Update dskit and add TLS cipher suites and minimum version support for clients #3070
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -894,6 +894,45 @@ store_gateway_client: | |||||
# CLI flag: -querier.store-gateway-client.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
These are auto-generated from code in another library. I will change it there.
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -querier.store-gateway-client.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -querier.store-gateway-client.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
|
||||||
# (advanced) Fetch in-memory series from the minimum set of required ingesters, | ||||||
# selecting only ingesters which may have received series since | ||||||
# -querier.query-ingesters-within. If this setting is false or | ||||||
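Review bot: The "Insecure Ciphers" entries under "Allowed values" for -querier.store-gateway-client.tls-cipher-suites (the RC4 and 3DES suites among them) carry no statement of what selecting one means for the connection, and the "# CLI flag:" line follows the last suite with no separating "#" line, so it reads as one more list item. Suggest a sentence saying the insecure suites are there for legacy peers and should not be enabled otherwise, plus an empty comment line before "# CLI flag:". As the text is generated from another library, the wording fix belongs in that generator.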
|
@@ -1229,6 +1268,45 @@ alertmanager_client: | |||||
# CLI flag: -ruler.alertmanager-client.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -ruler.alertmanager-client.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -ruler.alertmanager-client.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
|
||||||
# HTTP Basic authentication username. It overrides the username set in the URL | ||||||
# (if any). | ||||||
# CLI flag: -ruler.alertmanager-client.basic-auth-username | ||||||
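Review bot: tls_min_version in the ruler alertmanager_client block offers VersionTLS10 and VersionTLS11 and has default = "", but nothing says which minimum applies when the value is left empty. Suggest stating the effective default so an operator can tell whether leaving it unset is already acceptable, and noting that the two oldest versions are meant only for legacy endpoints. It would also help to say how VersionTLS13 interacts with tls_cipher_suites, since TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 are listed as selectable.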
|
@@ -1615,6 +1693,45 @@ alertmanager_client: | |||||
# CLI flag: -alertmanager.alertmanager-client.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -alertmanager.alertmanager-client.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -alertmanager.alertmanager-client.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
|
||||||
# (advanced) The interval between persisting the current alertmanager state | ||||||
# (notification log and silences) to object storage. This is only used when | ||||||
# sharding is enabled. This state is read when all replicas for a shard can not | ||||||
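Review bot: The description of -alertmanager.alertmanager-client.tls-cipher-suites gives "separated by commas" as its only format guidance and does not say what happens with a name that is not in the list or with an empty element left by a stray comma. Suggest documenting whether an unrecognised name fails startup or is ignored, and showing one example value, such as two of the ECDHE GCM suites joined by a comma. With default = "" it is also unclear which suites are offered when the option is unset.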
|
@@ -1774,6 +1891,45 @@ backoff_config: | |||||
# (advanced) Skip validating server certificate. | ||||||
# CLI flag: -<prefix>.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -<prefix>.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -<prefix>.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
``` | ||||||
|
||||||
### frontend_worker | ||||||
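Review bot: The full cipher list under -<prefix>.tls-cipher-suites repeats verbatim what the three client blocks earlier in this file already carry, which makes the reference harder to scan and means any hand edit to one copy will drift from the others. Suggest having the generator emit the list once in a shared section and letting each tls_cipher_suites entry refer to it, keeping only the flag name and default per block.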
|
@@ -1866,6 +2022,45 @@ The `etcd` block configures the etcd client. The supported CLI flags `<prefix>` | |||||
# CLI flag: -<prefix>.etcd.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -<prefix>.etcd.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -<prefix>.etcd.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
|
||||||
# Etcd username. | ||||||
# CLI flag: -<prefix>.etcd.username | ||||||
[username: <string> | default = ""] | ||||||
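Review bot: The classification in the etcd block is hard to follow as written: TLS_RSA_WITH_AES_128_CBC_SHA sits under "Secure Ciphers" while TLS_RSA_WITH_AES_128_CBC_SHA256 sits under "Insecure Ciphers", and the "Secure" group also includes the static-RSA TLS_RSA_WITH_* suites, which provide no forward secrecy. Suggest a line saying where the secure/insecure split comes from (for example, that it mirrors the upstream TLS library's own lists) so readers do not take "Secure" as an endorsement of every entry, or renaming the headings to something more neutral.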
|
@@ -2082,6 +2277,45 @@ The `memberlist` block configures the Gossip memberlist. | |||||
# (advanced) Skip validating server certificate. | ||||||
# CLI flag: -memberlist.tls-insecure-skip-verify | ||||||
[tls_insecure_skip_verify: <boolean> | default = false] | ||||||
|
||||||
# (advanced) Override the default cipher suite list (separated by commas). | ||||||
# Allowed values: | ||||||
# | ||||||
# Secure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_AES_128_GCM_SHA256 | ||||||
# - TLS_AES_256_GCM_SHA384 | ||||||
# - TLS_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||||||
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ||||||
# | ||||||
# Insecure Ciphers: | ||||||
|
||||||
# - TLS_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA | ||||||
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ||||||
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ||||||
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ||||||
# CLI flag: -memberlist.tls-cipher-suites | ||||||
[tls_cipher_suites: <string> | default = ""] | ||||||
|
||||||
# (advanced) Override the default minimum TLS version. Allowed values: | ||||||
# VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 | ||||||
# CLI flag: -memberlist.tls-min-version | ||||||
[tls_min_version: <string> | default = ""] | ||||||
``` | ||||||
|
||||||
### limits | ||||||
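Review bot: For -memberlist.tls-cipher-suites and -memberlist.tls-min-version the text does not mention that the values have to remain compatible across all members. Because gossip members connect to one another, a restrictive suite list or a higher minimum version rolled out to only part of the cluster could leave those members unable to reach the rest. Suggest one sentence stating that every member needs at least one suite and one protocol version in common, and that changes should be rolled out with that in mind.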
|