Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Add support for validating cluster verification label in HTTP/gRPC requests #641

Draft
wants to merge 46 commits into
base: main
Choose a base branch
from
Draft

WIP: Add support for validating cluster verification label in HTTP/gRPC requests #641

wants to merge 46 commits into from
+1,148 −89

Conversation

aknuds1
Copy link
Collaborator

@aknuds1 aknuds1 commented Jan 30, 2025
edited
Loading

What this PR does:

Which issue(s) this PR fixes:

TODO:

  • Reject with HTTP 5xx instead of 400

Checklist

  • Tests updated
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

Sorry, something went wrong.

aknuds1 and others added 9 commits January 29, 2025 10:30
@aknuds1
Add -server.cluster flag

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
3238ed1 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Add httpgrpc.FromHTTPRequestWithCluster
ae29c87 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Move cluster middleware
18931b9 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Log more
09b2967 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Don't validate auxiliary paths
Loading
Loading status checks…
2f8c95c 
Signed-off-by: Arve Knudsen <[email protected]>
@duricanikolic
Inject ClusterUnaryServerInterceptor when -server.cluster is set
465dcfc 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Merge remote-tracking branch 'origin/main' into yuri/grpc-cluster
Loading
Loading status checks…
9c2dbac
@aknuds1
middleware: Add rollout operator webhooks to allowlist
Loading
Loading status checks…
f3e9480 
Signed-off-by: Arve Knudsen <[email protected]>
@duricanikolic
Adding request_invalid_clusters_total metrics
Loading
Loading status checks…
db4b6bb 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic duricanikolic force-pushed the arve/validate-cluster-name branch 2 times, most recently from ad74ad7 to eca96aa Compare January 31, 2025 17:59
@duricanikolic
Introduce grpcutil.ErrorDetails
Loading
Loading status checks…
890ab6c 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic duricanikolic force-pushed the arve/validate-cluster-name branch 2 times, most recently from 6c26bcf to 890ab6c Compare January 31, 2025 18:17
@duricanikolic duricanikolic deleted the arve/validate-cluster-name branch February 2, 2025 08:34
@aknuds1 aknuds1 restored the arve/validate-cluster-name branch February 2, 2025 10:29
@aknuds1 aknuds1 reopened this Feb 3, 2025
@duricanikolic
Exclude requests to grpc health server
Loading
Loading status checks…
2447c47 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic duricanikolic force-pushed the arve/validate-cluster-name branch 2 times, most recently from 78f96ff to 2447c47 Compare February 6, 2025 13:59
duricanikolic and others added 5 commits February 6, 2025 17:42
@duricanikolic
Add clusterutil package for context and http request managing
Loading
Loading status checks…
03f491f 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Adding X-Cluster header to httpgrpc server requests
Loading
Loading status checks…
2f94ffc 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Separately enable http and grpc cluster checks
Loading
Loading status checks…
e055ed5 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Revert "Adding X-Cluster header to httpgrpc server requests"
Loading
Loading status checks…
8720926 
This reverts commit 2f94ffc.
@aknuds1
FromHTTPRequestWithCluster: Emit metric
Loading
Loading status checks…
06dcdd8 
Signed-off-by: Arve Knudsen <[email protected]>
aknuds1
aknuds1 commented Feb 10, 2025
View reviewed changes
aknuds1
aknuds1 commented Feb 10, 2025
View reviewed changes
aknuds1
aknuds1 commented Feb 10, 2025
View reviewed changes
@aknuds1
Improve flag help
Loading
Loading status checks…
7e9a6fc 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Make ClusterCheckEnum public
Loading
Loading status checks…
458aadd 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Fix test
Loading
Loading status checks…
b464a96 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1 aknuds1 force-pushed the arve/validate-cluster-name branch from 84927aa to b464a96 Compare February 10, 2025 16:04
@aknuds1
Fix test
a3c8184 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Add tests
Loading
Loading status checks…
efafe33 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Fix comment
Loading
Loading status checks…
e526716 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Remove TODO
Loading
Loading status checks…
d1cf021 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
ClusterCheckEnum: Handle empty value
Loading
Loading status checks…
7a32160 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Rename metric label for consistency
Loading
Loading status checks…
0537296 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Rename TestClusterMiddleware to TestClusterValidationMiddleware
Loading
Loading status checks…
8b177e9 
Signed-off-by: Arve Knudsen <[email protected]>
@aknuds1
Reject with HTTP 511 instead of 400
Loading
Loading status checks…
2c432af 
Signed-off-by: Arve Knudsen <[email protected]>
colega
colega reviewed Feb 12, 2025
View reviewed changes
middleware/cluster.go
Comment on lines +19 to +20
// Allow for a potential path prefix being configured.
reB.WriteString(".*/(metrics|debug/pprof.*|ready")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this MUST be configurable. Each downstream will have some paths that may not need the cluster verification, for example the admin frontend for Mimir.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe that's what auxPaths is? I think this method needs more docs.

Copy link
Collaborator Author

@aknuds1 aknuds1 Feb 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

auxPaths is for additional paths, yes. I kept a base set of hard-coded paths here since they are common (/metrics, /debug/pprof, /ready). That decision is of course up for discussion.

colega
colega reviewed Feb 12, 2025
View reviewed changes
middleware/cluster.go
reB.WriteString("|" + regexp.QuoteMeta(p))
}
reB.WriteString(")")
reAuxPath := regexp.MustCompile(reB.String())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that regular expression aren't anchored to start/end of line by default, so you probably need to do that here.

Right now this matches the endpoint /api/v1/metrics/query, but I don't think that's intended.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, I missed the anchoring. This is a WIP after all :)

colega
colega reviewed Feb 12, 2025
View reviewed changes
@aknuds1 @colega
Update middleware/cluster.go
Loading
Loading status checks…
c043276 
Co-authored-by: Oleg Zaytsev <[email protected]>
colega
colega reviewed Feb 12, 2025
View reviewed changes
middleware/cluster.go Outdated
"cluster_verification_label", cluster, "request_cluster_verification_label", reqCluster,
"header", clusterutil.ClusterVerificationLabelHeader, "url", r.URL, "path", r.URL.Path)
if invalidClusters != nil {
invalidClusters.WithLabelValues("http", r.URL.Path, reqCluster).Inc()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is very fragile, the's no contract on which labels invalidClusters has, and if those change, this will panic when it should fail the request. I would suggest passing here a closure that would increment the correct metric (and let the caller pass an empty closure, not nil), so the responsibility of declaring labels and using them would stay on the initialization side.

Shameless plug, this is why I wrote cabify/gotoprom 5 years ago :D

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, will look into this when I have more time.

@duricanikolic
Allow ClusterUnaryClientInterceptor to track and log wrong cluster er…
Loading
Loading status checks…
7b63ad9 
…rors

Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Merge remote-tracking branch 'origin/main' into yuri/grpc-cluster
5ffd3b3
@duricanikolic
Add failure label to the client metrics
f30dfac 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Refactoring in grpc_cluster
Loading
Loading status checks…
2d3b8e2 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Add NewRequestInvalidClusterVerficationLabelsTotalCounter
Loading
Loading status checks…
5935930 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Improve logging in grpc_cluster
Loading
Loading status checks…
5c5576d 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Sending wrong cluster errors with codes.Internal code
Loading
Loading status checks…
22ac17e 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic duricanikolic force-pushed the arve/validate-cluster-name branch from f339af6 to 22ac17e Compare February 17, 2025 16:44
@duricanikolic
Exclude the health check from the cluster client interceptor
Loading
Loading status checks…
5083330 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Refactor gRPC cluster interceptors
Loading
Loading status checks…
9d59232 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Fixing gRPC cluster server interceptor error messages
Loading
Loading status checks…
6ba8b0e 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Remove redundant labels from the metrics
Loading
Loading status checks…
522ed6b 
Signed-off-by: Yuri Nikolic <[email protected]>
@duricanikolic
Remove server invalid cluster metrics
Loading
Loading status checks…
69c5fff 
Signed-off-by: Yuri Nikolic <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colega colega

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@aknuds1 @colega @duricanikolic