Add TLS config to query frontend (grafana#6444)

* added tls config to query frontend

* changelog

* remove commented code

* lint

Author: Mohamed-Amine Bouqsimi

CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+* [6444](https://github.com/grafana/loki/pull/6444) **aminesnow** Add TLS config to query frontend.
 * [6415](https://github.com/grafana/loki/pull/6415) **salvacorts** Evenly spread queriers across kubernetes nodes.
 * [6410](https://github.com/grafana/loki/pull/6410) **MichelHollands**: Add support for per tenant delete API access enabling.
 * [6372](https://github.com/grafana/loki/pull/6372) **splitice**: Add support for numbers in JSON fields.

docs/sources/configuration/_index.md

@@ -399,6 +399,27 @@ The `frontend` block configures the Loki query-frontend.
 # CLI flag: -frontend.tail-proxy-url
 [tail_proxy_url: <string> | default = ""]
 
+tail_tls_config:
+  # Path to the client certificate file, which will be used for authenticating
+  # with the server. Also requires the key path to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-cert-path
+  [tls_cert_path: <string> | default = ""]
+
+  # Path to the key file for the client certificate. Also requires the client
+  # certificate to be configured.
+  # CLI flag: -frontend.tail-tls-config.tls-key-path
+  [tls_key_path: <string> | default = ""]
+
+  # Path to the CA certificates file to validate server certificate against. If
+  # not set, the host's root CA certificates are used.
+  # CLI flag: -frontend.tail-tls-config.tls-ca-path
+  [tls_ca_path: <string> | default = ""]
+
+  # Skip validating server certificate.
+  # CLI flag: -frontend.tail-tls-config.tls-insecure-skip-verify
+  [tls_insecure_skip_verify: <boolean> | default = false]
+
+
 # DNS hostname used for finding query-schedulers.
 # CLI flag: -frontend.scheduler-address
 [scheduler_address: <string> | default = ""]

pkg/loki/modules.go

@@ -666,6 +666,15 @@ func (t *Loki) initQueryFrontend() (_ services.Service, err error) {
 		}
 		tp := httputil.NewSingleHostReverseProxy(tailURL)
 
+		cfg, err := t.Cfg.Frontend.TLS.GetTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+
+		tp.Transport = &http.Transport{
+			TLSClientConfig: cfg,
+		}
+
 		director := tp.Director
 		tp.Director = func(req *http.Request) {
 			director(req)

pkg/lokifrontend/config.go

@@ -3,6 +3,8 @@ package lokifrontend
 import (
 	"flag"
 
+	"github.com/grafana/dskit/crypto/tls"
+
 	"github.com/grafana/loki/pkg/lokifrontend/frontend/transport"
 	v1 "github.com/grafana/loki/pkg/lokifrontend/frontend/v1"
 	v2 "github.com/grafana/loki/pkg/lokifrontend/frontend/v2"
@@ -16,14 +18,16 @@ type Config struct {
 	CompressResponses bool   `yaml:"compress_responses"`
 	DownstreamURL     string `yaml:"downstream_url"`
 
-	TailProxyURL string `yaml:"tail_proxy_url"`
+	TailProxyURL string           `yaml:"tail_proxy_url"`
+	TLS          tls.ClientConfig `yaml:"tail_tls_config"`
 }
 
 // RegisterFlags adds the flags required to config this to the given FlagSet.
 func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 	cfg.Handler.RegisterFlags(f)
 	cfg.FrontendV1.RegisterFlags(f)
 	cfg.FrontendV2.RegisterFlags(f)
+	cfg.TLS.RegisterFlagsWithPrefix("frontend.tail-tls-config", f)
 
 	f.BoolVar(&cfg.CompressResponses, "querier.compress-http-responses", false, "Compress HTTP responses.")
 	f.StringVar(&cfg.DownstreamURL, "frontend.downstream-url", "", "URL of downstream Prometheus.")