Clean up TLS configuration in prometheus_client output plugin

Signed-off-by: Jesse Weaver <jeweaver@pivotal.io>
This commit is contained in:
Robert Sullivan 2019-02-22 15:18:36 -07:00 committed by Jesse Weaver
parent c9fb1fcdca
commit 05af32b191
4 changed files with 17 additions and 99 deletions

View File

@ -1,2 +0,0 @@
vendor
assets

View File

@ -3,10 +3,7 @@ package prometheus_client
import (
"context"
"crypto/subtle"
cryptotls "crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
@ -69,7 +66,8 @@ type PrometheusClient struct {
StringAsLabel bool `toml:"string_as_label"`
ExportTimestamp bool `toml:"export_timestamp"`
tls.ClientConfig
tls.ServerConfig
server *http.Server
sync.Mutex
@ -193,24 +191,20 @@ func (p *PrometheusClient) Connect() error {
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
if p.TLSCA != "" {
log.Printf("Starting Prometheus Output Plugin Server with Mutual TLS enabled.\n")
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
TLSConfig: p.buildMutualTLSConfig(),
}
} else {
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
}
tlsConfig, err := p.TLSConfig()
if err != nil {
return err
}
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
TLSConfig: tlsConfig,
}
go func() {
var err error
if p.TLSCert != "" && p.TLSKey != "" {
err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey)
err = p.server.ListenAndServeTLS("", "")
} else {
err = p.server.ListenAndServe()
}
@ -223,34 +217,6 @@ func (p *PrometheusClient) Connect() error {
return nil
}
func (p *PrometheusClient) buildMutualTLSConfig() *cryptotls.Config {
certPool := x509.NewCertPool()
caCert, err := ioutil.ReadFile(p.TLSCA)
if err != nil {
log.Printf("failed to read client ca cert: %s", err.Error())
panic(err)
}
ok := certPool.AppendCertsFromPEM(caCert)
if !ok {
log.Printf("failed to append client certs: %s", err.Error())
panic(err)
}
clientAuth := cryptotls.RequireAndVerifyClientCert
if p.InsecureSkipVerify {
clientAuth = cryptotls.RequestClientCert
}
return &cryptotls.Config{
ClientAuth: clientAuth,
ClientCAs: certPool,
MinVersion: cryptotls.VersionTLS12,
CipherSuites: []uint16{cryptotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cryptotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
PreferServerCipherSuites: true,
InsecureSkipVerify: p.InsecureSkipVerify,
}
}
func (p *PrometheusClient) Close() error {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel()

View File

@ -2,28 +2,23 @@ package prometheus_client_test
import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
"github.com/influxdata/telegraf/testutil"
"github.com/influxdata/toml"
. "github.com/onsi/gomega"
"io/ioutil"
"net/http"
"os/exec"
"path/filepath"
"testing"
)
var ca, _ = filepath.Abs("assets/telegrafCA.crt")
var cert, _ = filepath.Abs("assets/telegraf.crt")
var key, _ = filepath.Abs("assets/telegraf.key")
var pki = testutil.NewPKI("../../../testutil/pki")
var configWithTLS = fmt.Sprintf(`
listen = "127.0.0.1:9090"
tls_ca = "%s"
tls_allowed_cacerts = ["%s"]
tls_cert = "%s"
tls_key = "%s"
`, ca, cert, key)
`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)
var configWithoutTLS = `
listen = "127.0.0.1:9090"
@ -37,14 +32,6 @@ type PrometheusClientTestContext struct {
*GomegaWithT
}
func init() {
path, _ := filepath.Abs("./scripts/generate_certs.sh")
_, err := exec.Command(path).CombinedOutput()
if err != nil {
panic(err)
}
}
func TestWorksWithoutTLS(t *testing.T) {
tc := buildTestContext(t, []byte(configWithoutTLS))
err := tc.Output.Connect()
@ -114,7 +101,7 @@ func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext
httpClient *http.Client
)
if output.TLSCA != "" {
if len(output.TLSAllowedCACerts) != 0 {
httpClient = buildClientWithTLS(output)
} else {
httpClient = buildClientWithoutTLS()
@ -133,26 +120,10 @@ func buildClientWithoutTLS() *http.Client {
}
func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client {
cert, err := tls.LoadX509KeyPair(output.TLSCert, output.TLSKey)
tlsConfig, err := pki.TLSClientConfig().TLSConfig()
if err != nil {
panic(err)
}
caCert, err := ioutil.ReadFile(output.TLSCA)
if err != nil {
panic(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
ServerName: "telegraf",
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
return &http.Client{Transport: transport}
}

View File

@ -1,17 +0,0 @@
#!/bin/bash -e
scripts_dir=$(cd $(dirname $0) && pwd)
mkdir -p ${scripts_dir}/../assets
assets_dir=$(cd ${scripts_dir}/../assets && pwd)
echo "Generating certs into ${assets_dir}"
test ! `which certstrap` && go get -u -v github.com/square/certstrap
rm -f ${assets_dir}/*
# CA to distribute to loggregator certs
certstrap --depot-path ${assets_dir} init --passphrase '' --common-name telegrafCA --expires "25 years"
certstrap --depot-path ${assets_dir} request-cert --passphrase '' --common-name telegraf
certstrap --depot-path ${assets_dir} sign telegraf --CA telegrafCA --expires "25 years"