CFP: Support TLS for Cilium metrics endpoint

[chancez]

Cilium Feature Proposal

Is your proposed feature related to a problem?

Securing metrics is important for many users, so we should support TLS on the Cilium metrics endpoint. While we're there, we can also support mTLS so we can have a very simple authentication method for metrics.

Describe the feature you'd like

mTLS/TLS for cilium metrics.

Related: #31973

[Mukul1235]

Hi @chancez

I’m new to Cilium development but I’m eager to jump in and contribute! I have a cilium setup in my local. I wanted to work on this issue. Can you please guide me to work on this issue what should I learn and what are the necessary changes that are required? Also if I made the changes how I will be able to test those etc?

[chancez]

Hi @chancez

I’m new to Cilium development but I’m eager to jump in and contribute! I have a cilium setup in my local. I wanted to work on this issue. Can you please guide me to work on this issue what should I learn and what are the necessary changes that are required? Also if I made the changes how I will be able to test those etc?

Hey @Mukul1235 thanks for your interest, however we're aiming to get this feature into Cilium 1.16 before our feature freeze in a few weeks so I'm assigning this to an existing contributor to get this expedited.

[chancez]

@Mukul1235 feel free to pick this up, we decided we didn't need this immediately for the upcoming release.

[chaunceyjiang]

Hi @chancez Is it also necessary to implement a feature similar to this cilium/certgen#199 in certgen to fix this issue?

[chancez]

@chaunceyjiang probably yes, though it's a bit unclear since it's currently only being used for Hubble related certificates and we've discussed making certgen logic bit less hard-coded to each component, but nothing concrete has been decided on how we want to approach it.