Add TLS support to HTTP/GRPC clients

[annanay25]

What this PR does:

• go.mod updated to vendor latest commit of weaveworks/common which adds TLS support to the server.
• Adds TLS support to all HTTP and GRPC clients in cortex.
  • GRPC:
    • pkg/util/grpcclient updated to include TLS info.
    • All GRPC clients updated to use grpcclient.DialOptions() which provides TLS options as well.
  • HTTP:
    • Util package pkg/util/httpclient created with a Config struct that stores necessary endpoint, timeout and tls config parameters.
    • All HTTP clients updated to use this config struct.

Which issue(s) this PR fixes:
Fixes #2350

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[pracucci]

Thanks @annanay25 for working on it! Adding TLS support between Cortex components/services is very neat.

I've some concerns about the generic httpclient.Config struct because this causes you some troubles to keep backward compatibility and also add extra options to clients where such options are not necessarily required. Pretty much the same with gprcclient.Config.

I will reach you offline to further discuss a sligthly different design.

[jtlisi]

This PR looks close to ready. Can you take a look at the GCP clients you configured. I don't think we want to instrument those with support for TLS. It will only confuse the Auth support Google already has.

[jtlisi]

You need to update the clients used by the integration tests to support TLS as well.

[jtlisi]

You need to refactor the integration tests to support TLS. Consider limiting the scope of this PR to add a single TLS integration test that ensures the server and clients work.

Later, other integration tests can be updated to check for TLS.

[jtlisi]

Suggested change

	cmd := exec.Command("bash", "certs/genCerts.sh", "certs", "1")
	require.NoError(t, cmd.Run())
	require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientCertFile, clientCertFile))
	require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+clientKeyFile, clientKeyFile))
	require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+rootCertFile, rootCertFile))
	require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverCertFile, serverCertFile))
	require.NoError(t, copyFileToSharedDir(s, integrationHomeFolder+serverKeyFile, serverKeyFile))
	cmd := exec.Command("bash", "certs/genCerts.sh", s.SharedDir()+"/certs", "1")
	require.NoError(t, cmd.Run())

You don't need to mount each file into the env, you can generate the certs directly into the e2e shared directory.

[pracucci]

I would actually suggest to commit certs in the integration/certs and then copy all of them to the shared dir.

[jtlisi]

sounds good, better than generating them for every run.

[jtlisi]

When you create the Service you need to ensure that the built in ReadinessCheck supports TLS. Same with any external client that accesses the service.

[pracucci]

Thanks @annanay25 for addressing my initial comments. Much appreciated! This PR looks in a better shape now and I think we're quite close. I left some comments to further polish the config and nits here and there.

[pracucci]

For each pre-cooked config we provide, we have an integration test in integration/getting_started_single_process_config_test.go. Would be great if you could add a test there for this file (a new test, which can be an existing one you copy, paste and modify as needed).

[pracucci]

I would actually suggest to commit certs in the integration/certs and then copy all of them to the shared dir.

[pracucci]

Could you also add a CHANGELOG entry, please?

[pracucci]

Thanks @annanay25 for addressing my feedback! LGTM 🎉 (I left one very last nit)

[jtlisi]

LGTM