TLS support was added to xserver and the aggregator client.
The server supports 3 modes: disabled (plaintext connections only), permissive (both plaintext and TLS connections), and enforced (TLS connections only). Mutual TLS can also be enabled in the server config.
Special notes for your reviewer:
Does this PR introduce a user-facing and/or backwards incompatible change?:
To enable TLS support for the xserver, a new section `tls` should be added to the server config. For instance:
----
rawtcp:
  listenAddress: 0.0.0.0:6403
  tls:
    mode: permissive
    mTLSEnabled: true
    certFile: /tmp/server.crt
    keyFile: /tmp/server.key
    clientCAFile: /tmp/rootCA.crt # required for mTLS
    certificatesTTL: 1h
----
To enable TLS support for the aggregator client, a new section `tls` should be added to the client config. For instance:
----
connection:
  tls:
    enabled: true
    insecureSkipVerify: false
    serverName: myserver
    caFile: /tmp/rootCA.crt
    certFile: /tmp/client.crt # required for mTLS
    keyFile: /tmp/client.key # required for mTLS
----
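The three server modes and the client options above, as an added Go example that is not m3's code and not the PR's own implementation: `serverTLSConfig` and `clientTLSConfig` are hypothetical helpers that take the already-loaded certificate and CA pool in place of the `certFile`/`keyFile`/`clientCAFile`/`caFile` paths, and `acceptConn` shows one way a permissive listener can be realised, by peeking the first bytes of a connection for a TLS ClientHello record before deciding whether to hand it to the TLS stack. How the PR itself tells TLS from plaintext is not shown on this page; the mode names, the ClientHello prefix and the pipe payload are the only values taken from or constructed for it.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"time"
)

// TLSMode names the three server modes described in the PR.
type TLSMode string

const (
	TLSDisabled   TLSMode = "disabled"   // plaintext connections only
	TLSPermissive TLSMode = "permissive" // plaintext and TLS on the same listener
	TLSEnforced   TLSMode = "enforced"   // TLS connections only
)

// serverTLSConfig (hypothetical helper) mirrors the server `tls` section: cert is the
// parsed certFile/keyFile pair and clientCAs the parsed clientCAFile. With mTLS enabled
// the peer must present a certificate chaining to clientCAs, or the handshake fails.
func serverTLSConfig(mtls bool, cert tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error) {
	if mtls && clientCAs == nil {
		return nil, errors.New("mTLSEnabled requires clientCAFile")
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
	if mtls {
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, clientCAs
	}
	return cfg, nil
}

// clientTLSConfig mirrors the client `tls` section (enabled, insecureSkipVerify,
// serverName, caFile, certFile/keyFile). Unless insecureSkipVerify is true, crypto/tls
// needs both a CA pool and a serverName, or it cannot authenticate the server at all.
func clientTLSConfig(enabled, insecureSkipVerify bool, serverName string, roots *x509.CertPool, cert *tls.Certificate) (*tls.Config, error) {
	if !enabled {
		return nil, nil
	}
	if !insecureSkipVerify && (roots == nil || serverName == "") {
		return nil, errors.New("caFile and serverName are required unless insecureSkipVerify is true")
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: serverName, RootCAs: roots, InsecureSkipVerify: insecureSkipVerify}
	if cert != nil { // client certificate, needed when the server enables mTLS
		cfg.Certificates = []tls.Certificate{*cert}
	}
	return cfg, nil
}

// isTLSClientHello: a TLS handshake record (type 0x16, version major 0x03) whose first message is a ClientHello (0x01).
func isTLSClientHello(b []byte) bool {
	return len(b) >= 6 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01
}

// peekedConn replays the bytes buffered by Peek before reading the socket again.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// acceptConn applies the mode to one accepted connection. Permissive mode peeks the
// first record to pick TLS or plaintext; enforced mode closes anything that is not a
// ClientHello. The peek is bounded by a deadline so a silent client cannot park here.
func acceptConn(raw net.Conn, mode TLSMode, tlsCfg *tls.Config) (conn net.Conn, isTLS bool, err error) {
	if mode == TLSDisabled {
		return raw, false, nil
	}
	br := bufio.NewReader(raw)
	raw.SetReadDeadline(time.Now().Add(5 * time.Second))
	hdr, _ := br.Peek(6) // on a short read or timeout Peek still returns what it has
	raw.SetReadDeadline(time.Time{})
	pc := &peekedConn{Conn: raw, r: br}
	if isTLSClientHello(hdr) {
		return tls.Server(pc, tlsCfg), true, nil
	}
	if mode == TLSEnforced {
		raw.Close()
		return nil, false, errors.New("tls mode enforced: plaintext connection rejected")
	}
	return pc, false, nil
}

func main() {
	// Constructed demo over an in-memory pipe: a plaintext client meets a permissive server.
	client, server := net.Pipe()
	go client.Write([]byte("plaintext payload\n"))
	conn, isTLS, err := acceptConn(server, TLSPermissive, nil)
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 64)
	n, _ := conn.Read(buf)
	fmt.Printf("isTLS=%v payload=%q\n", isTLS, buf[:n])
}
```

The `clientTLSConfig` check makes explicit what `insecureSkipVerify: true` buys: once it is set, `caFile` and `serverName` no longer take part in the handshake, so the client authenticates no one. On the server side, `permissive` is a migration step, since a plaintext peer is still served; `enforced` is the setting that guarantees every connection is encrypted and, with `mTLSEnabled`, that the peer presented a certificate the configured CA signed. The helper treats any mode string other than disabled/enforced as permissive; a real config loader should reject unknown values at parse time.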
Benchmarks:
---
go test -bench=. -benchtime=40s -shuffle on
goos: linux
goarch: amd64
pkg: github.com/m3db/m3/src/x/server
cpu: AMD EPYC 7B13
# Create a connection for every data write
BenchmarkPlainTCPServer-96             641020       202226 ns/op
BenchmarkTLSServer-96                   24619      1936240 ns/op
BenchmarkMTLSServer-96                  15334      3193834 ns/op
# Use one connection for all data writes
BenchmarkKeepAlivePlainTCPServer-96  10322742         4630 ns/op
BenchmarkKeepAliveMTLSServer-96      12344016         4522 ns/op
BenchmarkKeepAliveTLSServer-96       10149930         4924 ns/op
---
Does this PR require updating code package or user-facing documentation?:
Do we have an end to end integration test of this? I'd like to see aggregator client with TLS enabled talking to aggregator server with TLS enabled.
The test is added.