Adding TLS to node exporter. Server Auth only. #1198
Conversation
…nd key via flag Signed-off-by: Andrew Chiu <andrew.chiu2@baesystems.com>
Signed-off-by: Andrew Chiu <andrew.chiu2@baesystems.com>
|
Nice, thanks for getting this started. First question, how does this handle cert rotation? |
|
Hi, thanks for responding :) There is no certificate rotation handling in place so when a new cert is generated then it still maintains new connections with the old cert unless the server is restarted, pointing to the new file. |
|
Yes, auto-reloading when a new cert file is written would be Ideal. I don't consider it a blocker. We're probably going to factor some of this code out into a library |
|
Thanks for the link, that seems helpful. |
|
I think if we want to handle this consistent across all prometheus project, it should be implemented as it's own package. Maybe in common? Maybe in client_golang? |
|
I would not like to see this in client_golang. I have started to do fairly regular releases there, ramping up to the planned 1.0.0 release. The more independent components we have in this repo, the more problematic releases are. We already have two completely independent things in there: the exposition client and the API client. Releases are mostly driven by changes in the exposition client. Syncing them with the API client is already mildly problematic. prometheus/common might be the right place, as it is a mixed bag anyway. Not having versioning tags there is, however, also seen as problematic by now, especially given the rise of Go modules with the increased significance of semver tags. I think we should find a consensus in the community what the common repo should be used for and how it should be handled. Based on that, we can come up with a decision for TLS tooling. |
The plan of record is that we'll get it working here, and then move it out once it's stable and we want to use it elsewhere. I'd presume to common.
It's more that noone has asked for them yet. |
That makes sense. In that case though I would suggest implementing this as it's own package within this repo, e.g |
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
|
I would like to see this merged... |
|
Hello, I've been working with @achiuBAE on this. |
|
@ksherryBAE So it would check if the file changed on each request? Not sure, might be fine for the node-exporter case but not necessary for others where we would like to use this. Maybe just don't do reload in the first take on this. I think it's more important to figure out the interface of the module so it will work for other parts of the prometheus project too. |
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
…into tls-server-auth
|
@discordianfish The current method reloads the certs and keys on receiving a client hello. Only one hello is received per connection so it will not reload every time a scrape occurs. |
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
|
The tests currently fail due to path issues. I belive this pull request will fix it: #1245 |
…into tls-server-auth
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
…http.Server) Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: James Ritchie <james.g.ritchie@baesystems.com>
Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
https/tls-config.yml
Outdated
| # Boolean value - TLS insecure if true so should only be set as true for testing | ||
| insecureSkipVerify : ~ | ||
|
|
||
| #Array of uint16 supported cipher suites |
There was a problem hiding this comment.
The plan of record is not to offer anything below this line, just to stick with Go defaults.
There was a problem hiding this comment.
@brian-brazil not quite sure I follow your comment. Are you saying a user should not be able to configure cipher suites or prefered cipher suites? Given that Golang supports many insecure ones I think we should expose these options to the users, e.g. to have them prevent down-grade attacks, ... What do you think?
There was a problem hiding this comment.
Yes, that's what I'm saying. The Go defaults are sane, if someone has a more advanced use case they're free to use a reverse proxy. This was what was agreed at the last dev summit.
|
@brian-brazil That has been removed |
|
Having this as a shared library sounds great. I would like to reuse this for securing the cluster traffic of Alertmanager in the long run (see prometheus/alertmanager#1763). I agree with @beorn7 to not put it in Reloading the certificate files on each TLS dial sounds expensive. Could we either listen on filesystem changes or trigger a reload via sighups or an http endpoint? In regards to the current state of this patch: I am happy to help out reviewing the code. Would you @achiuBAE and @ksherryBAE mind squashing the 66 commits into a reasonable amount of commits? It seems like you included patches not related to this pull request as well. |
|
@mxinden Any specific commit you want it squashed from? Also if the patching you're on about is the vendor fixes - the ci and tests wouldn't pass without it. |
I think you're confusing this with the http tls client code we have. |
|
what happened to this PR? 304 file changes.. |
|
Might it be worth taking the https file and creating a PR in common now, then create a new PR in here that implements that package from common and ditch this PR? |
|
We want to release here first, fix any big issues that arise, and then move over to common. |
|
Do we want to use go 1.12 and TLS 1.3 ? ( https://github.com/containous/traefik/blob/fb617044e0221b7f9f0665d4c8adaa3736335cf4/cmd/traefik/traefik.go#L46-L52 ) |
|
We'll use whatever the Go defaults are for the version we're compiled with. |
|
The Go defaults currently to TLS 1.2, that's what has been implemented. |
|
Squash them in whatever way you think will be easiest to do/review. I think you need to rebase from master also. |
…ng and imports for CI Signed-off-by: ksherryBAE <kieran.sherry@baesystems.com>
|
@brian-brazil I've merged master in and have squashed the final commits, the rebasing was giving me a bit of grief because of the earlier merging. |
|
The PR doesn't look right, there's other changes there from master that aren't yours. |
|
Yeah, that's probably the work of earlier merges, would it be better if we put the code changes in a new PR referencing this one on a new branch with only our changes. It would have the added benefit of being far easier to review. |
|
Whatever is easier for you. |
|
Closing in favour of #1277 |
Following on from: https://groups.google.com/forum/#!topic/prometheus-developers/8sez091EtzY
Added a TLS listener to node exporter. Server authentication only (no client auth... for now?).
Certificate and private key .pem file passed in via flags:
--web.tls-cert="[path to pem]"
--web.tls-private-key="[path to pem]"
If certificate and private key is concatinated into a single pem, pass in via the --web.tls-cert flag.
If no flags passed, http listener starts up as normal.
http.Server struct used for future potential change to configure the TLS e.g. specifying the cipher suites.
@SuperQ