Encrypt metrics from your applications

All metrics data must be encrypted in transit so that it cannot be read or tampered with on the network. The monitoring component of Google Distributed Cloud (GDC) air-gapped provides in-transit encryption and authentication through mutual Transport Layer Security (mTLS). With mTLS, both parties in a network connection present a certificate, so each side verifies that the other is who it claims to be.

This page explains how to set up mTLS for your metrics server.

Before you begin

To get the permissions that you need to manage MonitoringTarget custom resources, ask your Organization IAM Admin or Project IAM Admin to grant you one of the associated MonitoringTarget roles.

Depending on the level of access and permissions you need, you might obtain creator, editor, or viewer roles for this resource in an organization or a project. For more information, see Prepare IAM permissions.

After obtaining the necessary permissions, complete these steps before enabling metrics encryption:

  1. Deploy your metrics server.
  2. Collect metrics from your workloads.
  3. Ensure your MonitoringTarget custom resource shows a Ready status, like in the following example:

    apiVersion: monitoring.gdc.goog/v1
    kind: MonitoringTarget
    [...]
    status:
      conditions:
      - lastTransitionTime: "2023-10-27T15:27:51Z"
        message: ""
        observedGeneration: 1
        reason: Ready
        status: "True"
        type: Ready

  4. Query and view metrics on dashboards to confirm that your metrics server is sending the expected data.

Mount the certificate

Your workload needs to use a certificate that is automatically generated when you enable mTLS on the MonitoringTarget custom resource. Add a volume and volume mount for this certificate using the following template:

apiVersion: apps/v1
kind: Deployment # or StatefulSet
metadata:
  name: "SERVICE_NAME"
spec:
  template:
    spec:
      containers:
        - name: "CONTAINER_NAME"
          volumeMounts:
          - mountPath: "/etc/ssl/MONITORING_TARGET_NAME-cert"
            name: "MONITORING_TARGET_NAME-cert"
            readOnly: true
      volumes:
      - name: "MONITORING_TARGET_NAME-cert"
        secret:
          secretName: "MONITORING_TARGET_NAME-cert"
  [...]

Replace the following:

  • SERVICE_NAME: the name of your Deployment or StatefulSet object.
  • CONTAINER_NAME: the name of the container where you are adding the volume mount.
  • MONITORING_TARGET_NAME: the name of your MonitoringTarget custom resource. The secret name is based on this name. For example, a my-mon-target resource creates a my-mon-target-cert secret name.

Serve metrics

Your metrics server must serve metrics from an mTLS-enabled HTTP server. How you enable this depends on whether you own the application:

  • For applications you own: Modify the source code to support mTLS and configure the metrics server with the mTLS certificate.
  • For applications you don't own: Consult the application's documentation to enable an HTTPS metrics endpoint. Apply the necessary configuration, like configuring command-line arguments or deploying a config file.

Enable mTLS metrics collection

Add the following label to the metadata section of your MonitoringTarget custom resource to enable the collection of encrypted metrics:

monitoring.gdc.goog/enable-mtls: "true"

The custom resource must look like the following example:

apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
metadata:
  namespace: my-project-namespace
  name: "SERVICE_NAME"
  labels:
    monitoring.gdc.goog/enable-mtls: "true" # Enable mTLS metrics collection
spec:
  [...]

To verify that you enabled mTLS authentication, check that your MonitoringTarget custom resource shows a Ready status for the certificate and the certificate secret, like in the following example:

apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
[...]
status:
  conditions:
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "admin,user-vm-1,user-vm-2,org-1-system"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2023-11-09T11:14:43Z"
    message: "Certificate is ready"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateReady
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "Successfully created secret"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateSecretReady