From ec285083e64230deae77e8e4e75d1486e48d94d1 Mon Sep 17 00:00:00 2001 From: Tristan Colgate Date: Fri, 7 Sep 2018 10:18:12 +0100 Subject: [PATCH] Allow specifying simple gRPC transport credentials --- Gopkg.lock | 236 +++++-------------------------------- cmd/thanos/flags.go | 20 +++- cmd/thanos/main.go | 45 ++++++- cmd/thanos/query.go | 90 +++++++++++++- cmd/thanos/rule.go | 14 ++- cmd/thanos/sidecar.go | 14 ++- cmd/thanos/store.go | 15 ++- docs/components/query.md | 12 ++ docs/components/rule.md | 130 ++++++++++---------- docs/components/sidecar.md | 6 + docs/components/store.md | 106 +++++++++-------- 11 files changed, 350 insertions(+), 338 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index ea1a54da777..087a5c05714 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -2,7 +2,6 @@ [[projects]] - digest = "1:dba68f7bbe24869618a68a59d21e8df281430aa38aaf6179aca3ae33e46ff328" name = "cloud.google.com/go" packages = [ "compute/metadata", 
@@ -11,147 +10,115 @@ "internal/optional", "internal/version", "storage", - "trace/apiv1", + "trace/apiv1" ] - pruneopts = "" revision = "2d3a6656c17a60b0815b7e06ab0be04eacb6e613" version = "v0.16.0" [[projects]] - digest = "1:27225d855b839ce9c20e1a2291e4447f744effb952f9eb69ef1a313bf7acb458" name = "contrib.go.opencensus.io/exporter/stackdriver" packages = ["propagation"] - pruneopts = "" revision = "2b93072101d466aa4120b3c23c2e1b08af01541c" version = "v0.6.0" [[projects]] - digest = "1:b0fe84bcee1d0c3579d855029ccd3a76deea187412da2976985e4946289dbb2c" name = "github.com/NYTimes/gziphandler" packages = ["."] - pruneopts = "" revision = "2600fb119af974220d3916a5916d6e31176aac1b" version = "v1.0.1" [[projects]] branch = "master" - digest = "1:1399282ad03ac819f0e8a747c888407c5c98bb497d33821a7047c7bae667ede0" name = "github.com/alecthomas/template" packages = [ ".", - "parse", + "parse" ] - pruneopts = "" revision = "a0175ee3bccc567396460bf5acd36800cb10c49c" [[projects]] branch = "master" - digest = "1:8483994d21404c8a1d489f6be756e25bfccd3b45d65821f25695577791a08e68" name = "github.com/alecthomas/units" packages = ["."] - pruneopts = "" revision = "2efee857e7cfd4f3d0138cc3cbb1b4966962b93a" [[projects]] branch = "master" - digest = "1:d64110a78451e373c5a952d2625323dbbe3bfe41c67f9652ea9668a6ceb4f645" name = "github.com/armon/go-metrics" packages = [ ".", - "prometheus", + "prometheus" ] - pruneopts = "" revision = "3c58d8115a78a6879e5df75ae900846768d36895" [[projects]] branch = "master" - digest = "1:fca298802a2ab834d6eb0e284788ae037ebc324c0f325ff92c5eea592d189cc5" name = "github.com/beorn7/perks" packages = ["quantile"] - pruneopts = "" revision = "3a771d992973f24aa725d07868b467d1ddfceafb" [[projects]] - digest = "1:1660bb2e30cca08494f29b5593e387c6090fbe8936970ba947185b0ca000aec0" name = "github.com/cespare/xxhash" packages = ["."] - pruneopts = "" revision = "5c37fe3735342a2e0d01c87a907579987c8936cc" version = "v1.0.0" [[projects]] branch = "master" - digest = 
"1:c367c68b4bf22ef91069ae442422025da1a3a57049b370252a7b4a895c3fdd6b" name = "github.com/dustin/go-humanize" packages = ["."] - pruneopts = "" revision = "9f541cc9db5d55bce703bd99987c9d5cb8eea45e" [[projects]] - digest = "1:e5c807ac3b60699ccec9263f6eec756251b17e78582eb149f90ac345d9e58327" name = "github.com/fortytw2/leaktest" packages = ["."] - pruneopts = "" revision = "a5ef70473c97b71626b9abeda80ee92ba2a7de9e" version = "v1.2.0" [[projects]] - digest = "1:b2106f1668ea5efc1ecc480f7e922a093adb9563fd9ce58585292871f0d0f229" name = "github.com/fsnotify/fsnotify" packages = ["."] - pruneopts = "" revision = "c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9" version = "v1.4.7" [[projects]] - digest = "1:4d5221853226d8d4be594d52d885ddde38170d2e3159b82ed92ecde4dded2304" name = "github.com/go-ini/ini" packages = ["."] - pruneopts = "" revision = "5cf292cae48347c2490ac1a58fe36735fb78df7e" version = "v1.38.2" [[projects]] - digest = "1:8bde347c11c0df9cb474b5927a7cdab415adb841247e5e8404adbd12249efb22" name = "github.com/go-kit/kit" packages = [ "log", - "log/level", + "log/level" ] - pruneopts = "" revision = "4dc7be5d2d12881735283bcab7352178e190fc71" version = "v0.6.0" [[projects]] - digest = "1:6a4a01d58b227c4b6b11111b9f172ec5c17682b82724e58e6daf3f19f4faccd8" name = "github.com/go-logfmt/logfmt" packages = ["."] - pruneopts = "" revision = "390ab7935ee28ec6b286364bba9b4dd6410cb3d5" version = "v0.3.0" [[projects]] - digest = "1:a01080d20c45c031c13f3828c56e58f4f51d926a482ad10cc0316225097eb7ea" name = "github.com/go-stack/stack" packages = ["."] - pruneopts = "" revision = "2fee6af1a9795aafbe0253a0cfbdf668e1fb8a9a" version = "v1.8.0" [[projects]] - digest = "1:673df1d02ca0c6f51458fe94bbb6fae0b05e54084a31db2288f1c4321255c2da" name = "github.com/gogo/protobuf" packages = [ "gogoproto", "proto", - "protoc-gen-gogo/descriptor", + "protoc-gen-gogo/descriptor" ] - pruneopts = "" revision = "636bf0302bc95575d69441b25a2603156ffdddf1" version = "v1.1.1" [[projects]] - digest = 
"1:815d45503dceeca8ffecce0081d7edeae5e75b126107ef763d1c617154d72359" name = "github.com/golang/protobuf" packages = [ "proto", 
@@ -160,148 +127,114 @@ "ptypes/any", "ptypes/duration", "ptypes/empty", - "ptypes/timestamp", + "ptypes/timestamp" ] - pruneopts = "" revision = "aa810b61a9c79d51363740d207bb46cf8e620ed5" version = "v1.2.0" [[projects]] branch = "master" - digest = "1:075128b9fc42e6d99067da1a2e6c0a634a6043b5a60abe6909c51f5ecad37b6d" name = "github.com/golang/snappy" packages = ["."] - pruneopts = "" revision = "2e65f85255dbc3072edf28d6b5b8efc472979f5a" [[projects]] - digest = "1:e097a364f4e8d8d91b9b9eeafb992d3796a41fde3eb548c1a87eb9d9f60725cf" name = "github.com/googleapis/gax-go" packages = ["."] - pruneopts = "" revision = "317e0006254c44a0ac427cc52a0e083ff0b9622f" version = "v2.0.0" [[projects]] - digest = "1:0bf81a189b23434fc792317c9276abfe7aee4eb3f85d3c3659a2e0f21acafe97" name = "github.com/grpc-ecosystem/go-grpc-middleware" packages = [ ".", "recovery", "tags", "tracing/opentracing", - "util/metautils", + "util/metautils" ] - pruneopts = "" revision = "c250d6563d4d4c20252cd865923440e829844f4e" version = "v1.0.0" [[projects]] branch = "master" - digest = "1:ab673e7646a69f9f295248d41b54641b66644d92eb3b863dfd56fae2a2a55de6" name = "github.com/grpc-ecosystem/go-grpc-prometheus" packages = ["."] - pruneopts = "" revision = "93bf4626fba73b751b0f3cdf2649be4ce0c420cd" [[projects]] - digest = "1:8e3bd93036b4a925fe2250d3e4f38f21cadb8ef623561cd80c3c50c114b13201" name = "github.com/hashicorp/errwrap" packages = ["."] - pruneopts = "" revision = "8a6fb523712970c966eefc6b39ed2c5e74880354" version = "v1.0.0" [[projects]] - digest = "1:c5466dfad4c14bf8e52a34b0eb98f1301acc1e304e0f0ff2c51c356ca1b86747" name = "github.com/hashicorp/go-immutable-radix" packages = ["."] - pruneopts = "" revision = "27df80928bb34bb1b0d6d0e01b9e679902e7a6b5" version = "v1.0.0" [[projects]] branch = "master" - digest = "1:6a611e691e739173805cb54019b5c39bb9d46455526dff31e0e6fe3aaca52776" name = "github.com/hashicorp/go-msgpack" packages = ["codec"] - pruneopts = "" revision = 
"fa3f63826f7c23912c15263591e65d54d080b458" [[projects]] - digest = "1:72308fdd6d5ef61106a95be7ca72349a5565809042b6426a3cfb61d99483b824" name = "github.com/hashicorp/go-multierror" packages = ["."] - pruneopts = "" revision = "886a7fbe3eb1c874d46f623bfa70af45f425b3d1" version = "v1.0.0" [[projects]] branch = "master" - digest = "1:74f54e6ef2339f1de1e8c4b6674442118bd89e619b2fbd949ef2337330067994" name = "github.com/hashicorp/go-sockaddr" packages = ["."] - pruneopts = "" revision = "6d291a969b86c4b633730bfc6b8b9d64c3aafed9" [[projects]] - digest = "1:3313a63031ae281e5f6fd7b0bbca733dfa04d2429df86519e3b4d4c016ccb836" name = "github.com/hashicorp/golang-lru" packages = ["simplelru"] - pruneopts = "" revision = "20f1fb78b0740ba8c3cb143a61e86ba5c8669768" version = "v0.5.0" [[projects]] - digest = "1:d7ce65372f495908f80fc1f80f4dab5d763d9a1de544abd95aa719e4262d0dd5" name = "github.com/hashicorp/memberlist" packages = ["."] - pruneopts = "" revision = "ce8abaa0c60c2d6bee7219f5ddf500e0a1457b28" version = "v0.1.0" [[projects]] - digest = "1:3c818dada3e41bdb0f509f78e6775610f1bb179449ec8c4c86a45fae35460f3f" name = "github.com/julienschmidt/httprouter" packages = ["."] - pruneopts = "" revision = "8c199fb6259ffc1af525cc3ad52ee60ba8359669" version = "v1.1" [[projects]] branch = "master" - digest = "1:1ed9eeebdf24aadfbca57eb50e6455bd1d2474525e0f0d4454de8c8e9bc7ee9a" name = "github.com/kr/logfmt" packages = ["."] - pruneopts = "" revision = "b84e30acd515aadc4b783ad4ff83aff3299bdfe0" [[projects]] - digest = "1:b7a85bb1d9cf6e6cf5f2a2b69808ad5bece173e390dcf857786a4804606d7e7e" name = "github.com/lovoo/gcloud-opentracing" packages = ["."] - pruneopts = "" revision = "9a3ba70d6a016bafc680df855bd7ed25b81fad5f" version = "v0.3.0" [[projects]] - digest = "1:49a8b01a6cd6558d504b65608214ca40a78000e1b343ed0da5c6a9ccd83d6d30" name = "github.com/matttproud/golang_protobuf_extensions" packages = ["pbutil"] - pruneopts = "" revision = "c12348ce28de40eed0136aa2b644d0ee0650e56c" version = "v1.0.1" 
[[projects]] - digest = "1:f0bad0fece0fb73c6ea249c18d8e80ffbe86be0457715b04463068f04686cf39" name = "github.com/miekg/dns" packages = ["."] - pruneopts = "" revision = "5a2b9fab83ff0f8bfc99684bd5f43a37abe560f1" version = "v1.0.8" [[projects]] - digest = "1:a513d21165a0cc81a2e443ba65f992bd1b0a5b2f0c0fe27a58642d915557f966" name = "github.com/minio/minio-go" packages = [ ".", 
@@ -309,123 +242,99 @@ "pkg/encrypt", "pkg/s3signer", "pkg/s3utils", - "pkg/set", + "pkg/set" ] - pruneopts = "" revision = "70799fe8dae6ecfb6c7d7e9e048fce27f23a1992" version = "v6.0.5" [[projects]] - digest = "1:096a8a9182648da3d00ff243b88407838902b6703fc12657f76890e08d1899bf" name = "github.com/mitchellh/go-homedir" packages = ["."] - pruneopts = "" revision = "ae18d6b8b3205b561c79e8e5f69bff09736185f4" version = "v1.0.0" [[projects]] branch = "master" - digest = "1:3adc46876d4d0e4d5bbcfcc44c2116b95d7a5c966e2ee92a219488547fd453f2" name = "github.com/nightlyone/lockfile" packages = ["."] - pruneopts = "" revision = "0ad87eef1443f64d3d8c50da647e2b1552851124" [[projects]] - digest = "1:94e9081cc450d2cdf4e6886fc2c06c07272f86477df2d74ee5931951fa3d2577" name = "github.com/oklog/run" packages = ["."] - pruneopts = "" revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" [[projects]] - digest = "1:ef57aecdf87b09455aeab4413d7e2cd15a0021fddfaa654ffb74cf266068788b" name = "github.com/oklog/ulid" packages = ["."] - pruneopts = "" revision = "d311cb43c92434ec4072dfbbda3400741d0a6337" version = "v0.3.0" [[projects]] - digest = "1:171ac7b583c9e4f28dfd3c310fdef0802a9db6afa066ab71e2134ff2cfb646d7" name = "github.com/opentracing/basictracer-go" packages = [ ".", - "wire", + "wire" ] - pruneopts = "" revision = "1b32af207119a14b1b231d451df3ed04a72efebf" version = "v1.0.0" [[projects]] - digest = "1:bba12aa4747b212f75db3e7fee73fe1b66d303cb3ff0c1984b7f2ad20e8bd2bc" name = "github.com/opentracing/opentracing-go" packages = [ ".", "ext", - "log", + "log" ] - pruneopts = "" revision = "1949ddbfd147afd4d964a9f00b24eb291e0e7c38" version = "v1.0.2" [[projects]] - digest = "1:7365acd48986e205ccb8652cc746f09c8b7876030d53710ea6ef7d0bd0dcd7ca" name = "github.com/pkg/errors" packages = ["."] - pruneopts = "" revision = "645ef00459ed84a119197bfb8d8205042c6df63d" version = "v0.8.0" [[projects]] - digest = "1:6b845cb63c34fc6ed0f4eb2d5ff1f5834c76f133c17b680fc36ad7c5021a8011" name 
= "github.com/prometheus/client_golang" packages = [ "prometheus", "prometheus/internal", - "prometheus/promhttp", + "prometheus/promhttp" ] - pruneopts = "" revision = "e637cec7d9c8990247098639ebc6d43dd34ddd49" [[projects]] branch = "master" - digest = "1:562d53e436b244a9bb5c1ff43bcaf4882e007575d34ec37717b15751c65cc63a" name = "github.com/prometheus/client_model" packages = ["go"] - pruneopts = "" revision = "5c3871d89910bfb32f5fcab2aa4b9ec68e65a99f" [[projects]] branch = "master" - digest = "1:8a871dca636f82a927daffe10e9866fee6aa97a215905d56e97ecc73c07d5d44" name = "github.com/prometheus/common" packages = [ "expfmt", "internal/bitbucket.org/ww/goautoneg", "model", "route", - "version", + "version" ] - pruneopts = "" revision = "c7de2306084e37d54b8be01f3541a8464345e9a5" [[projects]] branch = "master" - digest = "1:7f298639cea3d8fe88aeefe6a7af1d642bca295cd125e172d320f57064c956c2" name = "github.com/prometheus/procfs" packages = [ ".", "internal/util", "nfs", - "xfs", + "xfs" ] - pruneopts = "" revision = "05ee40e3a273f7245e8777337fc7b46e533a9a92" [[projects]] - digest = "1:b5ff9852eabe841003da4b0a4b742a2878c722dda6481003432344f633a814fc" name = "github.com/prometheus/prometheus" packages = [ "pkg/labels", @@ -440,14 +349,12 @@ "template", "util/stats", "util/strutil", - "util/testutil", + "util/testutil" ] - pruneopts = "" revision = "71af5e29e815795e9dd14742ee7725682fa14b7b" version = "v2.3.2" [[projects]] - digest = "1:216dcf26fbfb3f36f286ca3306882a157c51648e4b5d4f3a9e9c719faea6ea58" name = "github.com/prometheus/tsdb" packages = [ ".", 
@@ -455,29 +362,23 @@ "chunks", "fileutil", "index", - "labels", + "labels" ] - pruneopts = "" revision = "bd832fc8274e8fe63999ac749daaaff9d881241f" [[projects]] branch = "master" - digest = "1:6ee36f2cea425916d81fdaaf983469fc18f91b3cf090cfe90fa0a9d85b8bfab7" name = "github.com/sean-/seed" packages = ["."] - pruneopts = "" revision = "e2103e2c35297fb7e17febb81e49b312087a2372" [[projects]] - digest = "1:2c38661f5fb038bfb95197e0e5bc7a8f050d1f992c5ddaa01945e58fe2ef00de" name = "github.com/sirupsen/logrus" packages = ["."] - pruneopts = "" revision = "3e01752db0189b9157070a0e1668a620f9a85da2" version = "v1.0.6" [[projects]] - digest = "1:081bd218a5f06b96c08d91530c185dd1b579584be4c96ea70a17438e44fd59d0" name = "go.opencensus.io" packages = [ ".", @@ -492,29 +393,25 @@ "tag", "trace", "trace/internal", - "trace/propagation", + "trace/propagation" ] - pruneopts = "" revision = "7b558058b7cc960667590e5413ef55157b06652e" version = "v0.15.0" [[projects]] branch = "master" - digest = "1:3a2cd3e4815469d0a8fad881966023406563b791d9807709de28d04f9d5ed40f" name = "golang.org/x/crypto" packages = [ "argon2", "blake2b", "ed25519", "ed25519/internal/edwards25519", - "ssh/terminal", + "ssh/terminal" ] - pruneopts = "" revision = "182538f80094b6a8efaade63a8fd8e0d9d5843dd" [[projects]] branch = "master" - digest = "1:6a5a7b24df8b4d0263fb5d02ad2ddac16c73745fae60a56f4230175bf7162be5" name = "golang.org/x/net" packages = [ "bpf", 
@@ -529,50 +426,42 @@ "internal/timeseries", "ipv4", "ipv6", - "trace", + "trace" ] - pruneopts = "" revision = "8a410e7b638dca158bf9e766925842f6651ff828" [[projects]] branch = "master" - digest = "1:ae181e046572bff397421c415715120190004207493745fec4b385925dc13f6d" name = "golang.org/x/oauth2" packages = [ ".", "google", "internal", "jws", - "jwt", + "jwt" ] - pruneopts = "" revision = "d2e6202438beef2727060aa7cabdd924d92ebfd9" [[projects]] branch = "master" - digest = "1:d84d0f563cc649de4c9a8272a0395f75b11952202d18d4d927e933cc91493062" name = "golang.org/x/sync" packages = [ "errgroup", - "semaphore", + "semaphore" ] - pruneopts = "" revision = "1d60e4601c6fd243af51cc01ddf169918a5407ca" [[projects]] branch = "master" - digest = "1:649f2e24b22ef65ea110a3ce82f327019aec48f625586ea9716e53152e013a88" name = "golang.org/x/sys" packages = [ "cpu", "unix", - "windows", + "windows" ] - pruneopts = "" revision = "fa5fdf94c78965f1aa8423f0cc50b8b8d728b05a" [[projects]] - digest = "1:af9bfca4298ef7502c52b1459df274eed401a4f5498b900e9a92d28d3d87ac5a" name = "golang.org/x/text" packages = [ "collate", @@ -588,15 +477,13 @@ "unicode/bidi", "unicode/cldr", "unicode/norm", - "unicode/rangetable", + "unicode/rangetable" ] - pruneopts = "" revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0" version = "v0.3.0" [[projects]] branch = "master" - digest = "1:4c11fda7ef44f31a6cb30fc84d186dcf6a3a7c320f61980bb90ccefa92f02216" name = "google.golang.org/api" packages = [ "gensupport", @@ -610,13 +497,11 @@ "support/bundler", "transport", "transport/grpc", - "transport/http", + "transport/http" ] - pruneopts = "" revision = "b810576d88a056b90ef18a0b5328544c9c074c68" [[projects]] - digest = "1:eede11c81b63c8f6fd06ef24ba0a640dc077196ec9b7a58ecde03c82eee2f151" name = "google.golang.org/appengine" packages = [ ".", 
@@ -630,27 +515,23 @@ "internal/socket", "internal/urlfetch", "socket", - "urlfetch", + "urlfetch" ] - pruneopts = "" revision = "b1f26356af11148e710935ed1ac8a7f5702c7612" version = "v1.1.0" [[projects]] branch = "master" - digest = "1:c8aa249fb74a455a901ef97b28dd8225a3f65a5af0b2127d7ac3f54924866086" name = "google.golang.org/genproto" packages = [ "googleapis/api/annotations", "googleapis/devtools/cloudtrace/v1", "googleapis/iam/v1", - "googleapis/rpc/status", + "googleapis/rpc/status" ] - pruneopts = "" revision = "c66870c02cf823ceb633bcd05be3c7cda29976f4" [[projects]] - digest = "1:cb1330030248de97a11d9f9664f3944fce0df947e5ed94dbbd9cb6e77068bd46" name = "google.golang.org/grpc" packages = [ ".", 
@@ -679,89 +560,26 @@ "resolver/passthrough", "stats", "status", - "tap", + "tap" ] - pruneopts = "" revision = "32fb0ac620c32ba40a4626ddf94d90d12cce3455" version = "v1.14.0" [[projects]] - digest = "1:2840683aa0e9980689f85bf48b2a56ec7a108fd089f12af8ea7d98c172819589" name = "gopkg.in/alecthomas/kingpin.v2" packages = ["."] - pruneopts = "" revision = "947dcec5ba9c011838740e680966fd7087a71d0d" version = "v2.2.6" [[projects]] branch = "v2" - digest = "1:f0620375dd1f6251d9973b5f2596228cc8042e887cd7f827e4220bc1ce8c30e2" name = "gopkg.in/yaml.v2" packages = ["."] - pruneopts = "" revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183" [solve-meta] analyzer-name = "dep" analyzer-version = 1 - input-imports = [ - "cloud.google.com/go/storage", - "cloud.google.com/go/trace/apiv1", - "github.com/NYTimes/gziphandler", - "github.com/armon/go-metrics", - "github.com/armon/go-metrics/prometheus", - "github.com/fortytw2/leaktest", - "github.com/fsnotify/fsnotify", - "github.com/go-kit/kit/log", - "github.com/go-kit/kit/log/level", - "github.com/gogo/protobuf/gogoproto", - "github.com/gogo/protobuf/proto", - "github.com/golang/snappy", - "github.com/grpc-ecosystem/go-grpc-middleware", - "github.com/grpc-ecosystem/go-grpc-middleware/recovery", - "github.com/grpc-ecosystem/go-grpc-middleware/tracing/opentracing", - "github.com/grpc-ecosystem/go-grpc-prometheus", - "github.com/hashicorp/go-sockaddr", - "github.com/hashicorp/golang-lru/simplelru", - "github.com/hashicorp/memberlist", - "github.com/lovoo/gcloud-opentracing", - "github.com/minio/minio-go", - "github.com/minio/minio-go/pkg/credentials", - "github.com/minio/minio-go/pkg/encrypt", - "github.com/oklog/run", - "github.com/oklog/ulid", - "github.com/opentracing/basictracer-go", - "github.com/opentracing/opentracing-go", - "github.com/opentracing/opentracing-go/ext", - "github.com/pkg/errors", - "github.com/prometheus/client_golang/prometheus", - "github.com/prometheus/client_golang/prometheus/promhttp", - 
"github.com/prometheus/common/model", - "github.com/prometheus/common/route", - "github.com/prometheus/common/version", - "github.com/prometheus/prometheus/pkg/labels", - "github.com/prometheus/prometheus/pkg/timestamp", - "github.com/prometheus/prometheus/pkg/value", - "github.com/prometheus/prometheus/promql", - "github.com/prometheus/prometheus/rules", - "github.com/prometheus/prometheus/storage", - "github.com/prometheus/prometheus/storage/tsdb", - "github.com/prometheus/prometheus/util/strutil", - "github.com/prometheus/tsdb", - "github.com/prometheus/tsdb/chunkenc", - "github.com/prometheus/tsdb/chunks", - "github.com/prometheus/tsdb/fileutil", - "github.com/prometheus/tsdb/index", - "github.com/prometheus/tsdb/labels", - "golang.org/x/net/context", - "golang.org/x/sync/errgroup", - "google.golang.org/api/iterator", - "google.golang.org/api/option", - "google.golang.org/grpc", - "google.golang.org/grpc/codes", - "google.golang.org/grpc/status", - "gopkg.in/alecthomas/kingpin.v2", - "gopkg.in/yaml.v2", - ] + inputs-digest = "f7208166a3697fa858357ffe898babb33dda56905674bdcf7fc3e7696d942e2a" solver-name = "gps-cdcl" solver-version = 1 diff --git a/cmd/thanos/flags.go b/cmd/thanos/flags.go index 30d21875511..d325e24c3f4 100644 --- a/cmd/thanos/flags.go +++ b/cmd/thanos/flags.go 
@@ -16,14 +16,25 @@ import ( "gopkg.in/alecthomas/kingpin.v2" ) -func regCommonServerFlags(cmd *kingpin.CmdClause) (*string, *string, func(log.Logger, *prometheus.Registry, bool, string, bool) (*cluster.Peer, error)) { - grpcBindAddr := cmd.Flag("grpc-address", "Listen ip:port address for gRPC endpoints (StoreAPI). Make sure this address is routable from other components if you use gossip, 'grpc-advertise-address' is empty and you require cross-node connection."). +func regCommonServerFlags(cmd *kingpin.CmdClause) ( + grpcBindAddr *string, + httpBindAddr *string, + grpcTLSSrvCert *string, + grpcTLSSrvKey *string, + grpcTLSSrvClientCA *string, + peerFunc func(log.Logger, *prometheus.Registry, bool, string, bool) (*cluster.Peer, error)) { + + grpcBindAddr = cmd.Flag("grpc-address", "Listen ip:port address for gRPC endpoints (StoreAPI). Make sure this address is routable from other components if you use gossip, 'grpc-advertise-address' is empty and you require cross-node connection."). Default("0.0.0.0:10901").String() grpcAdvertiseAddr := cmd.Flag("grpc-advertise-address", "Explicit (external) host:port address to advertise for gRPC StoreAPI in gossip cluster. If empty, 'grpc-address' will be used."). String() - httpBindAddr := regHTTPAddrFlag(cmd) + grpcTLSSrvKey = cmd.Flag("grpc-server-tls-key", "TLS Key for the gRPC server, leave blank to disable TLS").Default("").String() + grpcTLSSrvCert = cmd.Flag("grpc-server-tls-cert", "TLS Certificate for gRPC server, leave blank to disable TLS").Default("").String() + grpcTLSSrvClientCA = cmd.Flag("grpc-server-tls-client-ca", "TLS CA to verify clients against").Default("").String() + + httpBindAddr = regHTTPAddrFlag(cmd) clusterBindAddr := cmd.Flag("cluster.address", "Listen ip:port address for gossip cluster."). Default("0.0.0.0:10900").String() 
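Review bot: The help text for `grpc-server-tls-client-ca` does not say that setting it makes client certificates mandatory, nor that it is ignored unless both `grpc-server-tls-key` and `grpc-server-tls-cert` are set. As defaultGRPCServerOpts in cmd/thanos/main.go is written, a deployment that supplies only the client CA keeps serving plaintext and logs only an info-level line. I would reword the help to something like `"TLS CA to verify clients against; when set, clients must present a certificate signed by it. Requires grpc-server-tls-key and grpc-server-tls-cert."`. regCommonServerFlags continues past the end of this hunk.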
@@ -53,6 +64,9 @@ func regCommonServerFlags(cmd *kingpin.CmdClause) (*string, *string, func(log.Lo return grpcBindAddr, httpBindAddr, + grpcTLSSrvCert, + grpcTLSSrvKey, + grpcTLSSrvClientCA, func(logger log.Logger, reg *prometheus.Registry, waitIfEmpty bool, httpAdvertiseAddr string, queryAPIEnabled bool) (*cluster.Peer, error) { host, port, err := cluster.CalculateAdvertiseAddress(*grpcBindAddr, *grpcAdvertiseAddr) if err != nil { diff --git a/cmd/thanos/main.go b/cmd/thanos/main.go index cadbe53e590..c530a7ba9b4 100644 --- a/cmd/thanos/main.go +++ b/cmd/thanos/main.go @@ -2,7 +2,10 @@ package main import ( "context" + "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "math" "net" "net/http" @@ -32,6 +35,7 @@ import ( "github.com/prometheus/common/version" "google.golang.org/grpc" "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/status" kingpin "gopkg.in/alecthomas/kingpin.v2" ) @@ -196,7 +200,7 @@ func registerMetrics(mux *http.ServeMux, g prometheus.Gatherer) { // - request histogram // - tracing // - panic recovery with panic counter -func defaultGRPCServerOpts(logger log.Logger, reg *prometheus.Registry, tracer opentracing.Tracer) []grpc.ServerOption { +func defaultGRPCServerOpts(logger log.Logger, reg *prometheus.Registry, tracer opentracing.Tracer, cert, key, clientCA string) ([]grpc.ServerOption, error) { met := grpc_prometheus.NewServerMetrics() met.EnableHandlingTimeHistogram( grpc_prometheus.WithHistogramBuckets([]float64{ @@ -214,7 +218,7 @@ func defaultGRPCServerOpts(logger log.Logger, reg *prometheus.Registry, tracer o return status.Errorf(codes.Internal, "%s", p) } reg.MustRegister(met, panicsTotal) - return []grpc.ServerOption{ + opts := []grpc.ServerOption{ grpc.MaxSendMsgSize(math.MaxInt32), grpc_middleware.WithUnaryServerChain( met.UnaryServerInterceptor(), 
@@ -227,6 +231,43 @@ func defaultGRPCServerOpts(logger log.Logger, reg *prometheus.Registry, tracer o grpc_recovery.StreamServerInterceptor(grpc_recovery.WithRecoveryHandler(grpcPanicRecoveryHandler)), ), } + + if key == "" || cert == "" { + level.Info(logger).Log("msg", "disabled TLS, key and cert must be set to enable") + return opts, nil + } + + tlsCfg := &tls.Config{} + + tlsCert, err := tls.LoadX509KeyPair(cert, key) + if err != nil { + return nil, errors.Wrap(err, "server credentials") + } + + level.Info(logger).Log("msg", "enabled gRPC server side TLS") + + tlsCfg.Certificates = []tls.Certificate{tlsCert} + + if clientCA != "" { + caPEM, err := ioutil.ReadFile(clientCA) + if err != nil { + return nil, errors.Wrap(err, "reading client CA") + } + + certPool := x509.NewCertPool() + if !certPool.AppendCertsFromPEM(caPEM) { + return nil, errors.Wrap(err, "building client CA") + } + tlsCfg.ClientCAs = certPool + tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert + + level.Info(logger).Log("msg", "gRPC server TLS client verification enabled") + } + + creds := credentials.NewTLS(tlsCfg) + opts = append(opts, grpc.Creds(creds)) + + return opts, nil } // metricHTTPListenGroup is a run.Group that servers HTTP endpoint with only Prometheus metrics. diff --git a/cmd/thanos/query.go b/cmd/thanos/query.go index ec887f92af8..a33cdb63678 100644 --- a/cmd/thanos/query.go +++ b/cmd/thanos/query.go @@ -2,7 +2,10 @@ package main import ( "context" + "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "math" "net" "net/http" @@ -28,6 +31,7 @@ import ( "github.com/prometheus/prometheus/promql" "github.com/prometheus/tsdb/labels" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" "gopkg.in/alecthomas/kingpin.v2" ) 
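Review bot: When `certPool.AppendCertsFromPEM(caPEM)` fails, `errors.Wrap(err, "building client CA")` wraps an `err` that is nil at that point, because the preceding `ioutil.ReadFile` succeeded; assuming `errors` is github.com/pkg/errors, Wrap returns nil for a nil error, so the function returns `nil, nil`. The callers then run `grpc.NewServer(opts...)` with no options at all, so a client CA file without a usable PEM certificate yields a server with no TLS, no client verification and no interceptors instead of a startup failure. Return a real error instead, e.g. `return nil, errors.New("building client CA: no PEM certificates found")`. The same wrap of a nil `err` appears in storeClientGRPCOpts in cmd/thanos/query.go (hunk `@@ -127,7 +142,52 @@`). defaultGRPCServerOpts starts above this hunk.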
@@ -35,11 +39,16 @@ import ( func registerQuery(m map[string]setupFunc, app *kingpin.Application, name string) { cmd := app.Command(name, "query node exposing PromQL enabled Query API with data retrieved from multiple store nodes") - grpcBindAddr, httpBindAddr, newPeerFn := regCommonServerFlags(cmd) + grpcBindAddr, httpBindAddr, srvCert, srvKey, srvClientCA, newPeerFn := regCommonServerFlags(cmd) httpAdvertiseAddr := cmd.Flag("http-advertise-address", "Explicit (external) host:port address to advertise for HTTP QueryAPI in gossip cluster. If empty, 'http-address' will be used."). String() + secure := cmd.Flag("grpc-client-tls-secure", "Use TLS when talking to the gRPC server").Default("false").Bool() + cert := cmd.Flag("grpc-client-tls-cert", "TLS Certificates to use to identify this client to the server").Default("").String() + key := cmd.Flag("grpc-client-tls-key", "TLS Key for the client's certificate").Default("").String() + caCert := cmd.Flag("grpc-client-tls-ca", "TLS CA Certificates to use to verify gRPC servers").Default("").String() + queryTimeout := modelDuration(cmd.Flag("query.timeout", "Maximum time to process query by query node."). Default("2m")) @@ -83,6 +92,13 @@ func registerQuery(m map[string]setupFunc, app *kingpin.Application, name string reg, tracer, *grpcBindAddr, + *srvCert, + *srvKey, + *srvClientCA, + *secure, + *cert, + *key, + *caCert, *httpBindAddr, *maxConcurrentQueries, time.Duration(*queryTimeout), @@ -95,7 +111,7 @@ func registerQuery(m map[string]setupFunc, app *kingpin.Application, name string } } -func storeClientGRPCOpts(reg *prometheus.Registry, tracer opentracing.Tracer) []grpc.DialOption { +func storeClientGRPCOpts(logger log.Logger, reg *prometheus.Registry, tracer opentracing.Tracer, secure bool, cert, key, caCert string) ([]grpc.DialOption, error) { grpcMets := grpc_prometheus.NewClientMetrics() grpcMets.EnableClientHandlingTimeHistogram( grpc_prometheus.WithHistogramBuckets([]float64{ 
@@ -108,7 +124,6 @@ func storeClientGRPCOpts(reg *prometheus.Registry, tracer opentracing.Tracer) [] // Current limit is ~2GB. // TODO(bplotka): Split sent chunks on store node per max 4MB chunks if needed. grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(math.MaxInt32)), - grpc.WithInsecure(), grpc.WithUnaryInterceptor( grpc_middleware.ChainUnaryClient( grpcMets.UnaryClientInterceptor(), @@ -127,7 +142,52 @@ func storeClientGRPCOpts(reg *prometheus.Registry, tracer opentracing.Tracer) [] reg.MustRegister(grpcMets) } - return dialOpts + if !secure { + dialOpts = append(dialOpts, grpc.WithInsecure()) + return dialOpts, nil + } + + level.Info(logger).Log("msg", "Enabling client to server TLS") + + var certPool *x509.CertPool + + if caCert != "" { + caPEM, err := ioutil.ReadFile(caCert) + if err != nil { + return nil, errors.Wrap(err, "reading client CA") + } + + certPool = x509.NewCertPool() + if !certPool.AppendCertsFromPEM(caPEM) { + return nil, errors.Wrap(err, "building client CA") + } + level.Info(logger).Log("msg", "TLS Client using provided certificate pool") + } else { + var err error + certPool, err = x509.SystemCertPool() + if err != nil { + return nil, errors.Wrap(err, "reading system certificate pool") + } + level.Info(logger).Log("msg", "TLS Client using system certificate pool") + } + + tlsCfg := &tls.Config{ + RootCAs: certPool, + } + + if cert != "" { + cert, err := tls.LoadX509KeyPair(cert, key) + if err != nil { + return nil, errors.Wrap(err, "client credentials") + } + tlsCfg.Certificates = []tls.Certificate{cert} + level.Info(logger).Log("msg", "TLS Client authentication enabled") + } + + creds := credentials.NewTLS(tlsCfg) + dialOpts = append(dialOpts, grpc.WithTransportCredentials(creds)) + + return dialOpts, nil } // runQuery starts a server that exposes PromQL Query API. It is responsible for querying configured 
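Review bot: In the `@@ -127,7 +142,52 @@` hunk, the `if !secure` branch appends `grpc.WithInsecure()` without looking at `cert`, `key` or `caCert`, so an operator who sets `--grpc-client-tls-ca` or `--grpc-client-tls-cert` but forgets `--grpc-client-tls-secure` gets plaintext store connections with no warning. I would reject that combination up front, e.g. `if !secure && (cert != "" || key != "" || caCert != "") { return nil, errors.New("grpc-client-tls-* flags require grpc-client-tls-secure") }`. Two smaller points in the same hunk: `cert, err := tls.LoadX509KeyPair(cert, key)` shadows the string parameter `cert` with a `tls.Certificate`, and a `key` given without `cert` is silently ignored; a distinct name such as `tlsCert` and a check that both are set would read better. The message `"reading client CA"` is also misleading here, since this pool is used to verify servers. storeClientGRPCOpts starts above this hunk.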
@@ -138,6 +198,13 @@ func runQuery( reg *prometheus.Registry, tracer opentracing.Tracer, grpcBindAddr string, + srvCert string, + srvKey string, + srvClientCA string, + secure bool, + cert string, + key string, + caCert string, httpBindAddr string, maxConcurrentQueries int, queryTimeout time.Duration, @@ -155,6 +222,12 @@ func runQuery( staticSpecs = append(staticSpecs, query.NewGRPCStoreSpec(addr)) } + + dialOpts, err := storeClientGRPCOpts(logger, reg, tracer, secure, cert, key, caCert) + if err != nil { + return errors.Wrap(err, "building gRPC client") + } + var ( stores = query.NewStoreSet( logger, @@ -172,7 +245,7 @@ func runQuery( } return specs }, - storeClientGRPCOpts(reg, tracer), + dialOpts, ) proxy = store.NewProxyStore(logger, func(context.Context) ([]store.Client, error) { return stores.Get(), nil @@ -241,7 +314,12 @@ func runQuery( } logger := log.With(logger, "component", "query") - s := grpc.NewServer(defaultGRPCServerOpts(logger, reg, tracer)...) + opts, err := defaultGRPCServerOpts(logger, reg, tracer, srvCert, srvKey, srvClientCA) + if err != nil { + return errors.Wrapf(err, "build gRPC server") + } + + s := grpc.NewServer(opts...) storepb.RegisterStoreServer(s, proxy) g.Add(func() error { diff --git a/cmd/thanos/rule.go b/cmd/thanos/rule.go index dd85b0630cd..0319caea1b8 100644 --- a/cmd/thanos/rule.go +++ b/cmd/thanos/rule.go @@ -51,7 +51,7 @@ import ( func registerRule(m map[string]setupFunc, app *kingpin.Application, name string) { cmd := app.Command(name, "ruler evaluating Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket") - grpcBindAddr, httpBindAddr, newPeerFn := regCommonServerFlags(cmd) + grpcBindAddr, httpBindAddr, cert, key, clientCA, newPeerFn := regCommonServerFlags(cmd) labelStrs := cmd.Flag("label", "Labels to be applied to all generated metrics (repeated)."). PlaceHolder("=\"\"").Strings() 
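Review bot: In the `@@ -241,7 +314,12 @@` hunk, `errors.Wrapf(err, "build gRPC server")` passes no format arguments, so `errors.Wrap(err, "build gRPC server")` is the call to use. The same defaultGRPCServerOpts failure is wrapped with a different message at each call site (`"setup gRPC options"` in rule.go, `"setup gRPC server"` in sidecar.go, `"grpc server options"` in store.go); one shared wording would make the startup error easier to search for. runQuery's body continues outside the hunk.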
@@ -104,6 +104,9 @@ func registerRule(m map[string]setupFunc, app *kingpin.Application, name string) lset, *alertmgrs, *grpcBindAddr, + *cert, + *key, + *clientCA, *httpBindAddr, time.Duration(*evalInterval), *dataDir, @@ -127,6 +130,9 @@ func runRule( lset labels.Labels, alertmgrURLs []string, grpcBindAddr string, + cert string, + key string, + clientCA string, httpBindAddr string, evalInterval time.Duration, dataDir string, @@ -369,7 +375,11 @@ func runRule( store := store.NewTSDBStore(logger, reg, db, lset) - s := grpc.NewServer(defaultGRPCServerOpts(logger, reg, tracer)...) + opts, err := defaultGRPCServerOpts(logger, reg, tracer, cert, key, clientCA) + if err != nil { + return errors.Wrap(err, "setup gRPC options") + } + s := grpc.NewServer(opts...) storepb.RegisterStoreServer(s, store) g.Add(func() error { diff --git a/cmd/thanos/sidecar.go b/cmd/thanos/sidecar.go index 3c78f03597d..c9d24f7cae4 100644 --- a/cmd/thanos/sidecar.go +++ b/cmd/thanos/sidecar.go @@ -34,7 +34,7 @@ import ( func registerSidecar(m map[string]setupFunc, app *kingpin.Application, name string) { cmd := app.Command(name, "sidecar for Prometheus server") - grpcBindAddr, httpBindAddr, newPeerFn := regCommonServerFlags(cmd) + grpcBindAddr, httpBindAddr, cert, key, clientCA, newPeerFn := regCommonServerFlags(cmd) promURL := cmd.Flag("prometheus.url", "URL at which to reach Prometheus's API. For better performance use local network."). Default("http://localhost:9090").URL() @@ -71,6 +71,9 @@ func registerSidecar(m map[string]setupFunc, app *kingpin.Application, name stri reg, tracer, *grpcBindAddr, + *cert, + *key, + *clientCA, *httpBindAddr, *promURL, *dataDir, @@ -88,6 +91,9 @@ func runSidecar( reg *prometheus.Registry, tracer opentracing.Tracer, grpcBindAddr string, + cert string, + key string, + clientCA string, httpBindAddr string, promURL *url.URL, dataDir string, 
@@ -203,7 +209,11 @@ func runSidecar( return errors.Wrap(err, "create Prometheus store") } - s := grpc.NewServer(defaultGRPCServerOpts(logger, reg, tracer)...) + opts, err := defaultGRPCServerOpts(logger, reg, tracer, cert, key, clientCA) + if err != nil { + return errors.Wrap(err, "setup gRPC server") + } + s := grpc.NewServer(opts...) storepb.RegisterStoreServer(s, promStore) g.Add(func() error { diff --git a/cmd/thanos/store.go b/cmd/thanos/store.go index 4110736e787..3f6dd29f094 100644 --- a/cmd/thanos/store.go +++ b/cmd/thanos/store.go @@ -25,7 +25,7 @@ import ( func registerStore(m map[string]setupFunc, app *kingpin.Application, name string) { cmd := app.Command(name, "store node giving access to blocks in a bucket provider. Now supported GCS / S3.") - grpcBindAddr, httpBindAddr, newPeerFn := regCommonServerFlags(cmd) + grpcBindAddr, httpBindAddr, cert, key, clientCA, newPeerFn := regCommonServerFlags(cmd) dataDir := cmd.Flag("data-dir", "Data directory in which to cache remote blocks."). Default("./data").String() @@ -51,6 +51,9 @@ func registerStore(m map[string]setupFunc, app *kingpin.Application, name string *bucketConfFile, *dataDir, *grpcBindAddr, + *cert, + *key, + *clientCA, *httpBindAddr, peer, uint64(*indexCacheSize), @@ -70,6 +73,9 @@ func runStore( bucketConfFile string, dataDir string, grpcBindAddr string, + cert string, + key string, + clientCA string, httpBindAddr string, peer *cluster.Peer, indexCacheSizeBytes uint64, @@ -133,7 +139,12 @@ func runStore( return errors.Wrap(err, "listen API address") } - s := grpc.NewServer(defaultGRPCServerOpts(logger, reg, tracer)...) + opts, err := defaultGRPCServerOpts(logger, reg, tracer, cert, key, clientCA) + if err != nil { + return errors.Wrap(err, "grpc server options") + } + + s := grpc.NewServer(opts...) storepb.RegisterStoreServer(s, bs) g.Add(func() error { diff --git a/docs/components/query.md b/docs/components/query.md index 5d9fa25ea15..ff84d368aa6 100644 --- a/docs/components/query.md 
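Review bot: In the runStore hunk, the new `defaultGRPCServerOpts` error return comes after the context lines that wrap a `listen API address` failure, so the listener appears to be open already when a bad certificate or key makes the function return. The listen call itself is outside this hunk, so this is inferred. If it holds, the listener is not closed on that path, and a TLS misconfiguration is reported only after the port has been bound. Building `opts` before listening would avoid both.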
+++ b/docs/components/query.md @@ -58,6 +58,12 @@ Flags: Explicit (external) host:port address to advertise for gRPC StoreAPI in gossip cluster. If empty, 'grpc-address' will be used. + --grpc-server-tls-key="" TLS Key for the gRPC server, leave blank to + disable TLS + --grpc-server-tls-cert="" TLS Certificate for gRPC server, leave blank to + disable TLS + --grpc-server-tls-client-ca="" + TLS CA to verify clients against --http-address="0.0.0.0:10902" Listen host:port for HTTP endpoints. --cluster.address="0.0.0.0:10900" @@ -98,6 +104,12 @@ Flags: Explicit (external) host:port address to advertise for HTTP QueryAPI in gossip cluster. If empty, 'http-address' will be used. + --grpc-client-tls-secure Use TLS when talking to the gRPC server + --grpc-client-tls-cert="" TLS Certificates to use to identify this client + to the server + --grpc-client-tls-key="" TLS Key for the client's certificate + --grpc-client-tls-ca="" TLS CA Certificates to use to verify gRPC + servers --query.timeout=2m Maximum time to process query by query node. --query.max-concurrent=20 Maximum number of queries processed concurrently by query node. diff --git a/docs/components/rule.md b/docs/components/rule.md index 02378123974..3063f696f2d 100644 --- a/docs/components/rule.md +++ b/docs/components/rule.md 
@@ -42,84 +42,90 @@ ruler evaluating Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket Flags: - -h, --help Show context-sensitive help (also try - --help-long and --help-man). - --version Show application version. - --log.level=info Log filtering level. + -h, --help Show context-sensitive help (also try + --help-long and --help-man). + --version Show application version. + --log.level=info Log filtering level. --gcloudtrace.project=GCLOUDTRACE.PROJECT - GCP project to send Google Cloud Trace tracings - to. If empty, tracing will be disabled. + GCP project to send Google Cloud Trace tracings + to. If empty, tracing will be disabled. --gcloudtrace.sample-factor=1 - How often we send traces (1/). If - 0 no trace will be sent periodically, unless - forced by baggage item. See - `pkg/tracing/tracing.go` for details. + How often we send traces (1/). + If 0 no trace will be sent periodically, unless + forced by baggage item. See + `pkg/tracing/tracing.go` for details. --grpc-address="0.0.0.0:10901" - Listen ip:port address for gRPC endpoints - (StoreAPI). Make sure this address is routable - from other components if you use gossip, - 'grpc-advertise-address' is empty and you - require cross-node connection. + Listen ip:port address for gRPC endpoints + (StoreAPI). Make sure this address is routable + from other components if you use gossip, + 'grpc-advertise-address' is empty and you + require cross-node connection. --grpc-advertise-address=GRPC-ADVERTISE-ADDRESS - Explicit (external) host:port address to - advertise for gRPC StoreAPI in gossip cluster. - If empty, 'grpc-address' will be used. + Explicit (external) host:port address to + advertise for gRPC StoreAPI in gossip cluster. + If empty, 'grpc-address' will be used. 
+ --grpc-server-tls-key="" TLS Key for the gRPC server, leave blank to + disable TLS + --grpc-server-tls-cert="" TLS Certificate for gRPC server, leave blank to + disable TLS + --grpc-server-tls-client-ca="" + TLS CA to verify clients against --http-address="0.0.0.0:10902" - Listen host:port for HTTP endpoints. + Listen host:port for HTTP endpoints. --cluster.address="0.0.0.0:10900" - Listen ip:port address for gossip cluster. + Listen ip:port address for gossip cluster. --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS - Explicit (external) ip:port address to advertise - for gossip in gossip cluster. Used internally - for membership only. + Explicit (external) ip:port address to + advertise for gossip in gossip cluster. Used + internally for membership only. --cluster.peers=CLUSTER.PEERS ... - Initial peers to join the cluster. It can be - either , or . A lookup - resolution is done only at the startup. + Initial peers to join the cluster. It can be + either , or . A lookup + resolution is done only at the startup. --cluster.gossip-interval= - Interval between sending gossip messages. By - lowering this value (more frequent) gossip - messages are propagated across the cluster more - quickly at the expense of increased bandwidth. - Default is used from a specified network-type. + Interval between sending gossip messages. By + lowering this value (more frequent) gossip + messages are propagated across the cluster more + quickly at the expense of increased bandwidth. + Default is used from a specified network-type. --cluster.pushpull-interval= - Interval for gossip state syncs. Setting this - interval lower (more frequent) will increase - convergence speeds across larger clusters at the - expense of increased bandwidth usage. Default is - used from a specified network-type. + Interval for gossip state syncs. Setting this + interval lower (more frequent) will increase + convergence speeds across larger clusters at + the expense of increased bandwidth usage. 
+ Default is used from a specified network-type. --cluster.refresh-interval=1m - Interval for membership to refresh cluster.peers - state, 0 disables refresh. + Interval for membership to refresh + cluster.peers state, 0 disables refresh. --cluster.secret-key=CLUSTER.SECRET-KEY - Initial secret key to encrypt cluster gossip. - Can be one of AES-128, AES-192, or AES-256 in - hexadecimal format. + Initial secret key to encrypt cluster gossip. + Can be one of AES-128, AES-192, or AES-256 in + hexadecimal format. --cluster.network-type=lan - Network type with predefined peers - configurations. Sets of configurations - accounting the latency differences between - network types: local, lan, wan. + Network type with predefined peers + configurations. Sets of configurations + accounting the latency differences between + network types: local, lan, wan. --label=="" ... - Labels to be applied to all generated metrics - (repeated). - --data-dir="data/" data directory - --rule-file=rules/ ... Rule files that should be used by rule manager. - Can be in glob format (repeated). - --eval-interval=30s The default evaluation interval to use. - --tsdb.block-duration=2h Block duration for TSDB block. - --tsdb.retention=48h Block retention time on local disk. + Labels to be applied to all generated metrics + (repeated). + --data-dir="data/" data directory + --rule-file=rules/ ... Rule files that should be used by rule manager. + Can be in glob format (repeated). + --eval-interval=30s The default evaluation interval to use. + --tsdb.block-duration=2h Block duration for TSDB block. + --tsdb.retention=48h Block retention time on local disk. --alertmanagers.url=ALERTMANAGERS.URL ... - Alertmanager URLs to push firing alerts to. The - scheme may be prefixed with 'dns+' or 'dnssrv+' - to detect Alertmanager IPs through respective - DNS lookups. The port defaults to 9093 or the - SRV record's value. The URL path is used as a - prefix for the regular Alertmanager API path. 
+ Alertmanager URLs to push firing alerts to. The + scheme may be prefixed with 'dns+' or 'dnssrv+' + to detect Alertmanager IPs through respective + DNS lookups. The port defaults to 9093 or the + SRV record's value. The URL path is used as a + prefix for the regular Alertmanager API path. --alert.query-url=ALERT.QUERY-URL - The external Thanos Query URL that would be set - in all alerts 'Source' field + The external Thanos Query URL that would be set + in all alerts 'Source' field --objstore.config-file= - The object store configuration file path. + The object store configuration file path. ``` diff --git a/docs/components/sidecar.md b/docs/components/sidecar.md index dbd92bc0880..eba9abc67c4 100644 --- a/docs/components/sidecar.md +++ b/docs/components/sidecar.md @@ -60,6 +60,12 @@ Flags: Explicit (external) host:port address to advertise for gRPC StoreAPI in gossip cluster. If empty, 'grpc-address' will be used. + --grpc-server-tls-key="" TLS Key for the gRPC server, leave blank to + disable TLS + --grpc-server-tls-cert="" TLS Certificate for gRPC server, leave blank to + disable TLS + --grpc-server-tls-client-ca="" + TLS CA to verify clients against --http-address="0.0.0.0:10902" Listen host:port for HTTP endpoints. --cluster.address="0.0.0.0:10900" diff --git a/docs/components/store.md b/docs/components/store.md index eae9af5437c..fe50c834a38 100644 --- a/docs/components/store.md +++ b/docs/components/store.md 
@@ -30,69 +30,75 @@ usage: thanos store --objstore.config-file= [] store node giving access to blocks in a bucket provider. Now supported GCS / S3. Flags: - -h, --help Show context-sensitive help (also try - --help-long and --help-man). - --version Show application version. - --log.level=info Log filtering level. + -h, --help Show context-sensitive help (also try + --help-long and --help-man). + --version Show application version. + --log.level=info Log filtering level. --gcloudtrace.project=GCLOUDTRACE.PROJECT - GCP project to send Google Cloud Trace tracings - to. If empty, tracing will be disabled. + GCP project to send Google Cloud Trace tracings + to. If empty, tracing will be disabled. --gcloudtrace.sample-factor=1 - How often we send traces (1/). If - 0 no trace will be sent periodically, unless - forced by baggage item. See - `pkg/tracing/tracing.go` for details. + How often we send traces (1/). + If 0 no trace will be sent periodically, unless + forced by baggage item. See + `pkg/tracing/tracing.go` for details. --grpc-address="0.0.0.0:10901" - Listen ip:port address for gRPC endpoints - (StoreAPI). Make sure this address is routable - from other components if you use gossip, - 'grpc-advertise-address' is empty and you - require cross-node connection. + Listen ip:port address for gRPC endpoints + (StoreAPI). Make sure this address is routable + from other components if you use gossip, + 'grpc-advertise-address' is empty and you + require cross-node connection. --grpc-advertise-address=GRPC-ADVERTISE-ADDRESS - Explicit (external) host:port address to - advertise for gRPC StoreAPI in gossip cluster. - If empty, 'grpc-address' will be used. + Explicit (external) host:port address to + advertise for gRPC StoreAPI in gossip cluster. + If empty, 'grpc-address' will be used. 
+ --grpc-server-tls-key="" TLS Key for the gRPC server, leave blank to + disable TLS + --grpc-server-tls-cert="" TLS Certificate for gRPC server, leave blank to + disable TLS + --grpc-server-tls-client-ca="" + TLS CA to verify clients against --http-address="0.0.0.0:10902" - Listen host:port for HTTP endpoints. + Listen host:port for HTTP endpoints. --cluster.address="0.0.0.0:10900" - Listen ip:port address for gossip cluster. + Listen ip:port address for gossip cluster. --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS - Explicit (external) ip:port address to advertise - for gossip in gossip cluster. Used internally - for membership only. + Explicit (external) ip:port address to + advertise for gossip in gossip cluster. Used + internally for membership only. --cluster.peers=CLUSTER.PEERS ... - Initial peers to join the cluster. It can be - either , or . A lookup - resolution is done only at the startup. + Initial peers to join the cluster. It can be + either , or . A lookup + resolution is done only at the startup. --cluster.gossip-interval= - Interval between sending gossip messages. By - lowering this value (more frequent) gossip - messages are propagated across the cluster more - quickly at the expense of increased bandwidth. - Default is used from a specified network-type. + Interval between sending gossip messages. By + lowering this value (more frequent) gossip + messages are propagated across the cluster more + quickly at the expense of increased bandwidth. + Default is used from a specified network-type. --cluster.pushpull-interval= - Interval for gossip state syncs. Setting this - interval lower (more frequent) will increase - convergence speeds across larger clusters at the - expense of increased bandwidth usage. Default is - used from a specified network-type. + Interval for gossip state syncs. Setting this + interval lower (more frequent) will increase + convergence speeds across larger clusters at + the expense of increased bandwidth usage. 
+ Default is used from a specified network-type. --cluster.refresh-interval=1m - Interval for membership to refresh cluster.peers - state, 0 disables refresh. + Interval for membership to refresh + cluster.peers state, 0 disables refresh. --cluster.secret-key=CLUSTER.SECRET-KEY - Initial secret key to encrypt cluster gossip. - Can be one of AES-128, AES-192, or AES-256 in - hexadecimal format. + Initial secret key to encrypt cluster gossip. + Can be one of AES-128, AES-192, or AES-256 in + hexadecimal format. --cluster.network-type=lan - Network type with predefined peers - configurations. Sets of configurations - accounting the latency differences between - network types: local, lan, wan. - --data-dir="./data" Data directory in which to cache remote blocks. + Network type with predefined peers + configurations. Sets of configurations + accounting the latency differences between + network types: local, lan, wan. + --data-dir="./data" Data directory in which to cache remote blocks. --objstore.config-file= - The object store configuration file path. - --index-cache-size=250MB Maximum size of items held in the index cache. - --chunk-pool-size=2GB Maximum size of concurrently allocatable bytes - for chunks. + The object store configuration file path. + --index-cache-size=250MB Maximum size of items held in the index cache. + --chunk-pool-size=2GB Maximum size of concurrently allocatable bytes + for chunks. ```