All metrics data must be encrypted in transit to ensure security. The monitoring component of Google Distributed Cloud (GDC) air-gapped provides in-transit encryption and authentication through mutual Transport Layer Security (mTLS). The mTLS method verifies the identity of both parties in a network connection, confirming they are who they claim to be.
This page explains how to set up mTLS for your metrics server.
Before you begin
To get the permissions that you need to manage MonitoringTarget custom resources, ask your Organization IAM Admin or Project IAM Admin to grant you one of the associated MonitoringTarget roles.
Depending on the level of access and permissions you need, you might obtain creator, editor, or viewer roles for this resource in an organization or a project. For more information, see Prepare IAM permissions.
After obtaining the necessary permissions, complete these steps before enabling metrics encryption:
- Deploy your metrics server.
- Collect metrics from your workloads.
- Ensure your MonitoringTarget custom resource shows a Ready status, like in the following example:

```yaml
apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
[...]
status:
  conditions:
  - lastTransitionTime: "2023-10-27T15:27:51Z"
    message: ""
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
```

- Query and view metrics on dashboards to confirm that your metrics server is sending the expected data.
Mount the certificate
Your workload needs to use a certificate that is automatically generated when you enable mTLS on the MonitoringTarget custom resource. Add a volume and volume mount for this certificate using the following template:
```yaml
apiVersion: apps/v1
kind: Deployment # or StatefulSet
metadata:
  name: "SERVICE_NAME"
spec:
  template:
    spec:
      containers:
      - name: "CONTAINER_NAME"
        volumeMounts:
        - mountPath: "/etc/ssl/MONITORING_TARGET_NAME-cert"
          name: "MONITORING_TARGET_NAME-cert"
          readOnly: true
      volumes:
      - name: "MONITORING_TARGET_NAME-cert"
        secret:
          secretName: "MONITORING_TARGET_NAME-cert"
[...]
```

Replace the following:

- SERVICE_NAME: the name of your Deployment or StatefulSet object.
- CONTAINER_NAME: the name of the container where you are adding the volume mount.
- MONITORING_TARGET_NAME: the name of your MonitoringTarget custom resource. The secret name is derived from this name. For example, a my-mon-target resource creates a my-mon-target-cert secret.
Serve metrics
Your metrics server must serve metrics from an mTLS-enabled HTTP server. How you enable this depends on which of the following two scenarios applies:
- For applications you own: Modify the source code to support mTLS and configure the metrics server with the mTLS certificate.
- For applications you don't own: Consult the application's documentation to enable an HTTPS metrics endpoint. Apply the necessary configuration, such as setting command-line arguments or deploying a config file.
Enable mTLS metrics collection
Add the following label to the metadata section of your MonitoringTarget custom resource to enable the collection of encrypted metrics:
```yaml
monitoring.gdc.goog/enable-mtls: "true"
```

The custom resource must look like the following example:

```yaml
apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
metadata:
  namespace: my-project-namespace
  name: "SERVICE_NAME"
  labels:
    monitoring.gdc.goog/enable-mtls: "true" # Enable mTLS metrics collection
spec:
[...]
```

To verify that you enabled mTLS authentication, check that your MonitoringTarget custom resource shows a Ready status for the certificate and the certificate secret, like in the following example:

```yaml
apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
[...]
status:
  conditions:
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "admin,user-vm-1,user-vm-2,org-1-system"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2023-11-09T11:14:43Z"
    message: "Certificate is ready"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateReady
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "Successfully created secret"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateSecretReady
```