
Query frontend should not be protected with mTLS when gateway is disabled #552

Closed
vdurante opened this issue Aug 11, 2023 · 8 comments · Fixed by #560
Labels
bug Something isn't working

Comments

@vdurante

vdurante commented Aug 11, 2023

Hello! Not sure if this is the right place to open this issue...

I recently followed the docs here on how to get started with tempo on k8s using the operator.

I followed some other articles from grafana (I can share the urls if necessary), and all guides show how to connect grafana to tempo through HTTP using the url on port 3200 (something like http://query-frontend.default.svc.cluster.local:3200).

I tried that, but the endpoint was failing with the message: Client sent an HTTP request to an HTTPS server. Checking the logs on tempo, I was getting the following error: 20:55:28 http: TLS handshake error from 127.0.0.1:40728: tls: client didn't provide a certificate

I then found on the Release changelog that mTLS is enabled by default now, which makes me believe it is related to the error.

To solve the issue, I had to manually set httpEncryption and grpcEncryption to false.

Would be cool if the quick start guide had an explanation on how to set mTLS up, or how to disable it.

As a complete newbie to Docker and Kubernetes, it would have helped me a lot if the quick start simply worked out of the box with the default settings.
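The two messages in this report are two faces of one condition: a listener that only speaks TLS and also demands a client certificate. Tempo is a Go service and both strings come from Go's net/http and crypto/tls, so the condition can be reproduced stand-alone. The program below is an added example, not code from Tempo or the operator; it stands up such a listener with httptest and records what a plain-HTTP client, a TLS client without a certificate, and the server's own error log each report.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Probe records what each kind of client sees against a listener that demands client
// certificates, together with the line the server itself logs about it.
type Probe struct{ PlainHTTPBody, NoCertErr, ServerLog string }

// RunProbe starts an HTTP listener that requires and verifies client certificates (the
// posture the report describes on the query-frontend) and hits it the two ways the
// reporter did: plain http:// as in the Grafana guides, and TLS without a client cert.
func RunProbe() Probe {
	var serverLog strings.Builder
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok") // never reached by the probes below
	}))
	// ClientCAs is left nil in this demo; a real deployment pins the CA that issued client certs.
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	srv.Config.ErrorLog = log.New(&serverLog, "", 0) // capture "http: TLS handshake error" lines
	srv.StartTLS()                                   // httptest supplies the server certificate

	var p Probe
	// 1. Plain HTTP on a TLS port: the first bytes are not a TLS record, so Go's server answers
	//    in clear text with a 400 whose body is the exact message the reporter saw in Grafana.
	if resp, err := http.Get("http://" + strings.TrimPrefix(srv.URL, "https://")); err == nil {
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		p.PlainHTTPBody = strings.TrimSpace(string(body))
	}
	// 2. TLS without a client certificate: the handshake is rejected; the client sees only a TLS
	//    alert, while the server log says why ("client didn't provide a certificate").
	if _, err := srv.Client().Get(srv.URL); err != nil {
		p.NoCertErr = err.Error()
	}
	srv.Close() // blocks until the server goroutines finish, so the log line is complete
	p.ServerLog = serverLog.String()
	return p
}

func main() { fmt.Printf("%+v\n", RunProbe()) }
```

Seeing the 400 body tells you the port speaks TLS; seeing the handshake line in the server log tells you it additionally requires client certificates, which is what httpEncryption controls here.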

@frzifus
Collaborator

frzifus commented Aug 12, 2023

cc @rubenvp8510 @andreasgerstmayr

@andreasgerstmayr
Collaborator

@rubenvp8510 can we disable mTLS on the query-frontend?

@rubenvp8510
Collaborator

Yes, I think we can. I'll take a look at this to see how we can disable it.

@pavolloffay
Collaborator

@vdurante are you on OpenShift or Kubernetes? I think mTLS should be disabled on Kubernetes.

@pavolloffay
Collaborator

It seems that internal mTLS is enabled on Kubernetes as well.

@rubenvp8510 the query frontend should not use mTLS if the gateway is not deployed. @vdurante could you please share your Tempo configuration?

@pavolloffay pavolloffay changed the title Quick start guide doesn't work anymore, probably due to mTLS Query frontend should not be protected with mTLS when gateway is disabled Aug 14, 2023
@pavolloffay pavolloffay added the bug Something isn't working label Aug 14, 2023
@vdurante
Author

vdurante commented Aug 14, 2023

Hey, I can share whatever you need. Just let me know if I shared the wrong thing, since I am still a beginner on k8s.

I basically applied the tempo-operator using this command:

kubectl apply -f https://github.com/grafana/tempo-operator/releases/latest/download/tempo-operator.yaml

And then I booted it with the following command:

apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
  name: simplest
spec:
  storage:
    secret:
      name: minio-test
      type: s3
  storageSize: 1Gi
  resources:
    total:
      limits:
        memory: 2Gi
        cpu: 2000m
  template:
    queryFrontend:
      jaegerQuery:
        enabled: true

To fix it, I have a feeling I had to change something on this TempoStack yaml, but I wasn't able to do that, so what I did instead was download the tempo-operator.yaml and modify lines 1426 and 1427 to the following:

      httpEncryption: false
      grpcEncryption: false

@rubenvp8510
Collaborator

I cannot find a way to only disable TLS on the query-frontend. I'm looking to see if there is anything, any flag or something else.

There are a couple of solutions

  • Use other configmap for the component with the server TLS configuration disabled. TBH I don't like this one.
  • Disable all HTTP mTLS. Looking at the HTTP endpoints, most of them are from the query-frontend, and there are others for health and debug, metrics, and status. Not sure how bad it is to have those unprotected. (https://grafana.com/docs/tempo/latest/api_docs/)

@rubenvp8510 rubenvp8510 self-assigned this Aug 16, 2023
andreasgerstmayr added a commit to andreasgerstmayr/tempo-operator that referenced this issue Aug 16, 2023
…ry-frontend component

Resolves: grafana#552
Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
andreasgerstmayr added a commit that referenced this issue Aug 16, 2023
…ry-frontend component (#560)

Resolves: #552

Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
@andreasgerstmayr
Collaborator

Fixed for now by disabling mTLS by default. We'll look for a way to (partially) enable it again in the future (#561).

5 participants