Add TLS mutual auth supoort to jti_openconfig_telemetry plugin (#6027)

This commit is contained in:
Mike Moein 2019-06-21 15:25:45 -04:00 committed by Daniel Nelson
parent 773ed5e622
commit 131f85db73
3 changed files with 43 additions and 27 deletions


@ -4772,9 +4772,12 @@
# "/interfaces", # "/interfaces",
# ] # ]
# #
# ## x509 Certificate to use with TLS connection. If it is not provided, an insecure # ## Optional TLS Config
# ## channel will be opened with server # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
# ## Use TLS but skip chain & host verification
# insecure_skip_verify = false
# #
# ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. # ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
# ## Failed streams/calls will not be retried if 0 is provided # ## Failed streams/calls will not be retried if 0 is provided


@ -41,9 +41,12 @@ This plugin reads Juniper Networks implementation of OpenConfig telemetry data f
"/interfaces", "/interfaces",
] ]
## x509 Certificate to use with TLS connection. If it is not provided, an insecure ## Optional TLS Config
## channel will be opened with server # tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
## Failed streams/calls will not be retried if 0 is provided ## Failed streams/calls will not be retried if 0 is provided


@ -1,6 +1,7 @@
package jti_openconfig_telemetry package jti_openconfig_telemetry
import ( import (
"crypto/tls"
"fmt" "fmt"
"log" "log"
"net" "net"
@ -11,6 +12,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
internaltls "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth" "github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth"
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc" "github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc"
@ -28,13 +30,17 @@ type OpenConfigTelemetry struct {
Password string Password string
ClientID string `toml:"client_id"` ClientID string `toml:"client_id"`
SampleFrequency internal.Duration `toml:"sample_frequency"` SampleFrequency internal.Duration `toml:"sample_frequency"`
SSLCert string `toml:"ssl_cert"`
StrAsTags bool `toml:"str_as_tags"` StrAsTags bool `toml:"str_as_tags"`
RetryDelay internal.Duration `toml:"retry_delay"` RetryDelay internal.Duration `toml:"retry_delay"`
sensorsConfig []sensorConfig sensorsConfig []sensorConfig
// GRPC settings
grpcClientConns []*grpc.ClientConn grpcClientConns []*grpc.ClientConn
wg *sync.WaitGroup EnableTLS bool `toml:"enable_tls"`
internaltls.ClientConfig
wg *sync.WaitGroup
} }
var ( var (
@ -74,10 +80,13 @@ var (
"/interfaces", "/interfaces",
] ]
## x509 Certificate to use with TLS connection. If it is not provided, an insecure ## Optional TLS Config
## channel will be opened with server # tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms. ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
## Failed streams/calls will not be retried if 0 is provided ## Failed streams/calls will not be retried if 0 is provided
retry_delay = "1000ms" retry_delay = "1000ms"
@ -343,21 +352,27 @@ func (m *OpenConfigTelemetry) collectData(ctx context.Context,
} }
func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error { func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error {
var tlscfg *tls.Config
var opts []grpc.DialOption
var err error
// Build sensors config // Build sensors config
if m.splitSensorConfig() == 0 { if m.splitSensorConfig() == 0 {
return fmt.Errorf("E! No valid sensor configuration available") return fmt.Errorf("E! No valid sensor configuration available")
} }
// If SSL certificate is provided, use transport credentials // Parse TLS config
var err error if m.EnableTLS {
var transportCredentials credentials.TransportCredentials if tlscfg, err = m.ClientConfig.TLSConfig(); err != nil {
if m.SSLCert != "" { return err
transportCredentials, err = credentials.NewClientTLSFromFile(m.SSLCert, "")
if err != nil {
return fmt.Errorf("E! Failed to read certificate: %v", err)
} }
}
if tlscfg != nil {
opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlscfg)))
} else { } else {
transportCredentials = nil opts = append(opts, grpc.WithInsecure())
} }
// Connect to given list of servers and start collecting data // Connect to given list of servers and start collecting data
@ -373,12 +388,7 @@ func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error {
continue continue
} }
// If a certificate is provided, open a secure channel. Else open insecure one grpcClientConn, err = grpc.Dial(server, opts...)
if transportCredentials != nil {
grpcClientConn, err = grpc.Dial(server, grpc.WithTransportCredentials(transportCredentials))
} else {
grpcClientConn, err = grpc.Dial(server, grpc.WithInsecure())
}
if err != nil { if err != nil {
log.Printf("E! Failed to connect to %s: %v", server, err) log.Printf("E! Failed to connect to %s: %v", server, err)
} else { } else {