query: allow multiple TLS server names

[adrien-f]

Signed-off-by: Adrien Fillon adrien.fillon@cdiscount.com

Alright, I managed to spent a bit of time working on this. As I learned in golang/go#22836 the same feature doesn't exist on the client side apparently so we can't just add a hook and be done. I had to wrap the TLS handshake to send the right server name based on the hostname.

I'm happy with this change though I wonder if I should split the transport wrapper to another file ?

Changes

• query: remove --grpc-client-server-name flag
• query: add --grpc-client-server-name-map multi-flag that can look like thanos-.*=thanos-prometheus.local to match against any hostname starting with thanos- to send thanos-prometheus.local as server name for TLS handshake.

Verification

Added a few tests and deployed it live 😄 I have different certificates for my stores and for my sidecars, both now work.

[adrien-f]

TODO: Document this change and the flag format.

[adrien-f]

After discussing it on Slack. This issue is not as simple as it appears. In the case of DNS with Kube, you'll get a list of pods resolved that you cannot match against just a regex.

One solution would be to do that work in the FileSD config and have labels such as __tls_server_name__ to override TLS config. That's a lot of work under the hood.

[bwplotka]

One solution would be to do that work in the FileSD config and have labels such as tls_server_name to override TLS config. That's a lot of work under the hood.

Hmm. I don't think it will that much (:

[bwplotka]

Can we at least start some GH issue with rough design for some one to take work on this?