backport Add TLS config to query frontend grafana#6444

aminesnow · Jun 21, 2022 · 77cee21 · 77cee21
1 parent bcc4379
commit 77cee21
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 1 deletion.
diff --git a/docs/sources/configuration/_index.md b/docs/sources/configuration/_index.md
@@ -374,6 +374,27 @@ The `frontend` block configures the Loki query-frontend.
 # CLI flag: -frontend.tail-proxy-url
 [tail_proxy_url: <string> | default = ""]
 
+tail_tls_config:
+  # Path to the client certificate file, which will be used for authenticating
+  # with the server. Also requires the key path to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-cert-path
+  [tls_cert_path: <string> | default = ""]
+  
+  # Path to the key file for the client certificate. Also requires the client
+  # certificate to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-key-path
+  [tls_key_path: <string> | default = ""]
+
+  # Path to the CA certificates file to validate server certificate against. If
+  # not set, the host's root CA certificates are used.
+  # CLI flag: -frontend.tail-tls-config.tls-ca-path
+  [tls_ca_path: <string> | default = ""]
+
+  # Skip validating server certificate.
+  # CLI flag: -frontend.tail-tls-config.tls-insecure-skip-verify
+  [tls_insecure_skip_verify: <boolean> | default = false]
+  
+
 # DNS hostname used for finding query-schedulers.
 # CLI flag: -frontend.scheduler-address
 [scheduler_address: <string> | default = ""]

diff --git a/pkg/loki/modules.go b/pkg/loki/modules.go
@@ -533,6 +533,15 @@ func (t *Loki) initQueryFrontend() (_ services.Service, err error) {
 		}
 		tp := httputil.NewSingleHostReverseProxy(tailURL)
 
+		cfg, err := t.Cfg.Frontend.TLS.GetTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+
+		tp.Transport = &http.Transport{
+			TLSClientConfig: cfg,
+		}
+
 		director := tp.Director
 		tp.Director = func(req *http.Request) {
 			director(req)

diff --git a/pkg/lokifrontend/config.go b/pkg/lokifrontend/config.go
@@ -3,6 +3,8 @@ package lokifrontend
 import (
 	"flag"
 
+	"github.com/grafana/dskit/crypto/tls"
+
 	"github.com/grafana/loki/pkg/lokifrontend/frontend/transport"
 	v1 "github.com/grafana/loki/pkg/lokifrontend/frontend/v1"
 	v2 "github.com/grafana/loki/pkg/lokifrontend/frontend/v2"
@@ -16,14 +18,16 @@ type Config struct {
 	CompressResponses bool   `yaml:"compress_responses"`
 	DownstreamURL     string `yaml:"downstream_url"`
 
-	TailProxyURL string `yaml:"tail_proxy_url"`
+	TailProxyURL string           `yaml:"tail_proxy_url"`
+	TLS          tls.ClientConfig `yaml:"tail_tls_config"`
 }
 
 // RegisterFlags adds the flags required to config this to the given FlagSet.
 func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 	cfg.Handler.RegisterFlags(f)
 	cfg.FrontendV1.RegisterFlags(f)
 	cfg.FrontendV2.RegisterFlags(f)
+	cfg.TLS.RegisterFlagsWithPrefix("frontend.tail-tls-config", f)
 
 	f.BoolVar(&cfg.CompressResponses, "querier.compress-http-responses", false, "Compress HTTP responses.")
 	f.StringVar(&cfg.DownstreamURL, "frontend.downstream-url", "", "URL of downstream Prometheus.")