authorAlexey Efimov <xeno@prnwatch.com>2022-05-23 20:19:46 +0300
committerAlexey Efimov <xeno@prnwatch.com>2022-05-23 20:19:46 +0300
commit9dd615edaba4dfedb926ab0cd2a8c815c1f1941b (patch)
tree1a85fd2901d789b00c92bd90881c29979468554d
parent5ceeb213cb4dfda5141c188bf6578309fe6da570 (diff)
downloadydb-9dd615edaba4dfedb926ab0cd2a8c815c1f1941b.tar.gz
add https support to builtin monitoring KIKIMR-14868
ref:1350d4933ca320aa0d84b8e7aac2a1e957942567
-rw-r--r--library/cpp/actors/http/http_proxy_acceptor.cpp5
-rw-r--r--ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp10
-rw-r--r--ydb/core/driver_lib/run/config_parser.cpp2
-rw-r--r--ydb/core/driver_lib/run/config_parser.h1
-rw-r--r--ydb/core/driver_lib/run/run.cpp6
-rw-r--r--ydb/core/mon/async_http_mon.cpp2
-rw-r--r--ydb/core/mon/mon.h1
-rw-r--r--ydb/core/protos/config.proto2
-rw-r--r--ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp10
-rw-r--r--ydb/services/persqueue_v1/persqueue_ut.cpp8
10 files changed, 41 insertions, 6 deletions
diff --git a/library/cpp/actors/http/http_proxy_acceptor.cpp b/library/cpp/actors/http/http_proxy_acceptor.cpp
index f73c239780..c44921fe0c 100644
--- a/library/cpp/actors/http/http_proxy_acceptor.cpp
+++ b/library/cpp/actors/http/http_proxy_acceptor.cpp
@@ -66,10 +66,11 @@ protected:
if (err == 0) {
err = Socket->Socket.Bind(bindAddress.get());
}
+ TStringBuf schema = Endpoint->Secure ? "https://" : "http://";
if (err == 0) {
err = Socket->Socket.Listen(LISTEN_QUEUE);
if (err == 0) {
- LOG_INFO_S(ctx, HttpLog, "Listening on " << bindAddress->ToString());
+ LOG_INFO_S(ctx, HttpLog, "Listening on " << schema << bindAddress->ToString());
SetNonBlock(Socket->Socket);
ctx.Send(Poller, new NActors::TEvPollerRegister(Socket, SelfId(), SelfId()));
TBase::Become(&TAcceptorActor::StateListening);
@@ -77,7 +78,7 @@ protected:
return;
}
}
- LOG_WARN_S(ctx, HttpLog, "Failed to listen on " << bindAddress->ToString() << " - retrying...");
+ LOG_WARN_S(ctx, HttpLog, "Failed to listen on " << schema << bindAddress->ToString() << " - retrying...");
ctx.ExecutorThread.Schedule(TDuration::Seconds(1), event.Release());
}
diff --git a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
index fbf3c7dadf..4a1962986f 100644
--- a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
+++ b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp
@@ -46,6 +46,7 @@ protected:
ui32 MonitoringPort;
TString MonitoringAddress;
ui32 MonitoringThreads;
+ TString MonitoringCertificateFile;
TString RestartsCountFile;
TString TracePath;
size_t CompileInflightLimit; // MiniKQLCompileService
@@ -186,6 +187,7 @@ protected:
.RequiredArgument("NUM").StoreResult(&TenantNetwork);
config.Opts->AddLongOption("mon-port", "Monitoring port").OptionalArgument("NUM").StoreResult(&MonitoringPort);
config.Opts->AddLongOption("mon-address", "Monitoring address").OptionalArgument("ADDR").StoreResult(&MonitoringAddress);
+ config.Opts->AddLongOption("mon-cert", "Monitoring certificate (https)").OptionalArgument("PATH").StoreResult(&MonitoringCertificateFile);
config.Opts->AddLongOption("mon-threads", "Monitoring http server threads").RequiredArgument("NUM").StoreResult(&MonitoringThreads);
config.Opts->AddLongOption("suppress-version-check", "Suppress version compatibility checking via IC").NoArgument();
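Review bot: `--mon-cert` is declared with `OptionalArgument("PATH")`, so it can be passed without a value; the path then presumably stays empty, the `if (MonitoringCertificateFile)` check added further down in this file is false, and monitoring comes up over plain HTTP with no error. For an option whose purpose is to turn on TLS, `.RequiredArgument("PATH")` fails closed instead. The same declaration is added in config_parser.cpp. The help string could also say what the file must contain, for example `"Path to PEM file for monitoring HTTPS"`; whether the private key is expected in the same file is not stated anywhere in this commit.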
@@ -550,6 +552,14 @@ protected:
AppConfig.MutableMonitoringConfig()->SetMonitoringPort(MonitoringPort);
if (MonitoringAddress)
AppConfig.MutableMonitoringConfig()->SetMonitoringAddress(MonitoringAddress);
+ if (MonitoringCertificateFile) {
+ TString sslCertificate = TUnbufferedFileInput(MonitoringCertificateFile).ReadAll();
+ if (!sslCertificate.empty()) {
+ AppConfig.MutableMonitoringConfig()->SetMonitoringCertificate(sslCertificate);
+ } else {
+ ythrow yexception() << "invalid ssl certificate file";
+ }
+ }
if (SqsHttpPort)
RunConfig.AppConfig.MutableSqsConfig()->MutableHttpServerConfig()->SetPort(SqsHttpPort);
if (GRpcPort) {
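Review bot: The file's contents, not its path, are copied into `AppConfig` through `SetMonitoringCertificate`. Only a certificate option and no separate key option is added, so the PEM presumably carries the private key as well, and it would then be exposed wherever `AppConfig` is logged, dumped or forwarded. The commit also adds `MonitoringCertificateFile` to the proto and run.cpp reads it at start-up, so storing the path keeps key material out of the config: `AppConfig.MutableMonitoringConfig()->SetMonitoringCertificateFile(MonitoringCertificateFile);`. If the contents are kept, the exception text should name the file, e.g. `ythrow yexception() << "empty ssl certificate file: " << MonitoringCertificateFile;`. The enclosing function starts and ends outside the hunk.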
diff --git a/ydb/core/driver_lib/run/config_parser.cpp b/ydb/core/driver_lib/run/config_parser.cpp
index a5f94ba124..fc3ab1e96e 100644
--- a/ydb/core/driver_lib/run/config_parser.cpp
+++ b/ydb/core/driver_lib/run/config_parser.cpp
@@ -250,6 +250,7 @@ void TRunCommandConfigParser::ParseRunOpts(int argc, char **argv) {
opts.AddLongOption("proxy", "Bind to proxy(-ies)").RequiredArgument("ADDR").AppendTo(&RunOpts.ProxyBindToProxy);
opts.AddLongOption("mon-port", "Monitoring port").OptionalArgument("NUM").StoreResult(&RunOpts.MonitoringPort);
opts.AddLongOption("mon-address", "Monitoring address").OptionalArgument("ADDR").StoreResult(&RunOpts.MonitoringAddress);
+ opts.AddLongOption("mon-cert", "Monitoring certificate (https)").OptionalArgument("PATH").StoreResult(&RunOpts.MonitoringCertificateFile);
opts.AddLongOption("mon-threads", "Monitoring http server threads").RequiredArgument("NUM").StoreResult(&RunOpts.MonitoringThreads);
SetupLastGetOptForConfigFiles(opts);
@@ -353,6 +354,7 @@ void TRunCommandConfigParser::ApplyParsedOptions() {
Config.AppConfig.MutableMonitoringConfig()->SetMonitoringPort(RunOpts.MonitoringPort);
Config.AppConfig.MutableMonitoringConfig()->SetMonitoringAddress(RunOpts.MonitoringAddress);
Config.AppConfig.MutableMonitoringConfig()->SetMonitoringThreads(RunOpts.MonitoringThreads);
+ Config.AppConfig.MutableMonitoringConfig()->SetMonitoringCertificate(TUnbufferedFileInput(RunOpts.MonitoringCertificateFile).ReadAll());
Config.AppConfig.MutableRestartsCountConfig()->SetRestartsCountFile(RunOpts.RestartsCountFile);
}
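Review bot: `TUnbufferedFileInput(RunOpts.MonitoringCertificateFile).ReadAll()` runs unconditionally on the added line, so when `--mon-cert` is not given the code tries to open an empty path, which presumably throws and stops start-up for every deployment that does not use HTTPS, unless a guard outside the hunk prevents it. cli_cmds_server.cpp guards the same read with `if (MonitoringCertificateFile)` and rejects an empty file; this path should do the same by wrapping the call in `if (RunOpts.MonitoringCertificateFile) { ... }`. The start of `ApplyParsedOptions` is outside the hunk.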
diff --git a/ydb/core/driver_lib/run/config_parser.h b/ydb/core/driver_lib/run/config_parser.h
index 5825ec6c49..b32b7de76b 100644
--- a/ydb/core/driver_lib/run/config_parser.h
+++ b/ydb/core/driver_lib/run/config_parser.h
@@ -48,6 +48,7 @@ protected:
TVector<ui64> ProxyBindToProxy;
ui32 MonitoringPort;
TString MonitoringAddress;
+ TString MonitoringCertificateFile;
ui32 MonitoringThreads;
TString RestartsCountFile;
bool StartTracingBusProxy;
diff --git a/ydb/core/driver_lib/run/run.cpp b/ydb/core/driver_lib/run/run.cpp
index 359c2098c8..460393345a 100644
--- a/ydb/core/driver_lib/run/run.cpp
+++ b/ydb/core/driver_lib/run/run.cpp
@@ -350,6 +350,10 @@ void TKikimrRunner::InitializeMonitoring(const TKikimrRunConfig& runConfig, bool
monConfig.Title = appConfig.HasMonitoringConfig() ? appConfig.GetMonitoringConfig().GetMonitoringCaption() : "YDB Monitoring";
monConfig.Threads = appConfig.GetMonitoringConfig().GetMonitoringThreads();
monConfig.Address = appConfig.GetMonitoringConfig().GetMonitoringAddress();
+ monConfig.Certificate = appConfig.GetMonitoringConfig().GetMonitoringCertificate();
+ if (appConfig.GetMonitoringConfig().HasMonitoringCertificateFile()) {
+ monConfig.Certificate = TUnbufferedFileInput(appConfig.GetMonitoringConfig().GetMonitoringCertificateFile()).ReadAll();
+ }
monConfig.RedirectMainPageTo = appConfig.GetMonitoringConfig().GetRedirectMainPageTo();
if (includeHostName) {
if (appConfig.HasNameserviceConfig() && appConfig.GetNameserviceConfig().NodeSize() > 0) {
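Review bot: An empty `MonitoringCertificateFile` fails open: `ReadAll()` returns an empty string, `monConfig.Certificate` is overwritten with it, and async_http_mon.cpp then sets `Secure = !Config.Certificate.empty()`, so monitoring starts on plain HTTP even though TLS was configured. The file also silently replaces an inline `MonitoringCertificate` when both are set. Rejecting the empty case keeps the behaviour consistent with cli_cmds_server.cpp, e.g. `if (monConfig.Certificate.empty()) ythrow yexception() << "empty monitoring certificate file";` inside the new `if`. `InitializeMonitoring` continues outside the hunk.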
@@ -939,7 +943,7 @@ void TKikimrRunner::InitializeAppData(const TKikimrRunConfig& runConfig)
if (runConfig.AppConfig.GetBootstrapConfig().HasEnableIntrospection())
AppData->EnableIntrospection = runConfig.AppConfig.GetBootstrapConfig().GetEnableIntrospection();
-
+
TAppDataInitializersList appDataInitializers;
// setup domain info
appDataInitializers.AddAppDataInitializer(new TDomainsInitializer(runConfig));
diff --git a/ydb/core/mon/async_http_mon.cpp b/ydb/core/mon/async_http_mon.cpp
index 3cd0fba615..835bb094bd 100644
--- a/ydb/core/mon/async_http_mon.cpp
+++ b/ydb/core/mon/async_http_mon.cpp
@@ -678,6 +678,8 @@ void TAsyncHttpMon::Start(TActorSystem* actorSystem) {
"text/javascript",
"application/json",
};
+ addPort->SslCertificatePem = Config.Certificate;
+ addPort->Secure = !Config.Certificate.empty();
ActorSystem->Send(HttpProxyActorId, addPort.release());
ActorSystem->Send(HttpProxyActorId, new NHttp::TEvHttpProxy::TEvRegisterHandler("/", HttpMonServiceActorId));
ActorSystem->Send(HttpProxyActorId, new NHttp::TEvHttpProxy::TEvRegisterHandler("/node", NodeProxyServiceActorId));
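Review bot: Whether the listener uses TLS is decided only by `!Config.Certificate.empty()`, and this is the only consumer of `Config.Certificate` in the commit. If another `TMon` implementation can be selected (the tests construct `NActors::TSyncHttpMon` with what looks like the same config), a configured certificate would presumably be ignored there and the pages served over plain HTTP without any warning; that is worth confirming, and then either rejecting or logging. A short comment above the two assignments would help, such as `// TLS is enabled iff a PEM certificate was supplied`. `Start` continues outside the hunk.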
diff --git a/ydb/core/mon/mon.h b/ydb/core/mon/mon.h
index 976c2ee748..822db0fcdc 100644
--- a/ydb/core/mon/mon.h
+++ b/ydb/core/mon/mon.h
@@ -28,6 +28,7 @@ public:
TRequestAuthorizer Authorizer = DefaultAuthorizer;
TVector<TString> AllowedSIDs;
TString RedirectMainPageTo;
+ TString Certificate;
};
virtual ~TMon() = default;
diff --git a/ydb/core/protos/config.proto b/ydb/core/protos/config.proto
index bfc21abcf9..e132127487 100644
--- a/ydb/core/protos/config.proto
+++ b/ydb/core/protos/config.proto
@@ -499,6 +499,8 @@ message TMonitoringConfig {
optional string ProcessLocation = 11;
optional string AllowOrigin = 12;
optional string RedirectMainPageTo = 13 [default = "monitoring/"];
+ optional string MonitoringCertificate = 14;
+ optional string MonitoringCertificateFile = 15;
}
message TRestartsCountConfig {
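Review bot: The two new fields are undocumented, and their relationship is only discoverable from run.cpp, where the file overrides the inline value. Suggested comments: `// PEM contents; non-empty enables HTTPS on the monitoring port` on `MonitoringCertificate` and `// path to a PEM file, read at start-up; overrides MonitoringCertificate` on `MonitoringCertificateFile`. If the PEM is expected to include the private key, the inline field puts key material into the config message, which is worth stating here as well.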
diff --git a/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp b/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
index db11350c10..2a4aed1fc7 100644
--- a/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
+++ b/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
@@ -14,7 +14,7 @@
#include <ydb/library/persqueue/topic_parser/topic_parser.h>
#include <library/cpp/testing/unittest/tests_data.h>
-#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/testing/unittest/registar.h>
#include <library/cpp/json/json_reader.h>
#include <util/string/join.h>
@@ -331,7 +331,13 @@ namespace NKikimr::NPersQueueTests {
const auto monPort = TPortManager().GetPort();
auto Counters = server.CleverServer->GetGRpcServerRootCounters();
- NActors::TSyncHttpMon Monitoring({monPort, "localhost", 3, "root", "localhost", {}, {}, {}});
+ NActors::TSyncHttpMon Monitoring({
+ .Port = monPort,
+ .Address = "localhost",
+ .Threads = 3,
+ .Title = "root",
+ .Host = "localhost",
+ });
Monitoring.RegisterCountersPage("counters", "Counters", Counters);
Monitoring.Start();
diff --git a/ydb/services/persqueue_v1/persqueue_ut.cpp b/ydb/services/persqueue_v1/persqueue_ut.cpp
index 2485ec5616..9fedc4d662 100644
--- a/ydb/services/persqueue_v1/persqueue_ut.cpp
+++ b/ydb/services/persqueue_v1/persqueue_ut.cpp
@@ -1752,7 +1752,13 @@ Y_UNIT_TEST_SUITE(TPersQueueTest) {
const auto monPort = TPortManager().GetPort();
auto Counters = server.CleverServer->GetGRpcServerRootCounters();
- NActors::TSyncHttpMon Monitoring({monPort, "localhost", 3, "root", "localhost", {}, {}, {}});
+ NActors::TSyncHttpMon Monitoring({
+ .Port = monPort,
+ .Address = "localhost",
+ .Threads = 3,
+ .Title = "root",
+ .Host = "localhost",
+ });
Monitoring.RegisterCountersPage("counters", "Counters", Counters);
Monitoring.Start();