diff --git a/docs/sources/configuration/_index.md b/docs/sources/configuration/_index.md
index ea08d3d6888b9..02f1be7996a7f 100644
--- a/docs/sources/configuration/_index.md
+++ b/docs/sources/configuration/_index.md
@@ -374,6 +374,27 @@ The `frontend` block configures the Loki query-frontend.
 # CLI flag: -frontend.tail-proxy-url
 [tail_proxy_url: | default = ""]
 
+tail_tls_config:
+  # Path to the client certificate file, which will be used for authenticating
+  # with the server. Also requires the key path to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-cert-path
+  [tls_cert_path: | default = ""]
+
+  # Path to the key file for the client certificate. Also requires the client
+  # certificate to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-key-path
+  [tls_key_path: | default = ""]
+
+  # Path to the CA certificates file to validate server certificate against. If
+  # not set, the host's root CA certificates are used.
+  # CLI flag: -frontend.tail-tls-config.tls-ca-path
+  [tls_ca_path: | default = ""]
+
+  # Skip validating server certificate.
+  # CLI flag: -frontend.tail-tls-config.tls-insecure-skip-verify
+  [tls_insecure_skip_verify: | default = false]
+
+
 # DNS hostname used for finding query-schedulers.
 # CLI flag: -frontend.scheduler-address
 [scheduler_address: | default = ""]
diff --git a/pkg/loki/modules.go b/pkg/loki/modules.go
index c17486dd41c4f..7b2398e5b87ae 100644
--- a/pkg/loki/modules.go
+++ b/pkg/loki/modules.go
@@ -533,6 +533,15 @@ func (t *Loki) initQueryFrontend() (_ services.Service, err error) {
 	}
 	tp := httputil.NewSingleHostReverseProxy(tailURL)
 
+	cfg, err := t.Cfg.Frontend.TLS.GetTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	tp.Transport = &http.Transport{
+		TLSClientConfig: cfg,
+	}
+
 	director := tp.Director
 	tp.Director = func(req *http.Request) {
 		director(req)
diff --git a/pkg/lokifrontend/config.go b/pkg/lokifrontend/config.go
index f4764ff6b4153..90f16493222af 100644
--- a/pkg/lokifrontend/config.go
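Review bot: Installing a bare `&http.Transport{TLSClientConfig: cfg}` in the modules.go hunk discards every setting `http.DefaultTransport` carries — in particular `TLSHandshakeTimeout`, the dial timeout, `IdleConnTimeout` and `Proxy: http.ProxyFromEnvironment` — so a tail upstream that accepts the TCP connection but stalls the TLS handshake can block the frontend's tail requests indefinitely, and an HTTPS_PROXY the operator relies on is silently ignored. Start from the stdlib defaults instead: `transport := http.DefaultTransport.(*http.Transport).Clone()`, `transport.TLSClientConfig = cfg`, `tp.Transport = transport`. Because the transport is now set unconditionally, the hunk should also say why that is safe when no `tail_tls_config` is given, e.g. `// GetTLSConfig yields a usable config even with no TLS options set; it is only consulted for https tail URLs` — dskit's implementation is not visible here, so confirm it does not return nil or an error in that case. initQueryFrontend's body continues outside the hunk on both sides.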
+++ b/pkg/lokifrontend/config.go
@@ -3,6 +3,8 @@ package lokifrontend
 import (
 	"flag"
 
+	"github.com/grafana/dskit/crypto/tls"
+
 	"github.com/grafana/loki/pkg/lokifrontend/frontend/transport"
 	v1 "github.com/grafana/loki/pkg/lokifrontend/frontend/v1"
 	v2 "github.com/grafana/loki/pkg/lokifrontend/frontend/v2"
@@ -16,7 +18,8 @@ type Config struct {
 
 	CompressResponses bool   `yaml:"compress_responses"`
 	DownstreamURL     string `yaml:"downstream_url"`
-	TailProxyURL      string `yaml:"tail_proxy_url"`
+	TailProxyURL      string           `yaml:"tail_proxy_url"`
+	TLS               tls.ClientConfig `yaml:"tail_tls_config"`
 }
 
 // RegisterFlags adds the flags required to config this to the given FlagSet.
@@ -24,6 +27,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 	cfg.Handler.RegisterFlags(f)
 	cfg.FrontendV1.RegisterFlags(f)
 	cfg.FrontendV2.RegisterFlags(f)
+	cfg.TLS.RegisterFlagsWithPrefix("frontend.tail-tls-config", f)
 	f.BoolVar(&cfg.CompressResponses, "querier.compress-http-responses", false, "Compress HTTP responses.")
 	f.StringVar(&cfg.DownstreamURL, "frontend.downstream-url", "", "URL of downstream Prometheus.")