CFP: Add mTLS support for agent and operator metrics servers

[ulkub]

Cilium Feature Proposal

Is your proposed feature related to a problem?

Yes. We need to be able to encrypt all our Cilium metrics. Currently Cilium agent and operator do not have mTLS support for their metrics servers. Hubble metrics server has this support, and achieving parity with Hubble is required. We need mTLS support to be added.

Describe the feature you'd like

We'd like agent and operator metrics servers to have mTLS support with automatic certificate rotation.

(Optional) Describe your proposed solution

Hubble metrics server already has mTLS support. Similar work could be done for agent and operator.

In our case, we need strict TLS; we don't want to fail open. The question here is: When TLS is enabled but metrics server cannot be started with TLS, does it make sense not to start metrics server i.e not to expose metrics, or just to crash?
The solution approach for this problem will be adopted to Hubble metrics too.
If not exposing metrics is sensible, we can manage this with the help of an additional flag EnableStrictTLS. If both 'EnableMetricsServerTLS' and 'EnableStrictTLS' are 'true', metrics server will not be started.
The flags that we need in this case can be like:

// Enable tls for metrics server
EnableMetricsServerTLS bool

// Makes sure that metrics server is not started if tls is enabled  but could not be configured/started
EnableStrictTLS bool

// MetricsServerTLSCertFile specifies the path to the public key file for
// the metrics server. The file must contain PEM encoded data.
MetricsServerTLSCertFile string

// MetricsServerTLSKeyFile specifies the path to the private key file for
// the metrics server. The file must contain PEM encoded data.
MetricsServerTLSKeyFile string

// MetricsServerTLSClientCAFiles specifies the path to one or more client
// CA certificates to use for TLS with mutual authentication (mTLS) on the
// metrics server. The files must contain PEM encoded data.
MetricsServerTLSClientCAFiles []string

Certificates we use will be valid for 6 months, and will need renewal. Thus, we will also include Automatic Certification Rotation. This is required for Hubble metrics as well.

We have a working strict TLS support solution with certificate rotation for Cilium 1.13. A work-in-progress for the current head is here

[aditighag]

We have a working strict TLS support solution with certificate rotation for Cilium 1.13. A work-in-progress for the current head is here

Hi, Are you interested in upstreaming the changes?

[ulkub]

We have a working strict TLS support solution with certificate rotation for Cilium 1.13. A work-in-progress for the current head is here

Hi, Are you interested in upstreaming the changes?

Yes, we want to upstream the changes

[ulkub]

My CFP is quite similar to CFP-#32266 .

[bowei]

cc: @tommyp1ckles

[joestringer]

Broadly this seems useful. cc @cilium/sig-hubble

[bowei]

From the community meeting (2025-04-30): proposal looks ok, advise sending a PR to start the discussion

[chancez]

Seems reasonable. I think something that will be important is how you specify the CA for client certificates. You'll want to allow the CA bundle for validating client certificates to be separate from the existing CA bundles, as there may be multiple/different CAs from clients trying to scrape metrics. You could default to the existing CA bundle, but you should be able to configure a different one too.

Certificates we use will be valid for 6 months, and will need renewal. Thus, we will also include Automatic Certification Rotation. This is required for Hubble metrics as well.

You mean just the CA for validating the client certificates right? I don't think we need/want to provision client certificates for accessing the metrics, since most of the time, the clients scraping metrics from Cilium should have their own unique client certificate, and they'll likely be running in a different namespace, or not in Kubernetes at all.

You'll probably want to update docs to add a small section below https://github.com/cilium/cilium/blob/main/Documentation/observability/metrics.rst?plain=1#L132-L160 indicating how a user would configure TLS and specify client certificate in their scrape config.

[ulkub]

Thank you for the input @chancez. I'll take it into account while upstreaming.
A small note for the certificate rotation, I figured out that I don't have to do anything as the current approach (used for hubble metrics tls support), handles the issue.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[github-actions]

This issue has not seen any activity since it was marked stale.
Closing.