Add TLS mutual auth supoort to jti_openconfig_telemetry plugin (#6027)
parent
773ed5e622
commit
131f85db73
|
@ -4772,9 +4772,12 @@
|
||||||
# "/interfaces",
|
# "/interfaces",
|
||||||
# ]
|
# ]
|
||||||
#
|
#
|
||||||
# ## x509 Certificate to use with TLS connection. If it is not provided, an insecure
|
# ## Optional TLS Config
|
||||||
# ## channel will be opened with server
|
# tls_ca = "/etc/telegraf/ca.pem"
|
||||||
# ssl_cert = "/etc/telegraf/cert.pem"
|
# tls_cert = "/etc/telegraf/cert.pem"
|
||||||
|
# tls_key = "/etc/telegraf/key.pem"
|
||||||
|
# ## Use TLS but skip chain & host verification
|
||||||
|
# insecure_skip_verify = false
|
||||||
#
|
#
|
||||||
# ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
# ## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
||||||
# ## Failed streams/calls will not be retried if 0 is provided
|
# ## Failed streams/calls will not be retried if 0 is provided
|
||||||
|
|
|
@ -41,9 +41,12 @@ This plugin reads Juniper Networks implementation of OpenConfig telemetry data f
|
||||||
"/interfaces",
|
"/interfaces",
|
||||||
]
|
]
|
||||||
|
|
||||||
## x509 Certificate to use with TLS connection. If it is not provided, an insecure
|
## Optional TLS Config
|
||||||
## channel will be opened with server
|
# tls_ca = "/etc/telegraf/ca.pem"
|
||||||
ssl_cert = "/etc/telegraf/cert.pem"
|
# tls_cert = "/etc/telegraf/cert.pem"
|
||||||
|
# tls_key = "/etc/telegraf/key.pem"
|
||||||
|
## Use TLS but skip chain & host verification
|
||||||
|
# insecure_skip_verify = false
|
||||||
|
|
||||||
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
||||||
## Failed streams/calls will not be retried if 0 is provided
|
## Failed streams/calls will not be retried if 0 is provided
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package jti_openconfig_telemetry
|
package jti_openconfig_telemetry
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"net"
|
"net"
|
||||||
|
@ -11,6 +12,7 @@ import (
|
||||||
|
|
||||||
"github.com/influxdata/telegraf"
|
"github.com/influxdata/telegraf"
|
||||||
"github.com/influxdata/telegraf/internal"
|
"github.com/influxdata/telegraf/internal"
|
||||||
|
internaltls "github.com/influxdata/telegraf/internal/tls"
|
||||||
"github.com/influxdata/telegraf/plugins/inputs"
|
"github.com/influxdata/telegraf/plugins/inputs"
|
||||||
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth"
|
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/auth"
|
||||||
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc"
|
"github.com/influxdata/telegraf/plugins/inputs/jti_openconfig_telemetry/oc"
|
||||||
|
@ -28,13 +30,17 @@ type OpenConfigTelemetry struct {
|
||||||
Password string
|
Password string
|
||||||
ClientID string `toml:"client_id"`
|
ClientID string `toml:"client_id"`
|
||||||
SampleFrequency internal.Duration `toml:"sample_frequency"`
|
SampleFrequency internal.Duration `toml:"sample_frequency"`
|
||||||
SSLCert string `toml:"ssl_cert"`
|
|
||||||
StrAsTags bool `toml:"str_as_tags"`
|
StrAsTags bool `toml:"str_as_tags"`
|
||||||
RetryDelay internal.Duration `toml:"retry_delay"`
|
RetryDelay internal.Duration `toml:"retry_delay"`
|
||||||
|
|
||||||
sensorsConfig []sensorConfig
|
sensorsConfig []sensorConfig
|
||||||
|
|
||||||
|
// GRPC settings
|
||||||
grpcClientConns []*grpc.ClientConn
|
grpcClientConns []*grpc.ClientConn
|
||||||
wg *sync.WaitGroup
|
EnableTLS bool `toml:"enable_tls"`
|
||||||
|
internaltls.ClientConfig
|
||||||
|
|
||||||
|
wg *sync.WaitGroup
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
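Review bot: The new `EnableTLS` field and the embedded `internaltls.ClientConfig` carry no comment, and their coupling is only discoverable from Start(), where `ClientConfig.TLSConfig()` is consulted solely when `EnableTLS` is true and the dial otherwise falls back to `grpc.WithInsecure()`. Add `// EnableTLS gates the embedded ClientConfig; when false the tls_* settings are ignored and the gRPC channel is opened in clear.` above the field so the next maintainer does not assume setting `tls_cert` alone is enough. Dropping `SSLCert` (`ssl_cert`) also removes an existing configuration key with no deprecation shim or comment; if the config loader rejects unknown keys, configs written against the old key will stop loading, which deserves at least a changelog note. The struct definition starts outside the hunk.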
@ -74,10 +80,13 @@ var (
|
||||||
"/interfaces",
|
"/interfaces",
|
||||||
]
|
]
|
||||||
|
|
||||||
## x509 Certificate to use with TLS connection. If it is not provided, an insecure
|
## Optional TLS Config
|
||||||
## channel will be opened with server
|
# tls_ca = "/etc/telegraf/ca.pem"
|
||||||
ssl_cert = "/etc/telegraf/cert.pem"
|
# tls_cert = "/etc/telegraf/cert.pem"
|
||||||
|
# tls_key = "/etc/telegraf/key.pem"
|
||||||
|
## Use TLS but skip chain & host verification
|
||||||
|
# insecure_skip_verify = false
|
||||||
|
|
||||||
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
## Delay between retry attempts of failed RPC calls or streams. Defaults to 1000ms.
|
||||||
## Failed streams/calls will not be retried if 0 is provided
|
## Failed streams/calls will not be retried if 0 is provided
|
||||||
retry_delay = "1000ms"
|
retry_delay = "1000ms"
|
||||||
|
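Review bot: The new sample config lists `tls_ca`, `tls_cert`, `tls_key` and `insecure_skip_verify` under `## Optional TLS Config` but never shows `enable_tls`, while Start() in this commit only builds a TLS config when `m.EnableTLS` is set and otherwise appends `grpc.WithInsecure()`; a user who copies this sample and fills in certificate paths therefore still gets a plaintext gRPC channel with no error or warning. Add the gating key to the sample, e.g. `## Enable TLS; the tls_* settings below are ignored unless this is set` followed by `# enable_tls = true`. The same omission is in the telegraf.conf sample hunk (`@ -4772`) and the README hunk (`@ -41`) earlier in this commit.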
@ -343,21 +352,27 @@ func (m *OpenConfigTelemetry) collectData(ctx context.Context,
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error {
|
func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error {
|
||||||
|
|
||||||
|
var tlscfg *tls.Config
|
||||||
|
var opts []grpc.DialOption
|
||||||
|
var err error
|
||||||
|
|
||||||
// Build sensors config
|
// Build sensors config
|
||||||
if m.splitSensorConfig() == 0 {
|
if m.splitSensorConfig() == 0 {
|
||||||
return fmt.Errorf("E! No valid sensor configuration available")
|
return fmt.Errorf("E! No valid sensor configuration available")
|
||||||
}
|
}
|
||||||
|
|
||||||
// If SSL certificate is provided, use transport credentials
|
// Parse TLS config
|
||||||
var err error
|
if m.EnableTLS {
|
||||||
var transportCredentials credentials.TransportCredentials
|
if tlscfg, err = m.ClientConfig.TLSConfig(); err != nil {
|
||||||
if m.SSLCert != "" {
|
return err
|
||||||
transportCredentials, err = credentials.NewClientTLSFromFile(m.SSLCert, "")
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("E! Failed to read certificate: %v", err)
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if tlscfg != nil {
|
||||||
|
opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlscfg)))
|
||||||
} else {
|
} else {
|
||||||
transportCredentials = nil
|
opts = append(opts, grpc.WithInsecure())
|
||||||
}
|
}
|
||||||
|
|
||||||
// Connect to given list of servers and start collecting data
|
// Connect to given list of servers and start collecting data
|
||||||
|
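Review bot: Enabling TLS can still produce an insecure connection here: the `if tlscfg != nil` / `else` branches after the `if m.EnableTLS` block append `grpc.WithInsecure()` whenever `tlscfg` is nil, and if `m.ClientConfig.TLSConfig()` returns a nil config with a nil error when no `tls_*` key is set (I believe it does, but that helper is outside this hunk), `enable_tls = true` without certificate settings silently dials in clear rather than verifying against the system roots. Make the intent explicit inside the `EnableTLS` block: `if tlscfg == nil { tlscfg = &tls.Config{} }` with a comment such as `// TLS requested but no tls_* keys set: use system roots rather than an insecure dial`, or alternatively return an error so the operator notices. The `E!` prefix inside the `fmt.Errorf` message is pre-existing and not part of this change. Start() continues past the end of the hunk.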
@ -373,12 +388,7 @@ func (m *OpenConfigTelemetry) Start(acc telegraf.Accumulator) error {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
// If a certificate is provided, open a secure channel. Else open insecure one
|
grpcClientConn, err = grpc.Dial(server, opts...)
|
||||||
if transportCredentials != nil {
|
|
||||||
grpcClientConn, err = grpc.Dial(server, grpc.WithTransportCredentials(transportCredentials))
|
|
||||||
} else {
|
|
||||||
grpcClientConn, err = grpc.Dial(server, grpc.WithInsecure())
|
|
||||||
}
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("E! Failed to connect to %s: %v", server, err)
|
log.Printf("E! Failed to connect to %s: %v", server, err)
|
||||||
} else {
|
} else {
|
||||||
|
|
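Review bot: The `grpc.Dial(server, opts...)` call on the new side returns without waiting for the connection unless `grpc.WithBlock()` is among the options, and this commit does not add it, so the `if err != nil` log that follows will mostly catch target-parse errors while TLS failures (untrusted CA, wrong client certificate, hostname mismatch) surface later on the first RPC from the collection goroutine. If the intent is to fail fast on bad TLS material at startup, add `grpc.WithBlock()` together with a bounded `context.WithTimeout` via `grpc.DialContext`; otherwise a comment such as `// Dial is non-blocking: TLS handshake errors are reported by the first RPC, not here` would save the next reader from trusting this error check too much. The enclosing loop and Start() continue outside the hunk.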