Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support TLS #2350

Closed
jtlisi opened this issue Mar 29, 2020 · 4 comments · Fixed by #2502
Closed

Support TLS #2350

jtlisi opened this issue Mar 29, 2020 · 4 comments · Fixed by #2502
Labels
type/security

Comments

@jtlisi
Copy link
Contributor

jtlisi commented Mar 29, 2020

Cortex as a project does not have many mechanisms in place to secure its messages. As things stand, no security mechanisms exist with cortex and that responsibility is off-loaded to the system that proxies requests to Cortex. As a distributed system with significant traffic between services, I think we should consider adding support for TLS within Cortex. Initially this support could be focuses on GRPC services within Cortex and then expanded to cover its HTTP services.
@jtlisi jtlisi added type/production Issues related to the production use of Cortex, inc. configuration, alerting and operating. type/security and removed type/production Issues related to the production use of Cortex, inc. configuration, alerting and operating. labels Mar 29, 2020
@annanay25
Copy link
Contributor

annanay25 commented Apr 8, 2020
edited
Loading

I'd like to pick this up!

To do this, we can add support for bidirectional (client and server) auth. The supported TLS version could be synced with the prometheus node_exporter https package.

Tracking steps

  • Add HTTPS support to weaveworks/common/server by adding TLSConfig options. The relevant changes are here.
  • Add TLS support to all HTTP/GRPC clients in cortex components that interact with weaveworks/common/server. (Will probably split this off into multiple PRs depending on number of files touched).

@bboreham
Copy link
Contributor

bboreham commented Apr 8, 2020

Ping me if you make a PR in weaveworks/common - I don't always catch the notification.

@annanay25 annanay25 mentioned this issue Apr 9, 2020
Merged
@halcyondude
Copy link
Contributor

Has the approach of relying on a service mesh (e.g. linkerd, or something else) to enable mTLS between services been explored? This might be simpler than baking it into the project itself, and might integrate more cohesively with existing k8s fleets.

@annanay25
Copy link
Contributor

@halcyondude - I have answered on the PR.

This was referenced Apr 22, 2020
Merged
Merged
@simonswine simonswine mentioned this issue Aug 11, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add TLS support to HTTP/GRPC clients annanay25/cortex
4 participants
@halcyondude @jtlisi @bboreham @annanay25