Skip to content

chore(function-autoscaler): add TimeseriesDB mTLS support#215

Open
borao wants to merge 1 commit into
mainfrom
chore/function-autoscaler/timeseries-db-mtls
Open

chore(function-autoscaler): add TimeseriesDB mTLS support#215
borao wants to merge 1 commit into
mainfrom
chore/function-autoscaler/timeseries-db-mtls

Conversation

@borao

@borao borao commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

TL;DR

Adds mTLS support for function autoscaler TimeseriesDB queries while preserving the existing token and local auth modes.

Additional Details (optional for docs, build, test, refactor, ci, chore, style, and revert PRs)

  • Adds an explicit auth_mode setting with legacy disable_auth compatibility.
  • Loads a native TLS client identity from configured certificate and private key paths for mtls.
  • Uses the Prometheus /api/v1/query_range path for direct/local modes and keeps the legacy /v1/query_range path for token auth.
  • Validates mTLS identity inputs and covers key mismatch, expired certs, malformed keys, URL shape, and query path selection.

For the Reviewer

  • Start with timeseries_db_client.rs for the client setup and request path behavior.
  • Please sanity-check the config compatibility in effective_auth_mode.

For QA (optional for docs, build, test, refactor, ci, chore, style, and revert PRs)

cargo test -p rs-autoscaler

Result: 116 passed, 0 failed, 11 ignored.

Issues

NO-REF

Checklist

  • I am familiar with the Contributing Guidelines.
  • I have signed off my commits for Developer Certificate of Origin (DCO) compliance.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Signed-off-by: Bora Oztekin <boztekin@nvidia.com>
@borao
borao marked this pull request as ready for review July 17, 2026 18:35
@borao
borao requested a review from a team as a code owner July 17, 2026 18:35
@borao
borao requested a review from dmikhaylovnv July 17, 2026 18:36
Ok(base_url)
}

fn mtls_identity(config: &TimeseriesDbSettings, base_url: &Url) -> Result<Identity> {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume the Identity secret is never rotating and we don't need to use SecretFileWatcher

@dmikhaylovnv dmikhaylovnv left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Over all LGTM, left minor comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants