search

strimzi / metrics-reporter

Prometheus Metrics Reporter for Apache Kafka server and client components
Apache License 2.0
5 stars 10 forks source link

Add support for https #65

Open mimaison opened 2 weeks ago

mimaison commented 2 weeks ago

The metrics reporter should support exposing the metrics endpoint via https.

scholzj commented 2 weeks ago

I do not want to reject this, but I think we should think about the prioritizations. Strimzi itself does not support HTTPS for metrics and there does not seem to be any issue with it. So I wonder if this should be postponed to see:

mimaison commented 2 weeks ago

In all regulated industries, encrypting all communication links is mandatory. But even for other users, HTTPS support is kind of expected nowadays for any project. For example jmx_exporter supports HTTPS since last year, so this will likely be needed for anyone wanting to switch over.

This project is expected to be usable outside of Strimzi. Waiting for users to adopt the reporter before adding "standard" features is a bit of a chicken vs egg.

Implementing this feature should not impact the integration work with the operator, and the operator does not need to use that feature.

Maybe we should discuss the roadmap in an upcoming Strimzi community call. In my mind this and the allowlist reconfiguration support (https://github.com/strimzi/metrics-reporter/issues/55) were great features to push for the 0.2.0 release. Not a feature per-se but adding integration tests (and potentially performance tests too, as one of the key motivation is to scale better than jmx_exporter) should also be a priority, so we ensure new features don't break anything.

Then for 0.3.0, I was considering adding support for KIP-714.

I should add that I'm willing to work on these items, I'm not opening issues demanding new features.

scholzj commented 2 weeks ago

Strimzi does not support TLS on metrics and so far there has been only very little demand for it. With pull-based metrics, it is also very hard to implement on the practical level as you need server certificates with the right SANs that are trusted etc. This will be even more of an issue outside of Strimzi than in Strimzi. So I definitely don't think this is a standard feature that would block adoption.

im-konge commented 1 week ago

Triaged on 14.11.2024: Let's leave this open for the next time when we will have Jakub on the call as well.