Skip to content

Commit

Permalink
Clean up TLS configuration in prometheus_client output plugin
Browse files Browse the repository at this point in the history
Signed-off-by: Jesse Weaver <jeweaver@pivotal.io>
  • Loading branch information
robertjsullivan authored and bitcharmer committed Oct 18, 2019
1 parent 4b41f09 commit 9cb362a
Show file tree
Hide file tree
Showing 4 changed files with 17 additions and 99 deletions.
2 changes: 0 additions & 2 deletions plugins/outputs/prometheus_client/.gitignore

This file was deleted.

56 changes: 11 additions & 45 deletions plugins/outputs/prometheus_client/prometheus_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,7 @@ package prometheus_client
import (
"context"
"crypto/subtle"
cryptotls "crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net"
"net/http"
Expand Down Expand Up @@ -69,7 +66,8 @@ type PrometheusClient struct {
StringAsLabel bool `toml:"string_as_label"`
ExportTimestamp bool `toml:"export_timestamp"`

tls.ClientConfig
tls.ServerConfig

server *http.Server

sync.Mutex
Expand Down Expand Up @@ -193,24 +191,20 @@ func (p *PrometheusClient) Connect() error {
mux.Handle(p.Path, p.auth(promhttp.HandlerFor(
registry, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError})))

if p.TLSCA != "" {
log.Printf("Starting Prometheus Output Plugin Server with Mutual TLS enabled.\n")
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
TLSConfig: p.buildMutualTLSConfig(),
}
} else {
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
}
tlsConfig, err := p.TLSConfig()
if err != nil {
return err
}
p.server = &http.Server{
Addr: p.Listen,
Handler: mux,
TLSConfig: tlsConfig,
}

go func() {
var err error
if p.TLSCert != "" && p.TLSKey != "" {
err = p.server.ListenAndServeTLS(p.TLSCert, p.TLSKey)
err = p.server.ListenAndServeTLS("", "")
} else {
err = p.server.ListenAndServe()
}
Expand All @@ -223,34 +217,6 @@ func (p *PrometheusClient) Connect() error {
return nil
}

func (p *PrometheusClient) buildMutualTLSConfig() *cryptotls.Config {
certPool := x509.NewCertPool()
caCert, err := ioutil.ReadFile(p.TLSCA)
if err != nil {
log.Printf("failed to read client ca cert: %s", err.Error())
panic(err)
}
ok := certPool.AppendCertsFromPEM(caCert)
if !ok {
log.Printf("failed to append client certs: %s", err.Error())
panic(err)
}

clientAuth := cryptotls.RequireAndVerifyClientCert
if p.InsecureSkipVerify {
clientAuth = cryptotls.RequestClientCert
}

return &cryptotls.Config{
ClientAuth: clientAuth,
ClientCAs: certPool,
MinVersion: cryptotls.VersionTLS12,
CipherSuites: []uint16{cryptotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cryptotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
PreferServerCipherSuites: true,
InsecureSkipVerify: p.InsecureSkipVerify,
}
}

func (p *PrometheusClient) Close() error {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel()
Expand Down
41 changes: 6 additions & 35 deletions plugins/outputs/prometheus_client/prometheus_client_tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,28 +2,23 @@ package prometheus_client_test

import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/influxdata/telegraf/plugins/outputs/prometheus_client"
"github.com/influxdata/telegraf/testutil"
"github.com/influxdata/toml"
. "github.com/onsi/gomega"
"io/ioutil"
"net/http"
"os/exec"
"path/filepath"
"testing"
)

var ca, _ = filepath.Abs("assets/telegrafCA.crt")
var cert, _ = filepath.Abs("assets/telegraf.crt")
var key, _ = filepath.Abs("assets/telegraf.key")
var pki = testutil.NewPKI("../../../testutil/pki")

var configWithTLS = fmt.Sprintf(`
listen = "127.0.0.1:9090"
tls_ca = "%s"
tls_allowed_cacerts = ["%s"]
tls_cert = "%s"
tls_key = "%s"
`, ca, cert, key)
`, pki.TLSServerConfig().TLSAllowedCACerts[0], pki.TLSServerConfig().TLSCert, pki.TLSServerConfig().TLSKey)

var configWithoutTLS = `
listen = "127.0.0.1:9090"
Expand All @@ -37,14 +32,6 @@ type PrometheusClientTestContext struct {
*GomegaWithT
}

func init() {
path, _ := filepath.Abs("./scripts/generate_certs.sh")
_, err := exec.Command(path).CombinedOutput()
if err != nil {
panic(err)
}
}

func TestWorksWithoutTLS(t *testing.T) {
tc := buildTestContext(t, []byte(configWithoutTLS))
err := tc.Output.Connect()
Expand Down Expand Up @@ -114,7 +101,7 @@ func buildTestContext(t *testing.T, config []byte) *PrometheusClientTestContext
httpClient *http.Client
)

if output.TLSCA != "" {
if len(output.TLSAllowedCACerts) != 0 {
httpClient = buildClientWithTLS(output)
} else {
httpClient = buildClientWithoutTLS()
Expand All @@ -133,26 +120,10 @@ func buildClientWithoutTLS() *http.Client {
}

func buildClientWithTLS(output *prometheus_client.PrometheusClient) *http.Client {
cert, err := tls.LoadX509KeyPair(output.TLSCert, output.TLSKey)
tlsConfig, err := pki.TLSClientConfig().TLSConfig()
if err != nil {
panic(err)
}

caCert, err := ioutil.ReadFile(output.TLSCA)
if err != nil {
panic(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
ServerName: "telegraf",
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
return &http.Client{Transport: transport}
}
17 changes: 0 additions & 17 deletions plugins/outputs/prometheus_client/scripts/generate_certs.sh

This file was deleted.

0 comments on commit 9cb362a

Please sign in to comment.