Description
What would you like to be added:
I need an option that allows applications to use TLS certificates to secure the metric endpoint /metrics via HTTPS. The TLS certificate can be generated using cert-manager, for example, and integrated as a secret into the file system of the container or containers. A corresponding configuration option would be helpful. For example, via an environment variable.
In addition, the `prometheus` dictionary in values.yaml should be extended with a `tlsConfig` key. There, you can configure how Prometheus should connect to retrieve the metrics, for example via TLS-authenticated and encrypted communication.
```yaml
prometheus:
  enable: true
  scrapeInterval: 10s
  labels: {}
  schema: https
  tlsConfig: {}
```

Further information can be found via `kubectl explain`.
```text
$ kubectl explain podmonitor.spec.podMetricsEndpoints.tlsConfig
GROUP:      monitoring.coreos.com
KIND:       PodMonitor
VERSION:    v1

FIELD: tlsConfig <Object>

DESCRIPTION:
    TLS configuration to use when scraping the target.

FIELDS:
  ca    <Object>
    Certificate authority used when verifying server certificates.

  cert  <Object>
    Client certificate to present when doing client-authentication.

  insecureSkipVerify    <boolean>
    Disable target certificate validation.

  keySecret     <Object>
    Secret containing the client key file for the targets.

  maxVersion    <string>
  enum: TLS10, TLS11, TLS12, TLS13
    Maximum acceptable TLS version.
    It requires Prometheus >= v2.41.0.

  minVersion    <string>
  enum: TLS10, TLS11, TLS12, TLS13
    Minimum acceptable TLS version.
    It requires Prometheus >= v2.35.0.

  serverName    <string>
    Used to verify the hostname for the targets.
```

Why is this needed:
We are currently evaluating which applications do not support TLS. This includes the /metrics endpoint of applications.
Metrics may contain sensitive data. It is important to secure this data. In insecure networks, this is best done using TLS authentication or encryption.
Network policies are not currently being considered, as they are difficult to roll out automatically. TLS certificates in combination with cert-manager provide a much simpler solution to the security problem for the time being.
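The wiring the issue asks for, as an added example that is not part of the original issue or the project's chart: a cert-manager `Certificate` that produces the secret, a Deployment fragment that mounts it and hands the paths to the application through environment variables, and a `PodMonitor` whose `tlsConfig` verifies the server against the issuing CA and presents a client certificate. The resource names, the `monitoring` namespace, the `internal-ca` ClusterIssuer, the container port and the `METRICS_TLS_*` variable names are assumptions for illustration; the application itself would have to honour such variables, which is the option being requested.

```yaml
# Added example (not the project's own manifests). Names, namespace, issuer and
# environment-variable names are assumptions; only the PodMonitor tlsConfig
# field names come from the kubectl explain output quoted above.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-metrics-tls
  namespace: monitoring
spec:
  secretName: app-metrics-tls        # cert-manager writes tls.crt, tls.key and ca.crt here
  issuerRef:
    name: internal-ca                # assumed ClusterIssuer backed by an internal CA
    kind: ClusterIssuer
  dnsNames:
    - app.monitoring.svc             # must equal tlsConfig.serverName below
  duration: 2160h
  renewBefore: 360h
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: example/app:latest  # placeholder image
          ports:
            - name: metrics
              containerPort: 9090
          env:                       # assumed variable names for the requested option
            - name: METRICS_TLS_CERT_FILE
              value: /etc/metrics-tls/tls.crt
            - name: METRICS_TLS_KEY_FILE
              value: /etc/metrics-tls/tls.key
            - name: METRICS_TLS_CLIENT_CA_FILE   # only if the app should require client certs
              value: /etc/metrics-tls/ca.crt
          volumeMounts:
            - name: metrics-tls
              mountPath: /etc/metrics-tls
              readOnly: true
      volumes:
        - name: metrics-tls
          secret:
            secretName: app-metrics-tls
            defaultMode: 0440        # key file is not world-readable inside the container
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: app
  namespace: monitoring            # secrets referenced below must live in this namespace
spec:
  selector:
    matchLabels:
      app: app
  podMetricsEndpoints:
    - port: metrics
      path: /metrics
      interval: 10s
      scheme: https
      tlsConfig:
        minVersion: TLS12          # refuse TLS 1.0/1.1 (needs Prometheus >= v2.35.0)
        serverName: app.monitoring.svc   # scraping goes to the pod IP, so the name must be set explicitly
        ca:
          secret:
            name: app-metrics-tls
            key: ca.crt
        cert:                      # client certificate for mutual TLS
          secret:
            name: app-metrics-tls
            key: tls.crt
        keySecret:
          name: app-metrics-tls
          key: tls.key
        # insecureSkipVerify: true   <- leave unset; it disables server authentication entirely
```

Two points worth checking after applying this: `serverName` is required because Prometheus connects to the pod IP, which will never match the certificate's DNS name, and the `cert`/`keySecret` pair only has an effect if the application actually verifies client certificates against the CA handed to it; without that, the endpoint is encrypted but any client on the network can still read it.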