From 12861c090d14adcba306b2a6d2c12c206c603863 Mon Sep 17 00:00:00 2001
From: Guillaume Lecerf
Date: Wed, 20 Mar 2024 17:05:20 +0100
Subject: [PATCH] Receive: stop relying on grpc server config to set grpc client secure/skipVerify
Signed-off-by: Guillaume Lecerf
---
 CHANGELOG.md | 1 +
 cmd/thanos/receive.go | 10 ++++++++--
 docs/components/receive.md | 6 ++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff8f8bdf395..fc5f5033e42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 - [#7199](https://github.com/thanos-io/thanos/pull/7199): Reloader: Add support for watching and decompressing Prometheus configuration directories
 - [#7200](https://github.com/thanos-io/thanos/pull/7175): Query: Add `--selector.relabel-config` and `--selector.relabel-config-file` flags which allows scoping the Querier to a subset of matched TSDBs.
 - [#7233](https://github.com/thanos-io/thanos/pull/7233): UI: Showing Block Size Stats
+- [#7219](https://github.com/thanos-io/thanos/pull/7219): Receive: add `--remote-write.client-tls-secure` and `--remote-write.client-tls-skip-verify` flags to stop relying on grpc server config to determine grpc client secure/skipVerify.
 ### Changed
diff --git a/cmd/thanos/receive.go b/cmd/thanos/receive.go
index 031b82abc62..11f35c98dd3 100644
--- a/cmd/thanos/receive.go
+++ b/cmd/thanos/receive.go
@@ -144,8 +144,8 @@ func runReceive(
 logger,
 reg,
 tracer,
- conf.grpcConfig.tlsSrvCert != "",
- conf.grpcConfig.tlsSrvClientCA == "",
+ conf.rwClientSecure,
+ conf.rwClientSkipVerify,
 conf.rwClientCert,
 conf.rwClientKey,
 conf.rwClientServerCA,
@@ -778,8 +778,10 @@ type receiveConfig struct {
 rwServerClientCA string
 rwClientCert string
 rwClientKey string
+ rwClientSecure bool
 rwClientServerCA string
 rwClientServerName string
+ rwClientSkipVerify bool
 dataDir string
 labelStrs []string
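Review bot: In the `runReceive` hunk, swapping `conf.grpcConfig.tlsSrvCert != ""` for `conf.rwClientSecure` means a deployment that previously got TLS between receivers implicitly, because a gRPC server certificate was configured, will stop using TLS for forwarded remote-write traffic after upgrade unless the operator adds `--remote-write.client-tls-secure`, since the new flag defaults to `false`. Nothing in the visible lines warns about that, and the CHANGELOG entry sits with the feature entries ahead of `### Changed` rather than carrying the `breaking :warning:` marker the file defines. I would mark the entry as breaking and log a startup warning when `conf.rwClientCert` or `conf.rwClientServerCA` is set while `conf.rwClientSecure` is false, for example `level.Warn(logger).Log("msg", "remote-write client TLS options are set but --remote-write.client-tls-secure is not; forwarding will not use TLS")`. The call these arguments belong to starts and ends outside the hunk, so how the callee treats the certificate and CA options when secure is false should be confirmed there.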
@@ -852,6 +854,10 @@ func (rc *receiveConfig) registerFlag(cmd extkingpin.FlagClause) {
 cmd.Flag("remote-write.client-tls-key", "TLS Key for the client's certificate.").Default("").StringVar(&rc.rwClientKey)
+ cmd.Flag("remote-write.client-tls-secure", "Use TLS when talking to the other receivers.").Default("false").BoolVar(&rc.rwClientSecure)
+
+ cmd.Flag("remote-write.client-tls-skip-verify", "Disable TLS certificate verification when talking to the other receivers i.e self signed, signed by fake CA.").Default("false").BoolVar(&rc.rwClientSkipVerify)
+
 cmd.Flag("remote-write.client-tls-ca", "TLS CA Certificates to use to verify servers.").Default("").StringVar(&rc.rwClientServerCA)
 cmd.Flag("remote-write.client-server-name", "Server name to verify the hostname on the returned TLS certificates. See https://tools.ietf.org/html/rfc4366#section-3.1").Default("").StringVar(&rc.rwClientServerName)
diff --git a/docs/components/receive.md b/docs/components/receive.md
index f9e626d4b6a..fcaa9f57faa 100644
--- a/docs/components/receive.md
+++ b/docs/components/receive.md
@@ -440,6 +440,12 @@ Flags:
 to the server.
 --remote-write.client-tls-key=""
 TLS Key for the client's certificate.
+ --remote-write.client-tls-secure
+ Use TLS when talking to the other receivers.
+ --remote-write.client-tls-skip-verify
+ Disable TLS certificate verification when
+ talking to the other receivers i.e self signed,
+ signed by fake CA.
 --remote-write.server-tls-cert=""
 TLS Certificate for HTTP server, leave blank to disable TLS.
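Review bot: The help text added for `--remote-write.client-tls-skip-verify` in `registerFlag` does not tell the operator that the flag removes server authentication for receiver-to-receiver traffic, nor that it presumably only has an effect when `--remote-write.client-tls-secure` is also set. I would reword it along the lines of `"Disable TLS certificate verification when talking to the other receivers (e.g. self-signed or test CA); only applies with --remote-write.client-tls-secure and is not recommended outside testing."`, which also fixes "i.e" where "e.g." is meant. It would help to warn or fail when `rwClientSkipVerify` is combined with a non-empty `rwClientServerCA` or `rwClientServerName`, since those settings would likely go unused; that check belongs in config validation outside this hunk. The flag listing in docs/components/receive.md would need to be regenerated to match.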