m3db / m3

M3 monorepo - Distributed TSDB, Aggregator and Query Engine, Prometheus Sidecar, Graphite Compatible, Metrics Platform
https://m3db.io/
Apache License 2.0

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4266

Open roman-mazhut opened 5 months ago

roman-mazhut commented 5 months ago

What this PR does / why we need it:

TLS support was added to xserver and aggregator client. The server supports 3 modes: disabled (allows plaintext connections only), permissive (allows both plaintext and TLS connections), and enforced (TLS connections only). Also, mutual TLS can be enabled in the server config.

Special notes for your reviewer:

Does this PR introduce a user-facing and/or backwards incompatible change?:

To enable TLS support for the xserver, a new section `tls` should be added to the server config. For instance:
----
rawtcp:
  listenAddress: 0.0.0.0:6403
  tls:
    mode: permissive
    mTLSEnabled: true
    certFile: /tmp/server.crt
    keyFile: /tmp/server.key
    clientCAFile: /tmp/rootCA.crt  # required for mTLS
    certificatesTTL: 1h
----

To enable TLS support for the aggregator client, a new section `tls` should be added to the client config:
----
connection:
  tls:
    enabled: true
    insecureSkipVerify: false
    serverName: myserver
    caFile: /tmp/rootCA.crt
    certFile: /tmp/client.crt  # required for mTLS
    keyFile: /tmp/client.key  # required for mTLS
----

Benchmarks:
---
go test -bench=. -benchtime=40s -shuffle on
goos: linux
goarch: amd64
pkg: github.com/m3db/m3/src/x/server
cpu: AMD EPYC 7B13

# Create a connection for every data write
BenchmarkPlainTCPServer-96              641020       202226 ns/op
BenchmarkTLSServer-96                    24619      1936240 ns/op
BenchmarkMTLSServer-96                   15334      3193834 ns/op

# Use one connection for all data writes
BenchmarkKeepAlivePlainTCPServer-96   10322742         4630 ns/op
BenchmarkKeepAliveMTLSServer-96       12344016         4522 ns/op
BenchmarkKeepAliveTLSServer-96        10149930         4924 ns/op
---

Does this PR require updating code package or user-facing documentation?:

NONE
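The three server modes and the mTLS switch described above, as an added example that is not the PR's code or any part of m3: a loopback server that applies `disabled`, `permissive` and `enforced` to each accepted connection, plus plaintext, CA-only and client-certificate clients built from an in-memory PKI. The names `issue`, `Configs`, `Listen`, `Dial`, `peekedConn`, the one-line `ping` protocol and the certificate names (`rootCA`, `myserver`, `aggregator-client`) are all assumptions made for the example; in particular, deciding "TLS or plaintext" in permissive mode by sniffing the first byte of the connection for a TLS handshake record (0x16) is one way to implement that mode, not a claim about how the PR does it.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a one-hour Ed25519 certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Configs mirrors the PR's config with a constructed in-memory PKI instead of files: the server gets
// certFile/keyFile (+ clientCAFile when mtls is set); both clients get caFile/serverName, authed also a client cert.
func Configs(mtls bool) (server, anon, authed *tls.Config) {
	ca, caKey := issue("rootCA", true, nil, nil)
	srv, srvKey := issue("myserver", false, ca, caKey)
	cli, cliKey := issue("aggregator-client", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	if mtls {
		server.ClientCAs, server.ClientAuth = pool, tls.RequireAndVerifyClientCert
	}
	anon = &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: "myserver"}
	authed = anon.Clone()
	authed.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	return
}

type peekedConn struct { // lets tls.Server consume the byte the sniffer already buffered
	net.Conn
	r *bufio.Reader
}

func (p *peekedConn) Read(b []byte) (int, error) { return p.r.Read(b) }

// serve answers one line, prefixing the reply with the transport that was actually negotiated.
func serve(conn net.Conn, mode string, cfg *tls.Config) {
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))
	br := bufio.NewReader(conn)
	// "permissive" sniffs the first byte: a ClientHello is a TLS handshake record, content type 0x16.
	b, err := br.Peek(1)
	useTLS := mode == "enforced" || (mode == "permissive" && err == nil && b[0] == 0x16)
	c, prefix := net.Conn(&peekedConn{conn, br}), "plain:"
	if useTLS {
		tc := tls.Server(c, cfg)
		if tc.Handshake() != nil {
			return // plaintext client under "enforced", or missing/untrusted client cert under mTLS
		}
		c, prefix = tc, "tls:"
	}
	if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
		fmt.Fprint(c, prefix+line)
	}
}

// Listen starts the accept loop for mode on a loopback port and returns its address.
func Listen(mode string, cfg *tls.Config) string {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			go serve(conn, mode, cfg)
		}
	}()
	return ln.Addr().String()
}

// Dial sends "ping" and returns the server's reply line; cfg == nil means a plaintext client.
func Dial(addr string, cfg *tls.Config) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, time.Second)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(2 * time.Second))
	if cfg != nil {
		conn = tls.Client(conn, cfg)
	}
	fmt.Fprint(conn, "ping\n") // a failed handshake surfaces as the read error below
	return bufio.NewReader(conn).ReadString('\n')
}
```

Running `Dial` against `Listen("permissive", server)` with a plaintext client returns `plain:ping`, with the client-cert config `tls:ping`, and with the CA-only config an error once the mTLS handshake rejects the missing certificate; against `enforced` the plaintext client gets an error instead. The point worth checking before setting `mTLSEnabled: true` in production is visible in the first case: under `permissive`, mTLS only authenticates the clients that chose to speak TLS, so an unauthenticated plaintext writer is still accepted until the mode is moved to `enforced`.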
CLAassistant commented 5 months ago

CLA assistant check
All committers have signed the CLA.

roman-mazhut commented 4 months ago

> Do we have an end to end integration test of this? I'd like to see aggregator client with TLS enabled talking to aggregator server with TLS enabled.

The test is added.