[release-1.4] Use sts for call credential when STS_PORT is provided i…

…n node metadata istio#144 (istio#148) * use sts for call credential when STS_PORT is provided Signed-off-by: Pengyuan Bian <bianpengyuan@google.com> * use channel credential Signed-off-by: Pengyuan Bian <bianpengyuan@google.com>
duderino · Feb 13, 2020 · 7081e43 · 7081e43
1 parent 03ecfad
commit 7081e43
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/source/extensions/tracers/opencensus/opencensus_tracer_impl.cc b/source/extensions/tracers/opencensus/opencensus_tracer_impl.cc
@@ -243,13 +243,33 @@ Driver::Driver(const envoy::config::trace::v2::OpenCensusConfig& oc_config,
   if (oc_config.stdout_exporter_enabled()) {
     ::opencensus::exporters::trace::StdoutExporter::Register();
   }
+  auto node_metadata = localinfo.node().metadata();
+  std::string sts_port;
+  auto port_iter = node_metadata.fields().find("STS_PORT");
+  if (port_iter != node_metadata.fields().end()) {
+    sts_port = port_iter->second.string_value();
+  }
   if (oc_config.stackdriver_exporter_enabled()) {
     ::opencensus::exporters::trace::StackdriverOptions opts;
     opts.project_id = oc_config.stackdriver_project_id();
     if (!oc_config.stackdriver_address().empty()) {
       auto channel =
           grpc::CreateChannel(oc_config.stackdriver_address(), grpc::InsecureChannelCredentials());
       opts.trace_service_stub = ::google::devtools::cloudtrace::v2::TraceService::NewStub(channel);
+    } else if (!sts_port.empty()) {
+      ::grpc::experimental::StsCredentialsOptions sts_options;
+      sts_options.token_exchange_service_uri = "http://localhost:" + sts_port + "/token";
+      sts_options.subject_token_path = "/var/run/secrets/tokens/istio-token";
+      sts_options.subject_token_type = "urn:ietf:params:oauth:token-type:jwt";
+      sts_options.scope = "https://www.googleapis.com/auth/cloud-platform";
+      auto call_creds = grpc::experimental::StsCredentials(sts_options);
+      auto ssl_creds_options = grpc::SslCredentialsOptions();
+      ssl_creds_options.pem_root_certs = "/etc/ssl/certs/ca-certificates.crt";
+      auto channel_creds = grpc::SslCredentials(ssl_creds_options);
+      auto channel =
+          ::grpc::CreateChannel("cloudtrace.googleapis.com",
+                                grpc::CompositeChannelCredentials(channel_creds, call_creds));
+      opts.trace_service_stub = ::google::devtools::cloudtrace::v2::TraceService::NewStub(channel);
     }
     ::opencensus::exporters::trace::StackdriverExporter::Register(std::move(opts));
   }