config-reloader: allows configuring TLS client
It's useful for mTLS configuration at the reload-url target.

#1033
Signed-off-by: f41gh7 <[email protected]>
f41gh7 committed Aug 14, 2024
1 parent 332e5a0 commit f3efa3f
Showing 2 changed files with 33 additions and 2 deletions.
32 changes: 31 additions & 1 deletion cmd/config-reloader/main.go
Expand Up @@ -5,6 +5,7 @@ import (
"compress/gzip"
"context"
"crypto/tls"
"crypto/x509"
"flag"
"fmt"
"io"
Expand Down Expand Up @@ -54,6 +55,12 @@ var (
"resync-interval", 0, "interval for force resync of the last configuration")
webhookMethod = flag.String(
"webhook-method", "GET", "the HTTP method url to use to send the webhook")

tlsCaFile = flag.String("tlsCAFile", "", "Optional path to client-side TLS CA file to use when connecting to -reload-url")
tlsCertFile = flag.String("tlsCertFile", "", "Optional path to client-side TLS certificate file to use when connecting to -reload-url")
tlsKeyFile = flag.String("tlsKeyFile", "", "Optional path to client-side TLS key file to use when connecting to -reload-url")
tlsServerName = flag.String("tlsServerName", "", "Optional TLS server name to use for connections to -realod-url.")
tlsInsecureSkipVerify = flag.Bool("tlsInsecureSkipVerify", true, "Whether to skip tls verification when connecting to -reload-url")
)

var (
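Review bot: `tlsInsecureSkipVerify` defaults to `true`, so the new `tlsCAFile` and `tlsServerName` flags have no effect on verification unless the user also passes `-tlsInsecureSkipVerify=false`; keeping `true` preserves the previous hard-coded `InsecureSkipVerify: true` behaviour, but that trade-off should be spelled out in the flag description, and defaulting to `false` whenever a CA file is supplied would be the safer choice. Two smaller points on the same lines: the help text for `tlsServerName` reads `-realod-url` (typo for `-reload-url`), and the new flags use camelCase (`tlsCAFile`) while the existing flags in this block use kebab-case (`resync-interval`, `webhook-method`); the Go variable is also `tlsCaFile` while the flag is `tlsCAFile`, which is easy to mistype in docs.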
Expand Down Expand Up @@ -125,7 +132,30 @@ func buildHTTPClient() *http.Client {
Timeout: connTimeout,
}
t.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true,
InsecureSkipVerify: *tlsInsecureSkipVerify,
ServerName: *tlsServerName,
}
if *tlsCertFile != "" {
cert, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
if err != nil {
panic(fmt.Sprintf("cannot load TLS certificate from `cert_file`=%q, `key_file`=%q: %s", *tlsCertFile, *tlsKeyFile, err))
}

t.TLSClientConfig.Certificates = []tls.Certificate{cert}
}

var rootCAs *x509.CertPool
if *tlsCaFile != "" {
pem, err := os.ReadFile(*tlsCaFile)
if err != nil {
panic(fmt.Sprintf("cannot read `ca_file` %q: %s", *tlsCaFile, err))
}

rootCAs = x509.NewCertPool()
if !rootCAs.AppendCertsFromPEM(pem) {
panic(fmt.Sprintf("cannot parse data from `ca_file` %q", *tlsCaFile))
}
t.TLSClientConfig.RootCAs = rootCAs
}
t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
conn, err := d.Dial(network, addr)
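Review bot: `RootCAs` is assigned but is ignored by the TLS handshake while `InsecureSkipVerify` is `true` (the default set in the flag block), so a user who passes `-tlsCAFile` still gets an unverified connection; consider logging a warning in this branch when both are set, or forcing `InsecureSkipVerify` to `false` once a CA file is provided. The panic messages name `cert_file`, `key_file` and `ca_file`, which are not the flag names (`-tlsCertFile`, `-tlsKeyFile`, `-tlsCAFile`); matching them makes the failure actionable, e.g. `cannot load TLS certificate from -tlsCertFile=%q, -tlsKeyFile=%q: %s`. Minor: `rootCAs` can be declared inside the `if *tlsCaFile != ""` block since it is only used there, and `log.Fatalf` is the conventional way to abort on bad flags in a `main` package rather than `panic`.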
3 changes: 2 additions & 1 deletion docs/CHANGELOG.md
Expand Up @@ -17,11 +17,12 @@ aliases:
- **Update note 2: removed deprecated `mute_time_intervals` from `VMAlertmanagerConfig.spec`. Use `VMAlertmanagerConfig.spec.time_intervals` instead.**
- **Update note 3: operator adds `blackhole` as default route for `VMalertmanager` if root route receiver is empty. Previously it added a first VMAlertmanagerConfig receiver. Update global VMalertmanager configuration with proper route receiver if needed**

- [operator](./README.md): adds `tls_config` and `authKey` settings to auto-created `VMServiceScrape` for CRD objects from `extraArgs`. See [this](https://github.com/VictoriaMetrics/operator/issues/1033) issue for details.
- [config-reloader](./README.md): adds new flags `tlsCaFile`, `tlsCertFile`,`tlsKeyFile`,`tlsServerName`,`tlsInsecureSkipVerify`. It allows to configure `tls` for reload endpoint. Related [issue](https://github.com/VictoriaMetrics/operator/issues/1033).
- [vmuser](https://docs.victoriametrics.com/operator/resources/vmuser/): adds `status.lastSyncError` field, adds server-side validation for `spec.targetRefs.crd.kind`. Adds small refactoring.
- [vmuser](https://docs.victoriametrics.com/operator/resources/vmuser/): allows to skip `VMUser` from `VMAuth` config generation if it has misconfigured fields. Such as references to non-exist `CRD` objects or missing fields. It's highly recommended to enable `Validation` webhook for `VMUsers`, it should reduce surface of potential misconfiguration. See this [issue](https://github.com/VictoriaMetrics/operator/issues/1047) for details.
- [operator](./README.md): properly release `PodDisruptionBudget` object finalizer. Previously it could be kept due to typo. See this [issue](https://github.com/VictoriaMetrics/operator/issues/1036) for details.
- [operator](./README.md): refactors finalizers usage. Simplifies finalizer manipulation with helper functions
- [operator](./README.md): adds `tls_config` and `authKey` settings to auto-created `VMServiceScrape` for CRD objects from `extraArgs`. See [this](https://github.com/VictoriaMetrics/operator/issues/1033) issue for details.
- [vmalertmanagerconfig](./api.md#vmalertmanagerconfig): Improves config validation. Now it properly tracks required fields and provides better feedback for misconfiguration. Adds new `status` fields - `status` and `lastSyncError`. Related [issue](https://github.com/VictoriaMetrics/operator/issues/825).
- [vmalertmanager](./api.md#vmalertmanager): adds `webConfig` that simplifies tls configuration for alertmanager and allows to properly build probes and access urls for alertmanager. See this [issue](https://github.com/VictoriaMetrics/operator/issues/994) for details.
- [vmalertmanager](./api.md#vmalertmanager): adds `gossipConfig` to setup client and server TLS configuration for alertmanager.
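Review bot: the new `config-reloader` entry should state the default of `tlsInsecureSkipVerify` (`true`, preserving the previous behaviour) so readers know verification stays off unless they opt in; also add spaces after the commas in the flag list and write `TLS` rather than `tls` in prose. Not introduced here, but visible in the surrounding context: the `[operator]` entry about `tls_config` and `authKey` appears twice in this list (once above and once below the new line), and one copy could be dropped in a follow-up.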
