-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add TLS endpoint to kepler exporter #1899
base: main
Are you sure you want to change the base?
Conversation
Add TLS support via the new web configuration file, following the Prometheus Exporter Toolkit style for consistency across exporters. * Usage: kepler --web.config.file=web-config.yml * Content of web-config.yml: tls_server_config: cert_file: /path/to/server.crt key_file: /path/to/server.key Signed-off-by: Anthony Harivel <[email protected]>
🤖 SeineSailor Here is a concise summary of the pull request changes: Summary: This pull request adds TLS support to the Kepler exporter by introducing a new Key Modifications:
Impact: The external interface remains unchanged, but the code behavior changes when TLS is configured, switching from HTTP to HTTPS. Observations/Suggestions:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://prometheus.io/docs/introduction/roadmap/#tls-and-authentication-in-http-serving-endpoints I don't mind for TLS endpoint, but considering with prometheus TLS note for official exporters...
TLS and authentication in HTTP serving endpoints
TLS and authentication are currently being rolled out to the Prometheus, Alertmanager, and the official exporters. Adding this support will make it easier for people to deploy Prometheus components securely without requiring a reverse proxy to add those features externally.
at meanwhile, if we are going to enable TLS for kepler, considering in a k8s cluster with node A,B,C
what will be the hostname in cert for the TLS cert?what will be the changes for kepler pod?
as for example if we are going to use kepler.svc.nodeX.com as host name in k8s cluster, and the key for each node are different.
so, somehow will it impact/it will change our deployment yaml?
as we have to inject/put a specific node cert-key pair as configuration?
mark with change request for more information and discussion.
Hi @SamYuan1990 , While I don't claim expertise in Kubernetes security or managing certificates in multi-node deployments, I can point out that some IaaS platforms, like Red Hat OpenStack (RHOSO), are already using node_exporter with TLS. Here are a couple of links to highlight this: Node Exporter Configuration This leads me to my point: if someone knows how to manage their certificates effectively, Kepler should be capable of supporting TLS endpoints. Why should Kepler be the only exporter in an IaaS setup like OpenStack that does not support TLS, especially when node_exporter, ipmi_exporter, and others do? Additionally, Kepler is handling sensitive data. For instance, consider the CVEs related to RAPL and side-channel attacks, which I’m sure you’re familiar with. Would organizations that prioritize security really allow this data to be transmitted in plaintext over the network? Finally, I want to stress that this is an optional feature. For users content with unencrypted data, nothing changes—they can continue as before. But adding this option would present Kepler as a more robust and serious tool for those who care about security. |
From security point of view, yes. We can make kepler protected by TLS to improve our baseline for sensitive data protection. So from deployment point of view, considering with kepler community operator and kepler community helm chat as deployment approaches.
and btw, any impacts to kepler RPM service? from security point:what's specific level for kepler's sensitive data? what are they?
how to protect those data according to it's level? to clear/clarify our security boundary.
from impl points of view:is there any chance for us to reuse https://github.com/prometheus/exporter-toolkit |
Add TLS support via the new web configuration file, following the Prometheus Exporter Toolkit style for consistency across exporters.
kepler --web.config.file=web-config.yml
tls_server_config:
cert_file: /path/to/server.crt
key_file: /path/to/server.key