msg: "must be a valid file path"}) + } + } + return err } @@ -1530,3 +1541,7 @@ func isValidURI(uri string) bool { func isValidHostname(hostname string) bool { return hostnameRegex.MatchString(hostname) } + +func isValidFilePath(path string) bool { + return len(path) > 0 && len(path) < 4096 +} diff --git a/core/config/toml/types_test.go b/core/config/toml/types_test.go index 92aaa024304..b7848008ce9 100644 --- a/core/config/toml/types_test.go +++ b/core/config/toml/types_test.go @@ -309,5 +309,60 @@ func TestTracing_ValidateSamplingRatio(t *testing.T) { } } +func TestTracing_ValidateTLSCertPath(t *testing.T) { + tests := []struct { + name string + tlsCertPath *string + wantErr bool + errMsg string + }{ + { + name: "valid file path", + tlsCertPath: ptr("/etc/ssl/certs/cert.pem"), + wantErr: false, + }, + { + name: "relative file path", + tlsCertPath: ptr("certs/cert.pem"), + wantErr: false, + }, + { + name: "excessively long file path", + tlsCertPath: ptr(strings.Repeat("z", 4097)), + wantErr: true, + errMsg: "TLSCertPath: invalid value (" + strings.Repeat("z", 4097) + "): must be a valid file path", + }, + { + name: "empty file path", + tlsCertPath: ptr(""), + wantErr: true, + errMsg: "TLSCertPath: invalid value (): must be a valid file path", + }, + { + name: "nil file path", + tlsCertPath: nil, + wantErr: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tracing := &Tracing{ + TLSCertPath: tt.tlsCertPath, + Enabled: ptr(true), + } + + err := tracing.ValidateConfig() + + if tt.wantErr { + assert.Error(t, err) + assert.Equal(t, tt.errMsg, err.Error()) + } else { + assert.NoError(t, err) + } + }) + } +} + // ptr is a utility function for converting a value to a pointer to the value. func ptr[T any](t T) *T { return &t } diff --git a/core/config/tracing_config.go b/core/config/tracing_config.go index 28584a9cde4..8576b0edc90 100644 --- a/core/config/tracing_config.go +++ b/core/config/tracing_config.go @@ -4,6 +4,7 @@ type Tracing interface { Enabled() bool CollectorTarget() string NodeID() string - Attributes() map[string]string SamplingRatio() float64 + TLSCertPath() string + Attributes() map[string]string } diff --git a/core/services/chainlink/config_test.go b/core/services/chainlink/config_test.go index 891c0a490fb..92a0eaaebdf 100644 --- a/core/services/chainlink/config_test.go +++ b/core/services/chainlink/config_test.go @@ -227,11 +227,12 @@ func TestConfig_Marshal(t *testing.T) { Enabled: ptr(true), CollectorTarget: ptr("localhost:4317"), NodeID: ptr("clc-ocr-sol-devnet-node-1"), + SamplingRatio: ptr(1.0), + TLSCertPath: ptr("path/to/cert.pem"), Attributes: map[string]string{ "test": "load", "env": "dev", }, - SamplingRatio: ptr(1.0), }, }, } @@ -688,6 +689,7 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 +TLSCertPath = 'path/to/cert.pem' [Tracing.Attributes] env = 'dev' diff --git a/core/services/chainlink/config_tracing.go b/core/services/chainlink/config_tracing.go index 390645974f1..b455cc3ea8c 100644 --- a/core/services/chainlink/config_tracing.go +++ b/core/services/chainlink/config_tracing.go @@ -18,10 +18,14 @@ func (t tracingConfig) NodeID() string { return *t.s.NodeID } -func (t tracingConfig) Attributes() map[string]string { - return t.s.Attributes -} - func (t tracingConfig) SamplingRatio() float64 { return *t.s.SamplingRatio } + +func (t tracingConfig) TLSCertPath() string { + return *t.s.TLSCertPath +} + +func (t tracingConfig) Attributes() map[string]string { + return t.s.Attributes +} diff --git a/core/services/chainlink/config_tracing_test.go b/core/services/chainlink/config_tracing_test.go index 5968bc306a2..47a055dbe46 100644 --- a/core/services/chainlink/config_tracing_test.go +++ b/core/services/chainlink/config_tracing_test.go @@ -14,12 +14,14 @@ func TestTracing_Config(t *testing.T) { collectorTarget := "http://localhost:9000" nodeID := "Node1" samplingRatio := 0.5 + tlsCertPath := "/path/to/cert.pem" attributes := map[string]string{"key": "value"} tracing := toml.Tracing{ Enabled: &enabled, CollectorTarget: &collectorTarget, NodeID: &nodeID, SamplingRatio: &samplingRatio, + TLSCertPath: &tlsCertPath, Attributes: attributes, } tConfig := tracingConfig{s: tracing} @@ -28,6 +30,7 @@ func TestTracing_Config(t *testing.T) { assert.Equal(t, "http://localhost:9000", tConfig.CollectorTarget()) assert.Equal(t, "Node1", tConfig.NodeID()) assert.Equal(t, 0.5, tConfig.SamplingRatio()) + assert.Equal(t, "/path/to/cert.pem", tConfig.TLSCertPath()) assert.Equal(t, map[string]string{"key": "value"}, tConfig.Attributes()) // Test when all fields are nil @@ -38,5 +41,6 @@ func TestTracing_Config(t *testing.T) { assert.Panics(t, func() { nilConfig.CollectorTarget() }) assert.Panics(t, func() { nilConfig.NodeID() }) assert.Panics(t, func() { nilConfig.SamplingRatio() }) + assert.Panics(t, func() { nilConfig.TLSCertPath() }) assert.Nil(t, nilConfig.Attributes()) } diff --git a/core/services/chainlink/testdata/config-empty-effective.toml b/core/services/chainlink/testdata/config-empty-effective.toml index b897fba7f10..3e1b9edf6dc 100644 --- a/core/services/chainlink/testdata/config-empty-effective.toml +++ b/core/services/chainlink/testdata/config-empty-effective.toml @@ -232,3 +232,4 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' diff --git a/core/services/chainlink/testdata/config-full.toml b/core/services/chainlink/testdata/config-full.toml index 531c98d7344..bfbb2be1432 100644 --- a/core/services/chainlink/testdata/config-full.toml +++ b/core/services/chainlink/testdata/config-full.toml @@ -238,6 +238,7 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 +TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] env = 'dev' diff --git a/core/services/chainlink/testdata/config-multi-chain-effective.toml b/core/services/chainlink/testdata/config-multi-chain-effective.toml index c743601ced8..e4c49b99c35 100644 --- a/core/services/chainlink/testdata/config-multi-chain-effective.toml +++ b/core/services/chainlink/testdata/config-multi-chain-effective.toml @@ -232,6 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/core/web/resolver/testdata/config-empty-effective.toml b/core/web/resolver/testdata/config-empty-effective.toml index b897fba7f10..3e1b9edf6dc 100644 --- a/core/web/resolver/testdata/config-empty-effective.toml +++ b/core/web/resolver/testdata/config-empty-effective.toml @@ -232,3 +232,4 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' diff --git a/core/web/resolver/testdata/config-full.toml b/core/web/resolver/testdata/config-full.toml index 6cd6eaabc3c..4ff5dc10253 100644 --- a/core/web/resolver/testdata/config-full.toml +++ b/core/web/resolver/testdata/config-full.toml @@ -238,6 +238,7 @@ Enabled = false CollectorTarget = 'localhost:4317' NodeID = 'NodeID' SamplingRatio = 1.0 +TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] env = 'dev' diff --git a/core/web/resolver/testdata/config-multi-chain-effective.toml b/core/web/resolver/testdata/config-multi-chain-effective.toml index c743601ced8..e4c49b99c35 100644 --- a/core/web/resolver/testdata/config-multi-chain-effective.toml +++ b/core/web/resolver/testdata/config-multi-chain-effective.toml @@ -232,6 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/docs/CONFIG.md b/docs/CONFIG.md index 5b93c7061e8..26ca336a330 100644 --- a/docs/CONFIG.md +++ b/docs/CONFIG.md @@ -1595,9 +1595,10 @@ DisableRateLimiting skips ratelimiting on asset requests. ```toml [Tracing] Enabled = false # Default -CollectorTarget = "localhost:4317" # Example -NodeID = "NodeID" # Example +CollectorTarget = 'localhost:4317' # Example +NodeID = 'NodeID' # Example SamplingRatio = 1.0 # Example +TLSCertPath = '/path/to/cert.pem' # Example ``` @@ -1609,13 +1610,13 @@ Enabled turns trace collection on or off. On requires an OTEL Tracing Collector. ### CollectorTarget ```toml -CollectorTarget = "localhost:4317" # Example +CollectorTarget = 'localhost:4317' # Example ``` CollectorTarget is the logical address of the OTEL Tracing Collector. ### NodeID ```toml -NodeID = "NodeID" # Example +NodeID = 'NodeID' # Example ``` NodeID is an unique name for this node relative to any other node traces are collected for. @@ -1625,16 +1626,22 @@ SamplingRatio = 1.0 # Example ``` SamplingRatio is the ratio of traces to sample for this node. +### TLSCertPath +```toml +TLSCertPath = '/path/to/cert.pem' # Example +``` +TLSCertPath is the file path to the TLS certificate used for secure communication with an OTEL Tracing Collector. + ## Tracing.Attributes ```toml [Tracing.Attributes] -env = "test" # Example +env = 'test' # Example ``` Tracing.Attributes are user specified key-value pairs to associate in the context of the traces ### env ```toml -env = "test" # Example +env = 'test' # Example ``` env is an example user specified key-value pair diff --git a/plugins/loop_registry.go b/plugins/loop_registry.go index 17ad7cba5ad..3e4abaf613c 100644 --- a/plugins/loop_registry.go +++ b/plugins/loop_registry.go @@ -55,8 +55,10 @@ func (m *LoopRegistry) Register(id string) (*RegisteredLoop, error) { if m.cfgTracing != nil { envCfg.TracingEnabled = m.cfgTracing.Enabled() envCfg.TracingCollectorTarget = m.cfgTracing.CollectorTarget() - envCfg.TracingAttributes = m.cfgTracing.Attributes() envCfg.TracingSamplingRatio = m.cfgTracing.SamplingRatio() + envCfg.TracingTLSCertPath = m.cfgTracing.TLSCertPath() + envCfg.TracingAttributes = m.cfgTracing.Attributes() + } m.registry[id] = &RegisteredLoop{Name: id, EnvCfg: envCfg} diff --git a/plugins/loop_registry_test.go b/plugins/loop_registry_test.go index b5da9154b68..8a75e4476f6 100644 --- a/plugins/loop_registry_test.go +++ b/plugins/loop_registry_test.go @@ -29,13 +29,14 @@ func TestPluginPortManager(t *testing.T) { // Mock tracing config type MockCfgTracing struct{} -func (m *MockCfgTracing) Enabled() bool { return true } -func (m *MockCfgTracing) CollectorTarget() string { return "http://localhost:9000" } func (m *MockCfgTracing) Attributes() map[string]string { return map[string]string{"attribute": "value"} } -func (m *MockCfgTracing) SamplingRatio() float64 { return 0.1 } -func (m *MockCfgTracing) NodeID() string { return "" } +func (m *MockCfgTracing) Enabled() bool { return true } +func (m *MockCfgTracing) NodeID() string { return "" } +func (m *MockCfgTracing) CollectorTarget() string { return "http://localhost:9000" } +func (m *MockCfgTracing) SamplingRatio() float64 { return 0.1 } +func (m *MockCfgTracing) TLSCertPath() string { return "path/to/cert.pem" } func TestLoopRegistry_Register(t *testing.T) { mockCfgTracing := &MockCfgTracing{} @@ -56,4 +57,5 @@ func TestLoopRegistry_Register(t *testing.T) { require.Equal(t, "http://localhost:9000", registeredLoop.EnvCfg.TracingCollectorTarget) require.Equal(t, map[string]string{"attribute": "value"}, registeredLoop.EnvCfg.TracingAttributes) require.Equal(t, 0.1, registeredLoop.EnvCfg.TracingSamplingRatio) + require.Equal(t, "path/to/cert.pem", registeredLoop.EnvCfg.TracingTLSCertPath) } diff --git a/testdata/scripts/node/validate/default.txtar b/testdata/scripts/node/validate/default.txtar index 01e96ac944d..4b5cef7a047 100644 --- a/testdata/scripts/node/validate/default.txtar +++ b/testdata/scripts/node/validate/default.txtar @@ -244,6 +244,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' Invalid configuration: invalid secrets: 2 errors: - Database.URL: empty: must be provided and non-empty diff --git a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar index 1f6901e9ffd..4e47a7b4339 100644 --- a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar index 4c1a1c75fc3..79d7278e27b 100644 --- a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/testdata/scripts/node/validate/disk-based-logging.txtar b/testdata/scripts/node/validate/disk-based-logging.txtar index 536b7d8ac08..a03344f28de 100644 --- a/testdata/scripts/node/validate/disk-based-logging.txtar +++ b/testdata/scripts/node/validate/disk-based-logging.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/testdata/scripts/node/validate/invalid.txtar b/testdata/scripts/node/validate/invalid.txtar index 89f59574fcc..4e1ea61b75e 100644 --- a/testdata/scripts/node/validate/invalid.txtar +++ b/testdata/scripts/node/validate/invalid.txtar @@ -278,6 +278,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' diff --git a/testdata/scripts/node/validate/valid.txtar b/testdata/scripts/node/validate/valid.txtar index 2d32b39a644..63c4991461b 100644 --- a/testdata/scripts/node/validate/valid.txtar +++ b/testdata/scripts/node/validate/valid.txtar @@ -285,6 +285,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +TLSCertPath = '' [[EVM]] ChainID = '1' From c05175d5f7efd2bb4f75f6c4d0a64ee3e2a91012 Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Tue, 14 Nov 2023 18:01:42 -0500 Subject: [PATCH 2/8] feature/tracing-credentials: adding Tracing.Mode to configure insecure credentials explicitly --- GNUmakefile | 8 ++- core/config/docs/core.toml | 2 + core/config/toml/types.go | 22 +++++++ core/config/toml/types_test.go | 63 +++++++++++++++++++ core/config/tracing_config.go | 1 + core/services/chainlink/config_test.go | 6 +- core/services/chainlink/config_tracing.go | 4 ++ .../services/chainlink/config_tracing_test.go | 4 ++ .../testdata/config-empty-effective.toml | 1 + .../chainlink/testdata/config-full.toml | 1 + .../config-multi-chain-effective.toml | 1 + core/utils/config/validate.go | 2 + core/web/assets/index.html | 1 + .../testdata/config-empty-effective.toml | 1 + core/web/resolver/testdata/config-full.toml | 1 + .../config-multi-chain-effective.toml | 1 + docs/CONFIG.md | 7 +++ integration-tests/types/config/node/core.go | 5 +- plugins/loop_registry.go | 1 - plugins/loop_registry_test.go | 5 +- testdata/scripts/node/db/help.txtar | 2 +- testdata/scripts/node/validate/default.txtar | 1 + .../disk-based-logging-disabled.txtar | 1 + .../validate/disk-based-logging-no-dir.txtar | 1 + .../node/validate/disk-based-logging.txtar | 1 + testdata/scripts/node/validate/invalid.txtar | 1 + testdata/scripts/node/validate/valid.txtar | 1 + testdata/scripts/node/validate/warnings.txtar | 2 + 28 files changed, 136 insertions(+), 11 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 2801f949682..603fd6d0a8c 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -90,15 +90,17 @@ generate: abigen codecgen mockery ## Execute all go:generate commands. go generate -x ./... .PHONY: testscripts -testscripts: chainlink-test ## Install and run testscript against testdata/scripts/* files. +testscripts: install-chainlink ## Install and run testscript against testdata/scripts/* files. go install github.com/rogpeppe/go-internal/cmd/testscript@latest - go run ./tools/txtar/cmd/lstxtardirs -recurse=true | PATH="$(CURDIR):${PATH}" xargs -I % \ - sh -c 'testscript -e COMMIT_SHA=$(COMMIT_SHA) -e HOME="$(TMPDIR)/home" -e VERSION=$(VERSION) $(TS_FLAGS) %/*.txtar' + go run ./tools/txtar/cmd/lstxtardirs -recurse=true | while read -r dir; do \ + testscript -e COMMIT_SHA=$(COMMIT_SHA) -e HOME="$(TMPDIR)/home" -e VERSION=$(VERSION) $(TS_FLAGS) "$$dir"/*.txtar; \ + done .PHONY: testscripts-update testscripts-update: ## Update testdata/scripts/* files via testscript. make testscripts TS_FLAGS="-u" + .PHONY: testdb testdb: ## Prepares the test database. go run . local db preparetest diff --git a/core/config/docs/core.toml b/core/config/docs/core.toml index 27193252798..e6862a35b9e 100644 --- a/core/config/docs/core.toml +++ b/core/config/docs/core.toml @@ -592,6 +592,8 @@ CollectorTarget = 'localhost:4317' # Example NodeID = 'NodeID' # Example # SamplingRatio is the ratio of traces to sample for this node. SamplingRatio = 1.0 # Example +# Mode is a string value. 'secure' or 'insecure' are the only values allowed. If set to 'insecure', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. +Mode = 'secure' # Default # TLSCertPath is the file path to the TLS certificate used for secure communication with an OTEL Tracing Collector. TLSCertPath = '/path/to/cert.pem' # Example diff --git a/core/config/toml/types.go b/core/config/toml/types.go index 9165b0197f6..5235deb759a 100644 --- a/core/config/toml/types.go +++ b/core/config/toml/types.go @@ -1455,6 +1455,7 @@ type Tracing struct { CollectorTarget *string NodeID *string SamplingRatio *float64 + Mode *string TLSCertPath *string Attributes map[string]string `toml:",omitempty"` } @@ -1475,6 +1476,9 @@ func (t *Tracing) setFrom(f *Tracing) { if v := f.SamplingRatio; v != nil { t.SamplingRatio = f.SamplingRatio } + if v := f.Mode; v != nil { + t.Mode = f.Mode + } if v := f.TLSCertPath; v != nil { t.TLSCertPath = f.TLSCertPath } @@ -1505,6 +1509,24 @@ func (t *Tracing) ValidateConfig() (err error) { } } + if t.Mode != nil { + switch *t.Mode { + case "secure": + // TLSCertPath must be set + if t.TLSCertPath == nil { + err = multierr.Append(err, configutils.ErrMissing{Name: "TLSCertPath", Msg: "must be set when Tracing.Mode is secure"}) + } + case "insecure": + // TLSCertPath must not be set + if t.TLSCertPath != nil { + err = multierr.Append(err, configutils.ErrIncluded{Name: "TLSCertPath", Msg: "must not be set when Tracing.Mode is insecure"}) + } + default: + // Mode must be either "secure" or "insecure" + err = multierr.Append(err, configutils.ErrInvalid{Name: "Mode", Value: *t.Mode, Msg: "must be either 'secure' or 'insecure'"}) + } + } + return err } diff --git a/core/config/toml/types_test.go b/core/config/toml/types_test.go index b7848008ce9..47e96ab9a73 100644 --- a/core/config/toml/types_test.go +++ b/core/config/toml/types_test.go @@ -364,5 +364,68 @@ func TestTracing_ValidateTLSCertPath(t *testing.T) { } } +func TestTracing_ValidateMode(t *testing.T) { + tests := []struct { + name string + mode *string + tlsCertPath *string + wantErr bool + errMsg string + }{ + { + name: "secure mode with valid TLS path", + mode: ptr("secure"), + tlsCertPath: ptr("/path/to/cert.pem"), + wantErr: false, + }, + { + name: "secure mode without TLS path", + mode: ptr("secure"), + tlsCertPath: nil, + wantErr: true, + errMsg: "TLSCertPath: missing: must be set when Tracing.Mode is secure", + }, + { + name: "insecure mode with TLS path", + mode: ptr("insecure"), + tlsCertPath: ptr("/path/to/cert.pem"), + wantErr: true, + errMsg: "TLSCertPath: included: must not be set when Tracing.Mode is insecure", + }, + { + name: "insecure mode without TLS path", + mode: ptr("insecure"), + tlsCertPath: nil, + wantErr: false, + }, + { + name: "invalid mode", + mode: ptr("unknown"), + tlsCertPath: nil, + wantErr: true, + errMsg: "Mode: invalid value (unknown): must be either 'secure' or 'insecure'", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tracing := &Tracing{ + Enabled: ptr(true), + Mode: tt.mode, + TLSCertPath: tt.tlsCertPath, + } + + err := tracing.ValidateConfig() + + if tt.wantErr { + assert.Error(t, err) + assert.Equal(t, tt.errMsg, err.Error()) + } else { + assert.NoError(t, err) + } + }) + } +} + // ptr is a utility function for converting a value to a pointer to the value. func ptr[T any](t T) *T { return &t } diff --git a/core/config/tracing_config.go b/core/config/tracing_config.go index 8576b0edc90..307a010c486 100644 --- a/core/config/tracing_config.go +++ b/core/config/tracing_config.go @@ -6,5 +6,6 @@ type Tracing interface { NodeID() string SamplingRatio() float64 TLSCertPath() string + Mode() string Attributes() map[string]string } diff --git a/core/services/chainlink/config_test.go b/core/services/chainlink/config_test.go index 92a0eaaebdf..0c963294c4f 100644 --- a/core/services/chainlink/config_test.go +++ b/core/services/chainlink/config_test.go @@ -228,7 +228,8 @@ func TestConfig_Marshal(t *testing.T) { CollectorTarget: ptr("localhost:4317"), NodeID: ptr("clc-ocr-sol-devnet-node-1"), SamplingRatio: ptr(1.0), - TLSCertPath: ptr("path/to/cert.pem"), + Mode: ptr("secure"), + TLSCertPath: ptr("/path/to/cert.pem"), Attributes: map[string]string{ "test": "load", "env": "dev", @@ -689,7 +690,8 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 -TLSCertPath = 'path/to/cert.pem' +Mode = 'secure' +TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] env = 'dev' diff --git a/core/services/chainlink/config_tracing.go b/core/services/chainlink/config_tracing.go index b455cc3ea8c..36d09ae0564 100644 --- a/core/services/chainlink/config_tracing.go +++ b/core/services/chainlink/config_tracing.go @@ -22,6 +22,10 @@ func (t tracingConfig) SamplingRatio() float64 { return *t.s.SamplingRatio } +func (t tracingConfig) Mode() string { + return *t.s.Mode +} + func (t tracingConfig) TLSCertPath() string { return *t.s.TLSCertPath } diff --git a/core/services/chainlink/config_tracing_test.go b/core/services/chainlink/config_tracing_test.go index 47a055dbe46..61a68a2305c 100644 --- a/core/services/chainlink/config_tracing_test.go +++ b/core/services/chainlink/config_tracing_test.go @@ -14,6 +14,7 @@ func TestTracing_Config(t *testing.T) { collectorTarget := "http://localhost:9000" nodeID := "Node1" samplingRatio := 0.5 + mode := "secure" tlsCertPath := "/path/to/cert.pem" attributes := map[string]string{"key": "value"} tracing := toml.Tracing{ @@ -21,6 +22,7 @@ func TestTracing_Config(t *testing.T) { CollectorTarget: &collectorTarget, NodeID: &nodeID, SamplingRatio: &samplingRatio, + Mode: &mode, TLSCertPath: &tlsCertPath, Attributes: attributes, } @@ -30,6 +32,7 @@ func TestTracing_Config(t *testing.T) { assert.Equal(t, "http://localhost:9000", tConfig.CollectorTarget()) assert.Equal(t, "Node1", tConfig.NodeID()) assert.Equal(t, 0.5, tConfig.SamplingRatio()) + assert.Equal(t, "secure", tConfig.Mode()) assert.Equal(t, "/path/to/cert.pem", tConfig.TLSCertPath()) assert.Equal(t, map[string]string{"key": "value"}, tConfig.Attributes()) @@ -41,6 +44,7 @@ func TestTracing_Config(t *testing.T) { assert.Panics(t, func() { nilConfig.CollectorTarget() }) assert.Panics(t, func() { nilConfig.NodeID() }) assert.Panics(t, func() { nilConfig.SamplingRatio() }) + assert.Panics(t, func() { nilConfig.Mode() }) assert.Panics(t, func() { nilConfig.TLSCertPath() }) assert.Nil(t, nilConfig.Attributes()) } diff --git a/core/services/chainlink/testdata/config-empty-effective.toml b/core/services/chainlink/testdata/config-empty-effective.toml index 3e1b9edf6dc..7b05e8d0d2b 100644 --- a/core/services/chainlink/testdata/config-empty-effective.toml +++ b/core/services/chainlink/testdata/config-empty-effective.toml @@ -232,4 +232,5 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' diff --git a/core/services/chainlink/testdata/config-full.toml b/core/services/chainlink/testdata/config-full.toml index bfbb2be1432..8691954c1b6 100644 --- a/core/services/chainlink/testdata/config-full.toml +++ b/core/services/chainlink/testdata/config-full.toml @@ -238,6 +238,7 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 +Mode = 'secure' TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] diff --git a/core/services/chainlink/testdata/config-multi-chain-effective.toml b/core/services/chainlink/testdata/config-multi-chain-effective.toml index e4c49b99c35..3bfdeaf7c58 100644 --- a/core/services/chainlink/testdata/config-multi-chain-effective.toml +++ b/core/services/chainlink/testdata/config-multi-chain-effective.toml @@ -232,6 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/core/utils/config/validate.go b/core/utils/config/validate.go index 5fbae24ad53..e30d356dade 100644 --- a/core/utils/config/validate.go +++ b/core/utils/config/validate.go @@ -137,6 +137,8 @@ type ErrMissing = config.ErrMissing type ErrEmpty = config.ErrEmpty +type ErrIncluded = config.ErrIncluded + // UniqueStrings is a helper for tracking unique values in string form. type UniqueStrings = config.UniqueStrings diff --git a/core/web/assets/index.html b/core/web/assets/index.html index e69de29bb2d..601453b4eac 100644 --- a/core/web/assets/index.html +++ b/core/web/assets/index.html @@ -0,0 +1 @@ +Operator UIChainlink
\ No newline at end of file diff --git a/core/web/resolver/testdata/config-empty-effective.toml b/core/web/resolver/testdata/config-empty-effective.toml index 3e1b9edf6dc..7b05e8d0d2b 100644 --- a/core/web/resolver/testdata/config-empty-effective.toml +++ b/core/web/resolver/testdata/config-empty-effective.toml @@ -232,4 +232,5 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' diff --git a/core/web/resolver/testdata/config-full.toml b/core/web/resolver/testdata/config-full.toml index 4ff5dc10253..5018c3d3909 100644 --- a/core/web/resolver/testdata/config-full.toml +++ b/core/web/resolver/testdata/config-full.toml @@ -238,6 +238,7 @@ Enabled = false CollectorTarget = 'localhost:4317' NodeID = 'NodeID' SamplingRatio = 1.0 +Mode = 'secure' TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] diff --git a/core/web/resolver/testdata/config-multi-chain-effective.toml b/core/web/resolver/testdata/config-multi-chain-effective.toml index e4c49b99c35..3bfdeaf7c58 100644 --- a/core/web/resolver/testdata/config-multi-chain-effective.toml +++ b/core/web/resolver/testdata/config-multi-chain-effective.toml @@ -232,6 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/docs/CONFIG.md b/docs/CONFIG.md index 26ca336a330..7cdcd0988e4 100644 --- a/docs/CONFIG.md +++ b/docs/CONFIG.md @@ -1598,6 +1598,7 @@ Enabled = false # Default CollectorTarget = 'localhost:4317' # Example NodeID = 'NodeID' # Example SamplingRatio = 1.0 # Example +Mode = 'secure' # Default TLSCertPath = '/path/to/cert.pem' # Example ``` @@ -1626,6 +1627,12 @@ SamplingRatio = 1.0 # Example ``` SamplingRatio is the ratio of traces to sample for this node. +### Mode +```toml +Mode = 'secure' # Default +``` +Mode is a string value. 'secure' or 'insecure' are the only values allowed. If set to 'insecure', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. + ### TLSCertPath ```toml TLSCertPath = '/path/to/cert.pem' # Example diff --git a/integration-tests/types/config/node/core.go b/integration-tests/types/config/node/core.go index ad85506a04c..ae80f143ebd 100644 --- a/integration-tests/types/config/node/core.go +++ b/integration-tests/types/config/node/core.go @@ -138,11 +138,12 @@ func WithTracing() NodeConfigOpt { Enabled: ptr.Ptr(true), CollectorTarget: ptr.Ptr("otel-collector:4317"), // ksortable unique id - NodeID: ptr.Ptr(ksuid.New().String()), + NodeID: ptr.Ptr(ksuid.New().String()), + SamplingRatio: ptr.Ptr(1.0), + Mode: ptr.Ptr("insecure"), Attributes: map[string]string{ "env": "smoke", }, - SamplingRatio: ptr.Ptr(1.0), } } } diff --git a/plugins/loop_registry.go b/plugins/loop_registry.go index 3e4abaf613c..7a5274803d6 100644 --- a/plugins/loop_registry.go +++ b/plugins/loop_registry.go @@ -58,7 +58,6 @@ func (m *LoopRegistry) Register(id string) (*RegisteredLoop, error) { envCfg.TracingSamplingRatio = m.cfgTracing.SamplingRatio() envCfg.TracingTLSCertPath = m.cfgTracing.TLSCertPath() envCfg.TracingAttributes = m.cfgTracing.Attributes() - } m.registry[id] = &RegisteredLoop{Name: id, EnvCfg: envCfg} diff --git a/plugins/loop_registry_test.go b/plugins/loop_registry_test.go index 8a75e4476f6..c096c239321 100644 --- a/plugins/loop_registry_test.go +++ b/plugins/loop_registry_test.go @@ -36,7 +36,8 @@ func (m *MockCfgTracing) Enabled() bool { return true } func (m *MockCfgTracing) NodeID() string { return "" } func (m *MockCfgTracing) CollectorTarget() string { return "http://localhost:9000" } func (m *MockCfgTracing) SamplingRatio() float64 { return 0.1 } -func (m *MockCfgTracing) TLSCertPath() string { return "path/to/cert.pem" } +func (m *MockCfgTracing) TLSCertPath() string { return "/path/to/cert.pem" } +func (m *MockCfgTracing) Mode() string { return "secure" } func TestLoopRegistry_Register(t *testing.T) { mockCfgTracing := &MockCfgTracing{} @@ -57,5 +58,5 @@ func TestLoopRegistry_Register(t *testing.T) { require.Equal(t, "http://localhost:9000", registeredLoop.EnvCfg.TracingCollectorTarget) require.Equal(t, map[string]string{"attribute": "value"}, registeredLoop.EnvCfg.TracingAttributes) require.Equal(t, 0.1, registeredLoop.EnvCfg.TracingSamplingRatio) - require.Equal(t, "path/to/cert.pem", registeredLoop.EnvCfg.TracingTLSCertPath) + require.Equal(t, "/path/to/cert.pem", registeredLoop.EnvCfg.TracingTLSCertPath) } diff --git a/testdata/scripts/node/db/help.txtar b/testdata/scripts/node/db/help.txtar index ccdf3431786..4f2fe3e0767 100644 --- a/testdata/scripts/node/db/help.txtar +++ b/testdata/scripts/node/db/help.txtar @@ -20,4 +20,4 @@ COMMANDS: OPTIONS: --help, -h show help - + \ No newline at end of file diff --git a/testdata/scripts/node/validate/default.txtar b/testdata/scripts/node/validate/default.txtar index 4b5cef7a047..33e7e3208e7 100644 --- a/testdata/scripts/node/validate/default.txtar +++ b/testdata/scripts/node/validate/default.txtar @@ -244,6 +244,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' Invalid configuration: invalid secrets: 2 errors: diff --git a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar index 4e47a7b4339..9bbe9e0f5b4 100644 --- a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar index 79d7278e27b..774881a92b7 100644 --- a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/disk-based-logging.txtar b/testdata/scripts/node/validate/disk-based-logging.txtar index a03344f28de..7cc32453735 100644 --- a/testdata/scripts/node/validate/disk-based-logging.txtar +++ b/testdata/scripts/node/validate/disk-based-logging.txtar @@ -288,6 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/invalid.txtar b/testdata/scripts/node/validate/invalid.txtar index 4e1ea61b75e..e510a489e25 100644 --- a/testdata/scripts/node/validate/invalid.txtar +++ b/testdata/scripts/node/validate/invalid.txtar @@ -278,6 +278,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/valid.txtar b/testdata/scripts/node/validate/valid.txtar index 63c4991461b..27f11e366ac 100644 --- a/testdata/scripts/node/validate/valid.txtar +++ b/testdata/scripts/node/validate/valid.txtar @@ -285,6 +285,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/warnings.txtar b/testdata/scripts/node/validate/warnings.txtar index e478203e00e..9c7fb8428a8 100644 --- a/testdata/scripts/node/validate/warnings.txtar +++ b/testdata/scripts/node/validate/warnings.txtar @@ -281,6 +281,8 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 +Mode = 'secure' +TLSCertPath = '' # Configuration warning: 2 errors: From 93b020ef836e61b064863750ee4f4e84f2b0a369 Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Wed, 15 Nov 2023 13:02:02 -0500 Subject: [PATCH 3/8] feature/tracing-credentials: relaxing conditions for Tracing.Mode and Tracing.TLSCertPath --- core/config/toml/types.go | 17 +++---- core/config/toml/types_test.go | 56 ++++++++++++++++++++--- core/services/chainlink/config.go | 20 ++++++++ core/services/chainlink/config_general.go | 2 +- core/utils/config/validate.go | 2 - core/web/assets/index.html | 1 - 6 files changed, 77 insertions(+), 21 deletions(-) diff --git a/core/config/toml/types.go b/core/config/toml/types.go index 5235deb759a..887ee732660 100644 --- a/core/config/toml/types.go +++ b/core/config/toml/types.go @@ -1502,25 +1502,20 @@ func (t *Tracing) ValidateConfig() (err error) { } } - if t.TLSCertPath != nil { - ok := isValidFilePath(*t.TLSCertPath) - if !ok { - err = multierr.Append(err, configutils.ErrInvalid{Name: "TLSCertPath", Value: *t.TLSCertPath, Msg: "must be a valid file path"}) - } - } - if t.Mode != nil { switch *t.Mode { case "secure": // TLSCertPath must be set if t.TLSCertPath == nil { err = multierr.Append(err, configutils.ErrMissing{Name: "TLSCertPath", Msg: "must be set when Tracing.Mode is secure"}) + } else { + ok := isValidFilePath(*t.TLSCertPath) + if !ok { + err = multierr.Append(err, configutils.ErrInvalid{Name: "TLSCertPath", Value: *t.TLSCertPath, Msg: "must be a valid file path"}) + } } case "insecure": - // TLSCertPath must not be set - if t.TLSCertPath != nil { - err = multierr.Append(err, configutils.ErrIncluded{Name: "TLSCertPath", Msg: "must not be set when Tracing.Mode is insecure"}) - } + // no-op default: // Mode must be either "secure" or "insecure" err = multierr.Append(err, configutils.ErrInvalid{Name: "Mode", Value: *t.Mode, Msg: "must be either 'secure' or 'insecure'"}) diff --git a/core/config/toml/types_test.go b/core/config/toml/types_test.go index 47e96ab9a73..a9232c5b830 100644 --- a/core/config/toml/types_test.go +++ b/core/config/toml/types_test.go @@ -310,7 +310,8 @@ func TestTracing_ValidateSamplingRatio(t *testing.T) { } func TestTracing_ValidateTLSCertPath(t *testing.T) { - tests := []struct { + // tests for Tracing.Mode = 'secure' + secure_tests := []struct { name string tlsCertPath *string wantErr bool @@ -338,16 +339,60 @@ func TestTracing_ValidateTLSCertPath(t *testing.T) { wantErr: true, errMsg: "TLSCertPath: invalid value (): must be a valid file path", }, + } + + // tests for Tracing.Mode = 'insecure' + insecure_tests := []struct { + name string + tlsCertPath *string + wantErr bool + errMsg string + }{ { - name: "nil file path", - tlsCertPath: nil, + name: "valid file path", + tlsCertPath: ptr("/etc/ssl/certs/cert.pem"), + wantErr: false, + }, + { + name: "relative file path", + tlsCertPath: ptr("certs/cert.pem"), + wantErr: false, + }, + { + name: "excessively long file path", + tlsCertPath: ptr(strings.Repeat("z", 4097)), + wantErr: false, + }, + { + name: "empty file path", + tlsCertPath: ptr(""), wantErr: false, }, } - for _, tt := range tests { + for _, tt := range secure_tests { t.Run(tt.name, func(t *testing.T) { tracing := &Tracing{ + Mode: ptr("secure"), + TLSCertPath: tt.tlsCertPath, + Enabled: ptr(true), + } + + err := tracing.ValidateConfig() + + if tt.wantErr { + assert.Error(t, err) + assert.Equal(t, tt.errMsg, err.Error()) + } else { + assert.NoError(t, err) + } + }) + } + + for _, tt := range insecure_tests { + t.Run(tt.name, func(t *testing.T) { + tracing := &Tracing{ + Mode: ptr("insecure"), TLSCertPath: tt.tlsCertPath, Enabled: ptr(true), } @@ -389,8 +434,7 @@ func TestTracing_ValidateMode(t *testing.T) { name: "insecure mode with TLS path", mode: ptr("insecure"), tlsCertPath: ptr("/path/to/cert.pem"), - wantErr: true, - errMsg: "TLSCertPath: included: must not be set when Tracing.Mode is insecure", + wantErr: false, }, { name: "insecure mode without TLS path", diff --git a/core/services/chainlink/config.go b/core/services/chainlink/config.go index 10598718f97..8c2fa58d44e 100644 --- a/core/services/chainlink/config.go +++ b/core/services/chainlink/config.go @@ -52,6 +52,26 @@ func (c *Config) TOMLString() (string, error) { return string(b), nil } +// warnings aggregates warnings from valueWarnings and deprecationWarnings +func (c *Config) warnings() (err error) { + _, warning := utils.MultiErrorList(c.deprecationWarnings()) + err = c.valueWarnings() + err = multierr.Append(warning, err) + return +} + +// valueWarnings returns an error if the Config contains values that hint at misconfiguration before defaults are applied. +func (c *Config) valueWarnings() (err error) { + if c.Tracing.Enabled != nil && *c.Tracing.Enabled { + if c.Tracing.Mode != nil && *c.Tracing.Mode == "insecure" { + if c.Tracing.TLSCertPath != nil { + err = multierr.Append(err, config.ErrInvalid{Name: "Tracing.TLSCertPath", Value: *c.Tracing.TLSCertPath, Msg: "must be empty when Tracing.Mode is 'insecure'"}) + } + } + } + return +} + // deprecationWarnings returns an error if the Config contains deprecated fields. // This is typically used before defaults have been applied, with input from the user. func (c *Config) deprecationWarnings() (err error) { diff --git a/core/services/chainlink/config_general.go b/core/services/chainlink/config_general.go index 6a835e09c89..fff7822a814 100644 --- a/core/services/chainlink/config_general.go +++ b/core/services/chainlink/config_general.go @@ -137,7 +137,7 @@ func (o GeneralConfigOpts) New() (GeneralConfig, error) { return nil, err } - _, warning := utils.MultiErrorList(o.Config.deprecationWarnings()) + _, warning := utils.MultiErrorList(o.Config.warnings()) o.Config.setDefaults() if !o.SkipEnv { diff --git a/core/utils/config/validate.go b/core/utils/config/validate.go index e30d356dade..5fbae24ad53 100644 --- a/core/utils/config/validate.go +++ b/core/utils/config/validate.go @@ -137,8 +137,6 @@ type ErrMissing = config.ErrMissing type ErrEmpty = config.ErrEmpty -type ErrIncluded = config.ErrIncluded - // UniqueStrings is a helper for tracking unique values in string form. type UniqueStrings = config.UniqueStrings diff --git a/core/web/assets/index.html b/core/web/assets/index.html index 601453b4eac..e69de29bb2d 100644 --- a/core/web/assets/index.html +++ b/core/web/assets/index.html @@ -1 +0,0 @@ -Operator UIChainlink
\ No newline at end of file From 772b229b1a7928cb86fb0c0ef112d19757831725 Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Wed, 15 Nov 2023 16:04:31 -0500 Subject: [PATCH 4/8] feature/tracing-credentials: moving make file changes to a separate PR --- GNUmakefile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 603fd6d0a8c..1201361c4e9 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -90,17 +90,15 @@ generate: abigen codecgen mockery ## Execute all go:generate commands. go generate -x ./... .PHONY: testscripts -testscripts: install-chainlink ## Install and run testscript against testdata/scripts/* files. +testscripts: chainlink-test ## Install and run testscript against testdata/scripts/* files. go install github.com/rogpeppe/go-internal/cmd/testscript@latest - go run ./tools/txtar/cmd/lstxtardirs -recurse=true | while read -r dir; do \ - testscript -e COMMIT_SHA=$(COMMIT_SHA) -e HOME="$(TMPDIR)/home" -e VERSION=$(VERSION) $(TS_FLAGS) "$$dir"/*.txtar; \ - done + go run ./tools/txtar/cmd/lstxtardirs -recurse=true | PATH="$(CURDIR):${PATH}" xargs -I % \ + sh -c 'testscript -e COMMIT_SHA=$(COMMIT_SHA) -e HOME="$(TMPDIR)/home" -e VERSION=$(VERSION) $(TS_FLAGS) %/*.txtar' .PHONY: testscripts-update testscripts-update: ## Update testdata/scripts/* files via testscript. make testscripts TS_FLAGS="-u" - .PHONY: testdb testdb: ## Prepares the test database. go run . local db preparetest @@ -163,4 +161,4 @@ help: @echo " \/ \/ \/ \/ \/ \/" @echo "" @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | \ - awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' + awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' \ No newline at end of file From 06dcc7913d4786d068bc014129071217dc3be65e Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Wed, 15 Nov 2023 17:45:10 -0500 Subject: [PATCH 5/8] feature/tracing-credentials: bumping relay and lint --- core/cmd/cosmos_node_commands_test.go | 4 ++++ core/cmd/solana_node_commands_test.go | 8 ++++++++ core/cmd/starknet_node_commands_test.go | 4 ++++ 3 files changed, 16 insertions(+) diff --git a/core/cmd/cosmos_node_commands_test.go b/core/cmd/cosmos_node_commands_test.go index 728be9396f9..edb44a89f4b 100644 --- a/core/cmd/cosmos_node_commands_test.go +++ b/core/cmd/cosmos_node_commands_test.go @@ -34,7 +34,11 @@ func TestShell_IndexCosmosNodes(t *testing.T) { chainID := cosmostest.RandomChainID() node := coscfg.Node{ Name: ptr("second"), +<<<<<<< HEAD TendermintURL: config.MustParseURL("http://tender.mint.test/bombay-12"), +======= + TendermintURL: relayconfig.MustParseURL("http://tender.mint.test/bombay-12"), +>>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) } chain := coscfg.TOMLConfig{ ChainID: ptr(chainID), diff --git a/core/cmd/solana_node_commands_test.go b/core/cmd/solana_node_commands_test.go index 316cf16212d..ce0a91f2dab 100644 --- a/core/cmd/solana_node_commands_test.go +++ b/core/cmd/solana_node_commands_test.go @@ -35,11 +35,19 @@ func TestShell_IndexSolanaNodes(t *testing.T) { id := solanatest.RandomChainID() node1 := solcfg.Node{ Name: ptr("first"), +<<<<<<< HEAD URL: config.MustParseURL("https://solana1.example"), } node2 := solcfg.Node{ Name: ptr("second"), URL: config.MustParseURL("https://solana2.example"), +======= + URL: relayconfig.MustParseURL("https://solana1.example"), + } + node2 := solcfg.Node{ + Name: ptr("second"), + URL: relayconfig.MustParseURL("https://solana2.example"), +>>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) } chain := solana.TOMLConfig{ ChainID: &id, diff --git a/core/cmd/starknet_node_commands_test.go b/core/cmd/starknet_node_commands_test.go index 0347cdd18f7..4473dfa4eab 100644 --- a/core/cmd/starknet_node_commands_test.go +++ b/core/cmd/starknet_node_commands_test.go @@ -9,7 +9,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" +<<<<<<< HEAD commoncfg "github.com/smartcontractkit/chainlink-common/pkg/config" +======= + relayconfig "github.com/smartcontractkit/chainlink-relay/pkg/config" +>>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) "github.com/smartcontractkit/chainlink-starknet/relayer/pkg/chainlink/config" "github.com/smartcontractkit/chainlink/v2/core/cmd" From de6ad7a870efff34198739b7f0699afde9e1595e Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Tue, 21 Nov 2023 22:18:42 -0500 Subject: [PATCH 6/8] feature/tracing-credentials: 'secure' --> 'tls' and 'insecure' --> 'unencrypted' --- GNUmakefile | 2 +- core/cmd/cosmos_node_commands_test.go | 4 - core/cmd/solana_node_commands_test.go | 8 -- core/cmd/starknet_node_commands_test.go | 4 - core/config/docs/core.toml | 4 +- core/config/toml/types.go | 47 +++++--- core/config/toml/types_test.go | 104 ++++++++++++++---- core/services/chainlink/config.go | 13 ++- core/services/chainlink/config_test.go | 80 +++++++++++++- .../services/chainlink/config_tracing_test.go | 4 +- .../testdata/config-empty-effective.toml | 2 +- .../chainlink/testdata/config-full.toml | 2 +- .../config-multi-chain-effective.toml | 2 +- .../testdata/config-empty-effective.toml | 2 +- core/web/resolver/testdata/config-full.toml | 2 +- .../config-multi-chain-effective.toml | 2 +- docs/CONFIG.md | 6 +- integration-tests/types/config/node/core.go | 2 +- plugins/loop_registry_test.go | 2 +- testdata/scripts/node/validate/default.txtar | 2 +- .../disk-based-logging-disabled.txtar | 2 +- .../validate/disk-based-logging-no-dir.txtar | 2 +- .../node/validate/disk-based-logging.txtar | 2 +- testdata/scripts/node/validate/invalid.txtar | 2 +- testdata/scripts/node/validate/valid.txtar | 2 +- testdata/scripts/node/validate/warnings.txtar | 23 +++- 26 files changed, 237 insertions(+), 90 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 1201361c4e9..2801f949682 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -161,4 +161,4 @@ help: @echo " \/ \/ \/ \/ \/ \/" @echo "" @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | \ - awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' \ No newline at end of file + awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' diff --git a/core/cmd/cosmos_node_commands_test.go b/core/cmd/cosmos_node_commands_test.go index edb44a89f4b..728be9396f9 100644 --- a/core/cmd/cosmos_node_commands_test.go +++ b/core/cmd/cosmos_node_commands_test.go @@ -34,11 +34,7 @@ func TestShell_IndexCosmosNodes(t *testing.T) { chainID := cosmostest.RandomChainID() node := coscfg.Node{ Name: ptr("second"), -<<<<<<< HEAD TendermintURL: config.MustParseURL("http://tender.mint.test/bombay-12"), -======= - TendermintURL: relayconfig.MustParseURL("http://tender.mint.test/bombay-12"), ->>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) } chain := coscfg.TOMLConfig{ ChainID: ptr(chainID), diff --git a/core/cmd/solana_node_commands_test.go b/core/cmd/solana_node_commands_test.go index ce0a91f2dab..316cf16212d 100644 --- a/core/cmd/solana_node_commands_test.go +++ b/core/cmd/solana_node_commands_test.go @@ -35,19 +35,11 @@ func TestShell_IndexSolanaNodes(t *testing.T) { id := solanatest.RandomChainID() node1 := solcfg.Node{ Name: ptr("first"), -<<<<<<< HEAD URL: config.MustParseURL("https://solana1.example"), } node2 := solcfg.Node{ Name: ptr("second"), URL: config.MustParseURL("https://solana2.example"), -======= - URL: relayconfig.MustParseURL("https://solana1.example"), - } - node2 := solcfg.Node{ - Name: ptr("second"), - URL: relayconfig.MustParseURL("https://solana2.example"), ->>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) } chain := solana.TOMLConfig{ ChainID: &id, diff --git a/core/cmd/starknet_node_commands_test.go b/core/cmd/starknet_node_commands_test.go index 4473dfa4eab..0347cdd18f7 100644 --- a/core/cmd/starknet_node_commands_test.go +++ b/core/cmd/starknet_node_commands_test.go @@ -9,11 +9,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" -<<<<<<< HEAD commoncfg "github.com/smartcontractkit/chainlink-common/pkg/config" -======= - relayconfig "github.com/smartcontractkit/chainlink-relay/pkg/config" ->>>>>>> 34eecf3b1d (feature/tracing-credentials: bumping relay and lint) "github.com/smartcontractkit/chainlink-starknet/relayer/pkg/chainlink/config" "github.com/smartcontractkit/chainlink/v2/core/cmd" diff --git a/core/config/docs/core.toml b/core/config/docs/core.toml index e6862a35b9e..dafce15c08d 100644 --- a/core/config/docs/core.toml +++ b/core/config/docs/core.toml @@ -592,8 +592,8 @@ CollectorTarget = 'localhost:4317' # Example NodeID = 'NodeID' # Example # SamplingRatio is the ratio of traces to sample for this node. SamplingRatio = 1.0 # Example -# Mode is a string value. 'secure' or 'insecure' are the only values allowed. If set to 'insecure', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. -Mode = 'secure' # Default +# Mode is a string value. 'tls' or 'unencrypted' are the only values allowed. If set to 'unencrypted', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. +Mode = 'tls' # Default # TLSCertPath is the file path to the TLS certificate used for secure communication with an OTEL Tracing Collector. TLSCertPath = '/path/to/cert.pem' # Example diff --git a/core/config/toml/types.go b/core/config/toml/types.go index 887ee732660..27c21fcaf1f 100644 --- a/core/config/toml/types.go +++ b/core/config/toml/types.go @@ -1495,30 +1495,39 @@ func (t *Tracing) ValidateConfig() (err error) { } } - if t.CollectorTarget != nil { - ok := isValidURI(*t.CollectorTarget) - if !ok { - err = multierr.Append(err, configutils.ErrInvalid{Name: "CollectorTarget", Value: *t.CollectorTarget, Msg: "must be a valid URI"}) - } - } - if t.Mode != nil { switch *t.Mode { - case "secure": + case "tls": // TLSCertPath must be set if t.TLSCertPath == nil { - err = multierr.Append(err, configutils.ErrMissing{Name: "TLSCertPath", Msg: "must be set when Tracing.Mode is secure"}) + err = multierr.Append(err, configutils.ErrMissing{Name: "TLSCertPath", Msg: "must be set when Tracing.Mode is tls"}) } else { ok := isValidFilePath(*t.TLSCertPath) if !ok { err = multierr.Append(err, configutils.ErrInvalid{Name: "TLSCertPath", Value: *t.TLSCertPath, Msg: "must be a valid file path"}) } } - case "insecure": + case "unencrypted": // no-op default: - // Mode must be either "secure" or "insecure" - err = multierr.Append(err, configutils.ErrInvalid{Name: "Mode", Value: *t.Mode, Msg: "must be either 'secure' or 'insecure'"}) + // Mode must be either "tls" or "unencrypted" + err = multierr.Append(err, configutils.ErrInvalid{Name: "Mode", Value: *t.Mode, Msg: "must be either 'tls' or 'unencrypted'"}) + } + } + + if t.CollectorTarget != nil && t.Mode != nil { + switch *t.Mode { + case "tls": + if !isValidURI(*t.CollectorTarget) { + err = multierr.Append(err, configutils.ErrInvalid{Name: "CollectorTarget", Value: *t.CollectorTarget, Msg: "must be a valid URI"}) + } + case "unencrypted": + // Unencrypted traces can not be sent to external networks + if !isValidLocalURI(*t.CollectorTarget) { + err = multierr.Append(err, configutils.ErrInvalid{Name: "CollectorTarget", Value: *t.CollectorTarget, Msg: "must be a valid local URI"}) + } + default: + // no-op } } @@ -1527,15 +1536,19 @@ func (t *Tracing) ValidateConfig() (err error) { var hostnameRegex = regexp.MustCompile(`^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$`) +// Validates uri is valid external or local URI func isValidURI(uri string) bool { if strings.Contains(uri, "://") { - // Standard URI check - _, _ = url.ParseRequestURI(uri) - // TODO: BCF-2703. Handle error. All external addresses currently fail validation until we have secure transport to external networks. - return false + _, err := url.ParseRequestURI(uri) + return err == nil } - // For URIs like "otel-collector:4317" + return isValidLocalURI(uri) +} + +// Validates uri is a valid local URI +// External URIs (e.g. http://) are not valid local URIs, and will return false. +func isValidLocalURI(uri string) bool { parts := strings.Split(uri, ":") if len(parts) == 2 { host, port := parts[0], parts[1] diff --git a/core/config/toml/types_test.go b/core/config/toml/types_test.go index a9232c5b830..e16d3a864da 100644 --- a/core/config/toml/types_test.go +++ b/core/config/toml/types_test.go @@ -185,55 +185,115 @@ func TestTracing_ValidateCollectorTarget(t *testing.T) { tests := []struct { name string collectorTarget *string + mode *string wantErr bool errMsg string }{ { - name: "valid http address", + name: "valid http address in tls mode", + collectorTarget: ptr("https://testing.collector.dev"), + mode: ptr("tls"), + wantErr: false, + }, + { + name: "valid http address in unencrypted mode", collectorTarget: ptr("https://localhost:4317"), - // TODO: BCF-2703. Re-enable when we have secure transport to otel collectors in external networks - wantErr: true, - errMsg: "CollectorTarget: invalid value (https://localhost:4317): must be a valid URI", + mode: ptr("unencrypted"), + wantErr: true, + errMsg: "CollectorTarget: invalid value (https://localhost:4317): must be a valid local URI", }, + // Tracing.Mode = 'tls' { name: "valid localhost address", collectorTarget: ptr("localhost:4317"), + mode: ptr("tls"), wantErr: false, }, { name: "valid docker address", collectorTarget: ptr("otel-collector:4317"), + mode: ptr("tls"), wantErr: false, }, { name: "valid IP address", collectorTarget: ptr("192.168.1.1:4317"), + mode: ptr("tls"), wantErr: false, }, { name: "invalid port", collectorTarget: ptr("localhost:invalid"), wantErr: true, + mode: ptr("tls"), errMsg: "CollectorTarget: invalid value (localhost:invalid): must be a valid URI", }, { name: "invalid address", collectorTarget: ptr("invalid address"), wantErr: true, + mode: ptr("tls"), errMsg: "CollectorTarget: invalid value (invalid address): must be a valid URI", }, { name: "nil CollectorTarget", collectorTarget: ptr(""), wantErr: true, + mode: ptr("tls"), errMsg: "CollectorTarget: invalid value (): must be a valid URI", }, + // Tracing.Mode = 'unencrypted' + { + name: "valid localhost address", + collectorTarget: ptr("localhost:4317"), + mode: ptr("unencrypted"), + wantErr: false, + }, + { + name: "valid docker address", + collectorTarget: ptr("otel-collector:4317"), + mode: ptr("unencrypted"), + wantErr: false, + }, + { + name: "valid IP address", + collectorTarget: ptr("192.168.1.1:4317"), + mode: ptr("unencrypted"), + wantErr: false, + }, + { + name: "invalid port", + collectorTarget: ptr("localhost:invalid"), + wantErr: true, + mode: ptr("unencrypted"), + errMsg: "CollectorTarget: invalid value (localhost:invalid): must be a valid local URI", + }, + { + name: "invalid address", + collectorTarget: ptr("invalid address"), + wantErr: true, + mode: ptr("unencrypted"), + errMsg: "CollectorTarget: invalid value (invalid address): must be a valid local URI", + }, + { + name: "nil CollectorTarget", + collectorTarget: ptr(""), + wantErr: true, + mode: ptr("unencrypted"), + errMsg: "CollectorTarget: invalid value (): must be a valid local URI", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + var tlsCertPath string + if *tt.mode == "tls" { + tlsCertPath = "/path/to/cert.pem" + } tracing := &Tracing{ Enabled: ptr(true), + TLSCertPath: &tlsCertPath, + Mode: tt.mode, CollectorTarget: tt.collectorTarget, } @@ -310,8 +370,8 @@ func TestTracing_ValidateSamplingRatio(t *testing.T) { } func TestTracing_ValidateTLSCertPath(t *testing.T) { - // tests for Tracing.Mode = 'secure' - secure_tests := []struct { + // tests for Tracing.Mode = 'tls' + tls_tests := []struct { name string tlsCertPath *string wantErr bool @@ -341,8 +401,8 @@ func TestTracing_ValidateTLSCertPath(t *testing.T) { }, } - // tests for Tracing.Mode = 'insecure' - insecure_tests := []struct { + // tests for Tracing.Mode = 'unencrypted' + unencrypted_tests := []struct { name string tlsCertPath *string wantErr bool @@ -370,10 +430,10 @@ func TestTracing_ValidateTLSCertPath(t *testing.T) { }, } - for _, tt := range secure_tests { + for _, tt := range tls_tests { t.Run(tt.name, func(t *testing.T) { tracing := &Tracing{ - Mode: ptr("secure"), + Mode: ptr("tls"), TLSCertPath: tt.tlsCertPath, Enabled: ptr(true), } @@ -389,10 +449,10 @@ func TestTracing_ValidateTLSCertPath(t *testing.T) { }) } - for _, tt := range insecure_tests { + for _, tt := range unencrypted_tests { t.Run(tt.name, func(t *testing.T) { tracing := &Tracing{ - Mode: ptr("insecure"), + Mode: ptr("unencrypted"), TLSCertPath: tt.tlsCertPath, Enabled: ptr(true), } @@ -418,27 +478,27 @@ func TestTracing_ValidateMode(t *testing.T) { errMsg string }{ { - name: "secure mode with valid TLS path", - mode: ptr("secure"), + name: "tls mode with valid TLS path", + mode: ptr("tls"), tlsCertPath: ptr("/path/to/cert.pem"), wantErr: false, }, { - name: "secure mode without TLS path", - mode: ptr("secure"), + name: "tls mode without TLS path", + mode: ptr("tls"), tlsCertPath: nil, wantErr: true, - errMsg: "TLSCertPath: missing: must be set when Tracing.Mode is secure", + errMsg: "TLSCertPath: missing: must be set when Tracing.Mode is tls", }, { - name: "insecure mode with TLS path", - mode: ptr("insecure"), + name: "unencrypted mode with TLS path", + mode: ptr("unencrypted"), tlsCertPath: ptr("/path/to/cert.pem"), wantErr: false, }, { - name: "insecure mode without TLS path", - mode: ptr("insecure"), + name: "unencrypted mode without TLS path", + mode: ptr("unencrypted"), tlsCertPath: nil, wantErr: false, }, @@ -447,7 +507,7 @@ func TestTracing_ValidateMode(t *testing.T) { mode: ptr("unknown"), tlsCertPath: nil, wantErr: true, - errMsg: "Mode: invalid value (unknown): must be either 'secure' or 'insecure'", + errMsg: "Mode: invalid value (unknown): must be either 'tls' or 'unencrypted'", }, } diff --git a/core/services/chainlink/config.go b/core/services/chainlink/config.go index 8c2fa58d44e..5d8b1019e8c 100644 --- a/core/services/chainlink/config.go +++ b/core/services/chainlink/config.go @@ -54,18 +54,19 @@ func (c *Config) TOMLString() (string, error) { // warnings aggregates warnings from valueWarnings and deprecationWarnings func (c *Config) warnings() (err error) { - _, warning := utils.MultiErrorList(c.deprecationWarnings()) - err = c.valueWarnings() - err = multierr.Append(warning, err) - return + deprecationErr := c.deprecationWarnings() + warningErr := c.valueWarnings() + err = multierr.Append(deprecationErr, warningErr) + _, list := utils.MultiErrorList(err) + return list } // valueWarnings returns an error if the Config contains values that hint at misconfiguration before defaults are applied. func (c *Config) valueWarnings() (err error) { if c.Tracing.Enabled != nil && *c.Tracing.Enabled { - if c.Tracing.Mode != nil && *c.Tracing.Mode == "insecure" { + if c.Tracing.Mode != nil && *c.Tracing.Mode == "unencrypted" { if c.Tracing.TLSCertPath != nil { - err = multierr.Append(err, config.ErrInvalid{Name: "Tracing.TLSCertPath", Value: *c.Tracing.TLSCertPath, Msg: "must be empty when Tracing.Mode is 'insecure'"}) + err = multierr.Append(err, config.ErrInvalid{Name: "Tracing.TLSCertPath", Value: *c.Tracing.TLSCertPath, Msg: "must be empty when Tracing.Mode is 'unencrypted'"}) } } } diff --git a/core/services/chainlink/config_test.go b/core/services/chainlink/config_test.go index 0c963294c4f..33fda221285 100644 --- a/core/services/chainlink/config_test.go +++ b/core/services/chainlink/config_test.go @@ -228,7 +228,7 @@ func TestConfig_Marshal(t *testing.T) { CollectorTarget: ptr("localhost:4317"), NodeID: ptr("clc-ocr-sol-devnet-node-1"), SamplingRatio: ptr(1.0), - Mode: ptr("secure"), + Mode: ptr("tls"), TLSCertPath: ptr("/path/to/cert.pem"), Attributes: map[string]string{ "test": "load", @@ -690,7 +690,7 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] @@ -1541,4 +1541,80 @@ func TestConfig_SetFrom(t *testing.T) { } } +func TestConfig_Warnings(t *testing.T) { + tests := []struct { + name string + config Config + expectedErrors []string + }{ + { + name: "No warnings", + config: Config{}, + expectedErrors: nil, + }, + { + name: "Value warning - unencrypted mode with TLS path set", + config: Config{ + Core: toml.Core{ + Tracing: toml.Tracing{ + Enabled: ptr(true), + Mode: ptr("unencrypted"), + TLSCertPath: ptr("/path/to/cert.pem"), + }, + }, + }, + expectedErrors: []string{"Tracing.TLSCertPath: invalid value (/path/to/cert.pem): must be empty when Tracing.Mode is 'unencrypted'"}, + }, + { + name: "Deprecation warning - P2P.V1 fields set", + config: Config{ + Core: toml.Core{ + P2P: toml.P2P{ + V1: toml.P2PV1{ + Enabled: ptr(true), + }, + }, + }, + }, + expectedErrors: []string{ + "P2P.V1: is deprecated and will be removed in a future version", + }, + }, + { + name: "Value warning and deprecation warning", + config: Config{ + Core: toml.Core{ + P2P: toml.P2P{ + V1: toml.P2PV1{ + Enabled: ptr(true), + }, + }, + Tracing: toml.Tracing{ + Enabled: ptr(true), + Mode: ptr("unencrypted"), + TLSCertPath: ptr("/path/to/cert.pem"), + }, + }, + }, + expectedErrors: []string{ + "Tracing.TLSCertPath: invalid value (/path/to/cert.pem): must be empty when Tracing.Mode is 'unencrypted'", + "P2P.V1: is deprecated and will be removed in a future version", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := tt.config.warnings() + if len(tt.expectedErrors) == 0 { + assert.NoError(t, err) + } else { + for _, expectedErr := range tt.expectedErrors { + assert.Contains(t, err.Error(), expectedErr) + } + } + }) + } +} + func ptr[T any](t T) *T { return &t } diff --git a/core/services/chainlink/config_tracing_test.go b/core/services/chainlink/config_tracing_test.go index 61a68a2305c..37653729cf3 100644 --- a/core/services/chainlink/config_tracing_test.go +++ b/core/services/chainlink/config_tracing_test.go @@ -14,7 +14,7 @@ func TestTracing_Config(t *testing.T) { collectorTarget := "http://localhost:9000" nodeID := "Node1" samplingRatio := 0.5 - mode := "secure" + mode := "tls" tlsCertPath := "/path/to/cert.pem" attributes := map[string]string{"key": "value"} tracing := toml.Tracing{ @@ -32,7 +32,7 @@ func TestTracing_Config(t *testing.T) { assert.Equal(t, "http://localhost:9000", tConfig.CollectorTarget()) assert.Equal(t, "Node1", tConfig.NodeID()) assert.Equal(t, 0.5, tConfig.SamplingRatio()) - assert.Equal(t, "secure", tConfig.Mode()) + assert.Equal(t, "tls", tConfig.Mode()) assert.Equal(t, "/path/to/cert.pem", tConfig.TLSCertPath()) assert.Equal(t, map[string]string{"key": "value"}, tConfig.Attributes()) diff --git a/core/services/chainlink/testdata/config-empty-effective.toml b/core/services/chainlink/testdata/config-empty-effective.toml index 7b05e8d0d2b..8f3135b34e4 100644 --- a/core/services/chainlink/testdata/config-empty-effective.toml +++ b/core/services/chainlink/testdata/config-empty-effective.toml @@ -232,5 +232,5 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' diff --git a/core/services/chainlink/testdata/config-full.toml b/core/services/chainlink/testdata/config-full.toml index 8691954c1b6..eca5f6f96d2 100644 --- a/core/services/chainlink/testdata/config-full.toml +++ b/core/services/chainlink/testdata/config-full.toml @@ -238,7 +238,7 @@ Enabled = true CollectorTarget = 'localhost:4317' NodeID = 'clc-ocr-sol-devnet-node-1' SamplingRatio = 1.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] diff --git a/core/services/chainlink/testdata/config-multi-chain-effective.toml b/core/services/chainlink/testdata/config-multi-chain-effective.toml index 3bfdeaf7c58..6a60dfd419a 100644 --- a/core/services/chainlink/testdata/config-multi-chain-effective.toml +++ b/core/services/chainlink/testdata/config-multi-chain-effective.toml @@ -232,7 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/core/web/resolver/testdata/config-empty-effective.toml b/core/web/resolver/testdata/config-empty-effective.toml index 7b05e8d0d2b..8f3135b34e4 100644 --- a/core/web/resolver/testdata/config-empty-effective.toml +++ b/core/web/resolver/testdata/config-empty-effective.toml @@ -232,5 +232,5 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' diff --git a/core/web/resolver/testdata/config-full.toml b/core/web/resolver/testdata/config-full.toml index 5018c3d3909..7e9872e9554 100644 --- a/core/web/resolver/testdata/config-full.toml +++ b/core/web/resolver/testdata/config-full.toml @@ -238,7 +238,7 @@ Enabled = false CollectorTarget = 'localhost:4317' NodeID = 'NodeID' SamplingRatio = 1.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '/path/to/cert.pem' [Tracing.Attributes] diff --git a/core/web/resolver/testdata/config-multi-chain-effective.toml b/core/web/resolver/testdata/config-multi-chain-effective.toml index 3bfdeaf7c58..6a60dfd419a 100644 --- a/core/web/resolver/testdata/config-multi-chain-effective.toml +++ b/core/web/resolver/testdata/config-multi-chain-effective.toml @@ -232,7 +232,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/docs/CONFIG.md b/docs/CONFIG.md index 7cdcd0988e4..ad1ff896709 100644 --- a/docs/CONFIG.md +++ b/docs/CONFIG.md @@ -1598,7 +1598,7 @@ Enabled = false # Default CollectorTarget = 'localhost:4317' # Example NodeID = 'NodeID' # Example SamplingRatio = 1.0 # Example -Mode = 'secure' # Default +Mode = 'tls' # Default TLSCertPath = '/path/to/cert.pem' # Example ``` @@ -1629,9 +1629,9 @@ SamplingRatio is the ratio of traces to sample for this node. ### Mode ```toml -Mode = 'secure' # Default +Mode = 'tls' # Default ``` -Mode is a string value. 'secure' or 'insecure' are the only values allowed. If set to 'insecure', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. +Mode is a string value. 'tls' or 'unencrypted' are the only values allowed. If set to 'unencrypted', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. ### TLSCertPath ```toml diff --git a/integration-tests/types/config/node/core.go b/integration-tests/types/config/node/core.go index ae80f143ebd..b7f2b316aa7 100644 --- a/integration-tests/types/config/node/core.go +++ b/integration-tests/types/config/node/core.go @@ -140,7 +140,7 @@ func WithTracing() NodeConfigOpt { // ksortable unique id NodeID: ptr.Ptr(ksuid.New().String()), SamplingRatio: ptr.Ptr(1.0), - Mode: ptr.Ptr("insecure"), + Mode: ptr.Ptr("unencrypted"), Attributes: map[string]string{ "env": "smoke", }, diff --git a/plugins/loop_registry_test.go b/plugins/loop_registry_test.go index c096c239321..b307469e09b 100644 --- a/plugins/loop_registry_test.go +++ b/plugins/loop_registry_test.go @@ -37,7 +37,7 @@ func (m *MockCfgTracing) NodeID() string { return "" } func (m *MockCfgTracing) CollectorTarget() string { return "http://localhost:9000" } func (m *MockCfgTracing) SamplingRatio() float64 { return 0.1 } func (m *MockCfgTracing) TLSCertPath() string { return "/path/to/cert.pem" } -func (m *MockCfgTracing) Mode() string { return "secure" } +func (m *MockCfgTracing) Mode() string { return "tls" } func TestLoopRegistry_Register(t *testing.T) { mockCfgTracing := &MockCfgTracing{} diff --git a/testdata/scripts/node/validate/default.txtar b/testdata/scripts/node/validate/default.txtar index 33e7e3208e7..267a760f08c 100644 --- a/testdata/scripts/node/validate/default.txtar +++ b/testdata/scripts/node/validate/default.txtar @@ -244,7 +244,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' Invalid configuration: invalid secrets: 2 errors: diff --git a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar index 9bbe9e0f5b4..e6281e8d221 100644 --- a/testdata/scripts/node/validate/disk-based-logging-disabled.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-disabled.txtar @@ -288,7 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar index 774881a92b7..65d832aa82e 100644 --- a/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar +++ b/testdata/scripts/node/validate/disk-based-logging-no-dir.txtar @@ -288,7 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/disk-based-logging.txtar b/testdata/scripts/node/validate/disk-based-logging.txtar index 7cc32453735..6b9e3d56ce6 100644 --- a/testdata/scripts/node/validate/disk-based-logging.txtar +++ b/testdata/scripts/node/validate/disk-based-logging.txtar @@ -288,7 +288,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/invalid.txtar b/testdata/scripts/node/validate/invalid.txtar index e510a489e25..aa2036413c7 100644 --- a/testdata/scripts/node/validate/invalid.txtar +++ b/testdata/scripts/node/validate/invalid.txtar @@ -278,7 +278,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/valid.txtar b/testdata/scripts/node/validate/valid.txtar index 27f11e366ac..4ceb9d5df35 100644 --- a/testdata/scripts/node/validate/valid.txtar +++ b/testdata/scripts/node/validate/valid.txtar @@ -285,7 +285,7 @@ Enabled = false CollectorTarget = '' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' +Mode = 'tls' TLSCertPath = '' [[EVM]] diff --git a/testdata/scripts/node/validate/warnings.txtar b/testdata/scripts/node/validate/warnings.txtar index 9c7fb8428a8..e4ff2aa35ea 100644 --- a/testdata/scripts/node/validate/warnings.txtar +++ b/testdata/scripts/node/validate/warnings.txtar @@ -15,6 +15,12 @@ ListenPort = 0 NewStreamTimeout = '10s' PeerstoreWriteInterval = '5m0s' +[Tracing] +Enabled = true +CollectorTarget = 'otel-collector:4317' +TLSCertPath = 'something' +Mode = 'unencrypted' + -- secrets.toml -- [Database] URL = 'postgresql://user:pass1234567890abcd@localhost:5432/dbname?sslmode=disable' @@ -46,6 +52,12 @@ ListenPort = 0 NewStreamTimeout = '10s' PeerstoreWriteInterval = '5m0s' +[Tracing] +Enabled = true +CollectorTarget = 'otel-collector:4317' +Mode = 'unencrypted' +TLSCertPath = 'something' + # Effective Configuration, with defaults applied: InsecureFastScrypt = false RootDir = '~/.chainlink' @@ -277,15 +289,15 @@ InfiniteDepthQueries = false DisableRateLimiting = false [Tracing] -Enabled = false -CollectorTarget = '' +Enabled = true +CollectorTarget = 'otel-collector:4317' NodeID = '' SamplingRatio = 0.0 -Mode = 'secure' -TLSCertPath = '' +Mode = 'unencrypted' +TLSCertPath = 'something' # Configuration warning: -2 errors: +3 errors: - P2P.V1: is deprecated and will be removed in a future version - P2P.V1: 10 errors: - AnnounceIP: is deprecated and will be removed in a future version @@ -298,4 +310,5 @@ TLSCertPath = '' - ListenPort: is deprecated and will be removed in a future version - NewStreamTimeout: is deprecated and will be removed in a future version - PeerstoreWriteInterval: is deprecated and will be removed in a future version + - Tracing.TLSCertPath: invalid value (something): must be empty when Tracing.Mode is 'unencrypted' Valid configuration. From bbebea773e167a20364692a41a9c16f49945998a Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Wed, 22 Nov 2023 09:30:31 -0500 Subject: [PATCH 7/8] feature/tracing-credentials: minor docs refactoring --- core/config/docs/core.toml | 2 +- core/config/toml/types.go | 2 +- docs/CONFIG.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/core/config/docs/core.toml b/core/config/docs/core.toml index dafce15c08d..79801c2c52b 100644 --- a/core/config/docs/core.toml +++ b/core/config/docs/core.toml @@ -592,7 +592,7 @@ CollectorTarget = 'localhost:4317' # Example NodeID = 'NodeID' # Example # SamplingRatio is the ratio of traces to sample for this node. SamplingRatio = 1.0 # Example -# Mode is a string value. 'tls' or 'unencrypted' are the only values allowed. If set to 'unencrypted', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. +# Mode is a string value. `tls` or `unencrypted` are the only values allowed. If set to `unencrypted`, `TLSCertPath` can be unset, meaning traces will be sent over plaintext to the collector. Mode = 'tls' # Default # TLSCertPath is the file path to the TLS certificate used for secure communication with an OTEL Tracing Collector. TLSCertPath = '/path/to/cert.pem' # Example diff --git a/core/config/toml/types.go b/core/config/toml/types.go index 27c21fcaf1f..31076c1f1de 100644 --- a/core/config/toml/types.go +++ b/core/config/toml/types.go @@ -1546,7 +1546,7 @@ func isValidURI(uri string) bool { return isValidLocalURI(uri) } -// Validates uri is a valid local URI +// isValidLocalURI returns true if uri is a valid local URI // External URIs (e.g. http://) are not valid local URIs, and will return false. func isValidLocalURI(uri string) bool { parts := strings.Split(uri, ":") diff --git a/docs/CONFIG.md b/docs/CONFIG.md index ad1ff896709..63c20bdf4a5 100644 --- a/docs/CONFIG.md +++ b/docs/CONFIG.md @@ -1631,7 +1631,7 @@ SamplingRatio is the ratio of traces to sample for this node. ```toml Mode = 'tls' # Default ``` -Mode is a string value. 'tls' or 'unencrypted' are the only values allowed. If set to 'unencrypted', TLSCertPath can be unset, meaning traces will be sent over plaintext to the collector. +Mode is a string value. `tls` or `unencrypted` are the only values allowed. If set to `unencrypted`, `TLSCertPath` can be unset, meaning traces will be sent over plaintext to the collector. ### TLSCertPath ```toml From 5ae38484e98d9b76810c685f51b362cbcea31557 Mon Sep 17 00:00:00 2001 From: patrickhuie19 Date: Wed, 22 Nov 2023 10:03:01 -0500 Subject: [PATCH 8/8] feature/tracing-credentials: adding changelog --- .github/tracing/README.md | 9 ++++++++- docs/CHANGELOG.md | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/tracing/README.md b/.github/tracing/README.md index eb757384295..feba31feb65 100644 --- a/.github/tracing/README.md +++ b/.github/tracing/README.md @@ -30,7 +30,14 @@ Another way to generate traces is by enabling traces for PRs. This will instrume 8. Run `sh replay.sh` to replay those traces to the otel-collector container that was spun up in the last step. 9. navigate to `localhost:3000/explore` in a web browser to query for traces -The artifact is not json encoded - each individual line is a well formed and complete json object. +The artifact is not json encoded - each individual line is a well formed and complete json object. + + +## Production and NOPs environments + +In a production environment, we suggest coupling the lifecycle of nodes and otel-collectors. A best practice is to deploy the otel-collector alongside your node, using infrastructure as code (IAC) to automate deployments and certificate lifecycles. While there are valid use cases for using `Tracing.Mode = unencrypted`, we have set the default encryption setting to `Tracing.Mode = tls`. Externally deployed otel-collectors can not be used with `Tracing.Mode = unencrypted`. i.e. If `Tracing.Mode = unencrypted` and an external URI is detected for `Tracing.CollectorTarget` node configuration will fail to validate and the node will not boot. The node requires a valid encryption mode and collector target to send traces. + +Once traces reach the otel-collector, the rest of the observability pipeline is flexible. We recommend deploying (through automation) centrally managed Grafana Tempo and Grafana UI instances to receive from one or many otel-collector instances. Always use networking best practices and encrypt trace data, especially at network boundaries. ## Configuration This folder contains the following config files: diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 8e016347c43..265222c8bec 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- Added distributed tracing in the OpenTelemetry trace format to the node, currently focused at the LOOPP Plugin development effort. This includes a new set of `Tracing` TOML configurations. The default for collecting traces is off - you must explicitly enable traces and setup a valid OpenTelemetry collector. Refer to `.github/tracing/README.md` for more details. - Added a new, optional WebServer authentication option that supports LDAP as a user identity provider. This enables user login access and user roles to be managed and provisioned via a centralized remote server that supports the LDAP protocol, which can be helpful when running multiple nodes. See the documentation for more information and config setup instructions. There is a new `[WebServer].AuthenticationMethod` config option, when set to `ldap` requires the new `[WebServer.LDAP]` config section to be defined, see the reference `docs/core.toml`. - New prom metrics for mercury: `mercury_transmit_queue_delete_error_count`