feat(config/server): Add option to deploy a HTTP server for the metri…

…cs endpoint Signed-off-by: Anna Simon <asimon@mercari.com>
falcosecurity · Jul 20, 2023 · 6c14b02 · 6c14b02
1 parent 714e4bf
commit 6c14b02
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 7 deletions.
diff --git a/config.go b/config.go
@@ -58,6 +58,8 @@ func getConfig() *types.Configuration {
 	v.SetDefault("TLSServer.KeyFile", "/etc/certs/server/server.key")
 	v.SetDefault("TLSServer.MutualTLS", false)
 	v.SetDefault("TLSServer.CaCertFile", "/etc/certs/server/ca.crt")
+	v.SetDefault("TLSServer.MetricsHTTP", false)
+	v.SetDefault("TLSServer.MetricsPort", 2802)
 
 	v.SetDefault("Slack.WebhookURL", "")
 	v.SetDefault("Slack.Footer", "https://github.com/falcosecurity/falcosidekick")

diff --git a/config_example.yaml b/config_example.yaml
@@ -19,6 +19,8 @@ tlsserver:
   keyfile: "/etc/certs/server/server.key" # server key
   mutualtls: false # if true, mTLS server will be deployed instead of TLS, deploy also has to be true
   cacertfile: "/etc/certs/server/ca.crt" # for client certification if mutualtls is true
+  metricshttp: false # if true, a separate http server will be deployed for the Prometheus metrics endpoint
+  metricsport: 2802 # port to serve metrics http server if deployed (default: 2802)
 
 
 slack:

diff --git a/main.go b/main.go
@@ -767,8 +767,31 @@ func main() {
 			log.Printf("[DEBUG] : running TLS server")
 		}
 
-		if err := server.ListenAndServeTLS(config.TLSServer.CertFile, config.TLSServer.KeyFile); err != nil {
-			log.Fatalf("[ERROR] : %v", err.Error())
+		if config.TLSServer.MetricsHTTP {
+			if config.Debug {
+				log.Printf("[DEBUG] : running HTTP server for /metrics endpoint")
+			}
+
+			metricsServeMux := http.NewServeMux()
+			metricsServeMux.Handle("/metrics", promhttp.Handler())
+
+			metricsServer := &http.Server{
+				Addr:    fmt.Sprintf("%s:%d", config.ListenAddress, 2802),
+				Handler: metricsServeMux,
+				// Timeouts
+				ReadTimeout:       60 * time.Second,
+				ReadHeaderTimeout: 60 * time.Second,
+				WriteTimeout:      60 * time.Second,
+				IdleTimeout:       60 * time.Second,
+			}
+			errs := make(chan error, 1)
+			go serveTLS(server, errs)
+			go serveHTTP(metricsServer, errs)
+			log.Fatal(<-errs)
+		} else {
+			if err := server.ListenAndServeTLS(config.TLSServer.CertFile, config.TLSServer.KeyFile); err != nil {
+				log.Fatalf("[ERROR] : %v", err.Error())
+			}
 		}
 	} else {
 		if config.Debug {
@@ -779,8 +802,20 @@ func main() {
 			log.Printf("[WARN] : tlsserver.deploy is false but tlsserver.mutualtls is true, change tlsserver.deploy to true to use mTLS")
 		}
 
+		if config.TLSServer.MetricsHTTP {
+			log.Printf("[WARN] : tlsserver.deploy is false but tlsserver.metricshttp is true, change tlsserver.deploy to true to use TLS")
+		}
+
 		if err := server.ListenAndServe(); err != nil {
 			log.Fatalf("[ERROR] : %v", err.Error())
 		}
 	}
 }
+
+func serveTLS(server *http.Server, errs chan<- error) {
+	errs <- server.ListenAndServeTLS(config.TLSServer.CertFile, config.TLSServer.KeyFile)
+}
+
+func serveHTTP(server *http.Server, errs chan<- error) {
+	errs <- server.ListenAndServe()
+}
diff --git a/types/types.go b/types/types.go
@@ -116,11 +116,13 @@ type MutualTLSClient struct {
 
 // TLSServer represents parameters for TLS Server
 type TLSServer struct {
-	Deploy     bool
-	CertFile   string
-	KeyFile    string
-	MutualTLS  bool
-	CaCertFile string
+	Deploy      bool
+	CertFile    string
+	KeyFile     string
+	MutualTLS   bool
+	CaCertFile  string
+	MetricsHTTP bool
+	MetricsPort int
 }
 
 // SlackOutputConfig represents parameters for Slack