[ID] httpapi: add https and mTLS support to ingest server #913
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
roobre
changed the title
rubenruizdegauna
previously approved these changes
Feb 14, 2022
brushknight
reviewed
Feb 15, 2022
brushknight
reviewed
Feb 15, 2022
brushknight
changed the title
roobre
force-pushed
the
ingest-mtls
branch
2 times, most recently
from
ddf1ebd
to
f77bed5
Compare
|
Some updates to this PR:
|
| @@ -28,60 +31,73 @@ const ( | |||
| statusAPIPathReady = "/v1/status/ready" | |||
| ingestAPIPath = "/v1/data" | |||
| ingestAPIPathReady = "/v1/data/ready" | |||
| readinessProbeRetryBackoff = 10 * time.Millisecond | |||
| readinessProbeRetryBackoff = 100 * time.Millisecond | |||
There was a problem hiding this comment.
out of curiosity, why increase it?
There was a problem hiding this comment.
It was a bit of a sneaky change, sorry about that! The main motivation was that during tests, the probing mechanism was consuming quite a bunch of CPU. Since we're waiting for network requests to succeed, the 100ms backoff did not seem that much. I can always revert it back to 10ms if you prefer it :)
rubenruizdegauna
previously approved these changes
Mar 3, 2022
|
Tests seem to be entering into some sort of deadlock and timing out :( |
fixup! make serverand status configs not pointers
If URL is https, mTLS might be enabled. For simplicity, readiness checker does not supply TLS certs, so we must ignore a possible 400 Bad Request being ignored by an HTTPs server.
fixup! readiness fixes
change Error to Fatal
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for TLS on the Ingest server from the
httpapipackage. Server can be configured to listen in three modes:This feature, provided specific configuration, could allow to safely expose the infra-agent HTTP ingest endpoint in less trusted networks, such as a Kubernetes cluster.
Reviewing
As multiple files have been changed to make this feature available, I suggest to review commit by commit.