Add optional TLS support to /metrics endpoint #7255
base: master
Conversation
89c8dbf to 7ac7560
@chrisohaver @SuperQ Would you have time to review? :)
@chrisohaver @SuperQ can you please take a look at this PR? It would be nice to have this PR moving forward
Codecov Report ❌ Patch coverage is
Coverage Diff (master vs. #7255):

              master    #7255     +/-
  + Coverage  55.70%    63.19%    +7.49%
    Files     224       278       +54
    Lines     10016     15129     +5113
  + Hits      5579      9561      +3982
  - Misses    3978      4879      +901
  - Partials  459       689       +230
It would be really nice to have someone review this and start the discussion rolling
It would be helpful if someone could take a look at this.
plugin/metrics/metrics.go
Oof, I'm really not a fan of having this write out a templated yaml file like this.
Maybe we first need to refactor the exporter-toolkit slightly so that you can pass the web.Config struct directly instead of having to use the config file only.
Thank you for commenting, I really appreciate it! Is this a blocker for this PR? If so, I'm willing to provide the refactoring PR in exporter-toolkit if needed :)
Would the current way be acceptable as an interim solution, so as to secure the metrics endpoint with TLS while we improve the exporter-toolkit to include web.Config as a struct as suggested, and eventually use that here?
@SuperQ Is this acceptable as an interim solution? Can this get merged?
7ac7560 to f12b5dd
@jameshartig @miekg @SuperQ @greenpau @Tantalor93 Can I get a review on this? What are the next steps needed to get this merged?
f12b5dd to ce041ac
I consider TLS on metric endpoints to be an anti-feature
I understand the desire to minimise complexity—especially on internal metrics endpoints—but in a zero-trust architecture, all network traffic, regardless of source or function, must be both authenticated and encrypted. Tampering with metrics may seem low-impact, but it can lead to unpredictable or harmful behavior. For example:
In multi-tenant or regulated environments where the network is not implicitly trusted, TLS is not an anti-feature—it’s a baseline security control. Even when the content isn’t sensitive, preserving integrity and controlling access are essential. To be clear, the PR does not propose mandatory TLS—it introduces optional support, as indicated in the title: “Add optional TLS support to /metrics endpoint”. Rejecting TLS outright disregards the realities of deployment models built on zero-trust principles.
ce041ac to 8f81c13
9239ecc to 2b84a94
I've simplified this TLS implementation quite a bit. It's still using the Prometheus exporter-toolkit but now in the intended way. There is no more creating any temp files (this was the concern brought up in this comment: #7255 (comment)). @jameshartig @miekg @SuperQ @greenpau @Tantalor93 Can I get a review on this? What are the next steps needed to get this merged?
2b84a94 to 8c5515c
kashifest left a comment:
lgtm, it looks ok. It would be nice to have someone with review rights have a look into this.
1fbe753 to cd49281
@johnbelamaric would you please take a look at this one?
@SuperQ any additional feedback on the updated PR?
…dpoint Signed-off-by: peppi-lotta <[email protected]>
cd49281 to 5c93f42
1. Why is this pull request needed?
It adds optional TLS support to the CoreDNS metrics endpoint, allowing metrics to be served over HTTPS. This improves security by encrypting metrics traffic. TLS is disabled by default, so existing configurations continue to work.
2. Related issues
#7109
3. Documentation changes
4. Backward compatibility
No breaking changes. TLS is optional and off by default.