| 1001 | |
| 1002 | // In proxy.go |
| 1003 | func (p *Proxy) StartProxy(ctx context.Context, opts agent.ProxyOptions) error { |
| 1004 | |
| 1005 | // Skip the TCP listener if configured. DNS + parsers + session still run. |
| 1006 | if agent.SkipProxyListener { |
| 1007 | p.skipListener = true |
| 1008 | } |
| 1009 | |
| 1010 | //first initialize the integrations |
| 1011 | err := p.InitIntegrations(ctx) |
| 1012 | if err != nil { |
| 1013 | utils.LogError(p.logger, err, "failed to initialize the integrations") |
| 1014 | return err |
| 1015 | } |
| 1016 | |
| 1017 | // Start the continuous error drain so the error channel never fills up. |
| 1018 | // This must happen before any connections are handled. |
| 1019 | p.StartErrorDrain(ctx) |
| 1020 | |
| 1021 | // set up the CA for tls connections. |
| 1022 | // |
| 1023 | // On failure we record the terminal error via MarkCAFailed so the |
| 1024 | // /agent/ready handler can return a clear "CA setup failed" |
| 1025 | // diagnostic instead of an indefinite "not yet ready". We still |
| 1026 | // continue starting the proxy — the proxy can serve non-TLS |
| 1027 | // traffic and surfacing the error to readiness probes is a better |
| 1028 | // signal to operators than hard-aborting the agent here. |
| 1029 | // Use the PID-aware SetupCAForApp so the Java truststore import |
| 1030 | // (installJavaCAForHome) targets the JDK the instrumented app is |
| 1031 | // actually running with. On non-Java workloads / shared-volume |
| 1032 | // mode / appPID==0 these extra args are harmless — SetupCAForApp |
| 1033 | // falls back to the legacy PATH-keytool behaviour. See |
| 1034 | // pkg/agent/proxy/tls/java_detect.go for the resolution order. |
| 1035 | err = pTls.SetupCAForApp(ctx, p.logger, p.IsDocker, int(p.appPID), p.caJavaHome) |
| 1036 | if err != nil { |
| 1037 | // Terminal: the CA cannot be installed in this process and |
| 1038 | // Keploy-proxied TLS will fail cert-verify for every workload |
| 1039 | // that gets routed through the proxy. Log at Error (not Warn) |
| 1040 | // to match the severity, and include a next_step so operators |
| 1041 | // see the likely fix without grepping source. |
| 1042 | p.logger.Error( |
| 1043 | "SetupCA failed — Keploy-proxied TLS will fail cert-verify. "+ |
| 1044 | "The /agent/ready endpoint will return 503 with this error "+ |
| 1045 | "so dependents don't wait forever for a readiness that "+ |
| 1046 | "will never come.", |
| 1047 | zap.Error(err), |
| 1048 | zap.String("next_step", |
| 1049 | "Verify the agent container has write access to the "+ |
| 1050 | "shared /tmp/keploy-tls volume (docker/k8s mode) or "+ |
| 1051 | "to the host's CA trust store under /usr/local/share/"+ |
| 1052 | "ca-certificates or /etc/pki/ca-trust/source/anchors "+ |
| 1053 | "(native mode). Restart the agent after fixing."), |
| 1054 | ) |
| 1055 | pTls.MarkCAFailed(err) |
| 1056 | } |
| 1057 | |
| 1058 | // Channel-binding shim: now that appPID is known, walk the app's |
| 1059 | // process tree, register every visible descendant in the BPF |
| 1060 | // allowlist, attach uprobes to whatever libcryptos they map, and |