gnmic icon indicating copy to clipboard operation
gnmic copied to clipboard
verified publisher icon openconfig

GRPC server access to metrics from prometheus

Open vseregin63 opened this issue 1 year ago • 1 comments

Have a good day, @karimra !

We use TLS client-auth protection on GNMIC api interface. It helps us to hide sensitive data, available through this interface. But before TLS was enabled we also collected grpc server metrics from point http://hostname:7890/metrics on the same api port 7890.

api-server:
  tls:
    ca-file: /certs/rootCA.crt
    cert-file: /certs/api_server.pem
    key-file: /certs/api_server.key
    client-auth: "require"
  enable-metrics: true

Now after TLS was enabled we can't collect this data by prometheus because it doesn't support TLS authentication by client certs (at least in our infra). Please tell us how we can disable TLS for this url only (http://hostname:7890/metrics), or may be we can add some hosts/nets to exception? If we cant do it now, can you please add it to project development plan?

Thnx

vseregin63 avatar Dec 17 '24 06:12 vseregin63

TLS cannot be disabled per URL.

Prometheus supports TLS on the client side:

scrape_configs:
  - job_name: 'telemetry'
    scheme: https
    tls_config:
        ca_file: 'ca.crt'
        cert_file: 'client.crt'
        key_file: 'client.key'
    static_configs:
    - targets: ['router1:57400']

karimra avatar Dec 30 '24 15:12 karimra