Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add memberlist TLS configuration options #4046

Merged
merged 8 commits into from
Apr 9, 2021
Merged

Add memberlist TLS configuration options #4046

merged 8 commits into from
Apr 9, 2021

Conversation

jtlisi
Copy link
Contributor

@jtlisi jtlisi commented Apr 2, 2021

What this PR does:

  • Adds TLS configuration options for the memberlist transport layer.
  • Add an integration test to verify memberlist when TLS is configured.

Which issue(s) this PR fixes:

Fixes #4045

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

@jtlisi jtlisi changed the title 2021w13 memberlist tls Add memberlist TLS configuration options Apr 2, 2021
56quarters
56quarters approved these changes Apr 2, 2021
View reviewed changes
Copy link
Contributor

@56quarters 56quarters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Small nit about error formatting

pkg/ring/kv/memberlist/tcp_transport.go Outdated
if config.TLSEnabled {
tcpLn, err = tls.Listen("tcp", tcpAddr.String(), t.tlsConfig)
if err != nil {
return nil, fmt.Errorf("failed to start tls TCP listener on %q port %d: %v", addr, port, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these be %w for the error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I think this would be a good fit for that formatting directive.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree on %w but, doing a step forward, what if we move to errors.Wrapf() like we're currently doing everywhere? This looks material for a follow up PR, not to be done in this one.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@pstibrany pstibrany Apr 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

%w/%v makes no difference, until we want to unwrap the errors and work with them. If we just log them, it doesn't matter. (Agree on using errors.Wrap, when we get to fixing this)

simonswine
simonswine approved these changes Apr 6, 2021
View reviewed changes
Copy link
Contributor

@simonswine simonswine left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (after addressing the comments)

integration/integration_memberlist_single_binary_test.go Outdated
Comment on lines 66 to 68
cortex1 = newSingleBinary("cortex-1", networkName+"-cortex-1", "")
cortex2 = newSingleBinary("cortex-2", networkName+"-cortex-2", networkName+"-cortex-1:8000")
cortex3 = newSingleBinary("cortex-3", networkName+"-cortex-3", networkName+"-cortex-1:8000")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This maybe a bit misleading. The TLSServerName should be set to a name required on the certificate of the peer (you are setting the name to ourselves).

So in the case of cortex1 (line 66), I would expect it to be set to cortex-2 and cortex-3.

Probably the best is only have a single DNS name on the certificate as otherwise we would need to set it independently depending on which peer we are connecting to.

pracucci
pracucci approved these changes Apr 8, 2021
View reviewed changes
Copy link
Contributor

@pracucci pracucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (modulo a couple of nits). Thanks!

pkg/ring/kv/memberlist/tcp_transport.go Outdated
if config.TLSEnabled {
tcpLn, err = tls.Listen("tcp", tcpAddr.String(), t.tlsConfig)
if err != nil {
return nil, fmt.Errorf("failed to start tls TCP listener on %q port %d: %v", addr, port, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree on %w but, doing a step forward, what if we move to errors.Wrapf() like we're currently doing everywhere? This looks material for a follow up PR, not to be done in this one.

pracucci
pracucci approved these changes Apr 9, 2021
View reviewed changes
Copy link
Contributor

@pracucci pracucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Jacob for taking my feedback in consideration. Let's rebuild the generated config and should be good to go!

@jtlisi jtlisi force-pushed the 2021w13_memberlist_tls branch from 511594f to cdf53d4 Compare April 9, 2021 17:43
@jtlisi jtlisi merged commit 56a5c6a into master Apr 9, 2021
@jtlisi jtlisi deleted the 2021w13_memberlist_tls branch April 9, 2021 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pstibrany pstibrany pstibrany left review comments

@simonswine simonswine simonswine approved these changes

@56quarters 56quarters 56quarters approved these changes

@pracucci pracucci pracucci approved these changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TLS Memberlist
5 participants
@jtlisi @simonswine @pstibrany @56quarters @pracucci