PMM-12422 restrict agent interface (#2534)

* register node exporters with expose address disabled

* include expose-exporter-address flag for all services

* update inventory api

* fix tests

* try to fix linter

* include expose mode in agent list api

* rename to expose exporter

* include expose exporter commands for inventory

* fix add tests

* fix database tests

* update documentation of flag

* fix address in test

admin/commands/inventory/add_agent_mysqld_exporter.go

@@ -96,6 +96,7 @@ type AddAgentMysqldExporterCommand struct {
 	TLSKeyFile                string            `name:"tls-key" help:"Path to client key file"`
 	TablestatsGroupTableLimit int32             `placeholder:"number" help:"Tablestats group collectors will be disabled if there are more than that number of tables (default: server-defined, -1: always disabled)"`
 	PushMetrics               bool              `help:"Enables push metrics model flow, it will be sent to the server by an agent"`
+	ExposeExporter            bool              `help:"Expose the address of the exporter publicly on 0.0.0.0"`
 	DisableCollectors         []string          `help:"Comma-separated list of collector names to exclude from exporter"`
 	LogLevel                  string            `enum:"debug,info,warn,error" default:"warn" help:"Service logging level. One of: [debug, info, warn, error]"`
 }
@@ -140,6 +141,7 @@ func (cmd *AddAgentMysqldExporterCommand) RunCmd() (commands.Result, error) {
 			TLSKey:                    tlsKey,
 			TablestatsGroupTableLimit: cmd.TablestatsGroupTableLimit,
 			PushMetrics:               cmd.PushMetrics,
+			ExposeExporter:            cmd.ExposeExporter,
 			DisableCollectors:         commands.ParseDisableCollectors(cmd.DisableCollectors),
 			LogLevel:                  &cmd.LogLevel,
 		},

admin/commands/inventory/add_agent_node_exporter.go

@@ -46,6 +46,7 @@ type AddAgentNodeExporterCommand struct {
 	PMMAgentID        string            `arg:"" help:"The pmm-agent identifier which runs this instance"`
 	CustomLabels      map[string]string `mapsep:"," help:"Custom user-assigned labels"`
 	PushMetrics       bool              `help:"Enables push metrics model flow, it will be sent to the server by an agent"`
+	ExposeExporter    bool              `help:"Expose the address of the exporter publicly on 0.0.0.0"`
 	DisableCollectors []string          `help:"Comma-separated list of collector names to exclude from exporter"`
 	LogLevel          string            `enum:"debug,info,warn,error" default:"warn" help:"Service logging level. One of: [debug, info, warn, error]"`
 }
@@ -57,6 +58,7 @@ func (cmd *AddAgentNodeExporterCommand) RunCmd() (commands.Result, error) {
 			PMMAgentID:        cmd.PMMAgentID,
 			CustomLabels:      customLabels,
 			PushMetrics:       cmd.PushMetrics,
+			ExposeExporter:    cmd.ExposeExporter,
 			DisableCollectors: commands.ParseDisableCollectors(cmd.DisableCollectors),
 			LogLevel:          &cmd.LogLevel,
 		},

admin/commands/inventory/add_agent_postgres_exporter.go

@@ -57,6 +57,7 @@ type AddAgentPostgresExporterCommand struct {
 	CustomLabels        map[string]string `mapsep:"," help:"Custom user-assigned labels"`
 	SkipConnectionCheck bool              `help:"Skip connection check"`
 	PushMetrics         bool              `help:"Enables push metrics model flow, it will be sent to the server by an agent"`
+	ExposeExporter      bool              `help:"Expose the address of the exporter publicly on 0.0.0.0"`
 	DisableCollectors   []string          `help:"Comma-separated list of collector names to exclude from exporter"`
 	TLS                 bool              `help:"Use TLS to connect to the database"`
 	TLSSkipVerify       bool              `help:"Skip TLS certificates validation"`
@@ -101,6 +102,7 @@ func (cmd *AddAgentPostgresExporterCommand) RunCmd() (commands.Result, error) {
 			CustomLabels:        customLabels,
 			SkipConnectionCheck: cmd.SkipConnectionCheck,
 			PushMetrics:         cmd.PushMetrics,
+			ExposeExporter:      cmd.ExposeExporter,
 			DisableCollectors:   commands.ParseDisableCollectors(cmd.DisableCollectors),
 			AutoDiscoveryLimit:  cmd.AutoDiscoveryLimit,
 

admin/commands/inventory/add_agent_proxysql_exporter.go

@@ -57,6 +57,7 @@ type AddAgentProxysqlExporterCommand struct {
 	TLS                 bool              `help:"Use TLS to connect to the database"`
 	TLSSkipVerify       bool              `help:"Skip TLS certificates validation"`
 	PushMetrics         bool              `help:"Enables push metrics model flow, it will be sent to the server by an agent"`
+	ExposeExporter      bool              `help:"Expose the address of the exporter publicly on 0.0.0.0"`
 	DisableCollectors   []string          `help:"Comma-separated list of collector names to exclude from exporter"`
 	LogLevel            string            `enum:"debug,info,warn,error,fatal" default:"warn" help:"Service logging level. One of: [debug, info, warn, error, fatal]"`
 }
@@ -75,6 +76,7 @@ func (cmd *AddAgentProxysqlExporterCommand) RunCmd() (commands.Result, error) {
 			TLS:                 cmd.TLS,
 			TLSSkipVerify:       cmd.TLSSkipVerify,
 			PushMetrics:         cmd.PushMetrics,
+			ExposeExporter:      cmd.ExposeExporter,
 			DisableCollectors:   commands.ParseDisableCollectors(cmd.DisableCollectors),
 			LogLevel:            &cmd.LogLevel,
 		},

admin/commands/management/add_mongodb.go

@@ -82,6 +82,7 @@ type AddMongoDBCommand struct {
 	DisableCollectors             []string          `help:"Comma-separated list of collector names to exclude from exporter"`
 	StatsCollections              []string          `help:"Collections for collstats & indexstats"`
 	CollectionsLimit              int32             `name:"max-collections-limit" default:"-1" help:"Disable collstats, dbstats, topmetrics and indexstats if there are more than <n> collections. 0: No limit. Default is -1, which let PMM automatically set this value"`
+	ExposeExporter                bool              `name:"expose-exporter" help:"Optionally expose the address of the exporter publicly on 0.0.0.0"`
 
 	AddCommonFlags
 	AddLogLevelFatalFlags
@@ -157,8 +158,9 @@ func (cmd *AddMongoDBCommand) RunCmd() (commands.Result, error) {
 			NodeID:         cmd.NodeID,
 			ServiceName:    serviceName,
 			Address:        host,
-			Port:           int64(port),
 			Socket:         socket,
+			Port:           int64(port),
+			ExposeExporter: cmd.ExposeExporter,
 			PMMAgentID:     cmd.PMMAgentID,
 			Environment:    cmd.Environment,
 			Cluster:        cmd.Cluster,

admin/commands/management/add_mysql.go

@@ -120,6 +120,7 @@ type AddMySQLCommand struct {
 	CreateUser             bool              `hidden:"" help:"Create pmm user"`
 	MetricsMode            string            `enum:"${metricsModesEnum}" default:"auto" help:"Metrics flow mode, can be push - agent will push metrics, pull - server scrape metrics from agent or auto - chosen by server"`
 	DisableCollectors      []string          `help:"Comma-separated list of collector names to exclude from exporter"`
+	ExposeExporter         bool              `name:"expose-exporter" help:"Optionally expose the address of the exporter publicly on 0.0.0.0"`
 
 	AddCommonFlags
 	AddLogLevelNoFatalFlags
@@ -209,6 +210,7 @@ func (cmd *AddMySQLCommand) RunCmd() (commands.Result, error) {
 			Address:        host,
 			Socket:         socket,
 			Port:           int64(port),
+			ExposeExporter: cmd.ExposeExporter,
 			PMMAgentID:     cmd.PMMAgentID,
 			Environment:    cmd.Environment,
 			Cluster:        cmd.Cluster,

admin/commands/management/add_postgresql.go

@@ -73,6 +73,7 @@ type AddPostgreSQLCommand struct {
 	DisableQueryExamples bool              `name:"disable-queryexamples" help:"Disable collection of query examples"`
 	MetricsMode          string            `enum:"${metricsModesEnum}" default:"auto" help:"Metrics flow mode, can be push - agent will push metrics, pull - server scrape metrics from agent or auto - chosen by server"`
 	DisableCollectors    []string          `help:"Comma-separated list of collector names to exclude from exporter"`
+	ExposeExporter       bool              `name:"expose-exporter" help:"Optionally expose the address of the exporter publicly on 0.0.0.0"`
 	AutoDiscoveryLimit   int32             `default:"0" placeholder:"NUMBER" help:"Auto-discovery will be disabled if there are more than that number of databases (default: server-defined, -1: always disabled)"`
 
 	AddCommonFlags
@@ -172,16 +173,16 @@ func (cmd *AddPostgreSQLCommand) RunCmd() (commands.Result, error) {
 
 	params := &postgresql.AddPostgreSQLParams{
 		Body: postgresql.AddPostgreSQLBody{
-			NodeID:      cmd.NodeID,
-			ServiceName: serviceName,
-
+			NodeID:                 cmd.NodeID,
+			ServiceName:            serviceName,
 			Address:                host,
+			Socket:                 socket,
 			Port:                   int64(port),
+			ExposeExporter:         cmd.ExposeExporter,
 			Username:               cmd.Username,
 			Password:               cmd.Password,
 			Database:               cmd.Database,
 			AgentPassword:          cmd.AgentPassword,
-			Socket:                 socket,
 			SkipConnectionCheck:    cmd.SkipConnectionCheck,
 			DisableCommentsParsing: disableCommentsParsing,
 

admin/commands/management/add_proxysql.go

@@ -64,6 +64,7 @@ type AddProxySQLCommand struct {
 	TLSSkipVerify       bool              `help:"Skip TLS certificates validation"`
 	MetricsMode         string            `enum:"${metricsModesEnum}" default:"auto" help:"Metrics flow mode, can be push - agent will push metrics, pull - server scrape metrics from agent or auto - chosen by server"`
 	DisableCollectors   []string          `help:"Comma-separated list of collector names to exclude from exporter"`
+	ExposeExporter      bool              `name:"expose-exporter" help:"Optionally expose the address of the exporter publicly on 0.0.0.0"`
 
 	AddCommonFlags
 	AddLogLevelFatalFlags
@@ -130,8 +131,9 @@ func (cmd *AddProxySQLCommand) RunCmd() (commands.Result, error) {
 			NodeID:         cmd.NodeID,
 			ServiceName:    serviceName,
 			Address:        host,
-			Port:           int64(port),
 			Socket:         socket,
+			Port:           int64(port),
+			ExposeExporter: cmd.ExposeExporter,
 			PMMAgentID:     cmd.PMMAgentID,
 			Environment:    cmd.Environment,
 			Cluster:        cmd.Cluster,

admin/commands/management/add_test.go

@@ -122,11 +122,11 @@ func TestManagementGlobalFlags(t *testing.T) {
 				},
 			}
 
-			serviceName, socket, address, port, err := processGlobalAddFlagsWithSocket(cmd, cmd.AddCommonFlags)
+			serviceName, socket, host, port, err := processGlobalAddFlagsWithSocket(cmd, cmd.AddCommonFlags)
 
 			assert.NoError(t, err)
 			assert.Equal(t, serviceName, test.wantServiceName)
-			assert.Equal(t, address, test.wantHost)
+			assert.Equal(t, host, test.wantHost)
 			assert.Equal(t, int(port), int(test.wantPort))
 			assert.Equal(t, socket, test.wantSocket)
 		})

agent/commands/clients.go

@@ -197,6 +197,7 @@ func serverRegister(cfgSetup *config.Setup) (agentID, token string, _ error) { /
 			Reregister:        cfgSetup.Force,
 			MetricsMode:       pointer.ToString(strings.ToUpper(cfgSetup.MetricsMode)),
 			DisableCollectors: disableCollectors,
+			ExposeExporter:    cfgSetup.ExposeExporter,
 		},
 		Context: context.Background(),
 	})

agent/config/config.go

@@ -139,6 +139,7 @@ type Setup struct {
 
 	Force            bool
 	SkipRegistration bool
+	ExposeExporter   bool
 }
 
 // Cache represent cache settings.
@@ -512,6 +513,8 @@ func Application(cfg *Config) (*kingpin.Application, *string) {
 		Envar("PMM_AGENT_SETUP_CUSTOM_LABELS").StringVar(&cfg.Setup.CustomLabels)
 	setupCmd.Flag("agent-password", "Custom password for /metrics endpoint [PMM_AGENT_SETUP_NODE_PASSWORD]").
 		Envar("PMM_AGENT_SETUP_NODE_PASSWORD").StringVar(&cfg.Setup.AgentPassword)
+	setupCmd.Flag("expose-exporter", "Expose the address of the agent's node-exporter publicly on 0.0.0.0").
+		Envar("PMM_AGENT_EXPOSE_EXPORTER").BoolVar(&cfg.Setup.ExposeExporter)
 
 	return app, configFileF
 }