Add TLS mutual auth supoort to jti_openconfig_telemetry plugin (#6027)
This commit is contained in:
		
							parent
							
								
									773ed5e622
								
							
						
					
					
						commit
						131f85db73
					
				|  | @ -4772,9 +4772,12 @@ | ||||||
| #    "/interfaces", | #    "/interfaces", | ||||||
| #   ] | #   ] | ||||||
| # | # | ||||||
| #   ## x509 Certificate to use with TLS connection. If it is not provided, an insecure | #   ## Optional TLS Config | ||||||
| #   ## channel will be opened with server | #   tls_ca = "/etc/telegraf/ca.pem" | ||||||
| #   ssl_cert = "/etc/telegraf/cert.pem" | #   tls_cert = "/etc/telegraf/cert.pem" | ||||||
|  | #   tls_key = "/etc/telegraf/key.pem" | ||||||
|  | #   ## Use TLS but skip chain & host verification | ||||||
|  | #   insecure_skip_verify = false | ||||||
| # | # | ||||||
| #   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. | #   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. | ||||||
| #   ## Failed streams/calls will not be retried if 0 is provided | #   ## Failed streams/calls will not be retried if 0 is provided | ||||||
|  |  | ||||||
|  | @ -41,9 +41,12 @@ This plugin reads Juniper Networks implementation of OpenConfig telemetry data f | ||||||
|    "/interfaces", |    "/interfaces", | ||||||
|   ] |   ] | ||||||
| 
 | 
 | ||||||
|   ## x509 Certificate to use with TLS connection. If it is not provided, an insecure |   ## Optional TLS Config | ||||||
|   ## channel will be opened with server |   # tls_ca = "/etc/telegraf/ca.pem" | ||||||
|   ssl_cert = "/etc/telegraf/cert.pem" |   # tls_cert = "/etc/telegraf/cert.pem" | ||||||
|  |   # tls_key = "/etc/telegraf/key.pem" | ||||||
|  |   ## Use TLS but skip chain & host verification | ||||||
|  |   # insecure_skip_verify = false | ||||||
| 
 | 
 | ||||||
|   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. |   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. | ||||||
|   ## Failed streams/calls will not be retried if 0 is provided |   ## Failed streams/calls will not be retried if 0 is provided | ||||||
|  |  | ||||||
|  | @ -1,6 +1,7 @@ | ||||||
| package jti_openconfig_telemetry | package jti_openconfig_telemetry | ||||||
| 
 | 
 | ||||||
| import ( | import ( | ||||||
|  | 	"crypto/tls" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"log" | 	"log" | ||||||
| 	"net" | 	"net" | ||||||
|  | @ -11,6 +12,7 @@ import ( | ||||||
| 
 | 
 | ||||||
| 	"github.com/influxdata/telegraf" | 	"github.com/influxdata/telegraf" | ||||||
| 	"github.com/influxdata/telegraf/internal" | 	"github.com/influxdata/telegraf/internal" | ||||||
|  | 	internaltls "github.com/influxdata/telegraf/internal/tls" | ||||||
| 	"github.com/influxdata/telegraf/plugins/inputs" | 	"github.com/influxdata/telegraf/plugins/inputs" | ||||||
| 	"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth" | 	"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth" | ||||||
| 	"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc" | 	"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc" | ||||||
|  | @ -28,13 +30,17 @@ type OpenConfigTelemetry struct { | ||||||
| 	Password        string | 	Password        string | ||||||
| 	ClientID        string            `toml:"client_id"` | 	ClientID        string            `toml:"client_id"` | ||||||
| 	SampleFrequency internal.Duration `toml:"sample_frequency"` | 	SampleFrequency internal.Duration `toml:"sample_frequency"` | ||||||
| 	SSLCert         string            `toml:"ssl_cert"` |  | ||||||
| 	StrAsTags       bool              `toml:"str_as_tags"` | 	StrAsTags       bool              `toml:"str_as_tags"` | ||||||
| 	RetryDelay      internal.Duration `toml:"retry_delay"` | 	RetryDelay      internal.Duration `toml:"retry_delay"` | ||||||
| 
 | 
 | ||||||
| 	sensorsConfig   []sensorConfig | 	sensorsConfig []sensorConfig | ||||||
|  | 
 | ||||||
|  | 	// GRPC settings
 | ||||||
| 	grpcClientConns []*grpc.ClientConn | 	grpcClientConns []*grpc.ClientConn | ||||||
| 	wg              *sync.WaitGroup | 	EnableTLS       bool `toml:"enable_tls"` | ||||||
|  | 	internaltls.ClientConfig | ||||||
|  | 
 | ||||||
|  | 	wg *sync.WaitGroup | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| var ( | var ( | ||||||
|  | @ -74,9 +80,12 @@ var ( | ||||||
|    "/interfaces", |    "/interfaces", | ||||||
|   ] |   ] | ||||||
| 
 | 
 | ||||||
|   ## x509 Certificate to use with TLS connection. If it is not provided, an insecure  |   ## Optional TLS Config | ||||||
|   ## channel will be opened with server |   # tls_ca = "/etc/telegraf/ca.pem" | ||||||
|   ssl_cert = "/etc/telegraf/cert.pem" |   # tls_cert = "/etc/telegraf/cert.pem" | ||||||
|  |   # tls_key = "/etc/telegraf/key.pem" | ||||||
|  |   ## Use TLS but skip chain & host verification | ||||||
|  |   # insecure_skip_verify = false | ||||||
|    |    | ||||||
|   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. |   ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. | ||||||
|   ## Failed streams/calls will not be retried if 0 is provided |   ## Failed streams/calls will not be retried if 0 is provided | ||||||
|  | @ -343,21 +352,27 @@ func (m *OpenConfigTelemetry) collectData(ctx context.Context, | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error { | func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error { | ||||||
|  | 
 | ||||||
|  | 	var tlscfg *tls.Config | ||||||
|  | 	var opts []grpc.DialOption | ||||||
|  | 	var err error | ||||||
|  | 
 | ||||||
| 	// Build sensors config
 | 	// Build sensors config
 | ||||||
| 	if m.splitSensorConfig() == 0 { | 	if m.splitSensorConfig() == 0 { | ||||||
| 		return fmt.Errorf("E! No valid sensor configuration available") | 		return fmt.Errorf("E! No valid sensor configuration available") | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// If SSL certificate is provided, use transport credentials
 | 	// Parse TLS config
 | ||||||
| 	var err error | 	if m.EnableTLS { | ||||||
| 	var transportCredentials credentials.TransportCredentials | 		if tlscfg, err = m.ClientConfig.TLSConfig(); err != nil { | ||||||
| 	if m.SSLCert != "" { | 			return err | ||||||
| 		transportCredentials, err = credentials.NewClientTLSFromFile(m.SSLCert, "") |  | ||||||
| 		if err != nil { |  | ||||||
| 			return fmt.Errorf("E! Failed to read certificate: %v", err) |  | ||||||
| 		} | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if tlscfg != nil { | ||||||
|  | 		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlscfg))) | ||||||
| 	} else { | 	} else { | ||||||
| 		transportCredentials = nil | 		opts = append(opts, grpc.WithInsecure()) | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// Connect to given list of servers and start collecting data
 | 	// Connect to given list of servers and start collecting data
 | ||||||
|  | @ -373,12 +388,7 @@ func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error { | ||||||
| 			continue | 			continue | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
| 		// If a certificate is provided, open a secure channel. Else open insecure one
 | 		grpcClientConn, err = grpc.Dial(server, opts...) | ||||||
| 		if transportCredentials != nil { |  | ||||||
| 			grpcClientConn, err = grpc.Dial(server, grpc.WithTransportCredentials(transportCredentials)) |  | ||||||
| 		} else { |  | ||||||
| 			grpcClientConn, err = grpc.Dial(server, grpc.WithInsecure()) |  | ||||||
| 		} |  | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			log.Printf("E! Failed to connect to %s: %v", server, err) | 			log.Printf("E! Failed to connect to %s: %v", server, err) | ||||||
| 		} else { | 		} else { | ||||||
|  |  | ||||||
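Review bot: With `enable_tls = true` but none of tls_ca/tls_cert/tls_key set, the new Start in the hunk at @ -343 still falls through to `grpc.WithInsecure()`: `internaltls.ClientConfig.TLSConfig()` appears to return a nil config with no error when no TLS option is configured, so `tlscfg != nil` is false and the operator's explicit request for TLS is silently downgraded to plaintext. Branch on `m.EnableTLS` rather than on `tlscfg`, e.g. after the error check add `if tlscfg == nil { tlscfg = &tls.Config{} }` so system roots are used, and reserve `grpc.WithInsecure()` for the `!m.EnableTLS` path. The sample config in the hunk at @ -74 (and the same text in the two config/README sections above) never mentions `enable_tls`, so a user who copies it and sets `tls_ca` still gets an insecure channel because the field defaults to false; add `# enable_tls = true` above `# tls_ca`. Dropping `ssl_cert` from the struct also means an existing config that relied on it for TLS will now connect in the clear unless the loader rejects the unknown key, which deserves a deprecation note. Start's body continues past the end of the hunk at @ -373.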