Merge pull request #81 from alicerum/metrics-tls

Support TLS in the metrics endpoint
openshift · Dec 14, 2021 · 2dd927f · 2dd927f
2 parents 3943b72 + 1a92e17
commit 2dd927f
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 4 deletions.
diff --git a/pkg/metrics/server.go b/pkg/metrics/server.go
@@ -11,6 +11,14 @@ import (
 	"k8s.io/klog/v2"
 )
 
+var (
+	// these files are mounted from the openshift secret
+	// shared-resource-csi-driver-node-metrics-serving-cert
+	// by the csi-driver-shared-resource-operator
+	tlsCRT = "/etc/secrets/tls.crt"
+	tlsKey = "/etc/secrets/tls.key"
+)
+
 // BuildServer creates the http.Server struct
 func BuildServer(port int) (*http.Server, error) {
 	if port <= 0 {
@@ -41,7 +49,7 @@ func StopServer(srv *http.Server) {
 // RunServer starts the metrics server.
 func RunServer(srv *http.Server, stopCh <-chan struct{}) {
 	go func() {
-		err := srv.ListenAndServe()
+		err := srv.ListenAndServeTLS(tlsCRT, tlsKey)
 		if err != nil && err != http.ErrServerClosed {
 			klog.Errorf("error starting metrics server: %v", err)
 		}

diff --git a/pkg/metrics/server_test.go b/pkg/metrics/server_test.go
@@ -1,8 +1,17 @@
 package metrics
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"io/ioutil"
+	"math/big"
+	mr "math/rand"
 	"net/http"
+	"os"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -19,9 +28,67 @@ var (
 	portOffset uint32 = 0
 )
 
+func TestMain(m *testing.M) {
+	var err error
+
+	mr.Seed(time.Now().UnixNano())
+
+	tlsKey, tlsCRT, err = generateTempCertificates()
+	if err != nil {
+		panic(err)
+	}
+
+	// sets the default http client to skip certificate check.
+	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	code := m.Run()
+	os.Remove(tlsKey)
+	os.Remove(tlsCRT)
+	os.Exit(code)
+}
+
+func generateTempCertificates() (string, string, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		return "", "", err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+	}
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
+	if err != nil {
+		return "", "", err
+	}
+
+	cert, err := ioutil.TempFile("", "testcert-")
+	if err != nil {
+		return "", "", err
+	}
+	defer cert.Close()
+	pem.Encode(cert, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: derBytes,
+	})
+
+	keyPath, err := ioutil.TempFile("", "testkey-")
+	if err != nil {
+		return "", "", err
+	}
+	defer keyPath.Close()
+	pem.Encode(keyPath, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
+
+	return keyPath.Name(), cert.Name(), nil
+}
+
 func blockUntilServerStarted(port int) error {
 	return wait.PollImmediate(100*time.Millisecond, 5*time.Second, func() (bool, error) {
-		if _, err := http.Get(fmt.Sprintf("http://localhost:%d/metrics", port)); err != nil {
+		if _, err := http.Get(fmt.Sprintf("https://localhost:%d/metrics", port)); err != nil {
 			// in case error is "connection refused", server is not up (yet)
 			// it is possible that it is still being started
 			// in that case we need to try more
@@ -60,7 +127,7 @@ func TestRunServer(t *testing.T) {
 	port, ch := runMetricsServer(t)
 	defer close(ch)
 
-	resp, err := http.Get(fmt.Sprintf("http://localhost:%d/metrics", port))
+	resp, err := http.Get(fmt.Sprintf("https://localhost:%d/metrics", port))
 	if err != nil {
 		t.Fatalf("error while querying metrics server: %v", err)
 	}
@@ -83,7 +150,7 @@ func findMetricByLabel(metrics []*io_prometheus_client.Metric, label, value stri
 }
 
 func testServerForExpected(t *testing.T, testName string, port int, expected []metric) {
-	resp, err := http.Get(fmt.Sprintf("http://localhost:%d/metrics", port))
+	resp, err := http.Get(fmt.Sprintf("https://localhost:%d/metrics", port))
 	if err != nil {
 		t.Fatalf("error requesting metrics server: %v in test %q", err, testName)
 	}