Add HTTPS option to prometheus endpoint #1652
Conversation
|
Hi @soneillf5 The implementation looks good. However, I think we can make it more integrated with Kubernetes and add some usability. The issue I see is how the admin will propagate the cert and key to the file system of the pod? Also consider our three installation methods: manifests, helm chart and the operator. A good approach that would work well for all installation methods is for the admin to create a Secret with a TLS cert and key and pass its name as an Ingress Controller parameter. This would be similar to the Could we have a similar If it is set, the TLS will be enabled for Prometheus metrics and the IC will use the TLS cert and key from the referenced Secret. If the secret doesn't exist or it is invalid, the IC will fail to start with an error. An extra feature here - supporting updating that secret - if the Secret is updated, the IC will start using the new version. This is something that we support for the default and the wildcard secrets. However, supporting updating will be more involved, and we can start with a simple implementation without it. Regarding different installation methods:
Regarding documentation - we will need to document all new cli args, helm parameters, etc. It makes sense to mention that you can secure the Prometheus endpoint with TLS here https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/prometheus/ Not tested, but we might need to add While the operator lives in a separate repo and requires a separate PR, I mentioned it here for completeness. |
d706f25 to
d7616e2
Compare
|
@pleshakov I've updated to use a Kubernetes Secret resource for the TLS cert data, I still need to add an automated test for it, but I've confirmed it works locally. I'll update the operator/helm/docs in the next few days too. |
d7616e2 to
ddd22fe
Compare
f642202 to
a25151c
Compare
There was a problem hiding this comment.
Hi @soneillf5
Could we also update this part https://docs.nginx.com/nginx-ingress-controller/logging-and-monitoring/prometheus/#enabling-metrics ? For example, you can make the second step there like this:
2. To enable TLS for the Prometheus endpoint, configure the -prometheus-tls-secret cli argument with the namespace and name of a TLS Secret.
Also, the prometheus.io/scheme: https annotation is required by the Prometheus to use TLS, we need to mention it the step 3 there.
| @@ -310,3 +310,6 @@ prometheus: | |||
|
|
|||
| ## Configures the port to scrape the metrics. | |||
| port: 9113 | |||
|
|
|||
| ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. | |||
| secret: "" | |||
There was a problem hiding this comment.
could we add the ability to configure the secret values? this is handy, as it allows the admins to define every part of the Ingress Controller installation through a helm chart.
For Helm chart, we can add parameters similar to the parameters for the default server secret and the wildcard secret ( see
controller.wildcardTLS.*). There is no need to provide the default value of the cert and key. Note that we already haveprometheus.*parameter, so it makes sense to extend them. For example, prometheus.tls.cert, prometheus.tls.key and prometheus.tls.secret. If the prometheus.tls.secret, helm will configure the IC args to use the referenced secret. Ifprometheus.tls.certandprometheus.tls.keyare set, helm will create a Secret with those values and configure the IC args to use it.
From #1652 (comment)
There was a problem hiding this comment.
I don't know much about helm, but putting the value of secrets into values.yaml doesn't seem like a good idea.
I only had a quick look around online a few blogs on the topic, so I'm not very knowledgable about it. it did seem like values.yaml is committed to version control, so that's one reason why it's not a good idea.
What do you think?
There was a problem hiding this comment.
there are a few ways I see to keep those values protected:
- a plugin to encrypt secret values https://itnext.io/helm-3-secrets-management-4f23041f05c3
- have a separate values files only for secrets (helm install can take multiple values , for examle,
helm install .. -f a.yaml -f b.yaml -f c.yaml) and not store it in the source control, but generate it during deployment - you can also configure all or some helm parameters via cli args, so helm can take the values for those parameters from env variables.
Allowing configuring secret values in the helm chart allows the admin to use the chart as a single source of truth -- so to install the Ingress Controller, you only need to run helm install ... and nothing else.
I think it is important to provide an alternative, so that secrets could be managed separately. That's why the secret parameter makes sense.
There was a problem hiding this comment.
I understand there are mitigations, such as additional values files and encryption and cli-args.
I still think it's not a good idea and I won't be adding secret values to this PR. If you'd like to block this PR based on this, let me know so we can do something to resolve it. @pleshakov
|
Hi @soneillf5 the changes look good There are few remaining comments: |
79c98c3 to
dc847c6
Compare
dc847c6 to
ea183ef
Compare
Proposed changes
This change adds https as an option of the prometheus endpoint.
Checklist
Before creating a PR, run through this checklist and mark each as complete.