Query: Support per endpoint TLS configuration

[Naman-B-Parlecha]

I m still working on this have some edge case and tests to add. Will update description soon.

• I added CHANGELOG entry for this change.
• Change is not relevant to the end user.

• Related to: Add support for mixed TLS and non-TLS endpoints in Query #8586

Changes

Add per-endpoint and default TLS configuration for the Query component via endpoint.sd-config.

• Each endpoint can now specify its own client_config with TLS settings, server name, and compression
• A default_client_config can be set in the YAML config to apply TLS settings to all endpoints that don't specify their own
• The existing --grpc-client-tls-* CLI flags are deprecated (hidden from --help) and will be removed after v0.43.0
• A deprecation warning is logged when deprecated CLI flags are used

Precedence order

1. Per-endpoint client_config (highest)
2. default_client_config from YAML
3. --grpc-client-tls-* CLI flags (deprecated, lowest)

Example config

default_client_config:
  tls_config:
    enabled: true
    insecure_skip_verify: true
    cert_file: "/path/to/client.crt" 
    key_file: "/path/to/client.key"    
    ca_file: "/path/to/ca.crt"    
    min_version: "1.3"
  compression: "snappy"         
                                           
endpoints:                              
  - address: "store1:10901"
    client_config:                                                                                                                      
      tls_config:
        enabled: true                                                                                                                   
        cert_file: "/path/to/client.crt"                                                                                              
        key_file: "/path/to/client.key"                                                                                               
        ca_file: "/path/to/ca.crt"                                                                                                      
      server_name: "store"
      compression: "snappy"                                                                                                             

More documentation

Verification

Added debug logs to check if switching between global and per endpoint configuration works as intended

./thanos query --log.level=debug --endpoint.sd-config-file=test_per_endpoint.yml

ts=2025-12-20T17:21:32.579477401Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10901 tls=global compression=none
ts=2025-12-20T17:21:32.579526715Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10902 tls="global (fallback)" compression=none
ts=2025-12-20T17:21:32.57954552Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10903 tls="global (fallback)" compression=none
ts=2025-12-20T17:21:32.579550379Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10904 tls=global compression=none
ts=2025-12-20T17:21:32.579554076Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10905 tls=global compression=none
ts=2025-12-20T17:21:32.590883522Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10906 tls=per-endpoint compression=none

[Naman-B-Parlecha]

@MichaHoffmann i have refactored to client_config PTAL!!

[ringerc]

Thanks for this. While I'm not a proper project member, I hope this initial review is helpful. I'll see if I can also test out the change as this is functionality I happen to need.

I note that there is a test failure from CI below, but it appears to be unrelated to this change.

[Naman-B-Parlecha]

Hey @ringerc! Thanks for the review, comment completely make sense i will try and refactor based on your suggestions

[Naman-B-Parlecha]

@ringerc can u signoff your commits for the DCO to pass

[ringerc]

@Naman-B-Parlecha Done and pushed the amended commits to https://github.com/ringerc/thanos-patches/tree/NamanParlecha/PerEndpointTLS

Sorry I forgot to add the sign-off tag.

You can

git remote add ringerc	https://github.com/ringerc/thanos-patches
git fetch ringerc
git reset --hard remotes/ringerc/NamanParlecha/PerEndpointTLS

to replace your current tree entirely with mine; I've only changed the sign-offs and added one commit to fix a docs checker complaint. Otherwise, you can git rebase -i rebase away my 4 patches from your tree, then git am these replacements. (Github is such a pain for working on collaborative PRs.)

• 0001-feat-Set-gRPC-client-min-TLS-vers-in-Receive.patch
• 0002-chore-Function-to-check-if-a-TLS-version-string-is-v.patch
• 0003-feat-support-min_version-in-Redis-TLS-config.patch
• 0004-chore-Set-TLS-min-version-in-TLS-test.patch
• 0005-docs-Update-TLS-config-docs-for-min_version-changes.patch

You'll need to git commit --amend -s your top commit too, to add the sign-off.

[GiedriusS]

Updated to 1.26 here #8717 so we can remove lots of boilerplate.

[Naman-B-Parlecha]

@GiedriusS refactored all changed requested PLAT!! thanks:))

[GiedriusS]

Could we mark --endpoint and other parameters as deprecated in cmd/thanos/query.go in this same PR? In other words, let's only support using files for setting endpoints. In next_version+1 we can remove them entirely.

[Naman-B-Parlecha]

Could we mark --endpoint and other parameters as deprecated in cmd/thanos/query.go in this same PR? In other words, let's only support using files for setting endpoints. In next_version+1 we can remove them entirely.

yes read the slack thread regarding this
will refactor!!

thanks

[ringerc]

This is still waiting. What can we do to progress this to merge?

[ringerc]

@Naman-B-Parlecha This now needs rebase. Sorry it's taking so long, I'm trying to encourage this to get through final review.

[Naman-B-Parlecha]

The docs and unit test failures are not related to pr