From 7b5ef94b0184544cebfa67bd950a9eaf0784ce48 Mon Sep 17 00:00:00 2001 From: Sven Rebhan Date: Fri, 24 Nov 2023 12:32:51 +0100 Subject: [PATCH 1/4] fix(outputs.opensearch): Expose TLS setting correctly --- plugins/outputs/opensearch/README.md | 16 +++++++++--- plugins/outputs/opensearch/opensearch.go | 32 ++++++++++++------------ plugins/outputs/opensearch/sample.conf | 16 +++++++++--- 3 files changed, 40 insertions(+), 24 deletions(-) diff --git a/plugins/outputs/opensearch/README.md b/plugins/outputs/opensearch/README.md index 5572b3ae30dba..f4219d08476ae 100644 --- a/plugins/outputs/opensearch/README.md +++ b/plugins/outputs/opensearch/README.md @@ -30,7 +30,7 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details. ## Target index name for metrics (OpenSearch will create if it not exists). ## This is a Golang template (see https://pkg.go.dev/text/template) ## You can also specify - ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) + ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) ## If the tag does not exist, the default tag value will be empty string "". ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`). ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName 
@@ -63,9 +63,17 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details. # auth_bearer_token = "" ## Optional TLS Config - # tls_ca = "/etc/telegraf/ca.pem" - # tls_cert = "/etc/telegraf/cert.pem" - # tls_key = "/etc/telegraf/key.pem" + ## Set to true/false to enforce TLS being enabled/disabled. If not set, + ## enable TLS only if any of the other options are specified. + # tls_enable = + ## Trusted root certificates for server + # tls_ca = "/path/to/cafile" + ## Used for TLS client certificate authentication + # tls_cert = "/path/to/certfile" + ## Used for TLS client certificate authentication + # tls_key = "/path/to/keyfile" + ## Send the specified TLS server name via SNI + # tls_server_name = "kubernetes.example.com" ## Use TLS but skip chain & host verification # insecure_skip_verify = false diff --git a/plugins/outputs/opensearch/opensearch.go b/plugins/outputs/opensearch/opensearch.go index 1abc997485912..2a3c8dfae8b03 100644 --- a/plugins/outputs/opensearch/opensearch.go +++ b/plugins/outputs/opensearch/opensearch.go @@ -5,7 +5,6 @@ import ( "bytes" "context" "crypto/sha256" - "crypto/tls" _ "embed" "encoding/json" "fmt" @@ -23,7 +22,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/config" "github.com/influxdata/telegraf/internal/choice" - httpconfig "github.com/influxdata/telegraf/plugins/common/http" + commontls "github.com/influxdata/telegraf/plugins/common/tls" "github.com/influxdata/telegraf/plugins/outputs" ) 
@@ -50,14 +49,14 @@ type Opensearch struct { HealthCheckTimeout config.Duration `toml:"health_check_timeout"` URLs []string `toml:"urls"` Log telegraf.Logger `toml:"-"` - - pipelineName string - indexTmpl *template.Template - pipelineTmpl *template.Template - onSucc func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem) - onFail func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem, error) - configOptions httpconfig.HTTPClientConfig - osClient *opensearch.Client + commontls.ClientConfig + + pipelineName string + indexTmpl *template.Template + pipelineTmpl *template.Template + onSucc func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem) + onFail func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem, error) + osClient *opensearch.Client } //go:embed template.json @@ -158,16 +157,17 @@ func (o *Opensearch) newClient() error { } defer password.Destroy() + tlsConfig, err := o.ClientConfig.TLSConfig() + if err != nil { + return fmt.Errorf("creating TLS config failed: %w", err) + } clientConfig := opensearch.Config{ Addresses: o.URLs, Username: username.String(), Password: password.String(), - } - - if o.configOptions.InsecureSkipVerify { - clientConfig.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, } header := http.Header{} diff --git a/plugins/outputs/opensearch/sample.conf b/plugins/outputs/opensearch/sample.conf index c4a5451c7f41d..8438053a41183 100644 --- a/plugins/outputs/opensearch/sample.conf +++ b/plugins/outputs/opensearch/sample.conf 
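Review bot: The embedded `commontls.ClientConfig` in `Opensearch` has no comment, so the struct no longer shows which TOML keys the plugin accepts for TLS. The removed `configOptions` field was unexported and so presumably could never be populated from the config file, which would mean `insecure_skip_verify` takes effect here for the first time; that is worth stating next to the field. I would add `// TLS client settings: tls_enable, tls_ca, tls_cert, tls_key, tls_server_name, insecure_skip_verify` above the embedded field. The struct definition begins before this hunk.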
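Review bot: `Transport` in `newClient` is now always a zero-value `&http.Transport{...}`, where the old code left it unset unless `insecure_skip_verify` was on. A bare transport has no `Proxy` function and none of the dial, handshake or idle-connection timeouts of `http.DefaultTransport`, so deployments that reach OpenSearch through `HTTPS_PROXY` or relied on those defaults would change behaviour (assuming the client library falls back to the default transport when the field is nil, which should be confirmed). Cloning the default keeps them: `transport := http.DefaultTransport.(*http.Transport).Clone()`, then `transport.TLSClientConfig = tlsConfig`, and pass `Transport: transport`. It would also help operators to log a warning when the returned `tlsConfig` is non-nil and has `InsecureSkipVerify` set, since that now disables chain and host verification for every request. The function body continues outside the hunk.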
@@ -10,7 +10,7 @@ ## Target index name for metrics (OpenSearch will create if it not exists). ## This is a Golang template (see https://pkg.go.dev/text/template) ## You can also specify - ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) + ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) ## If the tag does not exist, the default tag value will be empty string "". ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`). ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName @@ -43,9 +43,17 @@ # auth_bearer_token = "" ## Optional TLS Config - # tls_ca = "/etc/telegraf/ca.pem" - # tls_cert = "/etc/telegraf/cert.pem" - # tls_key = "/etc/telegraf/key.pem" + ## Set to true/false to enforce TLS being enabled/disabled. If not set, + ## enable TLS only if any of the other options are specified. + # tls_enable = + ## Trusted root certificates for server + # tls_ca = "/path/to/cafile" + ## Used for TLS client certificate authentication + # tls_cert = "/path/to/certfile" + ## Used for TLS client certificate authentication + # tls_key = "/path/to/keyfile" + ## Send the specified TLS server name via SNI + # tls_server_name = "kubernetes.example.com" ## Use TLS but skip chain & host verification # insecure_skip_verify = false From a692b6fd2d511d0661d21b30f901c92670642a81 Mon Sep 17 00:00:00 2001 From: Sven Rebhan <36194019+srebhan@users.noreply.github.com> Date: Mon, 27 Nov 2023 11:25:07 +0100 Subject: [PATCH 2/4] Fix typo Co-authored-by: Thomas Casteleyn --- plugins/outputs/opensearch/sample.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/outputs/opensearch/sample.conf b/plugins/outputs/opensearch/sample.conf index 8438053a41183..ea8428026212e 100644 --- a/plugins/outputs/opensearch/sample.conf +++ b/plugins/outputs/opensearch/sample.conf 
@@ -10,7 +10,7 @@ ## Target index name for metrics (OpenSearch will create if it not exists). ## This is a Golang template (see https://pkg.go.dev/text/template) ## You can also specify - ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) + ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "field_name"}}`) ## If the tag does not exist, the default tag value will be empty string "". ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`). ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName From 0384e123bbdfd976aacd65d8a2eaecb41164254b Mon Sep 17 00:00:00 2001 From: Sven Rebhan Date: Mon, 27 Nov 2023 15:20:19 +0100 Subject: [PATCH 3/4] Make docs --- plugins/outputs/opensearch/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/outputs/opensearch/README.md b/plugins/outputs/opensearch/README.md index f4219d08476ae..1aed64b1210f9 100644 --- a/plugins/outputs/opensearch/README.md +++ b/plugins/outputs/opensearch/README.md @@ -30,7 +30,7 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details. ## Target index name for metrics (OpenSearch will create if it not exists). ## This is a Golang template (see https://pkg.go.dev/text/template) ## You can also specify - ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) + ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "field_name"}}`) ## If the tag does not exist, the default tag value will be empty string "". ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`). ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName From bb942e132687dd5c14e391cda4eb647460c5d857 Mon Sep 17 00:00:00 2001 
From: Sven Rebhan Date: Mon, 27 Nov 2023 15:23:43 +0100 Subject: [PATCH 4/4] Remove common/tls alias --- plugins/outputs/opensearch/opensearch.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/outputs/opensearch/opensearch.go b/plugins/outputs/opensearch/opensearch.go index 2a3c8dfae8b03..c6f227d05a37b 100644 --- a/plugins/outputs/opensearch/opensearch.go +++ b/plugins/outputs/opensearch/opensearch.go @@ -22,7 +22,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/config" "github.com/influxdata/telegraf/internal/choice" - commontls "github.com/influxdata/telegraf/plugins/common/tls" + "github.com/influxdata/telegraf/plugins/common/tls" "github.com/influxdata/telegraf/plugins/outputs" ) @@ -49,7 +49,7 @@ type Opensearch struct { HealthCheckTimeout config.Duration `toml:"health_check_timeout"` URLs []string `toml:"urls"` Log telegraf.Logger `toml:"-"` - commontls.ClientConfig + tls.ClientConfig pipelineName string indexTmpl *template.Template