Allow reading secrets from Vault to configure TLS

CHANGELOG.md

@@ -12,6 +12,31 @@
 * [CHANGE] Ingester: the configuration parameter `-blocks-storage.tsdb.max-tsdb-opening-concurrency-on-startup` has been deprecated and will be removed in Mimir 2.10. #4445
 * [CHANGE] Ingester: the `cortex_ingester_tsdb_wal_replay_duration_seconds` metrics has been removed. #4465
 * [FEATURE] Cache: Introduce experimental support for using Redis for results, chunks, index, and metadata caches. #4371
+* [FEATURE] Vault: Introduce experimental integration with Vault to fetch secrets used to configure TLS for clients. Server TLS secrets will still be read from a file. `tls-ca-path`, `tls-cert-path` and `tls-key-path` will denote the path in Vault for the following CLI flags when `-vault.enabled` is true: #4446.
+  * `-distributor.ha-tracker.etcd.*`
+  * `-distributor.ring.etcd.*`
+  * `-distributor.forwarding.grpc-client.*`
+  * `-querier.store-gateway-client.*`
+  * `-ingester.client.*`
+  * `-ingester.ring.etcd.*`
+  * `-querier.frontend-client.*`
+  * `-query-frontend.grpc-client-config.*`
+  * `-query-frontend.results-cache.redis.*`
+  * `-blocks-storage.bucket-store.index-cache.redis.*`
+  * `-blocks-storage.bucket-store.chunks-cache.redis.*`
+  * `-blocks-storage.bucket-store.metadata-cache.redis.*`
+  * `-compactor.ring.etcd.*`
+  * `-store-gateway.sharding-ring.etcd.*`
+  * `-ruler.client.*`
+  * `-ruler.alertmanager-client.*`
+  * `-ruler.ring.etcd.*`
+  * `-ruler.query-frontend.grpc-client-config.*`
+  * `-alertmanager.sharding-ring.etcd.*`
+  * `-alertmanager.alertmanager-client.*`
+  * `-memberlist.*`
+  * `-query-scheduler.grpc-client-config.*`
+  * `-query-scheduler.ring.etcd.*`
+  * `-overrides-exporter.ring.etcd.*`
 * [ENHANCEMENT] Allow to define service name used for tracing via `JAEGER_SERVICE_NAME` environment variable. #4394
 * [ENHANCEMENT] Querier and query-frontend: add experimental, more performant protobuf query result response format enabled with `-query-frontend.query-result-response-format=protobuf`. #4304 #4318 #4375
 * [ENHANCEMENT] Compactor: added experimental configuration parameter `-compactor.first-level-compaction-wait-period`, to configure how long the compactor should wait before compacting 1st level blocks (uploaded by ingesters). This configuration option allows to reduce the chances compactor begins compacting blocks before all ingesters have uploaded their blocks to the storage. #4401

cmd/mimir/config-descriptor.json

@@ -8438,6 +8438,60 @@
       "fieldValue": null,
       "fieldDefaultValue": null
     },
+    {
+      "kind": "block",
+      "name": "vault",
+      "required": false,
+      "desc": "",
+      "blockEntries": [
+        {
+          "kind": "field",
+          "name": "enabled",
+          "required": false,
+          "desc": "Enables fetching of keys and certificates from Vault",
+          "fieldValue": null,
+          "fieldDefaultValue": false,
+          "fieldFlag": "vault.enabled",
+          "fieldType": "boolean",
+          "fieldCategory": "experimental"
+        },
+        {
+          "kind": "field",
+          "name": "url",
+          "required": false,
+          "desc": "Location of the Vault server",
+          "fieldValue": null,
+          "fieldDefaultValue": "",
+          "fieldFlag": "vault.url",
+          "fieldType": "string",
+          "fieldCategory": "experimental"
+        },
+        {
+          "kind": "field",
+          "name": "token",
+          "required": false,
+          "desc": "Token used to authenticate with Vault",
+          "fieldValue": null,
+          "fieldDefaultValue": "",
+          "fieldFlag": "vault.token",
+          "fieldType": "string",
+          "fieldCategory": "experimental"
+        },
+        {
+          "kind": "field",
+          "name": "mount_path",
+          "required": false,
+          "desc": "Location of secrets engine within Vault",
+          "fieldValue": null,
+          "fieldDefaultValue": "",
+          "fieldFlag": "vault.mount-path",
+          "fieldType": "string",
+          "fieldCategory": "experimental"
+        }
+      ],
+      "fieldValue": null,
+      "fieldDefaultValue": null
+    },
     {
       "kind": "block",
       "name": "ruler",

cmd/mimir/help-all.txt.tmpl

@@ -2289,5 +2289,13 @@ Usage of ./cmd/mimir/mimir:
     	Maximum length accepted for metric metadata. Metadata refers to Metric Name, HELP and UNIT. Longer metadata is dropped except for HELP which is truncated. (default 1024)
   -validation.separate-metrics-group-label string
     	[experimental] Label used to define the group label for metrics separation. For each write request, the group is obtained from the first non-empty group label from the first timeseries in the incoming list of timeseries. Specific distributor and ingester metrics will be further separated adding a 'group' label with group label's value. Currently applies to the following metrics: cortex_discarded_samples_total
+  -vault.enabled
+    	[experimental] Enables fetching of keys and certificates from Vault
+  -vault.mount-path string
+    	[experimental] Location of secrets engine within Vault
+  -vault.token string
+    	[experimental] Token used to authenticate with Vault
+  -vault.url string
+    	[experimental] Location of the Vault server
   -version
     	Print application version and exit.

docs/sources/mimir/configure/about-versioning.md

@@ -116,6 +116,7 @@ The following features are currently experimental:
   - `-query-frontend.query-result-response-format=protobuf`
   - `-ruler.query-frontend.query-result-response-format=protobuf`
 - Per-tenant Results cache TTL (`-query-frontend.results-cache-ttl`, `-query-frontend.results-cache-ttl-for-out-of-order-time-window`)
+- Fetching TLS secrets from Vault for various clients (`-vault.enabled`)
 
 ## Deprecated features
 

docs/sources/mimir/references/configuration-parameters/index.md

@@ -202,6 +202,23 @@ activity_tracker:
   # CLI flag: -activity-tracker.max-entries
   [max_entries: <int> | default = 1024]
 
+vault:
+  # (experimental) Enables fetching of keys and certificates from Vault
+  # CLI flag: -vault.enabled
+  [enabled: <boolean> | default = false]
+
+  # (experimental) Location of the Vault server
+  # CLI flag: -vault.url
+  [url: <string> | default = ""]
+
+  # (experimental) Token used to authenticate with Vault
+  # CLI flag: -vault.token
+  [token: <string> | default = ""]
+
+  # (experimental) Location of secrets engine within Vault
+  # CLI flag: -vault.mount-path
+  [mount_path: <string> | default = ""]
+
 # The ruler block configures the ruler.
 [ruler: <ruler>]
 

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/oklog/ulid v1.3.1
 	github.com/opentracing-contrib/go-grpc v0.0.0-20210225150812-73cb765af46e
 	github.com/opentracing-contrib/go-stdlib v1.0.0
-	github.com/opentracing/opentracing-go v1.2.0
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/alertmanager v0.25.1-0.20230119163903-f59460bfd4bf
 	github.com/prometheus/client_golang v1.14.0
@@ -59,6 +59,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/grafana-tools/sdk v0.0.0-20211220201350-966b3088eec9
 	github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd
+	github.com/hashicorp/vault/api v1.9.0
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 	github.com/open-telemetry/opentelemetry-collector-contrib/pkg/translator/prometheusremotewrite v0.69.0
@@ -74,17 +75,31 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.13.7
 )
 
+require (
+	github.com/Azure/azure-sdk-for-go v67.2.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect
+	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
+	github.com/go-test/deep v1.1.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+)
+
 require (
 	cloud.google.com/go v0.110.0 // indirect
 	cloud.google.com/go/compute v1.18.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v0.12.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect
-	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -109,7 +124,7 @@ require (
 	github.com/chromedp/chromedp v0.8.2 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/dnaeon/go-vcr v1.2.0 // indirect
@@ -120,7 +135,7 @@ require (
 	github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb // indirect
 	github.com/fatih/color v1.14.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/go-errors/errors v1.4.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -150,7 +165,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.4.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-msgpack v0.5.5 // indirect
+	github.com/hashicorp/go-msgpack v1.1.5 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
@@ -163,7 +178,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/julienschmidt/httprouter v1.3.0 // indirect
-	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect