Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS certificates #143

Merged
merged 16 commits into from
Sep 25, 2023
Merged

TLS certificates #143

merged 16 commits into from
Sep 25, 2023

Conversation

codebien
Copy link
Contributor

@codebien codebien commented Sep 21, 2023
edited
Loading

It adds mTLS support. It continues #90 (rebase + polish).

@codebien codebien self-assigned this Sep 21, 2023
@codebien codebien marked this pull request as ready for review September 21, 2023 10:11
@codebien codebien requested a review from a team as a code owner September 21, 2023 10:11
@codebien codebien requested review from mstoykov and olegbespalov and removed request for a team September 21, 2023 10:11
@codebien codebien mentioned this pull request Sep 21, 2023
Closed
olegbespalov
olegbespalov requested changes Sep 21, 2023
View reviewed changes
pkg/remotewrite/config.go Outdated Show resolved Hide resolved
pkg/remotewrite/config.go Show resolved Hide resolved
codebien
codebien commented Sep 22, 2023
View reviewed changes
pkg/remotewrite/config.go
@@ -229,6 +255,14 @@ func parseEnvs(env map[string]string) (Config, error) {
c.Password = null.StringFrom(password)
}

if clientCertificate, certDefined := env["K6_PROMETHEUS_RW_CLIENT_CERTIFICATE"]; certDefined {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if clientCertificate, certDefined := env["K6_PROMETHEUS_RW_CLIENT_CERTIFICATE"]; certDefined {
if clientCertificate, certDefined := env["K6_PROMETHEUS_RW_TLS_CLIENT_CERTIFICATE"]; certDefined {

Do you think we should be more specific about the naming?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both fine fro me 🤷

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there something else that we can have a client certificate for ?

If not I am also 🤷 - if yes , then I would prefer to have mtls even.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really, or at least I didn't find it. At the moment, if we mention client certificates then they should set automatically the context for TLS, but I can't guarantee for the future.

Copy link
Contributor Author

@codebien codebien Sep 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are doing mostly the same with Username and Password where we aren't specifying that is for BasicAuth.

olegbespalov
olegbespalov approved these changes Sep 22, 2023
View reviewed changes
Copy link
Contributor

@olegbespalov olegbespalov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

pkg/remotewrite/config.go
@@ -229,6 +255,14 @@ func parseEnvs(env map[string]string) (Config, error) {
c.Password = null.StringFrom(password)
}

if clientCertificate, certDefined := env["K6_PROMETHEUS_RW_CLIENT_CERTIFICATE"]; certDefined {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both fine fro me 🤷

pkg/remotewrite/config.go
@@ -41,6 +41,16 @@ type Config struct {
// Password is the Password for the Basic Auth.
Password null.String `json:"password"`

// ClientCertificate is the public key of the SSL certificate.
// It is expected the path of the certificate on the file system.
// If it is required a dedicated Certifacate Authority then it should be added
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It theory we could also provide the way to add the CA like it's implemented in k6, but not sure if it's under the scope of this PR

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer if we get an explicit request from users for it. The demand for mTLS feature seems to be not so high in general.

mstoykov
mstoykov approved these changes Sep 25, 2023
View reviewed changes
Copy link
Contributor

@mstoykov mstoykov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@codebien codebien merged commit dc4b04f into main Sep 25, 2023
10 checks passed
@codebien codebien deleted the topicusonderwijs-main branch September 25, 2023 13:48
@heitortsergent heitortsergent mentioned this pull request Oct 4, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mstoykov mstoykov mstoykov approved these changes

@olegbespalov olegbespalov olegbespalov approved these changes

Assignees

@codebien codebien

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@codebien @mstoykov @olegbespalov @raoel