Support encryption in transit on Memcached cache #3564

Closed
jeroen-nijssen opened this issue Apr 11, 2024 · 1 comment · Fixed by #3585
Labels
help wanted Extra attention is needed

Comments

@jeroen-nijssen

Is your feature request related to a problem?

When introducing more and more data into our Tempo environment, we would like to be on top of the security. One of these items is encryption in transit for the Memcached caches. We host the caches externally (cheaper to have AWS manage them).

The current configuration does not give the ability to have these TLS-encrypted connections.
Tempo Cache Configuration

Describe the solution you'd like.

With the latest release of Loki v3.0.0 the following configuration elements have been added:

  # Enable connecting to Memcached with TLS.
  # CLI flag: -<prefix>.memcached.tls-enabled
  [tls_enabled: <boolean> | default = false]

  # Path to the client certificate, which will be used for authenticating with
  # the server. Also requires the key path to be configured.
  # CLI flag: -<prefix>.memcached.tls-cert-path
  [tls_cert_path: <string> | default = ""]

  # Path to the key for the client certificate. Also requires the client
  # certificate to be configured.
  # CLI flag: -<prefix>.memcached.tls-key-path
  [tls_key_path: <string> | default = ""]

  # Path to the CA certificates to validate server certificate against. If not
  # set, the host's root CA certificates are used.
  # CLI flag: -<prefix>.memcached.tls-ca-path
  [tls_ca_path: <string> | default = ""]

  # Override the expected name on the server certificate.
  # CLI flag: -<prefix>.memcached.tls-server-name
  [tls_server_name: <string> | default = ""]

  # Skip validating server certificate.
  # CLI flag: -<prefix>.memcached.tls-insecure-skip-verify
  [tls_insecure_skip_verify: <boolean> | default = false]

  # Override the default cipher suite list (separated by commas). Allowed
  # values:
  # 
  # Secure Ciphers:
  # - TLS_RSA_WITH_AES_128_CBC_SHA
  # - TLS_RSA_WITH_AES_256_CBC_SHA
  # - TLS_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_AES_128_GCM_SHA256
  # - TLS_AES_256_GCM_SHA384
  # - TLS_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  # 
  # Insecure Ciphers:
  # - TLS_RSA_WITH_RC4_128_SHA
  # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_RSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  # CLI flag: -<prefix>.memcached.tls-cipher-suites
  [tls_cipher_suites: <string> | default = ""]

  # Override the default minimum TLS version. Allowed values: VersionTLS10,
  # VersionTLS11, VersionTLS12, VersionTLS13
  # CLI flag: -<prefix>.memcached.tls-min-version
  [tls_min_version: <string> | default = ""]

This seems to be a perfect solution from my side

Describe alternatives you've considered

The alternative is to not use TLS for this connection. This is what we are currently doing, and it works perfectly. We are looking into some cost savings (besides the security aspect), and it seems that AWS ElastiCache Memcached Serverless requires the connection to be encrypted.

Additional context

-
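The tls_* fields in the Loki snippet quoted in this issue map almost one to one onto Go's crypto/tls, which is what the Tempo client would use. The block below is an added example for this issue page, not code from Tempo, Loki or the issue author: the type and function names (MemcachedTLSConfig, ParseCipherSuites, BuildTLSConfig) are hypothetical, and the allowInsecure switch is a hardening choice of this example, not something the quoted config offers. It enforces the cross-field rules the snippet's comments state (cert and key must be set together; an empty tls_ca_path means the host's root store), resolves tls_min_version and tls_cipher_suites by name, and refuses the suites Go itself lists as insecure (the "Insecure Ciphers" group above) unless explicitly allowed, so a typo or a careless edit cannot silently downgrade the cache connection.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
)

// MemcachedTLSConfig mirrors the tls_* settings of the Loki snippet quoted above
// (hypothetical type for this example, not Tempo's or Loki's own struct).
type MemcachedTLSConfig struct {
	Enabled, InsecureSkipVerify           bool
	CertPath, KeyPath, CAPath, ServerName string
	CipherSuites                          string // comma separated suite names
	MinVersion                            string // "VersionTLS10" .. "VersionTLS13"
}

var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// ParseCipherSuites maps suite names to crypto/tls IDs. Suites Go itself lists in
// tls.InsecureCipherSuites() (RC4, 3DES, CBC-SHA256) are refused unless allowInsecure
// is set, so a config edit cannot quietly weaken the link. TLS 1.3 names are accepted,
// though Go ignores CipherSuites for TLS 1.3 connections.
func ParseCipherSuites(list string, allowInsecure bool) ([]uint16, error) {
	if strings.TrimSpace(list) == "" {
		return nil, nil // empty keeps Go's default, secure list
	}
	secure, insecure := map[string]uint16{}, map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		if id, ok := secure[name]; ok {
			ids = append(ids, id)
		} else if id, ok := insecure[name]; !ok {
			return nil, fmt.Errorf("tls_cipher_suites: unknown cipher suite %q", name)
		} else if !allowInsecure {
			return nil, fmt.Errorf("tls_cipher_suites: %s is insecure, refusing to enable it", name)
		} else {
			ids = append(ids, id)
		}
	}
	return ids, nil
}

// BuildTLSConfig validates the settings and returns the *tls.Config the memcached
// client would dial with, or (nil, nil) when TLS is disabled. PEM bytes are passed in
// instead of paths so it runs without files; at startup read them with os.ReadFile.
func BuildTLSConfig(cfg MemcachedTLSConfig, certPEM, keyPEM, caPEM []byte, allowInsecure bool) (*tls.Config, error) {
	if !cfg.Enabled {
		return nil, nil
	}
	if (cfg.CertPath == "") != (cfg.KeyPath == "") {
		return nil, fmt.Errorf("tls_cert_path and tls_key_path must be set together")
	}
	suites, err := ParseCipherSuites(cfg.CipherSuites, allowInsecure)
	if err != nil {
		return nil, err
	}
	tc := &tls.Config{
		ServerName:         cfg.ServerName, // empty: set it from the dial address before tls.Client
		InsecureSkipVerify: cfg.InsecureSkipVerify,
		MinVersion:         tls.VersionTLS12, // floor used when tls_min_version is empty
		CipherSuites:       suites,
	}
	if cfg.MinVersion != "" {
		v, ok := tlsVersions[cfg.MinVersion]
		if !ok {
			return nil, fmt.Errorf("tls_min_version: unknown value %q", cfg.MinVersion)
		}
		tc.MinVersion = v
	}
	if cfg.CertPath != "" {
		cert, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("loading client certificate: %w", err)
		}
		tc.Certificates = []tls.Certificate{cert}
	}
	if cfg.CAPath != "" { // nil RootCAs means the host's root store, as the snippet documents
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("tls_ca_path: no PEM certificates found in %s", cfg.CAPath)
		}
		tc.RootCAs = pool
	}
	return tc, nil
}
```

Two points worth keeping in mind when wiring this into a client. First, if tls_server_name is left empty, fill ServerName from the host part of the memcached address before calling tls.Client on the dialed connection; otherwise Go refuses the handshake unless InsecureSkipVerify is set, which is exactly the setting a hardened deployment should keep at false. Second, the example defaults MinVersion to TLS 1.2 when tls_min_version is unset; the quoted config permits VersionTLS10 and VersionTLS11, but neither should be enabled against a managed cache that already speaks TLS 1.2.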

@joe-elliott joe-elliott added the help wanted Extra attention is needed label Apr 11, 2024
@joe-elliott
Member

Agree this would be a nice feature. For reference, the Loki PR is here: grafana/loki#12318

This doesn't seem too terribly difficult to add if someone would like to give it a try. Our memcached client code is here:

func NewMemcachedClient(cfg MemcachedClientConfig, name string, r prometheus.Registerer, logger log.Logger) MemcachedClient {

if someone would like to give it a try
