[xserver] TLS support added to xserver, aggregator server, and aggregator client #4266

Open. Wants to merge 51 commits into base: master.

Commits (51):
f252408
Add support of TLS to xserver
roman-mazhut Apr 18, 2024
413d9d3
Add support of TLS to aggregator tcp client
roman-mazhut Apr 18, 2024
a57d5a6
Add TLS configuration to aggregator server config
roman-mazhut Apr 18, 2024
3a206dc
Split xserver options into options and TLS options
roman-mazhut Apr 18, 2024
f32c307
Description added to the IsTLS function
roman-mazhut Apr 23, 2024
92e0920
Pointers replaced with values in client TLS configuration
roman-mazhut Apr 23, 2024
4c798f8
Close a connection before returning an error if an upgrade to TLS failed
roman-mazhut Apr 23, 2024
8c4513a
TLSEnabled renamed to Enabled
roman-mazhut Apr 26, 2024
446d2ef
Integration tests
roman-mazhut May 22, 2024
d992b6f
Cert pool moved to the client struct
roman-mazhut May 28, 2024
74d9e77
Cert pool moved to the server struct
roman-mazhut May 28, 2024
09e549d
Prevent server tests from being looped forever
roman-mazhut May 28, 2024
d841bcf
testPlainTCPServer function added
roman-mazhut May 28, 2024
702563d
maybeUpgradeToTLS refactored
roman-mazhut May 28, 2024
b89c701
SecuredConnection refactored
roman-mazhut May 30, 2024
94a5706
TLS config TTL
roman-mazhut Jun 24, 2024
414711b
Client TLS config cache
roman-mazhut Jun 25, 2024
1ee36de
TLS Config manager factored out into a separate package
roman-mazhut Jul 2, 2024
c450333
Merge branch 'master' into add-support-of-tls-to-tcp-client
roman-mazhut Jul 4, 2024
7997a01
Metric added for upgrade to tls errors
roman-mazhut Jul 8, 2024
8fd3c43
newConfigManagerScope renamed to newConfigManagerMetrics
roman-mazhut Jul 9, 2024
2c78899
Config manager mutex moved to a field
roman-mazhut Jul 9, 2024
19e99e0
Redundant error check removed
roman-mazhut Jul 9, 2024
3068241
Write/read data tests added to secured connection
roman-mazhut Jul 9, 2024
1f1444d
Use tally.TestScope for metrics testing
roman-mazhut Jul 9, 2024
4e05948
Use t.Cleanup to close the tls server
roman-mazhut Jul 9, 2024
ec56885
Waiting for handler calls refactored
roman-mazhut Jul 9, 2024
f2594b2
Early returns refactoring
roman-mazhut Jul 9, 2024
d53144b
Server tests refactored into a table test
roman-mazhut Jul 9, 2024
8582081
bufio.Reader replaced with a peek function
roman-mazhut Jul 11, 2024
89e7e36
Server benchmark
roman-mazhut Jul 12, 2024
161a547
Tests for KeepAlive
roman-mazhut Jul 12, 2024
c4fb2d2
peekedByte pointer replaced with byte and peekedByteIsSet. Mutex removed
roman-mazhut Jul 12, 2024
96aa72c
ServerMode methods generated with enumer
roman-mazhut Jul 25, 2024
cae4342
Merge branch 'master' into add-support-of-tls-to-tcp-client
roman-mazhut Jul 29, 2024
6a44f2e
Linter fixed
roman-mazhut Jul 30, 2024
e848c97
Linter fixed
roman-mazhut Jul 30, 2024
a07157d
Linter fixed
roman-mazhut Jul 30, 2024
001ccb3
Imports fixed
roman-mazhut Jul 30, 2024
2e39e94
Imports fixed
roman-mazhut Jul 30, 2024
ed12ea4
Tests fixed
roman-mazhut Jul 30, 2024
2a2a17e
TLS tests fixed
roman-mazhut Jul 30, 2024
1b3ec54
loadCertPool function fixed
roman-mazhut Jul 30, 2024
5a81da4
Add metrics for time taken to connect to m3db cluster during startu…
pranithraparthi Jul 30, 2024
b582bc5
[buildkite] Fix integration dbnode lru and dbnode recently read tests…
kentzeng12 Jul 31, 2024
8ba3134
[buildkite] Fix Docker and Doc build test in buildkite pipeline (#4282)
kentzeng12 Jul 31, 2024
e8b051c
Master merged
roman-mazhut Aug 15, 2024
f35027c
Linter errors fixed
roman-mazhut Aug 15, 2024
ace2a95
Benchmark test fixed
roman-mazhut Aug 15, 2024
2e9ed48
Linter errors fixed
roman-mazhut Aug 15, 2024
343a770
Merge branch 'master' into add-support-of-tls-to-tcp-client
roman-mazhut Oct 2, 2024
20 changes: 20 additions & 0 deletions scripts/docker-integration-tests/aggregator_tls/client.crt
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
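Review bot: this client.crt is a fixed fixture with a notAfter date, so the aggregator_tls integration test will start failing once the certificate expires, with nothing in this hunk to tell the next maintainer how to replace it; add the openssl commands (or a small script) that regenerate rootCA.crt, server.crt/server.key and client.crt/client.key next to these files and choose a validity period that comfortably outlives the suite, or have the test harness mint the chain at startup instead of checking it in.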
27 changes: 27 additions & 0 deletions scripts/docker-integration-tests/aggregator_tls/client.key
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
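Review bot: an unencrypted PKCS#1 key (`-----BEGIN RSA PRIVATE KEY-----`) committed under scripts/docker-integration-tests/ will be flagged by secret scanners and is trivially reusable if anyone copies the fixture into a real deployment; state in a README or a header comment beside these files that this key pair is test-only and must never be trusted outside the docker integration tests, or generate the keys at test runtime so no private material lands in git at all.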
61 changes: 61 additions & 0 deletions scripts/docker-integration-tests/aggregator_tls/docker-compose.yml
@@ -0,0 +1,61 @@
version: "3.5"
services:
dbnode01:
expose:
- "9000-9004"
- "2379-2380"
- "7201"
ports:
- "0.0.0.0:9000-9004:9000-9004"
- "0.0.0.0:2379-2380:2379-2380"
- "0.0.0.0:7201:7201"
networks:
- backend
image: "m3dbnode_integration:${REVISION}"
m3coordinator01:
expose:
- "7202"
- "7203"
- "7204"
ports:
- "0.0.0.0:7202:7202"
- "0.0.0.0:7203:7203"
- "0.0.0.0:7204:7204"
networks:
- backend
image: "m3coordinator_integration:${REVISION}"
volumes:
- "./m3coordinator.yml:/etc/m3coordinator/m3coordinator.yml"
- "./client.crt:/tmp/client.crt"
- "./client.key:/tmp/client.key"
- "./rootCA.crt:/tmp/rootCA.crt"
m3aggregator01:
expose:
- "6001"
- "6000"
ports:
- "127.0.0.1:6001:6001"
- "127.0.0.1:6000:6000"
networks:
- backend
environment:
- M3AGGREGATOR_HOST_ID=m3aggregator01
image: "m3aggregator_integration:${REVISION}"
volumes:
- "./m3aggregator.yml:/etc/m3aggregator/m3aggregator.yml"
- "./server.crt:/tmp/server.crt"
- "./server.key:/tmp/server.key"
- "./rootCA.crt:/tmp/rootCA.crt"
m3aggregator02:
networks:
- backend
environment:
- M3AGGREGATOR_HOST_ID=m3aggregator02
image: "m3aggregator_integration:${REVISION}"
volumes:
- "./m3aggregator.yml:/etc/m3aggregator/m3aggregator.yml"
- "./server.crt:/tmp/server.crt"
- "./server.key:/tmp/server.key"
- "./rootCA.crt:/tmp/rootCA.crt"
networks:
backend:
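Review bot: the certificate and key volumes (`- "./server.key:/tmp/server.key"` and the matching client.crt/client.key/rootCA.crt mounts) are bind-mounted read-write into world-writable /tmp; append `:ro` to each mount and use a dedicated path such as /etc/m3aggregator/tls so a misbehaving process under test cannot overwrite the CA or the key. Note also that m3aggregator01 and m3aggregator02 present the same server.crt, so the m3coordinator client can only verify both unless that certificate's SANs cover both hostnames or the client skips hostname verification; the m3coordinator.yml client configuration that decides this is not in this view, so please confirm it in the PR description.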
262 changes: 262 additions & 0 deletions scripts/docker-integration-tests/aggregator_tls/m3aggregator.yml
@@ -0,0 +1,262 @@
logging:
level: info

metrics:
scope:
prefix: m3aggregator
prometheus:
onError: none
handlerPath: /metrics
sanitization: prometheus
samplingRate: 1.0
extended: none

http:
listenAddress: 0.0.0.0:6001
readTimeout: 60s
writeTimeout: 60s

rawtcp:
listenAddress: 0.0.0.0:6000
keepAliveEnabled: true
keepAlivePeriod: 1m
tls:
mode: enforced
mTLSEnabled: true
certFile: /tmp/server.crt
keyFile: /tmp/server.key
clientCAFile: /tmp/rootCA.crt
retry:
initialBackoff: 5ms
backoffFactor: 2.0
maxBackoff: 1s
forever: true
jitter: true
readBufferSize: 65536
protobufIterator:
initBufferSize: 1440
maxMessageSize: 50000000 # max message size is 50MB
bytesPool:
buckets:
- count: 1024
capacity: 2048
- count: 512
capacity: 4096
- count: 256
capacity: 8192
- count: 128
capacity: 16384
- count: 64
capacity: 32768
- count: 32
capacity: 65536
watermark:
low: 0.001
high: 0.002

kvClient:
etcd:
env: override_test_env
zone: embedded
service: m3aggregator
cacheDir: /var/lib/m3kv
etcdClusters:
- zone: embedded
endpoints:
- dbnode01:2379

runtimeOptions:
kvConfig:
environment: override_test_env
zone: embedded
writeValuesPerMetricLimitPerSecondKey: write-values-per-metric-limit-per-second
writeValuesPerMetricLimitPerSecond: 0
writeNewMetricLimitClusterPerSecondKey: write-new-metric-limit-cluster-per-second
writeNewMetricLimitClusterPerSecond: 0
writeNewMetricNoLimitWarmupDuration: 0

aggregator:
hostID:
resolver: environment
envVarName: M3AGGREGATOR_HOST_ID
instanceID:
type: host_id
metricPrefix: ""
counterPrefix: ""
timerPrefix: ""
gaugePrefix: ""
aggregationTypes:
counterTransformFnType: empty
timerTransformFnType: suffix
gaugeTransformFnType: empty
aggregationTypesPool:
size: 1024
quantilesPool:
buckets:
- count: 256
capacity: 4
- count: 128
capacity: 8
stream:
eps: 0.001
capacity: 32
streamPool:
size: 4096
samplePool:
size: 4096
floatsPool:
buckets:
- count: 4096
capacity: 16
- count: 2048
capacity: 32
- count: 1024
capacity: 64
client:
placementKV:
namespace: /placement
zone: embedded
environment: override_test_env
placementWatcher:
key: m3aggregator
initWatchTimeout: 15s
hashType: murmur32
shardCutoffLingerDuration: 1m
encoder:
initBufferSize: 100
maxMessageSize: 50000000
bytesPool:
buckets:
- capacity: 16
count: 10
- capacity: 32
count: 20
watermark:
low: 0.001
high: 0.01
maxTimerBatchSize: 140
queueSize: 1000
queueDropType: oldest
connection:
connectionTimeout: 1s
connectionKeepAlive: true
writeTimeout: 1s
initReconnectThreshold: 2
maxReconnectThreshold: 5000
reconnectThresholdMultiplier: 2
maxReconnectDuration: 1m
placementManager:
kvConfig:
namespace: /placement
environment: override_test_env
zone: embedded
placementWatcher:
key: m3aggregator
initWatchTimeout: 10s
hashType: murmur32
bufferDurationBeforeShardCutover: 10m
bufferDurationAfterShardCutoff: 10m
resignTimeout: 1m
flushTimesManager:
kvConfig:
environment: override_test_env
zone: embedded
flushTimesKeyFmt: shardset/%d/flush
flushTimesPersistRetrier:
initialBackoff: 100ms
backoffFactor: 2.0
maxBackoff: 2s
maxRetries: 3
electionManager:
election:
leaderTimeout: 10s
resignTimeout: 10s
ttlSeconds: 10
serviceID:
name: m3aggregator
environment: override_test_env
zone: embedded
electionKeyFmt: shardset/%d/lock
campaignRetrier:
initialBackoff: 100ms
backoffFactor: 2.0
maxBackoff: 2s
forever: true
jitter: true
changeRetrier:
initialBackoff: 100ms
backoffFactor: 2.0
maxBackoff: 5s
forever: true
jitter: true
resignRetrier:
initialBackoff: 100ms
backoffFactor: 2.0
maxBackoff: 5s
forever: true
jitter: true
campaignStateCheckInterval: 1s
shardCutoffCheckOffset: 30s
flushManager:
checkEvery: 1s
jitterEnabled: true
maxJitters:
- flushInterval: 5s
maxJitterPercent: 1.0
- flushInterval: 10s
maxJitterPercent: 0.5
- flushInterval: 1m
maxJitterPercent: 0.5
- flushInterval: 10m
maxJitterPercent: 0.5
- flushInterval: 1h
maxJitterPercent: 0.25
numWorkersPerCPU: 0.5
maxBufferSize: 5m
forcedFlushWindowSize: 10s
flush:
handlers:
- dynamicBackend:
name: m3msg
hashType: murmur32
producer:
buffer:
maxBufferSize: 1000000000 # max buffer before m3msg start dropping data.
writer:
topicName: aggregated_metrics
topicServiceOverride:
zone: embedded
environment: override_test_env
messageRetry:
initialBackoff: 1m
maxBackoff: 2m
messageQueueNewWritesScanInterval: 1s
ackErrorRetry:
initialBackoff: 2s
maxBackoff: 10s
connection:
dialTimeout: 5s
writeTimeout: 5s
retry:
initialBackoff: 1s
maxBackoff: 10s
flushInterval: 1s
writeBufferSize: 16384
readBufferSize: 256
forwarding:
maxSingleDelay: 5s
entryTTL: 6h
entryCheckInterval: 10m
maxTimerBatchSizePerWrite: 140
defaultStoragePolicies:
- 10s:2d
maxNumCachedSourceSets: 2
discardNaNAggregatedValues: true
entryPool:
size: 4096
counterElemPool:
size: 4096
timerElemPool:
size: 4096
gaugeElemPool:
size: 4096
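Review bot: the new `rawtcp.tls` block (`mode: enforced`, `mTLSEnabled: true`, `clientCAFile: /tmp/rootCA.crt`) exposes no minimum protocol version or cipher-suite setting, so the server inherits crypto/tls defaults, and the effective minimum then depends on the Go version the binary was built with; either add a `minVersion` field here or document the default the aggregator pins. The commit history ("maybeUpgradeToTLS", "bufio.Reader replaced with a peek function", "ServerMode methods generated with enumer") implies at least one other mode that sniffs the first byte and still accepts plaintext, so list the valid `mode` values in this config or the docs and state explicitly that only `enforced` rejects plaintext clients. Finally, the "TLS config TTL" commit suggests certFile/keyFile are re-read on a timer, yet no TTL field appears in this block; surface it (or its default) so operators rotating server.crt know when the new certificate takes effect.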