Implementation of built-in support for TLS on the HTTP serving endpoints in Prometheus Server

russellc...@gmail.com

Nov 26, 2018, 10:48:22 AM
to Prometheus Developers
Moved to developer mailing list (here) following on from [https://groups.google.com/forum/#!topic/prometheus-users/3HMIv3O8ovI]


The Prometheus Server HTTP serving endpoints currently do not support TLS. This means that access to the scraped and stored metrics via the endpoints can be gained by any user/application with access to the endpoints etc.

As per the August 2018 Prometheus Roadmap update, TLS and Authentication in HTTP serving endpoints is stated to be implemented in the near future and I feel like there is quite the appetite for it within the community.
Would these items (TLS/Auth related) be closed-doors developed by Prometheus, or is this open for contributions?

In addition, judging from the previous post on user forum (link above), there may be some further thought required into where in the Prometheus project these items would get implemented (suggestions in: client_golang or Prometheus/common).

Thanks, Russ

Brian Brazil

Nov 27, 2018, 6:58:14 AM
to russellc...@gmail.com, prometheus...@googlegroups.com
On Mon, 26 Nov 2018 at 15:48, <russellc...@gmail.com> wrote:
> Moved to developer mailing list (here) following on from [https://groups.google.com/forum/#!topic/prometheus-users/3HMIv3O8ovI]
>
> The Prometheus Server HTTP serving endpoints currently do not support TLS. This means that access to the scraped and stored metrics via the endpoints can be gained by any user/application with access to the endpoints etc.
>
> As per the August 2018 Prometheus Roadmap update, TLS and Authentication in HTTP serving endpoints is stated to be implemented in the near future and I feel like there is quite the appetite for it within the community.
> Would these items (TLS/Auth related) be closed-doors developed by Prometheus, or is this open for contributions?

This is certainly open to contributions.

> In addition, judging from the previous post on user forum (link above), there may be some further thought required into where in the Prometheus project these items would get implemented (suggestions in: client_golang or Prometheus/common).

I believe the plan was to get it working in node exporter, and then move it to common once that's looking stable.

Brian
 

> Thanks, Russ


russellc...@gmail.com

Nov 30, 2018, 6:44:21 AM
to Prometheus Developers
Ah excellent good to hear :)

Have just been looking over the 2018 Dev Summit notes to try source some more requirements for this. Just to confirm for scrape security, going with TLS 1.2 for now?
And just to confirm, for Auth, going with: HTTP Basic Auth (TLS optional for BA) and then later on Client-authenticated TLS handshake (client certs)
and finally, cure53 are to review any implementations?

Thanks,
Russ

Brian Brazil

Nov 30, 2018, 6:48:24 AM
to Russell Claxton, prometheus...@googlegroups.com
On Fri, 30 Nov 2018 at 11:44, <russellc...@gmail.com> wrote:
> Ah excellent good to hear :)
>
> Have just been looking over the 2018 Dev Summit notes to try source some more requirements for this. Just to confirm for scrape security, going with TLS 1.2 for now?

Whatever Go does by default, we don't want to get into the game of supporting all settings.

> And just to confirm, for Auth, going with: HTTP Basic Auth (TLS optional for BA) and then later on Client-authenticated TLS handshake (client certs)
> and finally, cure53 are to review any implementations?

That's what was said, but there's no issue (and personally I'd prefer) if cert auth was there from the start. I'd have to check on review.

Brian
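
An added example, not part of the thread and not Prometheus or node exporter code: the options discussed above in Go, with HTTP Basic Auth in front of a metrics handler and a TLS config that leaves Go's default protocol settings untouched and requires client certificates when a CA pool is supplied. The function names, address, credentials and certificate paths are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
)

// basicAuth (hypothetical helper) rejects requests whose credentials do not match.
// subtle.ConstantTimeCompare does not stop at the first differing byte.
func basicAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serverTLSConfig (hypothetical helper) leaves MinVersion and CipherSuites unset,
// so Go's defaults apply. A non-nil pool turns on client-certificate verification.
func serverTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{}
	if clientCAs != nil {
		cfg.ClientCAs = clientCAs
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

func main() {
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("up 1\n")) // constructed sample metric
	})
	srv := &http.Server{
		Addr:      "127.0.0.1:9100", // constructed listen address
		Handler:   basicAuth("scraper", "constructed-password", metrics),
		TLSConfig: serverTLSConfig(nil), // pass a CA pool to require client certs
	}
	// server.crt and server.key are placeholder paths for this example.
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```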
 
