Enable TLS for /metrics endpoint and add tests

Signed-off-by: peppi-lotta <[email protected]>

Author: peppi-lotta

api/pkg/apis/projectcalico/v3/felixconfig.go

@@ -442,6 +442,30 @@ type FelixConfigurationSpec struct {
 	// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
 	PrometheusWireGuardMetricsEnabled *bool `json:"prometheusWireGuardMetricsEnabled,omitempty"`
 
+	// MetricsTLSEnabled specifies whether TLS encryption is enabled for the /metrics endpoint.
+	// If set to true, the metrics server will only be accessible over HTTPS. Default is false.
+	MetricsTLSEnabled *bool `json:"metricsTLSEnabled,omitempty"`
+
+	// MetricsTLSCACertFile defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.
+	// This certificate must be valid and accessible by the calico-node process.
+	MetricsTLSCACertFile *string `json:"metricsTLSCACertFile,omitempty"`
+
+	// MetricsTLSCertFile defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.
+	// This certificate must be valid and accessible by the calico-node process.
+	MetricsTLSCertFile *string `json:"metricsTLSCertFile,omitempty"`
+
+	// MetricsTLSPrivateKeyFile defines the absolute path to the private key file corresponding to the TLS certificate
+	// used for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.
+	MetricsTLSPrivateKeyFile *string `json:"metricsTLSPrivateKeyFile,omitempty"`
+
+	// MetricsClientAuthType specifies the client authentication type for the /metrics endpoint.
+	// This determines how the server validates client certificates. Default is "NoClientCert".
+	MetricsClientAuthType *string `json:"metricsClientAuthType,omitempty"`
+
+	// MetricsTLSMinVersion specifies the minimum TLS version allowed for the /metrics endpoint.
+	// This ensures that only secure versions of TLS are used. Default is "1.3".
+	MetricsTLSMinVersion *string `json:"metricsTLSMinVersion,omitempty"`
+
 	// FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will
 	// allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally
 	// cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified,

api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go

@@ -404,6 +404,13 @@ type Config struct {
 	PrometheusProcessMetricsEnabled   bool   `config:"bool;true"`
 	PrometheusWireGuardMetricsEnabled bool   `config:"bool;true"`
 
+	MetricsTLSEnabled        bool   `config:"bool;false"`
+	MetricsTLSCACertFile     string `config:"string;"`
+	MetricsTLSCertFile       string `config:"string;"`
+	MetricsTLSPrivateKeyFile string `config:"string;"`
+	MetricsTLSMinVersion     string `config:"oneof(TLS12,TLS13);TLS13"`
+	MetricsClientAuthType    string `config:"oneof(RequireAndVerifyClientCert,VerifyClientCertIfGiven,NoClientCert);NoClientCert"`
+
 	FailsafeInboundHostPorts  []ProtoPort `config:"port-list;tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
 	FailsafeOutboundHostPorts []ProtoPort `config:"port-list;udp:53,udp:67,tcp:179,tcp:2379,tcp:2380,tcp:5473,tcp:6443,tcp:6666,tcp:6667;die-on-fail"`
 

api/pkg/openapi/generated.openapi.go

@@ -733,10 +733,22 @@ configRetry:
 		gaugeHost.Set(1)
 		prometheus.MustRegister(gaugeHost)
 		dp.ConfigurePrometheusMetrics(configParams)
-		go metricsserver.ServePrometheusMetricsForever(
-			configParams.PrometheusMetricsHost,
-			configParams.PrometheusMetricsPort,
-		)
+		if configParams.MetricsTLSEnabled == true {
+			go metricsserver.ServePrometheusMetricsHTTPS(
+				configParams.PrometheusMetricsHost,
+				configParams.PrometheusMetricsPort,
+				configParams.MetricsTLSCertFile,
+				configParams.MetricsTLSPrivateKeyFile,
+				configParams.MetricsTLSMinVersion,
+				configParams.MetricsClientAuthType,
+				configParams.MetricsTLSCACertFile,
+			)
+		} else {
+			go metricsserver.ServePrometheusMetricsHTTP(
+				configParams.PrometheusMetricsHost,
+				configParams.PrometheusMetricsPort,
+			)
+		}
 	}
 
 	// Register signal handlers to dump memory/CPU profiles.