Add mutual TLS support to prometheus_client output
This commit is contained in:
commit
29cbb0ab2d
|
@ -1566,6 +1566,7 @@
|
||||||
"github.com/go-sql-driver/mysql",
|
"github.com/go-sql-driver/mysql",
|
||||||
"github.com/gobwas/glob",
|
"github.com/gobwas/glob",
|
||||||
"github.com/golang/protobuf/proto",
|
"github.com/golang/protobuf/proto",
|
||||||
|
"github.com/golang/protobuf/ptypes/duration",
|
||||||
"github.com/golang/protobuf/ptypes/empty",
|
"github.com/golang/protobuf/ptypes/empty",
|
||||||
"github.com/golang/protobuf/ptypes/timestamp",
|
"github.com/golang/protobuf/ptypes/timestamp",
|
||||||
"github.com/google/go-cmp/cmp",
|
"github.com/google/go-cmp/cmp",
|
||||||
|
@ -1639,8 +1640,10 @@
|
||||||
"golang.org/x/sys/windows",
|
"golang.org/x/sys/windows",
|
||||||
"golang.org/x/sys/windows/svc",
|
"golang.org/x/sys/windows/svc",
|
||||||
"golang.org/x/sys/windows/svc/mgr",
|
"golang.org/x/sys/windows/svc/mgr",
|
||||||
|
"google.golang.org/api/iterator",
|
||||||
"google.golang.org/api/option",
|
"google.golang.org/api/option",
|
||||||
"google.golang.org/api/support/bundler",
|
"google.golang.org/api/support/bundler",
|
||||||
|
"google.golang.org/genproto/googleapis/api/distribution",
|
||||||
"google.golang.org/genproto/googleapis/api/metric",
|
"google.golang.org/genproto/googleapis/api/metric",
|
||||||
"google.golang.org/genproto/googleapis/api/monitoredres",
|
"google.golang.org/genproto/googleapis/api/monitoredres",
|
||||||
"google.golang.org/genproto/googleapis/monitoring/v3",
|
"google.golang.org/genproto/googleapis/monitoring/v3",
|
||||||
|
|
|
@ -36,6 +36,10 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
|
||||||
# tls_cert = "/etc/ssl/telegraf.crt"
|
# tls_cert = "/etc/ssl/telegraf.crt"
|
||||||
# tls_key = "/etc/ssl/telegraf.key"
|
# tls_key = "/etc/ssl/telegraf.key"
|
||||||
|
|
||||||
|
## Set one or more allowed client CA certificate file names to
|
||||||
|
## enable mutually authenticated TLS connections
|
||||||
|
# tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]
|
||||||
|
|
||||||
## Export metric collection time.
|
## Export metric collection time.
|
||||||
# export_timestamp = false
|
# export_timestamp = false
|
||||||
```
|
```
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
|
|
||||||
"github.com/influxdata/telegraf"
|
"github.com/influxdata/telegraf"
|
||||||
"github.com/influxdata/telegraf/internal"
|
"github.com/influxdata/telegraf/internal"
|
||||||
|
"github.com/influxdata/telegraf/internal/tls"
|
||||||
"github.com/influxdata/telegraf/plugins/outputs"
|
"github.com/influxdata/telegraf/plugins/outputs"
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||||
|
@ -56,8 +57,6 @@ type MetricFamily struct {
|
||||||
|
|
||||||
type PrometheusClient struct {
|
type PrometheusClient struct {
|
||||||
Listen string
|
Listen string
|
||||||
TLSCert string `toml:"tls_cert"`
|
|
||||||
TLSKey string `toml:"tls_key"`
|
|
||||||
BasicUsername string `toml:"basic_username"`
|
BasicUsername string `toml:"basic_username"`
|
||||||
BasicPassword string `toml:"basic_password"`
|
BasicPassword string `toml:"basic_password"`
|
||||||
IPRange []string `toml:"ip_range"`
|
IPRange []string `toml:"ip_range"`
|
||||||
|
@ -67,6 +66,8 @@ type PrometheusClient struct {
|
||||||
StringAsLabel bool `toml:"string_as_label"`
|
StringAsLabel bool `toml:"string_as_label"`
|
||||||
ExportTimestamp bool `toml:"export_timestamp"`
|
ExportTimestamp bool `toml:"export_timestamp"`
|
||||||
|
|
||||||
|
tls.ServerConfig
|
||||||
|
|
||||||
server *http.Server
|
server *http.Server
|
||||||
|
|
||||||
sync.Mutex
|
sync.Mutex
|
||||||
|
@ -106,6 +107,10 @@ var sampleConfig = `
|
||||||
# tls_cert = "/etc/ssl/telegraf.crt"
|
# tls_cert = "/etc/ssl/telegraf.crt"
|
||||||
# tls_key = "/etc/ssl/telegraf.key"
|
# tls_key = "/etc/ssl/telegraf.key"
|
||||||
|
|
||||||
|
## Set one or more allowed client CA certificate file names to
|
||||||
|
## enable mutually authenticated TLS connections
|
||||||
|
# tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]
|
||||||
|
|
||||||
## Export metric collection time.
|
## Export metric collection time.
|
||||||
# export_timestamp = false
|
# export_timestamp = false
|
||||||
`
|
`
|
||||||
|
@ -184,15 +189,20 @@ func (p *PrometheusClient) Connect() error {
|
||||||
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
|
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
|
||||||
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
|
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
|
||||||
|
|
||||||
|
tlsConfig, err := p.TLSConfig()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
p.server = &http.Server{
|
p.server = &http.Server{
|
||||||
Addr: p.Listen,
|
Addr: p.Listen,
|
||||||
Handler: mux,
|
Handler: mux,
|
||||||
|
TLSConfig: tlsConfig,
|
||||||
}
|
}
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
var err error
|
var err error
|
||||||
if p.TLSCert != "" && p.TLSKey != "" {
|
if p.TLSCert != "" && p.TLSKey != "" {
|
||||||
err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey)
|
err = p.server.ListenAndServeTLS("", "")
|
||||||
} else {
|
} else {
|
||||||
err = p.server.ListenAndServe()
|
err = p.server.ListenAndServe()
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,104 @@
|
||||||
|
package prometheus_client_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"fmt"
|
||||||
|
"github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
|
||||||
|
"github.com/influxdata/telegraf/testutil"
|
||||||
|
"github.com/influxdata/toml"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"net/http"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
var pki = testutil.NewPKI("../../../testutil/pki")
|
||||||
|
|
||||||
|
var configWithTLS = fmt.Sprintf(`
|
||||||
|
listen = "127.0.0.1:9090"
|
||||||
|
tls_allowed_cacerts = ["%s"]
|
||||||
|
tls_cert = "%s"
|
||||||
|
tls_key = "%s"
|
||||||
|
`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)
|
||||||
|
|
||||||
|
var configWithoutTLS = `
|
||||||
|
listen = "127.0.0.1:9090"
|
||||||
|
`
|
||||||
|
|
||||||
|
type PrometheusClientTestContext struct {
|
||||||
|
Output *prometheus_client.PrometheusClient
|
||||||
|
Accumulator *testutil.Accumulator
|
||||||
|
Client *http.Client
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestWorksWithoutTLS(t *testing.T) {
|
||||||
|
tc := buildTestContext(t, []byte(configWithoutTLS))
|
||||||
|
err := tc.Output.Connect()
|
||||||
|
defer tc.Output.Close()
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
response, err := tc.Client.Get("http://localhost:9090/metrics")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, response.StatusCode, http.StatusOK)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestWorksWithTLS(t *testing.T) {
|
||||||
|
tc := buildTestContext(t, []byte(configWithTLS))
|
||||||
|
err := tc.Output.Connect()
|
||||||
|
defer tc.Output.Close()
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
response, err := tc.Client.Get("https://localhost:9090/metrics")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, response.StatusCode, http.StatusOK)
|
||||||
|
|
||||||
|
response, err = tc.Client.Get("http://localhost:9090/metrics")
|
||||||
|
require.Error(t, err)
|
||||||
|
|
||||||
|
tr := &http.Transport{
|
||||||
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||||
|
}
|
||||||
|
|
||||||
|
client := &http.Client{Transport: tr}
|
||||||
|
response, err = client.Get("https://localhost:9090/metrics")
|
||||||
|
|
||||||
|
require.Error(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext {
|
||||||
|
output := prometheus_client.NewClient()
|
||||||
|
err := toml.Unmarshal(config, output)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
var (
|
||||||
|
httpClient *http.Client
|
||||||
|
)
|
||||||
|
|
||||||
|
if len(output.TLSAllowedCACerts) != 0 {
|
||||||
|
httpClient = buildClientWithTLS(t, output)
|
||||||
|
} else {
|
||||||
|
httpClient = buildClientWithoutTLS()
|
||||||
|
}
|
||||||
|
|
||||||
|
return &PrometheusClientTestContext{
|
||||||
|
Output: output,
|
||||||
|
Accumulator: &testutil.Accumulator{},
|
||||||
|
Client: httpClient,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func buildClientWithoutTLS() *http.Client {
|
||||||
|
return &http.Client{}
|
||||||
|
}
|
||||||
|
|
||||||
|
func buildClientWithTLS(t *testing.T, output *prometheus_client.PrometheusClient) *http.Client {
|
||||||
|
tlsConfig, err := pki.TLSClientConfig().TLSConfig()
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
transport := &http.Transport{TLSClientConfig: tlsConfig}
|
||||||
|
return &http.Client{Transport: transport}
|
||||||
|
}
|
Loading…
Reference in New Issue