
[query-frontend] TLS configuration for downstream query backend #6674

Closed
twiden opened this issue Aug 28, 2023 · 2 comments · Fixed by #6760

Comments


twiden commented Aug 28, 2023

Is your proposal related to a problem?

I'm setting up Thanos in an environment where Istio enforces strict mTLS. Each pod, including the Thanos frontend, runs a sidecar that exposes the application through a TLS-enabled port with self-signed certificates generated by Istio.

Most Thanos and Prometheus components let me configure the application to use the CA, cert and key from a file on disk. This is very convenient because the Istio sidecar can provide a volume with these files.

But I can't find a way to pass this configuration to query-frontend. It seems like the binary simply does not take any argument for this. We have --query-frontend.downstream-tripper-config and --query-frontend.downstream-tripper-config-file, but these only provide a subset of the config that the transport Go library can handle.

Describe the solution you'd like

I would like to pass a TLSConfig to Thanos query-frontend pointing out the caFile, certFile and keyFile on disk, as well as the ability to skip the hostname check. These could be provided through --query-frontend.downstream-tripper-config and --query-frontend.downstream-tripper-config-file.

For Ruler I can accomplish this with a query_config:

  - http_config:
      tls_config:
        ca_file: "/etc/certs/root-cert.pem"
        cert_file: "/etc/certs/cert-chain.pem"
        key_file: "/etc/certs/key.pem"
        insecure_skip_verify: true

Describe alternatives you've considered

The only way around this that I have found is to add pod annotations so that Istio ignores traffic on the incoming HTTP port of the Thanos query backend and on the outgoing port on query-frontend. But this affects other services such as Grafana, which also communicates with the query backend. Grafana can handle these TLS settings, but I have to make the same hacky workaround on the Grafana pod anyway since I've had to bypass it on the datasource.
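To make the requested feature concrete, here is an added example (not code from Thanos or from the reporter) that maps the four tls_config keys in the issue onto the tls.Config a downstream http.Transport would use; the TLSFileConfig type name and the NewTLSConfig function are assumptions. Note that Go's InsecureSkipVerify disables chain verification as well as the hostname check, so "skip hostname check" is a broader setting than the name suggests.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// TLSFileConfig mirrors the tls_config keys from the issue (the type name is an assumption).
type TLSFileConfig struct {
	CAFile             string `yaml:"ca_file"`
	CertFile           string `yaml:"cert_file"`
	KeyFile            string `yaml:"key_file"`
	InsecureSkipVerify bool   `yaml:"insecure_skip_verify"`
}

// NewTLSConfig builds the tls.Config a downstream http.Transport would use from those paths.
// Note: Go's InsecureSkipVerify disables chain and hostname verification, not just the name check.
func NewTLSConfig(cfg TLSFileConfig) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: cfg.InsecureSkipVerify}
	if cfg.CAFile != "" { // empty ca_file keeps the system roots
		pemBytes, err := os.ReadFile(cfg.CAFile)
		if err != nil {
			return nil, fmt.Errorf("read ca_file: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) { // an empty pool would silently fail every handshake
			return nil, errors.New("ca_file holds no PEM certificates")
		}
		tc.RootCAs = pool
	}
	if cfg.CertFile != "" || cfg.KeyFile != "" { // client certificate for the mTLS side
		cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("load client cert: %w", err)
		}
		tc.Certificates = []tls.Certificate{cert}
	}
	return tc, nil
}

func main() {
	cfg := TLSFileConfig{CAFile: "/etc/certs/root-cert.pem", CertFile: "/etc/certs/cert-chain.pem", KeyFile: "/etc/certs/key.pem"}
	tc, err := NewTLSConfig(cfg) // fails with a clear error on a host without the Istio-mounted volume
	_ = &http.Transport{TLSClientConfig: tc} // where query-frontend's downstream tripper would plug it in
	fmt.Println("tls config built:", tc != nil, "error:", err)
}
```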

@GiedriusS (Member)

Makes sense, I think we can add this to the same downstream tripper config.


WYGIN commented Sep 24, 2023

Hi, I am willing to contribute to this PR, and it would be helpful if you could point me to some resources that explain how to test changes made locally.
