[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

roman-mazhut · 2024-07-29T09:35:59Z

What this PR does / why we need it:

TLS support was added to xserver and aggregator client.
The server supports 3 modes: disabled(allows plaintext connections only), permissive(allows both plaintext and TLS connections), and enforced(TLS connections only). Also, mutual TLS can be enabled in the server config.

Special notes for your reviewer:

Does this PR introduce a user-facing and/or backwards incompatible change?:

To enable TLS support for the xserver a new section `tls` should be added to the server config. For instance:
----
rawtcp:
  listenAddress: 0.0.0.0:6403
  tls:
    mode: permissive
    mTLSEnabled: true
    certFile: /tmp/server.crt
    keyFile: /tmp/server.key
    clientCAFile: /tmp/rootCA.crt  # required for mTLS
    certificatesTTL: 1h
----

To enable TLS support for the aggregator client a new section `tls` should be added to the client config.
----
connection:
  tls:
    enabled: true
    insecureSkipVerify: false
    serverName: myserver
    caFile: /tmp/rootCA.crt
    certFile: /tmp/client.crt  # required for mTLS
    keyFile: /tmp/client.key  # required for mTLS
----

Benchmarks:
---
go test -bench=. -benchtime=40s -shuffle on
goos: linux
goarch: amd64
pkg: github.com/m3db/m3/src/x/server
cpu: AMD EPYC 7B13

# Create a connection for every data write
BenchmarkPlainTCPServer-96                           641020          202226 ns/op
BenchmarkTLSServer-96                                   24619             1936240 ns/op
BenchmarkMTLSServer-96                                15334            3193834 ns/op

# Use one connection for all data writes
BenchmarkKeepAlivePlainTCPServer-96          10322742      4630 ns/op
BenchmarkKeepAliveMTLSServer-96               12344016      4522 ns/op
BenchmarkKeepAliveTLSServer-96                   10149930      4924 ns/op
---

Does this PR require updating code package or user-facing documentation?:

NONE

from securedconn

#4267)

… in buildkite pipeline (#4284) * uncomment test * comment out TestGraphiteFindSequential * do not skip TestGraphiteFindParallel * skip TestGraphiteFindSequential * uncomment dbnode read test

* uncomment last test * uncomment second command * add common step * add another command * switch order of commands * fix typo * test1 * uncomment rest of passing pipeline tests

roman-mazhut and others added 30 commits April 18, 2024 12:16

Add support of TLS to xserver

f252408

Add support of TLS to aggregator tcp client

413d9d3

Add TLS configuration to aggregator server config

a57d5a6

Split xserver options into options and TLS options

3a206dc

Description added to the IsTLS function

f32c307

Pointers replaced with values in client TLS configuration

92e0920

Close a connection before returning an error if an upgrade to TLS failed

4c798f8

TLSEnabled renamed to Enabled

8c4513a

Integration tests

446d2ef

Cert pool moved to the client struct

d992b6f

Cert pool moved to the server struct

74d9e77

Prevent server tests from being looped forever

09e549d

testPlainTCPServer function added

d841bcf

maybeUpgradeToTLS refactored

702563d

SecuredConnection refactored

b89c701

TLS config TTL

94a5706

Client TLS config cache

414711b

TLS Config manager factored out into a separate package

1ee36de

Merge branch 'master' into add-support-of-tls-to-tcp-client

c450333

Metric added for upgrade to tls errors

7997a01

newConfigManagerScope renamed to newConfigManagerMetrics

8fd3c43

Config manager mutex moved to a field

2c78899

Redundant error check removed

19e99e0

Write/read data tests added to secured connection

3068241

Use tally.TestScope for metrics testing

1f1444d

Use t.Cleanup to close the tls server

4e05948

Waiting for handler calls refactored

ec56885

Early returns refactoring

f2594b2

Server tests refactored into a table test

d53144b

bufio.Reader replaced with a peek function

8582081

roman-mazhut added 4 commits July 12, 2024 12:30

Server benchmark

89e7e36

Tests for KeepAlive

161a547

peekedByte pointer replaced with byte and peekedByteIsSet. Mutex removed

c4fb2d2

from securedconn

ServerMode methods generated with enumer

96aa72c

roman-mazhut requested review from prateek, andrewmains12, shaan420 and rahultejwani July 29, 2024 09:35

roman-mazhut and others added 16 commits July 29, 2024 12:13

Merge branch 'master' into add-support-of-tls-to-tcp-client

cae4342

Linter fixed

6a44f2e

Linter fixed

e848c97

Linter fixed

a07157d

Imports fixed

001ccb3

Imports fixed

2e39e94

Tests fixed

ed12ea4

TLS tests fixed

2a2a17e

loadCertPool function fixed

1b3ec54

Add metrics for time taken to connected to m3db cluster during startup (

5a81da4

#4267)

[buildkite] Fix integration dbnode lru and dbnode recently read tests…

b582bc5

… in buildkite pipeline (#4284) * uncomment test * comment out TestGraphiteFindSequential * do not skip TestGraphiteFindParallel * skip TestGraphiteFindSequential * uncomment dbnode read test

[buildkite] Fix Docker and Doc build test in buildkite pipeline (#4282)

8ba3134

* uncomment last test * uncomment second command * add common step * add another command * switch order of commands * fix typo * test1 * uncomment rest of passing pipeline tests

Master merged

e8b051c

Linter errors fixed

f35027c

Benchmark test fixed

ace2a95

Linter errors fixed

2e9ed48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

roman-mazhut commented Jul 29, 2024

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

Are you sure you want to change the base?

[xserver] TLS support added to xserver, aggregator server, and aggregator client #4283

Conversation

roman-mazhut commented Jul 29, 2024