Add TLS and http basic_auth to prometheus_client output (#3719)

This commit is contained in:
Philipp Weber 2018-02-01 20:12:16 +01:00 committed by Daniel Nelson
parent ec8e923fda
commit a2635573a8
2 changed files with 51 additions and 7 deletions

View File

@ -10,6 +10,14 @@ This plugin starts a [Prometheus](https://prometheus.io/) Client, it exposes all
# Address to listen on # Address to listen on
listen = ":9273" listen = ":9273"
# Use TLS
tls_cert = "/etc/ssl/telegraf.crt"
tls_key = "/etc/ssl/telegraf.key"
# Use http basic authentication
basic_username = "Foo"
basic_password = "Bar"
# Path to publish the metrics on, defaults to /metrics # Path to publish the metrics on, defaults to /metrics
path = "/metrics" path = "/metrics"

View File

@ -2,6 +2,7 @@ package prometheus_client
import ( import (
"context" "context"
"crypto/subtle"
"fmt" "fmt"
"log" "log"
"net/http" "net/http"
@ -53,6 +54,10 @@ type MetricFamily struct {
type PrometheusClient struct { type PrometheusClient struct {
Listen string Listen string
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
BasicUsername string `toml:"basic_username"`
BasicPassword string `toml:"basic_password"`
ExpirationInterval internal.Duration `toml:"expiration_interval"` ExpirationInterval internal.Duration `toml:"expiration_interval"`
Path string `toml:"path"` Path string `toml:"path"`
CollectorsExclude []string `toml:"collectors_exclude"` CollectorsExclude []string `toml:"collectors_exclude"`
@ -70,6 +75,14 @@ var sampleConfig = `
## Address to listen on ## Address to listen on
# listen = ":9273" # listen = ":9273"
## Use TLS
#tls_cert = "/etc/ssl/telegraf.crt"
#tls_key = "/etc/ssl/telegraf.key"
## Use http basic authentication
#basic_username = "Foo"
#basic_password = "Bar"
## Interval to expire metrics and not deliver to prometheus, 0 == no expiration ## Interval to expire metrics and not deliver to prometheus, 0 == no expiration
# expiration_interval = "60s" # expiration_interval = "60s"
@ -78,6 +91,24 @@ var sampleConfig = `
collectors_exclude = ["gocollector", "process"] collectors_exclude = ["gocollector", "process"]
` `
func (p *PrometheusClient) basicAuth(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if p.BasicUsername != "" && p.BasicPassword != "" {
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
username, password, ok := r.BasicAuth()
if !ok ||
subtle.ConstantTimeCompare([]byte(username), []byte(p.BasicUsername)) != 1 ||
subtle.ConstantTimeCompare([]byte(password), []byte(p.BasicPassword)) != 1 {
http.Error(w, "Not authorized", 401)
return
}
}
h.ServeHTTP(w, r)
})
}
func (p *PrometheusClient) Start() error { func (p *PrometheusClient) Start() error {
defaultCollectors := map[string]bool{ defaultCollectors := map[string]bool{
"gocollector": true, "gocollector": true,
@ -110,8 +141,8 @@ func (p *PrometheusClient) Start() error {
} }
mux := http.NewServeMux() mux := http.NewServeMux()
mux.Handle(p.Path, promhttp.HandlerFor( mux.Handle(p.Path, p.basicAuth(promhttp.HandlerFor(
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})) registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))
p.server = &http.Server{ p.server = &http.Server{
Addr: p.Listen, Addr: p.Listen,
@ -119,13 +150,18 @@ func (p *PrometheusClient) Start() error {
} }
go func() { go func() {
if err := p.server.ListenAndServe(); err != nil { var err error
if err != http.ErrServerClosed { if p.TLSCert != "" && p.TLSKey != "" {
log.Printf("E! Error creating prometheus metric endpoint, err: %s\n", err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey)
err.Error()) } else {
} err = p.server.ListenAndServe()
}
if err != nil && err != http.ErrServerClosed {
log.Printf("E! Error creating prometheus metric endpoint, err: %s\n",
err.Error())
} }
}() }()
return nil return nil
} }