Encrypt metrics from your applications

All metrics data must be encrypted in transit to ensure security. The monitoring component of Google Distributed Cloud (GDC) air-gapped provides in-transit encryption and authentication through mutual Transport Layer Security (mTLS). The mTLS method verifies the identity of both parties in a network connection, confirming they are who they claim to be.

This page explains how to set up mTLS for your metrics server.

Before you begin

To get the permissions that you need to manage MonitoringTarget custom resources, ask your Organization IAM Admin or Project IAM Admin to grant you one of the associated MonitoringTarget roles.

Depending on the level of access and permissions you need, you might obtain creator, editor, or viewer roles for this resource in an organization or a project. For more information, see Prepare IAM permissions.

After obtaining the necessary permissions, complete these steps before enabling metrics encryption:

  1. Deploy your metrics server.
  2. Collect metrics from your workloads.
  3. Ensure your MonitoringTarget custom resource shows a Ready status, like in the following example:

      apiVersion: monitoring.gdc.goog/v1
      kind: MonitoringTarget
      [...]
      status:
        conditions:
        - lastTransitionTime: "2023-10-27T15:27:51Z"
          message: ""
          observedGeneration: 1
          reason: Ready
          status: True
          type: Ready
    
  4. Query and view metrics on dashboards to confirm that your metrics server is sending the expected data.

Mount the certificate

Your workload needs to use a certificate that is automatically generated when you enable mTLS on the MonitoringTarget custom resource. Add a volume and volume mount for this certificate using the following template:

  apiVersion: apps/v1
  kind: Deployment  # or StatefulSet
  metadata:
    name: "SERVICE_NAME"
  spec:
    template:
      spec:
        containers:
        - name: "CONTAINER_NAME"
          volumeMounts:
          - mountPath: "/etc/ssl/MONITORING_TARGET_NAME-cert"
            name: "MONITORING_TARGET_NAME-cert"
            readOnly: true
        volumes:
        - name: "MONITORING_TARGET_NAME-cert"
          secret:
            secretName: "MONITORING_TARGET_NAME-cert"
  [...]
 

Replace the following:

  • SERVICE_NAME: the name of your Deployment or StatefulSet object.
  • CONTAINER_NAME: the name of the container where you are adding the volume mount.
  • MONITORING_TARGET_NAME: the name of your MonitoringTarget custom resource. The secret name is derived from this name. For example, a my-mon-target resource creates a secret named my-mon-target-cert.

Serve metrics

Your metrics server must serve metrics from an mTLS-enabled HTTP server. How you enable this depends on which of the following two scenarios applies:

  • For applications you own: Modify the source code to support mTLS and configure the metrics server with the mTLS certificate.
  • For applications you don't own: Consult the application's documentation to enable an HTTPS metrics endpoint. Apply the necessary configuration, like configuring command-line arguments or deploying a config file.

Enable mTLS metrics collection

Add the following label to the metadata section of your MonitoringTarget custom resource to enable the collection of encrypted metrics:

  monitoring.gdc.goog/enable-mtls: "true"

The custom resource must look like the following example:

  apiVersion: monitoring.gdc.goog/v1
  kind: MonitoringTarget
  metadata:
    namespace: my-project-namespace
    name: "SERVICE_NAME"
    labels:
      monitoring.gdc.goog/enable-mtls: "true"  # Enable mTLS metrics collection
  spec:
    [...]

To verify that you enabled mTLS authentication, check that your MonitoringTarget custom resource shows a Ready status for the certificate (CertificateReady) and for the certificate secret (CertificateSecretReady), like in the following example:

  apiVersion: monitoring.gdc.goog/v1
  kind: MonitoringTarget
  [...]
  status:
    conditions:
    - lastTransitionTime: "2023-11-09T11:15:10Z"
      message: "admin,user-vm-1,user-vm-2,org-1-system"
      observedGeneration: 2
      reason: Ready
      status: "True"
      type: Ready
    - lastTransitionTime: "2023-11-09T11:14:43Z"
      message: "Certificate is ready"
      observedGeneration: 2
      reason: Ready
      status: "True"
      type: CertificateReady
    - lastTransitionTime: "2023-11-09T11:15:10Z"
      message: "Successfully created secret"
      observedGeneration: 2
      reason: Ready
      status: "True"
      type: CertificateSecretReady