Support custom `io/fs.FS` for HTTP clients

[rfratto]

Background

The Grafana Agent team is working on supporting the ServiceMonitor, PodMonitor, and Probe CRDs from Prometheus Operator directly in Grafana Agent.

This works by Grafana Agent discovering those resources in Kubernetes, and configuring an in-memory set of Prometheus components (discovery, scraper) to collect metrics from the corresponding targets.

We're able to map the CRDs to discovery and scraper configs for everything except the TLS configs, where the CA, cert, and key files must come from the local filesystem. As the various CRDs can reference Secrets for these fields, that would currently require Grafana Agent to read and save the contents of those secrets to the local filesystem of the container Grafana Agent is running on. I see this as a security risk.

Proposal

Ideally, we would be able to have an HTTPClientOption which allows us to pass a custom io/fs.FS instance for reading any files configured in the scrape configs. Example usage (from Grafana Agent) would be similar to the following:

scrape.NewManager(&scrape.Options{
  HTTPClientOptions: []config.HTTPClientOptions{
    config.WithFS(someFSInstance),
  },
}, ...)

This would allow us to retain the TLS certificates in-memory after reading them from the Kubernetes API and not have to sync them to the local filesystem.

This would enable using a virtual filesystem for the following configuration fields:

• basic_auth.password_file
• authorization.credentials_file
• oauth2.client_secret_file
• bearer_token_file
• tls_config.ca_file
• tls_config.cert_file
• tls_config.key_file

For the scope of this proposal, I'm suggesting that an HTTPClientOption is initially the only way to provide a custom io/fs.FS implementation; existing public API functions like config.NewTLSConfig would not be changed. The implementation of NewRoundTripperFromConfig will be updated to call new, unexported functions which do support a custom io/fs.FS implementation instead.

If an io/fs.FS instance is not provided, files would continue to be read using ioutil.ReadFile.

Would doing something like this be acceptable as a PR? If yes, I'll start working on it :)

cc @roidelapluie

[roidelapluie]

I would like to use fs.FS in all cases to avoid branches in the code. It would be beneficial to have a version of the agent working with this before merging the changes in common. Additionally, it is important to find a way to ensure that no regressions are introduced in the future when using this approach (that we never read files locally again).

[rfratto]

Sounds good to me, we'll start with a fork and let you know when we've battle tested it. Thanks!

[rfratto]

@roidelapluie A much easier solution for us would be if TLSConfig supported non-YAML options for passing in TLS certificates:

// TLSConfig configures the options for TLS connections.
type TLSConfig struct {
	// Non-YAML options; only settable through code.
	CAText, CertText, KeyText string      

	// The CA cert to use for the targets.
	CAFile string `yaml:"ca_file,omitempty" json:"ca_file,omitempty"`
	// The client cert file for the targets.
	CertFile string `yaml:"cert_file,omitempty" json:"cert_file,omitempty"`
	// The client key file for the targets.
	KeyFile string `yaml:"key_file,omitempty" json:"key_file,omitempty"`
	// Used to verify the hostname for the targets.
	ServerName string `yaml:"server_name,omitempty" json:"server_name,omitempty"`
	// Disable target certificate validation.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
	// Minimum TLS version.
	MinVersion TLSVersion `yaml:"min_version,omitempty" json:"min_version,omitempty"`
	// Maximum TLS version.
	MaxVersion TLSVersion `yaml:"max_version,omitempty" json:"max_version,omitempty"`
}

I'm trying to identify a easier route for us; I just finished implementing logic to do what we want with a virtual filesystem, but it's a non-trivial amount of code just for being able to specify the CA, Certificate, and TLS keys as a string; everything else is already exposed as both strings and files.

Would this alternative be acceptable? If not, I'll keep going down the io/fs.FS route.

[roidelapluie]

This would remove a lot of the ability of the current system where we read the certificates from files. It would create a lot of dead code which is not good in security paths.

[rfratto]

👍 OK, I'll continue down the io/fs.FS route. Thanks!

[roidelapluie]

mmmh after giving it some thought, I have reconsidered and agree with the request to load certificates from the config file (it was proposed in the past already). If you go for it, I kindly request that you also add appropriate yaml and json and and ensure to test for any possible conflicts between files and inline value.

Regarding your original proposition, it would mean it's a fully supporter feature, and not some dead code. Our users would benefit from it.