Secure cluster traffic via mutual TLS

[hooten]

Co-authored-by: Sharad Gaur sharadgaur@gmail.com
Signed-off-by: Dustin Hooten dustinhooten@gmail.com

This pull request makes it possible to use mutual TLS for cluster communications.

By adding the path to a TLS configuration file using the command line flag --cluster.tls-config, TLS will be used for inter-peer gossip.

Mutual TLS is achieved by configuring Memberlist to use a TLS implementation of the memberlist.Transport interface. This approach has been submitted in a design doc and implemented as a proof-of-concept in #1819. This pull request continues that work.

Closes #1322

Updates December 30, 2020: TLS server config uses common code from prometheus/exporter-toolkit.
Updates January 2021: TLS config also allows client config using code from prometheus/common.

[brian-brazil]

This PR should not be considered for merging until the tls code is in common, it is not planned to ever have more than 1 copy of that code.

[hooten]

Happy to have the rest of it reviewed. We can clean up the TLS-Config code before merging.

[mxinden]

Great that this is happening!

I added two comments inline.

In my proof-of-concept I extracted the memberlist specific logic to a separate project for other memberlist users to reuse. What do you think about doing the same here? Is the additional complexity worth the effort?

[mxinden]

To future-proof this protocol what do you think of sending a version number down the wire?

Protobuf would do length delimiting and versioning. Do you think that would be overkill?

[hooten]

Great idea!

[hooten]

We made a change to use protobuf for this. Any thoughts? Are there ways we could improve it? Thanks!

[mxinden]

Do I understand correctly, that this is opening up a new TCP connection for each packet to send? What do you think of something along the lines of a connection pool?

[sharadgaur]

It adds additional complexity as we need to manage the lifecycle of the connection and the Memberlist does not provide any good way to handle it. I would not recommend using a connection pool in this case.
In our testing, we did not see any issues yet. If you like we can run additional load tests.

[brian-brazil]

What sort of network latency did the testing have?

[sharadgaur]

An individual request is taking less than 3 mill seconds. Here are the benchmark results
goos: darwin
goarch: amd64
pkg: github.com/prometheus/alertmanager/cluster
BenchmarkWriteTo-12 1000000000 0.00243 ns/op 0 B/op 0 allocs/op
PASS
ok github.com/prometheus/alertmanager/cluster 0.111s
Success: Benchmarks passed.

[brian-brazil]

The question isn't about how long things take over localhost, it's how many round trips may be required over a 200ms+ connection.

[sharadgaur]

Oh got it. I will run a test against remotely deployed Alertmanger next week. If we see any issue we will implement a connection pool.
Thank you.

[hooten]

We've added a connection pool :)

[csmarchbanks]

In my proof-of-concept I extracted the memberlist specific logic to a separate project for other memberlist users to reuse. What do you think about doing the same here? Is the additional complexity worth the effort?

We already moved tsdb back inside of Prometheus to avoid dealing with version upgrades and such across projects. It is up to the maintainers of Alertmanager, but I would keep the lessons of tsdb in mind.

[hooten]

I've made the requested updates. I'd appreciate another review @brian-brazil @mxinden @csmarchbanks. Thanks!

[hooten]

@csmarchbanks I updated this to use an lru cache. I removed the mutex from this file because the cache provides locking. However, I'm wondering if I still need it between the pool.cache.Get and the pool.cache.Add. Thoughts?

[csmarchbanks]

I think yes as two concurrent operations could each dial a TLS connection and then add the connection for the same key?

[csmarchbanks]

You might be able to use PeekOrAdd to avoid a mutex, but it would also have a bit of extra complexity. Basically:

1. Do the get
2. If not found, dial a TLS connection
3. Use PeekOrAdd
4. If found, use the "old" connection returned by PeekOrAdd, if added use the created connection.

Whichever way looks cleaner is fine by me.

[hooten]

I tried both ways. In the end, the mutex ended looking cleaner.

The PeekOrAdd would have been nice if I didn't always need to check whether the connection is alive when I get it back from the cache.

[csmarchbanks]

Re-ran the tests and they pass now, looks like a flaky acceptance test. 👍 from me, I will wait for Monday to see if any comments/concerns come through and will then plan to merge this!

[hooten]

🎉 Thanks @csmarchbanks @gotjosh @beorn7 @mxinden @brian-brazil @sharadgaur !

[csmarchbanks]

Thanks @hooten for all your work and commitment on this PR!

[markmsmith]

+100, this is awesome, thank you!
Now that this has landed, is there a release planned soon, or are there any other blocking issues?

[osipov-vadim]

Hello! Thanks a lot for adding this feature, seems like a very great thing!

I have a few questions;

1. What format would TLS Config file be? I tried to follow up with few formats, and it doesn't seem that those are the right ones.
2. Considering question above , when I pass --cluster.tls-config flag down to AM, it fails to start. Error is: level=error ts=2022-03-04T21:21:25.340Z caller=coordinator.go:118 component=configuration msg="Loading configuration file failed" file=alertmanager.yml err="open alertmanager.yml: no such file or directory" Where file=alertmanager.yml is not the path that was specified by a line to start it. Would that be because config file possibly wrong?
3. Is this feature enabled in by default in Alertmanager, or I need to download additional libraries? Not entirely clear.

I would highly appreciate advice

[Scrin]

1. An example TLS config file can be found here
2. The main config file (typically alertmanager.yml, provided via --config.file) is different form the TLS config file, make sure you are not mixing them up or missing the main config file. Something like:
   /bin/alertmanager --config.file=/etc/alertmanager/alertmanager.yml --cluster.tls-config=/etc/alertmanager/tls.yml (and any other cli flags) should work
3. I believe it should be enabled by default in AM if you provide a valid configuration, at least on the docker image the config is all you need

[osipov-vadim]

@Scrin Thanks a lot for reply!
Yeah, seems that I totally did not see the document there. Though was googling and searching for the tls config file example. Exactly what I needed!

I am not using a ready made docker image, I'm building my own. At this point I get an error alertmanager: error: unknown long flag '--cluster.tls-config', try --help where --help does not list --cluster.tls-config flag at all. Alertmanager version 0.23.0

Maybe I've missed a step in installation process?

Update:
Also tried passing the --cluster.tls-config to this image:
docker run --name alertmanager -d -p 127.0.0.1:9093:9093 quay.io/prometheus/alertmanager
seem to get exactly same thing, AM doesn't know about --cluster.tls-config flag.

[Scrin]

0.23.0 was released before this was merged, so it's not available in that version yet, and the next version doesn't seem to be released yet. If you build AM from the main branch (instead of the v0.23.0 tag) you should get this feature (Docker users can use quay.io/prometheus/alertmanager:main or prom/alertmanager:main docker image for that)

[dswarbrick]

Such a test is not very packager-friendly. Most distros will run unit tests in clean room environment when packaging, which can often mean a host with only a loopback interface (with 127.0.0.1 and usually [::1] configured), and no default route.

On Debian buildbots, and presumably other distros with similar clean room package building policy, this fails with:

=== RUN   TestFinalAdvertiseAddr
    tls_transport_test.go:89: 
        	Error Trace:	/<<PKGBUILDDIR>>/build/src/github.com/prometheus/alertmanager/cluster/tls_transport_test.go:89
        	Error:      	Expected nil, but got: &errors.errorString{s:"no private IP address found, and explicit IP not provided"}
        	Test:       	TestFinalAdvertiseAddr
--- FAIL: TestFinalAdvertiseAddr (0.00s)

This is due to the bindAddr being "0.0.0.0" and the inputIp being empty.

I see that TestClusterJoinAndReconnect in cluster/cluster_test.go at least checks first whether a private IP exists, and skips the test if none is found. Perhaps it makes sense to omit this particular test case in such a scenario also.

[simonpasquier]

I see that TestClusterJoinAndReconnect in cluster/cluster_test.go at least checks first whether a private IP exists, and skips the test if none is found. Perhaps it makes sense to omit this particular test case in such a scenario also.

I agree and the skip in cluster_test.go exists exactly for the same constraint (#1445).