secure connections via force_tls

Author: tom-pytel

docs/EnvVars.md

@@ -6,6 +6,7 @@ Environment Variable | Description | Default
 | `SW_AGENT_INSTANCE` | The name of the Python service instance | Randomly generated |
 | `SW_AGENT_NAMESPACE` | The agent namespace of the Python service | unset |
 | `SW_AGENT_COLLECTOR_BACKEND_SERVICES` | The backend OAP server address | `127.0.0.1:11800` |
+| `SW_AGENT_FORCE_TLS` | Use TLS for communication with server (no cert required) | `False` |
 | `SW_AGENT_PROTOCOL` | The protocol to communicate with the backend OAP, `http`, `grpc` or `kafka`, **we highly suggest using `grpc` in production as it's well optimized than `http`**. The `kafka` protocol provides an alternative way to submit data to the backend. | `grpc` |
 | `SW_AGENT_AUTHENTICATION` | The authentication token to verify that the agent is trusted by the backend OAP, as for how to configure the backend, refer to [the yaml](https://github.com/apache/skywalking/blob/4f0f39ffccdc9b41049903cc540b8904f7c9728e/oap-server/server-bootstrap/src/main/resources/application.yml#L155-L158). | unset |
 | `SW_AGENT_LOGGING_LEVEL` | The logging level, could be one of `CRITICAL`, `FATAL`, `ERROR`, `WARN`(`WARNING`), `INFO`, `DEBUG` | `INFO` |
@@ -27,5 +28,5 @@ Environment Variable | Description | Default
 | `SW_KAFKA_REPORTER_TOPIC_SEGMENT` | Specifying Kafka topic name for Tracing data. | `skywalking-segments` |
 | `SW_KAFKA_REPORTER_CONFIG_key` | The configs to init KafkaProducer. it support the basic arguments (whose type is either `str`, `bool`, or `int`) listed [here](https://kafka-python.readthedocs.io/en/master/apidoc/KafkaProducer.html#kafka.KafkaProducer) | unset |
 | `SW_CELERY_PARAMETERS_LENGTH`| The maximum length of `celery` functions parameters, longer than this will be truncated, 0 turns off  | `512` |
-| `SW_AGENT_PROFILE_ACTIVE` | If `True`, Python agent will enable profile when user create a new profile task. Otherwise disable profile. | `False` | 
-| `SW_PROFILE_TASK_QUERY_INTERVAL` | The number of seconds between two profile task query. | `20` | 
+| `SW_AGENT_PROFILE_ACTIVE` | If `True`, Python agent will enable profile when user create a new profile task. Otherwise disable profile. | `False` |
+| `SW_PROFILE_TASK_QUERY_INTERVAL` | The number of seconds between two profile task query. | `20` |

skywalking/agent/protocol/grpc.py

@@ -36,8 +36,15 @@
 class GrpcProtocol(Protocol):
     def __init__(self):
         self.state = None
-        self.channel = grpc.insecure_channel(config.collector_address, options=(('grpc.max_connection_age_grace_ms',
-                                             1000 * config.GRPC_TIMEOUT),))
+
+        if config.force_tls:
+            self.channel = grpc.secure_channel(config.collector_address, grpc.ssl_channel_credentials(),
+                                               options=(('grpc.max_connection_age_grace_ms',
+                                                         1000 * config.GRPC_TIMEOUT),))
+        else:
+            self.channel = grpc.insecure_channel(config.collector_address, options=(('grpc.max_connection_age_grace_ms',
+                                                 1000 * config.GRPC_TIMEOUT),))
+
         if config.authentication:
             self.channel = grpc.intercept_channel(
                 self.channel, header_adder_interceptor('authentication', config.authentication)

skywalking/client/http.py

@@ -25,15 +25,17 @@
 
 class HttpServiceManagementClient(ServiceManagementClient):
     def __init__(self):
+        proto = 'https://' if config.force_tls else 'http://'
+        self.url_instance_props = proto + config.collector_address.rstrip('/') + '/v3/management/reportProperties'
+        self.url_heart_beat = proto + config.collector_address.rstrip('/') + '/v3/management/keepAlive'
         self.session = requests.Session()
 
     def fork_after_in_child(self):
         self.session.close()
         self.session = requests.Session()
 
     def send_instance_props(self):
-        url = 'http://' + config.collector_address.rstrip('/') + '/v3/management/reportProperties'
-        res = self.session.post(url, json={
+        res = self.session.post(self.url_instance_props, json={
             'service': config.service_name,
             'serviceInstance': config.service_instance,
             'properties': [{
@@ -48,8 +50,7 @@ def send_heart_beat(self):
             config.service_name,
             config.service_instance,
         )
-        url = 'http://' + config.collector_address.rstrip('/') + '/v3/management/keepAlive'
-        res = self.session.post(url, json={
+        res = self.session.post(self.url_heart_beat, json={
             'service': config.service_name,
             'serviceInstance': config.service_instance,
         })
@@ -58,16 +59,17 @@ def send_heart_beat(self):
 
 class HttpTraceSegmentReportService(TraceSegmentReportService):
     def __init__(self):
+        proto = 'https://' if config.force_tls else 'http://'
+        self.url_report = proto + config.collector_address.rstrip('/') + '/v3/segment'
         self.session = requests.Session()
 
     def fork_after_in_child(self):
         self.session.close()
         self.session = requests.Session()
 
     def report(self, generator):
-        url = 'http://' + config.collector_address.rstrip('/') + '/v3/segment'
         for segment in generator:
-            res = self.session.post(url, json={
+            res = self.session.post(self.url_report, json={
                 'traceId': str(segment.related_traces[0]),
                 'traceSegmentId': str(segment.segment_id),
                 'service': config.service_name,