diff --git a/CHANGELOG.md b/CHANGELOG.md index a11752b5c170b..20a0365556908 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,6 +57,7 @@ be deprecated eventually. - [#2071](https://github.com/influxdata/telegraf/issues/2071): Use official docker SDK. - [#1678](https://github.com/influxdata/telegraf/pull/1678): Add AMQP consumer input plugin - [#2501](https://github.com/influxdata/telegraf/pull/2501): Support DEAD(X) state in system input plugin. +- [#2522](https://github.com/influxdata/telegraf/pull/2522): Add support for mongodb client certificates. ### Bugfixes diff --git a/plugins/inputs/mongodb/README.md b/plugins/inputs/mongodb/README.md index 72f87feb84ec8..678fe07770cb0 100644 --- a/plugins/inputs/mongodb/README.md +++ b/plugins/inputs/mongodb/README.md @@ -11,9 +11,16 @@ ## 10.0.0.1:10000, etc. servers = ["127.0.0.1:27017"] gather_perdb_stats = false + + ## Optional SSL Config + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + ## Use SSL but skip chain & host verification + # insecure_skip_verify = false ``` -For authenticated mongodb istances use connection mongdb connection URI +For authenticated mongodb instances use `mongodb://` connection URI ```toml [[inputs.mongodb]] diff --git a/plugins/inputs/mongodb/mongodb.go b/plugins/inputs/mongodb/mongodb.go index 0bf822a4ceda1..a80b94690d359 100644 --- a/plugins/inputs/mongodb/mongodb.go +++ b/plugins/inputs/mongodb/mongodb.go @@ -10,6 +10,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/internal/errchan" "github.com/influxdata/telegraf/plugins/inputs" "gopkg.in/mgo.v2" 
@@ -20,6 +21,15 @@ type MongoDB struct { Ssl Ssl mongos map[string]*Server GatherPerdbStats bool + + // Path to CA file + SSLCA string `toml:"ssl_ca"` + // Path to host cert file + SSLCert string `toml:"ssl_cert"` + // Path to cert key file + SSLKey string `toml:"ssl_key"` + // Use SSL but skip chain & host verification + InsecureSkipVerify bool } type Ssl struct { @@ -35,6 +45,13 @@ var sampleConfig = ` ## 10.0.0.1:10000, etc. servers = ["127.0.0.1:27017"] gather_perdb_stats = false + + ## Optional SSL Config + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + ## Use SSL but skip chain & host verification + # insecure_skip_verify = false ` func (m *MongoDB) SampleConfig() string { @@ -105,8 +122,11 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { dialInfo.Direct = true dialInfo.Timeout = 5 * time.Second + var tlsConfig *tls.Config + if m.Ssl.Enabled { - tlsConfig := &tls.Config{} + // Deprecated SSL config + tlsConfig = &tls.Config{} if len(m.Ssl.CaCerts) > 0 { roots := x509.NewCertPool() for _, caCert := range m.Ssl.CaCerts { @@ -119,6 +139,13 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { } else { tlsConfig.InsecureSkipVerify = true } + } else { + tlsConfig, err = internal.GetTLSConfig( + m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + } + + // If configured to use TLS, add a dial function + if tlsConfig != nil { dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) { conn, err := tls.Dial("tcp", addr.String(), tlsConfig) if err != nil {
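Review bot: `InsecureSkipVerify` is the only one of the four new `MongoDB` fields without a `toml` tag, and its comment does not say what skipping verification costs. It presumably still loads through the config loader's default name mapping, which is not visible here, but an explicit tag `toml:"insecure_skip_verify"` would match `SSLCA`, `SSLCert` and `SSLKey` and survive a field rename. I would also extend the comment to `// Use TLS but skip chain & host verification; the server is then unauthenticated, so leave this false outside test setups.` The same one-line caveat belongs next to `# insecure_skip_verify = false` in the `sampleConfig` hunk and in the README. The struct body starts before this hunk.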
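Review bot: With `tlsConfig` now shared by both paths, `m.Ssl.Enabled` silently takes precedence over the new `ssl_ca`/`ssl_cert`/`ssl_key` settings, and the `// Deprecated SSL config` comment does not say so. The context lines of the next hunk show the deprecated branch setting `tlsConfig.InsecureSkipVerify = true` when `m.Ssl.CaCerts` is empty. A configuration that adds `ssl_ca` but still has the old settings enabled would therefore connect without verifying the server, with nothing telling the operator. I would state the precedence in the comment, e.g. `// Deprecated SSL config: takes precedence; ssl_ca/ssl_cert/ssl_key are ignored while Ssl.Enabled is set`, and consider logging a warning when both are configured. `gatherServer` starts and ends outside this hunk.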
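Review bot: The error from `internal.GetTLSConfig` is assigned to `err`, but nothing in this hunk checks it before `if tlsConfig != nil`. If the call fails, for example on an unreadable `ssl_ca` or a cert/key pair that does not load, and returns a nil config (its body is not shown here), no `DialServer` is installed. The plugin would then presumably connect without TLS, so a broken TLS setup fails open instead of failing closed. Adding `if err != nil { return err }` directly after the call, inside the `else` branch, closes that gap. `gatherServer` continues past the end of the hunk, so a later check may exist, but it would come after the decision to skip the TLS dialer.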