dom
/
telegraf
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Simplify testing with TLS (#4095)

This commit is contained in:
Daniel Nelson 2018-05-04 16:33:23 -07:00 committed by GitHub
parent 6e10a4ea88
commit 55b4fcb40d
92 changed files with 1246 additions and 1360 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -7,6 +7,10 @@
an [example configuration](./plugins/inputs/jolokia2/examples) to help you an [example configuration](./plugins/inputs/jolokia2/examples) to help you
get started. get started.
- For plugins supporting TLS, you can now specify the certificate and keys
using `tls_ca`, `tls_cert`, `tls_key`. These options behave the same as
the, now deprecated, `ssl` forms.
### New Inputs ### New Inputs
- [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek - [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek

335
etc/telegraf.conf
View File

@ -121,11 +121,11 @@
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment
@ -184,11 +184,11 @@
# ## to 5s. 0s means no timeout (not recommended). # ## to 5s. 0s means no timeout (not recommended).
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -284,11 +284,11 @@
# # default_tag_value = "none" # # default_tag_value = "none"
# index_name = "telegraf-%Y.%m.%d" # required. # index_name = "telegraf-%Y.%m.%d" # required.
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Template Config # ## Template Config
@ -327,11 +327,11 @@
# ## timeout in seconds for the write connection to graphite # ## timeout in seconds for the write connection to graphite
# timeout = 2 # timeout = 2
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -420,11 +420,11 @@
# ## The total number of times to retry sending a message # ## The total number of times to retry sending a message
# max_retry = 3 # max_retry = 3
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional SASL Config # ## Optional SASL Config
@ -536,11 +536,11 @@
# ## client ID, if not set a random ID is generated # ## client ID, if not set a random ID is generated
# # client_id = "" # # client_id = ""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -560,11 +560,11 @@
# ## NATS subject for producer messages # ## NATS subject for producer messages
# subject = "telegraf" # subject = "telegraf"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to output. # ## Data format to output.
@ -695,11 +695,11 @@
# # address = "unix:///tmp/telegraf.sock" # # address = "unix:///tmp/telegraf.sock"
# # address = "unixgram:///tmp/telegraf.sock" # # address = "unixgram:///tmp/telegraf.sock"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Period between keep alive probes. # ## Period between keep alive probes.
@ -928,11 +928,11 @@
# ## Maximum time to receive response. # ## Maximum time to receive response.
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1112,11 +1112,11 @@
# ## Data centre to query the health checks from # ## Data centre to query the health checks from
# # datacentre = "" # # datacentre = ""
# #
# ## SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
@ -1173,10 +1173,10 @@
# ## Maximum time to receive a response from cluster. # ## Maximum time to receive a response from cluster.
# # response_timeout = "20s" # # response_timeout = "20s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## If false, skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
# #
@ -1261,11 +1261,11 @@
# docker_label_include = [] # docker_label_include = []
# docker_label_exclude = [] # docker_label_exclude = []
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1317,11 +1317,11 @@
# ## "breaker". Per default, all stats are gathered. # ## "breaker". Per default, all stats are gathered.
# # node_stats = ["jvm", "http"] # # node_stats = ["jvm", "http"]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1428,11 +1428,11 @@
# username = "" # username = ""
# password = "" # password = ""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1456,11 +1456,11 @@
# ## field names. # ## field names.
# # keep_field_names = false # # keep_field_names = false
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1497,11 +1497,11 @@
# ## Tag all metrics with the url # ## Tag all metrics with the url
# # tag_url = true # # tag_url = true
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Amount of time allowed to complete the HTTP request # ## Amount of time allowed to complete the HTTP request
@ -1541,11 +1541,11 @@
# # response_string_match = "ok" # # response_string_match = "ok"
# # response_string_match = "\".*_status\".?:.?\"up\"" # # response_string_match = "\".*_status\".?:.?\"up\""
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## HTTP Request Headers (all values must be strings) # ## HTTP Request Headers (all values must be strings)
@ -1581,11 +1581,11 @@
# # "my_tag_2" # # "my_tag_2"
# # ] # # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## HTTP parameters (all values must be strings). For "GET" requests, data # ## HTTP parameters (all values must be strings). For "GET" requests, data
@ -1613,11 +1613,11 @@
# "http://localhost:8086/debug/vars" # "http://localhost:8086/debug/vars"
# ] # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## http request & header timeout # ## http request & header timeout
@ -1771,10 +1771,10 @@
# # password = "" # # password = ""
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL config # ## Optional TLS config
# # ssl_ca = "/var/private/ca.pem" # # tls_ca = "/var/private/ca.pem"
# # ssl_cert = "/var/private/client.pem" # # tls_cert = "/var/private/client.pem"
# # ssl_key = "/var/private/client-key.pem" # # tls_key = "/var/private/client-key.pem"
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Add metrics to read # ## Add metrics to read
@ -1796,10 +1796,10 @@
# # password = "" # # password = ""
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL config # ## Optional TLS config
# # ssl_ca = "/var/private/ca.pem" # # tls_ca = "/var/private/ca.pem"
# # ssl_cert = "/var/private/client.pem" # # tls_cert = "/var/private/client.pem"
# # ssl_key = "/var/private/client-key.pem" # # tls_key = "/var/private/client-key.pem"
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Add proxy targets to query # ## Add proxy targets to query
@ -1828,11 +1828,11 @@
# ## Time limit for http requests # ## Time limit for http requests
# timeout = "5s" # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1852,11 +1852,11 @@
# ## Set response_timeout (default 5 seconds) # ## Set response_timeout (default 5 seconds)
# # response_timeout = "5s" # # response_timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = /path/to/cafile # # tls_ca = /path/to/cafile
# # ssl_cert = /path/to/certfile # # tls_cert = /path/to/certfile
# # ssl_key = /path/to/keyfile # # tls_key = /path/to/keyfile
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1948,11 +1948,11 @@
# # "messages", # # "messages",
# # ] # # ]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -1978,11 +1978,11 @@
# ## When true, collect per database stats # ## When true, collect per database stats
# # gather_perdb_stats = false # # gather_perdb_stats = false
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2061,10 +2061,12 @@
# ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) # ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
# interval_slow = "30m" # interval_slow = "30m"
# #
# ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) # ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
# ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false
# # Provides metrics about the state of a NATS server # # Provides metrics about the state of a NATS server
@ -2124,10 +2126,11 @@
# # An array of Nginx stub_status URI to gather stats. # # An array of Nginx stub_status URI to gather stats.
# urls = ["http://localhost/server_status"] # urls = ["http://localhost/server_status"]
# #
# # TLS/SSL configuration # ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.cer" # tls_cert = "/etc/telegraf/cert.cer"
# ssl_key = "/etc/telegraf/key.key" # tls_key = "/etc/telegraf/key.key"
# ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
# #
# # HTTP response timeout (default: 5s) # # HTTP response timeout (default: 5s)
@ -2190,7 +2193,7 @@
# insecure_skip_verify = false # insecure_skip_verify = false
# #
# # Path to PEM-encoded Root certificate to use to verify server certificate # # Path to PEM-encoded Root certificate to use to verify server certificate
# ssl_ca = "/etc/ssl/certs.pem" # tls_ca = "/etc/ssl/certs.pem"
# #
# # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
# bind_dn = "" # bind_dn = ""
@ -2341,11 +2344,11 @@
# ## Specify timeout duration for slower prometheus clients (default is 3s) # ## Specify timeout duration for slower prometheus clients (default is 3s)
# # response_timeout = "3s" # # response_timeout = "3s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = /path/to/cafile # # tls_ca = /path/to/cafile
# # ssl_cert = /path/to/certfile # # tls_cert = /path/to/certfile
# # ssl_key = /path/to/keyfile # # tls_key = /path/to/keyfile
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2365,11 +2368,11 @@
# # username = "guest" # # username = "guest"
# # password = "guest" # # password = "guest"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional request timeouts # ## Optional request timeouts
@ -2798,11 +2801,11 @@
# ## Request timeout # ## Request timeout
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
@ -2886,11 +2889,11 @@
# ## Timeout for metric collections from all servers. Minimum timeout is "1s". # ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# # timeout = "5s" # # timeout = "5s"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # enable_ssl = true # # enable_tls = true
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## If false, skip chain & host verification # ## If false, skip chain & host verification
# # insecure_skip_verify = true # # insecure_skip_verify = true
@ -2919,11 +2922,11 @@
# ## described here: https://www.rabbitmq.com/plugins.html # ## described here: https://www.rabbitmq.com/plugins.html
# # auth_method = "PLAIN" # # auth_method = "PLAIN"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to consume. # ## Data format to consume.
@ -2994,11 +2997,11 @@
# ## topic(s) to consume # ## topic(s) to consume
# topics = ["telegraf"] # topics = ["telegraf"]
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Optional SASL Config # ## Optional SASL Config
@ -3124,11 +3127,11 @@
# # username = "telegraf" # # username = "telegraf"
# # password = "metricsmetricsmetricsmetrics" # # password = "metricsmetricsmetricsmetrics"
# #
# ## Optional SSL Config # ## Optional TLS Config
# # ssl_ca = "/etc/telegraf/ca.pem" # # tls_ca = "/etc/telegraf/ca.pem"
# # ssl_cert = "/etc/telegraf/cert.pem" # # tls_cert = "/etc/telegraf/cert.pem"
# # ssl_key = "/etc/telegraf/key.pem" # # tls_key = "/etc/telegraf/key.pem"
# ## Use SSL but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
# #
# ## Data format to consume. # ## Data format to consume.

92
internal/internal.go
View File

@ -4,11 +4,7 @@ import (
"bufio" "bufio"
"bytes" "bytes"
"crypto/rand" "crypto/rand"
"crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt"
"io/ioutil"
"log" "log"
"math/big" "math/big"
"os" "os"
@ -112,94 +108,6 @@ func RandomString(n int) string {
return string(bytes) return string(bytes)
} }
// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files
// for use with a client.
// The full path to each file must be provided.
// Returns a nil pointer if all files are blank and InsecureSkipVerify=false.
func GetTLSConfig(
SSLCert, SSLKey, SSLCA string,
InsecureSkipVerify bool,
) (*tls.Config, error) {
if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify {
return nil, nil
}
t := &tls.Config{
InsecureSkipVerify: InsecureSkipVerify,
}
if SSLCA != "" {
caCert, err := ioutil.ReadFile(SSLCA)
if err != nil {
return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
err))
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
t.RootCAs = caCertPool
}
if SSLCert != "" && SSLKey != "" {
cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey)
if err != nil {
return nil, errors.New(fmt.Sprintf(
"Could not load TLS client key/certificate from %s:%s: %s",
SSLKey, SSLCert, err))
}
t.Certificates = []tls.Certificate{cert}
t.BuildNameToCertificate()
}
// will be nil by default if nothing is provided
return t, nil
}
// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files
// for use with a server.
// The full path to each file must be provided.
// Returns a nil pointer if all files are blank.
func GetServerTLSConfig(
TLSCert, TLSKey string,
TLSAllowedCACerts []string,
) (*tls.Config, error) {
if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 {
return nil, nil
}
t := &tls.Config{}
if len(TLSAllowedCACerts) != 0 {
caCertPool := x509.NewCertPool()
for _, cert := range TLSAllowedCACerts {
c, err := ioutil.ReadFile(cert)
if err != nil {
return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
err))
}
caCertPool.AppendCertsFromPEM(c)
}
t.ClientCAs = caCertPool
t.ClientAuth = tls.RequireAndVerifyClientCert
}
if TLSCert != "" && TLSKey != "" {
cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey)
if err != nil {
return nil, errors.New(fmt.Sprintf(
"Could not load TLS client key/certificate from %s:%s: %s",
TLSKey, TLSCert, err))
}
t.Certificates = []tls.Certificate{cert}
}
t.BuildNameToCertificate()
return t, nil
}
// SnakeCase converts the given string to snake case following the Golang format: // SnakeCase converts the given string to snake case following the Golang format:
// acronyms are converted to lower-case and preceded by an underscore. // acronyms are converted to lower-case and preceded by an underscore.
func SnakeCase(in string) string { func SnakeCase(in string) string {

130
internal/tls/config.go Normal file
View File

@ -0,0 +1,130 @@
package tls
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
)
// ClientConfig represents the standard client TLS config.
type ClientConfig struct {
TLSCA string `toml:"tls_ca"`
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
// Deprecated in 1.7; use TLS variables above
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_ca"`
}
// ServerConfig represents the standard server TLS config.
type ServerConfig struct {
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
}
// TLSConfig returns a tls.Config, may be nil without error if TLS is not
// configured.
func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
// Support deprecated variable names
if c.TLSCA == "" && c.SSLCA != "" {
c.TLSCA = c.SSLCA
}
if c.TLSCert == "" && c.SSLCert != "" {
c.TLSCert = c.SSLCert
}
if c.TLSKey == "" && c.SSLKey != "" {
c.TLSKey = c.SSLKey
}
// TODO: return default tls.Config; plugins should not call if they don't
// want TLS, this will require using another option to determine. In the
// case of an HTTP plugin, you could use `https`. Other plugins may need
// the dedicated option `TLSEnable`.
if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify {
return nil, nil
}
tlsConfig := &tls.Config{
InsecureSkipVerify: c.InsecureSkipVerify,
Renegotiation: tls.RenegotiateNever,
}
if c.TLSCA != "" {
pool, err := makeCertPool([]string{c.TLSCA})
if err != nil {
return nil, err
}
tlsConfig.RootCAs = pool
}
if c.TLSCert != "" && c.TLSKey != "" {
err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
if err != nil {
return nil, err
}
}
return tlsConfig, nil
}
// TLSConfig returns a tls.Config, may be nil without error if TLS is not
// configured.
func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
if c.TLSCert == "" && c.TLSKey == "" && len(c.TLSAllowedCACerts) == 0 {
return nil, nil
}
tlsConfig := &tls.Config{}
if len(c.TLSAllowedCACerts) != 0 {
pool, err := makeCertPool(c.TLSAllowedCACerts)
if err != nil {
return nil, err
}
tlsConfig.ClientCAs = pool
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
}
if c.TLSCert != "" && c.TLSKey != "" {
err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
if err != nil {
return nil, err
}
}
return tlsConfig, nil
}
func makeCertPool(certFiles []string) (*x509.CertPool, error) {
pool := x509.NewCertPool()
for _, certFile := range certFiles {
pem, err := ioutil.ReadFile(certFile)
if err != nil {
return nil, fmt.Errorf(
"could not read certificate %q: %v", certFile, err)
}
ok := pool.AppendCertsFromPEM(pem)
if !ok {
return nil, fmt.Errorf(
"could not parse any PEM certificates %q: %v", certFile, err)
}
}
return pool, nil
}
func loadCertificate(config *tls.Config, certFile, keyFile string) error {
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return fmt.Errorf(
"could not load keypair %s:%s: %v", certFile, keyFile, err)
}
config.Certificates = []tls.Certificate{cert}
config.BuildNameToCertificate()
return nil
}

226
internal/tls/config_test.go Normal file
View File

@ -0,0 +1,226 @@
package tls_test
import (
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/require"
)
var pki = testutil.NewPKI("../../testutil/pki")
func TestClientConfig(t *testing.T) {
tests := []struct {
name string
client tls.ClientConfig
expNil bool
expErr bool
}{
{
name: "unset",
client: tls.ClientConfig{},
expNil: true,
},
{
name: "success",
client: tls.ClientConfig{
TLSCA: pki.CACertPath(),
TLSCert: pki.ClientCertPath(),
TLSKey: pki.ClientKeyPath(),
},
},
{
name: "invalid ca",
client: tls.ClientConfig{
TLSCA: pki.ClientKeyPath(),
TLSCert: pki.ClientCertPath(),
TLSKey: pki.ClientKeyPath(),
},
expNil: true,
expErr: true,
},
{
name: "missing ca is okay",
client: tls.ClientConfig{
TLSCert: pki.ClientCertPath(),
TLSKey: pki.ClientKeyPath(),
},
},
{
name: "invalid cert",
client: tls.ClientConfig{
TLSCA: pki.CACertPath(),
TLSCert: pki.ClientKeyPath(),
TLSKey: pki.ClientKeyPath(),
},
expNil: true,
expErr: true,
},
{
name: "missing cert skips client keypair",
client: tls.ClientConfig{
TLSCA: pki.CACertPath(),
TLSKey: pki.ClientKeyPath(),
},
expNil: false,
expErr: false,
},
{
name: "missing key skips client keypair",
client: tls.ClientConfig{
TLSCA: pki.CACertPath(),
TLSCert: pki.ClientCertPath(),
},
expNil: false,
expErr: false,
},
{
name: "support deprecated ssl field names",
client: tls.ClientConfig{
SSLCA: pki.CACertPath(),
SSLCert: pki.ClientCertPath(),
SSLKey: pki.ClientKeyPath(),
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tlsConfig, err := tt.client.TLSConfig()
if !tt.expNil {
require.NotNil(t, tlsConfig)
} else {
require.Nil(t, tlsConfig)
}
if !tt.expErr {
require.NoError(t, err)
} else {
require.Error(t, err)
}
})
}
}
func TestServerConfig(t *testing.T) {
tests := []struct {
name string
server tls.ServerConfig
expNil bool
expErr bool
}{
{
name: "unset",
server: tls.ServerConfig{},
expNil: true,
},
{
name: "success",
server: tls.ServerConfig{
TLSCert: pki.ServerCertPath(),
TLSKey: pki.ServerKeyPath(),
TLSAllowedCACerts: []string{pki.CACertPath()},
},
},
{
name: "invalid ca",
server: tls.ServerConfig{
TLSCert: pki.ServerCertPath(),
TLSKey: pki.ServerKeyPath(),
TLSAllowedCACerts: []string{pki.ServerKeyPath()},
},
expNil: true,
expErr: true,
},
{
name: "missing allowed ca is okay",
server: tls.ServerConfig{
TLSCert: pki.ServerCertPath(),
TLSKey: pki.ServerKeyPath(),
},
expNil: true,
expErr: true,
},
{
name: "invalid cert",
server: tls.ServerConfig{
TLSCert: pki.ServerKeyPath(),
TLSKey: pki.ServerKeyPath(),
TLSAllowedCACerts: []string{pki.CACertPath()},
},
expNil: true,
expErr: true,
},
{
name: "missing cert",
server: tls.ServerConfig{
TLSKey: pki.ServerKeyPath(),
TLSAllowedCACerts: []string{pki.CACertPath()},
},
expNil: true,
expErr: true,
},
{
name: "missing key",
server: tls.ServerConfig{
TLSCert: pki.ServerCertPath(),
TLSAllowedCACerts: []string{pki.CACertPath()},
},
expNil: true,
expErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tlsConfig, err := tt.server.TLSConfig()
if !tt.expNil {
require.NotNil(t, tlsConfig)
}
if !tt.expErr {
require.NoError(t, err)
}
})
}
}
func TestConnect(t *testing.T) {
clientConfig := tls.ClientConfig{
TLSCA: pki.CACertPath(),
TLSCert: pki.ClientCertPath(),
TLSKey: pki.ClientKeyPath(),
}
serverConfig := tls.ServerConfig{
TLSCert: pki.ServerCertPath(),
TLSKey: pki.ServerKeyPath(),
TLSAllowedCACerts: []string{pki.CACertPath()},
}
serverTLSConfig, err := serverConfig.TLSConfig()
require.NoError(t, err)
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
ts.TLS = serverTLSConfig
ts.StartTLS()
defer ts.Close()
clientTLSConfig, err := clientConfig.TLSConfig()
require.NoError(t, err)
client := http.Client{
Transport: &http.Transport{
TLSClientConfig: clientTLSConfig,
},
Timeout: 10 * time.Second,
}
resp, err := client.Get(ts.URL)
require.NoError(t, err)
require.Equal(t, 200, resp.StatusCode)
}

10
plugins/inputs/amqp_consumer/README.md
View File

@ -32,11 +32,11 @@ The following defaults are known to work with RabbitMQ:
## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as ## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as
## described here: https://www.rabbitmq.com/plugins.html ## described here: https://www.rabbitmq.com/plugins.html
# auth_method = "PLAIN" # auth_method = "PLAIN"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.

24
plugins/inputs/amqp_consumer/amqp_consumer.go
View File

@ -10,7 +10,7 @@ import (
"github.com/streadway/amqp" "github.com/streadway/amqp"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -31,14 +31,7 @@ type AMQPConsumer struct {
// AMQP Auth method // AMQP Auth method
AuthMethod string AuthMethod string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
parser parsers.Parser parser parsers.Parser
conn *amqp.Connection conn *amqp.Connection
@ -78,11 +71,11 @@ func (a *AMQPConsumer) SampleConfig() string {
## described here: https://www.rabbitmq.com/plugins.html ## described here: https://www.rabbitmq.com/plugins.html
# auth_method = "PLAIN" # auth_method = "PLAIN"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.
@ -108,8 +101,7 @@ func (a *AMQPConsumer) Gather(_ telegraf.Accumulator) error {
func (a *AMQPConsumer) createConfig() (*amqp.Config, error) { func (a *AMQPConsumer) createConfig() (*amqp.Config, error) {
// make new tls config // make new tls config
tls, err := internal.GetTLSConfig( tls, err := a.ClientConfig.TLSConfig()
a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/apache/README.md
View File

@ -21,11 +21,11 @@ Typically, the `mod_status` module is configured to expose a page at the `/serve
## Maximum time to receive response. ## Maximum time to receive response.
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

23
plugins/inputs/apache/apache.go
View File

@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,14 +22,7 @@ type Apache struct {
Username string Username string
Password string Password string
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -46,11 +40,11 @@ var sampleConfig = `
## Maximum time to receive response. ## Maximum time to receive response.
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -98,8 +92,7 @@ func (n *Apache) Gather(acc telegraf.Accumulator) error {
} }
func (n *Apache) createHttpClient() (*http.Client, error) { func (n *Apache) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/consul/README.md
View File

@ -27,11 +27,11 @@ report those stats already using StatsD protocol if needed.
## Data centre to query the health checks from ## Data centre to query the health checks from
# datacentre = "" # datacentre = ""
## SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
``` ```

26
plugins/inputs/consul/consul.go
View File

@ -5,7 +5,7 @@ import (
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -16,15 +16,7 @@ type Consul struct {
Username string Username string
Password string Password string
Datacentre string Datacentre string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// client used to connect to Consul agnet // client used to connect to Consul agnet
client *api.Client client *api.Client
@ -47,11 +39,11 @@ var sampleConfig = `
## Data centre to query the health checks from ## Data centre to query the health checks from
# datacentre = "" # datacentre = ""
## SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
` `
@ -89,9 +81,7 @@ func (c *Consul) createAPIClient() (*api.Client, error) {
} }
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := c.ClientConfig.TLSConfig()
c.SSLCert, c.SSLKey, c.SSLCA, c.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

8
plugins/inputs/dcos/README.md
View File

@ -54,10 +54,10 @@ your database.
## Maximum time to receive a response from cluster. ## Maximum time to receive a response from cluster.
# response_timeout = "20s" # response_timeout = "20s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true

19
plugins/inputs/dcos/client_test.go
View File

@ -9,26 +9,11 @@ import (
"testing" "testing"
jwt "github.com/dgrijalva/jwt-go" jwt "github.com/dgrijalva/jwt-go"
"github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
const ( var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey()
privateKey = `-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj
XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6
4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB
AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4
I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd
bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj
hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD
dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM
PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q
EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub
BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo
Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G
P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge
-----END RSA PRIVATE KEY-----`
)
func TestLogin(t *testing.T) { func TestLogin(t *testing.T) {
ts := httptest.NewServer(http.NotFoundHandler()) ts := httptest.NewServer(http.NotFoundHandler())

18
plugins/inputs/dcos/dcos.go
View File

@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -56,11 +57,7 @@ type DCOS struct {
MaxConnections int MaxConnections int
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
client Client client Client
creds Credentials creds Credentials
@ -107,10 +104,10 @@ var sampleConfig = `
## Maximum time to receive a response from cluster. ## Maximum time to receive a response from cluster.
# response_timeout = "20s" # response_timeout = "20s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
@ -351,8 +348,7 @@ func (d *DCOS) init() error {
} }
func (d *DCOS) createClient() (Client, error) { func (d *DCOS) createClient() (Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := d.ClientConfig.TLSConfig()
d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/docker/README.md
View File

@ -53,11 +53,11 @@ to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.24/)
## Which environment variables should we use as a tag ## Which environment variables should we use as a tag
tag_env = ["JAVA_HOME", "HEAP_SIZE"] tag_env = ["JAVA_HOME", "HEAP_SIZE"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

19
plugins/inputs/docker/docker.go
View File

@ -20,6 +20,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -43,10 +44,7 @@ type Docker struct {
ContainerStateInclude []string `toml:"container_state_include"` ContainerStateInclude []string `toml:"container_state_include"`
ContainerStateExclude []string `toml:"container_state_exclude"` ContainerStateExclude []string `toml:"container_state_exclude"`
SSLCA string `toml:"ssl_ca"` tlsint.ClientConfig
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
newEnvClient func() (Client, error) newEnvClient func() (Client, error)
newClient func(string, *tls.Config) (Client, error) newClient func(string, *tls.Config) (Client, error)
@ -115,11 +113,11 @@ var sampleConfig = `
docker_label_include = [] docker_label_include = []
docker_label_exclude = [] docker_label_exclude = []
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -136,8 +134,7 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error {
if d.Endpoint == "ENV" { if d.Endpoint == "ENV" {
c, err = d.newEnvClient() c, err = d.newEnvClient()
} else { } else {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := d.ClientConfig.TLSConfig()
d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/elasticsearch/README.md
View File

@ -38,11 +38,11 @@ or [cluster-stats](https://www.elastic.co/guide/en/elasticsearch/reference/curre
## "breaker". Per default, all stats are gathered. ## "breaker". Per default, all stats are gathered.
# node_stats = ["jvm", "http"] # node_stats = ["jvm", "http"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

42
plugins/inputs/elasticsearch/elasticsearch.go
View File

@ -3,16 +3,18 @@ package elasticsearch
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"regexp" "regexp"
"strings" "strings"
"sync" "sync"
"time" "time"
"github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
) )
// mask for masking username/password from error messages // mask for masking username/password from error messages
@ -108,28 +110,26 @@ const sampleConfig = `
## "breaker". Per default, all stats are gathered. ## "breaker". Per default, all stats are gathered.
# node_stats = ["jvm", "http"] # node_stats = ["jvm", "http"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
// Elasticsearch is a plugin to read stats from one or many Elasticsearch // Elasticsearch is a plugin to read stats from one or many Elasticsearch
// servers. // servers.
type Elasticsearch struct { type Elasticsearch struct {
Local bool Local bool
Servers []string Servers []string
HttpTimeout internal.Duration HttpTimeout internal.Duration
ClusterHealth bool ClusterHealth bool
ClusterHealthLevel string ClusterHealthLevel string
ClusterStats bool ClusterStats bool
NodeStats []string NodeStats []string
SSLCA string `toml:"ssl_ca"` // Path to CA file tls.ClientConfig
SSLCert string `toml:"ssl_cert"` // Path to host cert file
SSLKey string `toml:"ssl_key"` // Path to cert key file
InsecureSkipVerify bool // Use SSL but skip chain & host verification
client *http.Client client *http.Client
catMasterResponseTokens []string catMasterResponseTokens []string
isMaster bool isMaster bool
@ -227,7 +227,7 @@ func (e *Elasticsearch) Gather(acc telegraf.Accumulator) error {
} }
func (e *Elasticsearch) createHttpClient() (*http.Client, error) { func (e *Elasticsearch) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig(e.SSLCert, e.SSLKey, e.SSLCA, e.InsecureSkipVerify) tlsCfg, err := e.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/graylog/README.md
View File

@ -44,11 +44,11 @@ Note: if namespace end point specified metrics array will be ignored for that ca
username = "" username = ""
password = "" password = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

25
plugins/inputs/graylog/graylog.go
View File

@ -14,7 +14,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -35,15 +35,7 @@ type GrayLog struct {
Metrics []string Metrics []string
Username string Username string
Password string Password string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client HTTPClient client HTTPClient
} }
@ -111,11 +103,11 @@ var sampleConfig = `
username = "" username = ""
password = "" password = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -132,8 +124,7 @@ func (h *GrayLog) Gather(acc telegraf.Accumulator) error {
var wg sync.WaitGroup var wg sync.WaitGroup
if h.client.HTTPClient() == nil { if h.client.HTTPClient() == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/haproxy/README.md
View File

@ -28,11 +28,11 @@ or [HTTP statistics page](https://cbonte.github.io/haproxy-dconv/1.9/management.
## field names. ## field names.
# keep_field_names = false # keep_field_names = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

30
plugins/inputs/haproxy/haproxy.go
View File

@ -14,27 +14,18 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
//CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1 //CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1
type haproxy struct { type haproxy struct {
Servers []string Servers []string
KeepFieldNames bool
tls.ClientConfig
client *http.Client client *http.Client
KeepFieldNames bool
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
} }
var sampleConfig = ` var sampleConfig = `
@ -56,11 +47,11 @@ var sampleConfig = `
## field names. ## field names.
# keep_field_names = false # keep_field_names = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -144,8 +135,7 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error {
} }
if g.client == nil { if g.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := g.ClientConfig.TLSConfig()
g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/http/README.md
View File

@ -23,11 +23,11 @@ The HTTP input plugin collects metrics from one or more HTTP(S) endpoints. The
# username = "username" # username = "username"
# password = "pa$$word" # password = "pa$$word"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Amount of time allowed to complete the HTTP request ## Amount of time allowed to complete the HTTP request

24
plugins/inputs/http/http.go
View File

@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -24,15 +25,7 @@ type HTTP struct {
// HTTP Basic Auth Credentials // HTTP Basic Auth Credentials
Username string Username string
Password string Password string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Timeout internal.Duration Timeout internal.Duration
@ -62,11 +55,11 @@ var sampleConfig = `
## Tag all metrics with the url ## Tag all metrics with the url
# tag_url = true # tag_url = true
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Amount of time allowed to complete the HTTP request ## Amount of time allowed to complete the HTTP request
@ -97,8 +90,7 @@ func (h *HTTP) Gather(acc telegraf.Accumulator) error {
} }
if h.client == nil { if h.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

45
plugins/inputs/http_listener/http_listener.go
View File

@ -5,9 +5,7 @@ import (
"compress/gzip" "compress/gzip"
"crypto/subtle" "crypto/subtle"
"crypto/tls" "crypto/tls"
"crypto/x509"
"io" "io"
"io/ioutil"
"log" "log"
"net" "net"
"net/http" "net/http"
@ -16,6 +14,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/plugins/parsers/influx"
"github.com/influxdata/telegraf/selfstat" "github.com/influxdata/telegraf/selfstat"
@ -43,9 +42,7 @@ type HTTPListener struct {
MaxLineSize int MaxLineSize int
Port int Port int
TlsAllowedCacerts []string tlsint.ServerConfig
TlsCert string
TlsKey string
BasicUsername string BasicUsername string
BasicPassword string BasicPassword string
@ -158,7 +155,10 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error {
h.acc = acc h.acc = acc
h.pool = NewPool(200, h.MaxLineSize) h.pool = NewPool(200, h.MaxLineSize)
tlsConf := h.getTLSConfig() tlsConf, err := h.ServerConfig.TLSConfig()
if err != nil {
return err
}
server := &http.Server{ server := &http.Server{
Addr: h.ServiceAddress, Addr: h.ServiceAddress,
@ -168,7 +168,6 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error {
TLSConfig: tlsConf, TLSConfig: tlsConf,
} }
var err error
var listener net.Listener var listener net.Listener
if tlsConf != nil { if tlsConf != nil {
listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf) listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf)
@ -372,38 +371,6 @@ func badRequest(res http.ResponseWriter) {
res.Write([]byte(`{"error":"http: bad request"}`)) res.Write([]byte(`{"error":"http: bad request"}`))
} }
func (h *HTTPListener) getTLSConfig() *tls.Config {
tlsConf := &tls.Config{
InsecureSkipVerify: false,
Renegotiation: tls.RenegotiateNever,
}
if len(h.TlsCert) == 0 || len(h.TlsKey) == 0 {
return nil
}
cert, err := tls.LoadX509KeyPair(h.TlsCert, h.TlsKey)
if err != nil {
return nil
}
tlsConf.Certificates = []tls.Certificate{cert}
if h.TlsAllowedCacerts != nil {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
clientPool := x509.NewCertPool()
for _, ca := range h.TlsAllowedCacerts {
c, err := ioutil.ReadFile(ca)
if err != nil {
continue
}
clientPool.AppendCertsFromPEM(c)
}
tlsConf.ClientCAs = clientPool
}
return tlsConf
}
func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) { func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) {
if h.BasicUsername != "" && h.BasicPassword != "" { if h.BasicUsername != "" && h.BasicPassword != "" {
reqUsername, reqPassword, ok := req.BasicAuth() reqUsername, reqPassword, ok := req.BasicAuth()

154
plugins/inputs/http_listener/http_listener_test.go
View File

@ -4,7 +4,6 @@ import (
"bytes" "bytes"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
@ -34,86 +33,12 @@ cpu_load_short,host=server06 value=12.0 1422568543702900257
emptyMsg = "" emptyMsg = ""
serviceRootPEM = `-----BEGIN CERTIFICATE-----
MIIBxzCCATCgAwIBAgIJAJb7HqN2BzWWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC1RlbGVncmFmIENBMB4XDTE3MTEwNDA0MzEwN1oXDTI3MTEwMjA0MzEwN1ow
FjEUMBIGA1UEAwwLVGVsZWdyYWYgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBANbkUkK6JQC3rbLcXhLJTS9SX6uXyFwl7bUfpAN5Hm5EqfvG3PnLrogfTGLr
Tq5CRAu/gbbdcMoL9TLv/aaDVnrpV0FslKhqYmkOgT28bdmA7Qtr539aQpMKCfcW
WCnoMcBD5u5h9MsRqpdq+0Mjlsf1H2hSf07jHk5R1T4l8RMXAgMBAAGjHTAbMAwG
A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBANSrwvpU
t8ihIhpHqgJZ34DM92CZZ3ZHmH/KyqlnuGzjjpnVZiXVrLDTOzrA0ziVhmefY29w
roHjENbFm54HW97ogxeURuO8HRHIVh2U0rkyVxOfGZiUdINHqsZdSnDY07bzCtSr
Z/KsfWXM5llD1Ig1FyBHpKjyUvfzr73sjm/4
-----END CERTIFICATE-----`
serviceCertPEM = `-----BEGIN CERTIFICATE-----
MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl
Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBQxEjAQBgNV
BAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsJRss1af
XKrcIjQoAp2kdJIpT2Ya+MRQXJ18b0PP7szh2lisY11kd/HCkd4D4efuIkpszHaN
xwyTOZLOoplxp6fizzgOYjXsJ6SzbO1MQNmq8Ch/+uKiGgFwLX+YxOOsGSDIHNhF
vcBi93cQtCWPBFz6QRQf9yfIAA5KKxUfJcMCAwEAAaMvMC0wCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD
gYEAiC3WI4y9vfYz53gw7FKnNK7BBdwRc43x7Pd+5J/cclWyUZPdmcj1UNmv/3rj
2qcMmX06UdgPoHppzNAJePvMVk0vjMBUe9MmYlafMz0h4ma/it5iuldXwmejFcdL
6wWQp7gVTileCEmq9sNvfQN1FmT3EWf4IMdO2MNat/1If0g=
-----END CERTIFICATE-----`
serviceKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj
XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6
4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB
AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4
I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd
bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj
hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD
dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM
PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q
EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub
BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo
Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G
P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge
-----END RSA PRIVATE KEY-----`
clientRootPEM = serviceRootPEM
clientCertPEM = `-----BEGIN CERTIFICATE-----
MIIBzjCCATegAwIBAgIBAjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl
Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBMxETAPBgNV
BAMMCHRlbGVncmFmMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP2IMqyOqI
sJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqMpBUTj3vLlOzsHfVVot1WRqc6
3esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4UkJBWim8ArSbFqnZjcR19G3tG
LUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQABoy8wLTAJBgNVHRMEAjAAMAsG
A1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOB
gQCHxMk38XNxL9nPFBYo3JqITJCFswu6/NLHwDBXCuZKl53rUuFWduiO+1OuScKQ
sQ79W0jHsWRKGOUFrF5/Gdnh8AlkVaITVlcmhdAOFCEbeGpeEvLuuK6grckPitxy
bRF5oM4TCLKKAha60Ir41rk2bomZM9+NZu+Bm+csDqCoxQ==
-----END CERTIFICATE-----`
clientKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDP2IMqyOqIsJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqM
pBUTj3vLlOzsHfVVot1WRqc63esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4U
kJBWim8ArSbFqnZjcR19G3tGLUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQAB
AoGAFzb/r4+xYoMXEfgq5ZvXXTCY5cVNpR6+jCsqqYODPnn9XRLeCsdo8z5bfWms
7NKLzHzca/6IPzL6Rf3vOxFq1YyIZfYVHH+d63/9blAm3Iajjp1W2yW5aj9BJjTb
nm6F0RfuW/SjrZ9IXxTZhSpCklPmUzVZpzvwV3KGeVTVCEECQQDoavCeOwLuqDpt
0aM9GMFUpOU7kLPDuicSwCDaTae4kN2rS17Zki41YXe8A8+509IEN7mK09Vq9HxY
SX6EmV1FAkEA5O9QcCHEa8P12EmUC8oqD2bjq6o7JjUIRlKinwZTlooMJYZw98gA
FVSngTUvLVCVIvSdjldXPOGgfYiccTZrFwJAfHS3gKOtAEuJbkEyHodhD4h1UB4+
hPLr9Xh4ny2yQH0ilpV3px5GLEOTMFUCKUoqTiPg8VxaDjn5U/WXED5n2QJAR4J1
NsFlcGACj+/TvacFYlA6N2nyFeokzoqLX28Ddxdh2erXqJ4hYIhT1ik9tkLggs2z
1T1084BquCuO6lIcOwJBALX4xChoMUF9k0IxSQzlz//seQYDkQNsE7y9IgAOXkzp
RaR4pzgPbnKj7atG+2dBnffWfE+1Mcy0INDAO6WxPg0=
-----END RSA PRIVATE KEY-----`
basicUsername = "test-username-please-ignore" basicUsername = "test-username-please-ignore"
basicPassword = "super-secure-password!" basicPassword = "super-secure-password!"
) )
var ( var (
initClient sync.Once pki = testutil.NewPKI("../../../testutil/pki")
client *http.Client
initServiceCertFiles sync.Once
allowedCAFiles []string
serviceCAFiles []string
serviceCertFile string
serviceKeyFile string
) )
func newTestHTTPListener() *HTTPListener { func newTestHTTPListener() *HTTPListener {
@ -132,74 +57,25 @@ func newTestHTTPAuthListener() *HTTPListener {
} }
func newTestHTTPSListener() *HTTPListener { func newTestHTTPSListener() *HTTPListener {
initServiceCertFiles.Do(func() {
acaf, err := ioutil.TempFile("", "allowedCAFile.crt")
if err != nil {
panic(err)
}
defer acaf.Close()
_, err = io.Copy(acaf, bytes.NewReader([]byte(clientRootPEM)))
allowedCAFiles = []string{acaf.Name()}
scaf, err := ioutil.TempFile("", "serviceCAFile.crt")
if err != nil {
panic(err)
}
defer scaf.Close()
_, err = io.Copy(scaf, bytes.NewReader([]byte(serviceRootPEM)))
serviceCAFiles = []string{scaf.Name()}
scf, err := ioutil.TempFile("", "serviceCertFile.crt")
if err != nil {
panic(err)
}
defer scf.Close()
_, err = io.Copy(scf, bytes.NewReader([]byte(serviceCertPEM)))
serviceCertFile = scf.Name()
skf, err := ioutil.TempFile("", "serviceKeyFile.crt")
if err != nil {
panic(err)
}
defer skf.Close()
_, err = io.Copy(skf, bytes.NewReader([]byte(serviceKeyPEM)))
serviceKeyFile = skf.Name()
})
listener := &HTTPListener{ listener := &HTTPListener{
ServiceAddress: "localhost:0", ServiceAddress: "localhost:0",
TlsAllowedCacerts: allowedCAFiles, ServerConfig: *pki.TLSServerConfig(),
TlsCert: serviceCertFile, TimeFunc: time.Now,
TlsKey: serviceKeyFile,
TimeFunc: time.Now,
} }
return listener return listener
} }
func getHTTPSClient() *http.Client { func getHTTPSClient() *http.Client {
initClient.Do(func() { tlsConfig, err := pki.TLSClientConfig().TLSConfig()
cas := x509.NewCertPool() if err != nil {
cas.AppendCertsFromPEM([]byte(serviceRootPEM)) panic(err)
clientCert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM)) }
if err != nil { return &http.Client{
panic(err) Transport: &http.Transport{
} TLSClientConfig: tlsConfig,
client = &http.Client{ },
Transport: &http.Transport{ }
TLSClientConfig: &tls.Config{
RootCAs: cas,
Certificates: []tls.Certificate{clientCert},
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Renegotiation: tls.RenegotiateNever,
InsecureSkipVerify: false,
},
},
}
})
return client
} }
func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string { func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string {
@ -214,14 +90,14 @@ func createURL(listener *HTTPListener, scheme string, path string, rawquery stri
func TestWriteHTTPSNoClientAuth(t *testing.T) { func TestWriteHTTPSNoClientAuth(t *testing.T) {
listener := newTestHTTPSListener() listener := newTestHTTPSListener()
listener.TlsAllowedCacerts = nil listener.TLSAllowedCACerts = nil
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
require.NoError(t, listener.Start(acc)) require.NoError(t, listener.Start(acc))
defer listener.Stop() defer listener.Stop()
cas := x509.NewCertPool() cas := x509.NewCertPool()
cas.AppendCertsFromPEM([]byte(serviceRootPEM)) cas.AppendCertsFromPEM([]byte(pki.ReadServerCert()))
noClientAuthClient := &http.Client{ noClientAuthClient := &http.Client{
Transport: &http.Transport{ Transport: &http.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{

10
plugins/inputs/http_response/README.md
View File

@ -32,11 +32,11 @@ This input plugin checks HTTP/HTTPS connections.
# response_string_match = "ok" # response_string_match = "ok"
# response_string_match = "\".*_status\".?:.?\"up\"" # response_string_match = "\".*_status\".?:.?\"up\""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Headers (all values must be strings) ## HTTP Request Headers (all values must be strings)

24
plugins/inputs/http_response/http_response.go
View File

@ -16,6 +16,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -29,15 +30,7 @@ type HTTPResponse struct {
Headers map[string]string Headers map[string]string
FollowRedirects bool FollowRedirects bool
ResponseStringMatch string ResponseStringMatch string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
compiledStringMatch *regexp.Regexp compiledStringMatch *regexp.Regexp
client *http.Client client *http.Client
@ -74,11 +67,11 @@ var sampleConfig = `
# response_string_match = "ok" # response_string_match = "ok"
# response_string_match = "\".*_status\".?:.?\"up\"" # response_string_match = "\".*_status\".?:.?\"up\""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Headers (all values must be strings) ## HTTP Request Headers (all values must be strings)
@ -113,8 +106,7 @@ func getProxyFunc(http_proxy string) func(*http.Request) (*url.URL, error) {
// CreateHttpClient creates an http client which will timeout at the specified // CreateHttpClient creates an http client which will timeout at the specified
// timeout period and can follow redirects if specified // timeout period and can follow redirects if specified
func (h *HTTPResponse) createHttpClient() (*http.Client, error) { func (h *HTTPResponse) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/httpjson/README.md
View File

@ -34,11 +34,11 @@ Deprecated (1.6): use the [http](../http) input.
# "my_tag_2" # "my_tag_2"
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Request Parameters (all values must be strings). For "GET" requests, data ## HTTP Request Parameters (all values must be strings). For "GET" requests, data

24
plugins/inputs/httpjson/httpjson.go
View File

@ -12,6 +12,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -29,15 +30,7 @@ type HttpJson struct {
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
Parameters map[string]string Parameters map[string]string
Headers map[string]string Headers map[string]string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client HTTPClient client HTTPClient
} }
@ -100,11 +93,11 @@ var sampleConfig = `
# "my_tag_2" # "my_tag_2"
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP parameters (all values must be strings). For "GET" requests, data ## HTTP parameters (all values must be strings). For "GET" requests, data
@ -133,8 +126,7 @@ func (h *HttpJson) Gather(acc telegraf.Accumulator) error {
var wg sync.WaitGroup var wg sync.WaitGroup
if h.client.HTTPClient() == nil { if h.client.HTTPClient() == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := h.ClientConfig.TLSConfig()
h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/influxdb/README.md
View File

@ -20,11 +20,11 @@ InfluxDB-formatted endpoints. See below for more information.
"http://localhost:8086/debug/vars" "http://localhost:8086/debug/vars"
] ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## http request & header timeout ## http request & header timeout

26
plugins/inputs/influxdb/influxdb.go
View File

@ -10,21 +10,14 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
type InfluxDB struct { type InfluxDB struct {
URLs []string `toml:"urls"` URLs []string `toml:"urls"`
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
client *http.Client client *http.Client
} }
@ -45,11 +38,11 @@ func (*InfluxDB) SampleConfig() string {
"http://localhost:8086/debug/vars" "http://localhost:8086/debug/vars"
] ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## http request & header timeout ## http request & header timeout
@ -63,8 +56,7 @@ func (i *InfluxDB) Gather(acc telegraf.Accumulator) error {
} }
if i.client == nil { if i.client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := i.ClientConfig.TLSConfig()
i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

16
plugins/inputs/jolokia2/README.md
View File

@ -18,14 +18,14 @@ The `jolokia2_agent` input plugin reads JMX metrics from one or more [Jolokia ag
paths = ["Uptime"] paths = ["Uptime"]
``` ```
Optionally, specify SSL options for communicating with agents: Optionally, specify TLS options for communicating with agents:
```toml ```toml
[[inputs.jolokia2_agent]] [[inputs.jolokia2_agent]]
urls = ["https://agent:8080/jolokia"] urls = ["https://agent:8080/jolokia"]
ssl_ca = "/var/private/ca.pem" tls_ca = "/var/private/ca.pem"
ssl_cert = "/var/private/client.pem" tls_cert = "/var/private/client.pem"
ssl_key = "/var/private/client-key.pem" tls_key = "/var/private/client-key.pem"
#insecure_skip_verify = false #insecure_skip_verify = false
[[inputs.jolokia2_agent.metric]] [[inputs.jolokia2_agent.metric]]
@ -55,15 +55,15 @@ The `jolokia2_proxy` input plugin reads JMX metrics from one or more _targets_ b
paths = ["Uptime"] paths = ["Uptime"]
``` ```
Optionally, specify SSL options for communicating with proxies: Optionally, specify TLS options for communicating with proxies:
```toml ```toml
[[inputs.jolokia2_proxy]] [[inputs.jolokia2_proxy]]
url = "https://proxy:8080/jolokia" url = "https://proxy:8080/jolokia"
ssl_ca = "/var/private/ca.pem" tls_ca = "/var/private/ca.pem"
ssl_cert = "/var/private/client.pem" tls_cert = "/var/private/client.pem"
ssl_key = "/var/private/client-key.pem" tls_key = "/var/private/client-key.pem"
#insecure_skip_verify = false #insecure_skip_verify = false
#default_target_username = "" #default_target_username = ""

19
plugins/inputs/jolokia2/client.go
View File

@ -10,7 +10,7 @@ import (
"path" "path"
"time" "time"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
) )
type Client struct { type Client struct {
@ -20,15 +20,11 @@ type Client struct {
} }
type ClientConfig struct { type ClientConfig struct {
ResponseTimeout time.Duration ResponseTimeout time.Duration
Username string Username string
Password string Password string
SSLCA string ProxyConfig *ProxyConfig
SSLCert string tls.ClientConfig
SSLKey string
InsecureSkipVerify bool
ProxyConfig *ProxyConfig
} }
type ProxyConfig struct { type ProxyConfig struct {
@ -100,8 +96,7 @@ type jolokiaResponse struct {
} }
func NewClient(url string, config *ClientConfig) (*Client, error) { func NewClient(url string, config *ClientConfig) (*Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := config.ClientConfig.TLSConfig()
config.SSLCert, config.SSLKey, config.SSLCA, config.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

25
plugins/inputs/jolokia2/jolokia_agent.go
View File

@ -6,6 +6,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal/tls"
) )
type JolokiaAgent struct { type JolokiaAgent struct {
@ -18,10 +19,7 @@ type JolokiaAgent struct {
Password string Password string
ResponseTimeout time.Duration `toml:"response_timeout"` ResponseTimeout time.Duration `toml:"response_timeout"`
SSLCA string `toml:"ssl_ca"` tls.ClientConfig
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
Metrics []MetricConfig `toml:"metric"` Metrics []MetricConfig `toml:"metric"`
gatherer *Gatherer gatherer *Gatherer
@ -39,10 +37,10 @@ func (ja *JolokiaAgent) SampleConfig() string {
# password = "" # password = ""
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL config ## Optional TLS config
# ssl_ca = "/var/private/ca.pem" # tls_ca = "/var/private/ca.pem"
# ssl_cert = "/var/private/client.pem" # tls_cert = "/var/private/client.pem"
# ssl_key = "/var/private/client-key.pem" # tls_key = "/var/private/client-key.pem"
# insecure_skip_verify = false # insecure_skip_verify = false
## Add metrics to read ## Add metrics to read
@ -101,12 +99,9 @@ func (ja *JolokiaAgent) createMetrics() []Metric {
func (ja *JolokiaAgent) createClient(url string) (*Client, error) { func (ja *JolokiaAgent) createClient(url string) (*Client, error) {
return NewClient(url, &ClientConfig{ return NewClient(url, &ClientConfig{
Username: ja.Username, Username: ja.Username,
Password: ja.Password, Password: ja.Password,
ResponseTimeout: ja.ResponseTimeout, ResponseTimeout: ja.ResponseTimeout,
SSLCA: ja.SSLCA, ClientConfig: ja.ClientConfig,
SSLCert: ja.SSLCert,
SSLKey: ja.SSLKey,
InsecureSkipVerify: ja.InsecureSkipVerify,
}) })
} }

33
plugins/inputs/jolokia2/jolokia_proxy.go
View File

@ -4,6 +4,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal/tls"
) )
type JolokiaProxy struct { type JolokiaProxy struct {
@ -16,13 +17,10 @@ type JolokiaProxy struct {
DefaultTargetUsername string DefaultTargetUsername string
Targets []JolokiaProxyTargetConfig `toml:"target"` Targets []JolokiaProxyTargetConfig `toml:"target"`
Username string Username string
Password string Password string
SSLCA string `toml:"ssl_ca"` ResponseTimeout time.Duration `toml:"response_timeout"`
SSLCert string `toml:"ssl_cert"` tls.ClientConfig
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
ResponseTimeout time.Duration `toml:"response_timeout"`
Metrics []MetricConfig `toml:"metric"` Metrics []MetricConfig `toml:"metric"`
client *Client client *Client
@ -47,10 +45,10 @@ func (jp *JolokiaProxy) SampleConfig() string {
# password = "" # password = ""
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL config ## Optional TLS config
# ssl_ca = "/var/private/ca.pem" # tls_ca = "/var/private/ca.pem"
# ssl_cert = "/var/private/client.pem" # tls_cert = "/var/private/client.pem"
# ssl_key = "/var/private/client-key.pem" # tls_key = "/var/private/client-key.pem"
# insecure_skip_verify = false # insecure_skip_verify = false
## Add proxy targets to query ## Add proxy targets to query
@ -117,13 +115,10 @@ func (jp *JolokiaProxy) createClient() (*Client, error) {
} }
return NewClient(jp.URL, &ClientConfig{ return NewClient(jp.URL, &ClientConfig{
Username: jp.Username, Username: jp.Username,
Password: jp.Password, Password: jp.Password,
ResponseTimeout: jp.ResponseTimeout, ResponseTimeout: jp.ResponseTimeout,
SSLCA: jp.SSLCA, ClientConfig: jp.ClientConfig,
SSLCert: jp.SSLCert, ProxyConfig: proxyConfig,
SSLKey: jp.SSLKey,
InsecureSkipVerify: jp.InsecureSkipVerify,
ProxyConfig: proxyConfig,
}) })
} }

10
plugins/inputs/kafka_consumer/README.md
View File

@ -22,11 +22,11 @@ and use the old zookeeper connection method.
## Offset (must be either "oldest" or "newest") ## Offset (must be either "oldest" or "newest")
offset = "oldest" offset = "oldest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config

24
plugins/inputs/kafka_consumer/kafka_consumer.go
View File

@ -7,7 +7,7 @@ import (
"sync" "sync"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
@ -23,14 +23,7 @@ type Kafka struct {
Cluster *cluster.Consumer Cluster *cluster.Consumer
// Verify Kafka SSL Certificate tls.ClientConfig
InsecureSkipVerify bool
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// SASL Username // SASL Username
SASLUsername string `toml:"sasl_username"` SASLUsername string `toml:"sasl_username"`
@ -67,11 +60,11 @@ var sampleConfig = `
## topic(s) to consume ## topic(s) to consume
topics = ["telegraf"] topics = ["telegraf"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config
@ -116,8 +109,7 @@ func (k *Kafka) Start(acc telegraf.Accumulator) error {
config := cluster.NewConfig() config := cluster.NewConfig()
config.Consumer.Return.Errors = true config.Consumer.Return.Errors = true
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/kapacitor/README.md
View File

@ -15,11 +15,11 @@ The Kapacitor plugin will collect metrics from the given Kapacitor instances.
## Time limit for http requests ## Time limit for http requests
timeout = "5s" timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

27
plugins/inputs/kapacitor/kapacitor.go
View File

@ -9,6 +9,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -17,18 +18,9 @@ const (
) )
type Kapacitor struct { type Kapacitor struct {
URLs []string `toml:"urls"` URLs []string `toml:"urls"`
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -48,11 +40,11 @@ func (*Kapacitor) SampleConfig() string {
## Time limit for http requests ## Time limit for http requests
timeout = "5s" timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
} }
@ -82,8 +74,7 @@ func (k *Kapacitor) Gather(acc telegraf.Accumulator) error {
} }
func (k *Kapacitor) createHttpClient() (*http.Client, error) { func (k *Kapacitor) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

24
plugins/inputs/kubernetes/kubernetes.go
View File

@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,18 +22,11 @@ type Kubernetes struct {
// Bearer Token authorization file path // Bearer Token authorization file path
BearerToken string `toml:"bearer_token"` BearerToken string `toml:"bearer_token"`
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// HTTP Timeout specified as a string - 3s, 1m, 1h // HTTP Timeout specified as a string - 3s, 1m, 1h
ResponseTimeout internal.Duration ResponseTimeout internal.Duration
tls.ClientConfig
RoundTripper http.RoundTripper RoundTripper http.RoundTripper
} }
@ -46,11 +40,11 @@ var sampleConfig = `
## Set response_timeout (default 5 seconds) ## Set response_timeout (default 5 seconds)
# response_timeout = "5s" # response_timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -101,7 +95,7 @@ func (k *Kubernetes) gatherSummary(baseURL string, acc telegraf.Accumulator) err
var token []byte var token []byte
var resp *http.Response var resp *http.Response
tlsCfg, err := internal.GetTLSConfig(k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) tlsCfg, err := k.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/mesos/README.md
View File

@ -36,11 +36,11 @@ For more information, please check the [Mesos Observability Metrics](http://meso
# "messages", # "messages",
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

25
plugins/inputs/mesos/mesos.go
View File

@ -14,7 +14,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" jsonparser "github.com/influxdata/telegraf/plugins/parsers/json"
) )
@ -33,15 +33,7 @@ type Mesos struct {
Slaves []string Slaves []string
SlaveCols []string `toml:"slave_collections"` SlaveCols []string `toml:"slave_collections"`
//SlaveTasks bool //SlaveTasks bool
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
initialized bool initialized bool
client *http.Client client *http.Client
@ -83,11 +75,11 @@ var sampleConfig = `
# "messages", # "messages",
# ] # ]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -216,8 +208,7 @@ func (m *Mesos) Gather(acc telegraf.Accumulator) error {
} }
func (m *Mesos) createHttpClient() (*http.Client, error) { func (m *Mesos) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/mongodb/README.md
View File

@ -14,11 +14,11 @@
## When true, collect per database stats ## When true, collect per database stats
# gather_perdb_stats = false # gather_perdb_stats = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

27
plugins/inputs/mongodb/mongodb.go
View File

@ -12,7 +12,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"gopkg.in/mgo.v2" "gopkg.in/mgo.v2"
) )
@ -22,15 +22,7 @@ type MongoDB struct {
Ssl Ssl Ssl Ssl
mongos map[string]*Server mongos map[string]*Server
GatherPerdbStats bool GatherPerdbStats bool
tlsint.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
} }
type Ssl struct { type Ssl struct {
@ -49,11 +41,11 @@ var sampleConfig = `
## When true, collect per database stats ## When true, collect per database stats
# gather_perdb_stats = false # gather_perdb_stats = false
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -134,7 +126,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
var tlsConfig *tls.Config var tlsConfig *tls.Config
if m.Ssl.Enabled { if m.Ssl.Enabled {
// Deprecated SSL config // Deprecated TLS config
tlsConfig = &tls.Config{} tlsConfig = &tls.Config{}
if len(m.Ssl.CaCerts) > 0 { if len(m.Ssl.CaCerts) > 0 {
roots := x509.NewCertPool() roots := x509.NewCertPool()
@ -149,8 +141,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
tlsConfig.InsecureSkipVerify = true tlsConfig.InsecureSkipVerify = true
} }
} else { } else {
tlsConfig, err = internal.GetTLSConfig( tlsConfig, err = m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/inputs/mqtt_consumer/README.md
View File

@ -36,11 +36,11 @@ The plugin expects messages in the
# username = "telegraf" # username = "telegraf"
# password = "metricsmetricsmetricsmetrics" # password = "metricsmetricsmetricsmetrics"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.

24
plugins/inputs/mqtt_consumer/mqtt_consumer.go
View File

@ -9,6 +9,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
@ -33,15 +34,7 @@ type MQTTConsumer struct {
PersistentSession bool PersistentSession bool
ClientID string `toml:"client_id"` ClientID string `toml:"client_id"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
sync.Mutex sync.Mutex
client mqtt.Client client mqtt.Client
@ -83,11 +76,11 @@ var sampleConfig = `
# username = "telegraf" # username = "telegraf"
# password = "metricsmetricsmetricsmetrics" # password = "metricsmetricsmetricsmetrics"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to consume. ## Data format to consume.
@ -236,8 +229,7 @@ func (m *MQTTConsumer) createOpts() (*mqtt.ClientOptions, error) {
opts.SetClientID(m.ClientID) opts.SetClientID(m.ClientID)
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

8
plugins/inputs/mysql/README.md
View File

@ -82,10 +82,10 @@ This plugin gathers the statistic data from MySQL server
## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
interval_slow = "30m" interval_slow = "30m"
## Optional SSL Config (will be used if tls=custom parameter specified in server uri) ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
ssl_ca = "/etc/telegraf/ca.pem" tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" tls_cert = "/etc/telegraf/cert.pem"
ssl_key = "/etc/telegraf/key.pem" tls_key = "/etc/telegraf/key.pem"
``` ```
#### Metric Version #### Metric Version

18
plugins/inputs/mysql/mysql.go
View File

@ -11,7 +11,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/inputs/mysql/v1" "github.com/influxdata/telegraf/plugins/inputs/mysql/v1"
@ -38,10 +38,8 @@ type Mysql struct {
GatherFileEventsStats bool `toml:"gather_file_events_stats"` GatherFileEventsStats bool `toml:"gather_file_events_stats"`
GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"` GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"`
IntervalSlow string `toml:"interval_slow"` IntervalSlow string `toml:"interval_slow"`
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
MetricVersion int `toml:"metric_version"` MetricVersion int `toml:"metric_version"`
tls.ClientConfig
} }
var sampleConfig = ` var sampleConfig = `
@ -118,10 +116,12 @@ var sampleConfig = `
## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
interval_slow = "30m" interval_slow = "30m"
## Optional SSL Config (will be used if tls=custom parameter specified in server uri) ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false
` `
var defaultTimeout = time.Second * time.Duration(5) var defaultTimeout = time.Second * time.Duration(5)
@ -161,7 +161,7 @@ func (m *Mysql) Gather(acc telegraf.Accumulator) error {
m.InitMysql() m.InitMysql()
} }
tlsConfig, err := internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false) tlsConfig, err := m.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return fmt.Errorf("registering TLS config: %s", err) return fmt.Errorf("registering TLS config: %s", err)
} }

10
plugins/inputs/nginx/README.md
View File

@ -8,11 +8,11 @@
## An array of Nginx stub_status URI to gather stats. ## An array of Nginx stub_status URI to gather stats.
urls = ["http://localhost/server_status"] urls = ["http://localhost/server_status"]
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP response timeout (default: 5s) ## HTTP response timeout (default: 5s)

29
plugins/inputs/nginx/nginx.go
View File

@ -13,34 +13,28 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
type Nginx struct { type Nginx struct {
// List of status URLs Urls []string
Urls []string ResponseTimeout internal.Duration
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to client cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
// HTTP client // HTTP client
client *http.Client client *http.Client
// Response timeout
ResponseTimeout internal.Duration
} }
var sampleConfig = ` var sampleConfig = `
# An array of Nginx stub_status URI to gather stats. # An array of Nginx stub_status URI to gather stats.
urls = ["http://localhost/server_status"] urls = ["http://localhost/server_status"]
# TLS/SSL configuration ## Optional TLS Config
ssl_ca = "/etc/telegraf/ca.pem" tls_ca = "/etc/telegraf/ca.pem"
ssl_cert = "/etc/telegraf/cert.cer" tls_cert = "/etc/telegraf/cert.cer"
ssl_key = "/etc/telegraf/key.key" tls_key = "/etc/telegraf/key.key"
## Use TLS but skip chain & host verification
insecure_skip_verify = false insecure_skip_verify = false
# HTTP response timeout (default: 5s) # HTTP response timeout (default: 5s)
@ -87,8 +81,7 @@ func (n *Nginx) Gather(acc telegraf.Accumulator) error {
} }
func (n *Nginx) createHttpClient() (*http.Client, error) { func (n *Nginx) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
plugins/inputs/openldap/README.md
View File

@ -20,7 +20,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
insecure_skip_verify = false insecure_skip_verify = false
# Path to PEM-encoded Root certificate to use to verify server certificate # Path to PEM-encoded Root certificate to use to verify server certificate
ssl_ca = "/etc/ssl/certs.pem" tls_ca = "/etc/ssl/certs.pem"
# dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
bind_dn = "" bind_dn = ""

10
plugins/inputs/openldap/openldap.go
View File

@ -8,7 +8,7 @@ import (
"gopkg.in/ldap.v2" "gopkg.in/ldap.v2"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -36,7 +36,7 @@ const sampleConfig string = `
insecure_skip_verify = false insecure_skip_verify = false
# Path to PEM-encoded Root certificate to use to verify server certificate # Path to PEM-encoded Root certificate to use to verify server certificate
ssl_ca = "/etc/ssl/certs.pem" tls_ca = "/etc/ssl/certs.pem"
# dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
bind_dn = "" bind_dn = ""
@ -85,7 +85,11 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
var l *ldap.Conn var l *ldap.Conn
if o.Ssl != "" { if o.Ssl != "" {
// build tls config // build tls config
tlsConfig, err := internal.GetTLSConfig("", "", o.SslCa, o.InsecureSkipVerify) clientTLSConfig := tls.ClientConfig{
SSLCA: o.SslCa,
InsecureSkipVerify: o.InsecureSkipVerify,
}
tlsConfig, err := clientTLSConfig.TLSConfig()
if err != nil { if err != nil {
acc.AddError(err) acc.AddError(err)
return nil return nil

10
plugins/inputs/prometheus/README.md
View File

@ -20,11 +20,11 @@ in Prometheus format.
## Specify timeout duration for slower prometheus clients (default is 3s) ## Specify timeout duration for slower prometheus clients (default is 3s)
# response_timeout = "3s" # response_timeout = "3s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

23
plugins/inputs/prometheus/prometheus.go
View File

@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -30,14 +31,7 @@ type Prometheus struct {
ResponseTimeout internal.Duration `toml:"response_timeout"` ResponseTimeout internal.Duration `toml:"response_timeout"`
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client *http.Client client *http.Client
} }
@ -55,11 +49,11 @@ var sampleConfig = `
## Specify timeout duration for slower prometheus clients (default is 3s) ## Specify timeout duration for slower prometheus clients (default is 3s)
# response_timeout = "3s" # response_timeout = "3s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = /path/to/cafile # tls_ca = /path/to/cafile
# ssl_cert = /path/to/certfile # tls_cert = /path/to/certfile
# ssl_key = /path/to/keyfile # tls_key = /path/to/keyfile
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -167,8 +161,7 @@ var client = &http.Client{
} }
func (p *Prometheus) createHttpClient() (*http.Client, error) { func (p *Prometheus) createHttpClient() (*http.Client, error) {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := p.ClientConfig.TLSConfig()
p.SSLCert, p.SSLKey, p.SSLCA, p.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

10
plugins/inputs/rabbitmq/README.md
View File

@ -16,11 +16,11 @@ For additional details reference the [RabbitMQ Management HTTP Stats](https://cd
# username = "guest" # username = "guest"
# password = "guest" # password = "guest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional request timeouts ## Optional request timeouts

23
plugins/inputs/rabbitmq/rabbitmq.go
View File

@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/filter"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -37,14 +38,7 @@ type RabbitMQ struct {
Name string Name string
Username string Username string
Password string Password string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
ResponseHeaderTimeout internal.Duration `toml:"header_timeout"` ResponseHeaderTimeout internal.Duration `toml:"header_timeout"`
ClientTimeout internal.Duration `toml:"client_timeout"` ClientTimeout internal.Duration `toml:"client_timeout"`
@ -175,11 +169,11 @@ var sampleConfig = `
# username = "guest" # username = "guest"
# password = "guest" # password = "guest"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional request timeouts ## Optional request timeouts
@ -223,8 +217,7 @@ func (r *RabbitMQ) Description() string {
// Gather ... // Gather ...
func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error { func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error {
if r.Client == nil { if r.Client == nil {
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := r.ClientConfig.TLSConfig()
r.SSLCert, r.SSLKey, r.SSLCA, r.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

17
plugins/inputs/socket_listener/socket_listener.go
View File

@ -16,6 +16,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
"github.com/influxdata/telegraf/plugins/parsers" "github.com/influxdata/telegraf/plugins/parsers"
) )
@ -161,14 +162,12 @@ func (psl *packetSocketListener) listen() {
} }
type SocketListener struct { type SocketListener struct {
ServiceAddress string `toml:"service_address"` ServiceAddress string `toml:"service_address"`
MaxConnections int `toml:"max_connections"` MaxConnections int `toml:"max_connections"`
ReadBufferSize int `toml:"read_buffer_size"` ReadBufferSize int `toml:"read_buffer_size"`
ReadTimeout *internal.Duration `toml:"read_timeout"` ReadTimeout *internal.Duration `toml:"read_timeout"`
TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"` KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
TLSCert string `toml:"tls_cert"` tlsint.ServerConfig
TLSKey string `toml:"tls_key"`
KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
parsers.Parser parsers.Parser
telegraf.Accumulator telegraf.Accumulator
@ -259,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error {
l net.Listener l net.Listener
) )
tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts) tlsCfg, err := sl.ServerConfig.TLSConfig()
if err != nil { if err != nil {
return nil return nil
} }

16
plugins/inputs/socket_listener/socket_listener_test.go
View File

@ -9,12 +9,13 @@ import (
"testing" "testing"
"time" "time"
"github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
var pki = testutil.NewPKI("../../../testutil/pki")
// testEmptyLog is a helper function to ensure no data is written to log. // testEmptyLog is a helper function to ensure no data is written to log.
// Should be called at the start of the test, and returns a function which should run at the end. // Should be called at the start of the test, and returns a function which should run at the end.
func testEmptyLog(t *testing.T) func() { func testEmptyLog(t *testing.T) func() {
@ -32,16 +33,14 @@ func TestSocketListener_tcp_tls(t *testing.T) {
sl := newSocketListener() sl := newSocketListener()
sl.ServiceAddress = "tcp://127.0.0.1:0" sl.ServiceAddress = "tcp://127.0.0.1:0"
sl.TLSCert = "testdata/server.pem" sl.ServerConfig = *pki.TLSServerConfig()
sl.TLSKey = "testdata/server.key"
sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
err := sl.Start(acc) err := sl.Start(acc)
require.NoError(t, err) require.NoError(t, err)
defer sl.Stop() defer sl.Stop()
tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) tlsCfg, err := pki.TLSClientConfig().TLSConfig()
require.NoError(t, err) require.NoError(t, err)
secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg) secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg)
@ -55,16 +54,15 @@ func TestSocketListener_unix_tls(t *testing.T) {
sl := newSocketListener() sl := newSocketListener()
sl.ServiceAddress = "unix:///tmp/telegraf_test.sock" sl.ServiceAddress = "unix:///tmp/telegraf_test.sock"
sl.TLSCert = "testdata/server.pem" sl.ServerConfig = *pki.TLSServerConfig()
sl.TLSKey = "testdata/server.key"
sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
acc := &testutil.Accumulator{} acc := &testutil.Accumulator{}
err := sl.Start(acc) err := sl.Start(acc)
require.NoError(t, err) require.NoError(t, err)
defer sl.Stop() defer sl.Stop()
tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) tlsCfg, err := pki.TLSClientConfig().TLSConfig()
tlsCfg.InsecureSkipVerify = true
require.NoError(t, err) require.NoError(t, err)
secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg) secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg)

31
plugins/inputs/socket_listener/testdata/ca.pem vendored
View File

@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFVTCCAz2gAwIBAgIJAOhLvwv6zUf+MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG
A1UECgwEVGVzdDAeFw0xODA0MTcwNDIwNDZaFw0yMTAyMDQwNDIwNDZaMEExCzAJ
BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN
MAsGA1UECgwEVGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKwE
Xy814CDH03G3Fg2/XSpYZXVMzwp6oq/bUe3iLhkOpA6C4+j07AxAAa22qEPlvYkb
W7oxVJiL0ih1od2FeAxvroBTmjG54j/Syb8OeQsZaJLNp1rRmwYGBIVi284ScaIc
dn+2bfmfpSLjK3SbU5XygtwIE3gh/B7x02UJRNJmJ1faRT2CfTeg/56xnTE4bcR5
HRrlojoN5laJngowLWAEAvWljCR8oge+ciNYB3xoK8Hgc9+WgTy95G1RBCNkaFFI
73nrcHl6dGOH9UgIqfbHJYxNEarI3o/JAr8DIBS0W4r8r4aY4JQ4LoN3bg4mLHQq
THKkVW5hyBeWe47qmlL0m4F6/+mzVi95NAWG2BQDCZJAWJNc+PbSRHi81838m7ff
O4rixd/F53LUUas8/zVca3vtv+XjOHZzIQLIy1bM4MhzpHlRcSmS9kqxxZ3S70e3
ZIWFdM0iRrtlBbJeoHIJRDpgPRYIWdRc6XotljTTi6/lN4Bj/0NK4E3iONcDsscN
kiqEHRAWZ4ptCqdVPgYR0S096Fx6OaC3ASODE0Cjb18ylZQRsQi8TiYSihGzuoio
wJwSLdIifDbbSUkjT1384cA/HsOjFQ9xHXYa6cQnAg3TUZyG1lAMJyFWYke+rxmG
srfL/EtIzgbzmEOC5anQjA2pdgUO9Pk2SinJaMApAgMBAAGjUDBOMB0GA1UdDgQW
BBQNJctDLjj8bVKNCYANaOcboPQnmzAfBgNVHSMEGDAWgBQNJctDLjj8bVKNCYAN
aOcboPQnmzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQATSr26Kc8g
3l2zuccoKWM57DQcgRmzSYwEOKA2jn3FWmrAdwozEIkLaTK0OXz0zh2dZxh9V3GR
w0WFCynbGNy/9s33MSi+zIWJOU/MZvt6zGE5CTcTgZ+u5IZyvSubMkPcwQi3Yvcg
AHmWzpF42kT2J5C5MfrSU65hrhPX7hT/CUoV3gN7oxFzj+/ED4kgNorO8SUUJCmq
DJNFbjgsD63EhnvAhn1AeM35GmKdl2enEKqcZsRkE4ZLpU7ibrThEm1aOQuJUtHk
gDAx49QMdQpWnxWxnfoiwpLu7ufR7ls8O9oA8ZJux/SVHEmtkOdRsuMtY5MElFZg
dANlQsdFWDko4ixaxFYzppuPNnRlqjGNnaEFJrNc2KR0Dxgmp28Yh2VyLd4r3fLT
nLVBYF8KzFchUdXYYPNBXwAf/N52jGfugDx8snLxOfzxoUZ4y64qMCpYhntGgBJ1
Rrk2trcn3Dw19gi8p3ylbdoz/Ch1INDDrO35pd0bZpcwASc/UNU72W5v2kGL0H7o
nJzgtrqeHcoIzNBmBhHlMlnTF5GMfrYGsf5d30KyKv7UL6qJTvT641dpKpB/FFrk
y3AQbKmKRDI+aVzeOlwdy/eJAwt7FikD4bR9GZ4PBX9n9jd4u/PHZNfxtgzplqo1
oy7kJv0cB/vRKOblmn/vPUfTFtAX7M3GkQ==
-----END CERTIFICATE-----

27
plugins/inputs/socket_listener/testdata/client.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAmRuY+9Gg5V4e9hCd2mYek1jKeoaZijz89EPvox78XzoGdxPf
RoukUcTVS9VWN7HyJBjRA9P+KuHI9dX47skxyxH53uXZvRmGQAJBY4cE07JHvGkZ
eK1heXoWlBzYtivckha7bLBfn1ttAzcFCblUfJdzsn9XDuC4Jfn4oSaKn1o8Rzy1
KRvyLgvsYxMA/XzhyBzVMyoUOulye7EZx4f+AwSNmNHD4OgtxxPofrrMOtXZ2tC6
xNOexIZXbsB9dyrUW+4pWXYaadU7fl2V+arAJj+NVxV+3tmGGjmd1MiIypPx6BbP
g7xH20nJ/Y0U6V7gklZpYO1i84RbtR/kqBgi9QIDAQABAoIBAEONJJM+KyHnw/tG
246HbcgO7c7fYhDW1bgj3S/4NNsC6+VP1Dv40nftQzphFtgd37rDZDyvJL3gvlyQ
mnMoO5rgBIGuocHH6C6HkDgMUznft7zOFhnjTVVeY2XX0FmXwoqGEw1iR940ZUV8
2fEvXrJV1AsWGeALj9PZlTPsoE6rv5sUk9Lh3wCD73m7GSg7DzBRE+6bBze8Lmwn
ZzTvmimhgPJw8LR5rRpYbDbhAJLAfgA7/yPgYEPxA/ffry6Ba4epj8tVNUNOAcOf
PURF+uuIF7RceI2PkdvoNuQyVR5oxQUPUfidfVK5ClUmnHECSgb/FFnYC+nU2vSi
IAnmC6ECgYEAyrUFHyxxuIQAiinjBxa0OQ3ynvMxDnF/+zvWe8536Y61lz9dblKb
0xvFhpOEMfiG/zFdZdWJ+xdq7VQVNMHu4USoskG8sZs5zImMTu50kuDNln7xYqVf
SUuN1U7cp7JouI1qkZAOsytPfAgZN/83hLObd07lAvL44jKYaHVeMmkCgYEAwVxZ
wKXpboHwQawA+4ubsnZ36IlOk21/+FlGJiDg/LB643BS+QhgVNxuB2gL1gOCYkhl
6BBcIhWMvZOIIo5uwnv4fQ+WfFwntU9POFViZgbZvkitQtorB7MXc/NU2BDrNYx2
TBCiRn/9BaZ4fziW8I3Fx3xQ3rKDBXrexmrJQq0CgYEAvYGQYT12r47Qxlo0gcsL
AA/3E/y9jwgzItglQ6eZ2ULup5C4s0wNm8Zp2s+Mlf8HjgpDi9Gf5ptU/r1N+f2Y
awd6QvRMCSraVUr+Xkh1uV7rNNhGqPd75pT460OH7EtRtb+XsrAf3gcOjyEvGnfC
GpCjNl4OobwvS6ELdRTM1IkCgYAHUGX4uo3k5zdeVJJI8ZP3ITIR8retLfQsQbw8
jvvTsx1C4ynQT7fNHfVvhEkGVGWnMBPivlOt2mDTfvQkUnzwEF5q5J8NnzLFUfWu
LNSnBVVRNFCRec0s4mJduXOZJLKw+No0sGBjCE5a21wte8eB2+sCS7qHYftAxtAM
c1eflQKBgQDGTFsMvpM8BEPTreinTllFBdjeYchcdY/Ov9DZ3mMVopjAWRD81MKM
zM1RCqwLkgv9FvF79B1FLJ1Inr8e/XIGdcrhE1a4sZdIWdqTWQ4xFrlDgxCquq66
da09WVBRdvq2kVLAMaBViH2/GP1G4ZV9a8+JHuWKj+Arrr52Qeazjw==
-----END RSA PRIVATE KEY-----

24
plugins/inputs/socket_listener/testdata/client.pem vendored
View File

@ -1,24 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM
BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG
EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT
30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp
GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8
tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ
usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW
z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF
AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj
YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa
2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv
H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN
3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r
Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q
ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv
MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc
8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g
AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv
o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s=
-----END CERTIFICATE-----

27
plugins/inputs/socket_listener/testdata/server.key vendored
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzkEDLijGOqXNQPAqUjOz5TLuM28SENauknLtcfIyEN/N6PwZ
re5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7HQz8lAKniir2ZH+axkjp5LUE6vYJd
I1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLhN5waKR86jpQaNkfnI7/4U3yrlymK
yaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1urYyiRbju2iL9YmtSM72yWXvFsD1O
I4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U35xG597M031WmR5o67rc63sqs+Q//
V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQWVQIDAQABAoIBAHFxFJy41H7BXulO
rxhTU6jGoHktqBQW4CGwkKTRf3QEhK6WqlEd8Y5eKzZgL1q1HLPSehEyPCYCUjpT
EgxlhLeZ7XI1/mIs8iG3swconimj7Pj60Nt0dqq1njWRJYQsKua0Kw1m0B+rVKBy
+qKRxondlA32HTD6iIg+eAUTuzO/KzimZcyL9hiT/g6aN9k0H5+qURi8dO7VV8fD
zvP8Y+oOGLwW2ccp+ZjFQizjTOkL4lgldr0hsGQXZJNHL94fA7jPdAxAUbnTicMJ
oXM++L3eCwIVabipGxxlqCMj9Dn8yfbQvRGzP2e76QDeROYZHX4osH6vLcZEjx9i
tJ4J+ekCgYEA82kKzkSKmFo4gZxnqAywlfZ2X2PADuMmHdqdiDFwt54orlMlKf/b
wVSvN/djLXwvFHuyzFmJeMFSHKFkYVTOsh8kPSETAIGkcJEMHD3viYn7DwjkQudY
vB/FpBWSiDT0T7qDUCzW3iMbx/JvTUSp7uO4ZuwOu6t6v3PEZwIChQ8CgYEA2Ov9
FXHmm7sS54HgvZd6Wk8zLMLIDnyMmECjtYOasJ9c40yQHpRlXsb+Dzn/2xhMMwth
Bln2hIiJ/e+G0bzFu4x0cItRPOQeRNyz5Pal8EsATeUwcX4KRKOZaUpDkV6XV1L0
r/HSk/wed+90B74sGoJY1qsFflOATIUVs7SIllsCgYEAwhGSB/sl9WqZet1U1+um
LyqeHlfNnREGJu9Sgm/Iyt1S2gp4qw/QCkiWmyym6nEEqHQnjj4lGR4pdaJIAkI3
ulSR9BsWp2S10voSicHn5eUZQld4hs8lNHiwf66jce2mjJrMb3QQrHOZhsWIcDa6
tjjhoU28QWzrJRIMGYTEtYkCgYA17NSJlDsj06mra5oXB6Ue9jlekz1wfH3nC4qn
AQRfi/5ncw0QzQs2OHnIBz8XlD69IcMI9SxXXioPuo/la+wr54q6v6d+X6c2rzb5
YGd4CO0WcDdOv2qGDbWBezi41q8AwlqZsqAKsc5ROnG5ywjjviufkfxXnyJx41O1
zNd3qQKBgGEy+EwUXD5iGeQxdCDnd6iVu14SoBscHO5SpIeDu3DIhnu+7gPq2VMg
Vp9j/iNVtEA3HyYCOeXc2rz9Di1wwt3YijED4birLAkC5YW6YB9rmLMfCNc1EyLh
BKAkUQN3D+XCN4pXdbKvbkOcfYRUHoD+pPBjRYH020OtPBUc6Wkl
-----END RSA PRIVATE KEY-----

25
plugins/inputs/socket_listener/testdata/server.pem vendored
View File

@ -1,25 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEJjCCAg4CCQCmcronmMSqXDANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM
BFRlc3QwHhcNMTgwNDE3MDQyNDAwWhcNNDUwOTAyMDQyNDAwWjBpMQswCQYDVQQG
EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJMTI3LjAuMC4x
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkEDLijGOqXNQPAqUjOz
5TLuM28SENauknLtcfIyEN/N6PwZre5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7H
Qz8lAKniir2ZH+axkjp5LUE6vYJdI1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLh
N5waKR86jpQaNkfnI7/4U3yrlymKyaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1u
rYyiRbju2iL9YmtSM72yWXvFsD1OI4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U3
5xG597M031WmR5o67rc63sqs+Q//V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQW
VQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCVgzqFrehoRAMFLMEL8avfokYtsSYc
50Yug4Es0ISo/PRWGeUnv8k1inyE3Y1iR/gbN5n/yjLXJKEflan6BuqGuukfr2eA
fRdDCyPvzQLABdxCx2n6ByQFxj92z82tizf35R2OMuHHWzTckta+7s5EvxwIiUsd
rUuXp+0ltJzlYYW9xTGFiJO9hAbRgMgZiwL8F7ayic8GmLQ1eRK/DfKDCOH3afeX
MNN5FulgjqNyhXHF33vwgIJynGDg2JEhkWjB1DkUAxll0+SMQoYyVGZVrQSGbGw1
JhOLc8C8bTzfK3qcJDuyldvjiut+To+lpu76R0u0+sn+wxQFL1uCWuAbMJgGsJgM
ARavu2XDeae9X+e8MgJuN1FYS3tihBplPjMJD3UYRybRvHAvQh26BZ7Ch3JNSNST
AL2l5T7JKU+XaWWeo+crV+AnGIJyqyh9Su/n97PEoZoEMGH4Kcl/n/w2Jms60+5s
K0FK2OGNL42ddUfQiVL9CwYQQo70hydjsIo1x8S6+tSFLMAAysQEToSjfAA6qxDu
fgGVMuIYHo0rSkpTVsHVwru08Z5o4m+XDAK0iHalZ4knKsO0lJ+9l7vFnQHlzwt7
JTjDhnyOKWPIANeWf3PrHPWE7kKpFVBqFBzOvWLJuxDu5NlgLo1PFahsahTqB9bz
qwUyMg/oYWnwqw==
-----END CERTIFICATE-----

10
plugins/inputs/tomcat/README.md
View File

@ -19,11 +19,11 @@ See the [Tomcat documentation](https://tomcat.apache.org/tomcat-9.0-doc/manager-
## Request timeout ## Request timeout
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```

20
plugins/inputs/tomcat/tomcat.go
View File

@ -10,6 +10,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -63,11 +64,7 @@ type Tomcat struct {
Username string Username string
Password string Password string
Timeout internal.Duration Timeout internal.Duration
tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool
client *http.Client client *http.Client
request *http.Request request *http.Request
@ -84,11 +81,11 @@ var sampleconfig = `
## Request timeout ## Request timeout
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -191,8 +188,7 @@ func (s *Tomcat) Gather(acc telegraf.Accumulator) error {
} }
func (s *Tomcat) createHttpClient() (*http.Client, error) { func (s *Tomcat) createHttpClient() (*http.Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := s.ClientConfig.TLSConfig()
s.SSLCert, s.SSLKey, s.SSLCA, s.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

8
plugins/inputs/zookeeper/README.md
View File

@ -18,11 +18,11 @@ The zookeeper plugin collects variables outputted from the 'mntr' command
## Timeout for metric collections from all servers. Minimum timeout is "1s". ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# enable_ssl = true # enable_ssl = true
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
``` ```

24
plugins/inputs/zookeeper/zookeeper.go
View File

@ -13,6 +13,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
) )
@ -21,11 +22,9 @@ type Zookeeper struct {
Servers []string Servers []string
Timeout internal.Duration Timeout internal.Duration
EnableSSL bool `toml:"enable_ssl"` EnableTLS bool `toml:"enable_tls"`
SSLCA string `toml:"ssl_ca"` EnableSSL bool `toml:"enable_ssl"` // deprecated in 1.7; use enable_tls
SSLCert string `toml:"ssl_cert"` tlsint.ClientConfig
SSLKey string `toml:"ssl_key"`
InsecureSkipVerify bool `toml:"insecure_skip_verify"`
initialized bool initialized bool
tlsConfig *tls.Config tlsConfig *tls.Config
@ -42,11 +41,11 @@ var sampleConfig = `
## Timeout for metric collections from all servers. Minimum timeout is "1s". ## Timeout for metric collections from all servers. Minimum timeout is "1s".
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# enable_ssl = true # enable_tls = true
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## If false, skip chain & host verification ## If false, skip chain & host verification
# insecure_skip_verify = true # insecure_skip_verify = true
` `
@ -65,7 +64,7 @@ func (z *Zookeeper) Description() string {
func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) { func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) {
var dialer net.Dialer var dialer net.Dialer
if z.EnableSSL { if z.EnableTLS || z.EnableSSL {
deadline, ok := ctx.Deadline() deadline, ok := ctx.Deadline()
if ok { if ok {
dialer.Deadline = deadline dialer.Deadline = deadline
@ -81,8 +80,7 @@ func (z *Zookeeper) Gather(acc telegraf.Accumulator) error {
ctx := context.Background() ctx := context.Background()
if !z.initialized { if !z.initialized {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := z.ClientConfig.TLSConfig()
z.SSLCert, z.SSLKey, z.SSLCA, z.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/outputs/amqp/README.md
View File

@ -42,11 +42,11 @@ For an introduction to AMQP see:
## to 5s. 0s means no timeout (not recommended). ## to 5s. 0s means no timeout (not recommended).
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.

23
plugins/outputs/amqp/amqp.go
View File

@ -10,6 +10,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -43,14 +44,7 @@ type AMQP struct {
// Valid options are "transient" and "persistent". default: "transient" // Valid options are "transient" and "persistent". default: "transient"
DeliveryMode string DeliveryMode string
// Path to CA file tls.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
sync.Mutex sync.Mutex
c *client c *client
@ -99,11 +93,11 @@ var sampleConfig = `
## to 5s. 0s means no timeout (not recommended). ## to 5s. 0s means no timeout (not recommended).
# timeout = "5s" # timeout = "5s"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -137,8 +131,7 @@ func (q *AMQP) Connect() error {
var connection *amqp.Connection var connection *amqp.Connection
// make new tls config // make new tls config
tls, err := internal.GetTLSConfig( tls, err := q.ClientConfig.TLSConfig()
q.SSLCert, q.SSLKey, q.SSLCA, q.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

12
plugins/outputs/elasticsearch/README.md
View File

@ -180,11 +180,11 @@ This plugin will format the events in the following way:
# default_tag_value = "none" # default_tag_value = "none"
index_name = "telegraf-%Y.%m.%d" # required. index_name = "telegraf-%Y.%m.%d" # required.
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Template Config ## Template Config
@ -230,4 +230,4 @@ Integer values collected that are bigger than 2^63 and smaller than 1e21 (or in
The correct field mapping will be created on the telegraf index as soon as a supported JSON value is received by Elasticsearch, and subsequent insertions will work because the field mapping will already exist. The correct field mapping will be created on the telegraf index as soon as a supported JSON value is received by Elasticsearch, and subsequent insertions will work because the field mapping will already exist.
This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment.

21
plugins/outputs/elasticsearch/elasticsearch.go
View File

@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"gopkg.in/olivere/elastic.v5" "gopkg.in/olivere/elastic.v5"
) )
@ -28,11 +29,9 @@ type Elasticsearch struct {
ManageTemplate bool ManageTemplate bool
TemplateName string TemplateName string
OverwriteTemplate bool OverwriteTemplate bool
SSLCA string `toml:"ssl_ca"` // Path to CA file tls.ClientConfig
SSLCert string `toml:"ssl_cert"` // Path to host cert file
SSLKey string `toml:"ssl_key"` // Path to cert key file Client *elastic.Client
InsecureSkipVerify bool // Use SSL but skip chain & host verification
Client *elastic.Client
} }
var sampleConfig = ` var sampleConfig = `
@ -69,11 +68,11 @@ var sampleConfig = `
# default_tag_value = "none" # default_tag_value = "none"
index_name = "telegraf-%Y.%m.%d" # required. index_name = "telegraf-%Y.%m.%d" # required.
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Template Config ## Template Config
@ -96,7 +95,7 @@ func (a *Elasticsearch) Connect() error {
var clientOptions []elastic.ClientOptionFunc var clientOptions []elastic.ClientOptionFunc
tlsCfg, err := internal.GetTLSConfig(a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) tlsCfg, err := a.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }

42
plugins/outputs/graphite/README.md
View File

@ -20,42 +20,10 @@ via raw TCP.
## timeout in seconds for the write connection to graphite ## timeout in seconds for the write connection to graphite
timeout = 2 timeout = 2
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
``` ```
Parameters:
Servers []string
Prefix string
Timeout int
Template string
// Path to CA file
SSLCA string
// Path to host cert file
SSLCert string
// Path to cert key file
SSLKey string
// Skip SSL verification
InsecureSkipVerify bool
### Required parameters:
* `servers`: List of strings, ["mygraphiteserver:2003"].
* `prefix`: String use to prefix all sent metrics.
* `timeout`: Connection timeout in seconds.
* `template`: Template for graphite output format, see
https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md
for more details.
### Optional parameters:
* `ssl_ca`: SSL CA
* `ssl_cert`: SSL CERT
* `ssl_key`: SSL key
* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false)

33
plugins/outputs/graphite/graphite.go
View File

@ -10,7 +10,7 @@ import (
"time" "time"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
@ -22,18 +22,7 @@ type Graphite struct {
Template string Template string
Timeout int Timeout int
conns []net.Conn conns []net.Conn
tlsint.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Skip SSL verification
InsecureSkipVerify bool
// tls config
tlsConfig *tls.Config
} }
var sampleConfig = ` var sampleConfig = `
@ -49,11 +38,11 @@ var sampleConfig = `
## timeout in seconds for the write connection to graphite ## timeout in seconds for the write connection to graphite
timeout = 2 timeout = 2
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
` `
@ -67,9 +56,7 @@ func (g *Graphite) Connect() error {
} }
// Set tls config // Set tls config
var err error tlsConfig, err := g.ClientConfig.TLSConfig()
g.tlsConfig, err = internal.GetTLSConfig(
g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }
@ -82,8 +69,8 @@ func (g *Graphite) Connect() error {
// Get secure connection if tls config is set // Get secure connection if tls config is set
var conn net.Conn var conn net.Conn
if g.tlsConfig != nil { if tlsConfig != nil {
conn, err = tls.DialWithDialer(&d, "tcp", server, g.tlsConfig) conn, err = tls.DialWithDialer(&d, "tcp", server, tlsConfig)
} else { } else {
conn, err = d.Dial("tcp", server) conn, err = d.Dial("tcp", server)
} }

10
plugins/outputs/influxdb/README.md
View File

@ -44,11 +44,11 @@ This InfluxDB output plugin writes metrics to the [InfluxDB](https://github.com/
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment

24
plugins/outputs/influxdb/influxdb.go
View File

@ -11,6 +11,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers/influx" "github.com/influxdata/telegraf/plugins/serializers/influx"
) )
@ -46,15 +47,7 @@ type InfluxDB struct {
ContentEncoding string `toml:"content_encoding"` ContentEncoding string `toml:"content_encoding"`
SkipDatabaseCreation bool `toml:"skip_database_creation"` SkipDatabaseCreation bool `toml:"skip_database_creation"`
InfluxUintSupport bool `toml:"influx_uint_support"` InfluxUintSupport bool `toml:"influx_uint_support"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
Precision string // precision deprecated in 1.0; value is ignored Precision string // precision deprecated in 1.0; value is ignored
@ -104,11 +97,11 @@ var sampleConfig = `
## UDP payload size is the maximum packet size to send. ## UDP payload size is the maximum packet size to send.
# udp_payload = 512 # udp_payload = 512
## Optional SSL Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## HTTP Proxy override, if unset values the standard proxy environment ## HTTP Proxy override, if unset values the standard proxy environment
@ -245,8 +238,7 @@ func (i *InfluxDB) udpClient(url *url.URL) (Client, error) {
} }
func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) { func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) {
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := i.ClientConfig.TLSConfig()
i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

7
plugins/outputs/influxdb/influxdb_test.go
View File

@ -8,6 +8,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/metric" "github.com/influxdata/telegraf/metric"
"github.com/influxdata/telegraf/plugins/outputs/influxdb" "github.com/influxdata/telegraf/plugins/outputs/influxdb"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -104,8 +105,10 @@ func TestConnectHTTPConfig(t *testing.T) {
HTTPHeaders: map[string]string{ HTTPHeaders: map[string]string{
"x": "y", "x": "y",
}, },
ContentEncoding: "gzip", ContentEncoding: "gzip",
InsecureSkipVerify: true, ClientConfig: tls.ClientConfig{
InsecureSkipVerify: true,
},
CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) { CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) {
actual = config actual = config

10
plugins/outputs/kafka/README.md
View File

@ -68,11 +68,11 @@ This plugin writes to a [Kafka Broker](http://kafka.apache.org/07/quickstart.htm
## until the next flush. ## until the next flush.
# max_retry = 3 # max_retry = 3
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config

33
plugins/outputs/kafka/kafka.go
View File

@ -6,7 +6,7 @@ import (
"strings" "strings"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -36,7 +36,7 @@ type (
// MaxRetry Tag // MaxRetry Tag
MaxRetry int MaxRetry int
// Legacy SSL config options // Legacy TLS config options
// TLS client certificate // TLS client certificate
Certificate string Certificate string
// TLS client key // TLS client key
@ -44,15 +44,7 @@ type (
// TLS certificate authority // TLS certificate authority
CA string CA string
// Path to CA file tlsint.ClientConfig
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Skip SSL verification
InsecureSkipVerify bool
// SASL Username // SASL Username
SASLUsername string `toml:"sasl_username"` SASLUsername string `toml:"sasl_username"`
@ -135,11 +127,11 @@ var sampleConfig = `
## until the next flush. ## until the next flush.
# max_retry = 3 # max_retry = 3
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Optional SASL Config ## Optional SASL Config
@ -201,13 +193,12 @@ func (k *Kafka) Connect() error {
// Legacy support ssl config // Legacy support ssl config
if k.Certificate != "" { if k.Certificate != "" {
k.SSLCert = k.Certificate k.TLSCert = k.Certificate
k.SSLCA = k.CA k.TLSCA = k.CA
k.SSLKey = k.Key k.TLSKey = k.Key
} }
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := k.ClientConfig.TLSConfig()
k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

18
plugins/outputs/mqtt/README.md
View File

@ -22,12 +22,12 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt
## Timeout for write operations. default: 5s ## Timeout for write operations. default: 5s
# timeout = "5s" # timeout = "5s"
## Optional SSL Config
# ssl_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Optional TLS Config
# tls_ca = "/etc/telegraf/ca.pem"
# tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -45,8 +45,8 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt
* `password`: The password to connect MQTT server. * `password`: The password to connect MQTT server.
* `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated. * `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated.
* `timeout`: Timeout for write operations. default: 5s * `timeout`: Timeout for write operations. default: 5s
* `ssl_ca`: SSL CA * `tls_ca`: TLS CA
* `ssl_cert`: SSL CERT * `tls_cert`: TLS CERT
* `ssl_key`: SSL key * `tls_key`: TLS key
* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) * `insecure_skip_verify`: Use TLS but skip chain & host verification (default: false)
* `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md) * `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md)

24
plugins/outputs/mqtt/mqtt.go
View File

@ -8,6 +8,7 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
"github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
@ -32,11 +33,11 @@ var sampleConfig = `
## client ID, if not set a random ID is generated ## client ID, if not set a random ID is generated
# client_id = "" # client_id = ""
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -55,15 +56,7 @@ type MQTT struct {
TopicPrefix string TopicPrefix string
QoS int `toml:"qos"` QoS int `toml:"qos"`
ClientID string `toml:"client_id"` ClientID string `toml:"client_id"`
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
client paho.Client client paho.Client
opts *paho.ClientOptions opts *paho.ClientOptions
@ -174,8 +167,7 @@ func (m *MQTT) createOpts() (*paho.ClientOptions, error) {
opts.SetClientID("Telegraf-Output-" + internal.RandomString(5)) opts.SetClientID("Telegraf-Output-" + internal.RandomString(5))
} }
tlsCfg, err := internal.GetTLSConfig( tlsCfg, err := m.ClientConfig.TLSConfig()
m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
if err != nil { if err != nil {
return nil, err return nil, err
} }

25
plugins/outputs/nats/nats.go
View File

@ -6,7 +6,7 @@ import (
nats_client "github.com/nats-io/nats" nats_client "github.com/nats-io/nats"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
@ -19,15 +19,7 @@ type NATS struct {
Password string Password string
// NATS subject to publish metrics to // NATS subject to publish metrics to
Subject string Subject string
tls.ClientConfig
// Path to CA file
SSLCA string `toml:"ssl_ca"`
// Path to host cert file
SSLCert string `toml:"ssl_cert"`
// Path to cert key file
SSLKey string `toml:"ssl_key"`
// Use SSL but skip chain & host verification
InsecureSkipVerify bool
conn *nats_client.Conn conn *nats_client.Conn
serializer serializers.Serializer serializer serializers.Serializer
@ -42,11 +34,11 @@ var sampleConfig = `
## NATS subject for producer messages ## NATS subject for producer messages
subject = "telegraf" subject = "telegraf"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Data format to output. ## Data format to output.
@ -79,8 +71,7 @@ func (n *NATS) Connect() error {
} }
// override TLS, if it was specified // override TLS, if it was specified
tlsConfig, err := internal.GetTLSConfig( tlsConfig, err := n.ClientConfig.TLSConfig()
n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
if err != nil { if err != nil {
return err return err
} }

10
plugins/outputs/socket_writer/README.md
View File

@ -19,11 +19,11 @@ It can output data in any of the [supported output formats](https://github.com/i
# address = "unix:///tmp/telegraf.sock" # address = "unix:///tmp/telegraf.sock"
# address = "unixgram:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Period between keep alive probes. ## Period between keep alive probes.

22
plugins/outputs/socket_writer/socket_writer.go
View File

@ -10,17 +10,15 @@ import (
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal"
tlsint "github.com/influxdata/telegraf/internal/tls"
"github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/outputs"
"github.com/influxdata/telegraf/plugins/serializers" "github.com/influxdata/telegraf/plugins/serializers"
) )
type SocketWriter struct { type SocketWriter struct {
Address string Address string
KeepAlivePeriod *internal.Duration KeepAlivePeriod *internal.Duration
SSLCA string tlsint.ClientConfig
SSLCert string
SSLKey string
InsecureSkipVerify bool
serializers.Serializer serializers.Serializer
@ -45,11 +43,11 @@ func (sw *SocketWriter) SampleConfig() string {
# address = "unix:///tmp/telegraf.sock" # address = "unix:///tmp/telegraf.sock"
# address = "unixgram:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock"
## Optional SSL Config ## Optional TLS Config
# ssl_ca = "/etc/telegraf/ca.pem" # tls_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem" # tls_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem" # tls_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification ## Use TLS but skip chain & host verification
# insecure_skip_verify = false # insecure_skip_verify = false
## Period between keep alive probes. ## Period between keep alive probes.
@ -76,7 +74,7 @@ func (sw *SocketWriter) Connect() error {
return fmt.Errorf("invalid address: %s", sw.Address) return fmt.Errorf("invalid address: %s", sw.Address)
} }
tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) tlsCfg, err := sw.ClientConfig.TLSConfig()
if err != nil { if err != nil {
return err return err
} }

12
testutil/pki/cacert.pem Normal file
View File

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw
NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR
rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/
X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID
AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF
AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK
Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ
C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw==
-----END CERTIFICATE-----

16
testutil/pki/cakey.pem Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60
1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr
JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA
r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V
hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD
CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564
yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga
YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl
LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5
gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm
tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj
7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw
+WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh
WyxmGkbTDelSG20=
-----END PRIVATE KEY-----

13
testutil/pki/clientcert.pem Normal file
View File

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
-----END CERTIFICATE-----

15
testutil/pki/clientkey.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI
E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX
ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB
AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC
yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+
ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F
Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo
wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD
dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL
fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ
POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx
k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG
uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w=
-----END RSA PRIVATE KEY-----

13
testutil/pki/servercert.pem Normal file
View File

@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D
L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij
ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw
STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E
BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM
ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP
JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L
Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY=
-----END CERTIFICATE-----

15
testutil/pki/serverkey.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37
uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y
j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB
AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl
9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O
hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ
6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4
4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8
fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt
2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi
7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ
Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs
pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue
-----END RSA PRIVATE KEY-----

18
scripts/tls-certs.sh → testutil/pki/tls-certs.sh
View File

@ -46,21 +46,31 @@ keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ] [ client_ca_extensions ]
basicConstraints = CA:false basicConstraints = CA:false
keyUsage = digitalSignature keyUsage = digitalSignature
subjectAltName = @client_alt_names
extendedKeyUsage = 1.3.6.1.5.5.7.3.2 extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ client_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
[ server_ca_extensions ] [ server_ca_extensions ]
basicConstraints = CA:false basicConstraints = CA:false
keyUsage = keyEncipherment subjectAltName = @server_alt_names
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.1 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ server_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF EOF
openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes && openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes &&
# Create server keypair # Create server keypair
openssl genrsa -out ./private/serverkey.pem 1024 && openssl genrsa -out ./private/serverkey.pem 1024 &&
openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" && openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" &&
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions && openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
# Create client keypair # Create client keypair
openssl genrsa -out ./private/clientkey.pem 1024 && openssl genrsa -out ./private/clientkey.pem 1024 &&
openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" && openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" &&
openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions

86
testutil/tls.go Normal file
View File

@ -0,0 +1,86 @@
package testutil
import (
"fmt"
"io/ioutil"
"os"
"path"
"github.com/influxdata/telegraf/internal/tls"
)
type pki struct {
path string
}
func NewPKI(path string) *pki {
return &pki{path: path}
}
func (p *pki) TLSClientConfig() *tls.ClientConfig {
return &tls.ClientConfig{
TLSCA: p.CACertPath(),
TLSCert: p.ClientCertPath(),
TLSKey: p.ClientKeyPath(),
}
}
func (p *pki) TLSServerConfig() *tls.ServerConfig {
return &tls.ServerConfig{
TLSAllowedCACerts: []string{p.CACertPath()},
TLSCert: p.ServerCertPath(),
TLSKey: p.ServerKeyPath(),
}
}
func (p *pki) ReadCACert() string {
return readCertificate(p.CACertPath())
}
func (p *pki) CACertPath() string {
return path.Join(p.path, "cacert.pem")
}
func (p *pki) ReadClientCert() string {
return readCertificate(p.ClientCertPath())
}
func (p *pki) ClientCertPath() string {
return path.Join(p.path, "clientcert.pem")
}
func (p *pki) ReadClientKey() string {
return readCertificate(p.ClientKeyPath())
}
func (p *pki) ClientKeyPath() string {
return path.Join(p.path, "clientkey.pem")
}
func (p *pki) ReadServerCert() string {
return readCertificate(p.ServerCertPath())
}
func (p *pki) ServerCertPath() string {
return path.Join(p.path, "servercert.pem")
}
func (p *pki) ReadServerKey() string {
return readCertificate(p.ServerKeyPath())
}
func (p *pki) ServerKeyPath() string {
return path.Join(p.path, "serverkey.pem")
}
func readCertificate(filename string) string {
file, err := os.Open(filename)
if err != nil {
panic(fmt.Sprintf("opening %q: %v", filename, err))
}
octets, err := ioutil.ReadAll(file)
if err != nil {
panic(fmt.Sprintf("reading %q: %v", filename, err))
}
return string(octets)
}