rhelemeter-server

command
v0.0.0-...-18e1ab8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 28, 2024 License: Apache-2.0 Imports: 32 Imported by: 0

README

Rhelemeter

Rhelemeter is a Prometheus remote write forward proxy. It allows RHEL hosts or an intermediate proxy to push metrics to a upstream Prometheus (or Prometheus remote write compatible) endpoint.

rhelemeter-server needs to receive and send metrics across security boundaries, and thus performs additional authorization and data integrity checks as required.

Architecture

C4Deployment
    title rhelemeter-server

    Deployment_Node(rhel-os, "RHEL OS VM", ""){
        Container(rhel, "Prometheus Remote Write Client", "", "Writes host OS based metrics.")
    }

    Deployment_Node(proxy, "Intermediate Proxy", ""){
        Container(remote-write-proxy, "mTLS auth proxy", "", "Validates client certificate and forwards contents as header")
    }
        
    Deployment_Node(rhelemeter, "rhelemeter-server", "Running in Red Hat infrastructure"){
        Container(rhelemeter-server, "rhelemeter-server", "", "Validates sender and request contents and forwards upstream or rejects.")
    }
        
    Deployment_Node(observatorium, "observatorium", ""){
        Container(observatorium, "observatorium-api", "", "Performs authz and ingests metrics")
    }
        
    Deployment_Node(sso, "SSO", "") {
        Container(rh-sso, "Red Hat SSO", "", "Issues and validates tokens")
    }
        

    Rel(rhel, remote-write-proxy, "Remote writes to", "")
    Rel(remote-write-proxy, rhelemeter-server, "Forwards requests to", "")
    Rel(rhelemeter-server, observatorium, "Forwards requests to", "")
    Rel_R(rhelemeter-server, rh-sso, "Fetches token from")
    Rel_R(observatorium, rh-sso, "Validates token with")

    UpdateRelStyle(rhel, remote-write-proxy, $offsetX="-40", $offsetY="-30")   
    UpdateRelStyle(remote-write-proxy, rhelemeter-server, $offsetY="-40")
    UpdateRelStyle(rhelemeter-server, observatorium, $offsetY="-20", $offsetX="-50")
    UpdateRelStyle(api, rh-sso, $offsetX="-40", $offsetY="-20")
    UpdateRelStyle(observatorium, rh-sso, $offsetY="+40")

Overview

The server on startup fetches a token from the configured authorization server and uses that to forward requests to the upstream remote write endpoint. Tokens are refreshed automatically when they expire.

The server supports two modes of operation:

Intermediate auth proxy

This is the flow described in the diagram above. The proxy is responsible for validating the client certificate and forwarding the contents of the request as a headers. The server then validates the header using a pre-shared key and forwards the request to the upstream as configured.

The client-info-data-file flag is used to specify the header names used to extract client info data.

Optionally, the client-info-subject-label flag can be used to specify a label name to store the client subject. If present, the labels value on each time series much match the common name as forwarded by the proxy. If set, the server expects the header to be present in the following format where x-rh-certauth-cn is configurable as described above:

x-rh-certauth-cn:  ${Certificate Subject}  
// Example  Certificate Subject ->  "/O = 1234567, /CN = 1234567-9b7c-48f6-8d5b-7654321```
mTLS

The server is responsible for validating and decoding the client certificate and determining the client identity.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.