From de355b76d6697f42336b9ac9df09c78697d711dc Mon Sep 17 00:00:00 2001 
From: Daniel Nelson Date: Fri, 4 May 2018 16:33:23 -0700 Subject: [PATCH] Simplify testing with TLS (#4095) --- CHANGELOG.md | 4 + etc/telegraf.conf | 335 +++++++++--------- internal/internal.go | 92 ----- internal/tls/config.go | 130 +++++++ internal/tls/config_test.go | 226 ++++++++++++ plugins/inputs/amqp_consumer/README.md | 10 +- plugins/inputs/amqp_consumer/amqp_consumer.go | 24 +- plugins/inputs/apache/README.md | 10 +- plugins/inputs/apache/apache.go | 23 +- plugins/inputs/consul/README.md | 10 +- plugins/inputs/consul/consul.go | 26 +- plugins/inputs/dcos/README.md | 8 +- plugins/inputs/dcos/client_test.go | 19 +- plugins/inputs/dcos/dcos.go | 18 +- plugins/inputs/docker/README.md | 10 +- plugins/inputs/docker/docker.go | 19 +- plugins/inputs/elasticsearch/README.md | 10 +- plugins/inputs/elasticsearch/elasticsearch.go | 42 +-- plugins/inputs/graylog/README.md | 10 +- plugins/inputs/graylog/graylog.go | 25 +- plugins/inputs/haproxy/README.md | 10 +- plugins/inputs/haproxy/haproxy.go | 30 +- plugins/inputs/http/README.md | 10 +- plugins/inputs/http/http.go | 24 +- plugins/inputs/http_listener/http_listener.go | 45 +-- .../http_listener/http_listener_test.go | 154 +------- plugins/inputs/http_response/README.md | 10 +- plugins/inputs/http_response/http_response.go | 24 +- plugins/inputs/httpjson/README.md | 10 +- plugins/inputs/httpjson/httpjson.go | 24 +- plugins/inputs/influxdb/README.md | 10 +- plugins/inputs/influxdb/influxdb.go | 26 +- plugins/inputs/jolokia2/README.md | 16 +- plugins/inputs/jolokia2/client.go | 19 +- plugins/inputs/jolokia2/jolokia_agent.go | 25 +- plugins/inputs/jolokia2/jolokia_proxy.go | 33 +- plugins/inputs/kafka_consumer/README.md | 10 +- .../inputs/kafka_consumer/kafka_consumer.go | 24 +- plugins/inputs/kapacitor/README.md | 10 +- plugins/inputs/kapacitor/kapacitor.go | 27 +- plugins/inputs/kubernetes/kubernetes.go | 24 +- plugins/inputs/mesos/README.md | 10 +- plugins/inputs/mesos/mesos.go | 25 +- 
plugins/inputs/mongodb/README.md | 10 +- plugins/inputs/mongodb/mongodb.go | 27 +- plugins/inputs/mqtt_consumer/README.md | 10 +- plugins/inputs/mqtt_consumer/mqtt_consumer.go | 24 +- plugins/inputs/mysql/README.md | 8 +- plugins/inputs/mysql/mysql.go | 18 +- plugins/inputs/nginx/README.md | 10 +- plugins/inputs/nginx/nginx.go | 29 +- plugins/inputs/openldap/README.md | 2 +- plugins/inputs/openldap/openldap.go | 10 +- plugins/inputs/prometheus/README.md | 10 +- plugins/inputs/prometheus/prometheus.go | 23 +- plugins/inputs/rabbitmq/README.md | 10 +- plugins/inputs/rabbitmq/rabbitmq.go | 23 +- .../inputs/socket_listener/socket_listener.go | 17 +- .../socket_listener/socket_listener_test.go | 16 +- .../inputs/socket_listener/testdata/ca.pem | 31 -- .../socket_listener/testdata/client.key | 27 -- .../socket_listener/testdata/client.pem | 24 -- .../socket_listener/testdata/server.key | 27 -- .../socket_listener/testdata/server.pem | 25 -- plugins/inputs/tomcat/README.md | 10 +- plugins/inputs/tomcat/tomcat.go | 20 +- plugins/inputs/zookeeper/README.md | 8 +- plugins/inputs/zookeeper/zookeeper.go | 24 +- plugins/outputs/amqp/README.md | 10 +- plugins/outputs/amqp/amqp.go | 23 +- plugins/outputs/elasticsearch/README.md | 12 +- .../outputs/elasticsearch/elasticsearch.go | 21 +- plugins/outputs/graphite/README.md | 42 +-- plugins/outputs/graphite/graphite.go | 33 +- plugins/outputs/influxdb/README.md | 10 +- plugins/outputs/influxdb/influxdb.go | 24 +- plugins/outputs/influxdb/influxdb_test.go | 7 +- plugins/outputs/kafka/README.md | 10 +- plugins/outputs/kafka/kafka.go | 33 +- plugins/outputs/mqtt/README.md | 18 +- plugins/outputs/mqtt/mqtt.go | 24 +- plugins/outputs/nats/nats.go | 25 +- plugins/outputs/socket_writer/README.md | 10 +- .../outputs/socket_writer/socket_writer.go | 22 +- testutil/pki/cacert.pem | 12 + testutil/pki/cakey.pem | 16 + testutil/pki/clientcert.pem | 13 + testutil/pki/clientkey.pem | 15 + testutil/pki/servercert.pem | 13 + 
testutil/pki/serverkey.pem | 15 + {scripts => testutil/pki}/tls-certs.sh | 18 +- testutil/tls.go | 86 +++++ 92 files changed, 1246 insertions(+), 1360 deletions(-) create mode 100644 internal/tls/config.go create mode 100644 internal/tls/config_test.go delete mode 100644 plugins/inputs/socket_listener/testdata/ca.pem delete mode 100644 plugins/inputs/socket_listener/testdata/client.key delete mode 100644 plugins/inputs/socket_listener/testdata/client.pem delete mode 100644 plugins/inputs/socket_listener/testdata/server.key delete mode 100644 plugins/inputs/socket_listener/testdata/server.pem create mode 100644 testutil/pki/cacert.pem create mode 100644 testutil/pki/cakey.pem create mode 100644 testutil/pki/clientcert.pem create mode 100644 testutil/pki/clientkey.pem create mode 100644 testutil/pki/servercert.pem create mode 100644 testutil/pki/serverkey.pem rename {scripts => testutil/pki}/tls-certs.sh (81%) create mode 100644 testutil/tls.go diff --git a/CHANGELOG.md b/CHANGELOG.md index 9216cb762..d109ad090 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ an [example configuration](./plugins/inputs/jolokia2/examples) to help you get started. +- For plugins supporting TLS, you can now specify the certificate and keys + using `tls_ca`, `tls_cert`, `tls_key`. These options behave the same as + the, now deprecated, `ssl` forms. + ### New Inputs - [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek diff --git a/etc/telegraf.conf b/etc/telegraf.conf index 2ef4fe2e4..97a14727c 100644 --- a/etc/telegraf.conf +++ b/etc/telegraf.conf 
@@ -121,11 +121,11 @@ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -184,11 +184,11 @@ # ## to 5s. 0s means no timeout (not recommended). # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -284,11 +284,11 @@ # # default_tag_value = "none" # index_name = "telegraf-%Y.%m.%d" # required. # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Template Config 
@@ -327,11 +327,11 @@ # ## timeout in seconds for the write connection to graphite # timeout = 2 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -420,11 +420,11 @@ # ## The total number of times to retry sending a message # max_retry = 3 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -536,11 +536,11 @@ # ## client ID, if not set a random ID is generated # # client_id = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. 
@@ -560,11 +560,11 @@ # ## NATS subject for producer messages # subject = "telegraf" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -695,11 +695,11 @@ # # address = "unix:///tmp/telegraf.sock" # # address = "unixgram:///tmp/telegraf.sock" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Period between keep alive probes. @@ -928,11 +928,11 @@ # ## Maximum time to receive response. # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1112,11 +1112,11 @@ # ## Data centre to query the health checks from # # datacentre = "" # -# ## SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## If false, skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = true @@ -1173,10 +1173,10 @@ # ## Maximum time to receive a response from cluster. # # response_timeout = "20s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true # @@ -1261,11 +1261,11 @@ # docker_label_include = [] # docker_label_exclude = [] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1317,11 +1317,11 @@ # ## "breaker". Per default, all stats are gathered. # # node_stats = ["jvm", "http"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1428,11 +1428,11 @@ # username = "" # password = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1456,11 +1456,11 @@ # ## field names. # # keep_field_names = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1497,11 +1497,11 @@ # ## Tag all metrics with the url # # tag_url = true # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Amount of time allowed to complete the HTTP request @@ -1541,11 +1541,11 @@ # # response_string_match = "ok" # # response_string_match = "\".*_status\".?:.?\"up\"" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP Request Headers (all values must be strings) @@ -1581,11 +1581,11 @@ # # "my_tag_2" # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -1613,11 +1613,11 @@ # "http://localhost:8086/debug/vars" # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## http request & header timeout @@ -1771,10 +1771,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add metrics to read @@ -1796,10 +1796,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add proxy targets to query @@ -1828,11 +1828,11 @@ # ## Time limit for http requests # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1852,11 +1852,11 @@ # ## Set response_timeout (default 5 seconds) # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1948,11 +1948,11 @@ # # "messages", # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1978,11 +1978,11 @@ # ## When true, collect per database stats # # gather_perdb_stats = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2061,10 +2061,12 @@ # ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) # interval_slow = "30m" # -# ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.pem" -# ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification +# # insecure_skip_verify = false # # Provides metrics about the state of a NATS server @@ -2124,10 +2126,11 @@ # # An array of Nginx stub_status URI to gather stats. # urls = ["http://localhost/server_status"] # -# # TLS/SSL configuration -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.cer" -# ssl_key = "/etc/telegraf/key.key" +# ## Optional TLS Config +# tls_ca = "/etc/telegraf/ca.pem" +# tls_cert = "/etc/telegraf/cert.cer" +# tls_key = "/etc/telegraf/key.key" +# ## Use TLS but skip chain & host verification # insecure_skip_verify = false # # # HTTP response timeout (default: 5s) @@ -2190,7 +2193,7 @@ # insecure_skip_verify = false # # # Path to PEM-encoded Root certificate to use to verify server certificate -# ssl_ca = "/etc/ssl/certs.pem" +# tls_ca = "/etc/ssl/certs.pem" # # # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # bind_dn = "" @@ -2341,11 +2344,11 @@ # ## Specify timeout duration for slower prometheus clients (default is 3s) # # response_timeout = "3s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2365,11 +2368,11 @@ # # username = "guest" # # password = "guest" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional request timeouts @@ -2798,11 +2801,11 @@ # ## Request timeout # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -2886,11 +2889,11 @@ # ## Timeout for metric collections from all servers. Minimum timeout is "1s". # # timeout = "5s" # -# ## Optional SSL Config -# # enable_ssl = true -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # enable_tls = true +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true 
@@ -2919,11 +2922,11 @@ # ## described here: https://www.rabbitmq.com/plugins.html # # auth_method = "PLAIN" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. @@ -2994,11 +2997,11 @@ # ## topic(s) to consume # topics = ["telegraf"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -3124,11 +3127,11 @@ # # username = "telegraf" # # password = "metricsmetricsmetricsmetrics" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. diff --git a/internal/internal.go b/internal/internal.go index 3227832c9..d86b32d26 100644 --- a/internal/internal.go +++ b/internal/internal.go @@ -4,11 +4,7 @@ import ( "bufio" "bytes" "crypto/rand" - "crypto/tls" - "crypto/x509" "errors" - "fmt" - "io/ioutil" "log" "math/big" "os" 
@@ -112,94 +108,6 @@ func RandomString(n int) string { return string(bytes) } -// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files -// for use with a client. -// The full path to each file must be provided. -// Returns a nil pointer if all files are blank and InsecureSkipVerify=false. -func GetTLSConfig( - SSLCert, SSLKey, SSLCA string, - InsecureSkipVerify bool, -) (*tls.Config, error) { - if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify { - return nil, nil - } - - t := &tls.Config{ - InsecureSkipVerify: InsecureSkipVerify, - } - - if SSLCA != "" { - caCert, err := ioutil.ReadFile(SSLCA) - if err != nil { - return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", - err)) - } - - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(caCert) - t.RootCAs = caCertPool - } - - if SSLCert != "" && SSLKey != "" { - cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey) - if err != nil { - return nil, errors.New(fmt.Sprintf( - "Could not load TLS client key/certificate from %s:%s: %s", - SSLKey, SSLCert, err)) - } - - t.Certificates = []tls.Certificate{cert} - t.BuildNameToCertificate() - } - - // will be nil by default if nothing is provided - return t, nil -} - -// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files -// for use with a server. -// The full path to each file must be provided. -// Returns a nil pointer if all files are blank. 
-func GetServerTLSConfig( - TLSCert, TLSKey string, - TLSAllowedCACerts []string, -) (*tls.Config, error) { - if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 { - return nil, nil - } - - t := &tls.Config{} - - if len(TLSAllowedCACerts) != 0 { - caCertPool := x509.NewCertPool() - for _, cert := range TLSAllowedCACerts { - c, err := ioutil.ReadFile(cert) - if err != nil { - return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", - err)) - } - caCertPool.AppendCertsFromPEM(c) - } - t.ClientCAs = caCertPool - t.ClientAuth = tls.RequireAndVerifyClientCert - } - - if TLSCert != "" && TLSKey != "" { - cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey) - if err != nil { - return nil, errors.New(fmt.Sprintf( - "Could not load TLS client key/certificate from %s:%s: %s", - TLSKey, TLSCert, err)) - } - - t.Certificates = []tls.Certificate{cert} - } - - t.BuildNameToCertificate() - - return t, nil -} - // SnakeCase converts the given string to snake case following the Golang format: // acronyms are converted to lower-case and preceded by an underscore. func SnakeCase(in string) string { diff --git a/internal/tls/config.go b/internal/tls/config.go new file mode 100644 index 000000000..25c0678d4 --- /dev/null +++ b/internal/tls/config.go 
@@ -0,0 +1,130 @@
+package tls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+)
+
+// ClientConfig represents the standard client TLS config.
+type ClientConfig struct {
+ TLSCA string `toml:"tls_ca"`
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+
+ // Deprecated in 1.7; use TLS variables above
+ SSLCA string `toml:"ssl_ca"`
+ SSLCert string `toml:"ssl_cert"`
+ SSLKey string `toml:"ssl_ca"`
+}
+
+// ServerConfig represents the standard server TLS config.
+type ServerConfig struct {
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
+ // Support deprecated variable names
+ if c.TLSCA == "" && c.SSLCA != "" {
+ c.TLSCA = c.SSLCA
+ }
+ if c.TLSCert == "" && c.SSLCert != "" {
+ c.TLSCert = c.SSLCert
+ }
+ if c.TLSKey == "" && c.SSLKey != "" {
+ c.TLSKey = c.SSLKey
+ }
+
+ // TODO: return default tls.Config; plugins should not call if they don't
+ // want TLS, this will require using another option to determine. In the
+ // case of an HTTP plugin, you could use `https`. Other plugins may need
+ // the dedicated option `TLSEnable`.
+ if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: c.InsecureSkipVerify,
+ Renegotiation: tls.RenegotiateNever,
+ }
+
+ if c.TLSCA != "" {
+ pool, err := makeCertPool([]string{c.TLSCA})
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = pool
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
+ if c.TLSCert == "" && c.TLSKey == "" && len(c.TLSAllowedCACerts) == 0 {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{}
+
+ if len(c.TLSAllowedCACerts) != 0 {
+ pool, err := makeCertPool(c.TLSAllowedCACerts)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.ClientCAs = pool
+ tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+func makeCertPool(certFiles []string) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, certFile := range certFiles {
+ pem, err := ioutil.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf(
+ "could not read certificate %q: %v", certFile, err)
+ }
+ ok := pool.AppendCertsFromPEM(pem)
+ if !ok {
+ return nil, fmt.Errorf(
+ "could not parse any PEM certificates %q: %v", certFile, err)
+ }
+ }
+ return pool, nil
+}
+
+func loadCertificate(config *tls.Config, certFile, keyFile string) error {
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return fmt.Errorf(
+ "could not load keypair %s:%s: %v", certFile, keyFile, err)
+ }
+
+ config.Certificates = []tls.Certificate{cert}
+ config.BuildNameToCertificate()
+ return nil
+}
diff --git a/internal/tls/config_test.go b/internal/tls/config_test.go
new file mode 100644
index 000000000..31a70d9a1
--- /dev/null
+++ b/internal/tls/config_test.go
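Review bot: The struct tag on `SSLKey` in `ClientConfig` is `toml:"ssl_ca"`, the same tag as `SSLCA`; it should read `toml:"ssl_key"`. With the duplicate tag a config that still uses the deprecated `ssl_key` option presumably never populates `SSLKey`, so `TLSKey` stays empty and the `c.TLSCert != "" && c.TLSKey != ""` branch in `ClientConfig.TLSConfig` silently skips loading the client keypair — the connection is made without client authentication and no error is reported. The "support deprecated ssl field names" case in config_test.go would not catch this because it sets the struct fields directly rather than decoding TOML, so a decode-level test of `ssl_key` is worth adding alongside the tag fix. Separately, the `!ok` branch in `makeCertPool` formats `err`, which is nil at that point since the preceding `ReadFile` check already returned; `return nil, fmt.Errorf("could not parse any PEM certificates %q", certFile)` drops the meaningless `<nil>` suffix.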
@@ -0,0 +1,226 @@
+package tls_test
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+ "time"
+
+ "github.com/influxdata/telegraf/internal/tls"
+ "github.com/influxdata/telegraf/testutil"
+ "github.com/stretchr/testify/require"
+)
+
+var pki = testutil.NewPKI("../../testutil/pki")
+
+func TestClientConfig(t *testing.T) {
+ tests := []struct {
+ name string
+ client tls.ClientConfig
+ expNil bool
+ expErr bool
+ }{
+ {
+ name: "unset",
+ client: tls.ClientConfig{},
+ expNil: true,
+ },
+ {
+ name: "success",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ },
+ {
+ name: "invalid ca",
+ client: tls.ClientConfig{
+ TLSCA: pki.ClientKeyPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing ca is okay",
+ client: tls.ClientConfig{
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ },
+ {
+ name: "invalid cert",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientKeyPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing cert skips client keypair",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: false,
+ expErr: false,
+ },
+ {
+ name: "missing key skips client keypair",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ },
+ expNil: false,
+ expErr: false,
+ },
+ {
+ name: "support deprecated ssl field names",
+ client: tls.ClientConfig{
+ SSLCA: pki.CACertPath(),
+ SSLCert: pki.ClientCertPath(),
+ SSLKey: pki.ClientKeyPath(),
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tlsConfig, err := tt.client.TLSConfig()
+ if !tt.expNil {
+ require.NotNil(t, tlsConfig)
+ } else {
+ require.Nil(t, tlsConfig)
+ }
+
+ if !tt.expErr {
+ require.NoError(t, err)
+ } else {
+ require.Error(t, err)
+ }
+ })
+ }
+}
+
+func TestServerConfig(t *testing.T) {
+ tests := []struct {
+ name string
+ server tls.ServerConfig
+ expNil bool
+ expErr bool
+ }{
+ {
+ name: "unset",
+ server: tls.ServerConfig{},
+ expNil: true,
+ },
+ {
+ name: "success",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ },
+ {
+ name: "invalid ca",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.ServerKeyPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing allowed ca is okay",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "invalid cert",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerKeyPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing cert",
+ server: tls.ServerConfig{
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing key",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tlsConfig, err := tt.server.TLSConfig()
+ if !tt.expNil {
+ require.NotNil(t, tlsConfig)
+ }
+ if !tt.expErr {
+ require.NoError(t, err)
+ }
+ })
+ }
+}
+
+func TestConnect(t *testing.T) {
+ clientConfig := tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ }
+
+ serverConfig := tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ }
+
+ serverTLSConfig, err := serverConfig.TLSConfig()
+ require.NoError(t, err)
+
+ ts := 
httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + ts.TLS = serverTLSConfig + + ts.StartTLS() + defer ts.Close() + + clientTLSConfig, err := clientConfig.TLSConfig() + require.NoError(t, err) + + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: clientTLSConfig, + }, + Timeout: 10 * time.Second, + } + + resp, err := client.Get(ts.URL) + require.NoError(t, err) + require.Equal(t, 200, resp.StatusCode) +} diff --git a/plugins/inputs/amqp_consumer/README.md b/plugins/inputs/amqp_consumer/README.md index 11084bedc..a14e2c8b0 100644 --- a/plugins/inputs/amqp_consumer/README.md +++ b/plugins/inputs/amqp_consumer/README.md @@ -32,11 +32,11 @@ The following defaults are known to work with RabbitMQ: ## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/amqp_consumer/amqp_consumer.go b/plugins/inputs/amqp_consumer/amqp_consumer.go index c96272fa7..48458a0b7 100644 --- a/plugins/inputs/amqp_consumer/amqp_consumer.go +++ b/plugins/inputs/amqp_consumer/amqp_consumer.go @@ -10,7 +10,7 @@ import ( "github.com/streadway/amqp" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) 
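Review bot: The assertion loop in `TestServerConfig` checks only one direction — `if !tt.expNil { require.NotNil(...) }` and `if !tt.expErr { require.NoError(...) }` — so every case marked `expNil: true, expErr: true` passes without asserting anything, and several of those expectations contradict the code under test: with only `TLSKey` or only `TLSCert` set, `ServerConfig.TLSConfig` skips `loadCertificate` and returns a non-nil config with a nil error, and "missing allowed ca is okay" likewise yields a config. Mirror the `TestClientConfig` loop by adding `else { require.Nil(t, tlsConfig) }` and `else { require.Error(t, err) }`, then fix the table to the behaviour actually wanted (a lone cert or key silently producing a server config with no certificate is probably worth an error rather than a pass). `TestConnect` never closes the response body; add `defer resp.Body.Close()` after the `client.Get` error check. The "support deprecated ssl field names" case populates struct fields directly, so the `toml` tags on the `SSL*` fields are not exercised by this file; a TOML round-trip case would cover the deprecation path end to end.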
@@ -31,14 +31,7 @@ type AMQPConsumer struct { // AMQP Auth method AuthMethod string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig parser parsers.Parser conn *amqp.Connection @@ -78,11 +71,11 @@ func (a *AMQPConsumer) SampleConfig() string { ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. @@ -108,8 +101,7 @@ func (a *AMQPConsumer) Gather(_ telegraf.Accumulator) error { func (a *AMQPConsumer) createConfig() (*amqp.Config, error) { // make new tls config - tls, err := internal.GetTLSConfig( - a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tls, err := a.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/apache/README.md b/plugins/inputs/apache/README.md index 0edac3166..b8822edeb 100644 --- a/plugins/inputs/apache/README.md +++ b/plugins/inputs/apache/README.md 
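Review bot: In `createConfig` the result of `a.ClientConfig.TLSConfig()` is still bound to a local named `tls`, which now shadows the `internal/tls` package that the preceding import hunk brings into scope for the rest of the function; it compiles, but any later reference to the package inside `createConfig` would silently resolve to the variable instead. Rename it the way the sibling plugins in this commit do, `tlsCfg, err := a.ClientConfig.TLSConfig()`, and update the uses below. The remainder of `createConfig` is outside the hunk, so I cannot see how many uses that touches.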
@@ -21,11 +21,11 @@ Typically, the `mod_status` module is configured to expose a page at the `/serve ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/apache/apache.go b/plugins/inputs/apache/apache.go index a3df105bb..a04d1bbb8 100644 --- a/plugins/inputs/apache/apache.go +++ b/plugins/inputs/apache/apache.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,14 +22,7 @@ type Apache struct { Username string Password string ResponseTimeout internal.Duration - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } @@ -46,11 +40,11 @@ var sampleConfig = ` ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -98,8 +92,7 @@ func (n *Apache) Gather(acc telegraf.Accumulator) error { } func (n *Apache) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsCfg, err := n.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/consul/README.md b/plugins/inputs/consul/README.md index 7e68a4931..42e1a1336 100644 --- a/plugins/inputs/consul/README.md +++ b/plugins/inputs/consul/README.md @@ -27,11 +27,11 @@ report those stats already using StatsD protocol if needed. ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ``` diff --git a/plugins/inputs/consul/consul.go b/plugins/inputs/consul/consul.go index bfd9b4340..fe9bde1db 100644 --- a/plugins/inputs/consul/consul.go +++ b/plugins/inputs/consul/consul.go @@ -5,7 +5,7 @@ import ( "github.com/hashicorp/consul/api" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -16,15 +16,7 @@ type Consul struct { Username string Password string Datacentre string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig // client used to connect to Consul agnet client *api.Client 
@@ -47,11 +39,11 @@ var sampleConfig = ` ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ` @@ -89,9 +81,7 @@ func (c *Consul) createAPIClient() (*api.Client, error) { } } - tlsCfg, err := internal.GetTLSConfig( - c.SSLCert, c.SSLKey, c.SSLCA, c.InsecureSkipVerify) - + tlsCfg, err := c.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/dcos/README.md b/plugins/inputs/dcos/README.md index 967c376a7..790590aea 100644 --- a/plugins/inputs/dcos/README.md +++ b/plugins/inputs/dcos/README.md @@ -54,10 +54,10 @@ your database. ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true diff --git a/plugins/inputs/dcos/client_test.go b/plugins/inputs/dcos/client_test.go index 3b8d93e37..1b563c63f 100644 --- a/plugins/inputs/dcos/client_test.go +++ b/plugins/inputs/dcos/client_test.go 
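Review bot: The rewritten comment in the consul `sampleConfig` now reads `## Use TLS but skip chain & host verification`, yet the example value beneath it is still `# insecure_skip_verify = true`, unlike every other plugin touched by this commit, which shows `false`. Sample configs are copied verbatim, so this example disables chain and host verification for anyone who uncomments it; change the line to `# insecure_skip_verify = false`, and make the same change in the consul README hunk so the two stay in step.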
@@ -9,26 +9,11 @@ import ( "testing" jwt "github.com/dgrijalva/jwt-go" + "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/require" ) -const ( - privateKey = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj -hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` -) +var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey() func TestLogin(t *testing.T) { ts := httptest.NewServer(http.NotFoundHandler()) diff --git a/plugins/inputs/dcos/dcos.go b/plugins/inputs/dcos/dcos.go index 91370b81f..e37bf996b 100644 --- a/plugins/inputs/dcos/dcos.go +++ b/plugins/inputs/dcos/dcos.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -56,11 +57,7 @@ type DCOS struct { MaxConnections int ResponseTimeout internal.Duration - - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool `toml:"insecure_skip_verify"` + tls.ClientConfig client Client creds Credentials 
@@ -107,10 +104,10 @@ var sampleConfig = ` ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true @@ -351,8 +348,7 @@ func (d *DCOS) init() error { } func (d *DCOS) createClient() (Client, error) { - tlsCfg, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsCfg, err := d.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/docker/README.md b/plugins/inputs/docker/README.md index b93b4a036..87b5e65d1 100644 --- a/plugins/inputs/docker/README.md +++ b/plugins/inputs/docker/README.md @@ -53,11 +53,11 @@ to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.24/) ## Which environment variables should we use as a tag tag_env = ["JAVA_HOME", "HEAP_SIZE"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/docker/docker.go b/plugins/inputs/docker/docker.go index b0b9b8cf2..a59b9f7fa 100644 --- a/plugins/inputs/docker/docker.go +++ b/plugins/inputs/docker/docker.go @@ -20,6 +20,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) 
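Review bot: The dcos `sampleConfig` hunk leaves the context line `## If false, skip chain & host verification` above `# insecure_skip_verify = true`, which inverts the option's meaning: the embedded `tls.ClientConfig` passes that value straight into `tls.Config.InsecureSkipVerify`, so `true` is what turns verification off. Since this commit is standardising the TLS stanza across plugins, replace those two lines with `## Use TLS but skip chain & host verification` and `# insecure_skip_verify = false` here and in the matching README hunk, so the example does not ship with verification disabled.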
@@ -43,10 +44,7 @@ type Docker struct { ContainerStateInclude []string `toml:"container_state_include"` ContainerStateExclude []string `toml:"container_state_exclude"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tlsint.ClientConfig newEnvClient func() (Client, error) newClient func(string, *tls.Config) (Client, error) @@ -115,11 +113,11 @@ var sampleConfig = ` docker_label_include = [] docker_label_exclude = [] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -136,8 +134,7 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error { if d.Endpoint == "ENV" { c, err = d.newEnvClient() } else { - tlsConfig, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsConfig, err := d.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/elasticsearch/README.md b/plugins/inputs/elasticsearch/README.md index 09ae15cc3..e88c3f4d6 100644 --- a/plugins/inputs/elasticsearch/README.md +++ b/plugins/inputs/elasticsearch/README.md 
@@ -38,11 +38,11 @@ or [cluster-stats](https://www.elastic.co/guide/en/elasticsearch/reference/curre ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/elasticsearch/elasticsearch.go b/plugins/inputs/elasticsearch/elasticsearch.go index 1f548a0e0..eee8d4182 100644 --- a/plugins/inputs/elasticsearch/elasticsearch.go +++ b/plugins/inputs/elasticsearch/elasticsearch.go @@ -3,16 +3,18 @@ package elasticsearch import ( "encoding/json" "fmt" - "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" - "github.com/influxdata/telegraf/plugins/inputs" - jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" "io/ioutil" "net/http" "regexp" "strings" "sync" "time" + + "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" + "github.com/influxdata/telegraf/plugins/inputs" + jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) // mask for masking username/password from error messages 
@@ -108,28 +110,26 @@ const sampleConfig = ` ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` // Elasticsearch is a plugin to read stats from one or many Elasticsearch // servers. type Elasticsearch struct { - Local bool - Servers []string - HttpTimeout internal.Duration - ClusterHealth bool - ClusterHealthLevel string - ClusterStats bool - NodeStats []string - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification + Local bool + Servers []string + HttpTimeout internal.Duration + ClusterHealth bool + ClusterHealthLevel string + ClusterStats bool + NodeStats []string + tls.ClientConfig + client *http.Client catMasterResponseTokens []string isMaster bool @@ -227,7 +227,7 @@ func (e *Elasticsearch) Gather(acc telegraf.Accumulator) error { } func (e *Elasticsearch) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig(e.SSLCert, e.SSLKey, e.SSLCA, e.InsecureSkipVerify) + tlsCfg, err := e.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/graylog/README.md b/plugins/inputs/graylog/README.md index 6d4aa6131..6ab4a70c4 100644 --- a/plugins/inputs/graylog/README.md +++ b/plugins/inputs/graylog/README.md 
@@ -44,11 +44,11 @@ Note: if namespace end point specified metrics array will be ignored for that ca username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/graylog/graylog.go b/plugins/inputs/graylog/graylog.go index 6dcc9b979..8e580480d 100644 --- a/plugins/inputs/graylog/graylog.go +++ b/plugins/inputs/graylog/graylog.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -35,15 +35,7 @@ type GrayLog struct { Metrics []string Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -111,11 +103,11 @@ var sampleConfig = ` username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -132,8 +124,7 @@ func (h *GrayLog) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/haproxy/README.md b/plugins/inputs/haproxy/README.md index 50bd4b3da..35b59524d 100644 --- a/plugins/inputs/haproxy/README.md +++ b/plugins/inputs/haproxy/README.md @@ -28,11 +28,11 @@ or [HTTP statistics page](https://cbonte.github.io/haproxy-dconv/1.9/management. ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/haproxy/haproxy.go b/plugins/inputs/haproxy/haproxy.go index 81783cf2b..19087a978 100644 --- a/plugins/inputs/haproxy/haproxy.go +++ b/plugins/inputs/haproxy/haproxy.go @@ -14,27 +14,18 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) //CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1 type haproxy struct { - Servers []string + Servers []string + KeepFieldNames bool + tls.ClientConfig client *http.Client - - KeepFieldNames bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool } var sampleConfig = ` 
@@ -56,11 +47,11 @@ var sampleConfig = ` ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -144,8 +135,7 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error { } if g.client == nil { - tlsCfg, err := internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsCfg, err := g.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http/README.md b/plugins/inputs/http/README.md index 2c0441364..25d3d2b2d 100644 --- a/plugins/inputs/http/README.md +++ b/plugins/inputs/http/README.md @@ -23,11 +23,11 @@ The HTTP input plugin collects metrics from one or more HTTP(S) endpoints. The # username = "username" # password = "pa$$word" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request diff --git a/plugins/inputs/http/http.go b/plugins/inputs/http/http.go index 16e776cd0..c9c3460be 100644 --- a/plugins/inputs/http/http.go +++ b/plugins/inputs/http/http.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) 
@@ -24,15 +25,7 @@ type HTTP struct { // HTTP Basic Auth Credentials Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Timeout internal.Duration @@ -62,11 +55,11 @@ var sampleConfig = ` ## Tag all metrics with the url # tag_url = true - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request @@ -97,8 +90,7 @@ func (h *HTTP) Gather(acc telegraf.Accumulator) error { } if h.client == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http_listener/http_listener.go b/plugins/inputs/http_listener/http_listener.go index bda4ce463..595c74ed2 100644 --- a/plugins/inputs/http_listener/http_listener.go +++ b/plugins/inputs/http_listener/http_listener.go @@ -5,9 +5,7 @@ import ( "compress/gzip" "crypto/subtle" "crypto/tls" - "crypto/x509" "io" - "io/ioutil" "log" "net" "net/http" @@ -16,6 +14,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/selfstat" 
@@ -43,9 +42,7 @@ type HTTPListener struct { MaxLineSize int Port int - TlsAllowedCacerts []string - TlsCert string - TlsKey string + tlsint.ServerConfig BasicUsername string BasicPassword string @@ -158,7 +155,10 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { h.acc = acc h.pool = NewPool(200, h.MaxLineSize) - tlsConf := h.getTLSConfig() + tlsConf, err := h.ServerConfig.TLSConfig() + if err != nil { + return err + } server := &http.Server{ Addr: h.ServiceAddress, @@ -168,7 +168,6 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { TLSConfig: tlsConf, } - var err error var listener net.Listener if tlsConf != nil { listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf) @@ -372,38 +371,6 @@ func badRequest(res http.ResponseWriter) { res.Write([]byte(`{"error":"http: bad request"}`)) } -func (h *HTTPListener) getTLSConfig() *tls.Config { - tlsConf := &tls.Config{ - InsecureSkipVerify: false, - Renegotiation: tls.RenegotiateNever, - } - - if len(h.TlsCert) == 0 || len(h.TlsKey) == 0 { - return nil - } - - cert, err := tls.LoadX509KeyPair(h.TlsCert, h.TlsKey) - if err != nil { - return nil - } - tlsConf.Certificates = []tls.Certificate{cert} - - if h.TlsAllowedCacerts != nil { - tlsConf.ClientAuth = tls.RequireAndVerifyClientCert - clientPool := x509.NewCertPool() - for _, ca := range h.TlsAllowedCacerts { - c, err := ioutil.ReadFile(ca) - if err != nil { - continue - } - clientPool.AppendCertsFromPEM(c) - } - tlsConf.ClientCAs = clientPool - } - - return tlsConf -} - func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) { if h.BasicUsername != "" && h.BasicPassword != "" { reqUsername, reqPassword, ok := req.BasicAuth() diff --git a/plugins/inputs/http_listener/http_listener_test.go b/plugins/inputs/http_listener/http_listener_test.go index 7f6ab406c..7c6cdf728 100644 --- a/plugins/inputs/http_listener/http_listener_test.go 
+++ b/plugins/inputs/http_listener/http_listener_test.go @@ -4,7 +4,6 @@ import ( "bytes" "crypto/tls" "crypto/x509" - "io" "io/ioutil" "net/http" "net/url" 
@@ -34,86 +33,12 @@ cpu_load_short,host=server06 value=12.0 1422568543702900257 emptyMsg = "" - serviceRootPEM = `-----BEGIN CERTIFICATE----- -MIIBxzCCATCgAwIBAgIJAJb7HqN2BzWWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV -BAMMC1RlbGVncmFmIENBMB4XDTE3MTEwNDA0MzEwN1oXDTI3MTEwMjA0MzEwN1ow -FjEUMBIGA1UEAwwLVGVsZWdyYWYgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ -AoGBANbkUkK6JQC3rbLcXhLJTS9SX6uXyFwl7bUfpAN5Hm5EqfvG3PnLrogfTGLr -Tq5CRAu/gbbdcMoL9TLv/aaDVnrpV0FslKhqYmkOgT28bdmA7Qtr539aQpMKCfcW -WCnoMcBD5u5h9MsRqpdq+0Mjlsf1H2hSf07jHk5R1T4l8RMXAgMBAAGjHTAbMAwG -A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBANSrwvpU -t8ihIhpHqgJZ34DM92CZZ3ZHmH/KyqlnuGzjjpnVZiXVrLDTOzrA0ziVhmefY29w -roHjENbFm54HW97ogxeURuO8HRHIVh2U0rkyVxOfGZiUdINHqsZdSnDY07bzCtSr -Z/KsfWXM5llD1Ig1FyBHpKjyUvfzr73sjm/4 ------END CERTIFICATE-----` - serviceCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBQxEjAQBgNV -BAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsJRss1af -XKrcIjQoAp2kdJIpT2Ya+MRQXJ18b0PP7szh2lisY11kd/HCkd4D4efuIkpszHaN -xwyTOZLOoplxp6fizzgOYjXsJ6SzbO1MQNmq8Ch/+uKiGgFwLX+YxOOsGSDIHNhF -vcBi93cQtCWPBFz6QRQf9yfIAA5KKxUfJcMCAwEAAaMvMC0wCQYDVR0TBAIwADAL -BgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD -gYEAiC3WI4y9vfYz53gw7FKnNK7BBdwRc43x7Pd+5J/cclWyUZPdmcj1UNmv/3rj -2qcMmX06UdgPoHppzNAJePvMVk0vjMBUe9MmYlafMz0h4ma/it5iuldXwmejFcdL -6wWQp7gVTileCEmq9sNvfQN1FmT3EWf4IMdO2MNat/1If0g= ------END CERTIFICATE-----` - serviceKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj 
-hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` - clientRootPEM = serviceRootPEM - clientCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzjCCATegAwIBAgIBAjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBMxETAPBgNV -BAMMCHRlbGVncmFmMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP2IMqyOqI -sJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqMpBUTj3vLlOzsHfVVot1WRqc6 -3esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4UkJBWim8ArSbFqnZjcR19G3tG -LUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQABoy8wLTAJBgNVHRMEAjAAMAsG -A1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOB -gQCHxMk38XNxL9nPFBYo3JqITJCFswu6/NLHwDBXCuZKl53rUuFWduiO+1OuScKQ -sQ79W0jHsWRKGOUFrF5/Gdnh8AlkVaITVlcmhdAOFCEbeGpeEvLuuK6grckPitxy -bRF5oM4TCLKKAha60Ir41rk2bomZM9+NZu+Bm+csDqCoxQ== ------END CERTIFICATE-----` - clientKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDP2IMqyOqIsJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqM -pBUTj3vLlOzsHfVVot1WRqc63esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4U -kJBWim8ArSbFqnZjcR19G3tGLUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQAB -AoGAFzb/r4+xYoMXEfgq5ZvXXTCY5cVNpR6+jCsqqYODPnn9XRLeCsdo8z5bfWms -7NKLzHzca/6IPzL6Rf3vOxFq1YyIZfYVHH+d63/9blAm3Iajjp1W2yW5aj9BJjTb -nm6F0RfuW/SjrZ9IXxTZhSpCklPmUzVZpzvwV3KGeVTVCEECQQDoavCeOwLuqDpt -0aM9GMFUpOU7kLPDuicSwCDaTae4kN2rS17Zki41YXe8A8+509IEN7mK09Vq9HxY -SX6EmV1FAkEA5O9QcCHEa8P12EmUC8oqD2bjq6o7JjUIRlKinwZTlooMJYZw98gA -FVSngTUvLVCVIvSdjldXPOGgfYiccTZrFwJAfHS3gKOtAEuJbkEyHodhD4h1UB4+ -hPLr9Xh4ny2yQH0ilpV3px5GLEOTMFUCKUoqTiPg8VxaDjn5U/WXED5n2QJAR4J1 
-NsFlcGACj+/TvacFYlA6N2nyFeokzoqLX28Ddxdh2erXqJ4hYIhT1ik9tkLggs2z -1T1084BquCuO6lIcOwJBALX4xChoMUF9k0IxSQzlz//seQYDkQNsE7y9IgAOXkzp -RaR4pzgPbnKj7atG+2dBnffWfE+1Mcy0INDAO6WxPg0= ------END RSA PRIVATE KEY-----` - basicUsername = "test-username-please-ignore" basicPassword = "super-secure-password!" ) var ( - initClient sync.Once - client *http.Client - initServiceCertFiles sync.Once - allowedCAFiles []string - serviceCAFiles []string - serviceCertFile string - serviceKeyFile string + pki = testutil.NewPKI("../../../testutil/pki") ) func newTestHTTPListener() *HTTPListener { 
@@ -132,74 +57,25 @@ func newTestHTTPAuthListener() *HTTPListener {
 }
 func newTestHTTPSListener() *HTTPListener {
- initServiceCertFiles.Do(func() {
- acaf, err := ioutil.TempFile("", "allowedCAFile.crt")
- if err != nil {
- panic(err)
- }
- defer acaf.Close()
- _, err = io.Copy(acaf, bytes.NewReader([]byte(clientRootPEM)))
- allowedCAFiles = []string{acaf.Name()}
-
- scaf, err := ioutil.TempFile("", "serviceCAFile.crt")
- if err != nil {
- panic(err)
- }
- defer scaf.Close()
- _, err = io.Copy(scaf, bytes.NewReader([]byte(serviceRootPEM)))
- serviceCAFiles = []string{scaf.Name()}
-
- scf, err := ioutil.TempFile("", "serviceCertFile.crt")
- if err != nil {
- panic(err)
- }
- defer scf.Close()
- _, err = io.Copy(scf, bytes.NewReader([]byte(serviceCertPEM)))
- serviceCertFile = scf.Name()
-
- skf, err := ioutil.TempFile("", "serviceKeyFile.crt")
- if err != nil {
- panic(err)
- }
- defer skf.Close()
- _, err = io.Copy(skf, bytes.NewReader([]byte(serviceKeyPEM)))
- serviceKeyFile = skf.Name()
- })
-
 listener := &HTTPListener{
- ServiceAddress: "localhost:0",
- TlsAllowedCacerts: allowedCAFiles,
- TlsCert: serviceCertFile,
- TlsKey: serviceKeyFile,
- TimeFunc: time.Now,
+ ServiceAddress: "localhost:0",
+ ServerConfig: *pki.TLSServerConfig(),
+ TimeFunc: time.Now,
 }
 return listener
 }
 func getHTTPSClient() *http.Client {
- initClient.Do(func() {
- cas := x509.NewCertPool()
- cas.AppendCertsFromPEM([]byte(serviceRootPEM))
- clientCert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM))
- if err != nil {
- panic(err)
- }
- client = &http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{
- RootCAs: cas,
- Certificates: []tls.Certificate{clientCert},
- MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12,
- CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- Renegotiation: tls.RenegotiateNever,
- InsecureSkipVerify: false,
- },
- },
- }
- })
- return client
+ tlsConfig, err := pki.TLSClientConfig().TLSConfig()
+ if err != nil {
+ panic(err)
+ }
+ return &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: tlsConfig,
+ },
+ }
 }
 func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string {
@@ -214,14 +90,14 @@ func createURL(listener *HTTPListener, scheme string, path string, rawquery stri
 func TestWriteHTTPSNoClientAuth(t *testing.T) {
 listener := newTestHTTPSListener()
- listener.TlsAllowedCacerts = nil
+ listener.TLSAllowedCACerts = nil
 acc := &testutil.Accumulator{}
 require.NoError(t, listener.Start(acc))
 defer listener.Stop()
 cas := x509.NewCertPool()
- cas.AppendCertsFromPEM([]byte(serviceRootPEM))
+ cas.AppendCertsFromPEM([]byte(pki.ReadServerCert()))
 noClientAuthClient := &http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
diff --git a/plugins/inputs/http_response/README.md b/plugins/inputs/http_response/README.md
index 69b477ed4..4ccd236a5 100644
--- a/plugins/inputs/http_response/README.md
+++ b/plugins/inputs/http_response/README.md
@@ -32,11 +32,11 @@ This input plugin checks HTTP/HTTPS connections.
 # response_string_match = "ok"
 # response_string_match = "\".*_status\".?:.?\"up\""
- ## Optional SSL Config
- # ssl_ca = "/etc/telegraf/ca.pem"
- # ssl_cert = "/etc/telegraf/cert.pem"
- # ssl_key = "/etc/telegraf/key.pem"
- ## Use SSL but skip chain & host verification
+ ## Optional TLS Config
+ # tls_ca = "/etc/telegraf/ca.pem"
+ # tls_cert = "/etc/telegraf/cert.pem"
+ # tls_key = "/etc/telegraf/key.pem"
+ ## Use TLS but skip chain & host verification
 # insecure_skip_verify = false
 ## HTTP Request Headers (all values must be strings)
diff --git a/plugins/inputs/http_response/http_response.go b/plugins/inputs/http_response/http_response.go
index 9dcf9394a..1f1f68707 100644
--- a/plugins/inputs/http_response/http_response.go
+++ b/plugins/inputs/http_response/http_response.go
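Review bot: getHTTPSClient no longer pins MinVersion/MaxVersion to TLS 1.2 nor restricts the cipher suite; the replacement takes whatever `pki.TLSClientConfig().TLSConfig()` returns, and the policy internal/tls applies is not visible in this hunk. If the version floor is now enforced centrally in internal/tls/config.go, that is the right place to test it, but nothing in this file asserts it anymore, so a one-line comment at the call, `// TLS version and cipher policy comes from internal/tls; see its tests.`, would make the move deliberate rather than accidental. The function also builds a fresh client on every call where the old one was cached in a sync.Once, which is fine for tests but worth a short comment if intentional.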
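Review bot: In TestWriteHTTPSNoClientAuth the root pool is now filled from `pki.ReadServerCert()`, whereas the removed line appended the CA (serviceRootPEM); trusting the server leaf directly works with Go's verifier but means the test no longer exercises chain building from the leaf to a CA. If the testutil PKI exposes the CA certificate (not visible here), prefer that accessor over the server leaf at this line so the test keeps validating the chain rather than a pinned leaf. The function continues outside the hunk.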
@@ -16,6 +16,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -29,15 +30,7 @@ type HTTPResponse struct { Headers map[string]string FollowRedirects bool ResponseStringMatch string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig compiledStringMatch *regexp.Regexp client *http.Client @@ -74,11 +67,11 @@ var sampleConfig = ` # response_string_match = "ok" # response_string_match = "\".*_status\".?:.?\"up\"" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Headers (all values must be strings) @@ -113,8 +106,7 @@ func getProxyFunc(http_proxy string) func(*http.Request) (*url.URL, error) { // CreateHttpClient creates an http client which will timeout at the specified // timeout period and can follow redirects if specified func (h *HTTPResponse) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/httpjson/README.md b/plugins/inputs/httpjson/README.md index e3ef83c87..19fe01445 100644 --- a/plugins/inputs/httpjson/README.md +++ b/plugins/inputs/httpjson/README.md 
@@ -34,11 +34,11 @@ Deprecated (1.6): use the [http](../http) input. # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Parameters (all values must be strings). For "GET" requests, data diff --git a/plugins/inputs/httpjson/httpjson.go b/plugins/inputs/httpjson/httpjson.go index bfa35752b..c7324dee4 100644 --- a/plugins/inputs/httpjson/httpjson.go +++ b/plugins/inputs/httpjson/httpjson.go @@ -12,6 +12,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -29,15 +30,7 @@ type HttpJson struct { ResponseTimeout internal.Duration Parameters map[string]string Headers map[string]string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -100,11 +93,11 @@ var sampleConfig = ` # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -133,8 +126,7 @@ func (h *HttpJson) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/influxdb/README.md b/plugins/inputs/influxdb/README.md index 852393165..2bab123f8 100644 --- a/plugins/inputs/influxdb/README.md +++ b/plugins/inputs/influxdb/README.md @@ -20,11 +20,11 @@ InfluxDB-formatted endpoints. See below for more information. "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout diff --git a/plugins/inputs/influxdb/influxdb.go b/plugins/inputs/influxdb/influxdb.go index 811f4ce56..0bb3ead5e 100644 --- a/plugins/inputs/influxdb/influxdb.go +++ b/plugins/inputs/influxdb/influxdb.go @@ -10,21 +10,14 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) type InfluxDB struct { - URLs []string `toml:"urls"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - + URLs []string `toml:"urls"` Timeout internal.Duration + tls.ClientConfig client *http.Client } 
@@ -45,11 +38,11 @@ func (*InfluxDB) SampleConfig() string { "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout @@ -63,8 +56,7 @@ func (i *InfluxDB) Gather(acc telegraf.Accumulator) error { } if i.client == nil { - tlsCfg, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsCfg, err := i.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/jolokia2/README.md b/plugins/inputs/jolokia2/README.md index 283c4a5e5..441ede226 100644 --- a/plugins/inputs/jolokia2/README.md +++ b/plugins/inputs/jolokia2/README.md @@ -18,14 +18,14 @@ The `jolokia2_agent` input plugin reads JMX metrics from one or more [Jolokia ag paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with agents: +Optionally, specify TLS options for communicating with agents: ```toml [[inputs.jolokia2_agent]] urls = ["https://agent:8080/jolokia"] - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false [[inputs.jolokia2_agent.metric]] 
@@ -55,15 +55,15 @@ The `jolokia2_proxy` input plugin reads JMX metrics from one or more _targets_ b paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with proxies: +Optionally, specify TLS options for communicating with proxies: ```toml [[inputs.jolokia2_proxy]] url = "https://proxy:8080/jolokia" - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false #default_target_username = "" diff --git a/plugins/inputs/jolokia2/client.go b/plugins/inputs/jolokia2/client.go index aa9a8f87b..9f5de15d8 100644 --- a/plugins/inputs/jolokia2/client.go +++ b/plugins/inputs/jolokia2/client.go @@ -10,7 +10,7 @@ import ( "path" "time" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" ) type Client struct { @@ -20,15 +20,11 @@ type Client struct { } type ClientConfig struct { - ResponseTimeout time.Duration - Username string - Password string - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool - - ProxyConfig *ProxyConfig + ResponseTimeout time.Duration + Username string + Password string + ProxyConfig *ProxyConfig + tls.ClientConfig } type ProxyConfig struct { @@ -100,8 +96,7 @@ type jolokiaResponse struct { } func NewClient(url string, config *ClientConfig) (*Client, error) { - tlsConfig, err := internal.GetTLSConfig( - config.SSLCert, config.SSLKey, config.SSLCA, config.InsecureSkipVerify) + tlsConfig, err := config.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/jolokia2/jolokia_agent.go b/plugins/inputs/jolokia2/jolokia_agent.go index 1042da9d9..f1d58e681 100644 --- a/plugins/inputs/jolokia2/jolokia_agent.go +++ b/plugins/inputs/jolokia2/jolokia_agent.go 
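Review bot: In the ClientConfig hunk of client.go, embedding `tls.ClientConfig` in a type that is itself named ClientConfig produces a field named ClientConfig inside ClientConfig, so `config.ClientConfig.TLSConfig()` in NewClient reads as if the struct were calling itself. Since this struct is built programmatically by the agent and proxy plugins (`ClientConfig: ja.ClientConfig` in jolokia_agent.go and jolokia_proxy.go) rather than decoded from TOML, a named field such as `TLS tls.ClientConfig` would be clearer; if the embed is kept, a doc comment on it, `// ClientConfig carries the tls_ca/tls_cert/tls_key/insecure_skip_verify settings; see internal/tls.`, removes the ambiguity.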
@@ -6,6 +6,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaAgent struct { @@ -18,10 +19,7 @@ type JolokiaAgent struct { Password string ResponseTimeout time.Duration `toml:"response_timeout"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` gatherer *Gatherer @@ -39,10 +37,10 @@ func (ja *JolokiaAgent) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add metrics to read @@ -101,12 +99,9 @@ func (ja *JolokiaAgent) createMetrics() []Metric { func (ja *JolokiaAgent) createClient(url string) (*Client, error) { return NewClient(url, &ClientConfig{ - Username: ja.Username, - Password: ja.Password, - ResponseTimeout: ja.ResponseTimeout, - SSLCA: ja.SSLCA, - SSLCert: ja.SSLCert, - SSLKey: ja.SSLKey, - InsecureSkipVerify: ja.InsecureSkipVerify, + Username: ja.Username, + Password: ja.Password, + ResponseTimeout: ja.ResponseTimeout, + ClientConfig: ja.ClientConfig, }) } diff --git a/plugins/inputs/jolokia2/jolokia_proxy.go b/plugins/inputs/jolokia2/jolokia_proxy.go index c9474871f..40909dcce 100644 --- a/plugins/inputs/jolokia2/jolokia_proxy.go +++ b/plugins/inputs/jolokia2/jolokia_proxy.go @@ -4,6 +4,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaProxy struct { 
@@ -16,13 +17,10 @@ type JolokiaProxy struct { DefaultTargetUsername string Targets []JolokiaProxyTargetConfig `toml:"target"` - Username string - Password string - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool - ResponseTimeout time.Duration `toml:"response_timeout"` + Username string + Password string + ResponseTimeout time.Duration `toml:"response_timeout"` + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` client *Client @@ -47,10 +45,10 @@ func (jp *JolokiaProxy) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add proxy targets to query @@ -117,13 +115,10 @@ func (jp *JolokiaProxy) createClient() (*Client, error) { } return NewClient(jp.URL, &ClientConfig{ - Username: jp.Username, - Password: jp.Password, - ResponseTimeout: jp.ResponseTimeout, - SSLCA: jp.SSLCA, - SSLCert: jp.SSLCert, - SSLKey: jp.SSLKey, - InsecureSkipVerify: jp.InsecureSkipVerify, - ProxyConfig: proxyConfig, + Username: jp.Username, + Password: jp.Password, + ResponseTimeout: jp.ResponseTimeout, + ClientConfig: jp.ClientConfig, + ProxyConfig: proxyConfig, }) } diff --git a/plugins/inputs/kafka_consumer/README.md b/plugins/inputs/kafka_consumer/README.md index 695001274..67dbb539e 100644 --- a/plugins/inputs/kafka_consumer/README.md +++ b/plugins/inputs/kafka_consumer/README.md 
@@ -22,11 +22,11 @@ and use the old zookeeper connection method. ## Offset (must be either "oldest" or "newest") offset = "oldest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/inputs/kafka_consumer/kafka_consumer.go b/plugins/inputs/kafka_consumer/kafka_consumer.go index 4e4715617..bf74dd5ab 100644 --- a/plugins/inputs/kafka_consumer/kafka_consumer.go +++ b/plugins/inputs/kafka_consumer/kafka_consumer.go @@ -7,7 +7,7 @@ import ( "sync" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -23,14 +23,7 @@ type Kafka struct { Cluster *cluster.Consumer - // Verify Kafka SSL Certificate - InsecureSkipVerify bool - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` + tls.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` @@ -67,11 +60,11 @@ var sampleConfig = ` ## topic(s) to consume topics = ["telegraf"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config 
@@ -116,8 +109,7 @@ func (k *Kafka) Start(acc telegraf.Accumulator) error { config := cluster.NewConfig() config.Consumer.Return.Errors = true - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/kapacitor/README.md b/plugins/inputs/kapacitor/README.md index ae5b365da..2ff4eab88 100644 --- a/plugins/inputs/kapacitor/README.md +++ b/plugins/inputs/kapacitor/README.md @@ -15,11 +15,11 @@ The Kapacitor plugin will collect metrics from the given Kapacitor instances. ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/kapacitor/kapacitor.go b/plugins/inputs/kapacitor/kapacitor.go index ea0ca055b..f20b98774 100644 --- a/plugins/inputs/kapacitor/kapacitor.go +++ b/plugins/inputs/kapacitor/kapacitor.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -17,18 +18,9 @@ const ( ) type Kapacitor struct { - URLs []string `toml:"urls"` - + URLs []string `toml:"urls"` Timeout internal.Duration - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } 
@@ -48,11 +40,11 @@ func (*Kapacitor) SampleConfig() string { ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` } @@ -82,8 +74,7 @@ func (k *Kapacitor) Gather(acc telegraf.Accumulator) error { } func (k *Kapacitor) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/kubernetes/kubernetes.go b/plugins/inputs/kubernetes/kubernetes.go index 9d07d6a42..870524a80 100644 --- a/plugins/inputs/kubernetes/kubernetes.go +++ b/plugins/inputs/kubernetes/kubernetes.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,18 +22,11 @@ type Kubernetes struct { // Bearer Token authorization file path BearerToken string `toml:"bearer_token"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - // HTTP Timeout specified as a string - 3s, 1m, 1h ResponseTimeout internal.Duration + tls.ClientConfig + RoundTripper http.RoundTripper } 
@@ -46,11 +40,11 @@ var sampleConfig = ` ## Set response_timeout (default 5 seconds) # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -101,7 +95,7 @@ func (k *Kubernetes) gatherSummary(baseURL string, acc telegraf.Accumulator) err var token []byte var resp *http.Response - tlsCfg, err := internal.GetTLSConfig(k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/mesos/README.md b/plugins/inputs/mesos/README.md index 46df267aa..b18908b8a 100644 --- a/plugins/inputs/mesos/README.md +++ b/plugins/inputs/mesos/README.md @@ -36,11 +36,11 @@ For more information, please check the [Mesos Observability Metrics](http://meso # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/mesos/mesos.go b/plugins/inputs/mesos/mesos.go index 5b0697cab..15e2bfccb 100644 --- a/plugins/inputs/mesos/mesos.go +++ b/plugins/inputs/mesos/mesos.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) 
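Review bot: The rewritten sample-config lines in kubernetes.go still carry unquoted paths — `# tls_ca = /path/to/cafile` is not valid TOML once a user uncomments it, unlike the quoted form every other plugin in this patch uses. Since these lines are being touched anyway, quote them: `# tls_ca = "/path/to/cafile"`, `# tls_cert = "/path/to/certfile"`, `# tls_key = "/path/to/keyfile"`.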
@@ -33,15 +33,7 @@ type Mesos struct { Slaves []string SlaveCols []string `toml:"slave_collections"` //SlaveTasks bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig initialized bool client *http.Client @@ -83,11 +75,11 @@ var sampleConfig = ` # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -216,8 +208,7 @@ func (m *Mesos) Gather(acc telegraf.Accumulator) error { } func (m *Mesos) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/mongodb/README.md b/plugins/inputs/mongodb/README.md index 48c01a590..a78d7b954 100644 --- a/plugins/inputs/mongodb/README.md +++ b/plugins/inputs/mongodb/README.md @@ -14,11 +14,11 @@ ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` 
diff --git a/plugins/inputs/mongodb/mongodb.go b/plugins/inputs/mongodb/mongodb.go index e6b811e54..895667dee 100644 --- a/plugins/inputs/mongodb/mongodb.go +++ b/plugins/inputs/mongodb/mongodb.go @@ -12,7 +12,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "gopkg.in/mgo.v2" ) @@ -22,15 +22,7 @@ type MongoDB struct { Ssl Ssl mongos map[string]*Server GatherPerdbStats bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tlsint.ClientConfig } type Ssl struct { @@ -49,11 +41,11 @@ var sampleConfig = ` ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -134,7 +126,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { var tlsConfig *tls.Config if m.Ssl.Enabled { - // Deprecated SSL config + // Deprecated TLS config tlsConfig = &tls.Config{} if len(m.Ssl.CaCerts) > 0 { roots := x509.NewCertPool() @@ -149,8 +141,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { tlsConfig.InsecureSkipVerify = true } } else { - tlsConfig, err = internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsConfig, err = m.ClientConfig.TLSConfig() if err != nil { return err } 
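Review bot: In the gatherServer hunk the new `m.ClientConfig.TLSConfig()` sits in the else branch of `if m.Ssl.Enabled`, so while the deprecated Ssl block is enabled any tls_ca/tls_cert/tls_key the user also configured are silently ignored, and that deprecated branch is the one that can set `tlsConfig.InsecureSkipVerify = true`. The renamed `// Deprecated TLS config` comment should state the precedence, e.g. `// Deprecated Ssl block wins: the tls_* options are ignored while Ssl.Enabled is true.`, and a logged deprecation warning at that point would help users migrate. The condition under which InsecureSkipVerify is set starts outside the hunk, so I cannot tell how broad it is.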
diff --git a/plugins/inputs/mqtt_consumer/README.md b/plugins/inputs/mqtt_consumer/README.md index 2889bde59..df7869a86 100644 --- a/plugins/inputs/mqtt_consumer/README.md +++ b/plugins/inputs/mqtt_consumer/README.md @@ -36,11 +36,11 @@ The plugin expects messages in the # username = "telegraf" # password = "metricsmetricsmetricsmetrics" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/mqtt_consumer/mqtt_consumer.go b/plugins/inputs/mqtt_consumer/mqtt_consumer.go index 6903f654d..58074af79 100644 --- a/plugins/inputs/mqtt_consumer/mqtt_consumer.go +++ b/plugins/inputs/mqtt_consumer/mqtt_consumer.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -33,15 +34,7 @@ type MQTTConsumer struct { PersistentSession bool ClientID string `toml:"client_id"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig sync.Mutex client mqtt.Client 
@@ -83,11 +76,11 @@ var sampleConfig = `
   # username = "telegraf"
   # password = "metricsmetricsmetricsmetrics"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## Data format to consume.
@@ -236,8 +229,7 @@ func (m *MQTTConsumer) createOpts() (*mqtt.ClientOptions, error) {
 		opts.SetClientID(m.ClientID)
 	}
 
-	tlsCfg, err := internal.GetTLSConfig(
-		m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
+	tlsCfg, err := m.ClientConfig.TLSConfig()
 	if err != nil {
 		return nil, err
 	}
diff --git a/plugins/inputs/mysql/README.md b/plugins/inputs/mysql/README.md
index a190c600d..564d75e61 100644
--- a/plugins/inputs/mysql/README.md
+++ b/plugins/inputs/mysql/README.md
@@ -82,10 +82,10 @@ This plugin gathers the statistic data from MySQL server
   ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
   interval_slow = "30m"
 
-  ## Optional SSL Config (will be used if tls=custom parameter specified in server uri)
-  ssl_ca = "/etc/telegraf/ca.pem"
-  ssl_cert = "/etc/telegraf/cert.pem"
-  ssl_key = "/etc/telegraf/key.pem"
+  ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
+  tls_ca = "/etc/telegraf/ca.pem"
+  tls_cert = "/etc/telegraf/cert.pem"
+  tls_key = "/etc/telegraf/key.pem"
 ```
 
 #### Metric Version
diff --git a/plugins/inputs/mysql/mysql.go b/plugins/inputs/mysql/mysql.go
index 6e5a89e3b..063452b7c 100644
--- a/plugins/inputs/mysql/mysql.go
+++ b/plugins/inputs/mysql/mysql.go
@@ -11,7 +11,7 @@ import (
 	"time"
 
 	"github.com/influxdata/telegraf"
-	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 	"github.com/influxdata/telegraf/plugins/inputs/mysql/v1"
 
@@ -38,10 +38,8 @@ type Mysql struct {
 	GatherFileEventsStats      bool   `toml:"gather_file_events_stats"`
 	GatherPerfEventsStatements bool   `toml:"gather_perf_events_statements"`
 	IntervalSlow               string `toml:"interval_slow"`
-	SSLCA                      string `toml:"ssl_ca"`
-	SSLCert                    string `toml:"ssl_cert"`
-	SSLKey                     string `toml:"ssl_key"`
 	MetricVersion              int    `toml:"metric_version"`
+	tls.ClientConfig
 }
 
 var sampleConfig = `
@@ -118,10 +116,12 @@ var sampleConfig = `
   ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES)
   interval_slow = "30m"
 
-  ## Optional SSL Config (will be used if tls=custom parameter specified in server uri)
-  ssl_ca = "/etc/telegraf/ca.pem"
-  ssl_cert = "/etc/telegraf/cert.pem"
-  ssl_key = "/etc/telegraf/key.pem"
+  ## Optional TLS Config (will be used if tls=custom parameter specified in server uri)
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
 `
 
 var defaultTimeout = time.Second * time.Duration(5)
@@ -161,7 +161,7 @@ func (m *Mysql) Gather(acc telegraf.Accumulator) error {
 		m.InitMysql()
 	}
 
-	tlsConfig, err := internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false)
+	tlsConfig, err := m.ClientConfig.TLSConfig()
 	if err != nil {
 		return fmt.Errorf("registering TLS config: %s", err)
 	}
diff --git a/plugins/inputs/nginx/README.md b/plugins/inputs/nginx/README.md
index 819501ea7..7b5215dc3 100644
--- a/plugins/inputs/nginx/README.md
+++ b/plugins/inputs/nginx/README.md
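Review bot: The mysql plugin now honours `insecure_skip_verify`, which the old call hard-coded to `false` (`internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false)`); `m.ClientConfig.TLSConfig()` presumably applies the embedded `InsecureSkipVerify` field that the openldap hunk on this page sets explicitly, so an operator can now disable chain and host verification for MySQL where that was previously impossible. The sample config in this file advertises the new key, but the mysql README hunk just above only renames `ssl_*` to `tls_*` and does not mention it. Suggest adding `## Use TLS but skip chain & host verification` and `# insecure_skip_verify = false` to the README block so the documented options match the sample, and calling out the newly honoured option as a behaviour change. Gather's body continues outside the hunk.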
@@ -8,11 +8,11 @@
   ## An array of Nginx stub_status URI to gather stats.
   urls = ["http://localhost/server_status"]
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## HTTP response timeout (default: 5s)
diff --git a/plugins/inputs/nginx/nginx.go b/plugins/inputs/nginx/nginx.go
index 3880dd91d..1a1a115d3 100644
--- a/plugins/inputs/nginx/nginx.go
+++ b/plugins/inputs/nginx/nginx.go
@@ -13,34 +13,28 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
 type Nginx struct {
-	// List of status URLs
-	Urls []string
-	// Path to CA file
-	SSLCA string `toml:"ssl_ca"`
-	// Path to client cert file
-	SSLCert string `toml:"ssl_cert"`
-	// Path to cert key file
-	SSLKey string `toml:"ssl_key"`
-	// Use SSL but skip chain & host verification
-	InsecureSkipVerify bool
+	Urls            []string
+	ResponseTimeout internal.Duration
+	tls.ClientConfig
+
 	// HTTP client
 	client *http.Client
-	// Response timeout
-	ResponseTimeout internal.Duration
 }
 
 var sampleConfig = `
   # An array of Nginx stub_status URI to gather stats.
   urls = ["http://localhost/server_status"]
 
-  # TLS/SSL configuration
-  ssl_ca = "/etc/telegraf/ca.pem"
-  ssl_cert = "/etc/telegraf/cert.cer"
-  ssl_key = "/etc/telegraf/key.key"
+  ## Optional TLS Config
+  tls_ca = "/etc/telegraf/ca.pem"
+  tls_cert = "/etc/telegraf/cert.cer"
+  tls_key = "/etc/telegraf/key.key"
+  ## Use TLS but skip chain & host verification
   insecure_skip_verify = false
 
   # HTTP response timeout (default: 5s)
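Review bot: The nginx sample config leaves `tls_ca`, `tls_cert` and `tls_key` active (not commented out) under an `## Optional TLS Config` header, while the nginx README hunk above and every other plugin in this change comment them out; a config generated from this sample would try to load `/etc/telegraf/cert.cer` and `/etc/telegraf/key.key` and fail at startup if those files do not exist. Suggest `# tls_ca = "/etc/telegraf/ca.pem"`, `# tls_cert = "/etc/telegraf/cert.pem"`, `# tls_key = "/etc/telegraf/key.pem"` and `# insecure_skip_verify = false` so the sample matches the README. The surrounding `# An array of ...` and `# HTTP response timeout` lines also still use the single-`#` comment style that the rest of this change replaces with `##`.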
@@ -87,8 +81,7 @@ func (n *Nginx) Gather(acc telegraf.Accumulator) error {
 }
 
 func (n *Nginx) createHttpClient() (*http.Client, error) {
-	tlsCfg, err := internal.GetTLSConfig(
-		n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify)
+	tlsCfg, err := n.ClientConfig.TLSConfig()
 	if err != nil {
 		return nil, err
 	}
diff --git a/plugins/inputs/openldap/README.md b/plugins/inputs/openldap/README.md
index 44e751f5e..aac600219 100644
--- a/plugins/inputs/openldap/README.md
+++ b/plugins/inputs/openldap/README.md
@@ -20,7 +20,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
   insecure_skip_verify = false
 
   # Path to PEM-encoded Root certificate to use to verify server certificate
-  ssl_ca = "/etc/ssl/certs.pem"
+  tls_ca = "/etc/ssl/certs.pem"
 
   # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
   bind_dn = ""
diff --git a/plugins/inputs/openldap/openldap.go b/plugins/inputs/openldap/openldap.go
index e413ecbed..8a423ba51 100644
--- a/plugins/inputs/openldap/openldap.go
+++ b/plugins/inputs/openldap/openldap.go
@@ -8,7 +8,7 @@ import (
 	"gopkg.in/ldap.v2"
 
 	"github.com/influxdata/telegraf"
-	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -36,7 +36,7 @@ const sampleConfig string = `
   insecure_skip_verify = false
 
   # Path to PEM-encoded Root certificate to use to verify server certificate
-  ssl_ca = "/etc/ssl/certs.pem"
+  tls_ca = "/etc/ssl/certs.pem"
 
   # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed.
   bind_dn = ""
@@ -85,7 +85,11 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
 	var l *ldap.Conn
 	if o.Ssl != "" {
 		// build tls config
-		tlsConfig, err := internal.GetTLSConfig("", "", o.SslCa, o.InsecureSkipVerify)
+		clientTLSConfig := tls.ClientConfig{
+			SSLCA:              o.SslCa,
+			InsecureSkipVerify: o.InsecureSkipVerify,
+		}
+		tlsConfig, err := clientTLSConfig.TLSConfig()
 		if err != nil {
 			acc.AddError(err)
 			return nil
diff --git a/plugins/inputs/prometheus/README.md b/plugins/inputs/prometheus/README.md
index ac7405014..227f3f737 100644
--- a/plugins/inputs/prometheus/README.md
+++ b/plugins/inputs/prometheus/README.md
@@ -20,11 +20,11 @@ in Prometheus format.
   ## Specify timeout duration for slower prometheus clients (default is 3s)
   # response_timeout = "3s"
 
-  ## Optional SSL Config
-  # ssl_ca = /path/to/cafile
-  # ssl_cert = /path/to/certfile
-  # ssl_key = /path/to/keyfile
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = /path/to/cafile
+  # tls_cert = /path/to/certfile
+  # tls_key = /path/to/keyfile
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 ```
diff --git a/plugins/inputs/prometheus/prometheus.go b/plugins/inputs/prometheus/prometheus.go
index 2a8a6b284..23709790f 100644
--- a/plugins/inputs/prometheus/prometheus.go
+++ b/plugins/inputs/prometheus/prometheus.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -30,14 +31,7 @@ type Prometheus struct {
 
 	ResponseTimeout internal.Duration `toml:"response_timeout"`
 
-	// Path to CA file
-	SSLCA string `toml:"ssl_ca"`
-	// Path to host cert file
-	SSLCert string `toml:"ssl_cert"`
-	// Path to cert key file
-	SSLKey string `toml:"ssl_key"`
-	// Use SSL but skip chain & host verification
-	InsecureSkipVerify bool
+	tls.ClientConfig
 
 	client *http.Client
 }
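Review bot: The openldap sample config and README now document `tls_ca`, but this hunk still reads `o.SslCa`, and no hunk in openldap.go touches the Openldap struct, so that field presumably still maps to the old `ssl_ca` key; a user following the new docs would set `tls_ca`, have it silently ignored, and run with no configured CA (with `insecure_skip_verify = false` the handshake then either fails or is verified against system roots, never the intended CA). Either keep `ssl_ca` in the sample config until the struct gains a `tls_ca`-tagged field, or add that field in the same change and pass it here in place of `SSLCA: o.SslCa,`. It is also worth confirming that `tls.ClientConfig`'s `SSLCA` field is what `tls_ca` maps to, since the field name kept the old prefix. Gather's body continues outside the hunk.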
@@ -55,11 +49,11 @@ var sampleConfig = `
   ## Specify timeout duration for slower prometheus clients (default is 3s)
   # response_timeout = "3s"
 
-  ## Optional SSL Config
-  # ssl_ca = /path/to/cafile
-  # ssl_cert = /path/to/certfile
-  # ssl_key = /path/to/keyfile
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = /path/to/cafile
+  # tls_cert = /path/to/certfile
+  # tls_key = /path/to/keyfile
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 `
@@ -167,8 +161,7 @@ var client = &http.Client{
 }
 
 func (p *Prometheus) createHttpClient() (*http.Client, error) {
-	tlsCfg, err := internal.GetTLSConfig(
-		p.SSLCert, p.SSLKey, p.SSLCA, p.InsecureSkipVerify)
+	tlsCfg, err := p.ClientConfig.TLSConfig()
 	if err != nil {
 		return nil, err
 	}
diff --git a/plugins/inputs/rabbitmq/README.md b/plugins/inputs/rabbitmq/README.md
index 5dae5e091..ae6dac6f1 100644
--- a/plugins/inputs/rabbitmq/README.md
+++ b/plugins/inputs/rabbitmq/README.md
@@ -16,11 +16,11 @@ For additional details reference the [RabbitMQ Management HTTP Stats](https://cd
   # username = "guest"
   # password = "guest"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## Optional request timeouts
diff --git a/plugins/inputs/rabbitmq/rabbitmq.go b/plugins/inputs/rabbitmq/rabbitmq.go
index e0d12c3db..49dabe1b5 100644
--- a/plugins/inputs/rabbitmq/rabbitmq.go
+++ b/plugins/inputs/rabbitmq/rabbitmq.go
@@ -11,6 +11,7 @@ import (
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/filter"
 	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -37,14 +38,7 @@ type RabbitMQ struct {
 	Name     string
 	Username string
 	Password string
-	// Path to CA file
-	SSLCA string `toml:"ssl_ca"`
-	// Path to host cert file
-	SSLCert string `toml:"ssl_cert"`
-	// Path to cert key file
-	SSLKey string `toml:"ssl_key"`
-	// Use SSL but skip chain & host verification
-	InsecureSkipVerify bool
+	tls.ClientConfig
 
 	ResponseHeaderTimeout internal.Duration `toml:"header_timeout"`
 	ClientTimeout         internal.Duration `toml:"client_timeout"`
@@ -175,11 +169,11 @@ var sampleConfig = `
   # username = "guest"
   # password = "guest"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## Optional request timeouts
@@ -223,8 +217,7 @@ func (r *RabbitMQ) Description() string {
 // Gather ...
 func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error {
 	if r.Client == nil {
-		tlsCfg, err := internal.GetTLSConfig(
-			r.SSLCert, r.SSLKey, r.SSLCA, r.InsecureSkipVerify)
+		tlsCfg, err := r.ClientConfig.TLSConfig()
 		if err != nil {
 			return err
 		}
diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go
index 076e1f4b8..daab84952 100644
--- a/plugins/inputs/socket_listener/socket_listener.go
+++ b/plugins/inputs/socket_listener/socket_listener.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	tlsint "github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 	"github.com/influxdata/telegraf/plugins/parsers"
 )
@@ -161,14 +162,12 @@ func (psl *packetSocketListener) listen() {
 }
 
 type SocketListener struct {
-	ServiceAddress    string             `toml:"service_address"`
-	MaxConnections    int                `toml:"max_connections"`
-	ReadBufferSize    int                `toml:"read_buffer_size"`
-	ReadTimeout       *internal.Duration `toml:"read_timeout"`
-	TLSAllowedCACerts []string           `toml:"tls_allowed_cacerts"`
-	TLSCert           string             `toml:"tls_cert"`
-	TLSKey            string             `toml:"tls_key"`
-	KeepAlivePeriod   *internal.Duration `toml:"keep_alive_period"`
+	ServiceAddress  string             `toml:"service_address"`
+	MaxConnections  int                `toml:"max_connections"`
+	ReadBufferSize  int                `toml:"read_buffer_size"`
+	ReadTimeout     *internal.Duration `toml:"read_timeout"`
+	KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
+	tlsint.ServerConfig
 
 	parsers.Parser
 	telegraf.Accumulator
@@ -259,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error {
 		l net.Listener
 	)
 
-	tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts)
+	tlsCfg, err := sl.ServerConfig.TLSConfig()
 	if err != nil {
 		return nil
 	}
diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go
index b647e724f..65ee0db94 100644
--- a/plugins/inputs/socket_listener/socket_listener_test.go
+++ b/plugins/inputs/socket_listener/socket_listener_test.go
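Review bot: The error from the new `sl.ServerConfig.TLSConfig()` call is still discarded by the context lines below it: `if err != nil { return nil }` makes Start report success when the configured certificate, key or allowed CA list cannot be loaded, so the listener never opens and nothing is logged, and a misconfigured TLS listener looks identical to a healthy one from the outside. Change that branch to `return err` so a broken TLS configuration fails startup loudly. Start's body continues outside the hunk.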
@@ -9,12 +9,13 @@ import (
 	"testing"
 	"time"
 
-	"github.com/influxdata/telegraf/internal"
 	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+var pki = testutil.NewPKI("../../../testutil/pki")
+
 // testEmptyLog is a helper function to ensure no data is written to log.
 // Should be called at the start of the test, and returns a function which should run at the end.
 func testEmptyLog(t *testing.T) func() {
@@ -32,16 +33,14 @@ func TestSocketListener_tcp_tls(t *testing.T) {
 
 	sl := newSocketListener()
 	sl.ServiceAddress = "tcp://127.0.0.1:0"
-	sl.TLSCert = "testdata/server.pem"
-	sl.TLSKey = "testdata/server.key"
-	sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
+	sl.ServerConfig = *pki.TLSServerConfig()
 
 	acc := &testutil.Accumulator{}
 	err := sl.Start(acc)
 	require.NoError(t, err)
 	defer sl.Stop()
 
-	tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true)
+	tlsCfg, err := pki.TLSClientConfig().TLSConfig()
 	require.NoError(t, err)
 
 	secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg)
@@ -55,16 +54,15 @@ func TestSocketListener_unix_tls(t *testing.T) {
 
 	sl := newSocketListener()
 	sl.ServiceAddress = "unix:///tmp/telegraf_test.sock"
-	sl.TLSCert = "testdata/server.pem"
-	sl.TLSKey = "testdata/server.key"
-	sl.TLSAllowedCACerts = []string{"testdata/ca.pem"}
+	sl.ServerConfig = *pki.TLSServerConfig()
 
 	acc := &testutil.Accumulator{}
 	err := sl.Start(acc)
 	require.NoError(t, err)
 	defer sl.Stop()
 
-	tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true)
+	tlsCfg, err := pki.TLSClientConfig().TLSConfig()
+	tlsCfg.InsecureSkipVerify = true
 	require.NoError(t, err)
 
 	secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg)
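Review bot: In TestSocketListener_unix_tls the added line `tlsCfg.InsecureSkipVerify = true` dereferences `tlsCfg` before `require.NoError(t, err)` has checked the result of `pki.TLSClientConfig().TLSConfig()`, so a failure to load the test PKI surfaces as a nil-pointer panic rather than a readable assertion; move the assignment below the `require.NoError` line. The tcp test above now verifies the server certificate (the old `true` skip-verify argument is gone), which makes the unix test the only one that disables verification; a short comment such as `// no host name to verify against on a unix socket` would record why that is acceptable here. The test function bodies continue outside the hunk.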
diff --git a/plugins/inputs/socket_listener/testdata/ca.pem b/plugins/inputs/socket_listener/testdata/ca.pem
deleted file mode 100644
index d3b6d9a14..000000000
--- a/plugins/inputs/socket_listener/testdata/ca.pem
+++ /dev/null
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVTCCAz2gAwIBAgIJAOhLvwv6zUf+MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG -A1UECgwEVGVzdDAeFw0xODA0MTcwNDIwNDZaFw0yMTAyMDQwNDIwNDZaMEExCzAJ -BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN -MAsGA1UECgwEVGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKwE -Xy814CDH03G3Fg2/XSpYZXVMzwp6oq/bUe3iLhkOpA6C4+j07AxAAa22qEPlvYkb -W7oxVJiL0ih1od2FeAxvroBTmjG54j/Syb8OeQsZaJLNp1rRmwYGBIVi284ScaIc -dn+2bfmfpSLjK3SbU5XygtwIE3gh/B7x02UJRNJmJ1faRT2CfTeg/56xnTE4bcR5 -HRrlojoN5laJngowLWAEAvWljCR8oge+ciNYB3xoK8Hgc9+WgTy95G1RBCNkaFFI -73nrcHl6dGOH9UgIqfbHJYxNEarI3o/JAr8DIBS0W4r8r4aY4JQ4LoN3bg4mLHQq -THKkVW5hyBeWe47qmlL0m4F6/+mzVi95NAWG2BQDCZJAWJNc+PbSRHi81838m7ff -O4rixd/F53LUUas8/zVca3vtv+XjOHZzIQLIy1bM4MhzpHlRcSmS9kqxxZ3S70e3 -ZIWFdM0iRrtlBbJeoHIJRDpgPRYIWdRc6XotljTTi6/lN4Bj/0NK4E3iONcDsscN -kiqEHRAWZ4ptCqdVPgYR0S096Fx6OaC3ASODE0Cjb18ylZQRsQi8TiYSihGzuoio -wJwSLdIifDbbSUkjT1384cA/HsOjFQ9xHXYa6cQnAg3TUZyG1lAMJyFWYke+rxmG -srfL/EtIzgbzmEOC5anQjA2pdgUO9Pk2SinJaMApAgMBAAGjUDBOMB0GA1UdDgQW -BBQNJctDLjj8bVKNCYANaOcboPQnmzAfBgNVHSMEGDAWgBQNJctDLjj8bVKNCYAN -aOcboPQnmzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQATSr26Kc8g -3l2zuccoKWM57DQcgRmzSYwEOKA2jn3FWmrAdwozEIkLaTK0OXz0zh2dZxh9V3GR -w0WFCynbGNy/9s33MSi+zIWJOU/MZvt6zGE5CTcTgZ+u5IZyvSubMkPcwQi3Yvcg -AHmWzpF42kT2J5C5MfrSU65hrhPX7hT/CUoV3gN7oxFzj+/ED4kgNorO8SUUJCmq -DJNFbjgsD63EhnvAhn1AeM35GmKdl2enEKqcZsRkE4ZLpU7ibrThEm1aOQuJUtHk -gDAx49QMdQpWnxWxnfoiwpLu7ufR7ls8O9oA8ZJux/SVHEmtkOdRsuMtY5MElFZg -dANlQsdFWDko4ixaxFYzppuPNnRlqjGNnaEFJrNc2KR0Dxgmp28Yh2VyLd4r3fLT -nLVBYF8KzFchUdXYYPNBXwAf/N52jGfugDx8snLxOfzxoUZ4y64qMCpYhntGgBJ1 -Rrk2trcn3Dw19gi8p3ylbdoz/Ch1INDDrO35pd0bZpcwASc/UNU72W5v2kGL0H7o -nJzgtrqeHcoIzNBmBhHlMlnTF5GMfrYGsf5d30KyKv7UL6qJTvT641dpKpB/FFrk -y3AQbKmKRDI+aVzeOlwdy/eJAwt7FikD4bR9GZ4PBX9n9jd4u/PHZNfxtgzplqo1 -oy7kJv0cB/vRKOblmn/vPUfTFtAX7M3GkQ== ------END CERTIFICATE----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.key b/plugins/inputs/socket_listener/testdata/client.key deleted file mode 100644 index 285a27478..000000000 --- a/plugins/inputs/socket_listener/testdata/client.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAmRuY+9Gg5V4e9hCd2mYek1jKeoaZijz89EPvox78XzoGdxPf -RoukUcTVS9VWN7HyJBjRA9P+KuHI9dX47skxyxH53uXZvRmGQAJBY4cE07JHvGkZ -eK1heXoWlBzYtivckha7bLBfn1ttAzcFCblUfJdzsn9XDuC4Jfn4oSaKn1o8Rzy1 -KRvyLgvsYxMA/XzhyBzVMyoUOulye7EZx4f+AwSNmNHD4OgtxxPofrrMOtXZ2tC6 -xNOexIZXbsB9dyrUW+4pWXYaadU7fl2V+arAJj+NVxV+3tmGGjmd1MiIypPx6BbP -g7xH20nJ/Y0U6V7gklZpYO1i84RbtR/kqBgi9QIDAQABAoIBAEONJJM+KyHnw/tG -246HbcgO7c7fYhDW1bgj3S/4NNsC6+VP1Dv40nftQzphFtgd37rDZDyvJL3gvlyQ -mnMoO5rgBIGuocHH6C6HkDgMUznft7zOFhnjTVVeY2XX0FmXwoqGEw1iR940ZUV8 -2fEvXrJV1AsWGeALj9PZlTPsoE6rv5sUk9Lh3wCD73m7GSg7DzBRE+6bBze8Lmwn -ZzTvmimhgPJw8LR5rRpYbDbhAJLAfgA7/yPgYEPxA/ffry6Ba4epj8tVNUNOAcOf -PURF+uuIF7RceI2PkdvoNuQyVR5oxQUPUfidfVK5ClUmnHECSgb/FFnYC+nU2vSi -IAnmC6ECgYEAyrUFHyxxuIQAiinjBxa0OQ3ynvMxDnF/+zvWe8536Y61lz9dblKb -0xvFhpOEMfiG/zFdZdWJ+xdq7VQVNMHu4USoskG8sZs5zImMTu50kuDNln7xYqVf -SUuN1U7cp7JouI1qkZAOsytPfAgZN/83hLObd07lAvL44jKYaHVeMmkCgYEAwVxZ -wKXpboHwQawA+4ubsnZ36IlOk21/+FlGJiDg/LB643BS+QhgVNxuB2gL1gOCYkhl -6BBcIhWMvZOIIo5uwnv4fQ+WfFwntU9POFViZgbZvkitQtorB7MXc/NU2BDrNYx2 -TBCiRn/9BaZ4fziW8I3Fx3xQ3rKDBXrexmrJQq0CgYEAvYGQYT12r47Qxlo0gcsL -AA/3E/y9jwgzItglQ6eZ2ULup5C4s0wNm8Zp2s+Mlf8HjgpDi9Gf5ptU/r1N+f2Y -awd6QvRMCSraVUr+Xkh1uV7rNNhGqPd75pT460OH7EtRtb+XsrAf3gcOjyEvGnfC -GpCjNl4OobwvS6ELdRTM1IkCgYAHUGX4uo3k5zdeVJJI8ZP3ITIR8retLfQsQbw8 -jvvTsx1C4ynQT7fNHfVvhEkGVGWnMBPivlOt2mDTfvQkUnzwEF5q5J8NnzLFUfWu -LNSnBVVRNFCRec0s4mJduXOZJLKw+No0sGBjCE5a21wte8eB2+sCS7qHYftAxtAM -c1eflQKBgQDGTFsMvpM8BEPTreinTllFBdjeYchcdY/Ov9DZ3mMVopjAWRD81MKM -zM1RCqwLkgv9FvF79B1FLJ1Inr8e/XIGdcrhE1a4sZdIWdqTWQ4xFrlDgxCquq66 -da09WVBRdvq2kVLAMaBViH2/GP1G4ZV9a8+JHuWKj+Arrr52Qeazjw== ------END RSA PRIVATE KEY----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.pem b/plugins/inputs/socket_listener/testdata/client.pem deleted file mode 100644 index d741e6518..000000000 --- a/plugins/inputs/socket_listener/testdata/client.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT -30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp -GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8 -tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ -usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW -z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF -AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj -YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa -2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv -H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN -3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r -Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q -ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv -MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc -8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g -AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv -o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s= ------END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/server.key b/plugins/inputs/socket_listener/testdata/server.key deleted file mode 100644 index 4ad8e642f..000000000 --- a/plugins/inputs/socket_listener/testdata/server.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAzkEDLijGOqXNQPAqUjOz5TLuM28SENauknLtcfIyEN/N6PwZ -re5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7HQz8lAKniir2ZH+axkjp5LUE6vYJd -I1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLhN5waKR86jpQaNkfnI7/4U3yrlymK -yaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1urYyiRbju2iL9YmtSM72yWXvFsD1O -I4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U35xG597M031WmR5o67rc63sqs+Q// -V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQWVQIDAQABAoIBAHFxFJy41H7BXulO -rxhTU6jGoHktqBQW4CGwkKTRf3QEhK6WqlEd8Y5eKzZgL1q1HLPSehEyPCYCUjpT -EgxlhLeZ7XI1/mIs8iG3swconimj7Pj60Nt0dqq1njWRJYQsKua0Kw1m0B+rVKBy -+qKRxondlA32HTD6iIg+eAUTuzO/KzimZcyL9hiT/g6aN9k0H5+qURi8dO7VV8fD -zvP8Y+oOGLwW2ccp+ZjFQizjTOkL4lgldr0hsGQXZJNHL94fA7jPdAxAUbnTicMJ -oXM++L3eCwIVabipGxxlqCMj9Dn8yfbQvRGzP2e76QDeROYZHX4osH6vLcZEjx9i -tJ4J+ekCgYEA82kKzkSKmFo4gZxnqAywlfZ2X2PADuMmHdqdiDFwt54orlMlKf/b -wVSvN/djLXwvFHuyzFmJeMFSHKFkYVTOsh8kPSETAIGkcJEMHD3viYn7DwjkQudY -vB/FpBWSiDT0T7qDUCzW3iMbx/JvTUSp7uO4ZuwOu6t6v3PEZwIChQ8CgYEA2Ov9 -FXHmm7sS54HgvZd6Wk8zLMLIDnyMmECjtYOasJ9c40yQHpRlXsb+Dzn/2xhMMwth -Bln2hIiJ/e+G0bzFu4x0cItRPOQeRNyz5Pal8EsATeUwcX4KRKOZaUpDkV6XV1L0 -r/HSk/wed+90B74sGoJY1qsFflOATIUVs7SIllsCgYEAwhGSB/sl9WqZet1U1+um -LyqeHlfNnREGJu9Sgm/Iyt1S2gp4qw/QCkiWmyym6nEEqHQnjj4lGR4pdaJIAkI3 -ulSR9BsWp2S10voSicHn5eUZQld4hs8lNHiwf66jce2mjJrMb3QQrHOZhsWIcDa6 -tjjhoU28QWzrJRIMGYTEtYkCgYA17NSJlDsj06mra5oXB6Ue9jlekz1wfH3nC4qn -AQRfi/5ncw0QzQs2OHnIBz8XlD69IcMI9SxXXioPuo/la+wr54q6v6d+X6c2rzb5 -YGd4CO0WcDdOv2qGDbWBezi41q8AwlqZsqAKsc5ROnG5ywjjviufkfxXnyJx41O1 -zNd3qQKBgGEy+EwUXD5iGeQxdCDnd6iVu14SoBscHO5SpIeDu3DIhnu+7gPq2VMg -Vp9j/iNVtEA3HyYCOeXc2rz9Di1wwt3YijED4birLAkC5YW6YB9rmLMfCNc1EyLh -BKAkUQN3D+XCN4pXdbKvbkOcfYRUHoD+pPBjRYH020OtPBUc6Wkl ------END RSA PRIVATE KEY----- diff --git a/plugins/inputs/socket_listener/testdata/server.pem b/plugins/inputs/socket_listener/testdata/server.pem deleted file mode 100644 index 96cfa0b00..000000000 --- a/plugins/inputs/socket_listener/testdata/server.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEJjCCAg4CCQCmcronmMSqXDANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDAwWhcNNDUwOTAyMDQyNDAwWjBpMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJMTI3LjAuMC4x -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkEDLijGOqXNQPAqUjOz -5TLuM28SENauknLtcfIyEN/N6PwZre5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7H -Qz8lAKniir2ZH+axkjp5LUE6vYJdI1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLh -N5waKR86jpQaNkfnI7/4U3yrlymKyaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1u -rYyiRbju2iL9YmtSM72yWXvFsD1OI4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U3 -5xG597M031WmR5o67rc63sqs+Q//V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQW -VQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCVgzqFrehoRAMFLMEL8avfokYtsSYc -50Yug4Es0ISo/PRWGeUnv8k1inyE3Y1iR/gbN5n/yjLXJKEflan6BuqGuukfr2eA -fRdDCyPvzQLABdxCx2n6ByQFxj92z82tizf35R2OMuHHWzTckta+7s5EvxwIiUsd -rUuXp+0ltJzlYYW9xTGFiJO9hAbRgMgZiwL8F7ayic8GmLQ1eRK/DfKDCOH3afeX -MNN5FulgjqNyhXHF33vwgIJynGDg2JEhkWjB1DkUAxll0+SMQoYyVGZVrQSGbGw1 -JhOLc8C8bTzfK3qcJDuyldvjiut+To+lpu76R0u0+sn+wxQFL1uCWuAbMJgGsJgM -ARavu2XDeae9X+e8MgJuN1FYS3tihBplPjMJD3UYRybRvHAvQh26BZ7Ch3JNSNST -AL2l5T7JKU+XaWWeo+crV+AnGIJyqyh9Su/n97PEoZoEMGH4Kcl/n/w2Jms60+5s -K0FK2OGNL42ddUfQiVL9CwYQQo70hydjsIo1x8S6+tSFLMAAysQEToSjfAA6qxDu -fgGVMuIYHo0rSkpTVsHVwru08Z5o4m+XDAK0iHalZ4knKsO0lJ+9l7vFnQHlzwt7 -JTjDhnyOKWPIANeWf3PrHPWE7kKpFVBqFBzOvWLJuxDu5NlgLo1PFahsahTqB9bz -qwUyMg/oYWnwqw== ------END CERTIFICATE----- diff --git a/plugins/inputs/tomcat/README.md b/plugins/inputs/tomcat/README.md index 3baf68556..1399a3157 100644 --- a/plugins/inputs/tomcat/README.md +++ b/plugins/inputs/tomcat/README.md 
@@ -19,11 +19,11 @@ See the [Tomcat documentation](https://tomcat.apache.org/tomcat-9.0-doc/manager-
   ## Request timeout
   # timeout = "5s"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 ```
diff --git a/plugins/inputs/tomcat/tomcat.go b/plugins/inputs/tomcat/tomcat.go
index dd3c03ce3..40ae7de81 100644
--- a/plugins/inputs/tomcat/tomcat.go
+++ b/plugins/inputs/tomcat/tomcat.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -63,11 +64,7 @@ type Tomcat struct {
 	Username string
 	Password string
 	Timeout  internal.Duration
-
-	SSLCA              string `toml:"ssl_ca"`
-	SSLCert            string `toml:"ssl_cert"`
-	SSLKey             string `toml:"ssl_key"`
-	InsecureSkipVerify bool
+	tls.ClientConfig
 
 	client  *http.Client
 	request *http.Request
@@ -84,11 +81,11 @@ var sampleconfig = `
   ## Request timeout
   # timeout = "5s"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 `
@@ -191,8 +188,7 @@ func (s *Tomcat) Gather(acc telegraf.Accumulator) error {
 }
 
 func (s *Tomcat) createHttpClient() (*http.Client, error) {
-	tlsConfig, err := internal.GetTLSConfig(
-		s.SSLCert, s.SSLKey, s.SSLCA, s.InsecureSkipVerify)
+	tlsConfig, err := s.ClientConfig.TLSConfig()
 	if err != nil {
 		return nil, err
 	}
diff --git a/plugins/inputs/zookeeper/README.md b/plugins/inputs/zookeeper/README.md
index 99abbc227..d54caae44 100644
--- a/plugins/inputs/zookeeper/README.md
+++ b/plugins/inputs/zookeeper/README.md
@@ -18,11 +18,11 @@ The zookeeper plugin collects variables outputted from the 'mntr' command
   ## Timeout for metric collections from all servers. Minimum timeout is "1s".
   # timeout = "5s"
 
-  ## Optional SSL Config
+  ## Optional TLS Config
   # enable_ssl = true
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
   ## If false, skip chain & host verification
   # insecure_skip_verify = true
 ```
diff --git a/plugins/inputs/zookeeper/zookeeper.go b/plugins/inputs/zookeeper/zookeeper.go
index 1c60e368a..20e7aee01 100644
--- a/plugins/inputs/zookeeper/zookeeper.go
+++ b/plugins/inputs/zookeeper/zookeeper.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	tlsint "github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )
 
@@ -21,11 +22,9 @@ type Zookeeper struct {
 	Servers []string
 	Timeout internal.Duration
 
-	EnableSSL          bool   `toml:"enable_ssl"`
-	SSLCA              string `toml:"ssl_ca"`
-	SSLCert            string `toml:"ssl_cert"`
-	SSLKey             string `toml:"ssl_key"`
-	InsecureSkipVerify bool   `toml:"insecure_skip_verify"`
+	EnableTLS bool `toml:"enable_tls"`
+	EnableSSL bool `toml:"enable_ssl"` // deprecated in 1.7; use enable_tls
+	tlsint.ClientConfig
 
 	initialized bool
 	tlsConfig   *tls.Config
@@ -42,11 +41,11 @@ var sampleConfig = `
   ## Timeout for metric collections from all servers. Minimum timeout is "1s".
   # timeout = "5s"
 
-  ## Optional SSL Config
-  # enable_ssl = true
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
+  ## Optional TLS Config
+  # enable_tls = true
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
   ## If false, skip chain & host verification
   # insecure_skip_verify = true
 `
@@ -65,7 +64,7 @@ func (z *Zookeeper) Description() string {
 
 func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) {
 	var dialer net.Dialer
-	if z.EnableSSL {
+	if z.EnableTLS || z.EnableSSL {
 		deadline, ok := ctx.Deadline()
 		if ok {
 			dialer.Deadline = deadline
@@ -81,8 +80,7 @@ func (z *Zookeeper) Gather(acc telegraf.Accumulator) error {
 	ctx := context.Background()
 
 	if !z.initialized {
-		tlsConfig, err := internal.GetTLSConfig(
-			z.SSLCert, z.SSLKey, z.SSLCA, z.InsecureSkipVerify)
+		tlsConfig, err := z.ClientConfig.TLSConfig()
 		if err != nil {
 			return err
 		}
diff --git a/plugins/outputs/amqp/README.md b/plugins/outputs/amqp/README.md
index 834074436..ea17fe769 100644
--- a/plugins/outputs/amqp/README.md
+++ b/plugins/outputs/amqp/README.md
@@ -42,11 +42,11 @@ For an introduction to AMQP see:
   ## to 5s. 0s means no timeout (not recommended).
   # timeout = "5s"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## Data format to output.
diff --git a/plugins/outputs/amqp/amqp.go b/plugins/outputs/amqp/amqp.go
index fed1edfe4..f2bfb7ac7 100644
--- a/plugins/outputs/amqp/amqp.go
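Review bot: The zookeeper sample config keeps the context lines `## If false, skip chain & host verification` and `# insecure_skip_verify = true`, which read as if `false` disables verification and present `true` as the example value; the option's name and every other plugin in this change mean the opposite, and showing `true` nudges users toward running without certificate verification. Suggest replacing those two lines with `## Use TLS but skip chain & host verification` and `# insecure_skip_verify = false`, matching the wording used elsewhere in this change; the zookeeper README hunk on this page carries the same inverted text. The README hunk also still shows `# enable_ssl = true` where this sample switched to `enable_tls`, so the README documents only the alias the struct hunk marks deprecated.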
+++ b/plugins/outputs/amqp/amqp.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/internal"
+	"github.com/influxdata/telegraf/internal/tls"
 	"github.com/influxdata/telegraf/plugins/outputs"
 	"github.com/influxdata/telegraf/plugins/serializers"
 
@@ -43,14 +44,7 @@ type AMQP struct {
 	// Valid options are "transient" and "persistent". default: "transient"
 	DeliveryMode string
 
-	// Path to CA file
-	SSLCA string `toml:"ssl_ca"`
-	// Path to host cert file
-	SSLCert string `toml:"ssl_cert"`
-	// Path to cert key file
-	SSLKey string `toml:"ssl_key"`
-	// Use SSL but skip chain & host verification
-	InsecureSkipVerify bool
+	tls.ClientConfig
 
 	sync.Mutex
 	c *client
@@ -99,11 +93,11 @@ var sampleConfig = `
   ## to 5s. 0s means no timeout (not recommended).
   # timeout = "5s"
 
-  ## Optional SSL Config
-  # ssl_ca = "/etc/telegraf/ca.pem"
-  # ssl_cert = "/etc/telegraf/cert.pem"
-  # ssl_key = "/etc/telegraf/key.pem"
-  ## Use SSL but skip chain & host verification
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
   # insecure_skip_verify = false
 
   ## Data format to output.
@@ -137,8 +131,7 @@ func (q *AMQP) Connect() error {
 	var connection *amqp.Connection
 
 	// make new tls config
-	tls, err := internal.GetTLSConfig(
-		q.SSLCert, q.SSLKey, q.SSLCA, q.InsecureSkipVerify)
+	tls, err := q.ClientConfig.TLSConfig()
 	if err != nil {
 		return err
 	}
diff --git a/plugins/outputs/elasticsearch/README.md b/plugins/outputs/elasticsearch/README.md
index b0d2e6f9b..11f3c1385 100644
--- a/plugins/outputs/elasticsearch/README.md
+++ b/plugins/outputs/elasticsearch/README.md
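Review bot: `tls, err := q.ClientConfig.TLSConfig()` declares a local named `tls` in a file that, as of the import hunk above, imports the `internal/tls` package under that same name; from this line to the end of Connect the identifier refers to the `*tls.Config` value, so any later use of the package in this function would not compile and readers have to track which `tls` is meant. Rename the local, e.g. `tlsCfg, err := q.ClientConfig.TLSConfig()`, as the other plugins in this change do, and update its uses further down. Connect's body continues outside the hunk.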
@@ -180,11 +180,11 @@ This plugin will format the events in the following way: # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -230,4 +230,4 @@ Integer values collected that are bigger than 2^63 and smaller than 1e21 (or in The correct field mapping will be created on the telegraf index as soon as a supported JSON value is received by Elasticsearch, and subsequent insertions will work because the field mapping will already exist. -This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. \ No newline at end of file +This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. diff --git a/plugins/outputs/elasticsearch/elasticsearch.go b/plugins/outputs/elasticsearch/elasticsearch.go index 326def1d1..56169135a 100644 --- a/plugins/outputs/elasticsearch/elasticsearch.go +++ b/plugins/outputs/elasticsearch/elasticsearch.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "gopkg.in/olivere/elastic.v5" ) 
@@ -28,11 +29,9 @@ type Elasticsearch struct { ManageTemplate bool TemplateName string OverwriteTemplate bool - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification - Client *elastic.Client + tls.ClientConfig + + Client *elastic.Client } var sampleConfig = ` @@ -69,11 +68,11 @@ var sampleConfig = ` # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -96,7 +95,7 @@ func (a *Elasticsearch) Connect() error { var clientOptions []elastic.ClientOptionFunc - tlsCfg, err := internal.GetTLSConfig(a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tlsCfg, err := a.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/graphite/README.md b/plugins/outputs/graphite/README.md index 1b173962f..216c09ca0 100644 --- a/plugins/outputs/graphite/README.md +++ b/plugins/outputs/graphite/README.md 
@@ -20,42 +20,10 @@ via raw TCP. ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` - -Parameters: - - Servers []string - Prefix string - Timeout int - Template string - - // Path to CA file - SSLCA string - // Path to host cert file - SSLCert string - // Path to cert key file - SSLKey string - // Skip SSL verification - InsecureSkipVerify bool - -### Required parameters: - -* `servers`: List of strings, ["mygraphiteserver:2003"]. -* `prefix`: String use to prefix all sent metrics. -* `timeout`: Connection timeout in seconds. -* `template`: Template for graphite output format, see -https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md -for more details. - -### Optional parameters: - -* `ssl_ca`: SSL CA -* `ssl_cert`: SSL CERT -* `ssl_key`: SSL key -* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) diff --git a/plugins/outputs/graphite/graphite.go b/plugins/outputs/graphite/graphite.go index 7bad4be07..4346c50d8 100644 --- a/plugins/outputs/graphite/graphite.go +++ b/plugins/outputs/graphite/graphite.go @@ -10,7 +10,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) 
@@ -22,18 +22,7 @@ type Graphite struct { Template string Timeout int conns []net.Conn - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Skip SSL verification - InsecureSkipVerify bool - - // tls config - tlsConfig *tls.Config + tlsint.ClientConfig } var sampleConfig = ` @@ -49,11 +38,11 @@ var sampleConfig = ` ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -67,9 +56,7 @@ func (g *Graphite) Connect() error { } // Set tls config - var err error - g.tlsConfig, err = internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsConfig, err := g.ClientConfig.TLSConfig() if err != nil { return err } @@ -82,8 +69,8 @@ func (g *Graphite) Connect() error { // Get secure connection if tls config is set var conn net.Conn - if g.tlsConfig != nil { - conn, err = tls.DialWithDialer(&d, "tcp", server, g.tlsConfig) + if tlsConfig != nil { + conn, err = tls.DialWithDialer(&d, "tcp", server, tlsConfig) } else { conn, err = d.Dial("tcp", server) } diff --git a/plugins/outputs/influxdb/README.md b/plugins/outputs/influxdb/README.md index 74f33748d..aed96e463 100644 --- a/plugins/outputs/influxdb/README.md +++ b/plugins/outputs/influxdb/README.md 
@@ -44,11 +44,11 @@ This InfluxDB output plugin writes metrics to the [InfluxDB](https://github.com/ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment diff --git a/plugins/outputs/influxdb/influxdb.go b/plugins/outputs/influxdb/influxdb.go index d34e9e3e8..f80722bc3 100644 --- a/plugins/outputs/influxdb/influxdb.go +++ b/plugins/outputs/influxdb/influxdb.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers/influx" ) @@ -46,15 +47,7 @@ type InfluxDB struct { ContentEncoding string `toml:"content_encoding"` SkipDatabaseCreation bool `toml:"skip_database_creation"` InfluxUintSupport bool `toml:"influx_uint_support"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Precision string // precision deprecated in 1.0; value is ignored 
@@ -104,11 +97,11 @@ var sampleConfig = ` ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -245,8 +238,7 @@ func (i *InfluxDB) udpClient(url *url.URL) (Client, error) { } func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) { - tlsConfig, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsConfig, err := i.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/influxdb/influxdb_test.go b/plugins/outputs/influxdb/influxdb_test.go index eeef97618..3ec10989e 100644 --- a/plugins/outputs/influxdb/influxdb_test.go +++ b/plugins/outputs/influxdb/influxdb_test.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/metric" "github.com/influxdata/telegraf/plugins/outputs/influxdb" "github.com/stretchr/testify/require" @@ -104,8 +105,10 @@ func TestConnectHTTPConfig(t *testing.T) { HTTPHeaders: map[string]string{ "x": "y", }, - ContentEncoding: "gzip", - InsecureSkipVerify: true, + ContentEncoding: "gzip", + ClientConfig: tls.ClientConfig{ + InsecureSkipVerify: true, + }, CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) { actual = config diff --git a/plugins/outputs/kafka/README.md b/plugins/outputs/kafka/README.md index 93182ba08..196e2e914 100644 
--- a/plugins/outputs/kafka/README.md +++ b/plugins/outputs/kafka/README.md @@ -68,11 +68,11 @@ This plugin writes to a [Kafka Broker](http://kafka.apache.org/07/quickstart.htm ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/outputs/kafka/kafka.go b/plugins/outputs/kafka/kafka.go index 8094d4334..716e06c44 100644 --- a/plugins/outputs/kafka/kafka.go +++ b/plugins/outputs/kafka/kafka.go @@ -6,7 +6,7 @@ import ( "strings" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -36,7 +36,7 @@ type ( // MaxRetry Tag MaxRetry int - // Legacy SSL config options + // Legacy TLS config options // TLS client certificate Certificate string // TLS client key @@ -44,15 +44,7 @@ type ( // TLS certificate authority CA string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - - // Skip SSL verification - InsecureSkipVerify bool + tlsint.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` 
@@ -135,11 +127,11 @@ var sampleConfig = ` ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config @@ -201,13 +193,12 @@ func (k *Kafka) Connect() error { // Legacy support ssl config if k.Certificate != "" { - k.SSLCert = k.Certificate - k.SSLCA = k.CA - k.SSLKey = k.Key + k.TLSCert = k.Certificate + k.TLSCA = k.CA + k.TLSKey = k.Key } - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/mqtt/README.md b/plugins/outputs/mqtt/README.md index 21987c30c..53483d967 100644 --- a/plugins/outputs/mqtt/README.md +++ b/plugins/outputs/mqtt/README.md @@ -22,12 +22,12 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt ## Timeout for write operations. default: 5s # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. 
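Review bot: The legacy block in the `Connect` hunk is still keyed only on `k.Certificate`, so a configuration that sets just the legacy `ca` (server verification without a client certificate) silently loses its CA and the resulting `TLSConfig()` falls back to system roots; it also overwrites any `tls_*` values without notice. Widening the guard to `if k.Certificate != "" || k.CA != "" || k.Key != ""` would carry all three legacy values across, and a one-line deprecation log in that branch would tell operators to migrate to the `tls_*` keys. `Connect` begins before this hunk, so I cannot see whether a deprecation message already exists elsewhere in it.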
@@ -45,8 +45,8 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt * `password`: The password to connect MQTT server. * `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated. * `timeout`: Timeout for write operations. default: 5s -* `ssl_ca`: SSL CA -* `ssl_cert`: SSL CERT -* `ssl_key`: SSL key -* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) +* `tls_ca`: TLS CA +* `tls_cert`: TLS CERT +* `tls_key`: TLS key +* `insecure_skip_verify`: Use TLS but skip chain & host verification (default: false) * `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md) diff --git a/plugins/outputs/mqtt/mqtt.go b/plugins/outputs/mqtt/mqtt.go index eea7b6088..1c700332e 100644 --- a/plugins/outputs/mqtt/mqtt.go +++ b/plugins/outputs/mqtt/mqtt.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -32,11 +33,11 @@ var sampleConfig = ` ## client ID, if not set a random ID is generated # client_id = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. 
@@ -55,15 +56,7 @@ type MQTT struct { TopicPrefix string QoS int `toml:"qos"` ClientID string `toml:"client_id"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client paho.Client opts *paho.ClientOptions @@ -174,8 +167,7 @@ func (m *MQTT) createOpts() (*paho.ClientOptions, error) { opts.SetClientID("Telegraf-Output-" + internal.RandomString(5)) } - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/nats/nats.go b/plugins/outputs/nats/nats.go index d97c4688d..a664bc1bb 100644 --- a/plugins/outputs/nats/nats.go +++ b/plugins/outputs/nats/nats.go @@ -6,7 +6,7 @@ import ( nats_client "github.com/nats-io/nats" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) @@ -19,15 +19,7 @@ type NATS struct { Password string // NATS subject to publish metrics to Subject string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig conn *nats_client.Conn serializer serializers.Serializer 
@@ -42,11 +34,11 @@ var sampleConfig = ` ## NATS subject for producer messages subject = "telegraf" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. @@ -79,8 +71,7 @@ func (n *NATS) Connect() error { } // override TLS, if it was specified - tlsConfig, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsConfig, err := n.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/socket_writer/README.md b/plugins/outputs/socket_writer/README.md index 8e28c5f88..149cda2a6 100644 --- a/plugins/outputs/socket_writer/README.md +++ b/plugins/outputs/socket_writer/README.md @@ -19,11 +19,11 @@ It can output data in any of the [supported output formats](https://github.com/i # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index 382aad266..7c4660bc8 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go 
@@ -10,17 +10,15 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) type SocketWriter struct { - Address string - KeepAlivePeriod *internal.Duration - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool + Address string + KeepAlivePeriod *internal.Duration + tlsint.ClientConfig serializers.Serializer @@ -45,11 +43,11 @@ func (sw *SocketWriter) SampleConfig() string { # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. @@ -76,7 +74,7 @@ func (sw *SocketWriter) Connect() error { return fmt.Errorf("invalid address: %s", sw.Address) } - tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + tlsCfg, err := sw.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/testutil/pki/cacert.pem b/testutil/pki/cacert.pem new file mode 100644 index 000000000..b0a47334e --- /dev/null +++ b/testutil/pki/cacert.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV +BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw +NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR +rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/ +X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID +AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF +AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK +Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ +C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw== +-----END CERTIFICATE----- diff --git a/testutil/pki/cakey.pem b/testutil/pki/cakey.pem new file mode 100644 index 000000000..3606c89be --- /dev/null +++ b/testutil/pki/cakey.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60 +1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr +JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA +r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V +hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD +CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564 +yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga +YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl +LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5 +gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm +tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj +7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw ++WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh +WyxmGkbTDelSG20= +-----END PRIVATE KEY----- diff --git a/testutil/pki/clientcert.pem b/testutil/pki/clientcert.pem new file mode 100644 index 000000000..9e5b60807 --- /dev/null +++ b/testutil/pki/clientcert.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl +Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb +MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR +WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9 +CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw +STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH +BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0 +L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG +HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw +uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E= +-----END CERTIFICATE----- diff --git a/testutil/pki/clientkey.pem b/testutil/pki/clientkey.pem new file mode 100644 index 000000000..cc11e20ea --- /dev/null +++ b/testutil/pki/clientkey.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI +E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX +ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB +AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC +yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+ +ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F +Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo +wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD +dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL +fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ +POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx +k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG +uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w= +-----END RSA PRIVATE KEY----- diff --git a/testutil/pki/servercert.pem b/testutil/pki/servercert.pem new file mode 100644 index 000000000..886219517 --- /dev/null 
+++ b/testutil/pki/servercert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl +Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb +MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D +L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij +ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw +STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E +BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM +ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP +JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L +Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY= +-----END CERTIFICATE----- diff --git a/testutil/pki/serverkey.pem b/testutil/pki/serverkey.pem new file mode 100644 index 000000000..363f5d9af --- /dev/null +++ b/testutil/pki/serverkey.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37 +uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y +j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB +AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl +9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O +hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ +6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4 +4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8 +fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt +2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi +7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ +Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs +pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue +-----END RSA PRIVATE KEY----- 
diff --git a/scripts/tls-certs.sh b/testutil/pki/tls-certs.sh similarity index 81% rename from scripts/tls-certs.sh rename to testutil/pki/tls-certs.sh index b37d6541a..55075df4b 100644 --- a/scripts/tls-certs.sh +++ b/testutil/pki/tls-certs.sh 
@@ -46,21 +46,31 @@ keyUsage = keyCertSign, cRLSign [ client_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature +subjectAltName = @client_alt_names extendedKeyUsage = 1.3.6.1.5.5.7.3.2 +[ client_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 + [ server_ca_extensions ] basicConstraints = CA:false -keyUsage = keyEncipherment +subjectAltName = @server_alt_names +keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = 1.3.6.1.5.5.7.3.1 + +[ server_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 EOF -openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes && +openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes && # Create server keypair openssl genrsa -out ./private/serverkey.pem 1024 && -openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" && +openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" && openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions && # Create client keypair openssl genrsa -out ./private/clientkey.pem 1024 && -openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" && +openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" && openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions diff --git a/testutil/tls.go b/testutil/tls.go new file mode 100644 index 000000000..4f7fc012a --- /dev/null +++ b/testutil/tls.go 
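Review bot: The generated material is now committed as fixtures under testutil/pki, but the script that produces it still bakes in `-days 3650` and `rsa:1024` / `genrsa ... 1024` with nothing recording that the fixtures have a fixed lifetime or that the key size is a test-only choice. A comment next to the `openssl req -x509` line, e.g. `# Test-only PKI: 1024-bit keys for speed, 3650-day validity; regenerate the files in testutil/pki before they expire`, would stop a future reader from treating these parameters as a template for real deployments and would make the eventual fixture expiry discoverable. The script's header is outside this hunk, so a top-of-file note may be the better place if one already exists.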
@@ -0,0 +1,86 @@
+package testutil
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path"
+
+ "github.com/influxdata/telegraf/internal/tls"
+)
+
+type pki struct {
+ path string
+}
+
+func NewPKI(path string) *pki {
+ return &pki{path: path}
+}
+
+func (p *pki) TLSClientConfig() *tls.ClientConfig {
+ return &tls.ClientConfig{
+ TLSCA: p.CACertPath(),
+ TLSCert: p.ClientCertPath(),
+ TLSKey: p.ClientKeyPath(),
+ }
+}
+
+func (p *pki) TLSServerConfig() *tls.ServerConfig {
+ return &tls.ServerConfig{
+ TLSAllowedCACerts: []string{p.CACertPath()},
+ TLSCert: p.ServerCertPath(),
+ TLSKey: p.ServerKeyPath(),
+ }
+}
+
+func (p *pki) ReadCACert() string {
+ return readCertificate(p.CACertPath())
+}
+
+func (p *pki) CACertPath() string {
+ return path.Join(p.path, "cacert.pem")
+}
+
+func (p *pki) ReadClientCert() string {
+ return readCertificate(p.ClientCertPath())
+}
+
+func (p *pki) ClientCertPath() string {
+ return path.Join(p.path, "clientcert.pem")
+}
+
+func (p *pki) ReadClientKey() string {
+ return readCertificate(p.ClientKeyPath())
+}
+
+func (p *pki) ClientKeyPath() string {
+ return path.Join(p.path, "clientkey.pem")
+}
+
+func (p *pki) ReadServerCert() string {
+ return readCertificate(p.ServerCertPath())
+}
+
+func (p *pki) ServerCertPath() string {
+ return path.Join(p.path, "servercert.pem")
+}
+
+func (p *pki) ReadServerKey() string {
+ return readCertificate(p.ServerKeyPath())
+}
+
+func (p *pki) ServerKeyPath() string {
+ return path.Join(p.path, "serverkey.pem")
+}
+
+func readCertificate(filename string) string {
+ file, err := os.Open(filename)
+ if err != nil {
+ panic(fmt.Sprintf("opening %q: %v", filename, err))
+ }
+ octets, err := ioutil.ReadAll(file)
+ if err != nil {
+ panic(fmt.Sprintf("reading %q: %v", filename, err))
+ }
+ return string(octets)
+}
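Review bot: `readCertificate` opens the file with `os.Open` and never closes it, so every `Read*` call in this helper leaks a descriptor for the life of the test process; replacing the open/`ReadAll` pair with `octets, err := ioutil.ReadFile(filename)` (and dropping the `os` import) fixes that in one line and keeps the panic-on-error contract. Two smaller points in the same file: the `*Path()` methods build paths with `path.Join`, which is for slash-separated names, where `filepath.Join` is the OS-correct choice for files on disk; and `NewPKI` is exported but returns the unexported `*pki`, so callers in other packages cannot name the type they receive. A doc comment on `NewPKI` stating that the returned helper resolves the fixed fixture names (`cacert.pem`, `clientcert.pem`, …) under the given directory would also help readers of the tests that use it.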