etcdmain: add options to configure metrics cert

Signed-off-by: Gladkov Alexey <agladkov@redhat.com>
etcd-io · Jul 13, 2020 · 575a000 · 575a000
1 parent 093db65
commit 575a000
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/etcdmain/config.go b/etcdmain/config.go
@@ -210,6 +210,13 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
+	fs.StringVar(&cfg.ec.MetricsTLSInfo.CertFile, "metrics-cert-file", "", "Path to the metrics server TLS cert file.")
+	fs.StringVar(&cfg.ec.MetricsTLSInfo.KeyFile, "metrics-key-file", "", "Path to the metrics server TLS key file.")
+	fs.BoolVar(&cfg.ec.MetricsTLSInfo.ClientCertAuth, "metrics-client-cert-auth", false, "Enable metrics client cert authentication.")
+	fs.BoolVar(&cfg.ec.MetricsTLSInfo.InsecureSkipVerify, "metrics-auto-tls", false, "Metrics TLS using generated certificates")
+	fs.StringVar(&cfg.ec.MetricsTLSInfo.TrustedCAFile, "metrics-trusted-ca-file", "", "Path to the metrics server TLS trusted CA file.")
+	fs.StringVar(&cfg.ec.MetricsTLSInfo.CRLFile, "metrics-crl-file", "", "Path to the metrics certificate revocation list file.")
+	fs.StringVar(&cfg.ec.MetricsTLSInfo.AllowedCN, "metrics-cert-allowed-cn", "", "Allowed CN for metrics authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
 	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
 

diff --git a/etcdmain/grpc_proxy.go b/etcdmain/grpc_proxy.go
@@ -77,6 +77,13 @@ var (
 	grpcProxyListenAutoTLS bool
 	grpcProxyListenCRL     string
 
+	// tls for clients connecting to proxy for metrics
+
+	grpcProxyMetricsListenCA   string
+	grpcProxyMetricsListenCert string
+	grpcProxyMetricsListenKey  string
+	grpcProxyMetricsListenCRL  string
+
 	grpcProxyAdvertiseClientURL string
 	grpcProxyResolverPrefix     string
 	grpcProxyResolverTTL        int
@@ -150,6 +157,11 @@ func newGRPCProxyStartCommand() *cobra.Command {
 	cmd.Flags().BoolVar(&grpcProxyListenAutoTLS, "auto-tls", false, "proxy TLS using generated certificates")
 	cmd.Flags().StringVar(&grpcProxyListenCRL, "client-crl-file", "", "proxy client certificate revocation list file.")
 
+	cmd.Flags().StringVar(&grpcProxyMetricsListenCert, "metrics-cert-file", "", "identify secure connections to the /metrics endpoint using this TLS certificate file")
+	cmd.Flags().StringVar(&grpcProxyMetricsListenKey, "metrics-key-file", "", "identify secure connections to the /metrics endpoint using this TLS key file")
+	cmd.Flags().StringVar(&grpcProxyMetricsListenCA, "metrics-trusted-ca-file", "", "verify certificates of TLS-enabled secure /metrics endpoint using this CA bundle")
+	cmd.Flags().StringVar(&grpcProxyMetricsListenCRL, "metrics-client-crl-file", "", "/metrics endpoint client certificate revocation list file.")
+
 	// experimental flags
 	cmd.Flags().BoolVar(&grpcProxyEnableOrdering, "experimental-serializable-ordering", false, "Ensure serializable reads have monotonically increasing store revisions across endpoints.")
 	cmd.Flags().StringVar(&grpcProxyLeasing, "experimental-leasing-prefix", "", "leasing metadata prefix for disconnected linearized reads.")
@@ -211,6 +223,12 @@ func startGRPCProxy(cmd *cobra.Command, args []string) {
 	go func() { errc <- srvhttp.Serve(httpl) }()
 	go func() { errc <- m.Serve() }()
 	if len(grpcProxyMetricsListenAddr) > 0 {
+		if grpcProxyMetricsListenCert != "" && grpcProxyMetricsListenKey != "" {
+			tlsinfo = newTLS(grpcProxyMetricsListenCA, grpcProxyMetricsListenCert, grpcProxyMetricsListenKey)
+			if tlsinfo != nil {
+				tlsinfo.CRLFile = grpcProxyMetricsListenCRL
+			}
+		}
 		mhttpl := mustMetricsListener(lg, tlsinfo)
 		go func() {
 			mux := http.NewServeMux()

diff --git a/etcdmain/help.go b/etcdmain/help.go
@@ -174,6 +174,20 @@ Profiling and Monitoring:
     Set level of detail for exported metrics, specify 'extensive' to include server side grpc histogram metrics.
   --listen-metrics-urls ''
     List of URLs to listen on for the metrics and health endpoints.
+  --metrics-cert-file ''
+    Path to the metrics server TLS cert file.
+  --metrics-key-file ''
+    Path to the metrics server TLS key file.
+  --metrics-client-cert-auth 'false'
+    Enable metrics client cert authentication.
+  --metrics-trusted-ca-file ''
+    Path to the metrics server TLS trusted CA file.
+  --metrics-cert-allowed-cn ''
+    Required CN for client certs connecting to the metrics endpoint.
+  --metrics-crl-file ''
+    Path to the metrics certificate revocation list file.
+  --metrics-auto-tls 'false'
+    Metrics TLS using generated certificates.
 
 Logging:
   --logger 'zap'