All metrics data must be encrypted in transit to ensure security. The monitoring component of Google Distributed Cloud (GDC) air-gapped appliance provides in-transit encryption and authentication through mutual Transport Layer Security (mTLS). The mTLS method verifies the identity of both parties in a network connection, confirming they are who they claim to be.
This page explains how to set up mTLS for your metrics server.
Before you begin
To manage MonitoringTarget custom resources, request the necessary permissions from your administrator.
Required IAM roles
Contact your Project IAM Admin to request the following roles:
- MonitoringTarget Creator (monitoringtarget-creator): create MonitoringTarget custom resources in the project namespace.
- MonitoringTarget Editor (monitoringtarget-editor): edit or delete MonitoringTarget custom resources in the project namespace.
- MonitoringTarget Viewer (monitoringtarget-viewer): view MonitoringTarget custom resources in the project namespace.
After obtaining the necessary permissions, complete these steps before enabling metrics encryption:
- Deploy your metrics server.
- Collect metrics from your workloads.
- Ensure your MonitoringTarget custom resource shows a Ready status, like in the following example:

apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
[...]
status:
  conditions:
  - lastTransitionTime: "2023-10-27T15:27:51Z"
    message: ""
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready

- Query and view metrics on dashboards to confirm that your metrics server is sending the expected data.
Mount the certificate
Your workload needs to use a certificate that is automatically generated when
you enable mTLS on the MonitoringTarget custom resource. The certificate is
stored in a Secret named after that resource. Add a volume and volume mount
for this certificate using the following template. Because the volume
references a Secret, the pod's containers don't start until that Secret
exists.
apiVersion: apps/v1
kind: Deployment # or StatefulSet
metadata:
  name: "SERVICE_NAME"
spec:
  template:
    spec:
      containers:
      - name: "CONTAINER_NAME"
        volumeMounts:
        - mountPath: "/etc/ssl/MONITORING_TARGET_NAME-cert"
          name: "MONITORING_TARGET_NAME-cert"
          readOnly: true
      volumes:
      - name: "MONITORING_TARGET_NAME-cert"
        secret:
          secretName: "MONITORING_TARGET_NAME-cert"
[...]
Replace the following:
- SERVICE_NAME: the name of your Deployment or StatefulSet object.
- CONTAINER_NAME: the name of the container where you are adding the volume mount.
- MONITORING_TARGET_NAME: the name of your MonitoringTarget custom resource. The secret name is based on this name. For example, a my-mon-target resource creates a my-mon-target-cert secret.
Serve metrics
Your metrics server must serve metrics from an mTLS-enabled HTTP server: one that presents the mounted certificate and requires the scraper to present a client certificate in return. How you enable that endpoint depends on whether you control the application's source code:
- For applications you own: modify the source code to support mTLS and configure the metrics server with the mounted certificate.
- For applications you don't own: consult the application's documentation to enable an HTTPS metrics endpoint, then apply the necessary configuration, like command-line arguments or a config file, to point it at the mounted certificate.
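What "modify the source code to support mTLS" looks like for a Go exporter, as an added example that is not code from the GDC documentation or from the appliance: mtlsConfig sets ClientAuth to RequireAndVerifyClientCert so the server both presents the mounted certificate and refuses any scraper that cannot present a certificate issued by the monitoring CA, and LoadMTLSConfig reads that material from the template's mount path. The file names tls.crt, tls.key and ca.crt inside the secret are assumptions, not something this page states; confirm them against the generated secret. RunDemo stands in for the appliance with a CA and certificates constructed in memory, so the program runs offline and shows a certificate-holding scraper getting 200 while a scraper with no certificate fails the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// mtlsConfig is the essential part: present the server certificate AND require a
// client certificate chaining to caPool. The zero ClientAuth is plain HTTPS, not mTLS.
func mtlsConfig(serverCert tls.Certificate, caPool *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    caPool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
}

// LoadMTLSConfig reads the secret the Deployment template mounts at
// /etc/ssl/MONITORING_TARGET_NAME-cert. The file names tls.crt, tls.key and ca.crt
// are an ASSUMPTION for this example: check the keys of the generated secret.
func LoadMTLSConfig(dir string) (*tls.Config, error) {
	cert, err := tls.LoadX509KeyPair(dir+"/tls.crt", dir+"/tls.key")
	caPEM, readErr := os.ReadFile(dir + "/ca.crt")
	pool := x509.NewCertPool()
	if err != nil || readErr != nil || !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("loading mTLS material from %s: %v %v", dir, err, readErr)
	}
	return mtlsConfig(cert, pool), nil
}

// metricsHandler serves one constructed sample labelled with the scraper identity
// the handshake already verified (PeerCertificates is never empty here).
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	fmt.Fprintf(w, "example_scrapes_total{client=%q} 1\n", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// issueCert is a test helper: a P-256 leaf signed by parent, or a self-signed CA when isCA is set.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return leaf, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// scrape does one GET against the endpoint, optionally presenting a client certificate.
func scrape(url string, ca *x509.CertPool, clientCert *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: ca}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunDemo runs the mTLS server under a constructed CA: status for a CA-issued scraper, rejection for none.
func RunDemo() (authStatus int, anonRejected bool, err error) {
	ca, caKey, _ := issueCert("example-ca", true, nil, nil)
	_, _, serverTLS := issueCert("metrics-server", false, ca, caKey)
	_, _, clientTLS := issueCert("scraper", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(metricsHandler))
	srv.TLS = mtlsConfig(serverTLS, pool)
	srv.StartTLS()
	defer srv.Close()
	if authStatus, err = scrape(srv.URL+"/metrics", pool, &clientTLS); err != nil {
		return 0, false, err
	}
	_, anonErr := scrape(srv.URL+"/metrics", pool, nil)
	return authStatus, anonErr != nil, nil
}
```

In a real exporter, pass the result of LoadMTLSConfig as the TLSConfig of an http.Server and start it with ListenAndServeTLS("", ""), which takes the certificate from TLSConfig.Certificates instead of from files. The check that matters in review is ClientAuth: a server that only sets Certificates is HTTPS with server authentication, and any unauthenticated client on the network can scrape it.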
Enable mTLS metrics collection
Add the following label to the metadata section of your MonitoringTarget
custom resource to enable the collection of encrypted metrics:
monitoring.gdc.goog/enable-mtls: "true"
The custom resource must look like the following example:
apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
metadata:
  namespace: my-project-namespace
  name: "SERVICE_NAME"
  labels:
    monitoring.gdc.goog/enable-mtls: "true" # Enable mTLS metrics collection
spec:
[...]
To verify that mTLS is enabled, check that your MonitoringTarget custom
resource reports the Ready, CertificateReady, and CertificateSecretReady
conditions with status "True", like in the following example:
apiVersion: monitoring.gdc.goog/v1
kind: MonitoringTarget
[...]
status:
  conditions:
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "admin,user-vm-1,user-vm-2,org-1-system"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: Ready
  - lastTransitionTime: "2023-11-09T11:14:43Z"
    message: "Certificate is ready"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateReady
  - lastTransitionTime: "2023-11-09T11:15:10Z"
    message: "Successfully created secret"
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: CertificateSecretReady