feat: add TLS endpoint to kepler exporter

[aharivel]

Add TLS support via the new web configuration file, following the Prometheus Exporter Toolkit style for consistency across exporters.

• Usage:

kepler --web.config.file=web-config.yml

• Content of web-config.yml:

tls_server_config:
cert_file: /path/to/server.crt
key_file: /path/to/server.key

[github-actions]

🤖 SeineSailor

Here is a concise summary of the pull request changes:

Summary: This pull request adds TLS support to the Kepler exporter by introducing a new web-config.yml file for specifying TLS server certificates and keys. The main function now reads TLS configuration from the file, enabling the server to listen on an HTTPS endpoint when configured.

Key Modifications:

• Added web-config.yml file for TLS configuration
• Updated main function to read TLS configuration from the file
• Server now supports TLS and listens on HTTPS endpoint when configured

Impact: The external interface remains unchanged, but the code behavior changes when TLS is configured, switching from HTTP to HTTPS.

Observations/Suggestions:

• It would be beneficial to include tests to verify the TLS configuration and HTTPS endpoint functionality.
• Consider adding documentation to explain the new TLS configuration options and their usage.
• Review the error handling and logging mechanisms to ensure they are adequate for TLS-related issues.

[SamYuan1990]

https://prometheus.io/docs/introduction/roadmap/#tls-and-authentication-in-http-serving-endpoints I don't mind for TLS endpoint, but considering with prometheus TLS note for official exporters...

TLS and authentication in HTTP serving endpoints

TLS and authentication are currently being rolled out to the Prometheus, Alertmanager, and the official exporters. Adding this support will make it easier for people to deploy Prometheus components securely without requiring a reverse proxy to add those features externally.

at meanwhile, if we are going to enable TLS for kepler, considering in a k8s cluster with node A,B,C
what will be the hostname in cert for the TLS cert?what will be the changes for kepler pod?
as for example if we are going to use kepler.svc.nodeX.com as host name in k8s cluster, and the key for each node are different.
so, somehow will it impact/it will change our deployment yaml?
as we have to inject/put a specific node cert-key pair as configuration?

mark with change request for more information and discussion.

[aharivel]

Hi @SamYuan1990 ,
I wanted to clarify something regarding your comments about Prometheus official support. Could it be that there was a mix-up between the terms "rolled out" and "rules out"?

While I don't claim expertise in Kubernetes security or managing certificates in multi-node deployments, I can point out that some IaaS platforms, like Red Hat OpenStack (RHOSO), are already using node_exporter with TLS. Here are a couple of links to highlight this:

Node Exporter Configuration
Node Exporter Setup Tasks

Furthermore, they are also using Kepler, as shown here:
Kepler Integration Tasks

This leads me to my point: if someone knows how to manage their certificates effectively, Kepler should be capable of supporting TLS endpoints. Why should Kepler be the only exporter in an IaaS setup like OpenStack that does not support TLS, especially when node_exporter, ipmi_exporter, and others do?

Additionally, Kepler is handling sensitive data. For instance, consider the CVEs related to RAPL and side-channel attacks, which I’m sure you’re familiar with. Would organizations that prioritize security really allow this data to be transmitted in plaintext over the network?

Finally, I want to stress that this is an optional feature. For users content with unencrypted data, nothing changes—they can continue as before. But adding this option would present Kepler as a more robust and serious tool for those who care about security.