cmd/thanos/receive: fix dialopts TLS heuristic

Currently, the Thanos receive gRPC dialopts are configured to use TLS when the remote-write HTTP server is configured with a TLS certificate. This heuristic is not correct: just because the remote-write HTTP server is exposed over TLS does not mean that the hashring gRPC server is using TLS. This commit fixes the heuristic for enabling TLS in the gRPC client for forwarding remote-write requests internally within a hashring. Fixes: #4382. Signed-off-by: Lucas Servén Marín <[email protected]>
thanos-io · Jun 30, 2021 · 8b66ca9 · 8b66ca9
1 parent e53a1f7
commit 8b66ca9
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 ### Fixed
 
 - [#4342](https://github.com/thanos-io/thanos/pull/4342) ThanosSidecarUnhealthy doesn't fire if the sidecar is never healthy
+- [#4388](https://github.com/thanos-io/thanos/pull/4388) Receive: fix bug in forwarding remote-write requests within the hashring via gRPC when TLS is enabled on the HTTP server but not on the gRPC server.
 
 ### Changed
 

diff --git a/cmd/thanos/receive.go b/cmd/thanos/receive.go
@@ -124,8 +124,8 @@ func runReceive(
 		logger,
 		reg,
 		tracer,
-		conf.rwServerCert != "",
-		conf.rwServerClientCA == "",
+		conf.grpcCert != "",
+		conf.grpcClientCA == "",
 		conf.rwClientCert,
 		conf.rwClientKey,
 		conf.rwClientServerCA,