Clean up TLS configuration in prometheus_client output plugin
Signed-off-by: Jesse Weaver <jeweaver@pivotal.io>
This commit is contained in:
parent
c9fb1fcdca
commit
05af32b191
|
@ -1,2 +0,0 @@
|
|||
vendor
|
||||
assets
|
|
@ -3,10 +3,7 @@ package prometheus_client
|
|||
import (
|
||||
"context"
|
||||
"crypto/subtle"
|
||||
cryptotls "crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
|
@ -69,7 +66,8 @@ type PrometheusClient struct {
|
|||
StringAsLabel bool `toml:"string_as_label"`
|
||||
ExportTimestamp bool `toml:"export_timestamp"`
|
||||
|
||||
tls.ClientConfig
|
||||
tls.ServerConfig
|
||||
|
||||
server *http.Server
|
||||
|
||||
sync.Mutex
|
||||
|
@ -193,24 +191,20 @@ func (p *PrometheusClient) Connect() error {
|
|||
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
|
||||
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
|
||||
|
||||
if p.TLSCA != "" {
|
||||
log.Printf("Starting Prometheus Output Plugin Server with Mutual TLS enabled.\n")
|
||||
tlsConfig, err := p.TLSConfig()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
p.server = &http.Server{
|
||||
Addr: p.Listen,
|
||||
Handler: mux,
|
||||
TLSConfig: p.buildMutualTLSConfig(),
|
||||
}
|
||||
} else {
|
||||
p.server = &http.Server{
|
||||
Addr: p.Listen,
|
||||
Handler: mux,
|
||||
}
|
||||
TLSConfig: tlsConfig,
|
||||
}
|
||||
|
||||
go func() {
|
||||
var err error
|
||||
if p.TLSCert != "" && p.TLSKey != "" {
|
||||
err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey)
|
||||
err = p.server.ListenAndServeTLS("", "")
|
||||
} else {
|
||||
err = p.server.ListenAndServe()
|
||||
}
|
||||
|
@ -223,34 +217,6 @@ func (p *PrometheusClient) Connect() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (p *PrometheusClient) buildMutualTLSConfig() *cryptotls.Config {
|
||||
certPool := x509.NewCertPool()
|
||||
caCert, err := ioutil.ReadFile(p.TLSCA)
|
||||
if err != nil {
|
||||
log.Printf("failed to read client ca cert: %s", err.Error())
|
||||
panic(err)
|
||||
}
|
||||
ok := certPool.AppendCertsFromPEM(caCert)
|
||||
if !ok {
|
||||
log.Printf("failed to append client certs: %s", err.Error())
|
||||
panic(err)
|
||||
}
|
||||
|
||||
clientAuth := cryptotls.RequireAndVerifyClientCert
|
||||
if p.InsecureSkipVerify {
|
||||
clientAuth = cryptotls.RequestClientCert
|
||||
}
|
||||
|
||||
return &cryptotls.Config{
|
||||
ClientAuth: clientAuth,
|
||||
ClientCAs: certPool,
|
||||
MinVersion: cryptotls.VersionTLS12,
|
||||
CipherSuites: []uint16{cryptotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cryptotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
PreferServerCipherSuites: true,
|
||||
InsecureSkipVerify: p.InsecureSkipVerify,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *PrometheusClient) Close() error {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
|
||||
defer cancel()
|
||||
|
|
|
@ -2,28 +2,23 @@ package prometheus_client_test
|
|||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
|
||||
"github.com/influxdata/telegraf/testutil"
|
||||
"github.com/influxdata/toml"
|
||||
. "github.com/onsi/gomega"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
var ca, _ = filepath.Abs("assets/telegrafCA.crt")
|
||||
var cert, _ = filepath.Abs("assets/telegraf.crt")
|
||||
var key, _ = filepath.Abs("assets/telegraf.key")
|
||||
var pki = testutil.NewPKI("../../../testutil/pki")
|
||||
|
||||
var configWithTLS = fmt.Sprintf(`
|
||||
listen = "127.0.0.1:9090"
|
||||
tls_ca = "%s"
|
||||
tls_allowed_cacerts = ["%s"]
|
||||
tls_cert = "%s"
|
||||
tls_key = "%s"
|
||||
`, ca, cert, key)
|
||||
`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)
|
||||
|
||||
var configWithoutTLS = `
|
||||
listen = "127.0.0.1:9090"
|
||||
|
@ -37,14 +32,6 @@ type PrometheusClientTestContext struct {
|
|||
*GomegaWithT
|
||||
}
|
||||
|
||||
func init() {
|
||||
path, _ := filepath.Abs("./scripts/generate_certs.sh")
|
||||
_, err := exec.Command(path).CombinedOutput()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWorksWithoutTLS(t *testing.T) {
|
||||
tc := buildTestContext(t, []byte(configWithoutTLS))
|
||||
err := tc.Output.Connect()
|
||||
|
@ -114,7 +101,7 @@ func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext
|
|||
httpClient *http.Client
|
||||
)
|
||||
|
||||
if output.TLSCA != "" {
|
||||
if len(output.TLSAllowedCACerts) != 0 {
|
||||
httpClient = buildClientWithTLS(output)
|
||||
} else {
|
||||
httpClient = buildClientWithoutTLS()
|
||||
|
@ -133,26 +120,10 @@ func buildClientWithoutTLS() *http.Client {
|
|||
}
|
||||
|
||||
func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client {
|
||||
cert, err := tls.LoadX509KeyPair(output.TLSCert, output.TLSKey)
|
||||
tlsConfig, err := pki.TLSClientConfig().TLSConfig()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
caCert, err := ioutil.ReadFile(output.TLSCA)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(caCert)
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
RootCAs: caCertPool,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
ServerName: "telegraf",
|
||||
}
|
||||
tlsConfig.BuildNameToCertificate()
|
||||
transport := &http.Transport{TLSClientConfig: tlsConfig}
|
||||
return &http.Client{Transport: transport}
|
||||
}
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
#!/bin/bash -e
|
||||
|
||||
scripts_dir=$(cd $(dirname $0) && pwd)
|
||||
|
||||
mkdir -p ${scripts_dir}/../assets
|
||||
assets_dir=$(cd ${scripts_dir}/../assets && pwd)
|
||||
|
||||
echo "Generating certs into ${assets_dir}"
|
||||
|
||||
test ! `which certstrap` && go get -u -v github.com/square/certstrap
|
||||
|
||||
rm -f ${assets_dir}/*
|
||||
|
||||
# CA to distribute to loggregator certs
|
||||
certstrap --depot-path ${assets_dir} init --passphrase '' --common-name telegrafCA --expires "25 years"
|
||||
certstrap --depot-path ${assets_dir} request-cert --passphrase '' --common-name telegraf
|
||||
certstrap --depot-path ${assets_dir} sign telegraf --CA telegrafCA --expires "25 years"
|
Loading…
Reference in New Issue