metrics: add TLS options (#1939)

* move metrics listener to envoy * add metrics tls options * add test * update docs * update config proto * add function to validate metric addr * fix validation
2025-06-01 18:33:19 +02:00 · 2021-02-24 09:42:53 -07:00 · 2021-02-24 09:42:53 -07:00 · a825b06014
commit a825b06014
parent ec02761e2f
15 changed files with 633 additions and 296 deletions
--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -510,6 +510,27 @@ To support this in Prometheus, consult the `basic_auth` option in the [`scrape_c
 documentation.


+### Metrics Certificate
+- Config File Key: `metrics_certificate` / `metrics_certificate_key`
+- Config File Key: `metrics_certificate_file` / `metrics_certificate_key_file`
+- Environmental Variable: `METRICS_CERTIFICATE` / `METRICS_CERTIFICATE_KEY`
+- Environmental Variable: `METRICS_CERTIFICATE_FILE` / `METRICS_CERTIFICATE_KEY_FILE`
+- Type: [base64 encoded] `string`
+- Type: certificate relative file location `string`
+- Optional
+
+Certificates are the x509 _public-key_ and _private-key_ used to secure the metrics endpoint.
+
+
+### Metrics Client Certificate Authority
+- Environment Variable: `METRICS_CLIENT_CA` / `METRICS_CLIENT_CA_FILE`
+- Config File Key: `metrics_client_ca` / `metrics_client_ca_file`
+- Type: [base64 encoded] `string` or relative file location
+- Optional
+
+The Client Certificate Authority is the x509 _public-key_ used to validate [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) client certificates for the metrics endpoint. If not set, no client certificate will be required.
+
+
 ### Proxy Log Level
 - Environmental Variable: `PROXY_LOG_LEVEL`
 - Config File Key: `proxy_log_level`
--- a/docs/reference/settings.yaml
+++ b/docs/reference/settings.yaml
@ -576,6 +576,33 @@ settings:

          To support this in Prometheus, consult the `basic_auth` option in the [`scrape_config`](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config)
          documentation.
+      - name: "Metrics Certificate"
+        keys:
+          [
+            "metrics_certificate",
+            "metrics_certificate_key",
+            "metrics_certificate_file",
+            "metrics_certificate_key_file",
+          ]
+        attributes: |
+          - Config File Key: `metrics_certificate` / `metrics_certificate_key`
+          - Config File Key: `metrics_certificate_file` / `metrics_certificate_key_file`
+          - Environmental Variable: `METRICS_CERTIFICATE` / `METRICS_CERTIFICATE_KEY`
+          - Environmental Variable: `METRICS_CERTIFICATE_FILE` / `METRICS_CERTIFICATE_KEY_FILE`
+          - Type: [base64 encoded] `string`
+          - Type: certificate relative file location `string`
+          - Optional
+        doc: |
+          Certificates are the x509 _public-key_ and _private-key_ used to secure the metrics endpoint.
+      - name: "Metrics Client Certificate Authority"
+        keys: ["metrics_client_ca", "metrics_client_ca_file"]
+        attributes: |
+          - Environment Variable: `METRICS_CLIENT_CA` / `METRICS_CLIENT_CA_FILE`
+          - Config File Key: `metrics_client_ca` / `metrics_client_ca_file`
+          - Type: [base64 encoded] `string` or relative file location
+          - Optional
+        doc: |
+          The Client Certificate Authority is the x509 _public-key_ used to validate [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) client certificates for the metrics endpoint. If not set, no client certificate will be required.
      - name: "Proxy Log Level"
        keys: ["proxy_log_level"]
        attributes: |