-
Notifications
You must be signed in to change notification settings - Fork 487
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cmd/agent): add fallback X.509 trusted roots #6340
Merged
Merged
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't documented anywhere (that I can find). Is this something we should add to the HTTP or TLS docs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the block configuration we normally only document the arguments which are in the block. I haven't seen documentation about environment variables in block documentation. I think we should make a special page for the env vars and link to it from the block docs.
@jkroepke could you please let us know which Agent components you are using in this case? And why is it not sufficient to use an argument such as
ca_pemin the tls config block?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
docs for
https://pkg.go.dev/crypto/x509#SetFallbackRoots
I'm plan to use it for
The
ca_pemblock is sufficient. But then I have to ship the whole ca-certificates pem file together with the setup. Using the fallback X.509 trusted roots from go also fits well and would eliminate the requirement of shipping a own ca pem file.An other benefit is if the root CAs are embedded:
FROM scratchdocker image which reduce the attack surface to a minimum. Since grafana may has very high permissions in a Kubernetes cluster, reducing the dependencies to a minimum would increase the security as well.Configure the
ca_pem, but using the trust ca-certificates sounds silly for first time, but using a custom ca certificates file skips the system verifier. The issue with the system verifier under Windows is that go has no capabilities to configure flags for the Windows Crypto API.Context: golang/go#63238 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jkroepke Thanks for clarifying - this also confirms what I inferred from the issue so far.
@clayton-cornell If we are to document such env vars, we would also need to document how they could interfere with arguments in the River config, and which one takes precedence. I could raise a separate issue for this? I don't think it's a must for now. In the past, I've seen this issue mostly with the
HTTP_PROXYenv var.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ptodev I'd say drop it into an issue and backlog it for a future doc improvement. It's not critical right now... it's just something I wondered about as I read through the current change, and it would certainly be helpful to have this added at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@clayton-cornell I created a new issue - #6372