Merge pull request #10140 from hashicorp/b-gh-10070

agent: return req error if prometheus metrics are disabled.
hashicorp · May 14, 2021 · 7ef108c · 7ef108c
1 parent 652e714
commit 7ef108c
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@ SECURITY:
  * drivers/docker+exec+java: Disable `CAP_NET_RAW` linux capability by default to prevent ARP spoofing. CVE-2021-32575 [[GH-10568](https://github.com/hashicorp/nomad/issues/10568)](https://github.com/hashicorp/nomad/issues/10568)
 
 BUG FIXES:
+ * agent: Only allow querying Prometheus formatted metrics if Prometheus is enabled within the config [[GH-10140](https://github.com/hashicorp/nomad/pull/10140)]
  * api: Added missing devices block to AllocatedTaskResources [[GH-10064](https://github.com/hashicorp/nomad/pull/10064)]
  * cli: Fixed a bug where non-int proxy port would panic CLI [[GH-10072](https://github.com/hashicorp/nomad/issues/10072)]
  * cli: Fixed a bug where `nomad operator debug` incorrectly parsed https Consul API URLs. [[GH-10082](https://github.com/hashicorp/nomad/pull/10082)]

diff --git a/api/internal/testutil/server.go b/api/internal/testutil/server.go
@@ -42,6 +42,7 @@ type TestServerConfig struct {
 	Client            *ClientConfig `json:"client,omitempty"`
 	Vault             *VaultConfig  `json:"vault,omitempty"`
 	ACL               *ACLConfig    `json:"acl,omitempty"`
+	Telemetry         *Telemetry    `json:"telemetry,omitempty"`
 	DevMode           bool          `json:"-"`
 	Stdout, Stderr    io.Writer     `json:"-"`
 }
@@ -90,6 +91,11 @@ type ACLConfig struct {
 	Enabled bool `json:"enabled"`
 }
 
+// Telemetry is used to configure the Nomad telemetry setup.
+type Telemetry struct {
+	PrometheusMetrics bool `json:"prometheus_metrics"`
+}
+
 // ServerConfigCallback is a function interface which can be
 // passed to NewTestServerConfig to modify the server config.
 type ServerConfigCallback func(c *TestServerConfig)

diff --git a/api/operator_metrics_test.go b/api/operator_metrics_test.go
@@ -3,6 +3,7 @@ package api
 import (
 	"testing"
 
+	"github.com/hashicorp/nomad/api/internal/testutil"
 	"github.com/stretchr/testify/require"
 )
 
@@ -31,7 +32,9 @@ func TestOperator_MetricsSummary(t *testing.T) {
 
 func TestOperator_Metrics_Prometheus(t *testing.T) {
 	t.Parallel()
-	c, s := makeClient(t, nil, nil)
+	c, s := makeClient(t, nil, func(c *testutil.TestServerConfig) {
+		c.Telemetry = &testutil.Telemetry{PrometheusMetrics: true}
+	})
 	defer s.Stop()
 
 	operator := c.Operator()

diff --git a/command/agent/metrics_endpoint.go b/command/agent/metrics_endpoint.go
@@ -22,6 +22,12 @@ func (s *HTTPServer) MetricsRequest(resp http.ResponseWriter, req *http.Request)
 	}
 
 	if format := req.URL.Query().Get("format"); format == "prometheus" {
+
+		// Only return Prometheus formatted metrics if the user has enabled
+		// this functionality.
+		if !s.agent.config.Telemetry.PrometheusMetrics {
+			return nil, CodedError(http.StatusUnsupportedMediaType, "Prometheus is not enabled")
+		}
 		s.prometheusHandler().ServeHTTP(resp, req)
 		return nil, nil
 	}

diff --git a/command/agent/metrics_endpoint_test.go b/command/agent/metrics_endpoint_test.go
@@ -29,6 +29,40 @@ func TestHTTP_MetricsWithIllegalMethod(t *testing.T) {
 	})
 }
 
+func TestHTTP_MetricsPrometheusDisabled(t *testing.T) {
+	assert := assert.New(t)
+
+	t.Parallel()
+	httpTest(t, func(c *Config) { c.Telemetry.PrometheusMetrics = false }, func(s *TestAgent) {
+		req, err := http.NewRequest("GET", "/v1/metrics?format=prometheus", nil)
+		assert.Nil(err)
+
+		resp, err := s.Server.MetricsRequest(nil, req)
+		assert.Nil(resp)
+		assert.Error(err, "Prometheus is not enabled")
+	})
+}
+
+func TestHTTP_MetricsPrometheusEnabled(t *testing.T) {
+	assert := assert.New(t)
+
+	t.Parallel()
+	httpTest(t, nil, func(s *TestAgent) {
+		req, err := http.NewRequest("GET", "/v1/metrics?format=prometheus", nil)
+		assert.Nil(err)
+		respW := httptest.NewRecorder()
+
+		resp, err := s.Server.MetricsRequest(respW, req)
+		assert.Nil(resp)
+		assert.Nil(err)
+
+		// Ensure the response body is not empty and that it contains something
+		// that looks like a metric we expect.
+		assert.NotNil(respW.Body)
+		assert.Contains(respW.Body.String(), "HELP go_gc_duration_seconds")
+	})
+}
+
 func TestHTTP_Metrics(t *testing.T) {
 	assert := assert.New(t)
 

diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -104,7 +104,6 @@ such, processes from existing `docker`, `exec`, or `java` tasks will need to be
 manually restarted (using `alloc stop` or another mechanism) in order to be
 fully isolated.
 
->>>>>>> 4f1583163... drivers/docker+exec+java: disable net_raw capability by default
 ## Nomad 1.0.3, 0.12.10
 
 Nomad versions 1.0.3 and 0.12.10 change the behavior of the `exec` and `java` drivers so that