GRPC server access to metrics from prometheus

[vseregin63]

Have a good day, @karimra !

We use TLS client-auth protection on GNMIC api interface. It helps us to hide sensitive data, available through this interface. But before TLS was enabled we also collected grpc server metrics from point http://hostname:7890/metrics on the same api port 7890.

api-server:
  tls:
    ca-file: /certs/rootCA.crt
    cert-file: /certs/api_server.pem
    key-file: /certs/api_server.key
    client-auth: "require"
  enable-metrics: true 

Now after TLS was enabled we can't collect this data by prometheus because it doesn't support TLS authentication by client certs (at least in our infra). Please tell us how we can disable TLS for this url only (http://hostname:7890/metrics), or may be we can add some hosts/nets to exception? If we cant do it now, can you please add it to project development plan?

Thnx

[karimra]

TLS cannot be disabled per URL.

Prometheus supports TLS on the client side:

scrape_configs:
  - job_name: 'telemetry'
    scheme: https
    tls_config:
        ca_file: 'ca.crt'
        cert_file: 'client.crt'
        key_file: 'client.key'
    static_configs:
    - targets: ['router1:57400']