Add support of TLS on `http.debug`
Summary
As part of an ongoing effort throughout GitLab, we would like to see the Prometheus metrics endpoint be capable of TLS, as we look to end-to-end encryption for application components in distributed environments. In order to do this, we need `http.debug.tls` to be implemented.
Details
The current design of the Prometheus metrics within the Container Registry is that they are only served over the `http.debug` listener, when `http.debug.prometheus.enabled` is set to `true`. Currently, there is no means to configure this listener to serve TLS requests, as can be done for the primary service via `http.tls`. We request that TLS support be implemented on the `http.debug` listener.

An alternative may be to implement a dedicated Prometheus / metrics listener, which would also require TLS functionality.
Proposal
Implement a structure of settings mirroring `http.tls` under `http.debug.tls`, enabling the `http.debug` listener to serve TLS on `http.debug.addr` as the primary listener does on `http.addr`.

- If `http.tls` is provided but `http.debug.tls` is not, the debug listener inherits the `http.tls` settings, easily enabling TLS.
- If `http.debug.tls` is provided, it takes precedence over any value within `http.tls`.

The logic is that the debug listener, and thus the metrics endpoint, may need to serve traffic on a different FQDN, and therefore a different certificate CN/SAN, than the primary service.
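The precedence rule above, written out as an added Go example (not registry code): `TLSSettings`, `HTTPConfig` and `ResolveDebugTLS` are assumed names modelling the relevant config keys, and the rejection of a half-filled TLS section (certificate without key, or vice versa) is an added check rather than anything this proposal specifies.

```go
package main

import (
	"errors"
	"fmt"
)

// TLSSettings mirrors the fields an operator sets under http.tls.
// Assumed model; http.debug.tls is the proposed key, not a shipped option.
type TLSSettings struct {
	Certificate string
	Key         string
}

// Enabled reports whether the section was fully configured.
// Safe to call on a nil pointer, which means "section absent".
func (t *TLSSettings) Enabled() bool {
	return t != nil && t.Certificate != "" && t.Key != ""
}

// partial reports a section with only one of certificate/key set.
func (t *TLSSettings) partial() bool {
	return t != nil && (t.Certificate != "") != (t.Key != "")
}

// HTTPConfig is a stripped-down model of the registry's `http` section.
type HTTPConfig struct {
	Addr  string
	TLS   *TLSSettings
	Debug struct {
		Addr string
		TLS  *TLSSettings // proposed http.debug.tls
	}
}

var ErrPartialTLS = errors.New("tls section needs both certificate and key")

// ResolveDebugTLS applies the proposal's rule: an explicit http.debug.tls
// wins; otherwise http.tls is inherited; with neither, the debug listener
// stays plaintext (nil). A half-filled section is an error rather than a
// silent fallback, so a typo cannot quietly reuse the primary certificate.
func ResolveDebugTLS(c HTTPConfig) (*TLSSettings, string, error) {
	if c.Debug.TLS.partial() {
		return nil, "", fmt.Errorf("http.debug.tls: %w", ErrPartialTLS)
	}
	if c.TLS.partial() {
		return nil, "", fmt.Errorf("http.tls: %w", ErrPartialTLS)
	}
	switch {
	case c.Debug.TLS.Enabled():
		return c.Debug.TLS, "http.debug.tls", nil
	case c.TLS.Enabled():
		return c.TLS, "http.tls (inherited)", nil
	default:
		return nil, "none", nil
	}
}
```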