Query: Support per endpoint TLS configuration

[Naman-B-Parlecha]

I m still working on this have some edge case and tests to add. Will update description soon.

• I added CHANGELOG entry for this change.
• Change is not relevant to the end user.

• Related to: Add support for mixed TLS and non-TLS endpoints in Query #8586

Changes

Added Per Endpoint TLS configuration for querier. It is backward compatible and in order to make use this feature. users need to add

client_config:
   tls_config:
      enabled: true
      insecure_skip_verify: false
      cert_file: "/path/to/client.crt"
      key_file: "/path/to/client.key"
      ca_file: "/path/to/ca.crt"
    server_name: "store"
    compression: "snappy

More documentation

Verification

Added debug logs to check if switching between global and per endpoint configuration works as intended

./thanos query --log.level=debug --endpoint.sd-config-file=test_per_endpoint.yml

ts=2025-12-20T17:21:32.579477401Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10901 tls=global compression=none
ts=2025-12-20T17:21:32.579526715Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10902 tls="global (fallback)" compression=none
ts=2025-12-20T17:21:32.57954552Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10903 tls="global (fallback)" compression=none
ts=2025-12-20T17:21:32.579550379Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10904 tls=global compression=none
ts=2025-12-20T17:21:32.579554076Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10905 tls=global compression=none
ts=2025-12-20T17:21:32.590883522Z caller=endpointset.go:429 level=debug msg="configured endpoint" addr=localhost:10906 tls=per-endpoint compression=none

[Naman-B-Parlecha]

@MichaHoffmann i have refactored to client_config PTAL!!