Allow specifying simple gRPC transport credentials #508
Conversation
|
This is a preliminary PR to see if you are interested in this, if so I'll fix up the tests. |
tcolgate
changed the title
There was a problem hiding this comment.
I feel like we should differentiate between server certs and client certs. What if that is different? Also you state that in description that those flags are for incoming request and then you use it for store client connections.
Also, what if each storeAPI will required different key?
cmd/thanos/flags.go
Outdated
| grpcBindAddr := cmd.Flag("grpc-address", "Listen ip:port address for gRPC endpoints (StoreAPI). Make sure this address is routable from other components if you use gossip, 'grpc-advertise-address' is empty and you require cross-node connection."). | ||
| Default("0.0.0.0:10901").String() | ||
|
|
||
| grpcAdvertiseAddr := cmd.Flag("grpc-advertise-address", "Explicit (external) host:port address to advertise for gRPC StoreAPI in gossip cluster. If empty, 'grpc-address' will be used."). | ||
| String() | ||
|
|
||
| grpcTLSInsecure := cmd.Flag("grpc-tls-insecure", "Do not use gRPC transport credentials to verify connections").Default("true").Bool() |
There was a problem hiding this comment.
Let's make sure in the name to be clear that this touches incoming requests.
Just note that only thanos query calls those grpc Requests. Rest is only serving those.
|
For the first stab I went for the simplest setup, but TBH this isn't what I'd do for production services (this is how the gRPC examples set things up). Ideally we'd have:
Unfortunately this ends up amounting to an awful lot of cli flags. grpc-server-cert Thoughts? |
tcolgate
force-pushed
the
grpccreds
branch
2 times, most recently
from
fb740ea to
25678f5
Compare
|
@Bplotka updated the arg names, they still aren't very pretty. If you have specific ideas, please do say. (personally I'd have something like --query.tls.caCert , --grpc.tls.cert --grpc.tls.key, some of the existing args seem to follow that kind of format, but I've not been able to discern a pattern to them. opted for creds rather than tlsCreds, it's a little more accurate, and matches the functions they are then used with. |
|
Mostly note to self. Will add client key/cert and server client verification CA. Need this (or actual per roc auth cress) for minimal secure use case |
|
@Bplotka updated to provide full client cert and server side verification. |
cmd/thanos/query.go
Outdated
| *insecure, | ||
| *srvcert, | ||
| *srvkey, | ||
| *srvclientca, |
There was a problem hiding this comment.
let's make it camelCase everywhere: srvKey srvClientCA etc
tcolgate
force-pushed
the
grpccreds
branch
3 times, most recently
from
b448646 to
0c41c21
Compare
|
Can we have some rebase? |
|
@Bplotka opened a whole can of rebase! |
|
@Bplotka fixed my dep woes, docs and deps updated. |
tcolgate
force-pushed
the
grpccreds
branch
4 times, most recently
from
00622b2 to
113a71e
Compare
|
@bwplotka we're running this locally with seeming success. Have yet to confirm query -> multiple store gateways over a WAN, but single query to single gateway in cluster is fine. |
|
Let's change the |
tcolgate
changed the title
|
@bwplotka rebased on master, not quite sure what is going on with the Gopkg.lock, possible my version of dep is too old/new? |
|
what do you use for deps? Can you use reset your changes on |
|
@bwplotka reset it and |
|
finally some tooling work paid off 😅 |
cmd/thanos/main.go
Outdated
| @@ -227,6 +231,43 @@ func defaultGRPCServerOpts(logger log.Logger, reg *prometheus.Registry, tracer o | |||
| grpc_recovery.StreamServerInterceptor(grpc_recovery.WithRecoveryHandler(grpcPanicRecoveryHandler)), | |||
| ), | |||
| } | |||
|
|
|||
| if key == "" || cert == "" { | |||
There was a problem hiding this comment.
I think we need error if any of this is filled but not all. Also if clientCA is filled but those keys not.
There was a problem hiding this comment.
not sure if you want a log and an error, or just an error, and is returning an errors.New OK?
cmd/thanos/query.go
Outdated
| creds := credentials.NewTLS(tlsCfg) | ||
| dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds)) | ||
|
|
||
| return dialOpts, nil |
There was a problem hiding this comment.
ditto, we can just inline this.
cmd/thanos/main.go
Outdated
| level.Info(logger).Log("msg", "gRPC server TLS client verification enabled") | ||
| } | ||
|
|
||
| creds := credentials.NewTLS(tlsCfg) |
There was a problem hiding this comment.
i don't think you need creds variable
So our thinking in Thanos is - if you do a variable it means that you need this in more places than just one. Otherwise just inline (: Do you agree with this?
| @@ -28,18 +31,24 @@ import ( | |||
| "github.com/prometheus/prometheus/promql" | |||
| "github.com/prometheus/tsdb/labels" | |||
| "google.golang.org/grpc" | |||
| "google.golang.org/grpc/credentials" | |||
| "gopkg.in/alecthomas/kingpin.v2" | |||
| ) | |||
|
|
|||
| // registerQuery registers a query command. | |||
There was a problem hiding this comment.
BTW what happened to GitHub - coloring for golang sucks ... now there is some red mark on go comments??
There was a problem hiding this comment.
It's doing it for me too, I've no idea what is going on there.
|
No, review is completely cool, very important to match the project style (it's also a better patch for it) |
|
Thanks! That is epic addition. |
No description provided.