
feat: add metricsgateway proxy to decouple syslog certs from metricsforwarder#1141

Draft
bonzofenix wants to merge 15 commits into main from metricsgateway

Conversation

@bonzofenix
Contributor

Summary

  • Introduces a new metricsgateway Go app deployed in the system org that holds syslog TLS certs and proxies metrics to log-cache via syslog
  • metricsforwarder no longer needs syslog certs — it sends metrics to metricsgateway over HTTPS using CF instance identity (XFCC) for auth
  • The gateway validates the caller's org_guid from the XFCC header to ensure only the autoscaler deployment org can send metrics

Changes

  • New metricsgateway/ app — config, syslog emitter (adapted from original metricsforwarder syslog emitter), HTTP server with XFCC auth middleware, health endpoint, main.go using startup.Bootstrap
  • New GatewayEmitter in metricsforwarder — HTTP client that POSTs CustomMetric JSON to the gateway using CF_INSTANCE_CERT/CF_INSTANCE_KEY as client TLS certs
  • helpers/auth/xfcc_auth.go — Space/org validation now optional (empty string skips the check), allowing the gateway to validate only org_guid
  • metricsforwarder/config/config.go — Added MetricsGatewayConfig and InstanceTLSCerts fields, UsingGateway() method, conditional VCAP loading (gateway certs vs syslog certs)
  • mta.tpl.yaml — Added metricsgateway module and config resource, moved syslog-client binding from metricsforwarder to metricsgateway
  • scripts/build-extension-file.sh — Added metricsgateway health password, AUTOSCALER_ORG_GUID resolution via cf org --guid, gateway URL injected into metricsforwarder config

Testing

  • Unit tests for metricsgateway server (4 tests — valid metrics, invalid JSON, empty array, emitter errors)
  • Unit tests for GatewayEmitter (3 tests — success, error status, unreachable)
  • Unit tests for forwarder factory (gateway routing test)
  • XFCC auth tests pass with optional space validation
  • Integration/acceptance tests for custom metrics end-to-end flow
  • Verify metricsgateway can reach log-cache via syslog from system org

🤖 Generated with Claude Code

The metricsforwarder previously sent custom metrics to log-cache via
syslog (TCP/TLS), which required TLS certificates. This replaces that
with a direct gRPC connection to log-cache's Ingress API using the
existing go-log-cache/v3 library, removing the TLS cert requirement.

- Add LogCacheEmitter using logcache_v1.IngressClient.Send()
- Support plain gRPC (default) and optional TLS
- Remove SyslogEmitter, SyslogConfig, and all syslog references
- Remove syslog-client resource from mta.tpl.yaml and build scripts
- Update default config: syslog section replaced with log_cache

The syslog emitter removal left loggregator-agent-release and its
transitive dependencies unused. This cleans up go.mod and go.sum.
…orwarder

Introduce a new metricsgateway app that runs in the system org with
syslog TLS certs and receives metrics from metricsforwarder over HTTPS.
This eliminates the need for metricsforwarder to hold syslog certs.

Auth between components uses CF instance identity (XFCC header) with
org_guid validation.

- New metricsgateway app (config, syslog emitter, HTTP server, main)
- New GatewayEmitter in metricsforwarder sends metrics via HTTPS
- XFCC auth space validation now optional (empty string skips check)
- MTA deployment updated: syslog-client moved to metricsgateway
- Extension file updated with metricsgateway config and org GUID

Comment thread on metricsforwarder/forwarder/gateway_emitter.go: Fixed

The metricsforwarder was configured to use the gateway URL in the
extension file, but the metricsgateway isn't deployed yet in CI.
Keep syslog-client on metricsforwarder and don't set the gateway URL
until the metricsgateway deployment is verified.

The metricsgateway module was not being deployed because it wasn't
in the MODULES variable used by cf deploy -m. Also adds security
group setup for metricsgateway (syslog port 6067 access).

@silvestre marked this pull request as draft on April 13, 2026 at 13:02

- Add comment explaining empty dummyCounter.Add() method
- Extract /v1/envelopes literal to constant

Remove InsecureSkipVerify by configuring proper TLS on both sides:

**Root cause**: Previous code skipped cert validation because gateway
server had no TLS cert configured.

**Changes**:
1. Metricsgateway now serves with CF instance identity cert
2. Metricsforwarder validates using CF_INSTANCE_CA_CERT
3. Removed InsecureSkipVerify from gateway_emitter.go

**Security improvement**:
- Previous: No server cert validation (vulnerable to MITM)
- Now: Full mTLS with CF instance identity (client + server auth)

**Tests added**:
- metricsgateway/config/config_test.go: verify TLS config loading
- metricsforwarder/forwarder/gateway_emitter_tls_test.go: verify cert validation works

All other component communication already used proper TLS validation.
This brings metricsgateway to same security standard.

- Fix NewVCAPConfigurationReader call (returns 2 values)
- Fix TLS test cert validation (use self-signed cert as CA)

httptest server cert needs PEM encoding, not raw bytes.
Fixes x509 'certificate signed by unknown authority' error.

- Check json.Unmarshal errors (errcheck)
- Check pem.Encode errors (errcheck)
- Check file Close errors (errcheck)

- Support CA-only TLS client config (no client cert required)

Fixes TLS test failure where client only validates server CA
without presenting its own certificate.
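The two security-relevant mechanisms this PR describes, the gateway's org_guid check on the XFCC header with the space check made optional (PR summary above), and the forwarder's TLS client config that replaces InsecureSkipVerify and supports a CA-only configuration (the last few commits), as one added Go example. This is not code from the PR or from the app-autoscaler repository. It assumes that gorouter forwards the caller's leaf certificate as base64-encoded DER in X-Forwarded-Client-Cert and that a CF instance-identity certificate carries organization:/space:/app: entries in its Subject OU, as Diego issues them; the function names (ParseXFCC, CallerGUIDs, CheckCaller, ClientTLSConfig, NewInstanceCert) and the self-signed certificate used as stand-in instance identity are the example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ParseXFCC decodes X-Forwarded-Client-Cert as gorouter forwards it: base64 of the leaf cert's DER (assumed format).
func ParseXFCC(header string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header))
	if err != nil {
		return nil, fmt.Errorf("xfcc: bad base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// CallerGUIDs reads the org and space GUIDs from the Subject OU entries of a CF instance-identity cert.
func CallerGUIDs(cert *x509.Certificate) (org, space string) {
	for _, ou := range cert.Subject.OrganizationalUnit {
		if strings.HasPrefix(ou, "organization:") {
			org = strings.TrimPrefix(ou, "organization:")
		} else if strings.HasPrefix(ou, "space:") {
			space = strings.TrimPrefix(ou, "space:")
		}
	}
	return org, space
}

// CheckCaller always requires the org to match; an empty wantSpace skips the space check and nothing else.
func CheckCaller(cert *x509.Certificate, wantOrg, wantSpace string) error {
	org, space := CallerGUIDs(cert)
	if wantOrg == "" || org != wantOrg {
		return fmt.Errorf("org %q not allowed", org)
	}
	if wantSpace != "" && space != wantSpace {
		return fmt.Errorf("space %q not allowed", space)
	}
	return nil
}

// ClientTLSConfig (forwarder side): trust the CA (CF_INSTANCE_CA_CERT) and present CF_INSTANCE_CERT/CF_INSTANCE_KEY
// when given. A missing CA is an error, never a fallback to InsecureSkipVerify; CA only yields a verify-only client.
func ClientTLSConfig(caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no usable CA certificate; refusing to skip verification")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if len(certPEM)+len(keyPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// NewInstanceCert builds a self-signed cert shaped like an instance-identity cert (constructed test data, not Diego-issued).
func NewInstanceCert(orgGUID, spaceGUID string) (der, certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "constructed-instance", OrganizationalUnit: []string{
			"organization:" + orgGUID, "space:" + spaceGUID, "app:constructed-app"}},
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return der, certPEM, keyPEM, nil
}

func main() {
	der, _, _, err := NewInstanceCert("org-autoscaler", "space-a")
	if err != nil {
		panic(err)
	}
	cert, _ := ParseXFCC(base64.StdEncoding.EncodeToString(der))
	fmt.Println(CheckCaller(cert, "org-autoscaler", ""), CheckCaller(cert, "org-other", ""))
}
```

In a gateway handler, a ParseXFCC failure maps to 401 and a CheckCaller failure to 403 before any metric is accepted. One caveat a practitioner should keep in mind: CheckCaller only proves anything if the router in front of the gateway strips any client-supplied X-Forwarded-Client-Cert and sets its own from the TLS handshake (gorouter's sanitize_set mode); with a router that passes the header through, the org check is evaluating attacker-controlled input.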
