Add TLS and basic auth #4211
Add TLS and basic auth #4211
Conversation
cmd/thanos/config.go
Outdated
| @@ -54,6 +55,10 @@ func (hc *httpConfig) registerFlag(cmd extkingpin.FlagClause) *httpConfig { | |||
| cmd.Flag("http-grace-period", | |||
| "Time to wait after an interrupt received for HTTP Server."). | |||
| Default("2m").SetValue(&hc.gracePeriod) | |||
| cmd.Flag( | |||
| "http-tls-config", | |||
| "[EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.", | |||
There was a problem hiding this comment.
| "[EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.", | |
| "[EXPERIMENTAL] Path to the configuration file that can enable TLS or authentication for all HTTP endpoints.", |
| @@ -54,6 +55,10 @@ func (hc *httpConfig) registerFlag(cmd extkingpin.FlagClause) *httpConfig { | |||
| cmd.Flag("http-grace-period", | |||
| "Time to wait after an interrupt received for HTTP Server."). | |||
| Default("2m").SetValue(&hc.gracePeriod) | |||
| cmd.Flag( | |||
There was a problem hiding this comment.
What about doing pathorcontent flag? 🤔
There was a problem hiding this comment.
Sure. Will add that in!
There was a problem hiding this comment.
| httpBindAddr = cmd.Flag("http-address", "Listen host:port for HTTP endpoints.").Default("0.0.0.0:10902").String() | ||
| httpGracePeriod = ModelDuration(cmd.Flag("http-grace-period", "Time to wait after an interrupt received for HTTP Server.").Default("2m")) // by default it's the same as query.timeout. | ||
|
|
||
| return httpBindAddr, httpGracePeriod | ||
| httpTLSConfig = cmd.Flag( |
pkg/server/http/http.go
Outdated
| err := toolkit_web.Validate(s.opts.tlsConfigPath) | ||
| if err != nil { | ||
| level.Error(s.logger).Log("msg", "server could not be started", "err", err) | ||
| return errors.Wrap(err, "server could not be started") | ||
| } |
There was a problem hiding this comment.
| err := toolkit_web.Validate(s.opts.tlsConfigPath) | |
| if err != nil { | |
| level.Error(s.logger).Log("msg", "server could not be started", "err", err) | |
| return errors.Wrap(err, "server could not be started") | |
| } | |
| if err := toolkit_web.Validate(s.opts.tlsConfigPath); err != nil { | |
| return errors.Wrap(err, "server could not be started") | |
| } |
Let's make sure to avoid handling the same error twice.
pkg/extkingpin/flags.go
Outdated
|
|
||
| return httpBindAddr, httpGracePeriod | ||
| httpTLSConfig = cmd.Flag( | ||
| "http-tls-config", |
There was a problem hiding this comment.
One nit, I heard from @roidelapluie that Prometheus flag is called web.config.file and not tls-config.file for a good reason: It's not only TLS. I think it's good idea to change it to http.config maybe? Also we can expand (contribute) to exporter toolking to support passing parsed configuration too if we want pathorcontent flag (up to us)
There was a problem hiding this comment.
http.config sounds nice, will change it to that. I'll try to add the passing configuration functionality to exporter-toolkit, but once merged they would probably need to release that. Once it's released with configuration, we can switch over to pathorcontent flag(will make it a separate PR). WDYT? @bwplotka
There was a problem hiding this comment.
From what I understand you do not need changes in the downstream exporter toolkit to achieve what you want.
You could probably do all of this in thanos. --http-config={file} or --http-config=/path:{file} could be supported without upstream changes.
There was a problem hiding this comment.
You could probably do all of this in thanos. --http-config={file} or --http-config=/path:{file} could be supported without upstream changes.
Currently we are doing this, i.e, taking a file path string. But if we try to use the pathorcontent flag that would return the content of the file in byte[] which we can't pass to any of the toolkit methods. Wouldn't that require some changes? @roidelapluie
There was a problem hiding this comment.
Maybe I do not understand the change. Are you trying to use basic auth on certain paths only? Or am I misunderstanding?
There was a problem hiding this comment.
I'm trying to add TLS and basic auth in all HTTP endpoints. This PR currently adds a flag(http-tls-config which I'll change tohttp.config), which like Prometheus takes in the path of the file containing TLS/auth config. If we use the pathorcontent method for this flag, user can pass path of the config file or directly pass the content of the file. Either way pathorcontent will return the content of the config file. But then we can't pass it to exporter-toolkit since the methods only take in path. So, I think the change needs to be made in toolkit...
There was a problem hiding this comment.
There is a reason why we take a path. The file is read on every request to make sure that the TLS certificate and the users are up to date.
There was a problem hiding this comment.
Oh, okay. Then I guess using pathorcontent isn't suitable and the normal Flag method would be better. Also, no change is needed in exporter or Thanos then. Thanks a lot for explaining! 🙂
Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>
Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>
Signed-off-by: Saswata Mukherjee <saswataminsta@yahoo.com>
Changes
This PR adds in TLS and basic auth to Thanos HTTP APIs using exporter-toolkit. Configuration follows a similar pattern to Prometheus, where a file containing TLS configuration is provided using
http-tls-configflag.Addresses issue #4168
Verification
Tested locally.