Support other TLS modes than mutual auth in Client

[simonswine]

This is a follow-up on findings in PR #3030 (comment).

Currently we are only enabling TLS, if either a client certificate or a ca certificate is enabled: https://github.com/cortexproject/cortex/blob/master/pkg/util/tls/tls.go#L38

We should also support TLS without those flags, for example for

I propose:

• Adding a flag tls-enable to manually enable TLS. The flag will be implicitly set to true by specifying any of the other TLS flags)
• Add test coverage for those operational modes

[pstibrany]

As discussed in #3030, we only need tls-enable for gRPC. (Now, given that gRPC uses HTTP/2 which is HTTPS-first, perhaps we need a flag to disable it instead, and default to disabled to avoid breaking existing setups?)

For HTTP, TLS is enabled by using https scheme in the URL.

[pracucci]

perhaps we need a flag to disable it instead, and default to disabled to avoid breaking existing setups?

I think having a flag to enable it would be more clear. I think @simonswine proposal to keep it disabled by default but enabling it if certs are provided may be a good compromise to keep backward compatibility. With appropriate config doc, looks easy to understand.

[stale]

This issue has been automatically marked as stale because it has not had any activity in the past 60 days. It will be closed in 15 days if no further activity occurs. Thank you for your contributions.

[pracucci]

@simonswine Gentle reminder: could you address coments in #3156 so we can move forward, please?

[simonswine]

@simonswine Gentle reminder: could you address coments in #3156 so we can move forward, please?

Sorry for my delay, I was dragging it around in my TODO list for too long and thanks for the reminder. I have just updated it...

[stale]

This issue has been automatically marked as stale because it has not had any activity in the past 60 days. It will be closed in 15 days if no further activity occurs. Thank you for your contributions.