add TLS ability to fdb kubernetes monitor

2024-06-05 11:51:48 +01:00 · 2024-06-05 11:51:48 +01:00 · 74d37299cf
parent 3c4f5f655c
commit 74d37299cf
2 changed files with 23 additions and 3 deletions
--- a/fdbkubernetesmonitor/main.go
+++ b/fdbkubernetesmonitor/main.go
@ -47,6 +47,8 @@ var (
 	mainContainerVersion string
 	additionalEnvFile    string
 	listenAddress        string
+	certFile             string
+	keyFile              string
 	processCount         int
 	enablePprof          bool
 	enableNodeWatch      bool
@ -132,6 +134,8 @@ func main() {
 	pflag.BoolVar(&enablePprof, "enable-pprof", false, "Enables /debug/pprof endpoints on the listen address")
 	pflag.StringVar(&listenAddress, "listen-address", ":8081", "An address and port to listen on")
 	pflag.BoolVar(&enableNodeWatch, "enable-node-watch", false, "Enables the fdb-kubernetes-monitor to watch the node resource where the current Pod is running. This can be used to read node labels")
+	pflag.StringVar(&certFile, "cert-file", "", "The location of a PEM cert for the prometheus HTTP server")
+	pflag.StringVar(&keyFile, "key-file", "", "The location of a PEM key for the prometheus HTTP server")
 	err := parseFlagsAndSetEnvDefaults()
 	if err != nil {
 		panic(err)
@ -157,7 +161,12 @@ func main() {
 			logger.Error(err, "Error loading additional environment")
 			os.Exit(1)
 		}
-		StartMonitor(context.Background(), logger, path.Join(inputDir, monitorConfFile), customEnvironment, processCount, listenAddress, enablePprof, currentContainerVersion, enableNodeWatch)
+		promConfig := httpConfig{
+			listenAddr: listenAddress,
+			certFile:   certFile,
+			keyFile:    keyFile,
+		}
+		StartMonitor(context.Background(), logger, path.Join(inputDir, monitorConfFile), customEnvironment, processCount, promConfig, enablePprof, currentContainerVersion, enableNodeWatch)
 	case executionModeInit:
 		err = CopyFiles(logger, outputDir, copyDetails, requiredCopies)
 		if err != nil {
--- a/fdbkubernetesmonitor/monitor.go
+++ b/fdbkubernetesmonitor/monitor.go
@ -106,8 +106,12 @@ type Monitor struct {
 	metrics *metrics
 }

+type httpConfig struct {
+	listenAddr, certFile, keyFile string
+}
+
 // StartMonitor starts the monitor loop.
-func StartMonitor(ctx context.Context, logger logr.Logger, configFile string, customEnvironment map[string]string, processCount int, listenAddr string, enableDebug bool, currentContainerVersion string, enableNodeWatcher bool) {
+func StartMonitor(ctx context.Context, logger logr.Logger, configFile string, customEnvironment map[string]string, processCount int, promConfig httpConfig, enableDebug bool, currentContainerVersion string, enableNodeWatcher bool) {
 	podClient, err := CreatePodClient(ctx, logger, enableNodeWatcher, setupCache)
 	if err != nil {
 		logger.Error(err, "could not create Pod client")
@ -152,7 +156,14 @@ func StartMonitor(ctx context.Context, logger logr.Logger, configFile string, cu
 	// Add Prometheus support
 	mux.Handle("/metrics", promHandler)
 	go func() {
-		err := http.ListenAndServe(listenAddr, mux)
+		if promConfig.keyFile != "" || promConfig.certFile != "" {
+			err := http.ListenAndServeTLS(promConfig.listenAddr, promConfig.certFile, promConfig.keyFile, mux)
+			if err != nil {
+				logger.Error(err, "could not start HTTPS server")
+				os.Exit(1)
+			}
+		}
+		err := http.ListenAndServe(promConfig.listenAddr, mux)
 		if err != nil {
 			logger.Error(err, "could not start HTTP server")
 			os.Exit(1)