*: add CLI arguments to configure TLS ciphers for gRPC servers + remote-write receiver's server (#8730)

simonpasquier · web-flow · commit d90e7d32f5e5 · 2026-04-14T08:45:40.000+01:00
* Support ciphers configuration for server TLS

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

* Add grpc-server-tls-ciphers argument to Thanos components

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

* Add remote-write.server-tls-ciphers argument to Receive

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

* Update docs

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

* Add TestGRPCServerTLSCiphersAndVersions

This commit adds an end-to-end test ensuring correct behaviour
when a client establishes a TLS connection to a server.

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

* Update CHANGELOG.md

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;

---------

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,8 @@ It is recommend to upgrade the storage components first (Receive, Store, etc.) a
 ### Added
 
 - [#8691](https://github.com/thanos-io/thanos/pull/8691): Compactor: remove the directory marker objects for some s3 compatible object stores
+- [#8730](https://github.com/thanos-io/thanos/pull/8730): *: add `--grpc-server-tls-ciphers` to configure cipher suites for gRPC servers.
+- [#8730](https://github.com/thanos-io/thanos/pull/8730): Receive: add `--remote-write.server-tls-ciphers` to configure cipher suites for the HTTP server.
 
 ### Changed
 
diff --git a/cmd/thanos/config.go b/cmd/thanos/config.go
@@ -35,6 +35,7 @@ type grpcConfig struct {
 	tlsSrvKey        string
 	tlsSrvClientCA   string
 	tlsMinVersion    string
+	tlsCiphers       []string
 	gracePeriod      time.Duration
 	maxConnectionAge time.Duration
 }
@@ -55,6 +56,9 @@ func (gc *grpcConfig) registerFlag(cmd extkingpin.FlagClause) *grpcConfig {
 	cmd.Flag("grpc-server-tls-min-version",
 		"TLS supported minimum version for gRPC server. If no version is specified, it'll default to 1.3. Allowed values: [\"1.0\", \"1.1\", \"1.2\", \"1.3\"]").
 		Default("1.3").StringVar(&gc.tlsMinVersion)
+	cmd.Flag("grpc-server-tls-ciphers",
+		"TLS cipher suites for gRPC server (repeatable). If not specified, the default Go cipher suites are used. See https://pkg.go.dev/crypto/tls#pkg-constants for valid values.").
+		StringsVar(&gc.tlsCiphers)
 	cmd.Flag("grpc-server-max-connection-age", "The grpc server max connection age. This controls how often to re-establish connections and redo TLS handshakes.").
 		Default("60m").DurationVar(&gc.maxConnectionAge)
 	cmd.Flag("grpc-grace-period",
diff --git a/cmd/thanos/query.go b/cmd/thanos/query.go
@@ -595,7 +595,7 @@ func runQuery(
 	}
 	// Start query (proxy) gRPC StoreAPI.
 	{
-		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), grpcServerConfig.tlsSrvCert, grpcServerConfig.tlsSrvKey, grpcServerConfig.tlsSrvClientCA, grpcServerConfig.tlsMinVersion)
+		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), grpcServerConfig.tlsSrvCert, grpcServerConfig.tlsSrvKey, grpcServerConfig.tlsSrvClientCA, grpcServerConfig.tlsMinVersion, grpcServerConfig.tlsCiphers)
 		if err != nil {
 			return errors.Wrap(err, "setup gRPC server")
 		}
diff --git a/cmd/thanos/receive.go b/cmd/thanos/receive.go
@@ -153,7 +153,7 @@ func runReceive(
 		}
 	}
 
-	rwTLSConfig, err := tls.NewServerConfig(log.With(logger, "protocol", "HTTP"), conf.rwServerCert, conf.rwServerKey, conf.rwServerClientCA, conf.rwServerTlsMinVersion)
+	rwTLSConfig, err := tls.NewServerConfig(log.With(logger, "protocol", "HTTP"), conf.rwServerCert, conf.rwServerKey, conf.rwServerClientCA, conf.rwServerTlsMinVersion, conf.rwServerTlsCiphers)
 	if err != nil {
 		return err
 	}
@@ -346,7 +346,7 @@ func runReceive(
 
 	level.Debug(logger).Log("msg", "setting up gRPC server")
 	{
-		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion)
+		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion, conf.grpcConfig.tlsCiphers)
 		if err != nil {
 			return errors.Wrap(err, "setup gRPC server")
 		}
@@ -851,6 +851,7 @@ type receiveConfig struct {
 	rwClientServerName    string
 	rwClientSkipVerify    bool
 	rwServerTlsMinVersion string
+	rwServerTlsCiphers    []string
 
 	dataDir   string
 	labelStrs []string
@@ -935,7 +936,9 @@ func (rc *receiveConfig) registerFlag(cmd extkingpin.FlagClause) {
 
 	cmd.Flag("remote-write.server-tls-client-ca", "TLS CA to verify clients against. If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)").Default("").StringVar(&rc.rwServerClientCA)
 
-	cmd.Flag("remote-write.server-tls-min-version", "TLS version for the gRPC server, leave blank to default to TLS 1.3, allow values: [\"1.0\", \"1.1\", \"1.2\", \"1.3\"]").Default("1.3").StringVar(&rc.rwServerTlsMinVersion)
+	cmd.Flag("remote-write.server-tls-min-version", "TLS version for the HTTP server, leave blank to default to TLS 1.3, allow values: [\"1.0\", \"1.1\", \"1.2\", \"1.3\"]").Default("1.3").StringVar(&rc.rwServerTlsMinVersion)
+
+	cmd.Flag("remote-write.server-tls-ciphers", "TLS cipher suites for the HTTP server (repeatable). If not specified, the default Go cipher suites are used. See https://pkg.go.dev/crypto/tls#pkg-constants for valid values.").StringsVar(&rc.rwServerTlsCiphers)
 
 	cmd.Flag("remote-write.client-tls-cert", "TLS Certificates to use to identify this client to the server.").Default("").StringVar(&rc.rwClientCert)
 
diff --git a/cmd/thanos/rule.go b/cmd/thanos/rule.go
@@ -735,7 +735,7 @@ func runRule(
 	)
 
 	// Start gRPC server.
-	tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion)
+	tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion, conf.grpc.tlsCiphers)
 	if err != nil {
 		return errors.Wrap(err, "setup gRPC server")
 	}
diff --git a/cmd/thanos/sidecar.go b/cmd/thanos/sidecar.go
@@ -317,7 +317,7 @@ func runSidecar(
 		}
 
 		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"),
-			conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion)
+			conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion, conf.grpc.tlsCiphers)
 		if err != nil {
 			return errors.Wrap(err, "setup gRPC server")
 		}
diff --git a/cmd/thanos/store.go b/cmd/thanos/store.go
@@ -555,7 +555,7 @@ func runStore(
 
 	// Start query (proxy) gRPC StoreAPI.
 	{
-		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion)
+		tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion, conf.grpcConfig.tlsCiphers)
 		if err != nil {
 			return errors.Wrap(err, "setup gRPC server")
 		}
diff --git a/docs/components/query.md b/docs/components/query.md
@@ -346,6 +346,12 @@ Flags:
                                  If no version is specified, it'll default to
                                  1.3. Allowed values: ["1.0", "1.1", "1.2",
                                  "1.3"]
+      --grpc-server-tls-ciphers=GRPC-SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for gRPC server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --grpc-server-max-connection-age=60m
                                  The grpc server max connection age. This
                                  controls how often to re-establish connections
diff --git a/docs/components/receive.md b/docs/components/receive.md
@@ -373,7 +373,6 @@ Please see the metric `thanos_receive_forward_delay_seconds` to see if you need
 The following formula is used for calculating quorum:
 
 ```go mdox-exec="sed -n '1068,1078p' pkg/receive/handler.go"
-// writeQuorum returns minimum number of replicas that has to confirm write success before claiming replication success.
 func (h *Handler) writeQuorum() int {
 	// NOTE(GiedriusS): this is here because otherwise RF=2 doesn't make sense as all writes
 	// would need to succeed all the time. Another way to think about it is when migrating
@@ -384,6 +383,7 @@ func (h *Handler) writeQuorum() int {
 	}
 	return int((h.options.ReplicationFactor / 2) + 1)
 }
+
 ```
 
 So, if the replication factor is 2 then at least one write must succeed. With RF=3, two writes must succeed, and so on.
@@ -442,6 +442,12 @@ Flags:
                                  If no version is specified, it'll default to
                                  1.3. Allowed values: ["1.0", "1.1", "1.2",
                                  "1.3"]
+      --grpc-server-tls-ciphers=GRPC-SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for gRPC server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --grpc-server-max-connection-age=60m
                                  The grpc server max connection age. This
                                  controls how often to re-establish connections
@@ -472,9 +478,15 @@ Flags:
                                  client CA is specified, there is no client
                                  verification on server side. (tls.NoClientCert)
       --remote-write.server-tls-min-version="1.3"
-                                 TLS version for the gRPC server, leave blank
+                                 TLS version for the HTTP server, leave blank
                                  to default to TLS 1.3, allow values: ["1.0",
                                  "1.1", "1.2", "1.3"]
+      --remote-write.server-tls-ciphers=REMOTE-WRITE.SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for the HTTP server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --remote-write.client-tls-cert=""
                                  TLS Certificates to use to identify this client
                                  to the server.
diff --git a/docs/components/rule.md b/docs/components/rule.md
@@ -316,6 +316,12 @@ Flags:
                                  If no version is specified, it'll default to
                                  1.3. Allowed values: ["1.0", "1.1", "1.2",
                                  "1.3"]
+      --grpc-server-tls-ciphers=GRPC-SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for gRPC server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --grpc-server-max-connection-age=60m
                                  The grpc server max connection age. This
                                  controls how often to re-establish connections
diff --git a/docs/components/sidecar.md b/docs/components/sidecar.md
@@ -142,6 +142,12 @@ Flags:
                                  If no version is specified, it'll default to
                                  1.3. Allowed values: ["1.0", "1.1", "1.2",
                                  "1.3"]
+      --grpc-server-tls-ciphers=GRPC-SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for gRPC server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --grpc-server-max-connection-age=60m
                                  The grpc server max connection age. This
                                  controls how often to re-establish connections
diff --git a/docs/components/store.md b/docs/components/store.md
@@ -95,6 +95,12 @@ Flags:
                                  If no version is specified, it'll default to
                                  1.3. Allowed values: ["1.0", "1.1", "1.2",
                                  "1.3"]
+      --grpc-server-tls-ciphers=GRPC-SERVER-TLS-CIPHERS ...
+                                 TLS cipher suites for gRPC server
+                                 (repeatable). If not specified,
+                                 the default Go cipher suites are used.
+                                 See https://pkg.go.dev/crypto/tls#pkg-constants
+                                 for valid values.
       --grpc-server-max-connection-age=60m
                                  The grpc server max connection age. This
                                  controls how often to re-establish connections
diff --git a/pkg/tls/options.go b/pkg/tls/options.go
@@ -20,7 +20,7 @@ import (
 )
 
 // NewServerConfig provides new server TLS configuration.
-func NewServerConfig(logger log.Logger, certPath, keyPath, clientCA, tlsMinVersion string) (*tls.Config, error) {
+func NewServerConfig(logger log.Logger, certPath, keyPath, clientCA, tlsMinVersion string, ciphers []string) (*tls.Config, error) {
 	if keyPath == "" && certPath == "" {
 		if clientCA != "" {
 			return nil, errors.New("when a client CA is used a server key and certificate must also be provided")
@@ -44,6 +44,13 @@ func NewServerConfig(logger log.Logger, certPath, keyPath, clientCA, tlsMinVersi
 	tlsCfg := &tls.Config{
 		MinVersion: minTlsVersion,
 	}
+
+	cipherSuiteIDs, err := getCipherSuiteIDs(ciphers)
+	if err != nil {
+		return nil, err
+	}
+	tlsCfg.CipherSuites = cipherSuiteIDs
+
 	// Certificate is loaded during server startup to check for any errors.
 	certificate, err := tls.LoadX509KeyPair(certPath, keyPath)
 	if err != nil {
@@ -213,8 +220,34 @@ func (validOption validOption) joinString() string {
 	return strings.Join(keys, ", ")
 }
 
-func getTlsVersion(tlsMinVersion string) (uint16, error) {
+func getCipherSuiteIDs(ciphers []string) ([]uint16, error) {
+	if len(ciphers) == 0 {
+		return nil, nil
+	}
 
+	supported := tls.CipherSuites()
+	cipherMap := make(map[string]uint16, len(supported))
+	for _, cs := range supported {
+		cipherMap[cs.Name] = cs.ID
+	}
+
+	ids := make([]uint16, 0, len(ciphers))
+	for _, name := range ciphers {
+		id, ok := cipherMap[name]
+		if !ok {
+			validNames := make([]string, 0, len(cipherMap))
+			for n := range cipherMap {
+				validNames = append(validNames, n)
+			}
+			sort.Strings(validNames)
+			return nil, errors.New(fmt.Sprintf("invalid cipher suite: %s, valid values are %s", name, strings.Join(validNames, ", ")))
+		}
+		ids = append(ids, id)
+	}
+	return ids, nil
+}
+
+func getTlsVersion(tlsMinVersion string) (uint16, error) {
 	validOption := validOption{
 		tlsOption: map[string]uint16{
 			"1.0": tls.VersionTLS10,
diff --git a/pkg/tls/options_test.go b/pkg/tls/options_test.go
@@ -11,6 +11,79 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestGetCipherSuiteIDs(t *testing.T) {
+	supported := tls.CipherSuites()
+	require.NotEmpty(t, supported, "tls.CipherSuites() must return at least one suite")
+
+	first := supported[0]
+	second := supported[1]
+
+	tests := []struct {
+		name        string
+		input       []string
+		wantIDs     []uint16
+		wantErr     bool
+		errContains string
+	}{
+		{
+			name:    "empty input returns nil",
+			input:   []string{},
+			wantIDs: nil,
+		},
+		{
+			name:    "nil input returns nil",
+			input:   nil,
+			wantIDs: nil,
+		},
+		{
+			name:    "single valid cipher",
+			input:   []string{first.Name},
+			wantIDs: []uint16{first.ID},
+		},
+		{
+			name:    "multiple valid ciphers preserves order",
+			input:   []string{second.Name, first.Name},
+			wantIDs: []uint16{second.ID, first.ID},
+		},
+		{
+			name:    "duplicate cipher returns duplicate IDs",
+			input:   []string{first.Name, first.Name},
+			wantIDs: []uint16{first.ID, first.ID},
+		},
+		{
+			name:        "unknown cipher returns error",
+			input:       []string{"INVALID_CIPHER"},
+			wantErr:     true,
+			errContains: "INVALID_CIPHER",
+		},
+		{
+			name:        "error message contains valid cipher names",
+			input:       []string{"BAD_CIPHER"},
+			wantErr:     true,
+			errContains: first.Name,
+		},
+		{
+			name:        "valid cipher followed by invalid returns error",
+			input:       []string{first.Name, "UNKNOWN"},
+			wantErr:     true,
+			errContains: "UNKNOWN",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ids, err := getCipherSuiteIDs(tc.input)
+			if tc.wantErr {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errContains)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tc.wantIDs, ids)
+		})
+	}
+}
+
 func TestTlsOptions(t *testing.T) {
 	var tests = []struct {
 		input  string
diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go

Original file line number	Diff line number	Diff line change
`@@ -595,7 +595,7 @@ func runQuery(`
`595`	`595`	`}`
`596`	`596`	`// Start query (proxy) gRPC StoreAPI.`
`597`	`597`	`{`
`598`		`- tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), grpcServerConfig.tlsSrvCert, grpcServerConfig.tlsSrvKey, grpcServerConfig.tlsSrvClientCA, grpcServerConfig.tlsMinVersion)`
	`598`	`+ tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), grpcServerConfig.tlsSrvCert, grpcServerConfig.tlsSrvKey, grpcServerConfig.tlsSrvClientCA, grpcServerConfig.tlsMinVersion, grpcServerConfig.tlsCiphers)`
`599`	`599`	`if err != nil {`
`600`	`600`	`return errors.Wrap(err, "setup gRPC server")`
`601`	`601`	`}`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ func runReceive(`
`153`	`153`	`}`
`154`	`154`	`}`
`155`	`155`
`156`		`- rwTLSConfig, err := tls.NewServerConfig(log.With(logger, "protocol", "HTTP"), conf.rwServerCert, conf.rwServerKey, conf.rwServerClientCA, conf.rwServerTlsMinVersion)`
	`156`	`+ rwTLSConfig, err := tls.NewServerConfig(log.With(logger, "protocol", "HTTP"), conf.rwServerCert, conf.rwServerKey, conf.rwServerClientCA, conf.rwServerTlsMinVersion, conf.rwServerTlsCiphers)`
`157`	`157`	`if err != nil {`
`158`	`158`	`return err`
`159`	`159`	`}`
`@@ -346,7 +346,7 @@ func runReceive(`
`346`	`346`
`347`	`347`	`level.Debug(logger).Log("msg", "setting up gRPC server")`
`348`	`348`	`{`
`349`		`- tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion)`
	`349`	`+ tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion, conf.grpcConfig.tlsCiphers)`
`350`	`350`	`if err != nil {`
`351`	`351`	`return errors.Wrap(err, "setup gRPC server")`
`352`	`352`	`}`
`@@ -851,6 +851,7 @@ type receiveConfig struct {`
`851`	`851`	`rwClientServerName string`
`852`	`852`	`rwClientSkipVerify bool`
`853`	`853`	`rwServerTlsMinVersion string`
	`854`	`+ rwServerTlsCiphers []string`
`854`	`855`
`855`	`856`	`dataDir string`
`856`	`857`	`labelStrs []string`
`@@ -935,7 +936,9 @@ func (rc *receiveConfig) registerFlag(cmd extkingpin.FlagClause) {`
`935`	`936`
`936`	`937`	`cmd.Flag("remote-write.server-tls-client-ca", "TLS CA to verify clients against. If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)").Default("").StringVar(&rc.rwServerClientCA)`
`937`	`938`
`938`		`- cmd.Flag("remote-write.server-tls-min-version", "TLS version for the gRPC server, leave blank to default to TLS 1.3, allow values: [\"1.0\", \"1.1\", \"1.2\", \"1.3\"]").Default("1.3").StringVar(&rc.rwServerTlsMinVersion)`
	`939`	`+ cmd.Flag("remote-write.server-tls-min-version", "TLS version for the HTTP server, leave blank to default to TLS 1.3, allow values: [\"1.0\", \"1.1\", \"1.2\", \"1.3\"]").Default("1.3").StringVar(&rc.rwServerTlsMinVersion)`
	`940`	`+`
	`941`	`+ cmd.Flag("remote-write.server-tls-ciphers", "TLS cipher suites for the HTTP server (repeatable). If not specified, the default Go cipher suites are used. See https://pkg.go.dev/crypto/tls#pkg-constants for valid values.").StringsVar(&rc.rwServerTlsCiphers)`
`939`	`942`
`940`	`943`	`cmd.Flag("remote-write.client-tls-cert", "TLS Certificates to use to identify this client to the server.").Default("").StringVar(&rc.rwClientCert)`
`941`	`944`
Original file line number	Diff line number	Diff line change
`@@ -735,7 +735,7 @@ func runRule(`
`735`	`735`	`)`
`736`	`736`
`737`	`737`	`// Start gRPC server.`
`738`		`- tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion)`
	`738`	`+ tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion, conf.grpc.tlsCiphers)`
`739`	`739`	`if err != nil {`
`740`	`740`	`return errors.Wrap(err, "setup gRPC server")`
`741`	`741`	`}`
Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,7 @@ func runSidecar(`
`317`	`317`	`}`
`318`	`318`
`319`	`319`	`tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"),`
`320`		`- conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion)`
	`320`	`+ conf.grpc.tlsSrvCert, conf.grpc.tlsSrvKey, conf.grpc.tlsSrvClientCA, conf.grpc.tlsMinVersion, conf.grpc.tlsCiphers)`
`321`	`321`	`if err != nil {`
`322`	`322`	`return errors.Wrap(err, "setup gRPC server")`
`323`	`323`	`}`
Original file line number	Diff line number	Diff line change
`@@ -555,7 +555,7 @@ func runStore(`
`555`	`555`
`556`	`556`	`// Start query (proxy) gRPC StoreAPI.`
`557`	`557`	`{`
`558`		`- tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion)`
	`558`	`+ tlsCfg, err := tls.NewServerConfig(log.With(logger, "protocol", "gRPC"), conf.grpcConfig.tlsSrvCert, conf.grpcConfig.tlsSrvKey, conf.grpcConfig.tlsSrvClientCA, conf.grpcConfig.tlsMinVersion, conf.grpcConfig.tlsCiphers)`
`559`	`559`	`if err != nil {`
`560`	`560`	`return errors.Wrap(err, "setup gRPC server")`
`561`	`561`	`}`