feat(cmd/agent): add fallback X.509 trusted roots #6340
Conversation
Signed-off-by: hainenber <[email protected]>
Signed-off-by: hainenber <[email protected]>
There was a problem hiding this comment.
Thanks @hainenber, LGTM. I suppose the main worry with this is that those certificates may no longer be trusted one day. If the users update their Agent binary regularly, this shouldn't be a problem.
Also, apparently the GODEBUG env var has to be set for any of this to take effect, so I think we can assume that we won't impact users negatively if they don't use the feature.
cc @clayton-cornell it might be good to document interesting uses of GODEBUG and other Go env vars (such as the ones for proxying). Maybe we can add a new section under Command-line interface? I could raise an issue for this if you'd like me to.
| @@ -87,6 +87,9 @@ Main (unreleased) | |||
|
|
|||
| - Updated docs for MSSQL Integration to show additional authentication capabilities. (@StefanKurek) | |||
|
|
|||
| - `grafana-agent` and `grafana-agent-flow` fallback to default X.509 trusted root certificates | |||
| when the `GODEBUG=x509usefallbackroots=1` environment variable is set. (@hainenber) | |||
There was a problem hiding this comment.
This isn't documented anywhere (that I can find). Is this something we should add to the HTTP or TLS docs?
There was a problem hiding this comment.
In the block configuration we normally only document the arguments which are in the block. I haven't seen documentation about environment variables in block documentation. I think we should make a special page for the env vars and link to it from the block docs.
@jkroepke could you please let us know which Agent components you are using in this case? And why is it not sufficient to use an argument such as ca_pem in the tls config block?
There was a problem hiding this comment.
docs for
GODEBUG=x509usefallbackroots=1
https://pkg.go.dev/crypto/x509#SetFallbackRoots
I'm plan to use it for
- module.http
- remote.http
- prometheus.remote_write
- loki.write
And why is it not sufficient to use an argument such as ca_pem in the tls config block?
The ca_pem block is sufficient. But then I have to ship the whole ca-certificates pem file together with the setup. Using the fallback X.509 trusted roots from go also fits well and would eliminate the requirement of shipping a own ca pem file.
An other benefit is if the root CAs are embedded:
- grafana-agent could run in a
FROM scratchdocker image which reduce the attack surface to a minimum. Since grafana may has very high permissions in a Kubernetes cluster, reducing the dependencies to a minimum would increase the security as well.
Configure the ca_pem, but using the trust ca-certificates sounds silly for first time, but using a custom ca certificates file skips the system verifier. The issue with the system verifier under Windows is that go has no capabilities to configure flags for the Windows Crypto API.
Context: golang/go#63238 (comment)
There was a problem hiding this comment.
@jkroepke Thanks for clarifying - this also confirms what I inferred from the issue so far.
@clayton-cornell If we are to document such env vars, we would also need to document how they could interfere with arguments in the River config, and which one takes precedence. I could raise a separate issue for this? I don't think it's a must for now. In the past, I've seen this issue mostly with the HTTP_PROXY env var.
There was a problem hiding this comment.
@ptodev I'd say drop it into an issue and backlog it for a future doc improvement. It's not critical right now... it's just something I wondered about as I read through the current change, and it would certainly be helpful to have this added at some point.
There was a problem hiding this comment.
@clayton-cornell I created a new issue - #6372
* feat(cmd/agent): add fallback X.509 trusted roots Signed-off-by: hainenber <[email protected]> * chore(doc): add CHANGELOG entry Signed-off-by: hainenber <[email protected]> * Update CHANGELOG.md --------- Signed-off-by: hainenber <[email protected]> Co-authored-by: Paulin Todev <[email protected]>
github-actions
bot
added
the
frozen-due-to-age
PR Description
Add fallback X.509 trusted roots to
grafana-agentandgrafana-agent-flowbinaries.Risk is mild to empty as the functionality is only activated via injecting env var GODEBUG=x509usefallbackroots=1 to the binary during runtime.
Which issue(s) this PR fixes
Implements #6003
Notes to the Reviewer
PR Checklist