From c67647856700e99437159f777c6392ab04cf5c48 Mon Sep 17 00:00:00 2001
From: Dmitry Shmulevich
Date: Wed, 7 Oct 2020 23:30:47 -0700
Subject: [PATCH 1/5] Redis cache: added parameter to disable SSL certificate verification
Signed-off-by: Dmitry Shmulevich
---
 CHANGELOG.md | 1 +
 docs/configuration/config-file-reference.md | 8 ++++--
 docs/production/caching.md | 4 ++-
 pkg/chunk/cache/redis_client.go | 28 +++++++++++----------
 4 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ee7c42851a..745817d2f77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -72,6 +72,7 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
+* [ENHANCEMENT] Added `redis.tls-skip-verify` flag. Renamed `redis.enable-tls` to `redis.tls-enabled`.
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
 * [BUGFIX] Handle hash-collisions in the query path. #3192
diff --git a/docs/configuration/config-file-reference.md b/docs/configuration/config-file-reference.md
index 975ffbe75f9..05c3f09ddf5 100644
--- a/docs/configuration/config-file-reference.md
+++ b/docs/configuration/config-file-reference.md
@@ -2944,8 +2944,12 @@ The `redis_config` configures the Redis backend cache. The supported CLI flags ` [password: | default = ""] # Enables connecting to redis with TLS. -# CLI flag: -.redis.enable-tls -[enable_tls: | default = false] +# CLI flag: -.redis.tls-enabled +[tls_enabled: | default = false] + +# Disables SSL certificate verification. +# CLI flag: -.redis.tls-skip-verify +[tls_skip_verify: | default = false] # Close connections after remaining idle for this duration. If the value is # zero, then idle connections are not closed. diff --git a/docs/production/caching.md b/docs/production/caching.md index 3f8d64dd2fe..a8b36ef3693 100644 --- a/docs/production/caching.md +++ b/docs/production/caching.md @@ -103,8 +103,10 @@ You can also use [Redis](https://redis.io/) for out-of-process caching; this is -.redis.master-name Redis Sentinel master group name. An empty string for Redis Server or Redis Cluster --.redis.enable-tls +-.redis.tls-enabled Enables connecting to redis with TLS. +-.redis.tls-skip-verify + Disables SSL certificate verification. -.redis.expiration duration How long keys stay in the redis. -.redis.db int diff --git a/pkg/chunk/cache/redis_client.go b/pkg/chunk/cache/redis_client.go index df4ad5aadb3..d0b9fb80de1 100644 --- a/pkg/chunk/cache/redis_client.go +++ b/pkg/chunk/cache/redis_client.go 
@@ -16,16 +16,17 @@ import (
 
 // RedisConfig defines how a RedisCache should be constructed.
 type RedisConfig struct {
- Endpoint string `yaml:"endpoint"`
- MasterName string `yaml:"master_name"`
- Timeout time.Duration `yaml:"timeout"`
- Expiration time.Duration `yaml:"expiration"`
- DB int `yaml:"db"`
- PoolSize int `yaml:"pool_size"`
- Password flagext.Secret `yaml:"password"`
- EnableTLS bool `yaml:"enable_tls"`
- IdleTimeout time.Duration `yaml:"idle_timeout"`
- MaxConnAge time.Duration `yaml:"max_connection_age"`
+ Endpoint string `yaml:"endpoint"`
+ MasterName string `yaml:"master_name"`
+ Timeout time.Duration `yaml:"timeout"`
+ Expiration time.Duration `yaml:"expiration"`
+ DB int `yaml:"db"`
+ PoolSize int `yaml:"pool_size"`
+ Password flagext.Secret `yaml:"password"`
+ TLSEnabled bool `yaml:"tls_enabled"`
+ TLSSkipVerify bool `yaml:"tls_skip_verify"`
+ IdleTimeout time.Duration `yaml:"idle_timeout"`
+ MaxConnAge time.Duration `yaml:"max_connection_age"`
 }
 
 // RegisterFlagsWithPrefix adds the flags required to config this to the given FlagSet
@@ -37,7 +38,8 @@ func (cfg *RedisConfig) RegisterFlagsWithPrefix(prefix, description string, f *f
 f.IntVar(&cfg.DB, prefix+"redis.db", 0, description+"Database index.")
 f.IntVar(&cfg.PoolSize, prefix+"redis.pool-size", 0, description+"Maximum number of connections in the pool.")
 f.Var(&cfg.Password, prefix+"redis.password", description+"Password to use when connecting to redis.")
- f.BoolVar(&cfg.EnableTLS, prefix+"redis.enable-tls", false, description+"Enables connecting to redis with TLS.")
+ f.BoolVar(&cfg.TLSEnabled, prefix+"redis.tls-enabled", false, description+"Enables connecting to redis with TLS.")
+ f.BoolVar(&cfg.TLSSkipVerify, prefix+"redis.tls-skip-verify", false, description+"Disables SSL certificate verification.")
 f.DurationVar(&cfg.IdleTimeout, prefix+"redis.idle-timeout", 0, description+"Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.")
 f.DurationVar(&cfg.MaxConnAge, prefix+"redis.max-connection-age", 0, description+"Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.")
 }
@@ -59,8 +61,8 @@ func NewRedisClient(cfg *RedisConfig) *RedisClient {
 IdleTimeout: cfg.IdleTimeout,
 MaxConnAge: cfg.MaxConnAge,
 }
- if cfg.EnableTLS {
- opt.TLSConfig = &tls.Config{}
+ if cfg.TLSEnabled {
+ opt.TLSConfig = &tls.Config{InsecureSkipVerify: cfg.TLSSkipVerify}
 }
 return &RedisClient{
 expiration: cfg.Expiration,
From ca7c82f203e4eb11e01f380e7f2174c444cd110b Mon Sep 17 00:00:00 2001
From: Marco Pracucci
Date: Thu, 8 Oct 2020 10:32:50 +0200
Subject: [PATCH 2/5] Update CHANGELOG.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Marco Pracucci
Co-authored-by: Peter Štibraný
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 745817d2f77..62e6e900d3f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -72,7 +72,7 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
-* [ENHANCEMENT] Added `redis.tls-skip-verify` flag. Renamed `redis.enable-tls` to `redis.tls-enabled`.
+* [ENHANCEMENT] Added `redis.tls-skip-verify` flag. Renamed `redis.enable-tls` to `redis.tls-enabled`. #3298
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
 * [BUGFIX] Handle hash-collisions in the query path. #3192
From 06f0c1d30741644daf280923dbed30c1befdebee Mon Sep 17 00:00:00 2001
From: Marco Pracucci
Date: Thu, 8 Oct 2020 10:34:13 +0200
Subject: [PATCH 3/5] Update CHANGELOG.md
Signed-off-by: Marco Pracucci
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62e6e900d3f..3437ac605ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -72,7 +72,8 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
-* [ENHANCEMENT] Added `redis.tls-skip-verify` flag. Renamed `redis.enable-tls` to `redis.tls-enabled`. #3298
+* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`. #3298
+* [ENHANCEMENT] Added `-redis.tls-skip-verify` flag. #3298
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
 * [BUGFIX] Handle hash-collisions in the query path. #3192
From d1bc64ba6c75ba474a3b8b184941fc4358214a7c Mon Sep 17 00:00:00 2001
From: Marco Pracucci
Date: Thu, 8 Oct 2020 10:35:03 +0200
Subject: [PATCH 4/5] Update CHANGELOG.md
Signed-off-by: Marco Pracucci
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3437ac605ec..bc0700b8b95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -72,7 +72,7 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
-* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`. #3298
+* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`, and its respective YAML config option from `enable_tls` to `tls_enabled`. #3298
 * [ENHANCEMENT] Added `-redis.tls-skip-verify` flag. #3298
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
From 00501c2cc6f3c73e6ceb82ec79132a24f7a56443 Mon Sep 17 00:00:00 2001
From: Dmitry Shmulevich
Date: Thu, 8 Oct 2020 05:07:27 -0700
Subject: [PATCH 5/5] addressed comments
Signed-off-by: Dmitry Shmulevich
---
 CHANGELOG.md | 4 +--
 docs/configuration/config-file-reference.md | 8 +++---
 docs/production/caching.md | 6 ++---
 pkg/chunk/cache/redis_client.go | 30 ++++++++++-----------
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc0700b8b95..f8d119f35d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,7 @@
 - `-store-gateway.sharding-ring.instance-interface` renamed to `-store-gateway.sharding-ring.instance-interface-names`
 - `-distributor.ring.instance-interface` renamed to `-distributor.ring.instance-interface-names`
 - `-ruler.ring.instance-interface` renamed to `-ruler.ring.instance-interface-names`
+* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`, and its respective YAML config option from `enable_tls` to `tls_enabled`. #3298
 * [FEATURE] Added support for shuffle-sharding queriers in the query-frontend. When configured (`-frontend.max-queriers-per-tenant` globally, or using per-tenant limit `max_queriers_per_tenant`), each tenants's requests will be handled by different set of queriers. #3113 #3257
 * [FEATURE] Query-frontend: added `compression` config to support results cache with compression. #3217
 * [ENHANCEMENT] Expose additional HTTP configs for the S3 backend client. New flag are listed below: #3244
@@ -72,8 +73,7 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
-* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`, and its respective YAML config option from `enable_tls` to `tls_enabled`. #3298
-* [ENHANCEMENT] Added `-redis.tls-skip-verify` flag. #3298
+* [ENHANCEMENT] Added `-redis.tls-insecure-skip-verify` flag. #3298
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
 * [BUGFIX] Handle hash-collisions in the query path. #3192
diff --git a/docs/configuration/config-file-reference.md b/docs/configuration/config-file-reference.md index 05c3f09ddf5..bc6bfdd2a08 100644 --- a/docs/configuration/config-file-reference.md +++ b/docs/configuration/config-file-reference.md @@ -2943,13 +2943,13 @@ The `redis_config` configures the Redis backend cache. The supported CLI flags ` # CLI flag: -.redis.password [password: | default = ""] -# Enables connecting to redis with TLS. +# Enable connecting to redis with TLS. # CLI flag: -.redis.tls-enabled [tls_enabled: | default = false] -# Disables SSL certificate verification. -# CLI flag: -.redis.tls-skip-verify -[tls_skip_verify: | default = false] +# Skip validating server certificate. +# CLI flag: -.redis.tls-insecure-skip-verify +[tls_insecure_skip_verify: | default = false] # Close connections after remaining idle for this duration. If the value is # zero, then idle connections are not closed. diff --git a/docs/production/caching.md b/docs/production/caching.md index a8b36ef3693..ca7b1e1a416 100644 --- a/docs/production/caching.md +++ b/docs/production/caching.md @@ -104,9 +104,9 @@ You can also use [Redis](https://redis.io/) for out-of-process caching; this is Redis Sentinel master group name. An empty string for Redis Server or Redis Cluster -.redis.tls-enabled - Enables connecting to redis with TLS. --.redis.tls-skip-verify - Disables SSL certificate verification. + Enable connecting to redis with TLS. +-.redis.tls-insecure-skip-verify + Skip validating server certificate. -.redis.expiration duration How long keys stay in the redis. -.redis.db int diff --git a/pkg/chunk/cache/redis_client.go b/pkg/chunk/cache/redis_client.go index d0b9fb80de1..9ed059cc70b 100644 --- a/pkg/chunk/cache/redis_client.go +++ b/pkg/chunk/cache/redis_client.go 
@@ -16,17 +16,17 @@ import (
 
 // RedisConfig defines how a RedisCache should be constructed.
 type RedisConfig struct {
- Endpoint string `yaml:"endpoint"`
- MasterName string `yaml:"master_name"`
- Timeout time.Duration `yaml:"timeout"`
- Expiration time.Duration `yaml:"expiration"`
- DB int `yaml:"db"`
- PoolSize int `yaml:"pool_size"`
- Password flagext.Secret `yaml:"password"`
- TLSEnabled bool `yaml:"tls_enabled"`
- TLSSkipVerify bool `yaml:"tls_skip_verify"`
- IdleTimeout time.Duration `yaml:"idle_timeout"`
- MaxConnAge time.Duration `yaml:"max_connection_age"`
+ Endpoint string `yaml:"endpoint"`
+ MasterName string `yaml:"master_name"`
+ Timeout time.Duration `yaml:"timeout"`
+ Expiration time.Duration `yaml:"expiration"`
+ DB int `yaml:"db"`
+ PoolSize int `yaml:"pool_size"`
+ Password flagext.Secret `yaml:"password"`
+ EnableTLS bool `yaml:"tls_enabled"`
+ InsecureSkipVerify bool `yaml:"tls_insecure_skip_verify"`
+ IdleTimeout time.Duration `yaml:"idle_timeout"`
+ MaxConnAge time.Duration `yaml:"max_connection_age"`
 }
 
 // RegisterFlagsWithPrefix adds the flags required to config this to the given FlagSet
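Review bot: `InsecureSkipVerify` is the one field in this struct that weakens security, and it is the only new field without any comment, while its YAML key `tls_insecure_skip_verify` and the neighbouring `EnableTLS` both carry the TLS context that the Go name drops. Suggest a field comment along the lines of `// InsecureSkipVerify accepts any server certificate when EnableTLS is set and has no effect otherwise; leave false outside test setups.` — the "no effect otherwise" part follows from NewRedisClient building the tls.Config only inside its `if cfg.EnableTLS` branch. Renaming the field to `TLSInsecureSkipVerify` would keep the YAML key unchanged and line the Go name up with the `redis.tls-insecure-skip-verify` flag. The PATCH 1/5 version of this struct earlier in the series is superseded by this hunk.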
@@ -38,8 +38,8 @@ func (cfg *RedisConfig) RegisterFlagsWithPrefix(prefix, description string, f *f
 f.IntVar(&cfg.DB, prefix+"redis.db", 0, description+"Database index.")
 f.IntVar(&cfg.PoolSize, prefix+"redis.pool-size", 0, description+"Maximum number of connections in the pool.")
 f.Var(&cfg.Password, prefix+"redis.password", description+"Password to use when connecting to redis.")
- f.BoolVar(&cfg.TLSEnabled, prefix+"redis.tls-enabled", false, description+"Enables connecting to redis with TLS.")
- f.BoolVar(&cfg.TLSSkipVerify, prefix+"redis.tls-skip-verify", false, description+"Disables SSL certificate verification.")
+ f.BoolVar(&cfg.EnableTLS, prefix+"redis.tls-enabled", false, description+"Enable connecting to redis with TLS.")
+ f.BoolVar(&cfg.InsecureSkipVerify, prefix+"redis.tls-insecure-skip-verify", false, description+"Skip validating server certificate.")
 f.DurationVar(&cfg.IdleTimeout, prefix+"redis.idle-timeout", 0, description+"Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.")
 f.DurationVar(&cfg.MaxConnAge, prefix+"redis.max-connection-age", 0, description+"Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.")
 }
@@ -61,8 +61,8 @@ func NewRedisClient(cfg *RedisConfig) *RedisClient {
 IdleTimeout: cfg.IdleTimeout,
 MaxConnAge: cfg.MaxConnAge,
 }
- if cfg.TLSEnabled {
- opt.TLSConfig = &tls.Config{InsecureSkipVerify: cfg.TLSSkipVerify}
+ if cfg.EnableTLS {
+ opt.TLSConfig = &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
 }
 return &RedisClient{
 expiration: cfg.Expiration,
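Review bot: The help text `Skip validating server certificate.` on the new `redis.tls-insecure-skip-verify` flag does not tell the operator what is given up: with `tls.Config.InsecureSkipVerify` the client accepts any certificate and performs no hostname check, so the connection is encrypted but the Redis server is not authenticated. Suggest `f.BoolVar(&cfg.InsecureSkipVerify, prefix+"redis.tls-insecure-skip-verify", false, description+"Skip validating the Redis server certificate and hostname (insecure; intended for testing only).")`. The flag name already carries "insecure", which is good; the description and the matching lines in the two docs hunks of this patch should say the same thing. RegisterFlagsWithPrefix starts before this hunk.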
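Review bot: The new `tls.Config` sets only `InsecureSkipVerify`, so turning the option on leaves no trace at runtime and the config pins no minimum protocol version; a one-line warning through the package's logger when `cfg.InsecureSkipVerify` is true would make the weakened setting visible in operations, and `opt.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: cfg.InsecureSkipVerify}` would stop the client from negotiating TLS 1.0/1.1, which older Go releases otherwise permit by default. Note also that `InsecureSkipVerify` set without `EnableTLS` is silently ignored, since the block is only entered on `cfg.EnableTLS`; a validation error or a log line for that combination would surface a misconfigured deployment early. NewRedisClient begins before this hunk, and the same points apply to the PATCH 1/5 version of this hunk earlier in the series.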