Add mTLS support for forwarding metrics to veneur-proxy. (stripe#1034)

clockwisehq · Feb 7, 2023 · f5307f3 · f5307f3
1 parent 42e03f6
commit f5307f3
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/config.go b/config.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/stripe/veneur/v14/util"
 	"github.com/stripe/veneur/v14/util/matcher"
+	"github.com/stripe/veneur/v14/util/tls"
 )
 
 type Config struct {
@@ -50,6 +51,7 @@ type Config struct {
 	TLSAuthorityCertificate     string              `yaml:"tls_authority_certificate"`
 	TLSCertificate              string              `yaml:"tls_certificate"`
 	TLSKey                      util.StringSecret   `yaml:"tls_key"`
+	Tls                         tls.Tls             `yaml:"tls"`
 	TraceMaxLengthBytes         int                 `yaml:"trace_max_length_bytes"`
 	VeneurMetricsAdditionalTags []string            `yaml:"veneur_metrics_additional_tags"`
 	VeneurMetricsScopes         struct {

diff --git a/server.go b/server.go
@@ -28,6 +28,7 @@ import (
 	"github.com/zenazn/goji/bind"
 	"github.com/zenazn/goji/graceful"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 
 	"github.com/pkg/profile"
 
@@ -807,8 +808,17 @@ func (s *Server) Start() {
 	}
 
 	// Initialize a gRPC connection for forwarding
-	var err error
-	s.grpcForwardConn, err = grpc.Dial(s.ForwardAddr, grpc.WithInsecure())
+	tlsConfig, err := s.Config.Tls.GetTlsConfig()
+	if err != nil {
+		s.logger.WithError(err).Fatal("failed to parse tls config")
+	}
+	if tlsConfig != nil {
+		s.grpcForwardConn, err = grpc.Dial(
+			s.ForwardAddr,
+			grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
+	} else {
+		s.grpcForwardConn, err = grpc.Dial(s.ForwardAddr, grpc.WithInsecure())
+	}
 	if err != nil {
 		s.logger.WithError(err).WithFields(logrus.Fields{
 			"forwardAddr": s.ForwardAddr,

diff --git a/testdata/http_test_config.json b/testdata/http_test_config.json
@@ -53,6 +53,7 @@
   "TLSAuthorityCertificate": "",
   "TLSCertificate": "",
   "TLSKey": "",
+  "Tls": {},
   "TraceMaxLengthBytes": 0,
   "VeneurMetricsAdditionalTags": null,
   "VeneurMetricsScopes": {

diff --git a/testdata/http_test_config.yaml b/testdata/http_test_config.yaml
@@ -48,6 +48,8 @@ tags_exclude: []
 tls_authority_certificate: ""
 tls_certificate: ""
 tls_key: ""
+tls:
+  config: null
 trace_max_length_bytes: 0
 veneur_metrics_additional_tags: []
 veneur_metrics_scopes: