Description
Experience Report
Note: Feature requests are judged based on user experience and modeled on Go Experience Reports. These reports should focus on the problems: they should not focus on and need not propose solutions.
What you wanted to do
Be able to disable mTLS on health check and metrics endpoints when mTLS is used on Alpha nodes.
What you actually did
My deployment is on Kubernetes. For the livenessProbe, when using mTLS I'm forced to use exec.command instead of the standard http/https probe type:
```yaml
command:
  - /bin/sh
  - '-c'
  - "curl https://$MY_POD_NAME:8080/health?live=1 --http1.1 --cacert {{ .Values.alpha.config.tls_dir }}/ca.crt --cert {{ .Values.alpha.config.tls_dir }}/client.dgraphadmin.crt --key {{ .Values.alpha.config.tls_dir }}/client.dgraphadmin.key"
```
For Prometheus metrics (/debug/prometheus_metrics), I had to first create a dgraph-tls secret with the needed certs/key and then tell the ServiceMonitor to authenticate with it:
```yaml
{{- if .Values.alpha.config.tls_dir }}
scheme: https
tlsConfig:
  insecureSkipVerify: true
  ca:
    secret:
      name: dgraph-tls
      key: "ca.crt"
  cert:
    secret:
      name: dgraph-tls
      key: "client.dgraphadmin.crt"
  keySecret:
    name: dgraph-tls
    key: "client.dgraphadmin.key"
{{- end }}
```
Why that wasn't great, with examples
I don't think the health check and Prometheus metrics endpoints need to be secured with mTLS, and it adds a lot of overhead in Kubernetes to make it all play nice. Zero is "open"; it would make sense to make Alpha the same. At the very least, make it a configurable option.
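The per-endpoint exemption this report asks for, shown as an added Go example that is not Dgraph's code: the TLS listener accepts connections with or without a client certificate (any certificate that is presented is still verified against the CA), and a middleware rejects every path except the probe and scrape paths when no verified chain is present. The exempt paths, the ca.crt/server.crt/server.key file names and the :8080 port are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

// Paths reachable without a client certificate (assumed for this example).
var exemptPaths = map[string]bool{
	"/health":                   true,
	"/debug/prometheus_metrics": true,
}

// HasVerifiedClientCert reports whether the request carried a client cert that chained to ClientCAs.
func HasVerifiedClientCert(r *http.Request) bool {
	return r.TLS != nil && len(r.TLS.VerifiedChains) > 0
}

// RequireClientCert enforces mTLS per request rather than per listener. The listener
// below uses tls.VerifyClientCertIfGiven: the handshake succeeds without a client cert,
// but a presented cert must verify, so a missing VerifiedChains here means "no cert".
func RequireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !exemptPaths[r.URL.Path] && !HasVerifiedClientCert(r) {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	caPEM, err := os.ReadFile("ca.crt") // placeholder path
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatal("no CA certificates found in ca.crt")
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("OK")) })
	srv := &http.Server{Addr: ":8080", Handler: RequireClientCert(mux),
		TLSConfig: &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool}}
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key")) // placeholder paths
}
```

With this layout the standard httpGet probe and the ServiceMonitor need only the CA (or none, with insecureSkipVerify), while an exempt metrics path is readable by anything that can reach the port, so a NetworkPolicy should still restrict who can reach it.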