Skip to content

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
roman-mazhut merged 52 commits into from
Oct 16, 2024
Merged

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

roman-mazhut merged 52 commits into from
Oct 16, 2024

Conversation

@roman-mazhut
Copy link
Contributor

@roman-mazhut roman-mazhut commented Jul 29, 2024

What this PR does / why we need it:

TLS support was added to xserver and aggregator client.
The server supports 3 modes: disabled(allows plaintext connections only), permissive(allows both plaintext and TLS connections), and enforced(TLS connections only). Also, mutual TLS can be enabled in the server config.

Special notes for your reviewer:

Does this PR introduce a user-facing and/or backwards incompatible change?:

To enable TLS support for the xserver a new section `tls` should be added to the server config. For instance:
----
rawtcp:
  listenAddress: 0.0.0.0:6403
  tls:
    mode: permissive
    mTLSEnabled: true
    certFile: /tmp/server.crt
    keyFile: /tmp/server.key
    clientCAFile: /tmp/rootCA.crt  # required for mTLS
    certificatesTTL: 1h
----

To enable TLS support for the aggregator client a new section `tls` should be added to the client config.
----
connection:
  tls:
    enabled: true
    insecureSkipVerify: false
    serverName: myserver
    caFile: /tmp/rootCA.crt
    certFile: /tmp/client.crt  # required for mTLS
    keyFile: /tmp/client.key  # required for mTLS
----

Benchmarks:
---
go test -bench=. -benchtime=40s -shuffle on
goos: linux
goarch: amd64
pkg: github.com/m3db/m3/src/x/server
cpu: AMD EPYC 7B13

# Create a connection for every data write
BenchmarkPlainTCPServer-96                           641020          202226 ns/op
BenchmarkTLSServer-96                                   24619             1936240 ns/op
BenchmarkMTLSServer-96                                15334            3193834 ns/op

# Use one connection for all data writes
BenchmarkKeepAlivePlainTCPServer-96          10322742      4630 ns/op
BenchmarkKeepAliveMTLSServer-96               12344016      4522 ns/op
BenchmarkKeepAliveTLSServer-96                   10149930      4924 ns/op
---

Does this PR require updating code package or user-facing documentation?:

NONE

roman-mazhut and others added 30 commits April 18, 2024 12:16
@roman-mazhut
Add support of TLS to xserver
f252408
@roman-mazhut
Add support of TLS to aggregator tcp client
413d9d3
@roman-mazhut
Add TLS configuration to aggregator server config
a57d5a6
@roman-mazhut
Split xserver options into options and TLS options
3a206dc
@roman-mazhut
Description added to the IsTLS function
f32c307
@roman-mazhut
Pointers replaced with values in client TLS configuration
92e0920
@roman-mazhut
Close a connection before returning an error if an upgrade to TLS failed
4c798f8
@roman-mazhut
TLSEnabled renamed to Enabled
8c4513a
@roman-mazhut
Integration tests
446d2ef
@roman-mazhut
Cert pool moved to the client struct
d992b6f
@roman-mazhut
Cert pool moved to the server struct
74d9e77
@roman-mazhut
Prevent server tests from being looped forever
09e549d
@roman-mazhut
testPlainTCPServer function added
d841bcf
@roman-mazhut
maybeUpgradeToTLS refactored
702563d
@roman-mazhut
SecuredConnection refactored
b89c701
@roman-mazhut
TLS config TTL
94a5706
@roman-mazhut
Client TLS config cache
414711b
@roman-mazhut
TLS Config manager factored out into a separate package
1ee36de
@roman-mazhut
Merge branch 'master' into add-support-of-tls-to-tcp-client
c450333
@roman-mazhut
Metric added for upgrade to tls errors
7997a01
@roman-mazhut
newConfigManagerScope renamed to newConfigManagerMetrics
8fd3c43
@roman-mazhut
Config manager mutex moved to a field
2c78899
@roman-mazhut
Redundant error check removed
19e99e0
@roman-mazhut
Write/read data tests added to secured connection
3068241
@roman-mazhut
Use tally.TestScope for metrics testing
1f1444d
@roman-mazhut
Use t.Cleanup to close the tls server
4e05948
@roman-mazhut
Waiting for handler calls refactored
ec56885
@roman-mazhut
Early returns refactoring
f2594b2
@roman-mazhut
Server tests refactored into a table test
d53144b
@roman-mazhut
bufio.Reader replaced with a peek function
8582081
roman-mazhut and others added 17 commits July 29, 2024 12:13
@roman-mazhut
Merge branch 'master' into add-support-of-tls-to-tcp-client
cae4342
@roman-mazhut
Linter fixed
6a44f2e
@roman-mazhut
Linter fixed
e848c97
@roman-mazhut
Linter fixed
a07157d
@roman-mazhut
Imports fixed
001ccb3
@roman-mazhut
Imports fixed
2e39e94
@roman-mazhut
Tests fixed
ed12ea4
@roman-mazhut
TLS tests fixed
2a2a17e
@roman-mazhut
loadCertPool function fixed
1b3ec54
@pranithraparthi @roman-mazhut
Add metrics for time taken to connected to m3db cluster during startup (
5a81da4 
#4267)
@kentzeng12 @roman-mazhut
[buildkite] Fix integration dbnode lru and dbnode recently read tests…
b582bc5 
… in buildkite pipeline (#4284)

* uncomment test

* comment out TestGraphiteFindSequential

* do not skip TestGraphiteFindParallel

* skip TestGraphiteFindSequential

* uncomment dbnode read test
@kentzeng12 @roman-mazhut
[buildkite] Fix Docker and Doc build test in buildkite pipeline (#4282)
8ba3134 
* uncomment last test

* uncomment second command

* add common step

* add another command

* switch order of commands

* fix typo

* test1

* uncomment rest of passing pipeline tests
@roman-mazhut
Master merged
e8b051c
@roman-mazhut
Linter errors fixed
f35027c
@roman-mazhut
Benchmark test fixed
ace2a95
@roman-mazhut
Linter errors fixed
2e9ed48
@roman-mazhut
Merge branch 'master' into add-support-of-tls-to-tcp-client
19b6315
andrewmains12
andrewmains12 approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@andrewmains12 andrewmains12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving based on review on #4266

@roman-mazhut roman-mazhut merged commit d39979b into master Oct 16, 2024
@roman-mazhut roman-mazhut deleted the add-support-of-tls-to-tcp-client branch October 16, 2024 14:05
adamjeanlaurent pushed a commit that referenced this pull request Aug 24, 2025
@roman-mazhut @adamjeanlaurent
[xserver] TLS support added to xserver, aggregator server, and aggreg…
6679ea3 
…ator client (#4283)

TLS support was added to xserver and aggregator client.
The server supports three modes: disabled(allows plaintext connections only), permissive(allows both plaintext and TLS connections), and enforced(allows TLS connections only). Mutual TLS can also be enabled in the server config.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewmains12 andrewmains12 andrewmains12 approved these changes

@rahultejwani rahultejwani rahultejwani approved these changes

@shaan420 shaan420 shaan420 approved these changes

@prateek prateek Awaiting requested review from prateek

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@roman-mazhut @andrewmains12 @rahultejwani @shaan420 @pranithraparthi @kentzeng12