Skip to content

Commit

Permalink
Added support for HTTPS and mutual TLS (mTLS)
Browse files Browse the repository at this point in the history
Details:

* Added support for communicating with Prometheus using HTTPS by adding a
  new section 'prometheus' to the HMC credentials file, that can specify
  server certificate and key files, CA credentials file for validating
  client certificates (mTLS), and a flag for disabling client vertificate
  validation.

* Since it makes sense to also specify the port for exporting in the new
  'prometheus' section, that was also added. The -p command line option
  overrides the port specified in the HMC credentials file, which
  defaults to 9291, so this is backwards compatible.

Signed-off-by: Andreas Maier <[email protected]>
  • Loading branch information
andy-maier committed Aug 1, 2023
1 parent 51fd642 commit 1015aa6
Show file tree
Hide file tree
Showing 11 changed files with 219 additions and 18 deletions.
5 changes: 3 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -238,8 +238,9 @@ ifeq ($(python_m_version),2)
@echo "Makefile: Warning: Skipping the checking of missing dependencies on Python $(python_version)" >&2
else
@echo "Makefile: Checking missing dependencies of this package"
pip-missing-reqs $(package_name) --requirements-file=requirements.txt
pip-missing-reqs $(package_name) --requirements-file=minimum-constraints.txt
# TODO: Re-enable once PR https://github.com/prometheus/client_python/pull/946 is released as 0.18.0 (?)
# pip-missing-reqs $(package_name) --requirements-file=requirements.txt
# pip-missing-reqs $(package_name) --requirements-file=minimum-constraints.txt
@echo "Makefile: Done checking missing dependencies of this package"
ifeq ($(PLATFORM),Windows_native)
# Reason for skipping on Windows is https://github.com/r1chardj0n3s/pip-check-reqs/issues/67
Expand Down
8 changes: 6 additions & 2 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,9 @@ Quickstart
obtaining metrics, and which userid and password to use for logging on to
the HMC.

It also defines whether HTTP or HTTPS is used for Prometheus, and HTTPS
related certificates and keys.

Download the `sample HMC credentials file`_ as ``hmccreds.yaml`` and edit
that copy accordingly.

Expand Down Expand Up @@ -107,8 +110,9 @@ Quickstart
up and running. You can see what it does in the mean time by using the ``-v``
option. Subsequent requests to the exporter will be sub-second.

* Direct your web browser at http://localhost:9291 to see the exported
Prometheus metrics. Refreshing the browser will update the metrics.
* Direct your web browser at http://localhost:9291 (or https://localhost:9291
when using HTTPS) to see the exported Prometheus metrics. Refreshing the
browser will update the metrics.

Reporting issues
----------------
Expand Down
3 changes: 3 additions & 0 deletions docs/changes.rst
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,9 @@ Released: not yet
a new metric zhmc_partition_storage_groups that lists the storage groups
attached to a partition. (issue #346)

* Added support for HTTPS and mutual TLS (mTLS) by adding a new section
'prometheus' to the HMC credentials file. (issue #347)

**Cleanup:**

**Known issues:**
Expand Down
11 changes: 9 additions & 2 deletions docs/intro.rst
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ automatic session renewals with the HMC if the logon session expires, and it
survives HMC reboots and automatically picks up metrics collection again once
the HMC come back up.

The exporter supports HTTP and HTTPS (with and without mutual TLS) for
Prometheus.

.. _IBM Z: https://www.ibm.com/it-infrastructure/z
.. _Prometheus exporter: https://prometheus.io/docs/instrumenting/exporters/
.. _Prometheus: https://prometheus.io
Expand All @@ -53,6 +56,9 @@ Quickstart
obtaining metrics, and which userid and password to use for logging on to
the HMC.

It also defines whether HTTP or HTTPS is used for Prometheus, and HTTPS
related certificates and keys.

Download the :ref:`sample HMC credentials file` as ``hmccreds.yaml`` and edit
that copy accordingly.

Expand Down Expand Up @@ -86,8 +92,9 @@ Quickstart
up and running. You can see what it does in the mean time by using the ``-v``
option. Subsequent requests to the exporter will be sub-second.

* Direct your web browser at http://localhost:9291 to see the exported
Prometheus metrics. Refreshing the browser will update the metrics.
* Direct your web browser at http://localhost:9291 (or https://localhost:9291
when using HTTPS) to see the exported Prometheus metrics. Refreshing the
browser will update the metrics.

Reporting issues
----------------
Expand Down
74 changes: 71 additions & 3 deletions docs/usage.rst
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ The ``zhmc_prometheus_exporter`` command supports the following arguments:
-m METRICS_FILE path name of metric definition file. Use --help-metrics for details.
Default: /etc/zhmc-prometheus-exporter/metrics.yaml
-p PORT port for exporting. Default: 9291
-p PORT port for exporting. Default: prometheus.port in HMC credentials file.
--log DEST enable logging and set a log destination (stderr, syslog, FILE). Default:
no logging
Expand Down Expand Up @@ -253,6 +253,36 @@ For more information, see the
section in the documentation of the 'zhmcclient' package.


Communication with Prometheus
-----------------------------

The exporter is an HTTP or HTTPS server that is regularly contacted by Prometheus
for collecting metrics using HTTP GET.

The parameters for the communication with Prometheus are defined in the
HMC credentials file in the ``prometheus`` section, as in the following example:

.. code-block:: yaml
prometheus: # optional
port: 9291
scheme: https
server_cert_file: server_cert.pem
server_key_file: server_key.pem
ca_cert_file: ca_certs.pem
verify_cert: true
If the ``prometheus`` section is not specified, the exporter starts its
server with HTTP. Otherwise, the optional ``scheme`` parameter specifies
whether the server starts with HTTP or HTTPS. It defaults to HTTP, for
compatibility with prior versions.

When the server starts with HTTP, the remaining parameters (except ``port``)
are ignored.

The meaning of the parameters is described in :ref:`HMC credentials file`.


Exported metric concepts
------------------------

Expand Down Expand Up @@ -734,6 +764,8 @@ The *HMC credentials file* tells the exporter which HMC to talk to for
obtaining metrics, and which userid and password to use for logging on to
the HMC.

It also specifies how Prometheus should communicate with the exporter.

In addition, it allows specifying additional labels to be used in all
metrics exported to Prometheus. This can be used for defining labels that
identify the environment managed by the HMC, in cases where metrics from
Expand All @@ -747,7 +779,15 @@ The HMC credentials file is in YAML format and has the following structure:
hmc: {hmc-ip-address}
userid: {hmc-userid}
password: {hmc-password}
verify_cert: {verify-cert}
verify_cert: {hmc-verify-cert}
prometheus: # optional
port: {prom-port}
scheme: {prom-scheme}
server_cert_file: {prom-server-cert-file}
server_key_file: {prom-server-key-file}
ca_cert_file: {prom-ca-cert-file}
verify_cert: {prom-verify-cert}
extra_labels: # optional
# list of labels:
Expand All @@ -762,9 +802,37 @@ Where:

* ``{hmc-password}`` is the password of that userid.

* ``{verify-cert}`` controls whether and how the HMC server certificate is
* ``{hmc-verify-cert}`` controls whether and how the HMC server certificate is
verified. For details, see :ref:`HMC certificate`.

* ``{prom-port}`` is the port for exporting. Default: 9291.

* ``{prom-scheme}`` is the scheme to be used (``http``, ``https``).
Using HTTPS requires Python 3.8 or higher. Default: ``http``.

* ``{prom-server-cert-file}`` is the path name of a certificate file in PEM
format containing an X.509 server certificate that will be presented to
Prometheus during TLS handshake. Relative path names are relative to the
directory of the HMC credentials file. Ignored when using HTTP. Required when
using HTTPS.

* ``{prom-server-key-file}`` is the path name of a key file in PEM format
containing an X.509 private key that belongs to the public key in the server
certificate. Relative path names are relative to the directory of the HMC
credentials file. Ignored when using HTTP. Required when using HTTPS.

* ``{prom-ca-cert-file}`` is the path name of a CA file in PEM format
containing X.509 CA certificates that will be used for validating a client
certificate presented by Prometheus during TLS handshake. Relative path names
are relative to the directory of the HMC credentials file. Ignored when using
HTTP. Default: Default CA certificates established by Python
`ssl.SSLContext.load_default_certs() <https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs>`_.

* ``{prom-verify-cert}`` is a boolean indicating whether a client certificate
will be required to be presented by Prometheus during TLS handshake and then
validated (mutual TLS, mTLS). If set to false, no client certificate will be
validated. Ignored when using HTTP. Default: true.

* ``{extra-label-name}`` is the label name.

* ``{extra-label-value}`` is the label value. The string value is used directly
Expand Down
8 changes: 8 additions & 0 deletions examples/hmccreds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,14 @@ metrics:
password: password
verify_cert: true

prometheus:
port: 9291
scheme: http
# server_cert_file: server_cert.pem
# server_key_file: server_key.pem
# ca_cert_file: ca_certs.pem
# verify_cert: true

extra_labels:
- name: hmc
value: "hmc_info['hmc-name']"
Expand Down
5 changes: 4 additions & 1 deletion minimum-constraints.txt
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,10 @@ wheel==0.38.1; python_version >= '3.7'

zhmcclient==1.9.1

prometheus-client==0.9.0
# TODO: Re-enable once PR https://github.com/prometheus/client_python/pull/946 is released as 0.18.0 (?)
# prometheus-client==0.9.0; python_version <= '3.7'
# prometheus-client==0.18.0; python_version >= '3.8'

urllib3==1.26.5
jsonschema==3.2.0
six==1.14.0; python_version <= '3.9'
Expand Down
7 changes: 6 additions & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,12 @@
# zhmcclient @ git+https://github.com/zhmcclient/python-zhmcclient.git@master
zhmcclient>=1.9.1

prometheus-client>=0.9.0
# TODO: Re-enable once PR https://github.com/prometheus/client_python/pull/946 is released as 0.18.0 (?)
# prometheus-client>=0.9.0; python_version <= '3.7'
# prometheus-client>=0.18.0; python_version >= '3.8'
prometheus-client @ git+https://github.com/karezachen/client_python.git@master


urllib3>=1.25.9; python_version <= '3.9'
urllib3>=1.26.5; python_version >= '3.10'
jsonschema>=3.2.0
Expand Down
2 changes: 1 addition & 1 deletion tests/test_all.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ def test_args_store(self):
def test_default_args(self):
"""Tests for all defaults."""
args = zhmc_prometheus_exporter.zhmc_prometheus_exporter.parse_args([])
self.assertEqual(args.p, "9291")
self.assertEqual(args.p, None)
self.assertEqual(args.c, "/etc/zhmc-prometheus-exporter/hmccreds.yaml")
self.assertEqual(args.m, "/etc/zhmc-prometheus-exporter/metrics.yaml")

Expand Down
24 changes: 24 additions & 0 deletions zhmc_prometheus_exporter/schemas/hmccreds_schema.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,30 @@ properties:
verify_cert:
description: "Controls whether and how the HMC certificate is verified. For details, see doc section 'HMC certificate'"
type: [boolean, string]
prometheus:
description: Communication with Prometheus
type: object
additionalProperties: false
properties:
port:
description: "Port for exporting."
type: integer
scheme:
description: "Scheme to be used."
type: string
enum: ['http', 'https']
server_cert_file:
description: "Path name of server certificate file."
type: string
server_key_file:
description: "Path name of private key file."
type: string
ca_cert_file:
description: "Path name of CA certificates file for validating the client certificate."
type: string
verify_cert:
description: "Indicates whether a client certificate will be required (mutual TLS)."
type: boolean
extra_labels:
description: "Additional Prometheus labels to be added to all metrics"
type: array
Expand Down
90 changes: 84 additions & 6 deletions zhmc_prometheus_exporter/zhmc_prometheus_exporter.py
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@

DEFAULT_CREDS_FILE = '/etc/zhmc-prometheus-exporter/hmccreds.yaml'
DEFAULT_METRICS_FILE = '/etc/zhmc-prometheus-exporter/metrics.yaml'
DEFAULT_PORT = 9291

EXPORTER_LOGGER_NAME = 'zhmcexporter'

Expand Down Expand Up @@ -202,6 +203,7 @@ def zhmc_exceptions(session, hmccreds_filename):

def parse_args(args):
"""Parses the CLI arguments."""

parser = argparse.ArgumentParser(
description="IBM Z HMC Exporter - a Prometheus exporter for metrics "
"from the IBM Z HMC")
Expand All @@ -216,8 +218,9 @@ def parse_args(args):
"Use --help-metrics for details. "
"Default: {}".format(DEFAULT_METRICS_FILE))
parser.add_argument("-p", metavar="PORT",
default="9291",
help="port for exporting. Default: 9291")
default=None,
help="port for exporting. Default: prometheus.port in "
"HMC credentials file")
parser.add_argument("--log", dest='log_dest', metavar="DEST", default=None,
help="enable logging and set a log destination "
"({dests}). Default: no logging".
Expand Down Expand Up @@ -284,6 +287,14 @@ def help_creds():
userid: myuser
password: mypassword
prometheus:
port: 9291
scheme: http
# server_cert_file: server_cert.pem
# server_key_file: server_key.pem
# ca_cert_file: ca_certs.pem
# verify_cert: true
extra_labels:
- name: pod
value: mypod
Expand Down Expand Up @@ -1802,12 +1813,79 @@ def main():
"Registering the collector and performing first collection")
REGISTRY.register(coll) # Performs a first collection

logprint(logging.INFO, PRINT_V,
"Starting the HTTP server on port {}".format(args.p))
start_http_server(int(args.p))
# Get the Prometheus communication parameters
prom_item = yaml_creds_content.get("prometheus", {})
config_port = prom_item.get("port", None)
scheme = prom_item.get("scheme", 'http')
if scheme == 'https':
prometheus_client_supports_https = sys.version_info[0:2] >= (3, 8)
if not prometheus_client_supports_https:
raise ImproperExit(
"Use of https requires Python 3.8 or higher.")
server_cert_file = prom_item.get("server_cert_file", None)
server_key_file = prom_item.get("server_key_file", None)
ca_cert_file = prom_item.get("ca_cert_file", None)
verify_cert = prom_item.get("verify_cert", True)
if not server_cert_file:
raise ImproperExit(
"server_cert_file not specified in HMC credentials file "
"when using https.")
if not server_key_file:
raise ImproperExit(
"server_key_file not specified in HMC credentials file "
"when using https.")
hmccreds_dir = os.path.dirname(hmccreds_filename)
if not os.path.isabs(server_cert_file):
server_cert_file = os.path.join(hmccreds_dir, server_cert_file)
if not os.path.isabs(server_key_file):
server_key_file = os.path.join(hmccreds_dir, server_key_file)
if ca_cert_file and not os.path.isabs(ca_cert_file):
ca_cert_file = os.path.join(hmccreds_dir, ca_cert_file)
else: # http
server_cert_file = None
server_key_file = None
ca_cert_file = None
verify_cert = True

port = int(args.p or config_port or DEFAULT_PORT)

if scheme == 'https':
logprint(logging.INFO, PRINT_V,
"Starting the server with HTTPS on port {}".format(port))
logprint(logging.INFO, PRINT_V,
"Server certificate file: {}".format(server_cert_file))
logprint(logging.INFO, PRINT_V,
"Server private key file: {}".format(server_key_file))
ca_str = ca_cert_file or "default"
logprint(logging.INFO, PRINT_V,
"CA certificates file: {}".format(ca_str))
# TODO: Change "Optional" to "Enforced" if prometheus-client
# decides to specify ssl.CERT_REQUIRED in PR
# https://github.com/prometheus/client_python/pull/946
verify_str = "Optional" if verify_cert else "Disabled"
logprint(logging.INFO, PRINT_V,
"Client certificate verfication: {}".format(verify_str))
else:
logprint(logging.INFO, PRINT_V,
"Starting the server with HTTP on port {}".format(port))

if scheme == 'https':
try:
start_http_server(
port=port,
certfile=server_cert_file,
keyfile=server_key_file,
cafile=ca_cert_file,
insecure_skip_verify=not verify_cert)
except IOError as exc:
raise ImproperExit(
"Issues with server certificate, key, or CA certificate "
"files: {}: {}".format(exc.__class__.__name__, exc))
else:
start_http_server(port=port)

logprint(logging.INFO, PRINT_ALWAYS,
"Exporter is up and running on port {}".format(args.p))
"Exporter is up and running on port {}".format(port))
while True:
try:
time.sleep(1)
Expand Down

0 comments on commit 1015aa6

Please sign in to comment.