Add tls options to docker input (#3063)

plugins/inputs/docker/README.md

@@ -1,15 +1,11 @@
 # Docker Input Plugin
 
-The docker plugin uses the docker remote API to gather metrics on running
-docker containers. You can read Docker's documentation for their remote API
-[here](https://docs.docker.com/engine/reference/api/docker_remote_api_v1.20/#get-container-stats-based-on-resource-usage)
+The docker plugin uses the Docker Engine API to gather metrics on running
+docker containers.
 
-The docker plugin uses the excellent
-[docker engine-api](https://github.com/docker/engine-api) library to
-gather stats. Documentation for the library can be found
-[here](https://godoc.org/github.com/docker/engine-api) and documentation
-for the stat structure can be found
-[here](https://godoc.org/github.com/docker/engine-api/types#Stats)
+The docker plugin uses the [Official Docker Client](https://github.com/moby/moby/tree/master/client)
+to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.20/).
+[Library Documentation](https://godoc.org/github.com/moby/moby/client)
 
 ### Configuration:
 
@@ -47,7 +43,7 @@ for the stat structure can be found
   ## Note that an empty array for both will include all labels as tags
   docker_label_include = []
   docker_label_exclude = []
-  
+
   ## Which environment variables should we use as a tag
   tag_env = ["JAVA_HOME", "HEAP_SIZE"]
 
@@ -59,6 +55,11 @@ for the stat structure can be found
   # insecure_skip_verify = false
 ```
 
+#### Environment Configuration
+
+When using the `"ENV"` endpoint, the connection is configured using the
+[cli Docker environment variables](https://godoc.org/github.com/moby/moby/client#NewEnvClient).
+
 ### Measurements & Fields:
 
 Every effort was made to preserve the names based on the JSON response from the

plugins/inputs/docker/client.go

@@ -2,9 +2,12 @@ package docker
 
 import (
 	"context"
+	"crypto/tls"
+	"net/http"
 
 	"github.com/docker/docker/api/types"
 	docker "github.com/docker/docker/client"
+	"github.com/docker/go-connections/sockets"
 )
 
 var (
@@ -27,8 +30,19 @@ func NewEnvClient() (Client, error) {
 	return &SocketClient{client}, nil
 }
 
-func NewClient(host string) (Client, error) {
-	client, err := docker.NewClient(host, version, nil, defaultHeaders)
+func NewClient(host string, tlsConfig *tls.Config) (Client, error) {
+	proto, addr, _, err := docker.ParseHost(host)
+	if err != nil {
+		return nil, err
+	}
+
+	transport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+	sockets.ConfigureTransport(transport, proto, addr)
+	httpClient := &http.Client{Transport: transport}
+
+	client, err := docker.NewClient(host, version, httpClient, defaultHeaders)
 	if err != nil {
 		return nil, err
 	}

plugins/inputs/docker/docker.go

@@ -2,9 +2,11 @@ package docker
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
+	"net/http"
 	"regexp"
 	"strconv"
 	"strings"
@@ -45,10 +47,16 @@ type Docker struct {
 	ContainerExclude []string `toml:"container_name_exclude"`
 	ContainerFilter  DockerContainerFilter
 
+	SSLCA              string `toml:"ssl_ca"`
+	SSLCert            string `toml:"ssl_cert"`
+	SSLKey             string `toml:"ssl_key"`
+	InsecureSkipVerify bool
+
 	newEnvClient func() (Client, error)
-	newClient    func(host string) (Client, error)
+	newClient    func(string, *tls.Config) (Client, error)
 
 	client         Client
+	httpClient     *http.Client
 	engine_host    string
 	filtersCreated bool
 }
@@ -60,6 +68,8 @@ const (
 	GB = 1000 * MB
 	TB = 1000 * GB
 	PB = 1000 * TB
+
+	defaultEndpoint = "unix:///var/run/docker.sock"
 )
 
 var (
@@ -95,6 +105,13 @@ var sampleConfig = `
   ## Note that an empty array for both will include all labels as tags
   docker_label_include = []
   docker_label_exclude = []
+
+  ## Optional SSL Config
+  # ssl_ca = "/etc/telegraf/ca.pem"
+  # ssl_cert = "/etc/telegraf/cert.pem"
+  # ssl_key = "/etc/telegraf/key.pem"
+  ## Use SSL but skip chain & host verification
+  # insecure_skip_verify = false
 `
 
 func (d *Docker) Description() string {
@@ -109,19 +126,17 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error {
 		var err error
 		if d.Endpoint == "ENV" {
 			c, err = d.newEnvClient()
-			if err != nil {
-				return err
-			}
-		} else if d.Endpoint == "" {
-			c, err = d.newClient("unix:///var/run/docker.sock")
-			if err != nil {
-				return err
-			}
 		} else {
-			c, err = d.newClient(d.Endpoint)
+			tlsConfig, err := internal.GetTLSConfig(
+				d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify)
 			if err != nil {
 				return err
 			}
+
+			c, err = d.newClient(d.Endpoint, tlsConfig)
+		}
+		if err != nil {
+			return err
 		}
 		d.client = c
 	}
@@ -699,6 +714,7 @@ func init() {
 		return &Docker{
 			PerDevice:      true,
 			Timeout:        internal.Duration{Duration: time.Second * 5},
+			Endpoint:       defaultEndpoint,
 			newEnvClient:   NewEnvClient,
 			newClient:      NewClient,
 			filtersCreated: false,

plugins/inputs/docker/docker_test.go

@@ -2,6 +2,7 @@ package docker
 
 import (
 	"context"
+	"crypto/tls"
 	"testing"
 
 	"github.com/influxdata/telegraf/testutil"
@@ -43,7 +44,7 @@ func (c *MockClient) ContainerInspect(
 	return c.ContainerInspectF(ctx, containerID)
 }
 
-func newClient(host string) (Client, error) {
+func newClient(host string, tlsConfig *tls.Config) (Client, error) {
 	return &MockClient{
 		InfoF: func(context.Context) (types.Info, error) {
 			return info, nil
@@ -212,7 +213,7 @@ func TestDocker_WindowsMemoryContainerStats(t *testing.T) {
 	var acc testutil.Accumulator
 
 	d := Docker{
-		newClient: func(string) (Client, error) {
+		newClient: func(string, *tls.Config) (Client, error) {
 			return &MockClient{
 				InfoF: func(ctx context.Context) (types.Info, error) {
 					return info, nil