jaegertracing · yurishkuro · Jan 19, 2021 · Jul 9, 2020 · Jul 9, 2020 · Jul 9, 2020
diff --git a/cmd/query/app/flags.go b/cmd/query/app/flags.go
@@ -48,12 +48,18 @@ const (
 	queryMaxClockSkewAdjust = "query.max-clock-skew-adjustment"
 )
 
-var tlsFlagsConfig = tlscfg.ServerFlagsConfig{
+var tlsGrpcFlagsConfig = tlscfg.ServerFlagsConfig{
 	Prefix:       "query.grpc",
 	ShowEnabled:  true,
 	ShowClientCA: true,
 }
 
+var tlsHttpFlagsConfig = tlscfg.ServerFlagsConfig{
+	Prefix:       "query.http",
+	ShowEnabled:  true,
+	ShowClientCA: true,
+}
+
 // QueryOptions holds configuration for query service
 type QueryOptions struct {
 	// HostPort is the host:port address that the query service listens o n
@@ -66,8 +72,10 @@ type QueryOptions struct {
 	UIConfig string
 	// BearerTokenPropagation activate/deactivate bearer token propagation to storage
 	BearerTokenPropagation bool
-	// TLS configures secure transport
-	TLS tlscfg.Options
+	// TLS configures secure transport (Consumer to Query service gRPC APO)
+	TLSGrpc tlscfg.Options
+	// TLS configures secure transport (Consumer to Query service HTTP API)
+	TLSHttp tlscfg.Options
 	// AdditionalHeaders
 	AdditionalHeaders http.Header
 	// MaxClockSkewAdjust is the maximum duration by which jaeger-query will adjust a span
@@ -93,7 +101,8 @@ func (qOpts *QueryOptions) InitFromViper(v *viper.Viper, logger *zap.Logger) *Qu
 	qOpts.StaticAssets = v.GetString(queryStaticFiles)
 	qOpts.UIConfig = v.GetString(queryUIConfig)
 	qOpts.BearerTokenPropagation = v.GetBool(queryTokenPropagation)
-	qOpts.TLS = tlsFlagsConfig.InitFromViper(v)
+	qOpts.TLSGrpc = tlsGrpcFlagsConfig.InitFromViper(v)
+	qOpts.TLSGrpc = tlsHttpFlagsConfig.InitFromViper(v)
 	qOpts.MaxClockSkewAdjust = v.GetDuration(queryMaxClockSkewAdjust)
 
 	stringSlice := v.GetStringSlice(queryAdditionalHeaders)

diff --git a/cmd/query/app/server.go b/cmd/query/app/server.go
@@ -17,6 +17,7 @@ package app
 import (
 	"net"
 	"net/http"
+	"path/filepath"
 	"strings"
 
 	"github.com/gorilla/handlers"
@@ -54,13 +55,18 @@ func NewServer(logger *zap.Logger, querySvc *querysvc.QueryService, options *Que
 		return nil, err
 	}
 
+	httpServer, err := createHTTPServer(querySvc, options, tracer, logger)
+	if err != nil {
+		return nil, err
+	}
+
 	return &Server{
 		logger:             logger,
 		querySvc:           querySvc,
 		queryOptions:       options,
 		tracer:             tracer,
 		grpcServer:         grpcServer,
-		httpServer:         createHTTPServer(querySvc, options, tracer, logger),
+		httpServer:         httpServer,
 		unavailableChannel: make(chan healthcheck.Status),
 	}, nil
 }
@@ -73,8 +79,8 @@ func (s Server) HealthCheckStatus() chan healthcheck.Status {
 func createGRPCServer(querySvc *querysvc.QueryService, options *QueryOptions, logger *zap.Logger, tracer opentracing.Tracer) (*grpc.Server, error) {
 	var grpcOpts []grpc.ServerOption
 
-	if options.TLS.Enabled {
-		tlsCfg, err := options.TLS.Config()
+	if options.TLSGrpc.Enabled {
+		tlsCfg, err := options.TLSGrpc.Config()
 		if err != nil {
 			return nil, err
 		}
@@ -90,11 +96,19 @@ func createGRPCServer(querySvc *querysvc.QueryService, options *QueryOptions, lo
 	return server, nil
 }
 
-func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions, tracer opentracing.Tracer, logger *zap.Logger) *http.Server {
+func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions, tracer opentracing.Tracer, logger *zap.Logger) (*http.Server, error) {
 	apiHandlerOptions := []HandlerOption{
 		HandlerOptions.Logger(logger),
 		HandlerOptions.Tracer(tracer),
 	}
+
+	if queryOpts.TLSHttp.Enabled {
+		_, err := queryOpts.TLSHttp.Config() // This checks if the certificates are correctly provided
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	apiHandler := NewAPIHandler(
 		querySvc,
 		apiHandlerOptions...)
@@ -114,7 +128,7 @@ func createHTTPServer(querySvc *querysvc.QueryService, queryOpts *QueryOptions,
 	recoveryHandler := recoveryhandler.NewRecoveryHandler(logger, true)
 	return &http.Server{
 		Handler: recoveryHandler(handler),
-	}
+	}, nil
 }
 
 // Start http, GRPC and cmux servers concurrently
@@ -146,13 +160,21 @@ func (s *Server) Start() error {
 
 	go func() {
 		s.logger.Info("Starting HTTP server", zap.Int("port", tcpPort), zap.String("addr", s.queryOptions.HostPort))
+		var err error
+		if s.queryOptions.TLSHttp.Enabled {
+			err = s.httpServer.ServeTLS(httpListener, filepath.Clean(s.queryOptions.TLSHttp.CertPath), filepath.Clean(s.queryOptions.TLSHttp.KeyPath))
 
-		switch err := s.httpServer.Serve(httpListener); err {
+		} else {
+			err = s.httpServer.Serve(httpListener)
+		}
+
+		switch err {
 		case nil, http.ErrServerClosed, cmux.ErrListenerClosed:
 			// normal exit, nothing to do
 		default:
 			s.logger.Error("Could not start HTTP server", zap.Error(err))
 		}
+
 		s.unavailableChannel <- healthcheck.Unavailable
 	}()
 

diff --git a/cmd/query/app/server_test.go b/cmd/query/app/server_test.go
@@ -44,7 +44,7 @@ func TestServerError(t *testing.T) {
 	assert.Error(t, srv.Start())
 }
 
-func TestCreateTLSServerError(t *testing.T) {
+func TestCreateTLSGrpcServerError(t *testing.T) {
 	tlsCfg := tlscfg.Options{
 		Enabled:      true,
 		CertPath:     "invalid/path",
@@ -53,7 +53,20 @@ func TestCreateTLSServerError(t *testing.T) {
 	}
 
 	_, err := NewServer(zap.NewNop(), &querysvc.QueryService{},
-		&QueryOptions{TLS: tlsCfg}, opentracing.NoopTracer{})
+		&QueryOptions{TLSGrpc: tlsCfg}, opentracing.NoopTracer{})
+	assert.NotNil(t, err)
+}
+
+func TestCreateTLSHttpServerError(t *testing.T) {
+	tlsCfg := tlscfg.Options{
+		Enabled:      true,
+		CertPath:     "invalid/path",
+		KeyPath:      "invalid/path",
+		ClientCAPath: "invalid/path",
+	}
+
+	_, err := NewServer(zap.NewNop(), &querysvc.QueryService{},
+		&QueryOptions{TLSHttp: tlsCfg}, opentracing.NoopTracer{})
 	assert.NotNil(t, err)
 }