Add TLS support to HTTP/GRPC clients #2502
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
2 tasks
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
annanay25
commented
May 6, 2020
annanay25
commented
May 6, 2020
Signed-off-by: Annanay <[email protected]>
annanay25
changed the title
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Marco Pracucci <[email protected]>
pracucci
reviewed
May 8, 2020
There was a problem hiding this comment.
Thanks @annanay25 for working on it! Adding TLS support between Cortex components/services is very neat.
I've some concerns about the generic httpclient.Config struct because this causes you some troubles to keep backward compatibility and also add extra options to clients where such options are not necessarily required. Pretty much the same with gprcclient.Config.
I will reach you offline to further discuss a sligthly different design.
Signed-off-by: Marco Pracucci <[email protected]>
… into add-tls-support Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
jtlisi
suggested changes
May 11, 2020
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
jtlisi
suggested changes
May 12, 2020
jtlisi
suggested changes
May 12, 2020
integration/query_frontend_test.go
Outdated
Comment on lines
101
to
108
| cmd := exec.Command("bash", "certs/genCerts.sh", "certs", "1") | ||
| require.NoError(t, cmd.Run()) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientCertFile, clientCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientKeyFile, clientKeyFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+rootCertFile, rootCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverCertFile, serverCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverKeyFile, serverKeyFile)) | ||
|
|
There was a problem hiding this comment.
Suggested change
| cmd := exec.Command("bash", "certs/genCerts.sh", "certs", "1") | |
| require.NoError(t, cmd.Run()) | |
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientCertFile, clientCertFile)) | |
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientKeyFile, clientKeyFile)) | |
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+rootCertFile, rootCertFile)) | |
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverCertFile, serverCertFile)) | |
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverKeyFile, serverKeyFile)) | |
| cmd := exec.Command("bash", "certs/genCerts.sh", s.SharedDir()+"/certs", "1") | |
| require.NoError(t, cmd.Run()) |
You don't need to mount each file into the env, you can generate the certs directly into the e2e shared directory.
There was a problem hiding this comment.
I would actually suggest to commit certs in the integration/certs and then copy all of them to the shared dir.
There was a problem hiding this comment.
sounds good, better than generating them for every run.
integration/query_frontend_test.go
Outdated
| queryFrontend := e2ecortex.NewQueryFrontendWithConfigFile("query-frontend", configFile, flags, "") | ||
| ingester := e2ecortex.NewIngesterWithConfigFile("ingester", consul.NetworkHTTPEndpoint(), configFile, flags, "") | ||
| distributor := e2ecortex.NewDistributorWithConfigFile("distributor", consul.NetworkHTTPEndpoint(), configFile, flags, "") | ||
| queryFrontend := e2ecortex.NewQueryFrontendWithConfigFile("query-frontend", configFile, mergeFlags(flags, GetServerTLSFlags()), "") |
There was a problem hiding this comment.
When you create the Service you need to ensure that the built in ReadinessCheck supports TLS. Same with any external client that accesses the service.
pracucci
reviewed
May 13, 2020
There was a problem hiding this comment.
Thanks @annanay25 for addressing my initial comments. Much appreciated! This PR looks in a better shape now and I think we're quite close. I left some comments to further polish the config and nits here and there.
| @@ -0,0 +1,100 @@ | |||
|
|
|||
There was a problem hiding this comment.
For each pre-cooked config we provide, we have an integration test in integration/getting_started_single_process_config_test.go. Would be great if you could add a test there for this file (a new test, which can be an existing one you copy, paste and modify as needed).
integration/query_frontend_test.go
Outdated
Comment on lines
101
to
108
| cmd := exec.Command("bash", "certs/genCerts.sh", "certs", "1") | ||
| require.NoError(t, cmd.Run()) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientCertFile, clientCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientKeyFile, clientKeyFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+rootCertFile, rootCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverCertFile, serverCertFile)) | ||
| require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverKeyFile, serverKeyFile)) | ||
|
|
There was a problem hiding this comment.
I would actually suggest to commit certs in the integration/certs and then copy all of them to the shared dir.
Signed-off-by: Annanay <[email protected]>
pracucci
reviewed
May 13, 2020
Signed-off-by: Annanay <[email protected]>
pracucci
approved these changes
May 13, 2020
There was a problem hiding this comment.
Thanks @annanay25 for addressing my feedback! LGTM 🎉 (I left one very last nit)
Signed-off-by: Annanay <[email protected]>
Signed-off-by: Annanay <[email protected]>
1 task
tomwilkie
pushed a commit
that referenced
this pull request
Jun 8, 2020
* Checkpoint Signed-off-by: Annanay <[email protected]> * Add tls options to grpc client Signed-off-by: Annanay <[email protected]> * Add new httpclient util package for use in all client configs Signed-off-by: Annanay <[email protected]> * Change all grpc clients to use grpcclient Signed-off-by: Annanay <[email protected]> * Fix build, add docs Signed-off-by: Annanay <[email protected]> * Fix tests Signed-off-by: Annanay <[email protected]> * Fix lint, add tls to store-gw-client Signed-off-by: Annanay <[email protected]> * Rename config parameters Signed-off-by: Annanay <[email protected]> * Lint Signed-off-by: Annanay <[email protected]> * Nit fix Signed-off-by: Annanay <[email protected]> * Checkpoint Signed-off-by: Annanay <[email protected]> * Checkpoint Signed-off-by: Annanay <[email protected]> * Checkpoint Signed-off-by: Annanay <[email protected]> * Add integration tests for TLS Signed-off-by: Annanay <[email protected]> * Correct package names, fix config file reference Signed-off-by: Annanay <[email protected]> * Fix cert paths Signed-off-by: Annanay <[email protected]> * Fix lint, add sample tls config file Signed-off-by: Annanay <[email protected]> * Crash quickly if certs are bad Signed-off-by: Annanay <[email protected]> * Fixed linter and doc generation Signed-off-by: Marco Pracucci <[email protected]> * Cleaned white noise Signed-off-by: Marco Pracucci <[email protected]> * Address review comments Signed-off-by: Annanay <[email protected]> * Fix docs, flags Signed-off-by: Annanay <[email protected]> * Fix test Signed-off-by: Annanay <[email protected]> * Fix lint, docs Signed-off-by: Annanay <[email protected]> * Do not use TLS options with GCP clients Signed-off-by: Annanay <[email protected]> * Add client auth type, go mod tidy/vendor Signed-off-by: Annanay <[email protected]> * Address comments Signed-off-by: Annanay <[email protected]> * Fix lint, add new integration test Signed-off-by: Annanay <[email protected]> * Revert logging level to warn, add CHANGELOG entry Signed-off-by: Annanay <[email protected]> Co-authored-by: Marco Pracucci <[email protected]> Signed-off-by: Jacob Lisi <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does:
go.modupdated to vendor latest commit ofweaveworks/commonwhich adds TLS support to the server.pkg/util/grpcclientupdated to include TLS info.grpcclient.DialOptions()which provides TLS options as well.pkg/util/httpclientcreated with aConfigstruct that stores necessary endpoint, timeout and tls config parameters.Which issue(s) this PR fixes:
Fixes #2350
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]