dom
/
telegraf
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Clean up TLS configuration in prometheus_client output plugin 

Signed-off-by: Jesse Weaver <jeweaver@pivotal.io>
This commit is contained in:
Robert Sullivan 2019-02-22 15:18:36 -07:00 committed by Jesse Weaver
parent c9fb1fcdca
commit 05af32b191
4 changed files with 17 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/outputs/prometheus_client/.gitignore vendored
View File

@ -1,2 +0,0 @@
vendor
assets

50
plugins/outputs/prometheus_client/prometheus_client.go
View File

@ -3,10 +3,7 @@ package prometheus_client
import ( import (
"context" "context"
"crypto/subtle" "crypto/subtle"
cryptotls "crypto/tls"
"crypto/x509"
"fmt" "fmt"
"io/ioutil"
"log" "log"
"net" "net"
"net/http" "net/http"
@ -69,7 +66,8 @@ type PrometheusClient struct {
StringAsLabel bool `toml:"string_as_label"` StringAsLabel bool `toml:"string_as_label"`
ExportTimestamp bool `toml:"export_timestamp"` ExportTimestamp bool `toml:"export_timestamp"`
tls.ClientConfig tls.ServerConfig
server *http.Server server *http.Server
sync.Mutex sync.Mutex
@ -193,24 +191,20 @@ func (p *PrometheusClient) Connect() error {
mux.Handle(p.Path, p.auth(promhttp.HandlerFor( mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError}))) registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
if p.TLSCA != "" { tlsConfig, err := p.TLSConfig()
log.Printf("Starting Prometheus Output Plugin Server with Mutual TLS enabled.\n") if err != nil {
return err
}
p.server = &http.Server{ p.server = &http.Server{
Addr: p.Listen, Addr: p.Listen,
Handler: mux, Handler: mux,
TLSConfig: p.buildMutualTLSConfig(), TLSConfig: tlsConfig,
}
} else {
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
}
} }
go func() { go func() {
var err error var err error
if p.TLSCert != "" && p.TLSKey != "" { if p.TLSCert != "" && p.TLSKey != "" {
err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey) err = p.server.ListenAndServeTLS("", "")
} else { } else {
err = p.server.ListenAndServe() err = p.server.ListenAndServe()
} }
@ -223,34 +217,6 @@ func (p *PrometheusClient) Connect() error {
return nil return nil
} }
func (p *PrometheusClient) buildMutualTLSConfig() *cryptotls.Config {
certPool := x509.NewCertPool()
caCert, err := ioutil.ReadFile(p.TLSCA)
if err != nil {
log.Printf("failed to read client ca cert: %s", err.Error())
panic(err)
}
ok := certPool.AppendCertsFromPEM(caCert)
if !ok {
log.Printf("failed to append client certs: %s", err.Error())
panic(err)
}
clientAuth := cryptotls.RequireAndVerifyClientCert
if p.InsecureSkipVerify {
clientAuth = cryptotls.RequestClientCert
}
return &cryptotls.Config{
ClientAuth: clientAuth,
ClientCAs: certPool,
MinVersion: cryptotls.VersionTLS12,
CipherSuites: []uint16{cryptotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cryptotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
PreferServerCipherSuites: true,
InsecureSkipVerify: p.InsecureSkipVerify,
}
}
func (p *PrometheusClient) Close() error { func (p *PrometheusClient) Close() error {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel() defer cancel()

41
plugins/outputs/prometheus_client/prometheus_client_tls_test.go
View File

@ -2,28 +2,23 @@ package prometheus_client_test
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"fmt" "fmt"
"github.com/influxdata/telegraf/plugins/outputs/prometheus_client" "github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
"github.com/influxdata/toml" "github.com/influxdata/toml"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
"io/ioutil"
"net/http" "net/http"
"os/exec"
"path/filepath"
"testing" "testing"
) )
var ca, _ = filepath.Abs("assets/telegrafCA.crt") var pki = testutil.NewPKI("../../../testutil/pki")
var cert, _ = filepath.Abs("assets/telegraf.crt")
var key, _ = filepath.Abs("assets/telegraf.key")
var configWithTLS = fmt.Sprintf(` var configWithTLS = fmt.Sprintf(`
listen = "127.0.0.1:9090" listen = "127.0.0.1:9090"
tls_ca = "%s" tls_allowed_cacerts = ["%s"]
tls_cert = "%s" tls_cert = "%s"
tls_key = "%s" tls_key = "%s"
`, ca, cert, key) `, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)
var configWithoutTLS = ` var configWithoutTLS = `
listen = "127.0.0.1:9090" listen = "127.0.0.1:9090"
@ -37,14 +32,6 @@ type PrometheusClientTestContext struct {
*GomegaWithT *GomegaWithT
} }
func init() {
path, _ := filepath.Abs("./scripts/generate_certs.sh")
_, err := exec.Command(path).CombinedOutput()
if err != nil {
panic(err)
}
}
func TestWorksWithoutTLS(t *testing.T) { func TestWorksWithoutTLS(t *testing.T) {
tc := buildTestContext(t, []byte(configWithoutTLS)) tc := buildTestContext(t, []byte(configWithoutTLS))
err := tc.Output.Connect() err := tc.Output.Connect()
@ -114,7 +101,7 @@ func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext
httpClient *http.Client httpClient *http.Client
) )
if output.TLSCA != "" { if len(output.TLSAllowedCACerts) != 0 {
httpClient = buildClientWithTLS(output) httpClient = buildClientWithTLS(output)
} else { } else {
httpClient = buildClientWithoutTLS() httpClient = buildClientWithoutTLS()
@ -133,26 +120,10 @@ func buildClientWithoutTLS() *http.Client {
} }
func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client { func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client {
cert, err := tls.LoadX509KeyPair(output.TLSCert, output.TLSKey) tlsConfig, err := pki.TLSClientConfig().TLSConfig()
if err != nil { if err != nil {
panic(err) panic(err)
} }
caCert, err := ioutil.ReadFile(output.TLSCA)
if err != nil {
panic(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
ServerName: "telegraf",
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig} transport := &http.Transport{TLSClientConfig: tlsConfig}
return &http.Client{Transport: transport} return &http.Client{Transport: transport}
} }

17
plugins/outputs/prometheus_client/scripts/generate_certs.sh
View File

@ -1,17 +0,0 @@
#!/bin/bash -e
scripts_dir=$(cd $(dirname $0) && pwd)
mkdir -p ${scripts_dir}/../assets
assets_dir=$(cd ${scripts_dir}/../assets && pwd)
echo "Generating certs into ${assets_dir}"
test ! `which certstrap` && go get -u -v github.com/square/certstrap
rm -f ${assets_dir}/*
# CA to distribute to loggregator certs
certstrap --depot-path ${assets_dir} init --passphrase '' --common-name telegrafCA --expires "25 years"
certstrap --depot-path ${assets_dir} request-cert --passphrase '' --common-name telegraf
certstrap --depot-path ${assets_dir} sign telegraf --CA telegrafCA --expires "25 years"