Merge "Enable prom-exporter with tls"

2025-04-24 08:29:14 +00:00 · 2025-04-24 08:29:14 +00:00 · e352e0dd10
commit e352e0dd10
parent 7d199f5751 e769a80b6c
4 changed files with 92 additions and 9 deletions
--- a/ceilometer/polling/manager.py
+++ b/ceilometer/polling/manager.py
@ -106,6 +106,17 @@ POLLING_OPTS = [
                default=False,
                help='Whether the polling service should ignore '
                     'disabled projects or not.'),
+    cfg.BoolOpt('prometheus_tls_enable',
+                default=False,
+                help='Whether it will expose tls metrics or not'),
+    cfg.StrOpt('prometheus_tls_certfile',
+               default=None,
+               help='The certificate file to allow this ceilometer to '
+                    'expose tls scrape endpoints'),
+    cfg.StrOpt('prometheus_tls_keyfile',
+               default=None,
+               help='The private key to allow this ceilometer to '
+                    'expose tls scrape endpoints'),
 ]


@ -514,7 +525,20 @@ class AgentManager(cotyledon.Service):
                address = netutils.parse_host_port(addr)
                if address[0] is None or address[1] is None:
                    LOG.warning('Ignoring invalid address: %s', addr)
-                prom_exporter.export(address[0], address[1])
+                certfile = self.conf.polling.prometheus_tls_certfile
+                keyfile = self.conf.polling.prometheus_tls_keyfile
+                if self.conf.polling.prometheus_tls_enable:
+                    if not certfile or not keyfile:
+                        raise ValueError(
+                            "Certfile and keyfile must be provided."
+                        )
+                else:
+                    certfile = keyfile = None
+                prom_exporter.export(
+                    address[0],
+                    address[1],
+                    certfile,
+                    keyfile)

        self._keystone = None
        self._keystone_last_exception = None
--- a/ceilometer/polling/prom_exporter.py
+++ b/ceilometer/polling/prom_exporter.py
@ -19,10 +19,12 @@ import prometheus_client as prom
 CEILOMETER_REGISTRY = prom.CollectorRegistry()


-def export(prometheus_iface, prometheus_port):
-    prom.start_http_server(port=prometheus_port,
-                           addr=prometheus_iface,
-                           registry=CEILOMETER_REGISTRY)
+def export(prom_iface, prom_port, tls_cert=None, tls_key=None):
+    prom.start_http_server(port=prom_port,
+                           addr=prom_iface,
+                           registry=CEILOMETER_REGISTRY,
+                           certfile=tls_cert,
+                           keyfile=tls_key)


 def collect_metrics(samples):
--- a/ceilometer/tests/unit/test_prom_exporter.py
+++ b/ceilometer/tests/unit/test_prom_exporter.py
@ -243,12 +243,65 @@ class TestPromExporter(base.BaseTestCase):
        manager.AgentManager(0, CONF)

        export.assert_has_calls([
-            call('127.0.0.1', 9101),
-            call('127.0.0.1', 9102),
-            call('::1', 9103),
-            call('localhost', 9104),
+            call('127.0.0.1', 9101, None, None),
+            call('127.0.0.1', 9102, None, None),
+            call('::1', 9103, None, None),
+            call('localhost', 9104, None, None),
        ])

+    @mock.patch('ceilometer.polling.prom_exporter.export')
+    def test_export_called_tls_disabled(self, export):
+        CONF = service.prepare_service([], [])
+        CONF.polling.enable_prometheus_exporter = True
+        CONF.polling.prometheus_tls_enable = False
+        CONF.polling.prometheus_tls_certfile = "cert.pem"
+        CONF.polling.prometheus_listen_addresses = [
+            '127.0.0.1:9101',
+            '127.0.0.1:9102',
+            '[::1]:9103',
+            'localhost:9104',
+        ]
+        manager.AgentManager(0, CONF)
+
+        export.assert_has_calls([
+            call('127.0.0.1', 9101, None, None),
+            call('127.0.0.1', 9102, None, None),
+            call('::1', 9103, None, None),
+            call('localhost', 9104, None, None),
+        ])
+
+    @mock.patch('ceilometer.polling.prom_exporter.export')
+    def test_export_called_with_tls(self, export):
+        CONF = service.prepare_service([], [])
+        CONF.polling.enable_prometheus_exporter = True
+        CONF.polling.prometheus_listen_addresses = [
+            '127.0.0.1:9101',
+            '127.0.0.1:9102',
+            '[::1]:9103',
+            'localhost:9104',
+        ]
+        CONF.polling.prometheus_tls_enable = True
+        CONF.polling.prometheus_tls_certfile = "cert.pem"
+        CONF.polling.prometheus_tls_keyfile = "key.pem"
+        manager.AgentManager(0, CONF)
+
+        export.assert_has_calls([
+            call('127.0.0.1', 9101, "cert.pem", "key.pem"),
+            call('127.0.0.1', 9102, "cert.pem", "key.pem"),
+            call('::1', 9103, "cert.pem", "key.pem"),
+            call('localhost', 9104, "cert.pem", "key.pem"),
+        ])
+
+    @mock.patch('ceilometer.polling.prom_exporter.export')
+    def test_export_fails_if_incomplete_tls(self, export):
+        CONF = service.prepare_service([], [])
+        CONF.polling.enable_prometheus_exporter = True
+        CONF.polling.prometheus_listen_addresses = ['127.0.0.1:9101']
+        CONF.polling.prometheus_tls_enable = True
+        CONF.polling.prometheus_tls_certfile = "cert.pem"
+        CONF.polling.prometheus_tls_keyfile = None  # Missing key
+        self.assertRaises(ValueError, manager.AgentManager, 0, CONF)
+
    def test_collect_metrics(self):
        prom_exporter.collect_metrics(self.test_image_size)
        sample_dict_1 = {'counter': 'image.size',
--- a/releasenotes/notes/enable-promethus-exporter-tls-76e78d4f4a52c6c4.yaml
+++ b/releasenotes/notes/enable-promethus-exporter-tls-76e78d4f4a52c6c4.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Enhanced the Prometheus exporter to support TLS for exposing metrics securely.