From b95d6f5f5ed1f9a8973938e93ef7a908075b729f Mon Sep 17 00:00:00 2001 From: Dmytro Kozlov Date: Thu, 11 Jan 2024 14:04:32 +0100 Subject: [PATCH] app/vmctl: add insecure skip verify flags for source and destination addresses for native protocol (#5606) https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5595
---
 app/vmctl/flags.go | 32 ++++++++++++++++++++++----------
 app/vmctl/main.go | 13 +++++++++++--
 docs/CHANGELOG.md | 1 +
 3 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/app/vmctl/flags.go b/app/vmctl/flags.go
index 1b34f2d12c..4ec4322642 100644
--- a/app/vmctl/flags.go
+++ b/app/vmctl/flags.go
@@ -330,17 +330,19 @@ const (
 vmNativeDisableHTTPKeepAlive = "vm-native-disable-http-keep-alive"
 vmNativeDisablePerMetricMigration = "vm-native-disable-per-metric-migration"
- vmNativeSrcAddr = "vm-native-src-addr"
- vmNativeSrcUser = "vm-native-src-user"
- vmNativeSrcPassword = "vm-native-src-password"
- vmNativeSrcHeaders = "vm-native-src-headers"
- vmNativeSrcBearerToken = "vm-native-src-bearer-token"
+ vmNativeSrcAddr = "vm-native-src-addr"
+ vmNativeSrcUser = "vm-native-src-user"
+ vmNativeSrcPassword = "vm-native-src-password"
+ vmNativeSrcHeaders = "vm-native-src-headers"
+ vmNativeSrcBearerToken = "vm-native-src-bearer-token"
+ vmNativeSrcInsecureSkipVerify = "vm-native-src-insecure-skip-verify"
- vmNativeDstAddr = "vm-native-dst-addr"
- vmNativeDstUser = "vm-native-dst-user"
- vmNativeDstPassword = "vm-native-dst-password"
- vmNativeDstHeaders = "vm-native-dst-headers"
- vmNativeDstBearerToken = "vm-native-dst-bearer-token"
+ vmNativeDstAddr = "vm-native-dst-addr"
+ vmNativeDstUser = "vm-native-dst-user"
+ vmNativeDstPassword = "vm-native-dst-password"
+ vmNativeDstHeaders = "vm-native-dst-headers"
+ vmNativeDstBearerToken = "vm-native-dst-bearer-token"
+ vmNativeDstInsecureSkipVerify = "vm-native-dst-insecure-skip-verify"
 )
 var (
@@ -466,6 +468,16 @@ var (
 "Non-binary export/import API is less efficient, but supports deduplication if it is configured on vm-native-src-addr side.",
 Value: false,
 },
+ &cli.BoolFlag{
+ Name: vmNativeSrcInsecureSkipVerify,
+ Usage: "Whether to skip TLS certificate verification when connecting to the source address",
+ Value: true,
+ },
+ &cli.BoolFlag{
+ Name: vmNativeDstInsecureSkipVerify,
+ Usage: "Whether to skip TLS certificate verification when connecting to the destination address",
+ Value: true,
+ },
 }
 )
diff --git a/app/vmctl/main.go b/app/vmctl/main.go
index 95743081fc..de283da3dc 100644
--- a/app/vmctl/main.go
+++ b/app/vmctl/main.go
@@ -2,6 +2,7 @@ package main
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "log"
 "net/http"
@@ -212,6 +213,7 @@ func main() {
 var srcExtraLabels []string
 srcAddr := strings.Trim(c.String(vmNativeSrcAddr), "/")
+ srcInsecureSkipVerify := c.Bool(vmNativeSrcInsecureSkipVerify)
 srcAuthConfig, err := auth.Generate(
 auth.WithBasicAuth(c.String(vmNativeSrcUser), c.String(vmNativeSrcPassword)),
 auth.WithBearer(c.String(vmNativeSrcBearerToken)),
@@ -219,10 +221,14 @@ func main() {
 if err != nil {
 return fmt.Errorf("error initilize auth config for source: %s", srcAddr)
 }
- srcHTTPClient := &http.Client{Transport: &http.Transport{DisableKeepAlives: disableKeepAlive}}
+ srcHTTPClient := &http.Client{Transport: &http.Transport{
+ DisableKeepAlives: disableKeepAlive,
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: srcInsecureSkipVerify},
+ }}
 dstAddr := strings.Trim(c.String(vmNativeDstAddr), "/")
 dstExtraLabels := c.StringSlice(vmExtraLabel)
+ dstInsecureSkipVerify := c.Bool(vmNativeDstInsecureSkipVerify)
 dstAuthConfig, err := auth.Generate(
 auth.WithBasicAuth(c.String(vmNativeDstUser), c.String(vmNativeDstPassword)),
 auth.WithBearer(c.String(vmNativeDstBearerToken)),
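Review bot: Both new `cli.BoolFlag`s are declared with `Value: true`, so a vmctl run that never mentions the flag silently disables TLS certificate verification for the source and destination connections; since the sibling `-vm-native-src-user`/`-password`/`-bearer-token` flags put credentials on those same connections, a default-on skip-verify hands them to whoever answers the address, with no warning. A flag named `insecure-skip-verify` is conventionally opt-in and users will assume the secure default, so both entries should read `Value: false,`. The help text should also state the consequence, e.g. `Usage: "Whether to skip TLS certificate verification when connecting to the source address. Disabling verification exposes credentials to man-in-the-middle attacks"` (and the matching destination wording). The flag slice this hunk extends begins outside the hunk.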
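Review bot: The source transport now honours `srcInsecureSkipVerify`, but nothing records that verification was switched off, so a migration over an untrusted network leaves no trace in the tool's output; `log` is already imported (visible in the import hunk), so a one-line warning next to the client construction keeps the trade-off visible: `if srcInsecureSkipVerify { log.Printf("WARNING: TLS certificate verification is disabled for source %s", srcAddr) }`. The destination client built later in the function deserves the same warning. If the flags keep defaulting to true the warning would fire on every run, which is itself a reason to make skip-verify opt-in. `main` starts and ends outside this hunk.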
@@ -230,7 +236,10 @@ func main() {
 if err != nil {
 return fmt.Errorf("error initilize auth config for destination: %s", dstAddr)
 }
- dstHTTPClient := &http.Client{Transport: &http.Transport{DisableKeepAlives: disableKeepAlive}}
+ dstHTTPClient := &http.Client{Transport: &http.Transport{
+ DisableKeepAlives: disableKeepAlive,
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: dstInsecureSkipVerify},
+ }}
 p := vmNativeProcessor{
 rateLimit: c.Int64(vmRateLimit),
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 7fd23788d6..a545f897f6 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
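Review bot: The destination client is built with the same four-line `http.Client`/`http.Transport`/`tls.Config` literal as the source client a few lines earlier, so any later hardening of the transport (timeouts, proxy settings, a TLS `MinVersion`) has to be applied twice and the two copies can drift. A small constructor gives the TLS handling one home and keeps both call sites identical: here `dstHTTPClient := newHTTPClient(disableKeepAlive, dstInsecureSkipVerify)`, with the source client calling the same helper. `main` starts and ends outside this hunk.

```go
// newHTTPClient builds the client used for one native-protocol endpoint.
// insecureSkipVerify disables TLS certificate verification and should only
// be set for endpoints the operator explicitly trusts.
func newHTTPClient(disableKeepAlive, insecureSkipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DisableKeepAlives: disableKeepAlive,
		TLSClientConfig:   &tls.Config{InsecureSkipVerify: insecureSkipVerify},
	}}
}

// … in main, unchanged: destination auth config …
dstHTTPClient := newHTTPClient(disableKeepAlive, dstInsecureSkipVerify)
```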
@@ -41,6 +41,7 @@ The sandbox cluster installation is running under the constant load generated by
 * FEATURE: all VictoriaMetrics components: add `-metrics.exposeMetadata` command-line flag, which allows displaying `TYPE` and `HELP` metadata at `/metrics` page exposed at `-httpListenAddr`. This may be needed when the `/metrics` page is scraped by collector, which requires the `TYPE` and `HELP` metadata such as [Google Cloud Managed Prometheus](https://cloud.google.com/stackdriver/docs/managed-prometheus/troubleshooting#missing-metric-type).
 * FEATURE: dashboards/cluster: add panels for detailed visualization of traffic usage between vmstorage, vminsert, vmselect components and their clients. New panels are available in the rows dedicated to specific components.
 * FEATURE: dashboards/cluster: update "Slow Queries" panel to show percentage of the slow queries to the total number of read queries served by vmselect. The percentage value should make it more clear for users whether there is a service degradation.
+* FEATURE [vmctl](https://docs.victoriametrics.com/vmctl.html): add `-vm-native-src-insecure-skip-verify` and `-vm-native-dst-insecure-skip-verify` command-line flags for native protocol. It can be used for skipping TLS certificate verification when connecting to the source or destination addresses.
 * BUGFIX: [VictoriaMetrics cluster](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): properly return full results when `-search.skipSlowReplicas` command-line flag is passed to `vmselect` and when [vmstorage groups](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#vmstorage-groups-at-vmselect) are in use. Previously partial results could be returned in this case.
 * BUGFIX: `vminsert`: properly accept samples via [OpenTelemetry data ingestion protocol](https://docs.victoriametrics.com/#sending-data-via-opentelemetry) when these samples have no [resource attributes](https://opentelemetry.io/docs/instrumentation/go/resources/).
Previously such samples were silently skipped.