Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authc/z: Enable grpc_client_config to allow mTLS #4176

Merged
merged 2 commits into from
Aug 24, 2021
Merged

Authc/z: Enable grpc_client_config to allow mTLS #4176

merged 2 commits into from
Aug 24, 2021

Conversation

sokoide
Copy link
Contributor

@sokoide sokoide commented Aug 17, 2021

What this PR does / why we need it:
Loki can be protected by mTLS. However, if you configure grpc_tls_config, internal grpc clients (e.g. distributor/querier to ingester) fails to connect because the client cert option is not supported.
The fix allows it.

Which issue(s) this PR fixes:
Fixes #3252

Special notes for your reviewer:
This has been tested with the following Loki config.

server:
  http_listen_port: 13101
  grpc_listen_port: 18931
  log_level: debug
  http_tls_config:
    key_file: /path/to/key.pem
    cert_file: /path/to/cert.pem
    client_ca_file: /path/to/ca.pem
    client_auth_type: VerifyClientCertIfGiven
  grpc_tls_config:
    key_file: /path/to/key.pem
    cert_file: /path/to/cert.pem
    client_ca_file: /path/to/ca.pem
    client_auth_type: VerifyClientCertIfGiven

ingester_client:
  grpc_client_config:
    tls_enabled: true
    tls_cert_path: path/to/cert.pem
    tls_key_path:  path/to/key.pem
    tls_ca_path: path/to/ca.pem
...

Checklist

  • Documentation added
  • Tests updated

@sokoide sokoide requested a review from a team as a code owner August 17, 2021 03:11
@CLAassistant
Copy link

CLAassistant commented Aug 17, 2021
edited
Loading

CLA assistant check
All committers have signed the CLA.

sandy2008
sandy2008 approved these changes Aug 17, 2021
View reviewed changes
Copy link
Contributor

@sandy2008 sandy2008 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@sokoide sokoide marked this pull request as draft August 18, 2021 04:57
@owen-d
Copy link
Member

owen-d commented Aug 18, 2021

Hey, this is a great draft! Removing this explicit call to WithInsecure is definitely a good idea, as it's already conditionally applied in the configuration. I've also created an issue to track handling mTLS via grpc in a consistent way across our code base/configuration.

If you're ready, please unmark this as draft and I think we can merge it :) .

@owen-d owen-d mentioned this pull request Aug 18, 2021
Open
owen-d
owen-d reviewed Aug 18, 2021
View reviewed changes
Copy link
Member

@owen-d owen-d left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once we remove this block.

It's handled in the configuration chain:
https://github.com/cortexproject/cortex/blob/master/pkg/util/grpcclient/grpcclient.go#L78
https://github.com/cortexproject/cortex/blob/master/pkg/util/tls/tls.go#L78

pkg/ingester/client/client.go Outdated Show resolved Hide resolved
@sokoide sokoide marked this pull request as ready for review August 23, 2021 23:59
@owen-d owen-d merged commit b72d8ab into grafana:main Aug 24, 2021
@sokoide sokoide deleted the sokoide-authcz branch August 26, 2021 01:09
@sokoide sokoide mentioned this pull request Aug 27, 2021
Closed
sokoide added a commit to sokoide/loki that referenced this pull request Aug 28, 2021
@sokoide
fix: merge grafana#4176
3ab24e1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sandy2008 sandy2008 sandy2008 approved these changes

@owen-d owen-d owen-d approved these changes

Assignees
No one assigned
Labels
size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The "query frontend" service does not support the grpc_client_config settings
4 participants
@sokoide @CLAassistant @owen-d @sandy2008