metrics: Add rate metrics to Client CSI endpoints (#15905)

Also tightens up authentication for these endpoints by enforcing the server certificate name is valid. We protect these endpoints currently by mTLS and can't use an auth token because these endpoints are (uniquely) called by the leader and followers for a given node won't have the leader's ephemeral ACL token. Add a certificate name check that requests come from a server and not a client, because no client should ever send these RPCs directly.
hashicorp · Jan 26, 2023 · 94381bd · 94381bd
1 parent 9308b52
commit 94381bd
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 5 deletions.
diff --git a/nomad/client_csi_endpoint.go b/nomad/client_csi_endpoint.go
@@ -10,17 +10,19 @@ import (
 	log "github.com/hashicorp/go-hclog"
 	memdb "github.com/hashicorp/go-memdb"
 	cstructs "github.com/hashicorp/nomad/client/structs"
+	"github.com/hashicorp/nomad/nomad/structs"
 )
 
 // ClientCSI is used to forward RPC requests to the targed Nomad client's
 // CSIController endpoint.
 type ClientCSI struct {
 	srv    *Server
+	ctx    *RPCContext
 	logger log.Logger
 }
 
-func NewClientCSIEndpoint(srv *Server) *ClientCSI {
-	return &ClientCSI{srv: srv, logger: srv.logger.Named("client_csi")}
+func NewClientCSIEndpoint(srv *Server, ctx *RPCContext) *ClientCSI {
+	return &ClientCSI{srv: srv, ctx: ctx, logger: srv.logger.Named("client_csi")}
 }
 
 func (a *ClientCSI) ControllerAttachVolume(args *cstructs.ClientCSIControllerAttachVolumeRequest, reply *cstructs.ClientCSIControllerAttachVolumeResponse) error {
@@ -29,6 +31,7 @@ func (a *ClientCSI) ControllerAttachVolume(args *cstructs.ClientCSIControllerAtt
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerAttachVolume",
 		"ClientCSI.ControllerAttachVolume",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller attach volume: %v", err)
@@ -42,6 +45,7 @@ func (a *ClientCSI) ControllerValidateVolume(args *cstructs.ClientCSIControllerV
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerValidateVolume",
 		"ClientCSI.ControllerValidateVolume",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller validate volume: %v", err)
@@ -55,6 +59,7 @@ func (a *ClientCSI) ControllerDetachVolume(args *cstructs.ClientCSIControllerDet
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerDetachVolume",
 		"ClientCSI.ControllerDetachVolume",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller detach volume: %v", err)
@@ -68,6 +73,7 @@ func (a *ClientCSI) ControllerCreateVolume(args *cstructs.ClientCSIControllerCre
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerCreateVolume",
 		"ClientCSI.ControllerCreateVolume",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller create volume: %v", err)
@@ -81,6 +87,7 @@ func (a *ClientCSI) ControllerDeleteVolume(args *cstructs.ClientCSIControllerDel
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerDeleteVolume",
 		"ClientCSI.ControllerDeleteVolume",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller delete volume: %v", err)
@@ -94,6 +101,7 @@ func (a *ClientCSI) ControllerListVolumes(args *cstructs.ClientCSIControllerList
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerListVolumes",
 		"ClientCSI.ControllerListVolumes",
+		structs.RateMetricList,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller list volumes: %v", err)
@@ -107,6 +115,7 @@ func (a *ClientCSI) ControllerCreateSnapshot(args *cstructs.ClientCSIControllerC
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerCreateSnapshot",
 		"ClientCSI.ControllerCreateSnapshot",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller create snapshot: %v", err)
@@ -120,6 +129,7 @@ func (a *ClientCSI) ControllerDeleteSnapshot(args *cstructs.ClientCSIControllerD
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerDeleteSnapshot",
 		"ClientCSI.ControllerDeleteSnapshot",
+		structs.RateMetricWrite,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller delete snapshot: %v", err)
@@ -133,14 +143,27 @@ func (a *ClientCSI) ControllerListSnapshots(args *cstructs.ClientCSIControllerLi
 	err := a.sendCSIControllerRPC(args.PluginID,
 		"CSI.ControllerListSnapshots",
 		"ClientCSI.ControllerListSnapshots",
+		structs.RateMetricList,
 		args, reply)
 	if err != nil {
 		return fmt.Errorf("controller list snapshots: %v", err)
 	}
 	return nil
 }
 
-func (a *ClientCSI) sendCSIControllerRPC(pluginID, method, fwdMethod string, args cstructs.CSIControllerRequest, reply interface{}) error {
+func (a *ClientCSI) sendCSIControllerRPC(pluginID, method, fwdMethod, op string, args cstructs.CSIControllerRequest, reply interface{}) error {
+
+	// client requests aren't RequestWithIdentity, so we use a placeholder here
+	// to populate the identity data for metrics
+	identityReq := &structs.GenericRequest{}
+	authErr := a.srv.Authenticate(a.ctx, identityReq)
+	a.srv.MeasureRPCRate("client_csi", op, identityReq)
+
+	// only servers can send these client RPCs
+	err := validateTLSCertificateLevel(a.srv, a.ctx, tlsCertificateLevelServer)
+	if authErr != nil || err != nil {
+		return structs.ErrPermissionDenied
+	}
 
 	clientIDs, err := a.clientIDsForController(pluginID)
 	if err != nil {
@@ -183,6 +206,18 @@ func (a *ClientCSI) isRetryable(err error) bool {
 func (a *ClientCSI) NodeDetachVolume(args *cstructs.ClientCSINodeDetachVolumeRequest, reply *cstructs.ClientCSINodeDetachVolumeResponse) error {
 	defer metrics.MeasureSince([]string{"nomad", "client_csi_node", "detach_volume"}, time.Now())
 
+	// client requests aren't RequestWithIdentity, so we use a placeholder here
+	// to populate the identity data for metrics
+	identityReq := &structs.GenericRequest{}
+	authErr := a.srv.Authenticate(a.ctx, identityReq)
+	a.srv.MeasureRPCRate("client_csi", structs.RateMetricWrite, identityReq)
+
+	// only servers can send these client RPCs
+	err := validateTLSCertificateLevel(a.srv, a.ctx, tlsCertificateLevelServer)
+	if authErr != nil || err != nil {
+		return structs.ErrPermissionDenied
+	}
+
 	// Make sure Node is valid and new enough to support RPC
 	snap, err := a.srv.State().Snapshot()
 	if err != nil {

diff --git a/nomad/client_csi_endpoint_test.go b/nomad/client_csi_endpoint_test.go
@@ -428,7 +428,7 @@ func TestClientCSI_NodeForControllerPlugin(t *testing.T) {
 	plugin, err := state.CSIPluginByID(ws, "minnie")
 	require.NoError(t, err)
 
-	clientCSI := NewClientCSIEndpoint(srv)
+	clientCSI := NewClientCSIEndpoint(srv, nil)
 	nodeIDs, err := clientCSI.clientIDsForController(plugin.ID)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(nodeIDs))

diff --git a/nomad/server.go b/nomad/server.go
@@ -1254,7 +1254,6 @@ func (s *Server) setupStreamingEndpoints(server *rpc.Server) {
 // handlers can have per-connection context.
 func (s *Server) setupRpcServer(server *rpc.Server, ctx *RPCContext) {
 	// These endpoints are client RPCs and don't include a connection context
-	_ = server.Register(NewClientCSIEndpoint(s))
 	_ = server.Register(NewClientStatsEndpoint(s))
 
 	// These endpoints have their streaming component registered in
@@ -1270,6 +1269,7 @@ func (s *Server) setupRpcServer(server *rpc.Server, ctx *RPCContext) {
 
 	_ = server.Register(NewACLEndpoint(s, ctx))
 	_ = server.Register(NewAllocEndpoint(s, ctx))
+	_ = server.Register(NewClientCSIEndpoint(s, ctx))
 	_ = server.Register(NewCSIVolumeEndpoint(s, ctx))
 	_ = server.Register(NewCSIPluginEndpoint(s, ctx))
 	_ = server.Register(NewDeploymentEndpoint(s, ctx))