Resolves GCP API calls for monitoring.googleapis.com to set of IPs (#94)

nmdayton · web-flow · commit fc1c9e258971 · 2019-05-10T16:18:01.000-04:00
Enables the prometheus sidecar to be configured to resolve GCP API calls to monitoring.googleapis.com to a specific set of IPs. Bool flag stackdriver.use-restricted-ips enables this functionality.
diff --git a/cmd/stackdriver-prometheus-sidecar/main.go b/cmd/stackdriver-prometheus-sidecar/main.go
@@ -58,6 +58,8 @@ import (
 	"go.opencensus.io/plugin/ochttp"
 	"go.opencensus.io/stats/view"
 	"go.opencensus.io/tag"
+	"google.golang.org/grpc/resolver"
+	"google.golang.org/grpc/resolver/manual"
 	kingpin "gopkg.in/alecthomas/kingpin.v2"
 )
 
@@ -193,6 +195,8 @@ func main() {
 		aggregations       retrieval.CounterAggregatorConfig
 		metricRenames      map[string]string
 		staticMetadata     []scrape.MetricMetadata
+		useRestrictedIps   bool
+		manualResolver     *manual.Resolver
 		monitoringBackends []string
 
 		logLevel promlog.AllowedLevel
@@ -213,6 +217,9 @@ func main() {
 	a.Flag("stackdriver.api-address", "Address of the Stackdriver Monitoring API.").
 		Default("https://monitoring.googleapis.com:443/").URLVar(&cfg.stackdriverAddress)
 
+	a.Flag("stackdriver.use-restricted-ips", "If true, send all requests through restricted VIPs (EXPERIMENTAL).").
+		Default("false").BoolVar(&cfg.useRestrictedIps)
+
 	a.Flag("stackdriver.kubernetes.location", "Value of the 'location' label in the Kubernetes Stackdriver MonitoredResources.").
 		StringVar(&cfg.kubernetesLabels.location)
 
@@ -340,6 +347,19 @@ func main() {
 	}
 
 	cfg.projectIdResource = fmt.Sprintf("projects/%v", *projectId)
+	if cfg.useRestrictedIps {
+		// manual.GenerateAndRegisterManualResolver generates a Resolver and a random scheme.
+		// It also registers the resolver. rb.InitialAddrs adds the addresses we are using
+		// to resolve GCP API calls to the resolver.
+		cfg.manualResolver, _ = manual.GenerateAndRegisterManualResolver()
+		// These IP addresses correspond to restricted.googleapis.com and are not expected to change.
+		cfg.manualResolver.InitialAddrs([]resolver.Address{
+			{Addr: "199.36.153.4:443"},
+			{Addr: "199.36.153.5:443"},
+			{Addr: "199.36.153.6:443"},
+			{Addr: "199.36.153.7:443"},
+		})
+	}
 	targetsURL, err := cfg.prometheusURL.Parse(targets.DefaultAPIEndpoint)
 	if err != nil {
 		panic(err)
@@ -381,6 +401,7 @@ func main() {
 			projectIdResource: cfg.projectIdResource,
 			url:               cfg.stackdriverAddress,
 			timeout:           10 * time.Second,
+			manualResolver:    cfg.manualResolver,
 		},
 		tailer,
 	)
@@ -545,6 +566,7 @@ type clientFactory struct {
 	projectIdResource string
 	url               *url.URL
 	timeout           time.Duration
+	manualResolver    *manual.Resolver
 }
 
 func (f *clientFactory) New() stackdriver.StorageClient {
@@ -553,6 +575,7 @@ func (f *clientFactory) New() stackdriver.StorageClient {
 		ProjectId: f.projectIdResource,
 		URL:       f.url,
 		Timeout:   f.timeout,
+		Resolver:  f.manualResolver,
 	})
 }
 
diff --git a/stackdriver/client.go b/stackdriver/client.go
@@ -29,6 +29,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/oauth"
+	"google.golang.org/grpc/resolver/manual"
 	"google.golang.org/grpc/status"
 
 	"github.com/go-kit/kit/log"
@@ -49,6 +50,7 @@ type Client struct {
 	projectId string
 	url       *url.URL
 	timeout   time.Duration
+	resolver  *manual.Resolver
 
 	conn *grpc.ClientConn
 }
@@ -59,6 +61,7 @@ type ClientConfig struct {
 	ProjectId string // The Stackdriver project id in "projects/name-or-number" format.
 	URL       *url.URL
 	Timeout   time.Duration
+	Resolver  *manual.Resolver
 }
 
 // NewClient creates a new Client.
@@ -72,6 +75,7 @@ func NewClient(conf *ClientConfig) *Client {
 		projectId: conf.ProjectId,
 		url:       conf.URL,
 		timeout:   conf.Timeout,
+		resolver:  conf.Resolver,
 	}
 }
 
@@ -120,6 +124,9 @@ func (c *Client) getConnection(ctx context.Context) (*grpc.ClientConn, error) {
 	if len(c.url.Port()) > 0 {
 		address = fmt.Sprintf("%s:%s", address, c.url.Port())
 	}
+	if c.resolver != nil {
+		address = c.resolver.Scheme() + ":///" + address
+	}
 	conn, err := grpc.DialContext(ctx, address, dopts...)
 	c.conn = conn
 	return conn, err
diff --git a/stackdriver/client_test.go b/stackdriver/client_test.go
@@ -14,16 +14,20 @@
 package stackdriver
 
 import (
+	"bytes"
 	"fmt"
 	"net"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/go-kit/kit/log"
 	monitoring "google.golang.org/genproto/googleapis/monitoring/v3"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/resolver"
+	"google.golang.org/grpc/resolver/manual"
 	"google.golang.org/grpc/status"
 )
 
@@ -114,3 +118,51 @@ func TestEmptyRequest(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestResolver(t *testing.T) {
+	grpcServer := grpc.NewServer()
+	listener := newLocalListener()
+	monitoring.RegisterMetricServiceServer(grpcServer, &metricServiceServer{nil})
+	go grpcServer.Serve(listener)
+	defer grpcServer.Stop()
+
+	logBuffer := &bytes.Buffer{}
+	defer func() {
+		if logBuffer.Len() > 0 {
+			t.Log(logBuffer.String())
+		}
+	}()
+	logger := log.NewLogfmtLogger(logBuffer)
+	
+	// Without ?auth=false, the test fails with context deadline exceeded.
+	serverURL, err := url.Parse("http://stackdriver.invalid?auth=false")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	res, _ := manual.GenerateAndRegisterManualResolver()
+	res.InitialAddrs([]resolver.Address{
+		{Addr: listener.Addr().String()},
+	})
+
+	c := NewClient(&ClientConfig{
+		URL:      serverURL,
+		Timeout:  time.Second,
+		Resolver: res,
+		Logger:   logger,
+	})
+
+	err = c.Store(&monitoring.CreateTimeSeriesRequest{
+		TimeSeries: []*monitoring.TimeSeries{
+			&monitoring.TimeSeries{},
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	requestedTarget := c.conn.Target()
+	if requestedTarget != c.resolver.Scheme()+":///stackdriver.invalid" {
+		t.Errorf("ERROR: Remote address is %s, want stackdriver.invalid.",
+			requestedTarget)
+	}
+}
