Simplify testing with TLS (#4095)

This commit is contained in:
Daniel Nelson 2018-05-04 16:33:23 -07:00 committed by GitHub
parent 6e10a4ea88
commit 55b4fcb40d
92 changed files with 1246 additions and 1360 deletions


@ -7,6 +7,10 @@
an [example configuration](./plugins/inputs/jolokia2/examples) to help you an [example configuration](./plugins/inputs/jolokia2/examples) to help you
get started. get started.
- For plugins supporting TLS, you can now specify the certificate and keys
using `tls_ca`, `tls_cert`, `tls_key`. These options behave the same as
the, now deprecated, `ssl` forms.
### New Inputs ### New Inputs
- [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek - [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek


@ -121,11 +121,11 @@
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment
@ -184,11 +184,11 @@
# ## to 5s. 0s means no timeout (not recommended). # ## to 5s. 0s means no timeout (not recommended).
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -284,11 +284,11 @@
# # default_tag_value = "none" # # default_tag_value = "none"
# index_name = "telegraf-%Y.%m.%d" # required. # index_name = "telegraf-%Y.%m.%d" # required.
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Template Config # ## Template Config
@ -327,11 +327,11 @@
# ## timeout in seconds for the write connection to graphite # ## timeout in seconds for the write connection to graphite
# timeout = 2 # timeout = 2
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -420,11 +420,11 @@
# ## The total number of times to retry sending a message # ## The total number of times to retry sending a message
# max_retry = 3 # max_retry = 3
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional SASL Config # ## Optional SASL Config
@ -536,11 +536,11 @@
# ## client ID, if not set a random ID is generated # ## client ID, if not set a random ID is generated
# # client_id = "" # # client_id = ""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -560,11 +560,11 @@
# ## NATS subject for producer messages # ## NATS subject for producer messages
# subject = "telegraf" # subject = "telegraf"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -695,11 +695,11 @@
# # address = "unix:///tmp/telegraf.sock" # # address = "unix:///tmp/telegraf.sock"
# # address = "unixgram:///tmp/telegraf.sock" # # address = "unixgram:///tmp/telegraf.sock"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Period between keep alive probes. # ## Period between keep alive probes.
@ -928,11 +928,11 @@
# ## Maximum time to receive response. # ## Maximum time to receive response.
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1112,11 +1112,11 @@
# ## Data centre to query the health checks from # ## Data centre to query the health checks from
# # datacentre = "" # # datacentre = ""
# #
# ## SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
@ -1173,10 +1173,10 @@
# ## Maximum time to receive a response from cluster. # ## Maximum time to receive a response from cluster.
# # response_timeout = "20s" # # response_timeout = "20s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## If false, skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
# #
@ -1261,11 +1261,11 @@
# docker_label_include = [] # docker_label_include = []
# docker_label_exclude = [] # docker_label_exclude = []
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1317,11 +1317,11 @@
# ## "breaker". Per default, all stats are gathered. # ## "breaker". Per default, all stats are gathered.
# # node_stats = ["jvm", "http"] # # node_stats = ["jvm", "http"]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1428,11 +1428,11 @@
# username = "" # username = ""
# password = "" # password = ""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1456,11 +1456,11 @@
# ## field names. # ## field names.
# # keep_field_names = false # # keep_field_names = false
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1497,11 +1497,11 @@
# ## Tag all metrics with the url # ## Tag all metrics with the url
# # tag_url = true # # tag_url = true
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Amount of time allowed to complete the HTTP request # ## Amount of time allowed to complete the HTTP request
@ -1541,11 +1541,11 @@
# # response_string_match = "ok" # # response_string_match = "ok"
# # response_string_match = "\".*_status\".?:.?\"up\"" # # response_string_match = "\".*_status\".?:.?\"up\""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## HTTP Request Headers (all values must be strings) # ## HTTP Request Headers (all values must be strings)
@ -1581,11 +1581,11 @@
# # "my_tag_2" # # "my_tag_2"
# # ] # # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## HTTP parameters (all values must be strings). For "GET" requests, data # ## HTTP parameters (all values must be strings). For "GET" requests, data
@ -1613,11 +1613,11 @@
# "http://localhost:8086/debug/vars" # "http://localhost:8086/debug/vars"
# ] # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## http request & header timeout # ## http request & header timeout
@ -1771,10 +1771,10 @@
# # password = "" # # password = ""
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL config # ## Optional TLS config
# # ssl_ca = "/var/private/ca.pem" # # tls_ca = "/var/private/ca.pem"
# # ssl_cert = "/var/private/client.pem" # # tls_cert = "/var/private/client.pem"
# # ssl_key = "/var/private/client-key.pem" # # tls_key = "/var/private/client-key.pem"
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Add metrics to read # ## Add metrics to read
@ -1796,10 +1796,10 @@
# # password = "" # # password = ""
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL config # ## Optional TLS config
# # ssl_ca = "/var/private/ca.pem" # # tls_ca = "/var/private/ca.pem"
# # ssl_cert = "/var/private/client.pem" # # tls_cert = "/var/private/client.pem"
# # ssl_key = "/var/private/client-key.pem" # # tls_key = "/var/private/client-key.pem"
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Add proxy targets to query # ## Add proxy targets to query
@ -1828,11 +1828,11 @@
# ## Time limit for http requests # ## Time limit for http requests
# timeout = "5s" # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1852,11 +1852,11 @@
# ## Set response_timeout (default 5 seconds) # ## Set response_timeout (default 5 seconds)
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = /path/to/cafile # # tls_ca = /path/to/cafile
# # ssl_cert = /path/to/certfile # # tls_cert = /path/to/certfile
# # ssl_key = /path/to/keyfile # # tls_key = /path/to/keyfile
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1948,11 +1948,11 @@
# # "messages", # # "messages",
# # ] # # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1978,11 +1978,11 @@
# ## When true, collect per database stats # ## When true, collect per database stats
# # gather_perdb_stats = false # # gather_perdb_stats = false
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2061,10 +2061,12 @@
# ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) # ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
# interval_slow = "30m" # interval_slow = "30m"
# #
# ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) # ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
# ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false
# # Provides metrics about the state of a NATS server # # Provides metrics about the state of a NATS server
@ -2124,10 +2126,11 @@
# # An array of Nginx stub_status URI to gather stats. # # An array of Nginx stub_status URI to gather stats.
# urls = ["http://localhost/server_status"] # urls = ["http://localhost/server_status"]
# #
# # TLS/SSL configuration # ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.cer" # tls_cert = "/etc/telegraf/cert.cer"
# ssl_key = "/etc/telegraf/key.key" # tls_key = "/etc/telegraf/key.key"
# ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
# #
# # HTTP response timeout (default: 5s) # # HTTP response timeout (default: 5s)
@ -2190,7 +2193,7 @@
# insecure_skip_verify = false # insecure_skip_verify = false
# #
# # Path to PEM-encoded Root certificate to use to verify server certificate # # Path to PEM-encoded Root certificate to use to verify server certificate
# ssl_ca = "/etc/ssl/certs.pem" # tls_ca = "/etc/ssl/certs.pem"
# #
# # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
# bind_dn = "" # bind_dn = ""
@ -2341,11 +2344,11 @@
# ## Specify timeout duration for slower prometheus clients (default is 3s) # ## Specify timeout duration for slower prometheus clients (default is 3s)
# # response_timeout = "3s" # # response_timeout = "3s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = /path/to/cafile # # tls_ca = /path/to/cafile
# # ssl_cert = /path/to/certfile # # tls_cert = /path/to/certfile
# # ssl_key = /path/to/keyfile # # tls_key = /path/to/keyfile
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2365,11 +2368,11 @@
# # username = "guest" # # username = "guest"
# # password = "guest" # # password = "guest"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional request timeouts # ## Optional request timeouts
@ -2798,11 +2801,11 @@
# ## Request timeout # ## Request timeout
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2886,11 +2889,11 @@
# ## Timeout for metric collections from all servers. Minimum timeout is "1s". # ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # enable_ssl = true # # enable_tls = true
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## If false, skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
@ -2919,11 +2922,11 @@
# ## described here: https://www.rabbitmq.com/plugins.html # ## described here: https://www.rabbitmq.com/plugins.html
# # auth_method = "PLAIN" # # auth_method = "PLAIN"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to consume. # ## Data format to consume.
@ -2994,11 +2997,11 @@
# ## topic(s) to consume # ## topic(s) to consume
# topics = ["telegraf"] # topics = ["telegraf"]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional SASL Config # ## Optional SASL Config
@ -3124,11 +3127,11 @@
# # username = "telegraf" # # username = "telegraf"
# # password = "metricsmetricsmetricsmetrics" # # password = "metricsmetricsmetricsmetrics"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to consume. # ## Data format to consume.
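Review bot: The hunks at -1173 and -2886 rename the `ssl_*` keys but leave the adjacent comment `## If false, skip chain & host verification` untouched, which states the option backwards (verification is skipped when it is true), and those two blocks plus the -1112 hunk keep `insecure_skip_verify = true` as the example value, so the sample config presents the insecure setting as the suggested one. Every other TLS block in this file now uses `## Use TLS but skip chain & host verification` followed by `# insecure_skip_verify = false`; the three remaining blocks should match that wording and example. In the -2886 hunk `enable_ssl` becomes `enable_tls`; unless that plugin also accepts the old key as a deprecated alias, the way `ssl_ca`/`ssl_cert`/`ssl_key` are kept alongside the new names, an existing config will silently stop enabling TLS, which is worth confirming against the plugin before release.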


@ -4,11 +4,7 @@ import (
"bufio" "bufio"
"bytes" "bytes"
"crypto/rand" "crypto/rand"
"crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt"
"io/ioutil"
"log" "log"
"math/big" "math/big"
"os" "os"
@ -112,94 +108,6 @@ func RandomString(n int) string {
return string(bytes) return string(bytes)
} }
// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files
// for use with a client.
// The full path to each file must be provided.
// Returns a nil pointer if all files are blank and InsecureSkipVerify=false.
func GetTLSConfig(
SSLCert, SSLKey, SSLCA string,
InsecureSkipVerify bool,
) (*tls.Config, error) {
if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify {
return nil, nil
}
t := &tls.Config{
InsecureSkipVerify: InsecureSkipVerify,
}
if SSLCA != "" {
caCert, err := ioutil.ReadFile(SSLCA)
if err != nil {
return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
err))
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
t.RootCAs = caCertPool
}
if SSLCert != "" && SSLKey != "" {
cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey)
if err != nil {
return nil, errors.New(fmt.Sprintf(
"Could not load TLS client key/certificate from %s:%s: %s",
SSLKey, SSLCert, err))
}
t.Certificates = []tls.Certificate{cert}
t.BuildNameToCertificate()
}
// will be nil by default if nothing is provided
return t, nil
}
// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files
// for use with a server.
// The full path to each file must be provided.
// Returns a nil pointer if all files are blank.
func GetServerTLSConfig(
TLSCert, TLSKey string,
TLSAllowedCACerts []string,
) (*tls.Config, error) {
if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 {
return nil, nil
}
t := &tls.Config{}
if len(TLSAllowedCACerts) != 0 {
caCertPool := x509.NewCertPool()
for _, cert := range TLSAllowedCACerts {
c, err := ioutil.ReadFile(cert)
if err != nil {
return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
err))
}
caCertPool.AppendCertsFromPEM(c)
}
t.ClientCAs = caCertPool
t.ClientAuth = tls.RequireAndVerifyClientCert
}
if TLSCert != "" && TLSKey != "" {
cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey)
if err != nil {
return nil, errors.New(fmt.Sprintf(
"Could not load TLS client key/certificate from %s:%s: %s",
TLSKey, TLSCert, err))
}
t.Certificates = []tls.Certificate{cert}
}
t.BuildNameToCertificate()
return t, nil
}
// SnakeCase converts the given string to snake case following the Golang format: // SnakeCase converts the given string to snake case following the Golang format:
// acronyms are converted to lower-case and preceded by an underscore. // acronyms are converted to lower-case and preceded by an underscore.
func SnakeCase(in string) string { func SnakeCase(in string) string {

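--- a/internal/tls/config.go
+++ b/internal/tls/config.go
@@ -0,0 +1,130 @@
+package tls
+import (
+"crypto/tls"
+"crypto/x509"
+"fmt"
+"io/ioutil"
+)
+// ClientConfig represents the standard client TLS config.
+type ClientConfig struct {
+TLSCA string `toml:"tls_ca"`
+TLSCert string `toml:"tls_cert"`
+TLSKey string `toml:"tls_key"`
+InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+// Deprecated in 1.7; use TLS variables above
+SSLCA string `toml:"ssl_ca"`
+SSLCert string `toml:"ssl_cert"`
+SSLKey string `toml:"ssl_ca"`
+}
+// ServerConfig represents the standard server TLS config.
+type ServerConfig struct {
+TLSCert string `toml:"tls_cert"`
+TLSKey string `toml:"tls_key"`
+TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
+}
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
+// Support deprecated variable names
+if c.TLSCA == "" && c.SSLCA != "" {
+c.TLSCA = c.SSLCA
+}
+if c.TLSCert == "" && c.SSLCert != "" {
+c.TLSCert = c.SSLCert
+}
+if c.TLSKey == "" && c.SSLKey != "" {
+c.TLSKey = c.SSLKey
+}
+// TODO: return default tls.Config; plugins should not call if they don't
+// want TLS, this will require using another option to determine. In the
+// case of an HTTP plugin, you could use `https`. Other plugins may need
+// the dedicated option `TLSEnable`.
+if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify {
+return nil, nil
+}
+tlsConfig := &tls.Config{
+InsecureSkipVerify: c.InsecureSkipVerify,
+Renegotiation: tls.RenegotiateNever,
+}
+if c.TLSCA != "" {
+pool, err := makeCertPool([]string{c.TLSCA})
+if err != nil {
+return nil, err
+}
+tlsConfig.RootCAs = pool
+}
+if c.TLSCert != "" && c.TLSKey != "" {
+err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+if err != nil {
+return nil, err
+}
+}
+return tlsConfig, nil
+}
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
+if c.TLSCert == "" && c.TLSKey == "" && len(c.TLSAllowedCACerts) == 0 {
+return nil, nil
+}
+tlsConfig := &tls.Config{}
+if len(c.TLSAllowedCACerts) != 0 {
+pool, err := makeCertPool(c.TLSAllowedCACerts)
+if err != nil {
+return nil, err
+}
+tlsConfig.ClientCAs = pool
+tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+}
+if c.TLSCert != "" && c.TLSKey != "" {
+err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+if err != nil {
+return nil, err
+}
+}
+return tlsConfig, nil
+}
+func makeCertPool(certFiles []string) (*x509.CertPool, error) {
+pool := x509.NewCertPool()
+for _, certFile := range certFiles {
+pem, err := ioutil.ReadFile(certFile)
+if err != nil {
+return nil, fmt.Errorf(
+"could not read certificate %q: %v", certFile, err)
+}
+ok := pool.AppendCertsFromPEM(pem)
+if !ok {
+return nil, fmt.Errorf(
+"could not parse any PEM certificates %q: %v", certFile, err)
+}
+}
+return pool, nil
+}
+func loadCertificate(config *tls.Config, certFile, keyFile string) error {
+cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+if err != nil {
+return fmt.Errorf(
+"could not load keypair %s:%s: %v", certFile, keyFile, err)
+}
+config.Certificates = []tls.Certificate{cert}
+config.BuildNameToCertificate()
+return nil
+}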
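Review bot: The deprecated `SSLKey` field in ClientConfig carries the tag `toml:"ssl_ca"` rather than `toml:"ssl_key"`, so a config that still uses the deprecated `ssl_key` option is silently ignored and `ssl_ca` is now claimed by two fields; the field should read `SSLKey string` with the tag `toml:"ssl_key"`. The "support deprecated ssl field names" case in config_test.go assigns the struct fields directly and never exercises the tags, which is why this goes unnoticed. In makeCertPool the message `could not parse any PEM certificates %q: %v` formats `err`, which is necessarily nil on that branch because the preceding ReadFile succeeded; drop the `%v`/`err` pair so the error reads cleanly. Since the client config already pins `Renegotiation: tls.RenegotiateNever`, adding `MinVersion: tls.VersionTLS12` next to it would be a consistent hardening, though that goes beyond what this change sets out to do.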

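--- a/internal/tls/config_test.go
+++ b/internal/tls/config_test.go
@@ -0,0 +1,226 @@
+package tls_test
+import (
+"net/http"
+"net/http/httptest"
+"testing"
+"time"
+"github.com/influxdata/telegraf/internal/tls"
+"github.com/influxdata/telegraf/testutil"
+"github.com/stretchr/testify/require"
+)
+var pki = testutil.NewPKI("../../testutil/pki")
+func TestClientConfig(t *testing.T) {
+tests := []struct {
+name string
+client tls.ClientConfig
+expNil bool
+expErr bool
+}{
+{
+name: "unset",
+client: tls.ClientConfig{},
+expNil: true,
+},
+{
+name: "success",
+client: tls.ClientConfig{
+TLSCA: pki.CACertPath(),
+TLSCert: pki.ClientCertPath(),
+TLSKey: pki.ClientKeyPath(),
+},
+},
+{
+name: "invalid ca",
+client: tls.ClientConfig{
+TLSCA: pki.ClientKeyPath(),
+TLSCert: pki.ClientCertPath(),
+TLSKey: pki.ClientKeyPath(),
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "missing ca is okay",
+client: tls.ClientConfig{
+TLSCert: pki.ClientCertPath(),
+TLSKey: pki.ClientKeyPath(),
+},
+},
+{
+name: "invalid cert",
+client: tls.ClientConfig{
+TLSCA: pki.CACertPath(),
+TLSCert: pki.ClientKeyPath(),
+TLSKey: pki.ClientKeyPath(),
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "missing cert skips client keypair",
+client: tls.ClientConfig{
+TLSCA: pki.CACertPath(),
+TLSKey: pki.ClientKeyPath(),
+},
+expNil: false,
+expErr: false,
+},
+{
+name: "missing key skips client keypair",
+client: tls.ClientConfig{
+TLSCA: pki.CACertPath(),
+TLSCert: pki.ClientCertPath(),
+},
+expNil: false,
+expErr: false,
+},
+{
+name: "support deprecated ssl field names",
+client: tls.ClientConfig{
+SSLCA: pki.CACertPath(),
+SSLCert: pki.ClientCertPath(),
+SSLKey: pki.ClientKeyPath(),
+},
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+tlsConfig, err := tt.client.TLSConfig()
+if !tt.expNil {
+require.NotNil(t, tlsConfig)
+} else {
+require.Nil(t, tlsConfig)
+}
+if !tt.expErr {
+require.NoError(t, err)
+} else {
+require.Error(t, err)
+}
+})
+}
+}
+func TestServerConfig(t *testing.T) {
+tests := []struct {
+name string
+server tls.ServerConfig
+expNil bool
+expErr bool
+}{
+{
+name: "unset",
+server: tls.ServerConfig{},
+expNil: true,
+},
+{
+name: "success",
+server: tls.ServerConfig{
+TLSCert: pki.ServerCertPath(),
+TLSKey: pki.ServerKeyPath(),
+TLSAllowedCACerts: []string{pki.CACertPath()},
+},
+},
+{
+name: "invalid ca",
+server: tls.ServerConfig{
+TLSCert: pki.ServerCertPath(),
+TLSKey: pki.ServerKeyPath(),
+TLSAllowedCACerts: []string{pki.ServerKeyPath()},
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "missing allowed ca is okay",
+server: tls.ServerConfig{
+TLSCert: pki.ServerCertPath(),
+TLSKey: pki.ServerKeyPath(),
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "invalid cert",
+server: tls.ServerConfig{
+TLSCert: pki.ServerKeyPath(),
+TLSKey: pki.ServerKeyPath(),
+TLSAllowedCACerts: []string{pki.CACertPath()},
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "missing cert",
+server: tls.ServerConfig{
+TLSKey: pki.ServerKeyPath(),
+TLSAllowedCACerts: []string{pki.CACertPath()},
+},
+expNil: true,
+expErr: true,
+},
+{
+name: "missing key",
+server: tls.ServerConfig{
+TLSCert: pki.ServerCertPath(),
+TLSAllowedCACerts: []string{pki.CACertPath()},
+},
+expNil: true,
+expErr: true,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+tlsConfig, err := tt.server.TLSConfig()
+if !tt.expNil {
+require.NotNil(t, tlsConfig)
+}
+if !tt.expErr {
+require.NoError(t, err)
+}
+})
+}
+}
+func TestConnect(t *testing.T) {
+clientConfig := tls.ClientConfig{
+TLSCA: pki.CACertPath(),
+TLSCert: pki.ClientCertPath(),
+TLSKey: pki.ClientKeyPath(),
+}
+serverConfig := tls.ServerConfig{
+TLSCert: pki.ServerCertPath(),
+TLSKey: pki.ServerKeyPath(),
+TLSAllowedCACerts: []string{pki.CACertPath()},
+}
+serverTLSConfig, err := serverConfig.TLSConfig()
+require.NoError(t, err)
+ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+w.WriteHeader(http.StatusOK)
+}))
+ts.TLS = serverTLSConfig
+ts.StartTLS()
+defer ts.Close()
+clientTLSConfig, err := clientConfig.TLSConfig()
+require.NoError(t, err)
+client := http.Client{
+Transport: &http.Transport{
+TLSClientConfig: clientTLSConfig,
+},
+Timeout: 10 * time.Second,
+}
+resp, err := client.Get(ts.URL)
+require.NoError(t, err)
+require.Equal(t, 200, resp.StatusCode)
+}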


@ -32,11 +32,11 @@ The following defaults are known to work with RabbitMQ:
## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as ## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as
## described here: https://www.rabbitmq.com/plugins.html ## described here: https://www.rabbitmq.com/plugins.html
# auth_method = "PLAIN" # auth_method = "PLAIN"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.


@ -10,7 +10,7 @@ import (
"github.com/streadway/amqp" "github.com/streadway/amqp"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -31,14 +31,7 @@ type AMQPConsumer struct {
// AMQP Auth method // AMQP Auth method
AuthMethod string AuthMethod string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
parser parsers.Parser parser parsers.Parser
conn *amqp.Connection conn *amqp.Connection
@ -78,11 +71,11 @@ func (a *AMQPConsumer) SampleConfig() string {
## described here: https://www.rabbitmq.com/plugins.html ## described here: https://www.rabbitmq.com/plugins.html
# auth_method = "PLAIN" # auth_method = "PLAIN"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.
@ -108,8 +101,7 @@ func (a *AMQPConsumer) Gather(_ telegraf.Accumulator) error {
func (a *AMQPConsumer) createConfig() (*amqp.Config, error) { func (a *AMQPConsumer) createConfig() (*amqp.Config, error) {
// make new tls config // make new tls config
tls, err := internal.GetTLSConfig( tls, err := a.ClientConfig.TLSConfig()
a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
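Review bot: The local declared by `tls, err := a.ClientConfig.TLSConfig()` shadows the `internal/tls` package that this same change imports into the file, so nothing after that line in createConfig can refer to the package. It compiles because the local is only used as a value, but it reads badly and trips shadow linters; `tlsCfg, err := a.ClientConfig.TLSConfig()`, the name the apache and consul plugins use in this commit, avoids it. createConfig continues outside the hunk, so the later use of the local would need the same rename.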


@ -21,11 +21,11 @@ Typically, the `mod_status` module is configured to expose a page at the `/serve
## Maximum time to receive response. ## Maximum time to receive response.
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,14 +22,7 @@ type Apache struct {
Username string Username string
Password string Password string
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -46,11 +40,11 @@ var sampleConfig = `
## Maximum time to receive response. ## Maximum time to receive response.
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -98,8 +92,7 @@ func (n *Apache) Gather(acc telegraf.Accumulator) error {
} }
func (n *Apache) createHttpClient() (*http.Client, error) { func (n *Apache) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -27,11 +27,11 @@ report those stats already using StatsD protocol if needed.
## Data centre to query the health checks from ## Data centre to query the health checks from
# datacentre = "" # datacentre = ""
## SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
``` ```


@ -5,7 +5,7 @@ import (
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -16,15 +16,7 @@ type Consul struct {
Username string Username string
Password string Password string
Datacentre string Datacentre string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// client used to connect to Consul agnet // client used to connect to Consul agnet
client *api.Client client *api.Client
@ -47,11 +39,11 @@ var sampleConfig = `
## Data centre to query the health checks from ## Data centre to query the health checks from
# datacentre = "" # datacentre = ""
## SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
` `
@ -89,9 +81,7 @@ func (c *Consul) createAPIClient() (*api.Client, error) {
} }
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := c.ClientConfig.TLSConfig()
c.SSLCert, c.SSLKey, c.SSLCA, c.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
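Review bot: The sample config still shows `# insecure_skip_verify = true` directly under the reworded "Use TLS but skip chain & host verification" comment, so the value this plugin illustrates is the one that disables certificate verification, while every other plugin touched by this commit illustrates `false`. Since the surrounding comment lines were rewritten here, the example value should be brought in line as well: `# insecure_skip_verify = false`. The plugin README carries the same `true` and would need the matching change.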


@ -54,10 +54,10 @@ your database.
## Maximum time to receive a response from cluster. ## Maximum time to receive a response from cluster.
# response_timeout = "20s" # response_timeout = "20s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true


@ -9,26 +9,11 @@ import (
"testing" "testing"
jwt "github.com/dgrijalva/jwt-go" jwt "github.com/dgrijalva/jwt-go"
"github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
const ( var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey()
privateKey = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
)
func TestLogin(t *testing.T) { func TestLogin(t *testing.T) {
ts := httptest.NewServer(http.NotFoundHandler()) ts := httptest.NewServer(http.NotFoundHandler())
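Review bot: `var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey()` runs at package init, so if the fixture directory is missing or unreadable the failure (presumably a panic, since ReadServerKey returns no error) aborts every test in the package before any of them runs, instead of failing only TestLogin. Reading the key inside the test, or via a small helper that takes `t *testing.T` and calls `t.Fatal` on failure, keeps the failure attributable. A one-line comment that this is the shared test PKI's TLS server key being reused as a JWT signing key would also spare the next reader a detour into testutil.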


@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -56,11 +57,7 @@ type DCOS struct {
MaxConnections int MaxConnections int
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
client Client client Client
creds Credentials creds Credentials
@ -107,10 +104,10 @@ var sampleConfig = `
## Maximum time to receive a response from cluster. ## Maximum time to receive a response from cluster.
# response_timeout = "20s" # response_timeout = "20s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
@ -351,8 +348,7 @@ func (d *DCOS) init() error {
} }
func (d *DCOS) createClient() (Client, error) { func (d *DCOS) createClient() (Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := d.ClientConfig.TLSConfig()
d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
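Review bot: The sample config keeps `# insecure_skip_verify = true` as the illustrated value even though the comment block above it was just rewritten, so a user who uncomments the example as-is disables chain and host verification toward the DC/OS cluster. The other plugins converted in this commit illustrate `false`; this one should too: `# insecure_skip_verify = false`. The README for the plugin shows the same `true` and needs the same correction.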


@ -53,11 +53,11 @@ to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.24/)
## Which environment variables should we use as a tag ## Which environment variables should we use as a tag
tag_env = ["JAVA_HOME", "HEAP_SIZE"] tag_env = ["JAVA_HOME", "HEAP_SIZE"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -20,6 +20,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -43,10 +44,7 @@ type Docker struct {
ContainerStateInclude []string `toml:"container_state_include"` ContainerStateInclude []string `toml:"container_state_include"`
ContainerStateExclude []string `toml:"container_state_exclude"` ContainerStateExclude []string `toml:"container_state_exclude"`
SSLCA string `toml:"ssl_ca"` tlsint.ClientConfig
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
newEnvClient func() (Client, error) newEnvClient func() (Client, error)
newClient func(string, *tls.Config) (Client, error) newClient func(string, *tls.Config) (Client, error)
@ -115,11 +113,11 @@ var sampleConfig = `
docker_label_include = [] docker_label_include = []
docker_label_exclude = [] docker_label_exclude = []
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -136,8 +134,7 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error {
if d.Endpoint == "ENV" { if d.Endpoint == "ENV" {
c, err = d.newEnvClient() c, err = d.newEnvClient()
} else { } else {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := d.ClientConfig.TLSConfig()
d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
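Review bot: `tlsConfig, err := d.ClientConfig.TLSConfig()` inside the `else` branch declares a block-scoped `err` that shadows the one assigned by `c, err = d.newEnvClient()` in the `if` branch. The shadowing predates this commit, but if the remainder of the branch (outside the hunk) assigns the client with `c, err = d.newClient(...)` and the error check sits after the `if`/`else`, that error is silently lost; declaring `var tlsConfig *tls.Config` before the branch and assigning with `=` removes the shadow. Gather continues past the end of the hunk.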


@ -38,11 +38,11 @@ or [cluster-stats](https://www.elastic.co/guide/en/elasticsearch/reference/curre
## "breaker". Per default, all stats are gathered. ## "breaker". Per default, all stats are gathered.
# node_stats = ["jvm", "http"] # node_stats = ["jvm", "http"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -3,16 +3,18 @@ package elasticsearch
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"regexp" "regexp"
"strings" "strings"
"sync" "sync"
"time" "time"
"github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
) )
// mask for masking username/password from error messages // mask for masking username/password from error messages
@ -108,28 +110,26 @@ const sampleConfig = `
## "breaker". Per default, all stats are gathered. ## "breaker". Per default, all stats are gathered.
# node_stats = ["jvm", "http"] # node_stats = ["jvm", "http"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
// Elasticsearch is a plugin to read stats from one or many Elasticsearch // Elasticsearch is a plugin to read stats from one or many Elasticsearch
// servers. // servers.
type Elasticsearch struct { type Elasticsearch struct {
Local bool Local bool
Servers []string Servers []string
HttpTimeout internal.Duration HttpTimeout internal.Duration
ClusterHealth bool ClusterHealth bool
ClusterHealthLevel string ClusterHealthLevel string
ClusterStats bool ClusterStats bool
NodeStats []string NodeStats []string
SSLCA string `toml:"ssl_ca"` // Path to CA file tls.ClientConfig
SSLCert string `toml:"ssl_cert"` // Path to host cert file
SSLKey string `toml:"ssl_key"` // Path to cert key file
InsecureSkipVerify bool // Use SSL but skip chain & host verification
client *http.Client client *http.Client
catMasterResponseTokens []string catMasterResponseTokens []string
isMaster bool isMaster bool
@ -227,7 +227,7 @@ func (e *Elasticsearch) Gather(acc telegraf.Accumulator) error {
} }
func (e *Elasticsearch) createHttpClient() (*http.Client, error) { func (e *Elasticsearch) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig(e.SSLCert, e.SSLKey, e.SSLCA, e.InsecureSkipVerify) tlsCfg, err := e.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -44,11 +44,11 @@ Note: if namespace end point specified metrics array will be ignored for that ca
username = "" username = ""
password = "" password = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -14,7 +14,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -35,15 +35,7 @@ type GrayLog struct {
Metrics []string Metrics []string
Username string Username string
Password string Password string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client HTTPClient client HTTPClient
} }
@ -111,11 +103,11 @@ var sampleConfig = `
username = "" username = ""
password = "" password = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -132,8 +124,7 @@ func (h *GrayLog) Gather(acc telegraf.Accumulator) error {
var wg sync.WaitGroup var wg sync.WaitGroup
if h.client.HTTPClient() == nil { if h.client.HTTPClient() == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -28,11 +28,11 @@ or [HTTP statistics page](https://cbonte.github.io/haproxy-dconv/1.9/management.
## field names. ## field names.
# keep_field_names = false # keep_field_names = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -14,27 +14,18 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
//CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1 //CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1
type haproxy struct { type haproxy struct {
Servers []string Servers []string
KeepFieldNames bool
tls.ClientConfig
client *http.Client client *http.Client
KeepFieldNames bool
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
} }
var sampleConfig = ` var sampleConfig = `
@ -56,11 +47,11 @@ var sampleConfig = `
## field names. ## field names.
# keep_field_names = false # keep_field_names = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -144,8 +135,7 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error {
} }
if g.client == nil { if g.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := g.ClientConfig.TLSConfig()
g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -23,11 +23,11 @@ The HTTP input plugin collects metrics from one or more HTTP(S) endpoints. The
# username = "username" # username = "username"
# password = "pa$$word" # password = "pa$$word"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Amount of time allowed to complete the HTTP request ## Amount of time allowed to complete the HTTP request


@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -24,15 +25,7 @@ type HTTP struct {
// HTTP Basic Auth Credentials // HTTP Basic Auth Credentials
Username string Username string
Password string Password string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Timeout internal.Duration Timeout internal.Duration
@ -62,11 +55,11 @@ var sampleConfig = `
## Tag all metrics with the url ## Tag all metrics with the url
# tag_url = true # tag_url = true
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Amount of time allowed to complete the HTTP request ## Amount of time allowed to complete the HTTP request
@ -97,8 +90,7 @@ func (h *HTTP) Gather(acc telegraf.Accumulator) error {
} }
if h.client == nil { if h.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -5,9 +5,7 @@ import (
"compress/gzip" "compress/gzip"
"crypto/subtle" "crypto/subtle"
"crypto/tls" "crypto/tls"
"crypto/x509"
"io" "io"
"io/ioutil"
"log" "log"
"net" "net"
"net/http" "net/http"
@ -16,6 +14,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/plugins/parsers/influx"
"github.com/influxdata/telegraf/selfstat" "github.com/influxdata/telegraf/selfstat"
@ -43,9 +42,7 @@ type HTTPListener struct {
MaxLineSize int MaxLineSize int
Port int Port int
TlsAllowedCacerts []string tlsint.ServerConfig
TlsCert string
TlsKey string
BasicUsername string BasicUsername string
BasicPassword string BasicPassword string
@ -158,7 +155,10 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error {
h.acc = acc h.acc = acc
h.pool = NewPool(200, h.MaxLineSize) h.pool = NewPool(200, h.MaxLineSize)
tlsConf := h.getTLSConfig() tlsConf, err := h.ServerConfig.TLSConfig()
if err != nil {
return err
}
server := &http.Server{ server := &http.Server{
Addr: h.ServiceAddress, Addr: h.ServiceAddress,
@ -168,7 +168,6 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error {
TLSConfig: tlsConf, TLSConfig: tlsConf,
} }
var err error
var listener net.Listener var listener net.Listener
if tlsConf != nil { if tlsConf != nil {
listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf) listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf)
@ -372,38 +371,6 @@ func badRequest(res http.ResponseWriter) {
res.Write([]byte(`{"error":"http: bad request"}`)) res.Write([]byte(`{"error":"http: bad request"}`))
} }
func (h *HTTPListener) getTLSConfig() *tls.Config {
tlsConf := &tls.Config{
InsecureSkipVerify: false,
Renegotiation: tls.RenegotiateNever,
}
if len(h.TlsCert) == 0 || len(h.TlsKey) == 0 {
return nil
}
cert, err := tls.LoadX509KeyPair(h.TlsCert, h.TlsKey)
if err != nil {
return nil
}
tlsConf.Certificates = []tls.Certificate{cert}
if h.TlsAllowedCacerts != nil {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
clientPool := x509.NewCertPool()
for _, ca := range h.TlsAllowedCacerts {
c, err := ioutil.ReadFile(ca)
if err != nil {
continue
}
clientPool.AppendCertsFromPEM(c)
}
tlsConf.ClientCAs = clientPool
}
return tlsConf
}
func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) { func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) {
if h.BasicUsername != "" && h.BasicPassword != "" { if h.BasicUsername != "" && h.BasicPassword != "" {
reqUsername, reqPassword, ok := req.BasicAuth() reqUsername, reqPassword, ok := req.BasicAuth()
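Review bot: The deleted getTLSConfig set `Renegotiation: tls.RenegotiateNever` explicitly, and the replacement `h.ServerConfig.TLSConfig()` is opaque from this file, so whether the listener still refuses renegotiation (and what minimum version and client-auth mode it applies when `tls_allowed_cacerts` is set) cannot be confirmed from the hunk; a one-line comment at the call site stating the guarantees ServerConfig provides would make that contract visible. Returning the error instead of the old silent `return nil` on a failed LoadX509KeyPair is a genuine hardening: before, a bad certificate path left the listener serving plaintext on the configured address. The old loop also skipped unreadable CA files with `continue`; if ServerConfig now treats those as an error (the new tls test table has an "invalid ca" case expecting one), that is a user-visible behaviour change worth a changelog line.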


@ -4,7 +4,6 @@ import (
"bytes" "bytes"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
@ -34,86 +33,12 @@ cpu_load_short,host=server06 value=12.0 1422568543702900257
emptyMsg = "" emptyMsg = ""
serviceRootPEM = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
serviceCertPEM = `-----BEGIN CERTIFICATE-----
MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl
Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBQxEjAQBgNV
BAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsJRss1af
XKrcIjQoAp2kdJIpT2Ya+MRQXJ18b0PP7szh2lisY11kd/HCkd4D4efuIkpszHaN
xwyTOZLOoplxp6fizzgOYjXsJ6SzbO1MQNmq8Ch/+uKiGgFwLX+YxOOsGSDIHNhF
vcBi93cQtCWPBFz6QRQf9yfIAA5KKxUfJcMCAwEAAaMvMC0wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
gYEAiC3WI4y9vfYz53gw7FKnNK7BBdwRc43x7Pd+5J/cclWyUZPdmcj1UNmv/3rj
2qcMmX06UdgPoHppzNAJePvMVk0vjMBUe9MmYlafMz0h4ma/it5iuldXwmejFcdL
6wWQp7gVTileCEmq9sNvfQN1FmT3EWf4IMdO2MNat/1If0g=
-----END CERTIFICATE-----`
serviceKeyPEM = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
clientRootPEM = serviceRootPEM
clientCertPEM = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
clientKeyPEM = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
basicUsername = "test-username-please-ignore" basicUsername = "test-username-please-ignore"
basicPassword = "super-secure-password!" basicPassword = "super-secure-password!"
) )
var ( var (
initClient sync.Once pki = testutil.NewPKI("../../../testutil/pki")
client *http.Client
initServiceCertFiles sync.Once
allowedCAFiles []string
serviceCAFiles []string
serviceCertFile string
serviceKeyFile string
) )
func newTestHTTPListener() *HTTPListener { func newTestHTTPListener() *HTTPListener {
@ -132,74 +57,25 @@ func newTestHTTPAuthListener() *HTTPListener {
} }
func newTestHTTPSListener() *HTTPListener { func newTestHTTPSListener() *HTTPListener {
initServiceCertFiles.Do(func() {
acaf, err := ioutil.TempFile("", "allowedCAFile.crt")
if err != nil {
panic(err)
}
defer acaf.Close()
_, err = io.Copy(acaf, bytes.NewReader([]byte(clientRootPEM)))
allowedCAFiles = []string{acaf.Name()}
scaf, err := ioutil.TempFile("", "serviceCAFile.crt")
if err != nil {
panic(err)
}
defer scaf.Close()
_, err = io.Copy(scaf, bytes.NewReader([]byte(serviceRootPEM)))
serviceCAFiles = []string{scaf.Name()}
scf, err := ioutil.TempFile("", "serviceCertFile.crt")
if err != nil {
panic(err)
}
defer scf.Close()
_, err = io.Copy(scf, bytes.NewReader([]byte(serviceCertPEM)))
serviceCertFile = scf.Name()
skf, err := ioutil.TempFile("", "serviceKeyFile.crt")
if err != nil {
panic(err)
}
defer skf.Close()
_, err = io.Copy(skf, bytes.NewReader([]byte(serviceKeyPEM)))
serviceKeyFile = skf.Name()
})
listener := &HTTPListener{ listener := &HTTPListener{
ServiceAddress: "localhost:0", ServiceAddress: "localhost:0",
TlsAllowedCacerts: allowedCAFiles, ServerConfig: *pki.TLSServerConfig(),
TlsCert: serviceCertFile, TimeFunc: time.Now,
TlsKey: serviceKeyFile,
TimeFunc: time.Now,
} }
return listener return listener
} }
func getHTTPSClient() *http.Client { func getHTTPSClient() *http.Client {
initClient.Do(func() { tlsConfig, err := pki.TLSClientConfig().TLSConfig()
cas := x509.NewCertPool() if err != nil {
cas.AppendCertsFromPEM([]byte(serviceRootPEM)) panic(err)
clientCert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM)) }
if err != nil { return &http.Client{
panic(err) Transport: &http.Transport{
} TLSClientConfig: tlsConfig,
client = &http.Client{ },
Transport: &http.Transport{ }
TLSClientConfig: &tls.Config{
RootCAs: cas,
Certificates: []tls.Certificate{clientCert},
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Renegotiation: tls.RenegotiateNever,
InsecureSkipVerify: false,
},
},
}
})
return client
} }
func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string { func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string {
@ -214,14 +90,14 @@ func createURL(listener *HTTPListener, scheme string, path string, rawquery stri
func TestWriteHTTPSNoClientAuth(t *testing.T) { func TestWriteHTTPSNoClientAuth(t *testing.T) {
listener := newTestHTTPSListener() listener := newTestHTTPSListener()
listener.TlsAllowedCacerts = nil listener.TLSAllowedCACerts = nil
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
require.NoError(t, listener.Start(acc)) require.NoError(t, listener.Start(acc))
defer listener.Stop() defer listener.Stop()
cas := x509.NewCertPool() cas := x509.NewCertPool()
cas.AppendCertsFromPEM([]byte(serviceRootPEM)) cas.AppendCertsFromPEM([]byte(pki.ReadServerCert()))
noClientAuthClient := &http.Client{ noClientAuthClient := &http.Client{
Transport: &http.Transport{ Transport: &http.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{


@ -32,11 +32,11 @@ This input plugin checks HTTP/HTTPS connections.
# response_string_match = "ok" # response_string_match = "ok"
# response_string_match = "\".*_status\".?:.?\"up\"" # response_string_match = "\".*_status\".?:.?\"up\""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Headers (all values must be strings) ## HTTP Request Headers (all values must be strings)


@ -16,6 +16,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -29,15 +30,7 @@ type HTTPResponse struct {
Headers map[string]string Headers map[string]string
FollowRedirects bool FollowRedirects bool
ResponseStringMatch string ResponseStringMatch string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
compiledStringMatch *regexp.Regexp compiledStringMatch *regexp.Regexp
client *http.Client client *http.Client
@ -74,11 +67,11 @@ var sampleConfig = `
# response_string_match = "ok" # response_string_match = "ok"
# response_string_match = "\".*_status\".?:.?\"up\"" # response_string_match = "\".*_status\".?:.?\"up\""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Headers (all values must be strings) ## HTTP Request Headers (all values must be strings)
@ -113,8 +106,7 @@ func getProxyFunc(http_proxy string) func(*http.Request) (*url.URL, error) {
// CreateHttpClient creates an http client which will timeout at the specified // CreateHttpClient creates an http client which will timeout at the specified
// timeout period and can follow redirects if specified // timeout period and can follow redirects if specified
func (h *HTTPResponse) createHttpClient() (*http.Client, error) { func (h *HTTPResponse) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
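Review bot: The removed fields each carried a comment (`// Path to CA file`, `// Path to host cert file`, …), but the embedded `tls.ClientConfig` that replaces them is undocumented in the struct, so a reader now has to open internal/tls to learn which TOML keys the plugin consumes. A one-line comment above the embedding, `// TLS options: tls_ca, tls_cert, tls_key, insecure_skip_verify`, restores what was lost. The same applies to the struct hunks in the httpjson, influxdb, kafka_consumer, kapacitor, kubernetes, mesos, mqtt_consumer and mysql sections of this commit, where the commented fields were likewise dropped without a note on the embedded field.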


@ -34,11 +34,11 @@ Deprecated (1.6): use the [http](../http) input.
# "my_tag_2" # "my_tag_2"
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Parameters (all values must be strings). For "GET" requests, data ## HTTP Request Parameters (all values must be strings). For "GET" requests, data


@ -12,6 +12,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -29,15 +30,7 @@ type HttpJson struct {
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
Parameters map[string]string Parameters map[string]string
Headers map[string]string Headers map[string]string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client HTTPClient client HTTPClient
} }
@ -100,11 +93,11 @@ var sampleConfig = `
# "my_tag_2" # "my_tag_2"
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP parameters (all values must be strings). For "GET" requests, data ## HTTP parameters (all values must be strings). For "GET" requests, data
@ -133,8 +126,7 @@ func (h *HttpJson) Gather(acc telegraf.Accumulator) error {
var wg sync.WaitGroup var wg sync.WaitGroup
if h.client.HTTPClient() == nil { if h.client.HTTPClient() == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -20,11 +20,11 @@ InfluxDB-formatted endpoints. See below for more information.
"http://localhost:8086/debug/vars" "http://localhost:8086/debug/vars"
] ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## http request & header timeout ## http request & header timeout


@ -10,21 +10,14 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
type InfluxDB struct { type InfluxDB struct {
URLs []string `toml:"urls"` URLs []string `toml:"urls"`
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
client *http.Client client *http.Client
} }
@ -45,11 +38,11 @@ func (*InfluxDB) SampleConfig() string {
"http://localhost:8086/debug/vars" "http://localhost:8086/debug/vars"
] ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## http request & header timeout ## http request & header timeout
@ -63,8 +56,7 @@ func (i *InfluxDB) Gather(acc telegraf.Accumulator) error {
} }
if i.client == nil { if i.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := i.ClientConfig.TLSConfig()
i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -18,14 +18,14 @@ The `jolokia2_agent` input plugin reads JMX metrics from one or more [Jolokia ag
paths = ["Uptime"] paths = ["Uptime"]
``` ```
Optionally, specify SSL options for communicating with agents: Optionally, specify TLS options for communicating with agents:
```toml ```toml
[[inputs.jolokia2_agent]] [[inputs.jolokia2_agent]]
urls = ["https://agent:8080/jolokia"] urls = ["https://agent:8080/jolokia"]
ssl_ca = "/var/private/ca.pem" tls_ca = "/var/private/ca.pem"
ssl_cert = "/var/private/client.pem" tls_cert = "/var/private/client.pem"
ssl_key = "/var/private/client-key.pem" tls_key = "/var/private/client-key.pem"
#insecure_skip_verify = false #insecure_skip_verify = false
[[inputs.jolokia2_agent.metric]] [[inputs.jolokia2_agent.metric]]
@ -55,15 +55,15 @@ The `jolokia2_proxy` input plugin reads JMX metrics from one or more _targets_ b
paths = ["Uptime"] paths = ["Uptime"]
``` ```
Optionally, specify SSL options for communicating with proxies: Optionally, specify TLS options for communicating with proxies:
```toml ```toml
[[inputs.jolokia2_proxy]] [[inputs.jolokia2_proxy]]
url = "https://proxy:8080/jolokia" url = "https://proxy:8080/jolokia"
ssl_ca = "/var/private/ca.pem" tls_ca = "/var/private/ca.pem"
ssl_cert = "/var/private/client.pem" tls_cert = "/var/private/client.pem"
ssl_key = "/var/private/client-key.pem" tls_key = "/var/private/client-key.pem"
#insecure_skip_verify = false #insecure_skip_verify = false
#default_target_username = "" #default_target_username = ""


@ -10,7 +10,7 @@ import (
"path" "path"
"time" "time"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
) )
type Client struct { type Client struct {
@ -20,15 +20,11 @@ type Client struct {
} }
type ClientConfig struct { type ClientConfig struct {
ResponseTimeout time.Duration ResponseTimeout time.Duration
Username string Username string
Password string Password string
SSLCA string ProxyConfig *ProxyConfig
SSLCert string tls.ClientConfig
SSLKey string
InsecureSkipVerify bool
ProxyConfig *ProxyConfig
} }
type ProxyConfig struct { type ProxyConfig struct {
@ -100,8 +96,7 @@ type jolokiaResponse struct {
} }
func NewClient(url string, config *ClientConfig) (*Client, error) { func NewClient(url string, config *ClientConfig) (*Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := config.ClientConfig.TLSConfig()
config.SSLCert, config.SSLKey, config.SSLCA, config.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
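Review bot: Embedding `tls.ClientConfig` in the jolokia2 `ClientConfig` struct yields a field that is itself named `ClientConfig`, so the literals in the agent and proxy createClient hunks read `ClientConfig: ja.ClientConfig` inside a `&ClientConfig{...}`, two different types under one name, and `config.ClientConfig.TLSConfig()` in NewClient is easy to misread as recursion. A comment on the embedded field in the struct hunk, `// Embedded tls.ClientConfig (tls_ca, tls_cert, tls_key, insecure_skip_verify); not to be confused with this struct`, would make the relationship explicit. The same point applies to the jolokia2_agent and jolokia2_proxy struct and createClient hunks later in this commit.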


@ -6,6 +6,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal/tls"
) )
type JolokiaAgent struct { type JolokiaAgent struct {
@ -18,10 +19,7 @@ type JolokiaAgent struct {
Password string Password string
ResponseTimeout time.Duration `toml:"response_timeout"` ResponseTimeout time.Duration `toml:"response_timeout"`
SSLCA string `toml:"ssl_ca"` tls.ClientConfig
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
Metrics []MetricConfig `toml:"metric"` Metrics []MetricConfig `toml:"metric"`
gatherer *Gatherer gatherer *Gatherer
@ -39,10 +37,10 @@ func (ja *JolokiaAgent) SampleConfig() string {
# password = "" # password = ""
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL config ## Optional TLS config
# ssl_ca = "/var/private/ca.pem" # tls_ca = "/var/private/ca.pem"
# ssl_cert = "/var/private/client.pem" # tls_cert = "/var/private/client.pem"
# ssl_key = "/var/private/client-key.pem" # tls_key = "/var/private/client-key.pem"
# insecure_skip_verify = false # insecure_skip_verify = false
## Add metrics to read ## Add metrics to read
@ -101,12 +99,9 @@ func (ja *JolokiaAgent) createMetrics() []Metric {
func (ja *JolokiaAgent) createClient(url string) (*Client, error) { func (ja *JolokiaAgent) createClient(url string) (*Client, error) {
return NewClient(url, &ClientConfig{ return NewClient(url, &ClientConfig{
Username: ja.Username, Username: ja.Username,
Password: ja.Password, Password: ja.Password,
ResponseTimeout: ja.ResponseTimeout, ResponseTimeout: ja.ResponseTimeout,
SSLCA: ja.SSLCA, ClientConfig: ja.ClientConfig,
SSLCert: ja.SSLCert,
SSLKey: ja.SSLKey,
InsecureSkipVerify: ja.InsecureSkipVerify,
}) })
} }


@ -4,6 +4,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal/tls"
) )
type JolokiaProxy struct { type JolokiaProxy struct {
@ -16,13 +17,10 @@ type JolokiaProxy struct {
DefaultTargetUsername string DefaultTargetUsername string
Targets []JolokiaProxyTargetConfig `toml:"target"` Targets []JolokiaProxyTargetConfig `toml:"target"`
Username string Username string
Password string Password string
SSLCA string `toml:"ssl_ca"` ResponseTimeout time.Duration `toml:"response_timeout"`
SSLCert string `toml:"ssl_cert"` tls.ClientConfig
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
ResponseTimeout time.Duration `toml:"response_timeout"`
Metrics []MetricConfig `toml:"metric"` Metrics []MetricConfig `toml:"metric"`
client *Client client *Client
@ -47,10 +45,10 @@ func (jp *JolokiaProxy) SampleConfig() string {
# password = "" # password = ""
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL config ## Optional TLS config
# ssl_ca = "/var/private/ca.pem" # tls_ca = "/var/private/ca.pem"
# ssl_cert = "/var/private/client.pem" # tls_cert = "/var/private/client.pem"
# ssl_key = "/var/private/client-key.pem" # tls_key = "/var/private/client-key.pem"
# insecure_skip_verify = false # insecure_skip_verify = false
## Add proxy targets to query ## Add proxy targets to query
@ -117,13 +115,10 @@ func (jp *JolokiaProxy) createClient() (*Client, error) {
} }
return NewClient(jp.URL, &ClientConfig{ return NewClient(jp.URL, &ClientConfig{
Username: jp.Username, Username: jp.Username,
Password: jp.Password, Password: jp.Password,
ResponseTimeout: jp.ResponseTimeout, ResponseTimeout: jp.ResponseTimeout,
SSLCA: jp.SSLCA, ClientConfig: jp.ClientConfig,
SSLCert: jp.SSLCert, ProxyConfig: proxyConfig,
SSLKey: jp.SSLKey,
InsecureSkipVerify: jp.InsecureSkipVerify,
ProxyConfig: proxyConfig,
}) })
} }


@ -22,11 +22,11 @@ and use the old zookeeper connection method.
## Offset (must be either "oldest" or "newest") ## Offset (must be either "oldest" or "newest")
offset = "oldest" offset = "oldest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config


@ -7,7 +7,7 @@ import (
"sync" "sync"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
@ -23,14 +23,7 @@ type Kafka struct {
Cluster *cluster.Consumer Cluster *cluster.Consumer
// Verify Kafka SSL Certificate tls.ClientConfig
InsecureSkipVerify bool
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// SASL Username // SASL Username
SASLUsername string `toml:"sasl_username"` SASLUsername string `toml:"sasl_username"`
@ -67,11 +60,11 @@ var sampleConfig = `
## topic(s) to consume ## topic(s) to consume
topics = ["telegraf"] topics = ["telegraf"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config
@ -116,8 +109,7 @@ func (k *Kafka) Start(acc telegraf.Accumulator) error {
config := cluster.NewConfig() config := cluster.NewConfig()
config.Consumer.Return.Errors = true config.Consumer.Return.Errors = true
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -15,11 +15,11 @@ The Kapacitor plugin will collect metrics from the given Kapacitor instances.
## Time limit for http requests ## Time limit for http requests
timeout = "5s" timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -9,6 +9,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -17,18 +18,9 @@ const (
) )
type Kapacitor struct { type Kapacitor struct {
URLs []string `toml:"urls"` URLs []string `toml:"urls"`
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -48,11 +40,11 @@ func (*Kapacitor) SampleConfig() string {
## Time limit for http requests ## Time limit for http requests
timeout = "5s" timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
} }
@ -82,8 +74,7 @@ func (k *Kapacitor) Gather(acc telegraf.Accumulator) error {
} }
func (k *Kapacitor) createHttpClient() (*http.Client, error) { func (k *Kapacitor) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,18 +22,11 @@ type Kubernetes struct {
// Bearer Token authorization file path // Bearer Token authorization file path
BearerToken string `toml:"bearer_token"` BearerToken string `toml:"bearer_token"`
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// HTTP Timeout specified as a string - 3s, 1m, 1h // HTTP Timeout specified as a string - 3s, 1m, 1h
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
tls.ClientConfig
RoundTripper http.RoundTripper RoundTripper http.RoundTripper
} }
@ -46,11 +40,11 @@ var sampleConfig = `
## Set response_timeout (default 5 seconds) ## Set response_timeout (default 5 seconds)
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -101,7 +95,7 @@ func (k *Kubernetes) gatherSummary(baseURL string, acc telegraf.Accumulator) err
var token []byte var token []byte
var resp *http.Response var resp *http.Response
tlsCfg, err := internal.GetTLSConfig(k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) tlsCfg, err := k.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }


@ -36,11 +36,11 @@ For more information, please check the [Mesos Observability Metrics](http://meso
# "messages", # "messages",
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -14,7 +14,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
) )
@ -33,15 +33,7 @@ type Mesos struct {
Slaves []string Slaves []string
SlaveCols []string `toml:"slave_collections"` SlaveCols []string `toml:"slave_collections"`
//SlaveTasks bool //SlaveTasks bool
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
initialized bool initialized bool
client *http.Client client *http.Client
@ -83,11 +75,11 @@ var sampleConfig = `
# "messages", # "messages",
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -216,8 +208,7 @@ func (m *Mesos) Gather(acc telegraf.Accumulator) error {
} }
func (m *Mesos) createHttpClient() (*http.Client, error) { func (m *Mesos) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -14,11 +14,11 @@
## When true, collect per database stats ## When true, collect per database stats
# gather_perdb_stats = false # gather_perdb_stats = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -12,7 +12,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"gopkg.in/mgo.v2" "gopkg.in/mgo.v2"
) )
@ -22,15 +22,7 @@ type MongoDB struct {
Ssl Ssl Ssl Ssl
mongos map[string]*Server mongos map[string]*Server
GatherPerdbStats bool GatherPerdbStats bool
tlsint.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
} }
type Ssl struct { type Ssl struct {
@ -49,11 +41,11 @@ var sampleConfig = `
## When true, collect per database stats ## When true, collect per database stats
# gather_perdb_stats = false # gather_perdb_stats = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -134,7 +126,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
var tlsConfig *tls.Config var tlsConfig *tls.Config
if m.Ssl.Enabled { if m.Ssl.Enabled {
// Deprecated SSL config // Deprecated TLS config
tlsConfig = &tls.Config{} tlsConfig = &tls.Config{}
if len(m.Ssl.CaCerts) > 0 { if len(m.Ssl.CaCerts) > 0 {
roots := x509.NewCertPool() roots := x509.NewCertPool()
@ -149,8 +141,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
tlsConfig.InsecureSkipVerify = true tlsConfig.InsecureSkipVerify = true
} }
} else { } else {
tlsConfig, err = internal.GetTLSConfig( tlsConfig, err = m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
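Review bot: The embedded `tlsint.ClientConfig` is only consulted in the else branch of gatherServer; when `m.Ssl.Enabled` is true the legacy path builds its own tls.Config and any tls_ca/tls_cert/tls_key the user also set is silently ignored, and that legacy path appears to set `InsecureSkipVerify = true` on its own when no CA certs are configured. A comment on the new field in the struct hunk, `// Ignored when Ssl.Enabled is set; the legacy Ssl block takes precedence`, would make the precedence explicit, and `Ssl` itself deserves a `// Deprecated: use tls_ca, tls_cert and tls_key instead.` line so tooling surfaces it. gatherServer starts and ends outside the hunk, so the error path after the new call is not visible here.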


@ -36,11 +36,11 @@ The plugin expects messages in the
# username = "telegraf" # username = "telegraf"
# password = "metricsmetricsmetricsmetrics" # password = "metricsmetricsmetricsmetrics"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.


@ -9,6 +9,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
@ -33,15 +34,7 @@ type MQTTConsumer struct {
PersistentSession bool PersistentSession bool
ClientID string `toml:"client_id"` ClientID string `toml:"client_id"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
sync.Mutex sync.Mutex
client mqtt.Client client mqtt.Client
@ -83,11 +76,11 @@ var sampleConfig = `
# username = "telegraf" # username = "telegraf"
# password = "metricsmetricsmetricsmetrics" # password = "metricsmetricsmetricsmetrics"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.
@ -236,8 +229,7 @@ func (m *MQTTConsumer) createOpts() (*mqtt.ClientOptions, error) {
opts.SetClientID(m.ClientID) opts.SetClientID(m.ClientID)
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -82,10 +82,10 @@ This plugin gathers the statistic data from MySQL server
## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
interval_slow = "30m" interval_slow = "30m"
## Optional SSL Config (will be used if tls=custom parameter specified in server uri) ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
ssl_ca = "/etc/telegraf/ca.pem" tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" tls_cert = "/etc/telegraf/cert.pem"
ssl_key = "/etc/telegraf/key.pem" tls_key = "/etc/telegraf/key.pem"
``` ```
#### Metric Version #### Metric Version


@ -11,7 +11,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/inputs/mysql/v1" "github.com/influxdata/telegraf/plugins/inputs/mysql/v1"
@ -38,10 +38,8 @@ type Mysql struct {
GatherFileEventsStats bool `toml:"gather_file_events_stats"` GatherFileEventsStats bool `toml:"gather_file_events_stats"`
GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"` GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"`
IntervalSlow string `toml:"interval_slow"` IntervalSlow string `toml:"interval_slow"`
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
MetricVersion int `toml:"metric_version"` MetricVersion int `toml:"metric_version"`
tls.ClientConfig
} }
var sampleConfig = ` var sampleConfig = `
@ -118,10 +116,12 @@ var sampleConfig = `
## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
interval_slow = "30m" interval_slow = "30m"
## Optional SSL Config (will be used if tls=custom parameter specified in server uri) ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false
` `
var defaultTimeout = time.Second * time.Duration(5) var defaultTimeout = time.Second * time.Duration(5)
@ -161,7 +161,7 @@ func (m *Mysql) Gather(acc telegraf.Accumulator) error {
m.InitMysql() m.InitMysql()
} }
tlsConfig, err := internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false) tlsConfig, err := m.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return fmt.Errorf("registering TLS config: %s", err) return fmt.Errorf("registering TLS config: %s", err)
} }
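Review bot: `insecure_skip_verify` becomes effective for this plugin with `m.ClientConfig.TLSConfig()` in the `Gather` hunk, where the old `internal.GetTLSConfig(..., false)` call pinned the verify flag to false; the new option appears in the `sampleConfig` hunk but not in the mysql README hunk earlier on this page, so a reader of the README will not know the plugin now accepts it. Since `tlsConfig` is handed to the driver registration outside the hunk, it is worth confirming that a nil config (which `TLSConfig()` appears to return when no `tls_*` option is set, judging by the graphite hunk's `if tlsConfig != nil`) is handled there. `Gather` continues outside the hunk.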


@ -8,11 +8,11 @@
## An array of Nginx stub_status URI to gather stats. ## An array of Nginx stub_status URI to gather stats.
urls = ["http://localhost/server_status"] urls = ["http://localhost/server_status"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP response timeout (default: 5s) ## HTTP response timeout (default: 5s)


@ -13,34 +13,28 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
type Nginx struct { type Nginx struct {
// List of status URLs Urls []string
Urls []string ResponseTimeout internal.Duration
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to client cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// HTTP client // HTTP client
client *http.Client client *http.Client
// Response timeout
ResponseTimeout internal.Duration
} }
var sampleConfig = ` var sampleConfig = `
# An array of Nginx stub_status URI to gather stats. # An array of Nginx stub_status URI to gather stats.
urls = ["http://localhost/server_status"] urls = ["http://localhost/server_status"]
# TLS/SSL configuration ## Optional TLS Config
ssl_ca = "/etc/telegraf/ca.pem" tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.cer" tls_cert = "/etc/telegraf/cert.cer"
ssl_key = "/etc/telegraf/key.key" tls_key = "/etc/telegraf/key.key"
## Use TLS but skip chain & host verification
insecure_skip_verify = false insecure_skip_verify = false
# HTTP response timeout (default: 5s) # HTTP response timeout (default: 5s)
@ -87,8 +81,7 @@ func (n *Nginx) Gather(acc telegraf.Accumulator) error {
} }
func (n *Nginx) createHttpClient() (*http.Client, error) { func (n *Nginx) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
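Review bot: In the `sampleConfig` hunk the lines `tls_ca = "/etc/telegraf/ca.pem"`, `tls_cert = "/etc/telegraf/cert.cer"` and `tls_key = "/etc/telegraf/key.key"` are active rather than commented out, unlike the nginx README hunk above and every other plugin's sample config in this commit, so pasting the sample turns on client-certificate TLS with paths that likely do not exist on the host. Prefix them with `# ` and use the `.pem` names the README shows so the two stay consistent. The struct hunk also drops the per-field comments that described `Urls` and `ResponseTimeout`; a one-line comment on each remaining field would keep the type self-describing.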


@ -20,7 +20,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
insecure_skip_verify = false insecure_skip_verify = false
# Path to PEM-encoded Root certificate to use to verify server certificate # Path to PEM-encoded Root certificate to use to verify server certificate
ssl_ca = "/etc/ssl/certs.pem" tls_ca = "/etc/ssl/certs.pem"
# dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
bind_dn = "" bind_dn = ""


@ -8,7 +8,7 @@ import (
"gopkg.in/ldap.v2" "gopkg.in/ldap.v2"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -36,7 +36,7 @@ const sampleConfig string = `
insecure_skip_verify = false insecure_skip_verify = false
# Path to PEM-encoded Root certificate to use to verify server certificate # Path to PEM-encoded Root certificate to use to verify server certificate
ssl_ca = "/etc/ssl/certs.pem" tls_ca = "/etc/ssl/certs.pem"
# dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
bind_dn = "" bind_dn = ""
@ -85,7 +85,11 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
var l *ldap.Conn var l *ldap.Conn
if o.Ssl != "" { if o.Ssl != "" {
// build tls config // build tls config
tlsConfig, err := internal.GetTLSConfig("", "", o.SslCa, o.InsecureSkipVerify) clientTLSConfig := tls.ClientConfig{
SSLCA: o.SslCa,
InsecureSkipVerify: o.InsecureSkipVerify,
}
tlsConfig, err := clientTLSConfig.TLSConfig()
if err != nil { if err != nil {
acc.AddError(err) acc.AddError(err)
return nil return nil
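Review bot: The `Gather` hunk still reads `o.SslCa` into `tls.ClientConfig{SSLCA: o.SslCa, ...}` while the README and `sampleConfig` hunks of this file now advertise `tls_ca`; unless the `Openldap` struct's `SslCa` field (outside this view) was re-tagged, a configuration that uses the documented `tls_ca` key would not be applied and the CA would silently stay empty. Embedding `tls.ClientConfig` as the other plugins in this commit do would make `tls_ca` work with the deprecated `ssl_ca` fallback for free. `Gather` continues outside the hunk.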


@ -20,11 +20,11 @@ in Prometheus format.
## Specify timeout duration for slower prometheus clients (default is 3s) ## Specify timeout duration for slower prometheus clients (default is 3s)
# response_timeout = "3s" # response_timeout = "3s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -30,14 +31,7 @@ type Prometheus struct {
ResponseTimeout internal.Duration `toml:"response_timeout"` ResponseTimeout internal.Duration `toml:"response_timeout"`
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -55,11 +49,11 @@ var sampleConfig = `
## Specify timeout duration for slower prometheus clients (default is 3s) ## Specify timeout duration for slower prometheus clients (default is 3s)
# response_timeout = "3s" # response_timeout = "3s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -167,8 +161,7 @@ var client = &http.Client{
} }
func (p *Prometheus) createHttpClient() (*http.Client, error) { func (p *Prometheus) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := p.ClientConfig.TLSConfig()
p.SSLCert, p.SSLKey, p.SSLCA, p.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
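Review bot: The `sampleConfig` hunk writes `# tls_ca = /path/to/cafile`, `# tls_cert = /path/to/certfile` and `# tls_key = /path/to/keyfile` with unquoted values, which is not valid TOML once a user uncomments them; the prometheus README hunk above repeats the same form. Since these lines are being rewritten anyway, quote the values as the other plugins in this commit do, e.g. `# tls_ca = "/etc/telegraf/ca.pem"`.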


@ -16,11 +16,11 @@ For additional details reference the [RabbitMQ Management HTTP Stats](https://cd
# username = "guest" # username = "guest"
# password = "guest" # password = "guest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional request timeouts ## Optional request timeouts


@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -37,14 +38,7 @@ type RabbitMQ struct {
Name string Name string
Username string Username string
Password string Password string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
ResponseHeaderTimeout internal.Duration `toml:"header_timeout"` ResponseHeaderTimeout internal.Duration `toml:"header_timeout"`
ClientTimeout internal.Duration `toml:"client_timeout"` ClientTimeout internal.Duration `toml:"client_timeout"`
@ -175,11 +169,11 @@ var sampleConfig = `
# username = "guest" # username = "guest"
# password = "guest" # password = "guest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional request timeouts ## Optional request timeouts
@ -223,8 +217,7 @@ func (r *RabbitMQ) Description() string {
// Gather ... // Gather ...
func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error { func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error {
if r.Client == nil { if r.Client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := r.ClientConfig.TLSConfig()
r.SSLCert, r.SSLKey, r.SSLCA, r.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -16,6 +16,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -161,14 +162,12 @@ func (psl *packetSocketListener) listen() {
} }
type SocketListener struct { type SocketListener struct {
ServiceAddress string `toml:"service_address"` ServiceAddress string `toml:"service_address"`
MaxConnections int `toml:"max_connections"` MaxConnections int `toml:"max_connections"`
ReadBufferSize int `toml:"read_buffer_size"` ReadBufferSize int `toml:"read_buffer_size"`
ReadTimeout *internal.Duration `toml:"read_timeout"` ReadTimeout *internal.Duration `toml:"read_timeout"`
TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"` KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
TLSCert string `toml:"tls_cert"` tlsint.ServerConfig
TLSKey string `toml:"tls_key"`
KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
parsers.Parser parsers.Parser
telegraf.Accumulator telegraf.Accumulator
@ -259,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error {
l net.Listener l net.Listener
) )
tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts) tlsCfg, err := sl.ServerConfig.TLSConfig()
if err != nil { if err != nil {
return nil return nil
} }
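Review bot: The error from `sl.ServerConfig.TLSConfig()` in the `Start` hunk is still discarded by the `return nil` on the next line, so a bad certificate or key path makes `Start` report success with no listener and no diagnostic, which an operator would read as a working TLS endpoint. Change it to `return err` so the misconfiguration is surfaced at startup. `Start` continues outside the hunk.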


@ -9,12 +9,13 @@ import (
"testing" "testing"
"time" "time"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
var pki = testutil.NewPKI("../../../testutil/pki")
// testEmptyLog is a helper function to ensure no data is written to log. // testEmptyLog is a helper function to ensure no data is written to log.
// Should be called at the start of the test, and returns a function which should run at the end. // Should be called at the start of the test, and returns a function which should run at the end.
func testEmptyLog(t *testing.T) func() { func testEmptyLog(t *testing.T) func() {
@ -32,16 +33,14 @@ func TestSocketListener_tcp_tls(t *testing.T) {
sl := newSocketListener() sl := newSocketListener()
sl.ServiceAddress = "tcp://127.0.0.1:0" sl.ServiceAddress = "tcp://127.0.0.1:0"
sl.TLSCert = "testdata/server.pem" sl.ServerConfig = *pki.TLSServerConfig()
sl.TLSKey = "testdata/server.key"
sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
err := sl.Start(acc) err := sl.Start(acc)
require.NoError(t, err) require.NoError(t, err)
defer sl.Stop() defer sl.Stop()
tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) tlsCfg, err := pki.TLSClientConfig().TLSConfig()
require.NoError(t, err) require.NoError(t, err)
secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg) secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg)
@ -55,16 +54,15 @@ func TestSocketListener_unix_tls(t *testing.T) {
sl := newSocketListener() sl := newSocketListener()
sl.ServiceAddress = "unix:///tmp/telegraf_test.sock" sl.ServiceAddress = "unix:///tmp/telegraf_test.sock"
sl.TLSCert = "testdata/server.pem" sl.ServerConfig = *pki.TLSServerConfig()
sl.TLSKey = "testdata/server.key"
sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
err := sl.Start(acc) err := sl.Start(acc)
require.NoError(t, err) require.NoError(t, err)
defer sl.Stop() defer sl.Stop()
tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) tlsCfg, err := pki.TLSClientConfig().TLSConfig()
tlsCfg.InsecureSkipVerify = true
require.NoError(t, err) require.NoError(t, err)
secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg) secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg)
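Review bot: In the `TestSocketListener_unix_tls` hunk `tlsCfg.InsecureSkipVerify = true` is assigned before `require.NoError(t, err)`, so a failing `TLSConfig()` would show up as a nil-pointer panic instead of the intended assertion; move the assignment below the check. The tcp variant no longer sets `InsecureSkipVerify`, which the old `GetTLSConfig(..., true)` call did, so that test now performs full chain and host verification against the `pki` fixtures — presumably intended, but it relies on the fixture server certificate carrying a SAN for 127.0.0.1, since `tls.Dial` verifies against the dialed address when no `ServerName` is set.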


@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -1,24 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM
BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG
EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT
30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp
GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8
tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ
usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW
z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF
AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj
YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa
2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv
H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN
3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r
Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q
ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv
MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc
8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g
AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv
o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s=
-----END CERTIFICATE-----


@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -1,25 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -19,11 +19,11 @@ See the [Tomcat documentation](https://tomcat.apache.org/tomcat-9.0-doc/manager-
## Request timeout ## Request timeout
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```


@ -10,6 +10,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -63,11 +64,7 @@ type Tomcat struct {
Username string Username string
Password string Password string
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
client *http.Client client *http.Client
request *http.Request request *http.Request
@ -84,11 +81,11 @@ var sampleconfig = `
## Request timeout ## Request timeout
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -191,8 +188,7 @@ func (s *Tomcat) Gather(acc telegraf.Accumulator) error {
} }
func (s *Tomcat) createHttpClient() (*http.Client, error) { func (s *Tomcat) createHttpClient() (*http.Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := s.ClientConfig.TLSConfig()
s.SSLCert, s.SSLKey, s.SSLCA, s.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -18,11 +18,11 @@ The zookeeper plugin collects variables outputted from the 'mntr' command
## Timeout for metric collections from all servers. Minimum timeout is "1s". ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# enable_ssl = true # enable_ssl = true
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
``` ```


@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,11 +22,9 @@ type Zookeeper struct {
Servers []string Servers []string
Timeout internal.Duration Timeout internal.Duration
EnableSSL bool `toml:"enable_ssl"` EnableTLS bool `toml:"enable_tls"`
SSLCA string `toml:"ssl_ca"` EnableSSL bool `toml:"enable_ssl"` // deprecated in 1.7; use enable_tls
SSLCert string `toml:"ssl_cert"` tlsint.ClientConfig
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
initialized bool initialized bool
tlsConfig *tls.Config tlsConfig *tls.Config
@ -42,11 +41,11 @@ var sampleConfig = `
## Timeout for metric collections from all servers. Minimum timeout is "1s". ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# enable_ssl = true # enable_tls = true
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
` `
@ -65,7 +64,7 @@ func (z *Zookeeper) Description() string {
func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) { func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) {
var dialer net.Dialer var dialer net.Dialer
if z.EnableSSL { if z.EnableTLS || z.EnableSSL {
deadline, ok := ctx.Deadline() deadline, ok := ctx.Deadline()
if ok { if ok {
dialer.Deadline = deadline dialer.Deadline = deadline
@ -81,8 +80,7 @@ func (z *Zookeeper) Gather(acc telegraf.Accumulator) error {
ctx := context.Background() ctx := context.Background()
if !z.initialized { if !z.initialized {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := z.ClientConfig.TLSConfig()
z.SSLCert, z.SSLKey, z.SSLCA, z.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
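Review bot: The `sampleConfig` hunk keeps `## If false, skip chain & host verification` above `# insecure_skip_verify = true`, but with the embedded `tlsint.ClientConfig` the option has the same meaning as in every other sample config in this commit — true disables verification — so the comment is inverted and the example value is the insecure one. Replace the two lines with `## Use TLS but skip chain & host verification` and `# insecure_skip_verify = false`, and mirror that in the zookeeper README hunk above, which additionally still shows `enable_ssl` where the sample config now uses `enable_tls`. The `dial` and `Gather` hunks look consistent with the struct change.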


@ -42,11 +42,11 @@ For an introduction to AMQP see:
## to 5s. 0s means no timeout (not recommended). ## to 5s. 0s means no timeout (not recommended).
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.


@ -10,6 +10,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -43,14 +44,7 @@ type AMQP struct {
// Valid options are "transient" and "persistent". default: "transient" // Valid options are "transient" and "persistent". default: "transient"
DeliveryMode string DeliveryMode string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
sync.Mutex sync.Mutex
c *client c *client
@ -99,11 +93,11 @@ var sampleConfig = `
## to 5s. 0s means no timeout (not recommended). ## to 5s. 0s means no timeout (not recommended).
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -137,8 +131,7 @@ func (q *AMQP) Connect() error {
var connection *amqp.Connection var connection *amqp.Connection
// make new tls config // make new tls config
tls, err := internal.GetTLSConfig( tls, err := q.ClientConfig.TLSConfig()
q.SSLCert, q.SSLKey, q.SSLCA, q.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
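Review bot: `tls, err := q.ClientConfig.TLSConfig()` in the `Connect` hunk declares a local named `tls`, shadowing the `tls` package imported in the first hunk for the remainder of `Connect`; it compiles, but any later reference to the package inside that function would silently bind to the variable. Rename it, e.g. `tlsCfg, err := q.ClientConfig.TLSConfig()`, matching the other plugins in this commit. `Connect` continues outside the hunk.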


@ -180,11 +180,11 @@ This plugin will format the events in the following way:
# default_tag_value = "none" # default_tag_value = "none"
index_name = "telegraf-%Y.%m.%d" # required. index_name = "telegraf-%Y.%m.%d" # required.
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Template Config ## Template Config


@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"gopkg.in/olivere/elastic.v5" "gopkg.in/olivere/elastic.v5"
) )
@ -28,11 +29,9 @@ type Elasticsearch struct {
ManageTemplate bool ManageTemplate bool
TemplateName string TemplateName string
OverwriteTemplate bool OverwriteTemplate bool
SSLCA string `toml:"ssl_ca"` // Path to CA file tls.ClientConfig
SSLCert string `toml:"ssl_cert"` // Path to host cert file
SSLKey string `toml:"ssl_key"` // Path to cert key file Client *elastic.Client
InsecureSkipVerify bool // Use SSL but skip chain & host verification
Client *elastic.Client
} }
var sampleConfig = ` var sampleConfig = `
@ -69,11 +68,11 @@ var sampleConfig = `
# default_tag_value = "none" # default_tag_value = "none"
index_name = "telegraf-%Y.%m.%d" # required. index_name = "telegraf-%Y.%m.%d" # required.
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Template Config ## Template Config
@ -96,7 +95,7 @@ func (a *Elasticsearch) Connect() error {
var clientOptions []elastic.ClientOptionFunc var clientOptions []elastic.ClientOptionFunc
tlsCfg, err := internal.GetTLSConfig(a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) tlsCfg, err := a.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }


@ -20,42 +20,10 @@ via raw TCP.
## timeout in seconds for the write connection to graphite ## timeout in seconds for the write connection to graphite
timeout = 2 timeout = 2
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```
Parameters:
Servers []string
Prefix string
Timeout int
Template string
// Path to CA file
SSLCA string
// Path to host cert file
SSLCert string
// Path to cert key file
SSLKey string
// Skip SSL verification
InsecureSkipVerify bool
### Required parameters:
* `servers`: List of strings, ["mygraphiteserver:2003"].
* `prefix`: String use to prefix all sent metrics.
* `timeout`: Connection timeout in seconds.
* `template`: Template for graphite output format, see
https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
for more details.
### Optional parameters:
* `ssl_ca`: SSL CA
* `ssl_cert`: SSL CERT
* `ssl_key`: SSL key
* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false)


@ -10,7 +10,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
@ -22,18 +22,7 @@ type Graphite struct {
Template string Template string
Timeout int Timeout int
conns []net.Conn conns []net.Conn
tlsint.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Skip SSL verification
InsecureSkipVerify bool
// tls config
tlsConfig *tls.Config
} }
var sampleConfig = ` var sampleConfig = `
@ -49,11 +38,11 @@ var sampleConfig = `
## timeout in seconds for the write connection to graphite ## timeout in seconds for the write connection to graphite
timeout = 2 timeout = 2
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -67,9 +56,7 @@ func (g *Graphite) Connect() error {
} }
// Set tls config // Set tls config
var err error tlsConfig, err := g.ClientConfig.TLSConfig()
g.tlsConfig, err = internal.GetTLSConfig(
g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
@ -82,8 +69,8 @@ func (g *Graphite) Connect() error {
// Get secure connection if tls config is set // Get secure connection if tls config is set
var conn net.Conn var conn net.Conn
if g.tlsConfig != nil { if tlsConfig != nil {
conn, err = tls.DialWithDialer(&d, "tcp", server, g.tlsConfig) conn, err = tls.DialWithDialer(&d, "tcp", server, tlsConfig)
} else { } else {
conn, err = d.Dial("tcp", server) conn, err = d.Dial("tcp", server)
} }
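Review bot: The two `Connect` hunks now choose between `tls.DialWithDialer` and plain `d.Dial` on `if tlsConfig != nil`, so the plaintext path depends on `ClientConfig.TLSConfig()` returning nil when no `tls_*` option is set — a contract not stated anywhere in this file. A comment on the branch, `// TLSConfig() yields nil when no tls_* option is configured; nil means plaintext TCP`, would record that assumption, and it should be confirmed against the `internal/tls` implementation. Removing the `tlsConfig` field from the struct also means the config is no longer reachable from other methods; that looks intentional since `Connect`, which starts and ends outside these hunks, is the only user visible here.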


@ -44,11 +44,11 @@ This InfluxDB output plugin writes metrics to the [InfluxDB](https://github.com/
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment


@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers/influx" "github.com/influxdata/telegraf/plugins/serializers/influx"
) )
@ -46,15 +47,7 @@ type InfluxDB struct {
ContentEncoding string `toml:"content_encoding"` ContentEncoding string `toml:"content_encoding"`
SkipDatabaseCreation bool `toml:"skip_database_creation"` SkipDatabaseCreation bool `toml:"skip_database_creation"`
InfluxUintSupport bool `toml:"influx_uint_support"` InfluxUintSupport bool `toml:"influx_uint_support"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Precision string // precision deprecated in 1.0; value is ignored Precision string // precision deprecated in 1.0; value is ignored
@ -104,11 +97,11 @@ var sampleConfig = `
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment
@ -245,8 +238,7 @@ func (i *InfluxDB) udpClient(url *url.URL) (Client, error) {
} }
func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) { func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := i.ClientConfig.TLSConfig()
i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }
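Review bot: The struct hunk drops the fields carrying the explicit `toml:"ssl_ca"`, `toml:"ssl_cert"` and `toml:"ssl_key"` tags together with the `InsecureSkipVerify` field, so every existing configuration using those keys now depends on the embedded `tls.ClientConfig` declaring the same keys; that type is outside this view, and the commit message says the ssl forms are kept as deprecated aliases, but nothing in this section exercises that. Suggest a case in influxdb_test.go that parses a config with `ssl_ca`/`ssl_cert`/`ssl_key` set and asserts `TLSConfig()` yields the same result as the `tls_*` spelling, and that a deprecation warning is logged so operators notice the rename. The same replacement is made in the kafka.go, mqtt.go, nats.go and socket_writer.go sections below; in socket_writer.go the removed fields had no toml tags at all, so the key names accepted before and after should be compared there too. `httpClient` continues outside the hunk.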


@ -8,6 +8,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/metric" "github.com/influxdata/telegraf/metric"
"github.com/influxdata/telegraf/plugins/outputs/influxdb" "github.com/influxdata/telegraf/plugins/outputs/influxdb"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -104,8 +105,10 @@ func TestConnectHTTPConfig(t *testing.T) {
HTTPHeaders: map[string]string{ HTTPHeaders: map[string]string{
"x": "y", "x": "y",
}, },
ContentEncoding: "gzip", ContentEncoding: "gzip",
InsecureSkipVerify: true, ClientConfig: tls.ClientConfig{
InsecureSkipVerify: true,
},
CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) { CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) {
actual = config actual = config


@ -68,11 +68,11 @@ This plugin writes to a [Kafka Broker](http://kafka.apache.org/07/quickstart.htm
## until the next flush. ## until the next flush.
# max_retry = 3 # max_retry = 3
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config


@ -6,7 +6,7 @@ import (
"strings" "strings"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -36,7 +36,7 @@ type (
// MaxRetry Tag // MaxRetry Tag
MaxRetry int MaxRetry int
// Legacy SSL config options // Legacy TLS config options
// TLS client certificate // TLS client certificate
Certificate string Certificate string
// TLS client key // TLS client key
@ -44,15 +44,7 @@ type (
// TLS certificate authority // TLS certificate authority
CA string CA string
// Path to CA file tlsint.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Skip SSL verification
InsecureSkipVerify bool
// SASL Username // SASL Username
SASLUsername string `toml:"sasl_username"` SASLUsername string `toml:"sasl_username"`
@ -135,11 +127,11 @@ var sampleConfig = `
## until the next flush. ## until the next flush.
# max_retry = 3 # max_retry = 3
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config
@ -201,13 +193,12 @@ func (k *Kafka) Connect() error {
// Legacy support ssl config // Legacy support ssl config
if k.Certificate != "" { if k.Certificate != "" {
k.SSLCert = k.Certificate k.TLSCert = k.Certificate
k.SSLCA = k.CA k.TLSCA = k.CA
k.SSLKey = k.Key k.TLSKey = k.Key
} }
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
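Review bot: The legacy mapping at the top of `Connect` assigns `k.TLSCert = k.Certificate`, `k.TLSCA = k.CA` and `k.TLSKey = k.Key` unconditionally once `Certificate` is set, so a config that mixes the legacy `Certificate`/`Key`/`CA` fields with the new `tls_*` options has its `tls_*` values silently overwritten and no deprecation warning is emitted. Consider logging a warning in that branch, via whatever logger this file already uses, or rejecting the mixed case with an error rather than picking a winner. The comment above it still reads `// Legacy support ssl config` while the struct comment in the earlier hunk was renamed to TLS; `// Legacy Certificate/Key/CA fields take precedence over tls_cert/tls_key/tls_ca` would document the actual behaviour. `Connect` continues outside the hunk.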


@ -22,12 +22,12 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt
## Timeout for write operations. default: 5s ## Timeout for write operations. default: 5s
# timeout = "5s" # timeout = "5s"
## Optional SSL Config
# ssl_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Optional TLS Config
# tls_ca = "/etc/telegraf/ca.pem"
# tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -45,8 +45,8 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt
* `password`: The password to connect MQTT server. * `password`: The password to connect MQTT server.
* `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated. * `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated.
* `timeout`: Timeout for write operations. default: 5s * `timeout`: Timeout for write operations. default: 5s
* `ssl_ca`: SSL CA * `tls_ca`: TLS CA
* `ssl_cert`: SSL CERT * `tls_cert`: TLS CERT
* `ssl_key`: SSL key * `tls_key`: TLS key
* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) * `insecure_skip_verify`: Use TLS but skip chain & host verification (default: false)
* `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md) * `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md)


@ -8,6 +8,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -32,11 +33,11 @@ var sampleConfig = `
## client ID, if not set a random ID is generated ## client ID, if not set a random ID is generated
# client_id = "" # client_id = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -55,15 +56,7 @@ type MQTT struct {
TopicPrefix string TopicPrefix string
QoS int `toml:"qos"` QoS int `toml:"qos"`
ClientID string `toml:"client_id"` ClientID string `toml:"client_id"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client paho.Client client paho.Client
opts *paho.ClientOptions opts *paho.ClientOptions
@ -174,8 +167,7 @@ func (m *MQTT) createOpts() (*paho.ClientOptions, error) {
opts.SetClientID("Telegraf-Output-" + internal.RandomString(5)) opts.SetClientID("Telegraf-Output-" + internal.RandomString(5))
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -6,7 +6,7 @@ import (
nats_client "github.com/nats-io/nats" nats_client "github.com/nats-io/nats"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
@ -19,15 +19,7 @@ type NATS struct {
Password string Password string
// NATS subject to publish metrics to // NATS subject to publish metrics to
Subject string Subject string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
conn *nats_client.Conn conn *nats_client.Conn
serializer serializers.Serializer serializer serializers.Serializer
@ -42,11 +34,11 @@ var sampleConfig = `
## NATS subject for producer messages ## NATS subject for producer messages
subject = "telegraf" subject = "telegraf"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -79,8 +71,7 @@ func (n *NATS) Connect() error {
} }
// override TLS, if it was specified // override TLS, if it was specified
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }


@ -19,11 +19,11 @@ It can output data in any of the [supported output formats](https://github.com/i
# address = "unix:///tmp/telegraf.sock" # address = "unix:///tmp/telegraf.sock"
# address = "unixgram:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Period between keep alive probes. ## Period between keep alive probes.


@ -10,17 +10,15 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
type SocketWriter struct { type SocketWriter struct {
Address string Address string
KeepAlivePeriod *internal.Duration KeepAlivePeriod *internal.Duration
SSLCA string tlsint.ClientConfig
SSLCert string
SSLKey string
InsecureSkipVerify bool
serializers.Serializer serializers.Serializer
@ -45,11 +43,11 @@ func (sw *SocketWriter) SampleConfig() string {
# address = "unix:///tmp/telegraf.sock" # address = "unix:///tmp/telegraf.sock"
# address = "unixgram:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Period between keep alive probes. ## Period between keep alive probes.
@ -76,7 +74,7 @@ func (sw *SocketWriter) Connect() error {
return fmt.Errorf("invalid address: %s", sw.Address) return fmt.Errorf("invalid address: %s", sw.Address)
} }
tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) tlsCfg, err := sw.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }

12
testutil/pki/cacert.pem Normal file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw
NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR
rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/
X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID
AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF
AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK
Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ
C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw==
-----END CERTIFICATE-----

16
testutil/pki/cakey.pem Normal file

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -46,21 +46,31 @@ keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ] [ client_ca_extensions ]
basicConstraints = CA:false basicConstraints = CA:false
keyUsage = digitalSignature keyUsage = digitalSignature
subjectAltName = @client_alt_names
extendedKeyUsage = 1.3.6.1.5.5.7.3.2 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ client_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
[ server_ca_extensions ] [ server_ca_extensions ]
basicConstraints = CA:false basicConstraints = CA:false
keyUsage = keyEncipherment subjectAltName = @server_alt_names
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.1 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ server_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF EOF
openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes && openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes &&
# Create server keypair # Create server keypair
openssl genrsa -out ./private/serverkey.pem 1024 && openssl genrsa -out ./private/serverkey.pem 1024 &&
openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" && openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" &&
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions && openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
# Create client keypair # Create client keypair
openssl genrsa -out ./private/clientkey.pem 1024 && openssl genrsa -out ./private/clientkey.pem 1024 &&
openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" && openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" &&
openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions
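Review bot: The CA, server and client keys are generated with `rsa:1024` on the `openssl req -x509` line and `openssl genrsa ... 1024` on the two keypair lines, and the resulting keys are committed under testutil/pki; 1024-bit RSA has been disallowed for new signatures by NIST since 2013 and OpenSSL builds configured at security level 2 reject it, so regenerating the fixtures is the natural moment to move to `rsa:2048` / `2048`. A header comment such as `# Generates the test-only PKI committed under testutil/pki; these private keys are public and must never be used outside tests.` would make the purpose of the committed key files explicit. The client certificate also receives `subjectAltName = @client_alt_names` with localhost/127.0.0.1, which is harmless but not needed for a client identity; if it is intended, a one-line comment saying why would help.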

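--- /dev/null
+++ b/testutil/tls.go
@@ -0,0 +1,86 @@
+package testutil
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"github.com/influxdata/telegraf/internal/tls"
+)
+type pki struct {
+	path string
+}
+func NewPKI(path string) *pki {
+	return &pki{path: path}
+}
+func (p *pki) TLSClientConfig() *tls.ClientConfig {
+	return &tls.ClientConfig{
+		TLSCA:   p.CACertPath(),
+		TLSCert: p.ClientCertPath(),
+		TLSKey:  p.ClientKeyPath(),
+	}
+}
+func (p *pki) TLSServerConfig() *tls.ServerConfig {
+	return &tls.ServerConfig{
+		TLSAllowedCACerts: []string{p.CACertPath()},
+		TLSCert:           p.ServerCertPath(),
+		TLSKey:            p.ServerKeyPath(),
+	}
+}
+func (p *pki) ReadCACert() string {
+	return readCertificate(p.CACertPath())
+}
+func (p *pki) CACertPath() string {
+	return path.Join(p.path, "cacert.pem")
+}
+func (p *pki) ReadClientCert() string {
+	return readCertificate(p.ClientCertPath())
+}
+func (p *pki) ClientCertPath() string {
+	return path.Join(p.path, "clientcert.pem")
+}
+func (p *pki) ReadClientKey() string {
+	return readCertificate(p.ClientKeyPath())
+}
+func (p *pki) ClientKeyPath() string {
+	return path.Join(p.path, "clientkey.pem")
+}
+func (p *pki) ReadServerCert() string {
+	return readCertificate(p.ServerCertPath())
+}
+func (p *pki) ServerCertPath() string {
+	return path.Join(p.path, "servercert.pem")
+}
+func (p *pki) ReadServerKey() string {
+	return readCertificate(p.ServerKeyPath())
+}
+func (p *pki) ServerKeyPath() string {
+	return path.Join(p.path, "serverkey.pem")
+}
+func readCertificate(filename string) string {
+	file, err := os.Open(filename)
+	if err != nil {
+		panic(fmt.Sprintf("opening %q: %v", filename, err))
+	}
+	octets, err := ioutil.ReadAll(file)
+	if err != nil {
+		panic(fmt.Sprintf("reading %q: %v", filename, err))
+	}
+	return string(octets)
+}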
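Review bot: `readCertificate` opens the file with `os.Open` and never closes it, so each call leaks a file descriptor for the life of the test process; replace the Open/ReadAll pair with `octets, err := ioutil.ReadFile(filename)` and keep only the `panic(fmt.Sprintf("reading %q: %v", filename, err))` branch, which also lets the `os` import go. The path helpers build filesystem paths with `path.Join`, which is meant for slash-separated URL-style paths; `filepath.Join` is the correct choice so the fixtures resolve on Windows too. `NewPKI` is exported but returns the unexported `*pki`, so callers in other packages cannot declare variables or fields of that type; either export the type or return it behind a small interface. None of the exported functions carries a doc comment; for example `// NewPKI returns accessors for the test certificates and keys stored under path.` on the constructor.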