Alerting: Add options to configure TLS for HA using Redis #87567
Conversation
| # The maximum number of simultaneous redis connections. | ||
| # ha_redis_max_conns = 5 |
There was a problem hiding this comment.
Not related to this change but added it in to make it consistent with defaults.ini
fayzal-g
changed the title
fayzal-g
force-pushed
the
alerting-redis-tls
branch
from
4a04b2f
to
18de77c
Compare
fayzal-g
requested review from
rwwiv,
JacobsonMT,
yuri-tceretian,
grobinson-grafana,
JohnnyQQQQ,
alexweav and
stevesg
and removed request for
a team
| ha_redis_tls_enabled = false | ||
|
|
||
| # Path to the PEM-encoded TLS client certificate file used to authenticate with the redis server. | ||
| ha_redis_tls_cert_path = |
There was a problem hiding this comment.
Are these required, or can you leave them blank and the client will use the certificates installed in the OS?
Whichever the answer is, might be worth noting in the doc comment
There was a problem hiding this comment.
Yup, they're required if TLS is enabled. Will update the docs to make this clear.
| CertPath: certPaths.clientCert, | ||
| KeyPath: certPaths.clientKey, | ||
| CAPath: certPaths.ca, | ||
| ServerName: "localhost", |
There was a problem hiding this comment.
Just curious, will miniredis retry on randomized ports if the default redis port is already taken on the host? Just wondering about test portability, because without port retry this could fail on a dev machine with an unrelated redis running.
I don't expect us to add dynamic ports as part of this PR, we could just implement it in the future if someone complains - just curious if it already works or not.
There was a problem hiding this comment.
I don't believe there is port retry, from what I can see it will try a random port on localhost and error if it is already in use.
| "github.com/stretchr/testify/require" | ||
| ) | ||
|
|
||
| func TestNewRedisPeerWithTLS(t *testing.T) { |
There was a problem hiding this comment.
this is a very cool test 👍
| @@ -66,6 +66,7 @@ database for HA and cannot support the meshing of all Grafana servers. | |||
| 1. Set `ha_redis_address` to the Redis server address Grafana should connect to. | |||
| 1. [Optional] Set the username and password if authentication is enabled on the redis server using `ha_redis_username` and `ha_redis_password`. | |||
| 1. [Optional] Set `ha_redis_prefix` to something unique if you plan to share the redis server with multiple Grafana instances. | |||
| 1. [Optional] Set `ha_redis_tls_enabled` to `true` and configure the corresponding `ha_redis_tls_*` fields to secure communications between Grafana and redis with TLS. | |||
There was a problem hiding this comment.
| 1. [Optional] Set `ha_redis_tls_enabled` to `true` and configure the corresponding `ha_redis_tls_*` fields to secure communications between Grafana and redis with TLS. | |
| 1. [Optional] Set `ha_redis_tls_enabled` to `true` and configure the corresponding `ha_redis_tls_*` fields to secure communications between Grafana and Redis with Transport Layer Security (TLS). |
| @@ -66,6 +66,7 @@ database for HA and cannot support the meshing of all Grafana servers. | |||
| 1. Set `ha_redis_address` to the Redis server address Grafana should connect to. | |||
| 1. [Optional] Set the username and password if authentication is enabled on the redis server using `ha_redis_username` and `ha_redis_password`. | |||
| 1. [Optional] Set `ha_redis_prefix` to something unique if you plan to share the redis server with multiple Grafana instances. | |||
There was a problem hiding this comment.
| 1. [Optional] Set `ha_redis_prefix` to something unique if you plan to share the redis server with multiple Grafana instances. | |
| 1. [Optional] Set `ha_redis_prefix` to something unique if you plan to share the Redis server with multiple Grafana instances. |
| @@ -66,6 +66,7 @@ database for HA and cannot support the meshing of all Grafana servers. | |||
| 1. Set `ha_redis_address` to the Redis server address Grafana should connect to. | |||
| 1. [Optional] Set the username and password if authentication is enabled on the redis server using `ha_redis_username` and `ha_redis_password`. | |||
There was a problem hiding this comment.
| 1. [Optional] Set the username and password if authentication is enabled on the redis server using `ha_redis_username` and `ha_redis_password`. | |
| 1. [Optional] Set the username and password if authentication is enabled on the Redis server using `ha_redis_username` and `ha_redis_password`. |
| if cfg.tlsEnabled { | ||
| tlsClientConfig, err := cfg.tls.GetTLSConfig() | ||
| if err != nil { | ||
| logger.Error("Failed to get TLS config", "err", err) |
There was a problem hiding this comment.
I would return the error here, a quick skim at the errors from GetTLSConfig shows they are mostly configuration issues and are likely unrecoverable. I believe the argument for not failing on a failed Ping lower down the code, is because the failure is transient and could resolve after startup.
| logger.Error("Failed to get TLS config", "err", err) | |
| logger.Error("Failed to get TLS config", "err", err) | |
| return nil, err |
| HARedisTLSEnabled bool | ||
| HARedisTLSCertPath string | ||
| HARedisTLSKeyPath string | ||
| HARedisTLSCAPath string | ||
| HARedisTLSServerName string | ||
| HARedisTLSInsecureSkipVerify bool | ||
| HARedisTLSCipherSuites string | ||
| HARedisTLSMinVersion string |
There was a problem hiding this comment.
[nit] We could use dstls.ClientConfig here, would save an instance of re-listing the options (here)
|
Error building instance: Contact #proj-ephemeral-hg-instances if it is not a compile error. Logs Error messagehandling pull request closed event: deleting instance by slug: unexpected response status: status=502 responseBody= <title>502 Server Error</title>Error: Server ErrorThe server encountered a temporary error and could not complete your request.Please try again in 30 seconds. |
What is this feature?
Updates the
unified_alertingconfiguration with additional fields to configure TLS on the Redis client when enabling alerting high availability using Redis.The following fields have been added:
ha_redis_tls_enabledha_redis_tls_cert_pathha_redis_tls_key_pathha_redis_tls_ca_pathha_redis_tls_server_nameha_redis_tls_insecure_skip_verifyha_redis_tls_cipher_suitesha_redis_tls_min_versionWhy do we need this feature?
Some users may have an instance of Redis that is only able to accept communications with TLS but it is currently not possible to configure client-side TLS on the Grafana side
Special notes for your reviewer:
Please check that: