Ingester: allow only POST method on /ingester/shutdown

[kevinmingtarja]

What this PR does

Previously, we allow both POST and GET /ingester/shutdown, which makes it too easy to accidentally trigger, i.e. internal scanners that traverse links can trigger shutdown of ingester just by visiting the link.

This PR makes that less likely to happen by only allowing POST requests on /ingester/shutdown. At the same time, if users still want to opt in to the existing behavior, we allow that by adding a new -ingester.get-request-for-shutdown-enabled flag (defaults to false). But this flag is also temporary and will be removed after two Mimir releases (2.15).

Which issue(s) this PR fixes or relates to

Fixes #7623

Checklist

• Tests updated.
• Documentation added.
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX].
• about-versioning.md updated with experimental features.

[CLAassistant]

All committers have signed the CLA.

[jhesketh]

Thank you for your contribution!

There are a few tools and docs that will need updating to use POST:

https://github.com/grafana/mimir/blob/main/tools/migrate-ingester-statefulsets.sh#L46

https://github.com/grafana/mimir/blob/main/docs/sources/mimir/manage/run-production-environment/scaling-out.md?plain=1 (where it says invoke it should probably say POST).

https://github.com/grafana/mimir/blob/main/docs/sources/mimir/references/http-api/index.md?plain=1#L51 (and L412)

It would also be good to see a test to make sure GET is disabled unless the config flag is set.

[pstibrany]

Thank you for working on this!

[kevinmingtarja]

Hi @jhesketh, @pstibrany, thank you as well for the comments!

I have updated the docs/tools that I missed, and addressed the comments in a follow-up commit. Please let me know if this is okay.

[pstibrany]

Thank you very much for working on this! I've left few minor comments.

[jdbaldry]

docs changes LGTM

[pstibrany]

Thank you very much!

[jhesketh]

Thank you for the improvements!

[jhesketh]

I think this will fix the unit test

[jhesketh]

.

[jhesketh]

On re-review, this should probably be:

Suggested change

	f.BoolVar(&cfg.GETRequestForIngesterShutdownEnabled, "get-request-for-ingester-shutdown-enabled", false, "Enable GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously.")
	f.BoolVar(&cfg.GETRequestForIngesterShutdownEnabled, "ingester.get-request-for-shutdown-enabled", false, "Enable GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously.")

And the corresponding changes to the docs.

[kevinmingtarja]

Got it, should the yaml field name stay the same though?

Right now it's get_request_for_ingester_shutdown_enabled

[kevinmingtarja]

Actually, initially I did as you suggested, but then Peter suggested to make it consistent so I changed it: #7707 (comment)

[jhesketh]

Oh right, I missed that conversation sorry. Looking at the distributor.enable-otlp-metadata-storage flag (just above) it exists as both distributor.enable-otlp-metadata-storage as the flag and enable_otel_metadata_translation as the yaml. @pstibrany Just want to double check your opinion here please.

[pstibrany]

I'm sorry for confusion here. The problem here comes from the fact that config option is defined in api config block in YAML, but we're trying to use ingester. prefix for CLI flag. At the same time, we're triyng to make CLI flag and yaml field name consistent (this was goal of my previous comment, without realizing it's causing more confusion).

I think we should settle on:

• -api.get-request-for-ingester-shutdown-enabled for CLI flag
• get_request_for_ingester_shutdown_enabled as YAML field name (it's already under api section)

WDYT?

If we want to use -ingester. prefix for CLI flag, then we should put this into ingester config struct.

Unfortunately I think enable_otel_metadata_translation was a mistake, as it doesn't follow our practices. ("enabled" suffix, consistent CLI and YAML names)

[pstibrany]

@jhesketh thanks for catching this. My suggestion was not to remove -ingester. prefix (only to add ingester in the middle of the name), and I missed that this is what happened. 🤦

[kevinmingtarja]

Ah sorry for the misunderstanding too. So should we keep going with the -ingester. prefix or -api. instead? As you mentioned, I think the latter makes more sense as it's already under the api section in the yaml.

[pstibrany]

Hi Kevin, with Josh we agreed to go with -api.get-request-for-ingester-shutdown-enabled CLI flag and get_request_for_ingester_shutdown_enabled YAML field name. Thank you very much for your patience with us!

[kevinmingtarja]

Hi Peter, no worries! Let me quickly do that

[kevinmingtarja]

Done!

[jhesketh]

LGTM! Thank you for persisting with our miss on the naming :-). Will leave it for Peter to do final look+merge.

[kevinmingtarja]

Hang on did i miss something, somehow one of the test fails with this, even though (default false) is there in help-all.txt.tmpl.

Diff:
            	            	--- Expected
            	            	+++ Actual
            	            	@@ -282,3 +282,3 @@
            	            	   -api.get-request-for-ingester-shutdown-enabled
            	            	-    	[deprecated] Enable GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously. (default false)
            	            	+    	[deprecated] Enable GET requests to the /ingester/shutdown endpoint to trigger an ingester shutdown. This is a potentially dangerous operation and should only be enabled consciously.
            	            	   -api.skip-label-name-validation-header-enabled
            	Test:       	TestHelp/all
            	Messages:   	./cmd/mimir/mimir -help-all output changed; try `make reference-help`

[pstibrany]

Thank you very much for your contribution and patience with us!

[pstibrany]

Hang on did i miss something, somehow one of the test fails with this, even though (default false) is there in help-all.txt.tmpl.

I've regenerated help (using make reference-help) and pushed that change to resolve this problem.

[kevinmingtarja]

No worries, thanks as well for the review Peter and Joshua!