Skip to content

Add forward proto header configuration for cluster monitoring #729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 4, 2025
Merged

Add forward proto header configuration for cluster monitoring #729

merged 1 commit into from
Aug 4, 2025

Conversation

@raj-manvar
Copy link
Member

@raj-manvar raj-manvar commented Jul 21, 2025

Description

As documented at https://trino.io/docs/current/security/tls.html#use-a-load-balancer-to-terminate-tls-https, when Trino is behind a loadbalancer or proxy like Trino Gateway, it's common that the TLS is terminated at Trino Gateway.

Correspondingly when Trino Gateway forwards the request to Trino clusters, Gateway adds X-Forwarded-* headers in code here. Relevant documentation is here where users can optionally disable this by setting routing.addXForwardedHeaders to false.

This MR is to add the same Header while making health check calls to get cluster stats like queued queries or running queries. Since it's possible that TLS is terminated at Gateway, a similar header would be required when making the http calls to fetch the cluster stats, for example using the /metrics or /v1/jmx/mbean endpoints

If such a header isn't added, the http call to fetch metrics would fail with an error like:

UnexpectedResponseException{message=Request is missing required keys: 
presto_execution_name_QueryManager_RunningQueries
presto_execution_name_QueryManager_QueuedQueries
trino_metadata_name_DiscoveryNodeManager_ActiveNodeCount
in response: 'Error 403 Forbidden: Authentication over HTTP is not enabled', request=GET http://xxxxxxx/metrics?xxxx

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
(x) Release notes are required, with the following suggested text:

* Add option to add `X-Forwarded-Proto` when fetching cluster stats.

@cla-bot cla-bot bot added the cla-signed label Jul 21, 2025
@raj-manvar raj-manvar force-pushed the add_forwarded_header_for_metrics_collector branch from 2be12cb to 5b715e9 Compare July 21, 2025 20:15
@Chaho12 Chaho12 requested a review from andythsu July 21, 2025 23:12
Chaho12
Chaho12 reviewed Jul 21, 2025
View reviewed changes
Copy link
Member

@Chaho12 Chaho12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andythsu Can you check this?

@raj-manvar raj-manvar force-pushed the add_forwarded_header_for_metrics_collector branch 2 times, most recently from f541a47 to c52f01d Compare July 22, 2025 17:27
vishalya
vishalya approved these changes Jul 22, 2025
View reviewed changes
Copy link
Member

@vishalya vishalya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andythsu
Copy link
Member

andythsu commented Jul 22, 2025

On a second thought, is this PR necessary? We are currently using UI_API for healthchecks which calls Trino via HTTPS. We had to turn on ssl for this. How is making calls to /metrics different from UI_API?

@raj-manvar
Copy link
Member Author

raj-manvar commented Jul 22, 2025
edited
Loading

@andythsu https://trino.io/docs/current/security/tls.html#use-a-load-balancer-to-terminate-tls-https has more details, but when a Trino cluster is behind a LoadBalancer/Gateway it usually just doesn't accept https connections ( and only accepts non-secure http connections) . I think in your case, both Gateway and Trino clusters maybe accepting https connections, but that maynot always be the case.
Copy pasting from the above page.

The load balancer or proxy server accepts TLS connections and forwards them to the Trino coordinator, which typically runs with default HTTP configuration on the default port, 8080.

This is because the Trino clusters don't have a certificate which is globally trusted, only the LoadBalancer/Gateway is mounted with a trusted certificate.
For Trino to accept any non-secure http connection with credentials ( via /metrics endpoints or /v1/query) a X-Forwarded-Proto header is required

@raj-manvar
Copy link
Member Author

raj-manvar commented Jul 22, 2025
edited
Loading

We could also consider adding this header by default for all cluster health http calls. For the /v1/statement endpoints this header is added by default here ( unless users specifically set routing.addXForwardedHeaders to false ).
I think having the header maybe harmless incase of secure https connections anyways so we could add it by default

@raj-manvar
Copy link
Member Author

raj-manvar commented Jul 28, 2025

Hello all, is this good to merge now ? Thanks!

@raj-manvar raj-manvar force-pushed the add_forwarded_header_for_metrics_collector branch from c52f01d to 542fa24 Compare August 2, 2025 15:03
ebyhr
ebyhr reviewed Aug 3, 2025
View reviewed changes
@raj-manvar raj-manvar force-pushed the add_forwarded_header_for_metrics_collector branch from 542fa24 to 1b5ce30 Compare August 4, 2025 13:45
@ebyhr ebyhr merged commit fa33312 into trinodb:main Aug 4, 2025
2 checks passed
@github-actions github-actions bot added this to the 16 milestone Aug 4, 2025
@mosabua mosabua mentioned this pull request Aug 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Chaho12 Chaho12 Chaho12 left review comments

@ebyhr ebyhr ebyhr approved these changes

@vishalya vishalya vishalya approved these changes

@andythsu andythsu Awaiting requested review from andythsu

Assignees

No one assigned

Labels

cla-signed

Milestone

16

Development

Successfully merging this pull request may close these issues.

5 participants

@raj-manvar @andythsu @ebyhr @vishalya @Chaho12