exposing trident metrics through https

Author: Utkarshjh

cli/cmd/images.go

@@ -1,4 +1,4 @@
-// Copyright 2023 NetApp, Inc. All Rights Reserved.
+// Copyright 2025 NetApp, Inc. All Rights Reserved.
 
 package cmd
 
@@ -149,6 +149,7 @@ func getInstallYaml(semVersion *versionutils.Version) (string, error) {
 		Version:                 semVersion,
 		HTTPRequestTimeout:      tridentconfig.HTTPTimeoutString,
 		ServiceAccountName:      getControllerRBACResourceName(),
+		HTTPSMetrics:            false,
 	}
 	// Get Deployment and Daemonset YAML and collect the names of the container images Trident needs to run.
 	yaml := k8sclient.GetCSIDeploymentYAML(deploymentArgs)

cli/cmd/install.go

@@ -123,6 +123,7 @@ var (
 	httpRequestTimeout       time.Duration
 	acpImage                 string // TODO: Remove after 26.04.
 	enableACP                bool   // TODO: Remove after 26.04.
+	httpsMetrics             bool
 	cloudProvider            string
 	cloudIdentity            string
 	iscsiSelfHealingInterval time.Duration
@@ -240,7 +241,7 @@ func init() {
 	installCmd.Flags().DurationVar(&k8sTimeout, "k8s-timeout", 180*time.Second,
 		"The timeout for all Kubernetes operations.")
 	installCmd.Flags().DurationVar(&httpRequestTimeout, "http-request-timeout", tridentconfig.HTTPTimeout,
-		"Override the HTTP request timeout for Trident controller’s REST API")
+		"Override the HTTP request timeout for Trident controller's REST API")
 	installCmd.Flags().DurationVar(&iscsiSelfHealingInterval, "iscsi-self-healing-interval", tridentconfig.IscsiSelfHealingInterval,
 		"Override the default iSCSI self-healing interval.")
 	installCmd.Flags().DurationVar(&iscsiSelfHealingWaitTime, "iscsi-self-healing-wait-time", tridentconfig.ISCSISelfHealingWaitTime,
@@ -250,6 +251,8 @@ func init() {
 	installCmd.Flags().StringVar(&acpImage, "acp-image", "",
 		"Override the default trident-acp container image (obsolete).")
 
+	installCmd.Flags().BoolVar(&httpsMetrics, "https-metrics", false, "Enable HTTPS metrics endpoint for Trident controller.")
+
 	installCmd.Flags().StringVar(&cloudProvider, "cloud-provider", "", "Name of the cloud provider")
 	installCmd.Flags().StringVar(&cloudIdentity, "cloud-identity", "", "Cloud identity to be set on service account")
 
@@ -695,6 +698,7 @@ func prepareYAMLFiles() error {
 		IdentityLabel:           identityLabel,
 		K8sAPIQPS:               k8sAPIQPS,
 		EnableConcurrency:       enableConcurrency,
+		HTTPSMetrics:            httpsMetrics,
 	}
 	deploymentYAML := k8sclient.GetCSIDeploymentYAML(deploymentArgs)
 	if err = writeFile(deploymentPath, deploymentYAML); err != nil {
@@ -1067,6 +1071,7 @@ func installTrident() (returnError error) {
 			IdentityLabel:           identityLabel,
 			K8sAPIQPS:               k8sAPIQPS,
 			EnableConcurrency:       enableConcurrency,
+			HTTPSMetrics:            httpsMetrics,
 			CSIFeatureGates:         csiFeatureGateYAMLSnippets,
 		}
 		returnError = client.CreateObjectByYAML(

cli/k8s_client/types.go

@@ -173,6 +173,7 @@ type DeploymentYAMLArguments struct {
 	IdentityLabel              bool                  `json:"identityLabel"`
 	K8sAPIQPS                  int                   `json:"k8sAPIQPS"`
 	EnableConcurrency          bool                  `json:"enableConcurrency"`
+	HTTPSMetrics               bool                  `json:"httpsMetrics"`
 	CSIFeatureGates            map[string]string     `json:"csiFeatureGates"`
 }
 

cli/k8s_client/yaml_factory.go

@@ -349,6 +349,10 @@ spec:
     protocol: TCP
     port: 9220
     targetPort: 8001
+  - name: https-metrics
+    protocol: TCP
+    port: 8444
+    targetPort: 8444
 `
 
 func GetResourceQuotaYAML(resourceQuotaName, namespace string, labels, controllingCRDetails map[string]string) string {
@@ -506,7 +510,7 @@ func getCSIDeploymentAutosupportVolumeYAML(args *DeploymentYAMLArguments) string
 }
 
 func GetCSIDeploymentYAML(args *DeploymentYAMLArguments) string {
-	var debugLine, sideCarLogLevel, ipLocalhost, enableACP, K8sAPISidecarThrottle, K8sAPITridentThrottle string
+	var debugLine, sideCarLogLevel, ipLocalhost, enableACP, httpsMetrics, metrics, K8sAPISidecarThrottle, K8sAPITridentThrottle string
 	Log().WithFields(LogFields{
 		"Args": args,
 	}).Trace(">>>> GetCSIDeploymentYAML")
@@ -567,6 +571,12 @@ func GetCSIDeploymentYAML(args *DeploymentYAMLArguments) string {
 		enableACP = "- \"-enable_acp\""
 	}
 
+	if args.HTTPSMetrics {
+		httpsMetrics = "- \"--https_metrics\""
+	} else {
+		metrics = "- \"--metrics\""
+	}
+
 	if strings.EqualFold(args.CloudProvider, CloudProviderAzure) {
 		deploymentYAML = strings.ReplaceAll(deploymentYAML, "{AZURE_CREDENTIAL_FILE_ENV}", "- name: AZURE_CREDENTIAL_FILE\n          value: /etc/kubernetes/azure.json")
 		deploymentYAML = strings.ReplaceAll(deploymentYAML, "{AZURE_CREDENTIAL_FILE_VOLUME}",
@@ -633,6 +643,8 @@ func GetCSIDeploymentYAML(args *DeploymentYAMLArguments) string {
 	deploymentYAML = strings.ReplaceAll(deploymentYAML, "{K8S_API_CLIENT_TRIDENT_THROTTLE}", K8sAPITridentThrottle)
 	deploymentYAML = strings.ReplaceAll(deploymentYAML, "{K8S_API_CLIENT_SIDECAR_THROTTLE}", K8sAPISidecarThrottle)
 	deploymentYAML = strings.ReplaceAll(deploymentYAML, "{ENABLE_CONCURRENCY}", strconv.FormatBool(args.EnableConcurrency))
+	deploymentYAML = strings.ReplaceAll(deploymentYAML, "{METRICS}", metrics)
+	deploymentYAML = strings.ReplaceAll(deploymentYAML, "{HTTPS_METRICS}", httpsMetrics)
 
 	// Log before secrets are inserted into YAML.
 	Log().WithField("yaml", deploymentYAML).Trace("CSI Deployment YAML.")
@@ -696,7 +708,8 @@ spec:
         - "--http_request_timeout={HTTP_REQUEST_TIMEOUT}"
         - "--enable_force_detach={ENABLE_FORCE_DETACH}"
         - "--enable_concurrency={ENABLE_CONCURRENCY}"
-        - "--metrics"
+        {METRICS}
+        {HTTPS_METRICS}
         {ENABLE_ACP}
         {DEBUG}
         {K8S_API_CLIENT_TRIDENT_THROTTLE}

cli/k8s_client/yaml_factory_test.go

@@ -92,6 +92,7 @@ func TestYAMLFactory(t *testing.T) {
 		Version:                 version,
 		HTTPRequestTimeout:      config.HTTPTimeoutString,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		IdentityLabel:           true,
 		K8sAPIQPS:               100,
 	}
@@ -191,6 +192,7 @@ func TestGetCSIDeploymentYAML_WithExcludeAutosupport(t *testing.T) {
 		SilenceAutosupport:      false,
 		ExcludeAutosupport:      true,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		K8sAPIQPS:               100,
 	}
 	installASUPDeploymentArgs := &DeploymentYAMLArguments{
@@ -215,6 +217,7 @@ func TestGetCSIDeploymentYAML_WithExcludeAutosupport(t *testing.T) {
 		SilenceAutosupport:      false,
 		ExcludeAutosupport:      false,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		K8sAPIQPS:               100,
 	}
 
@@ -259,6 +262,7 @@ func TestValidateGetCSIDeploymentYAMLSuccess(t *testing.T) {
 		SilenceAutosupport:      false,
 		ExcludeAutosupport:      false,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		K8sAPIQPS:               100,
 	}
 
@@ -593,6 +597,7 @@ func TestGetCSIDeploymentYAML_AutosupportYAML_ExcludeAutosupport(t *testing.T) {
 		SilenceAutosupport:      false,
 		ExcludeAutosupport:      true,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		K8sAPIQPS:               100,
 	}
 
@@ -640,6 +645,7 @@ func TestGetCSIDeploymentYAML_AutosupportYAML_EnableButSilenceAutosupport(t *tes
 		SilenceAutosupport:      silenceASUP,
 		ExcludeAutosupport:      false,
 		EnableACP:               true,
+		HTTPSMetrics:            true,
 		K8sAPIQPS:               100,
 	}
 

frontend/metrics/plugin.go

@@ -1,11 +1,15 @@
-// Copyright 2019 NetApp, Inc. All Rights Reserved.
+// Copyright 2025 NetApp, Inc. All Rights Reserved.
 
 package metrics
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
+	"os"
+	"time"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
@@ -68,3 +72,103 @@ func (s *Server) GetName() string {
 func (s *Server) Version() string {
 	return config.OrchestratorAPIVersion
 }
+
+// HTTPSServer represents an HTTPS metrics server
+type HTTPSServer struct {
+	server         *http.Server
+	caCertFile     string
+	serverCertFile string
+	serverKeyFile  string
+}
+
+// NewHTTPSMetricsServer creates a new HTTPS metrics server with TLS configuration
+func NewHTTPSMetricsServer(address, port, caCertFile, serverCertFile, serverKeyFile string, enableMutualTLS bool, writeTimeout time.Duration) (*HTTPSServer, error) {
+	ctx := GenerateRequestContext(nil, "", ContextSourceInternal, WorkflowPluginCreate, LogLayerMetricsFrontend)
+
+	httpsServer := &HTTPSServer{
+		server: &http.Server{
+			Addr:    fmt.Sprintf("%s:%s", address, port),
+			Handler: &metricsAuthHandler{handler: promhttp.Handler()},
+			TLSConfig: &tls.Config{
+				ClientAuth: tls.RequireAndVerifyClientCert,
+				MinVersion: config.MinServerTLSVersion,
+			},
+			ReadTimeout:  config.HTTPTimeout,
+			WriteTimeout: writeTimeout,
+		},
+		caCertFile:     caCertFile,
+		serverCertFile: serverCertFile,
+		serverKeyFile:  serverKeyFile,
+	}
+
+	// Configure for non-mutual TLS if needed
+	if !enableMutualTLS {
+		httpsServer.server.Handler = promhttp.Handler()
+		httpsServer.server.TLSConfig.ClientAuth = tls.NoClientCert
+	}
+
+	// Load CA certificate if provided
+	if caCertFile != "" {
+		caCert, err := os.ReadFile(caCertFile)
+		if err != nil {
+			return nil, fmt.Errorf("could not read CA certificate file: %v", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		httpsServer.server.TLSConfig.ClientCAs = caCertPool
+	}
+
+	Logc(ctx).WithField("address", httpsServer.server.Addr).Info("Initializing HTTPS metrics frontend.")
+
+	return httpsServer, nil
+}
+
+func (s *HTTPSServer) Activate() error {
+	go func() {
+		ctx := GenerateRequestContext(nil, "", ContextSourceInternal, WorkflowPluginActivate, LogLayerMetricsFrontend)
+
+		Logc(ctx).WithField("address", s.server.Addr).Info("Activating HTTPS metrics frontend.")
+
+		err := s.server.ListenAndServeTLS(s.serverCertFile, s.serverKeyFile)
+		if err == http.ErrServerClosed {
+			Logc(ctx).WithField("address", s.server.Addr).Info("HTTPS metrics frontend server has closed.")
+		} else if err != nil {
+			Logc(ctx).Fatal(err)
+		}
+	}()
+	return nil
+}
+
+func (s *HTTPSServer) Deactivate() error {
+	ctx := GenerateRequestContext(nil, "", ContextSourceInternal, WorkflowPluginDeactivate, LogLayerMetricsFrontend)
+
+	Logc(ctx).WithField("address", s.server.Addr).Info("Deactivating HTTPS metrics frontend.")
+	ctx, cancel := context.WithTimeout(ctx, config.HTTPTimeout)
+	defer cancel()
+	return s.server.Shutdown(ctx)
+}
+
+func (s *HTTPSServer) GetName() string {
+	return "HTTPS metrics"
+}
+
+func (s *HTTPSServer) Version() string {
+	return config.OrchestratorAPIVersion
+}
+
+// metricsAuthHandler handles TLS authentication for metrics endpoints
+type metricsAuthHandler struct {
+	handler http.Handler
+}
+
+func (h *metricsAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// Service requests from Trident nodes with a valid client certificate
+	if len(r.TLS.PeerCertificates) > 0 && r.TLS.PeerCertificates[0].Subject.CommonName == config.ClientCertName {
+		ctx := GenerateRequestContext(nil, "", ContextSourceInternal, WorkflowPluginActivate, LogLayerMetricsFrontend)
+		Logc(ctx).WithField("peerCert", config.ClientCertName).Debug("Authenticated by HTTPS metrics frontend.")
+		h.handler.ServeHTTP(w, r)
+	} else {
+		w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=\"%s\"", config.OrchestratorName))
+		w.WriteHeader(http.StatusUnauthorized)
+	}
+}