Allow to use own certificate for metrics endpoint

[legionus]

As a admin I want to give the monitoring system access only to metrics without access to the rest of the API.

[codecov-io]

Codecov Report

Merging #10504 into master will decrease coverage by 0.04%.
The diff coverage is 65.21%.

@@            Coverage Diff             @@
##           master   #10504      +/-   ##
==========================================
- Coverage   71.56%   71.52%   -0.05%     
==========================================
  Files         393      393              
  Lines       36503    36525      +22     
==========================================
  Hits        26123    26123              
- Misses       8546     8567      +21     
- Partials     1834     1835       +1

Impacted Files	Coverage Δ
embed/config.go	56.37% <ø> (ø)	⬆️
etcdmain/config.go	83.03% <100%> (+0.54%)	⬆️
etcdmain/grpc_proxy.go	62.18% <44.44%> (-0.43%)	⬇️
embed/etcd.go	72.76% <57.14%> (+1.75%)	⬆️
proxy/grpcproxy/register.go	69.44% <0%> (-13.89%)	⬇️
pkg/adt/interval_tree.go	83.78% <0%> (-7.51%)	⬇️
pkg/netutil/netutil.go	63.11% <0%> (-6.56%)	⬇️
etcdserver/v2_server.go	80.76% <0%> (-3.85%)	⬇️
pkg/testutil/recorder.go	77.77% <0%> (-3.71%)	⬇️
clientv3/leasing/kv.go	89.03% <0%> (-1.33%)	⬇️
... and 16 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 17de9bd...1da4d75. Read the comment docs.

[pweil-]

/cc @brancz @jim-minter

[brancz]

I lack expertise in the etcd code base to review this, but 👍 on the feature in general!

[jingyih]

Thanks for your PR!

[jingyih]

Is it possible to unify this function with metricsTest?

[legionus]

@jingyih Everything is possible. Now the test looks better?

[jingyih]

If we override tlsInfo, should we add a warning to log?

When MetricsTLSInfo is provided, client who has access to other APIs will not be able to access '/metrics' and '/health'?

[legionus]

When MetricsTLSInfo is provided, client who has access to other APIs will not be able to access '/metrics' and '/health'?

Yes. Theoretically, we can make both work (add them to tls.Config.RootCAs and to tls.Config.ClientCAs), but it will be much more difficult solution because it requires to extend transport.TLSInfo.

If we override tlsInfo, should we add a warning to log?

This is not a hidden behavior (the admin must pass the options explicitly). I am not sure what message do I need to write to log ?
You specified other certificates for metrics. Access by client certificates will not be possible ?

[jingyih]

This is not a hidden behavior (the admin must pass the options explicitly). I am not sure what message do I need to write to log ?

I was thinking about the scenario where etcd clients with clientTLS (not metricsTLS) might try to access the metrics and health endpoint. Adding something like 'ignoring client certificates since metrics certificates given' would help them understand why the connection is rejected. I am not an expert in this area, please feel free to let me know if you think this is reasonable.

[legionus]

@jingyih That's reasonable. I added the message.

[ironcladlou]

For better or worse, warning messages are often noted by administrators and automated systems which analyze log output for anomalies. The proposed metrics TLS configuration when used in conjunction with client TLS configuration is a valid state. So in that regard it's not clear to me a preemptive warning makes sense. It seems possible that when using both TLS configurations (again, a valid state), this warning might be interpreted as a false negative alert of some kind.

So, I would suggest we consider changing this to INFO level or omitting it entirely.

[jingyih]

/cc @wenjiaswe

[legionus]

@jingyih looks good now ?

[jingyih]

@legionus Sorry for the delayed response. I will take a look later this week (hopefully on Wednesday).

[jingyih]

I am having a hard time following the logic on how the command is generated. Does the if (line 145) make sense to you? For example, I tried to test TestV3MetricsSecure, but the actual curl command in the test was curl -L http://localhost:20000/metrics

[jingyih]

This particular test I mentioned above was not affected by the changes in your PR. But I want to make sure the tests are correct and reader-friendly.

[legionus]

I am having a hard time following the logic on how the command is generated.

@jingyih Me too. I had to add one more block to be able to use another certificate. It seems to me wrong that they are hardcoded in this function. On the other hand, they are pregenerated and their purpose is predefined. So maybe this makes sense.

Does the if (line 145) make sense to you?

No, it does not make sense to me. This code seems broken. It looks like someone tried to add the logic for secure connections, but failed.

For example, I tried to test TestV3MetricsSecure, but the actual curl command in the test was curl -L http://localhost:20000/metrics.

This is because this test does not test a secure connection :) The TestV3MetricsSecure and TestV3MetricsInsecure create custom cfg, but don't use it:

etcd/tests/e2e/metrics_test.go

Lines 25 to 37 in 024f3df

	func TestV3MetricsSecure(t *testing.T) {
	cfg := configTLS
	cfg.clusterSize = 1
	cfg.metricsURLScheme = "https"
	testCtl(t, metricsTest)
	}
	func TestV3MetricsInsecure(t *testing.T) {
	cfg := configTLS
	cfg.clusterSize = 1
	cfg.metricsURLScheme = "http"
	testCtl(t, metricsTest)
	}

To use custom config they must use withCfg(). It means that these tests use the default config:

etcd/tests/e2e/ctl_v3_test.go

Lines 133 to 141 in 024f3df

	func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
	defer testutil.AfterTest(t)
	ret := ctlCtx{
	t: t,
	cfg: configAutoTLS,
	dialTimeout: 7 * time.Second,
	}
	ret.applyOpts(opts)

As you can see there is no metricsURLScheme definition here:

etcd/tests/e2e/cluster_test.go

Lines 42 to 47 in 024f3df

	configAutoTLS = etcdProcessClusterConfig{
	clusterSize: 3,
	isPeerTLS: true,
	isPeerAutoTLS: true,
	initialToken: "new",
	}

It means the cx.cfg.metricsURLScheme will be empty as well:

etcd/tests/e2e/metrics_test.go

Line 43 in 024f3df

if err := cURLGet(cx.epc, cURLReq{endpoint: "/metrics", expected: `etcd_debugging_mvcc_keys_total 1`, metricsURLScheme: cx.cfg.metricsURLScheme}); err != nil {

[jingyih]

Your PR looks good to me. One option is that we get it merged first, and fix the tests in a separate PR.

@hexfusion Any comment?

[legionus]

@jingyih @hexfusion ping

[hexfusion]

@legionus thanks for your patience. I will try to dig into this soon.

[xiang90]

/cc @hexfusion can you please take a look?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[brancz]

I think this is still something that’s very desirable to have. Anyone continuing the work? :)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

[brancz]

This would continue to be a valuable addition I think.

[ironcladlou]

@legionus do you intend to complete this?

[legionus]

@legionus do you intend to complete this?

@ironcladlou I have already changed the scope of work, but I can complete this PR if someone finds this PR useful.
What do I need to do ? rebase & resolve conflicts ?

[ironcladlou]

@legionus

@ironcladlou I have already changed the scope of work, but I can complete this PR if someone finds this PR useful.
What do I need to do ? rebase & resolve conflicts ?

Can you explain what you mean re: the scope change?

I'm trying to decide how to proceed with #11993 and want to make sure my solution integrates with this work if the intent is to proceed as-is.

I can't say whether there's demand for this one, as I haven't been involved.

[legionus]

Can you explain what you mean re: the scope change?

@ironcladlou I no longer develop openshift and etcd. Now I am involved in the development of completely different projects.
But I still remember golang :)

[ironcladlou]

@legionus

@ironcladlou I no longer develop openshift and etcd. Now I am involved in the development of completely different projects.
But I still remember golang :)

Ah ha! Thanks!

Okay, so as far as I can tell from the history of this PR all that's left is rebasing, but I can't speak to whether the demand for the change still exists. @brancz seems to say yes, but I'm not personally aware of anyone with use cases for it, so I'm neutral.

Who can make the decision about whether this should proceed or not?

[tangcong]

i think this pr is useful, @jingyih also agrees with it. can you rebase & resolve conflicts ? thanks. @legionus

[legionus]

i think this pr is useful, @jingyih also agrees with it. can you rebase & resolve conflicts ? thanks.

@tangcong, @ironcladlou Yes, I can. Done.

[tangcong]

pr #12114 adds health handler for grpcproxy self, if grpcProxyMetricsListenAddr uses own certificate for metrics endpoint, we should also update healthcheck client certs, otherwise, it is failed to access '/proxy/health' handle.

[tangcong]

@ironcladlou said For the health listener, honor global the global TLS configuration by default (for compatibility with today's behavior), but provide a new flag to allow control over health endpoint client certificate auth (e.g. --health-client-cert-auth=false). in issue #11993.
i agrees with it. can we add a flag to access /health,/proxy/health without cert auth?

[legionus]

pr #12114 adds health handler for grpcproxy self, if grpcProxyMetricsListenAddr uses own certificate for metrics endpoint, we should also update healthcheck client certs, otherwise, it is failed to access '/proxy/health' handle.

I already mentioned this before. Therefore, when using separate certificates for metrics, a warning is displayed.

i agrees with it. can we add a flag to access /health,/proxy/health without cert auth?

Do you want the server to serve some endpoints without certificates? Theoretically, this is possible, but will require rewriting the server. To do this, you will need to make authorization optional and do it not at the TLS level. This is out of scope of this proposal.

[tangcong]

ok. thanks. I will try to add --health-client-cert-auth flag in another PR. thanks.

[legionus]

@tangcong Can this PR be merged?

[tangcong]

lgtm. can you add changelog and doc in another pr? thanks. @hexfusion can you take a final look? thanks.

[hexfusion]

@tangcong sorry for delay yes I will take a look.

[hexfusion]

/assign

[legionus]

@hexfusion @tangcong, @ironcladlou Hi! Is there any news?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.