Merge pull request envoyproxy#144 from bianpengyuan/relesae-1-5-envoy…

…-tracer Use sts for call credential when STS_PORT is provided in node metadata
JimmyCYJ · Feb 10, 2020 · 0ff001d · 0ff001d
2 parents 5c68a90 + 86ffbbe
commit 0ff001d
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/source/extensions/tracers/opencensus/opencensus_tracer_impl.cc b/source/extensions/tracers/opencensus/opencensus_tracer_impl.cc
@@ -244,13 +244,33 @@ Driver::Driver(const envoy::config::trace::v3::OpenCensusConfig& oc_config,
   if (oc_config.stdout_exporter_enabled()) {
     ::opencensus::exporters::trace::StdoutExporter::Register();
   }
+  auto node_metadata = localinfo.node().metadata();
+  std::string sts_port;
+  auto port_iter = node_metadata.fields().find("STS_PORT");
+  if (port_iter != node_metadata.fields().end()) {
+    sts_port = port_iter->second.string_value();
+  }
   if (oc_config.stackdriver_exporter_enabled()) {
     ::opencensus::exporters::trace::StackdriverOptions opts;
     opts.project_id = oc_config.stackdriver_project_id();
     if (!oc_config.stackdriver_address().empty()) {
       auto channel =
           grpc::CreateChannel(oc_config.stackdriver_address(), grpc::InsecureChannelCredentials());
       opts.trace_service_stub = ::google::devtools::cloudtrace::v2::TraceService::NewStub(channel);
+    } else if (!sts_port.empty()) {
+      ::grpc::experimental::StsCredentialsOptions sts_options;
+      sts_options.token_exchange_service_uri = "http://localhost:" + sts_port + "/token";
+      sts_options.subject_token_path = "/var/run/secrets/tokens/istio-token";
+      sts_options.subject_token_type = "urn:ietf:params:oauth:token-type:jwt";
+      sts_options.scope = "https://www.googleapis.com/auth/cloud-platform";
+      auto call_creds = grpc::experimental::StsCredentials(sts_options);
+      auto ssl_creds_options = grpc::SslCredentialsOptions();
+      ssl_creds_options.pem_root_certs = "/etc/ssl/certs/ca-certificates.crt";
+      auto channel_creds = grpc::SslCredentials(ssl_creds_options);
+      auto channel =
+          ::grpc::CreateChannel("cloudtrace.googleapis.com",
+                                grpc::CompositeChannelCredentials(channel_creds, call_creds));
+      opts.trace_service_stub = ::google::devtools::cloudtrace::v2::TraceService::NewStub(channel);
     }
     ::opencensus::exporters::trace::StackdriverExporter::Register(std::move(opts));
   }