Allow metrics endpoint to run insecure when using mTLS on Alpha #4910
Comments
Is that a common practice? Do you have examples from other DBs to back up the proposal?
For the
Also, Azure Load Balancers do not support health probe types other than TCP (See #76657) so you cannot front Alpha (w/mTLS) without getting spammed with
For the health endpoint, Dgraph can't have only health and metrics be served over HTTP while the rest of the endpoints are served over HTTPS with mTLS. That would require a separate port to be exposed for insecure traffic only. That would be incompatible with the existing ports setup. For health checks, we can add to the Dgraph docs and K8s configs the way to set up health checks for liveness and readiness with exec command probes for client authentication via curl. For metrics, Prometheus has
@danielmai Yea, we have Prometheus metrics configured with mTLS. It doesn't break any "standard pattern" and works just fine. I would also add that Prometheus Metrics could be used in a malicious way so should be configured with mTLS along with the primary endpoint. As for the Health Endpoint, using exec/curl, it introduces the following issues:
Ideally Dgraph would run as a non-root user, blocking anyone from being able to install packages (i.e. curl), and only contain packages that are absolutely necessary to run Dgraph (Alpha).
GitHub issues have been deprecated.
Experience Report
Note: Feature requests are judged based on user experience and modeled on Go Experience Reports. These reports should focus on the problems: they should not focus on and need not propose solutions.
What you wanted to do
Be able to disable mTLS on health check and metrics endpoints when mTLS is used on Alpha nodes.
What you actually did
My deployment is on Kubernetes. For livenessProbe when using mTLS I'm forced to use exec.command instead of the standard http/https probe type:
For prometheus metrics, /debug/prometheus_metrics, I had to first create a dgraph-tls secret with the needed Certs/Key and then tell the ServiceMonitor to auth with it:
Why that wasn't great, with examples
I don't think the health check and prometheus metrics endpoints need to be secured with mTLS, and it adds a lot of overhead in Kubernetes to make it all play nice. Zero is "open"; it would make sense to make Alpha the same. At the very least, make it a configurable option.
Any external references to support your case
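Added example, not part of the original issue or the Dgraph project's own configs: a sketch of the two workarounds discussed in this thread, an exec/curl liveness probe that presents a client certificate and a ServiceMonitor that authenticates with the dgraph-tls secret. The mount path, certificate file names, port 8080, port name, labels and serverName are assumptions.

```yaml
# Fragment of the Alpha container spec (spec.template.spec.containers[]).
# Assumed: the dgraph-tls secret is mounted at /dgraph-tls and holds ca.crt,
# client.probe.crt and client.probe.key (constructed file names).
# The probe only works if curl is present in the image, which is the
# image-hardening concern raised in the comments.
livenessProbe:
  exec:
    command:
      - curl
      - --fail                 # non-zero exit on HTTP >= 400, so the probe fails
      - --silent
      - --max-time
      - "3"
      - --cacert
      - /dgraph-tls/ca.crt     # verify the Alpha server certificate
      - --cert
      - /dgraph-tls/client.probe.crt
      - --key
      - /dgraph-tls/client.probe.key
      - https://localhost:8080/health   # assumed Alpha HTTP port
  periodSeconds: 10
  timeoutSeconds: 5
---
# ServiceMonitor (prometheus-operator) scraping Alpha metrics over mTLS.
# The dgraph-tls secret must live in the same namespace as this object.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: dgraph-alpha           # assumed name
spec:
  selector:
    matchLabels:
      app: dgraph-alpha        # assumed Service label
  endpoints:
    - port: http-alpha         # assumed Service port name
      path: /debug/prometheus_metrics
      scheme: https
      tlsConfig:
        serverName: localhost  # assumed; must match a SAN in the Alpha node cert
        ca:
          secret: {name: dgraph-tls, key: ca.crt}
        cert:
          secret: {name: dgraph-tls, key: client.probe.crt}
        keySecret: {name: dgraph-tls, key: client.probe.key}
```

Issuing a dedicated client certificate for probes and scraping, rather than reusing an application client's key, lets it be rotated or revoked independently.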