Receive: stop relying on grpc server config to set grpc client secure/skipVerify #7219
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
6 times, most recently
from
96b6157
to
515cb94
Compare
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
3 times, most recently
from
12861c0
to
2c34e17
Compare
|
Hi, |
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
from
2c34e17
to
ccc77d8
Compare
|
I did not fully understand the TLS setup, at which point in Thanos do you have TLS enabled? |
@fpetkovski : thanks for having a look. In my setup, thanos is never configured with TLS, as the TLS termination is done externally at the listener level in AWS. The problem here is that the code assumes that the gRPC client (used when talking with the other members of the hashring) is using TLS only if the server is configured with TLS. For my use case, these 2 notions must be decoupled, as it is done in query. |
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
from
ccc77d8
to
c026df8
Compare
fpetkovski
previously approved these changes
Apr 9, 2024
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
from
c026df8
to
a347b49
Compare
…/skipVerify Signed-off-by: Guillaume Lecerf <guillaume.lecerf@iziwork.com>
guillaumelecerf
force-pushed
the
bugfix/client-tls-external-termination
branch
from
a347b49
to
9998c9b
Compare
fpetkovski
approved these changes
Apr 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
I'm using a thanos receive HA cluster on ECS Fargate, with 3 endpoints in the hashring, with one dedicated listener + grpc target group per endpoint.
The TLS termination is done at the listener level (so out of thanos). Therefore the thanos receive containers are configured with no TLS.
When testing, I ended up with
error reading server preface: http2: frame too largeerrors.After debugging, I found that the receive grpc client is configured in secure mode only if the receive grpc server has TLS enabled.
This breaks the inter-endpoint communication between our hashring members.
To fix this problem, I introduce 2 new flags
--remote-write.client-tls-secureand--remote-write.client-tls-skip-verifyto mimic what is done in the grpc client configuration of thanos query..Verification
Everything is now working on our cluster.