Closed lentzi90 closed 2 years ago
Hi @lentzi90, thanks for your input. However, I suggest you look at kube-rbac-proxy, which will solve this for you. You run node-cert-exporter with kube-rbac-proxy as a side-car container terminating TLS connections before forwarding to node-cert-exporter. As an example, you put this additional container in the daemonset for node-cert-exporter:
```yaml
- image: quay.io/brancz/kube-rbac-proxy:v0.8.0
  name: kube-rbac-proxy
  args:
  - --logtostderr
  - --secure-listen-address=[$(IP)]:9100
  - --upstream=http://127.0.0.1:9100/
  env:
  - name: IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
  ports:
  - containerPort: 9100
    hostPort: 9100
    name: https
```
Hi and thanks for the comment!
We have considered a side-car solution but would prefer "native" TLS support in node-cert-exporter. This is because we want to keep the footprint as minimal as possible and the complexity low. Do you think this would make it reasonable to add TLS support?
I can create a PR where we can more easily discuss the technical details of it!
(I guess not everyone would use this feature, so left it unticked. :shrug: )
Description
In some situations it would be useful or even required to use TLS for the traffic between Prometheus and node-cert-exporter. This feature request is for adding support for TLS to node-cert-exporter. I imagine this would work similarly to other applications that support TLS, by adding some flags like `--tls`, `--tls-cert-file` and `--tls-key-file`.
Additional information
My employer is interested in this feature and I would be willing to implement it if it is accepted.
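
A sketch of how the flags proposed in this request could be wired into a Go metrics server so that a half-configured TLS setup fails at startup instead of falling back to plaintext. This is an added example, not node-cert-exporter code: the `tlsOptions` type, the `serve` helper, the listen address and the handler are assumptions, and the flag names are only the ones suggested in the issue.

```go
package main

import (
	"crypto/tls"
	"errors"
	"flag"
	"fmt"
	"log"
	"net/http"
)

// tlsOptions mirrors the flags proposed in the issue (hypothetical, not existing flags).
type tlsOptions struct {
	Enabled           bool
	CertFile, KeyFile string
}

// validate rejects inconsistent flag combinations so the server never starts in an unintended mode.
func (o tlsOptions) validate() error {
	switch {
	case o.Enabled && (o.CertFile == "" || o.KeyFile == ""):
		return errors.New("--tls requires both --tls-cert-file and --tls-key-file")
	case !o.Enabled && (o.CertFile != "" || o.KeyFile != ""):
		return errors.New("--tls-cert-file/--tls-key-file given without --tls")
	}
	return nil
}

// serve listens with TLS 1.2+ when enabled; an unreadable key pair is returned as an error.
func serve(addr string, h http.Handler, o tlsOptions) error {
	if err := o.validate(); err != nil {
		return err
	}
	srv := &http.Server{Addr: addr, Handler: h, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	if o.Enabled {
		return srv.ListenAndServeTLS(o.CertFile, o.KeyFile)
	}
	return srv.ListenAndServe()
}

func main() {
	var o tlsOptions
	flag.BoolVar(&o.Enabled, "tls", false, "serve metrics over TLS")
	flag.StringVar(&o.CertFile, "tls-cert-file", "", "path to PEM certificate")
	flag.StringVar(&o.KeyFile, "tls-key-file", "", "path to PEM private key")
	flag.Parse()
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "# constructed placeholder") })
	log.Fatal(serve(":9117", h, o)) // listen address is an assumption for this example
}
```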