From 5bb797e1d9f77d387d508d40d2212c49b91f0cfa Mon Sep 17 00:00:00 2001 
From: Daniel Nelson Date: Fri, 4 May 2018 16:33:23 -0700 Subject: [PATCH] Simplify testing with TLS (#4095) --- CHANGELOG.md | 4 + etc/telegraf.conf | 335 +++++++++--------- internal/internal.go | 92 ----- internal/tls/config.go | 130 +++++++ internal/tls/config_test.go | 226 ++++++++++++ plugins/inputs/amqp_consumer/README.md | 10 +- plugins/inputs/amqp_consumer/amqp_consumer.go | 24 +- plugins/inputs/apache/README.md | 10 +- plugins/inputs/apache/apache.go | 23 +- plugins/inputs/consul/README.md | 10 +- plugins/inputs/consul/consul.go | 26 +- plugins/inputs/dcos/README.md | 8 +- plugins/inputs/dcos/client_test.go | 19 +- plugins/inputs/dcos/dcos.go | 18 +- plugins/inputs/docker/README.md | 10 +- plugins/inputs/docker/docker.go | 19 +- plugins/inputs/elasticsearch/README.md | 10 +- plugins/inputs/elasticsearch/elasticsearch.go | 42 +-- plugins/inputs/graylog/README.md | 10 +- plugins/inputs/graylog/graylog.go | 25 +- plugins/inputs/haproxy/README.md | 10 +- plugins/inputs/haproxy/haproxy.go | 30 +- plugins/inputs/http/README.md | 10 +- plugins/inputs/http/http.go | 24 +- plugins/inputs/http_listener/http_listener.go | 45 +-- .../http_listener/http_listener_test.go | 154 +------- plugins/inputs/http_response/README.md | 10 +- plugins/inputs/http_response/http_response.go | 24 +- plugins/inputs/httpjson/README.md | 10 +- plugins/inputs/httpjson/httpjson.go | 24 +- plugins/inputs/influxdb/README.md | 10 +- plugins/inputs/influxdb/influxdb.go | 26 +- plugins/inputs/jolokia2/README.md | 16 +- plugins/inputs/jolokia2/client.go | 19 +- plugins/inputs/jolokia2/jolokia_agent.go | 25 +- plugins/inputs/jolokia2/jolokia_proxy.go | 33 +- plugins/inputs/kafka_consumer/README.md | 10 +- .../inputs/kafka_consumer/kafka_consumer.go | 24 +- plugins/inputs/kapacitor/README.md | 10 +- plugins/inputs/kapacitor/kapacitor.go | 27 +- plugins/inputs/kubernetes/kubernetes.go | 24 +- plugins/inputs/mesos/README.md | 10 +- plugins/inputs/mesos/mesos.go | 25 +- 
plugins/inputs/mongodb/README.md | 10 +- plugins/inputs/mongodb/mongodb.go | 27 +- plugins/inputs/mqtt_consumer/README.md | 10 +- plugins/inputs/mqtt_consumer/mqtt_consumer.go | 24 +- plugins/inputs/mysql/README.md | 8 +- plugins/inputs/mysql/mysql.go | 18 +- plugins/inputs/nginx/README.md | 10 +- plugins/inputs/nginx/nginx.go | 29 +- plugins/inputs/openldap/README.md | 2 +- plugins/inputs/openldap/openldap.go | 10 +- plugins/inputs/prometheus/README.md | 10 +- plugins/inputs/prometheus/prometheus.go | 23 +- plugins/inputs/rabbitmq/README.md | 10 +- plugins/inputs/rabbitmq/rabbitmq.go | 23 +- .../inputs/socket_listener/socket_listener.go | 17 +- .../socket_listener/socket_listener_test.go | 16 +- .../inputs/socket_listener/testdata/ca.pem | 31 -- .../socket_listener/testdata/client.key | 27 -- .../socket_listener/testdata/client.pem | 24 -- .../socket_listener/testdata/server.key | 27 -- .../socket_listener/testdata/server.pem | 25 -- plugins/inputs/tomcat/README.md | 10 +- plugins/inputs/tomcat/tomcat.go | 20 +- plugins/inputs/zookeeper/README.md | 8 +- plugins/inputs/zookeeper/zookeeper.go | 24 +- plugins/outputs/amqp/README.md | 10 +- plugins/outputs/amqp/amqp.go | 23 +- plugins/outputs/elasticsearch/README.md | 12 +- .../outputs/elasticsearch/elasticsearch.go | 21 +- plugins/outputs/graphite/README.md | 42 +-- plugins/outputs/graphite/graphite.go | 33 +- plugins/outputs/influxdb/README.md | 10 +- plugins/outputs/influxdb/influxdb.go | 24 +- plugins/outputs/influxdb/influxdb_test.go | 7 +- plugins/outputs/kafka/README.md | 10 +- plugins/outputs/kafka/kafka.go | 33 +- plugins/outputs/mqtt/README.md | 14 +- plugins/outputs/mqtt/mqtt.go | 40 +-- plugins/outputs/nats/nats.go | 25 +- plugins/outputs/socket_writer/README.md | 10 +- .../outputs/socket_writer/socket_writer.go | 22 +- testutil/pki/cacert.pem | 12 + testutil/pki/cakey.pem | 16 + testutil/pki/clientcert.pem | 13 + testutil/pki/clientkey.pem | 15 + testutil/pki/servercert.pem | 13 + 
testutil/pki/serverkey.pem | 15 + {scripts => testutil/pki}/tls-certs.sh | 18 +- testutil/tls.go | 86 +++++ 92 files changed, 1254 insertions(+), 1364 deletions(-) create mode 100644 internal/tls/config.go create mode 100644 internal/tls/config_test.go delete mode 100644 plugins/inputs/socket_listener/testdata/ca.pem delete mode 100644 plugins/inputs/socket_listener/testdata/client.key delete mode 100644 plugins/inputs/socket_listener/testdata/client.pem delete mode 100644 plugins/inputs/socket_listener/testdata/server.key delete mode 100644 plugins/inputs/socket_listener/testdata/server.pem create mode 100644 testutil/pki/cacert.pem create mode 100644 testutil/pki/cakey.pem create mode 100644 testutil/pki/clientcert.pem create mode 100644 testutil/pki/clientkey.pem create mode 100644 testutil/pki/servercert.pem create mode 100644 testutil/pki/serverkey.pem rename {scripts => testutil/pki}/tls-certs.sh (81%) create mode 100644 testutil/tls.go diff --git a/CHANGELOG.md b/CHANGELOG.md index 9216cb762ed45..d109ad0908532 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ an [example configuration](./plugins/inputs/jolokia2/examples) to help you get started. +- For plugins supporting TLS, you can now specify the certificate and keys + using `tls_ca`, `tls_cert`, `tls_key`. These options behave the same as + the, now deprecated, `ssl` forms. + ### New Inputs - [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek diff --git a/etc/telegraf.conf b/etc/telegraf.conf index d6c4b6f0d386e..0402e1e6a14da 100644 --- a/etc/telegraf.conf +++ b/etc/telegraf.conf 
@@ -121,11 +121,11 @@ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -184,11 +184,11 @@ # ## to 5s. 0s means no timeout (not recommended). # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -284,11 +284,11 @@ # # default_tag_value = "none" # index_name = "telegraf-%Y.%m.%d" # required. # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Template Config 
@@ -327,11 +327,11 @@ # ## timeout in seconds for the write connection to graphite # timeout = 2 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -420,11 +420,11 @@ # ## The total number of times to retry sending a message # max_retry = 3 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -536,11 +536,11 @@ # ## client ID, if not set a random ID is generated # # client_id = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Batch messages in a topic 
@@ -567,11 +567,11 @@ # ## NATS subject for producer messages # subject = "telegraf" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -702,11 +702,11 @@ # # address = "unix:///tmp/telegraf.sock" # # address = "unixgram:///tmp/telegraf.sock" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Period between keep alive probes. @@ -935,11 +935,11 @@ # ## Maximum time to receive response. # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1119,11 +1119,11 @@ # ## Data centre to query the health checks from # # datacentre = "" # -# ## SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## If false, skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = true @@ -1180,10 +1180,10 @@ # ## Maximum time to receive a response from cluster. # # response_timeout = "20s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true # @@ -1268,11 +1268,11 @@ # docker_label_include = [] # docker_label_exclude = [] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1324,11 +1324,11 @@ # ## "breaker". Per default, all stats are gathered. # # node_stats = ["jvm", "http"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1435,11 +1435,11 @@ # username = "" # password = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1463,11 +1463,11 @@ # ## field names. # # keep_field_names = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1504,11 +1504,11 @@ # ## Tag all metrics with the url # # tag_url = true # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Amount of time allowed to complete the HTTP request @@ -1548,11 +1548,11 @@ # # response_string_match = "ok" # # response_string_match = "\".*_status\".?:.?\"up\"" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP Request Headers (all values must be strings) @@ -1588,11 +1588,11 @@ # # "my_tag_2" # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -1620,11 +1620,11 @@ # "http://localhost:8086/debug/vars" # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## http request & header timeout @@ -1778,10 +1778,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add metrics to read @@ -1803,10 +1803,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add proxy targets to query @@ -1835,11 +1835,11 @@ # ## Time limit for http requests # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1859,11 +1859,11 @@ # ## Set response_timeout (default 5 seconds) # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1955,11 +1955,11 @@ # # "messages", # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1985,11 +1985,11 @@ # ## When true, collect per database stats # # gather_perdb_stats = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2068,10 +2068,12 @@ # ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) # interval_slow = "30m" # -# ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.pem" -# ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification +# # insecure_skip_verify = false # # Provides metrics about the state of a NATS server @@ -2131,10 +2133,11 @@ # # An array of Nginx stub_status URI to gather stats. # urls = ["http://localhost/server_status"] # -# # TLS/SSL configuration -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.cer" -# ssl_key = "/etc/telegraf/key.key" +# ## Optional TLS Config +# tls_ca = "/etc/telegraf/ca.pem" +# tls_cert = "/etc/telegraf/cert.cer" +# tls_key = "/etc/telegraf/key.key" +# ## Use TLS but skip chain & host verification # insecure_skip_verify = false # # # HTTP response timeout (default: 5s) @@ -2197,7 +2200,7 @@ # insecure_skip_verify = false # # # Path to PEM-encoded Root certificate to use to verify server certificate -# ssl_ca = "/etc/ssl/certs.pem" +# tls_ca = "/etc/ssl/certs.pem" # # # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # bind_dn = "" @@ -2348,11 +2351,11 @@ # ## Specify timeout duration for slower prometheus clients (default is 3s) # # response_timeout = "3s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2372,11 +2375,11 @@ # # username = "guest" # # password = "guest" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional request timeouts @@ -2805,11 +2808,11 @@ # ## Request timeout # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -2893,11 +2896,11 @@ # ## Timeout for metric collections from all servers. Minimum timeout is "1s". # # timeout = "5s" # -# ## Optional SSL Config -# # enable_ssl = true -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # enable_tls = true +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true 
@@ -2926,11 +2929,11 @@ # ## described here: https://www.rabbitmq.com/plugins.html # # auth_method = "PLAIN" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. @@ -3001,11 +3004,11 @@ # ## topic(s) to consume # topics = ["telegraf"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -3131,11 +3134,11 @@ # # username = "telegraf" # # password = "metricsmetricsmetricsmetrics" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. diff --git a/internal/internal.go b/internal/internal.go index 3227832c991ec..d86b32d2630c1 100644 --- a/internal/internal.go +++ b/internal/internal.go @@ -4,11 +4,7 @@ import ( "bufio" "bytes" "crypto/rand" - "crypto/tls" - "crypto/x509" "errors" - "fmt" - "io/ioutil" "log" "math/big" "os" 
@@ -112,94 +108,6 @@ func RandomString(n int) string {
 return string(bytes)
 }
-// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files
-// for use with a client.
-// The full path to each file must be provided.
-// Returns a nil pointer if all files are blank and InsecureSkipVerify=false.
-func GetTLSConfig(
- SSLCert, SSLKey, SSLCA string,
- InsecureSkipVerify bool,
-) (*tls.Config, error) {
- if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify {
- return nil, nil
- }
-
- t := &tls.Config{
- InsecureSkipVerify: InsecureSkipVerify,
- }
-
- if SSLCA != "" {
- caCert, err := ioutil.ReadFile(SSLCA)
- if err != nil {
- return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
- err))
- }
-
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(caCert)
- t.RootCAs = caCertPool
- }
-
- if SSLCert != "" && SSLKey != "" {
- cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey)
- if err != nil {
- return nil, errors.New(fmt.Sprintf(
- "Could not load TLS client key/certificate from %s:%s: %s",
- SSLKey, SSLCert, err))
- }
-
- t.Certificates = []tls.Certificate{cert}
- t.BuildNameToCertificate()
- }
-
- // will be nil by default if nothing is provided
- return t, nil
-}
-
-// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files
-// for use with a server.
-// The full path to each file must be provided.
-// Returns a nil pointer if all files are blank.
-func GetServerTLSConfig(
- TLSCert, TLSKey string,
- TLSAllowedCACerts []string,
-) (*tls.Config, error) {
- if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 {
- return nil, nil
- }
-
- t := &tls.Config{}
-
- if len(TLSAllowedCACerts) != 0 {
- caCertPool := x509.NewCertPool()
- for _, cert := range TLSAllowedCACerts {
- c, err := ioutil.ReadFile(cert)
- if err != nil {
- return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s",
- err))
- }
- caCertPool.AppendCertsFromPEM(c)
- }
- t.ClientCAs = caCertPool
- t.ClientAuth = tls.RequireAndVerifyClientCert
- }
-
- if TLSCert != "" && TLSKey != "" {
- cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey)
- if err != nil {
- return nil, errors.New(fmt.Sprintf(
- "Could not load TLS client key/certificate from %s:%s: %s",
- TLSKey, TLSCert, err))
- }
-
- t.Certificates = []tls.Certificate{cert}
- }
-
- t.BuildNameToCertificate()
-
- return t, nil
-}
-
 // SnakeCase converts the given string to snake case following the Golang format:
 // acronyms are converted to lower-case and preceded by an underscore.
 func SnakeCase(in string) string {
diff --git a/internal/tls/config.go b/internal/tls/config.go
new file mode 100644
index 0000000000000..25c0678d4c315
--- /dev/null
+++ b/internal/tls/config.go
@@ -0,0 +1,130 @@
+package tls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+)
+
+// ClientConfig represents the standard client TLS config.
+type ClientConfig struct {
+ TLSCA string `toml:"tls_ca"`
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+
+ // Deprecated in 1.7; use TLS variables above
+ SSLCA string `toml:"ssl_ca"`
+ SSLCert string `toml:"ssl_cert"`
+ SSLKey string `toml:"ssl_ca"`
+}
+
+// ServerConfig represents the standard server TLS config.
+type ServerConfig struct {
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
+ // Support deprecated variable names
+ if c.TLSCA == "" && c.SSLCA != "" {
+ c.TLSCA = c.SSLCA
+ }
+ if c.TLSCert == "" && c.SSLCert != "" {
+ c.TLSCert = c.SSLCert
+ }
+ if c.TLSKey == "" && c.SSLKey != "" {
+ c.TLSKey = c.SSLKey
+ }
+
+ // TODO: return default tls.Config; plugins should not call if they don't
+ // want TLS, this will require using another option to determine. In the
+ // case of an HTTP plugin, you could use `https`. Other plugins may need
+ // the dedicated option `TLSEnable`.
+ if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: c.InsecureSkipVerify,
+ Renegotiation: tls.RenegotiateNever,
+ }
+
+ if c.TLSCA != "" {
+ pool, err := makeCertPool([]string{c.TLSCA})
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = pool
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
+ if c.TLSCert == "" && c.TLSKey == "" && len(c.TLSAllowedCACerts) == 0 {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{}
+
+ if len(c.TLSAllowedCACerts) != 0 {
+ pool, err := makeCertPool(c.TLSAllowedCACerts)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.ClientCAs = pool
+ tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+func makeCertPool(certFiles []string) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, certFile := range certFiles {
+ pem, err := ioutil.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf(
+ "could not read certificate %q: %v", certFile, err)
+ }
+ ok := pool.AppendCertsFromPEM(pem)
+ if !ok {
+ return nil, fmt.Errorf(
+ "could not parse any PEM certificates %q: %v", certFile, err)
+ }
+ }
+ return pool, nil
+}
+
+func loadCertificate(config *tls.Config, certFile, keyFile string) error {
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return fmt.Errorf(
+ "could not load keypair %s:%s: %v", certFile, keyFile, err)
+ }
+
+ config.Certificates = []tls.Certificate{cert}
+ config.BuildNameToCertificate()
+ return nil
+}
diff --git a/internal/tls/config_test.go b/internal/tls/config_test.go
new file mode 100644
index 0000000000000..31a70d9a18ebd
--- /dev/null
+++ b/internal/tls/config_test.go
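Review bot: In `ClientConfig` the deprecated `SSLKey` field is tagged `toml:"ssl_ca"`, the same key as `SSLCA`, so a config that still sets `ssl_key` is dropped on parse and two fields compete for one TOML key; the tag should be `toml:"ssl_key"`. Because `ClientConfig.TLSConfig` skips the keypair whenever `TLSKey` is empty, such a config yields a client with no certificate and no error, which only surfaces later as a handshake failure against servers that require client auth; the "support deprecated ssl field names" case in config_test.go assigns the struct fields directly, so it never exercises the tag. Separately, the `!ok` branch of `makeCertPool` prints `err`, which is nil at that point, so the message ends in `<nil>`; use `"could not parse any PEM certificates %q", certFile` there. A point of style: `TLSConfig` rewrites the receiver's `TLSCA`/`TLSCert`/`TLSKey` from the SSL fields, so a second call sees different input than the first — resolving the effective values into locals would keep the method free of side effects.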
@@ -0,0 +1,226 @@
+package tls_test
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+ "time"
+
+ "github.com/influxdata/telegraf/internal/tls"
+ "github.com/influxdata/telegraf/testutil"
+ "github.com/stretchr/testify/require"
+)
+
+var pki = testutil.NewPKI("../../testutil/pki")
+
+func TestClientConfig(t *testing.T) {
+ tests := []struct {
+ name string
+ client tls.ClientConfig
+ expNil bool
+ expErr bool
+ }{
+ {
+ name: "unset",
+ client: tls.ClientConfig{},
+ expNil: true,
+ },
+ {
+ name: "success",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ },
+ {
+ name: "invalid ca",
+ client: tls.ClientConfig{
+ TLSCA: pki.ClientKeyPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing ca is okay",
+ client: tls.ClientConfig{
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ },
+ {
+ name: "invalid cert",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientKeyPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing cert skips client keypair",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ },
+ expNil: false,
+ expErr: false,
+ },
+ {
+ name: "missing key skips client keypair",
+ client: tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ },
+ expNil: false,
+ expErr: false,
+ },
+ {
+ name: "support deprecated ssl field names",
+ client: tls.ClientConfig{
+ SSLCA: pki.CACertPath(),
+ SSLCert: pki.ClientCertPath(),
+ SSLKey: pki.ClientKeyPath(),
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tlsConfig, err := tt.client.TLSConfig()
+ if !tt.expNil {
+ require.NotNil(t, tlsConfig)
+ } else {
+ require.Nil(t, tlsConfig)
+ }
+
+ if !tt.expErr {
+ require.NoError(t, err)
+ } else {
+ require.Error(t, err)
+ }
+ })
+ }
+}
+
+func TestServerConfig(t *testing.T) {
+ tests := []struct {
+ name string
+ server tls.ServerConfig
+ expNil bool
+ expErr bool
+ }{
+ {
+ name: "unset",
+ server: tls.ServerConfig{},
+ expNil: true,
+ },
+ {
+ name: "success",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ },
+ {
+ name: "invalid ca",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.ServerKeyPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing allowed ca is okay",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "invalid cert",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerKeyPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing cert",
+ server: tls.ServerConfig{
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ {
+ name: "missing key",
+ server: tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ },
+ expNil: true,
+ expErr: true,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tlsConfig, err := tt.server.TLSConfig()
+ if !tt.expNil {
+ require.NotNil(t, tlsConfig)
+ }
+ if !tt.expErr {
+ require.NoError(t, err)
+ }
+ })
+ }
+}
+
+func TestConnect(t *testing.T) {
+ clientConfig := tls.ClientConfig{
+ TLSCA: pki.CACertPath(),
+ TLSCert: pki.ClientCertPath(),
+ TLSKey: pki.ClientKeyPath(),
+ }
+
+ serverConfig := tls.ServerConfig{
+ TLSCert: pki.ServerCertPath(),
+ TLSKey: pki.ServerKeyPath(),
+ TLSAllowedCACerts: []string{pki.CACertPath()},
+ }
+
+ serverTLSConfig, err := serverConfig.TLSConfig()
+ require.NoError(t, err)
+
+ ts = 
httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + ts.TLS = serverTLSConfig + + ts.StartTLS() + defer ts.Close() + + clientTLSConfig, err := clientConfig.TLSConfig() + require.NoError(t, err) + + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: clientTLSConfig, + }, + Timeout: 10 * time.Second, + } + + resp, err := client.Get(ts.URL) + require.NoError(t, err) + require.Equal(t, 200, resp.StatusCode) +} diff --git a/plugins/inputs/amqp_consumer/README.md b/plugins/inputs/amqp_consumer/README.md index 11084bedcc303..a14e2c8b010f4 100644 --- a/plugins/inputs/amqp_consumer/README.md +++ b/plugins/inputs/amqp_consumer/README.md @@ -32,11 +32,11 @@ The following defaults are known to work with RabbitMQ: ## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/amqp_consumer/amqp_consumer.go b/plugins/inputs/amqp_consumer/amqp_consumer.go index c96272fa7dd75..48458a0b7689b 100644 --- a/plugins/inputs/amqp_consumer/amqp_consumer.go +++ b/plugins/inputs/amqp_consumer/amqp_consumer.go @@ -10,7 +10,7 @@ import ( "github.com/streadway/amqp" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) 
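Review bot: `TestServerConfig`'s loop only asserts the negative expectations — `require.NotNil` when `expNil` is false and `require.NoError` when `expErr` is false — so every case that expects a nil config or an error passes vacuously, unlike `TestClientConfig`, which asserts both directions. Mirroring the client loop's `if/else` form makes the table meaningful; doing so will also expose that `ServerConfig.TLSConfig()` returns a non-nil config without error when only one of `TLSCert`/`TLSKey` is set, or when the allowed-CA list is empty, so the "missing allowed ca is okay", "missing cert" and "missing key" expectations (or the implementation) have to be reconciled. `TestConnect` also never closes the response body; add `defer resp.Body.Close()` after its `require.NoError(t, err)`.
```go
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			tlsConfig, err := tt.server.TLSConfig()
			if !tt.expNil {
				require.NotNil(t, tlsConfig)
			} else {
				require.Nil(t, tlsConfig)
			}
			if !tt.expErr {
				require.NoError(t, err)
			} else {
				require.Error(t, err)
			}
		})
	}
```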
@@ -31,14 +31,7 @@ type AMQPConsumer struct { // AMQP Auth method AuthMethod string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig parser parsers.Parser conn *amqp.Connection @@ -78,11 +71,11 @@ func (a *AMQPConsumer) SampleConfig() string { ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. @@ -108,8 +101,7 @@ func (a *AMQPConsumer) Gather(_ telegraf.Accumulator) error { func (a *AMQPConsumer) createConfig() (*amqp.Config, error) { // make new tls config - tls, err := internal.GetTLSConfig( - a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tls, err := a.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/apache/README.md b/plugins/inputs/apache/README.md index 0edac31664c4b..b8822edebf314 100644 --- a/plugins/inputs/apache/README.md +++ b/plugins/inputs/apache/README.md 
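Review bot: In `createConfig` the new local `tls, err := a.ClientConfig.TLSConfig()` shadows the `tls` package this commit imports at the top of amqp_consumer.go, so any later `tls.` reference inside the function resolves to the `*tls.Config` value and fails to compile in a confusing way. Rename the local, e.g. `tlsCfg, err := a.ClientConfig.TLSConfig()`, which is also the name the apache, consul, dcos, haproxy and http plugins use in this same commit. `createConfig`'s body continues outside the hunk.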
@@ -21,11 +21,11 @@ Typically, the `mod_status` module is configured to expose a page at the `/serve ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/apache/apache.go b/plugins/inputs/apache/apache.go index a3df105bb5d10..a04d1bbb827ea 100644 --- a/plugins/inputs/apache/apache.go +++ b/plugins/inputs/apache/apache.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,14 +22,7 @@ type Apache struct { Username string Password string ResponseTimeout internal.Duration - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } @@ -46,11 +40,11 @@ var sampleConfig = ` ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -98,8 +92,7 @@ func (n *Apache) Gather(acc telegraf.Accumulator) error { } func (n *Apache) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsCfg, err := n.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/consul/README.md b/plugins/inputs/consul/README.md index 7e68a4931aebd..42e1a13362029 100644 --- a/plugins/inputs/consul/README.md +++ b/plugins/inputs/consul/README.md @@ -27,11 +27,11 @@ report those stats already using StatsD protocol if needed. ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ``` diff --git a/plugins/inputs/consul/consul.go b/plugins/inputs/consul/consul.go index bfd9b43409ed2..fe9bde1db9b78 100644 --- a/plugins/inputs/consul/consul.go +++ b/plugins/inputs/consul/consul.go @@ -5,7 +5,7 @@ import ( "github.com/hashicorp/consul/api" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -16,15 +16,7 @@ type Consul struct { Username string Password string Datacentre string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig // client used to connect to Consul agnet client *api.Client 
@@ -47,11 +39,11 @@ var sampleConfig = ` ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ` @@ -89,9 +81,7 @@ func (c *Consul) createAPIClient() (*api.Client, error) { } } - tlsCfg, err := internal.GetTLSConfig( - c.SSLCert, c.SSLKey, c.SSLCA, c.InsecureSkipVerify) - + tlsCfg, err := c.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/dcos/README.md b/plugins/inputs/dcos/README.md index 967c376a741e8..790590aeaf94b 100644 --- a/plugins/inputs/dcos/README.md +++ b/plugins/inputs/dcos/README.md @@ -54,10 +54,10 @@ your database. ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true diff --git a/plugins/inputs/dcos/client_test.go b/plugins/inputs/dcos/client_test.go index 3b8d93e377571..1b563c63fe6e2 100644 --- a/plugins/inputs/dcos/client_test.go +++ b/plugins/inputs/dcos/client_test.go 
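Review bot: The consul `sampleConfig` keeps `# insecure_skip_verify = true` under the new "Use TLS but skip chain & host verification" heading, while every other plugin touched in this commit (amqp_consumer, apache, docker, elasticsearch, graylog, haproxy, http) shows `false`; a commented sample value reads as the recommended setting, so this one nudges users toward disabling certificate verification. Unless consul genuinely needs it, change it to `# insecure_skip_verify = false` here and in the matching README hunk. The dcos `sampleConfig` hunk has the same `true`.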
@@ -9,26 +9,11 @@ import ( "testing" jwt "github.com/dgrijalva/jwt-go" + "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/require" ) -const ( - privateKey = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj -hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` -) +var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey() func TestLogin(t *testing.T) { ts := httptest.NewServer(http.NotFoundHandler()) diff --git a/plugins/inputs/dcos/dcos.go b/plugins/inputs/dcos/dcos.go index 91370b81f81fc..e37bf996be571 100644 --- a/plugins/inputs/dcos/dcos.go +++ b/plugins/inputs/dcos/dcos.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -56,11 +57,7 @@ type DCOS struct { MaxConnections int ResponseTimeout internal.Duration - - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool `toml:"insecure_skip_verify"` + tls.ClientConfig client Client creds Credentials 
@@ -107,10 +104,10 @@ var sampleConfig = ` ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true @@ -351,8 +348,7 @@ func (d *DCOS) init() error { } func (d *DCOS) createClient() (Client, error) { - tlsCfg, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsCfg, err := d.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/docker/README.md b/plugins/inputs/docker/README.md index b93b4a0364f9c..87b5e65d1e117 100644 --- a/plugins/inputs/docker/README.md +++ b/plugins/inputs/docker/README.md @@ -53,11 +53,11 @@ to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.24/) ## Which environment variables should we use as a tag tag_env = ["JAVA_HOME", "HEAP_SIZE"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/docker/docker.go b/plugins/inputs/docker/docker.go index b0b9b8cf20cf4..a59b9f7fa955c 100644 --- a/plugins/inputs/docker/docker.go +++ b/plugins/inputs/docker/docker.go @@ -20,6 +20,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) 
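Review bot: The dcos `sampleConfig` hunk rewrites the `tls_*` lines but leaves the following context line `## If false, skip chain & host verification`, whose wording is inverted — the flag skips verification when it is true — and which differs from the `## Use TLS but skip chain & host verification` text this commit standardises on in the other plugins. Replace it with `## Use TLS but skip chain & host verification` here and in the dcos README hunk. As with consul, the sample value that follows is `true`; `false` would match the other plugins.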
@@ -43,10 +44,7 @@ type Docker struct { ContainerStateInclude []string `toml:"container_state_include"` ContainerStateExclude []string `toml:"container_state_exclude"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tlsint.ClientConfig newEnvClient func() (Client, error) newClient func(string, *tls.Config) (Client, error) @@ -115,11 +113,11 @@ var sampleConfig = ` docker_label_include = [] docker_label_exclude = [] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -136,8 +134,7 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error { if d.Endpoint == "ENV" { c, err = d.newEnvClient() } else { - tlsConfig, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsConfig, err := d.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/elasticsearch/README.md b/plugins/inputs/elasticsearch/README.md index 09ae15cc37774..e88c3f4d6846b 100644 --- a/plugins/inputs/elasticsearch/README.md +++ b/plugins/inputs/elasticsearch/README.md 
@@ -38,11 +38,11 @@ or [cluster-stats](https://www.elastic.co/guide/en/elasticsearch/reference/curre ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/elasticsearch/elasticsearch.go b/plugins/inputs/elasticsearch/elasticsearch.go index 1f548a0e0287c..eee8d4182ab10 100644 --- a/plugins/inputs/elasticsearch/elasticsearch.go +++ b/plugins/inputs/elasticsearch/elasticsearch.go @@ -3,16 +3,18 @@ package elasticsearch import ( "encoding/json" "fmt" - "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" - "github.com/influxdata/telegraf/plugins/inputs" - jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" "io/ioutil" "net/http" "regexp" "strings" "sync" "time" + + "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" + "github.com/influxdata/telegraf/plugins/inputs" + jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) // mask for masking username/password from error messages 
@@ -108,28 +110,26 @@ const sampleConfig = ` ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` // Elasticsearch is a plugin to read stats from one or many Elasticsearch // servers. type Elasticsearch struct { - Local bool - Servers []string - HttpTimeout internal.Duration - ClusterHealth bool - ClusterHealthLevel string - ClusterStats bool - NodeStats []string - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification + Local bool + Servers []string + HttpTimeout internal.Duration + ClusterHealth bool + ClusterHealthLevel string + ClusterStats bool + NodeStats []string + tls.ClientConfig + client *http.Client catMasterResponseTokens []string isMaster bool @@ -227,7 +227,7 @@ func (e *Elasticsearch) Gather(acc telegraf.Accumulator) error { } func (e *Elasticsearch) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig(e.SSLCert, e.SSLKey, e.SSLCA, e.InsecureSkipVerify) + tlsCfg, err := e.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/graylog/README.md b/plugins/inputs/graylog/README.md index 6d4aa6131b180..6ab4a70c4bd98 100644 --- a/plugins/inputs/graylog/README.md +++ b/plugins/inputs/graylog/README.md 
@@ -44,11 +44,11 @@ Note: if namespace end point specified metrics array will be ignored for that ca username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/graylog/graylog.go b/plugins/inputs/graylog/graylog.go index 6dcc9b979b7ea..8e580480d844b 100644 --- a/plugins/inputs/graylog/graylog.go +++ b/plugins/inputs/graylog/graylog.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -35,15 +35,7 @@ type GrayLog struct { Metrics []string Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -111,11 +103,11 @@ var sampleConfig = ` username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -132,8 +124,7 @@ func (h *GrayLog) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/haproxy/README.md b/plugins/inputs/haproxy/README.md index 50bd4b3dad1d0..35b59524de6b6 100644 --- a/plugins/inputs/haproxy/README.md +++ b/plugins/inputs/haproxy/README.md @@ -28,11 +28,11 @@ or [HTTP statistics page](https://cbonte.github.io/haproxy-dconv/1.9/management. ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/haproxy/haproxy.go b/plugins/inputs/haproxy/haproxy.go index 81783cf2b805b..19087a978cd1d 100644 --- a/plugins/inputs/haproxy/haproxy.go +++ b/plugins/inputs/haproxy/haproxy.go @@ -14,27 +14,18 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) //CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1 type haproxy struct { - Servers []string - - client *http.Client - + Servers []string KeepFieldNames bool + tls.ClientConfig - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + client *http.Client } var sampleConfig = ` 
@@ -56,11 +47,11 @@ var sampleConfig = ` ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -144,8 +135,7 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error { } if g.client == nil { - tlsCfg, err := internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsCfg, err := g.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http/README.md b/plugins/inputs/http/README.md index 2c04413644417..25d3d2b2d8960 100644 --- a/plugins/inputs/http/README.md +++ b/plugins/inputs/http/README.md @@ -23,11 +23,11 @@ The HTTP input plugin collects metrics from one or more HTTP(S) endpoints. The # username = "username" # password = "pa$$word" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request diff --git a/plugins/inputs/http/http.go b/plugins/inputs/http/http.go index 16e776cd09ff8..c9c3460be53c7 100644 --- a/plugins/inputs/http/http.go +++ b/plugins/inputs/http/http.go 
@@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -24,15 +25,7 @@ type HTTP struct { // HTTP Basic Auth Credentials Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Timeout internal.Duration @@ -62,11 +55,11 @@ var sampleConfig = ` ## Tag all metrics with the url # tag_url = true - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request @@ -97,8 +90,7 @@ func (h *HTTP) Gather(acc telegraf.Accumulator) error { } if h.client == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http_listener/http_listener.go b/plugins/inputs/http_listener/http_listener.go index bda4ce463a8ae..595c74ed21b20 100644 --- a/plugins/inputs/http_listener/http_listener.go +++ b/plugins/inputs/http_listener/http_listener.go @@ -5,9 +5,7 @@ import ( "compress/gzip" "crypto/subtle" "crypto/tls" - "crypto/x509" "io" - "io/ioutil" "log" "net" "net/http" 
@@ -16,6 +14,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/selfstat" @@ -43,9 +42,7 @@ type HTTPListener struct { MaxLineSize int Port int - TlsAllowedCacerts []string - TlsCert string - TlsKey string + tlsint.ServerConfig BasicUsername string BasicPassword string @@ -158,7 +155,10 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { h.acc = acc h.pool = NewPool(200, h.MaxLineSize) - tlsConf := h.getTLSConfig() + tlsConf, err := h.ServerConfig.TLSConfig() + if err != nil { + return err + } server := &http.Server{ Addr: h.ServiceAddress, @@ -168,7 +168,6 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { TLSConfig: tlsConf, } - var err error var listener net.Listener if tlsConf != nil { listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf) 
@@ -372,38 +371,6 @@ func badRequest(res http.ResponseWriter) { res.Write([]byte(`{"error":"http: bad request"}`)) } -func (h *HTTPListener) getTLSConfig() *tls.Config { - tlsConf := &tls.Config{ - InsecureSkipVerify: false, - Renegotiation: tls.RenegotiateNever, - } - - if len(h.TlsCert) == 0 || len(h.TlsKey) == 0 { - return nil - } - - cert, err := tls.LoadX509KeyPair(h.TlsCert, h.TlsKey) - if err != nil { - return nil - } - tlsConf.Certificates = []tls.Certificate{cert} - - if h.TlsAllowedCacerts != nil { - tlsConf.ClientAuth = tls.RequireAndVerifyClientCert - clientPool := x509.NewCertPool() - for _, ca := range h.TlsAllowedCacerts { - c, err := ioutil.ReadFile(ca) - if err != nil { - continue - } - clientPool.AppendCertsFromPEM(c) - } - tlsConf.ClientCAs = clientPool - } - - return tlsConf -} - func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) { if h.BasicUsername != "" && h.BasicPassword != "" { reqUsername, reqPassword, ok := req.BasicAuth() diff --git a/plugins/inputs/http_listener/http_listener_test.go b/plugins/inputs/http_listener/http_listener_test.go index 7f6ab406cc996..7c6cdf7283394 100644 --- a/plugins/inputs/http_listener/http_listener_test.go +++ b/plugins/inputs/http_listener/http_listener_test.go @@ -4,7 +4,6 @@ import ( "bytes" "crypto/tls" "crypto/x509" - "io" "io/ioutil" "net/http" "net/url" 
@@ -34,86 +33,12 @@ cpu_load_short,host=server06 value=12.0 1422568543702900257 emptyMsg = "" - serviceRootPEM = `-----BEGIN CERTIFICATE----- -MIIBxzCCATCgAwIBAgIJAJb7HqN2BzWWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV -BAMMC1RlbGVncmFmIENBMB4XDTE3MTEwNDA0MzEwN1oXDTI3MTEwMjA0MzEwN1ow -FjEUMBIGA1UEAwwLVGVsZWdyYWYgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ -AoGBANbkUkK6JQC3rbLcXhLJTS9SX6uXyFwl7bUfpAN5Hm5EqfvG3PnLrogfTGLr -Tq5CRAu/gbbdcMoL9TLv/aaDVnrpV0FslKhqYmkOgT28bdmA7Qtr539aQpMKCfcW -WCnoMcBD5u5h9MsRqpdq+0Mjlsf1H2hSf07jHk5R1T4l8RMXAgMBAAGjHTAbMAwG -A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBANSrwvpU -t8ihIhpHqgJZ34DM92CZZ3ZHmH/KyqlnuGzjjpnVZiXVrLDTOzrA0ziVhmefY29w -roHjENbFm54HW97ogxeURuO8HRHIVh2U0rkyVxOfGZiUdINHqsZdSnDY07bzCtSr -Z/KsfWXM5llD1Ig1FyBHpKjyUvfzr73sjm/4 ------END CERTIFICATE-----` - serviceCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBQxEjAQBgNV -BAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsJRss1af -XKrcIjQoAp2kdJIpT2Ya+MRQXJ18b0PP7szh2lisY11kd/HCkd4D4efuIkpszHaN -xwyTOZLOoplxp6fizzgOYjXsJ6SzbO1MQNmq8Ch/+uKiGgFwLX+YxOOsGSDIHNhF -vcBi93cQtCWPBFz6QRQf9yfIAA5KKxUfJcMCAwEAAaMvMC0wCQYDVR0TBAIwADAL -BgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD -gYEAiC3WI4y9vfYz53gw7FKnNK7BBdwRc43x7Pd+5J/cclWyUZPdmcj1UNmv/3rj -2qcMmX06UdgPoHppzNAJePvMVk0vjMBUe9MmYlafMz0h4ma/it5iuldXwmejFcdL -6wWQp7gVTileCEmq9sNvfQN1FmT3EWf4IMdO2MNat/1If0g= ------END CERTIFICATE-----` - serviceKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj 
-hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` - clientRootPEM = serviceRootPEM - clientCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzjCCATegAwIBAgIBAjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBMxETAPBgNV -BAMMCHRlbGVncmFmMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP2IMqyOqI -sJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqMpBUTj3vLlOzsHfVVot1WRqc6 -3esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4UkJBWim8ArSbFqnZjcR19G3tG -LUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQABoy8wLTAJBgNVHRMEAjAAMAsG -A1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOB -gQCHxMk38XNxL9nPFBYo3JqITJCFswu6/NLHwDBXCuZKl53rUuFWduiO+1OuScKQ -sQ79W0jHsWRKGOUFrF5/Gdnh8AlkVaITVlcmhdAOFCEbeGpeEvLuuK6grckPitxy -bRF5oM4TCLKKAha60Ir41rk2bomZM9+NZu+Bm+csDqCoxQ== ------END CERTIFICATE-----` - clientKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDP2IMqyOqIsJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqM -pBUTj3vLlOzsHfVVot1WRqc63esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4U -kJBWim8ArSbFqnZjcR19G3tGLUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQAB -AoGAFzb/r4+xYoMXEfgq5ZvXXTCY5cVNpR6+jCsqqYODPnn9XRLeCsdo8z5bfWms -7NKLzHzca/6IPzL6Rf3vOxFq1YyIZfYVHH+d63/9blAm3Iajjp1W2yW5aj9BJjTb -nm6F0RfuW/SjrZ9IXxTZhSpCklPmUzVZpzvwV3KGeVTVCEECQQDoavCeOwLuqDpt -0aM9GMFUpOU7kLPDuicSwCDaTae4kN2rS17Zki41YXe8A8+509IEN7mK09Vq9HxY -SX6EmV1FAkEA5O9QcCHEa8P12EmUC8oqD2bjq6o7JjUIRlKinwZTlooMJYZw98gA -FVSngTUvLVCVIvSdjldXPOGgfYiccTZrFwJAfHS3gKOtAEuJbkEyHodhD4h1UB4+ -hPLr9Xh4ny2yQH0ilpV3px5GLEOTMFUCKUoqTiPg8VxaDjn5U/WXED5n2QJAR4J1 
-NsFlcGACj+/TvacFYlA6N2nyFeokzoqLX28Ddxdh2erXqJ4hYIhT1ik9tkLggs2z -1T1084BquCuO6lIcOwJBALX4xChoMUF9k0IxSQzlz//seQYDkQNsE7y9IgAOXkzp -RaR4pzgPbnKj7atG+2dBnffWfE+1Mcy0INDAO6WxPg0= ------END RSA PRIVATE KEY-----` - basicUsername = "test-username-please-ignore" basicPassword = "super-secure-password!" ) var ( - initClient sync.Once - client *http.Client - initServiceCertFiles sync.Once - allowedCAFiles []string - serviceCAFiles []string - serviceCertFile string - serviceKeyFile string + pki = testutil.NewPKI("../../../testutil/pki") ) func newTestHTTPListener() *HTTPListener { 
@@ -132,74 +57,25 @@ func newTestHTTPAuthListener() *HTTPListener { } func newTestHTTPSListener() *HTTPListener { - initServiceCertFiles.Do(func() { - acaf, err := ioutil.TempFile("", "allowedCAFile.crt") - if err != nil { - panic(err) - } - defer acaf.Close() - _, err = io.Copy(acaf, bytes.NewReader([]byte(clientRootPEM))) - allowedCAFiles = []string{acaf.Name()} - - scaf, err := ioutil.TempFile("", "serviceCAFile.crt") - if err != nil { - panic(err) - } - defer scaf.Close() - _, err = io.Copy(scaf, bytes.NewReader([]byte(serviceRootPEM))) - serviceCAFiles = []string{scaf.Name()} - - scf, err := ioutil.TempFile("", "serviceCertFile.crt") - if err != nil { - panic(err) - } - defer scf.Close() - _, err = io.Copy(scf, bytes.NewReader([]byte(serviceCertPEM))) - serviceCertFile = scf.Name() - - skf, err := ioutil.TempFile("", "serviceKeyFile.crt") - if err != nil { - panic(err) - } - defer skf.Close() - _, err = io.Copy(skf, bytes.NewReader([]byte(serviceKeyPEM))) - serviceKeyFile = skf.Name() - }) - listener := &HTTPListener{ - ServiceAddress: "localhost:0", - TlsAllowedCacerts: allowedCAFiles, - TlsCert: serviceCertFile, - TlsKey: serviceKeyFile, - TimeFunc: time.Now, + ServiceAddress: "localhost:0", + ServerConfig: *pki.TLSServerConfig(), + TimeFunc: time.Now, } return listener } func getHTTPSClient() *http.Client { - initClient.Do(func() { - cas := x509.NewCertPool() - cas.AppendCertsFromPEM([]byte(serviceRootPEM)) - clientCert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM)) - if err != nil { - panic(err) - } - client = &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: cas, - Certificates: []tls.Certificate{clientCert}, - MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, - CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - Renegotiation: tls.RenegotiateNever, - InsecureSkipVerify: false, - }, - }, - } - }) - return client + tlsConfig, err := pki.TLSClientConfig().TLSConfig() + 
if err != nil { + panic(err) + } + return &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + } } func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string { @@ -214,14 +90,14 @@ func createURL(listener *HTTPListener, scheme string, path string, rawquery stri func TestWriteHTTPSNoClientAuth(t *testing.T) { listener := newTestHTTPSListener() - listener.TlsAllowedCacerts = nil + listener.TLSAllowedCACerts = nil acc := &testutil.Accumulator{} require.NoError(t, listener.Start(acc)) defer listener.Stop() cas := x509.NewCertPool() - cas.AppendCertsFromPEM([]byte(serviceRootPEM)) + cas.AppendCertsFromPEM([]byte(pki.ReadServerCert())) noClientAuthClient := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ diff --git a/plugins/inputs/http_response/README.md b/plugins/inputs/http_response/README.md index 69b477ed4d561..4ccd236a508f8 100644 --- a/plugins/inputs/http_response/README.md +++ b/plugins/inputs/http_response/README.md @@ -32,11 +32,11 @@ This input plugin checks HTTP/HTTPS connections. # response_string_match = "ok" # response_string_match = "\".*_status\".?:.?\"up\"" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Headers (all values must be strings) diff --git a/plugins/inputs/http_response/http_response.go b/plugins/inputs/http_response/http_response.go index 9dcf9394ae690..1f1f687070f11 100644 --- a/plugins/inputs/http_response/http_response.go +++ b/plugins/inputs/http_response/http_response.go 
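Review bot: In the TestWriteHTTPSNoClientAuth hunk the client's root pool is now filled from `pki.ReadServerCert()`, whereas the removed code appended the CA (`serviceRootPEM`); if ReadServerCert returns the server's leaf rather than the issuing CA, the test pins the leaf instead of exercising chain validation against the CA the listener is configured with, which is a weaker check than before. If the testutil PKI exposes a CA-PEM reader, prefer it here, and otherwise add a comment stating that the leaf is trusted directly on purpose. Separately, the rewritten getHTTPSClient (hunk starting on the previous line) drops the old pinning of MinVersion/MaxVersion to TLS 1.2 and the single cipher suite; if any listener test depended on that negotiation, a comment noting the change of client profile would help the next reader.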
@@ -16,6 +16,7 @@ import (
 "github.com/influxdata/telegraf"
 "github.com/influxdata/telegraf/internal"
+ "github.com/influxdata/telegraf/internal/tls"
 "github.com/influxdata/telegraf/plugins/inputs"
 )
@@ -29,15 +30,7 @@ type HTTPResponse struct {
 Headers map[string]string
 FollowRedirects bool
 ResponseStringMatch string
-
- // Path to CA file
- SSLCA string `toml:"ssl_ca"`
- // Path to host cert file
- SSLCert string `toml:"ssl_cert"`
- // Path to cert key file
- SSLKey string `toml:"ssl_key"`
- // Use SSL but skip chain & host verification
- InsecureSkipVerify bool
+ tls.ClientConfig
 
 compiledStringMatch *regexp.Regexp
 client *http.Client
@@ -74,11 +67,11 @@ var sampleConfig = `
 # response_string_match = "ok"
 # response_string_match = "\".*_status\".?:.?\"up\""
 
- ## Optional SSL Config
- # ssl_ca = "/etc/telegraf/ca.pem"
- # ssl_cert = "/etc/telegraf/cert.pem"
- # ssl_key = "/etc/telegraf/key.pem"
- ## Use SSL but skip chain & host verification
+ ## Optional TLS Config
+ # tls_ca = "/etc/telegraf/ca.pem"
+ # tls_cert = "/etc/telegraf/cert.pem"
+ # tls_key = "/etc/telegraf/key.pem"
+ ## Use TLS but skip chain & host verification
 # insecure_skip_verify = false
 
 ## HTTP Request Headers (all values must be strings)
@@ -113,8 +106,7 @@ func getProxyFunc(http_proxy string) func(*http.Request) (*url.URL, error) {
 // CreateHttpClient creates an http client which will timeout at the specified
 // timeout period and can follow redirects if specified
 func (h *HTTPResponse) createHttpClient() (*http.Client, error) {
- tlsCfg, err := internal.GetTLSConfig(
- h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify)
+ tlsCfg, err := h.ClientConfig.TLSConfig()
 if err != nil {
 return nil, err
 }
diff --git a/plugins/inputs/httpjson/README.md b/plugins/inputs/httpjson/README.md
index e3ef83c87f21f..19fe014457734 100644
--- a/plugins/inputs/httpjson/README.md
+++ b/plugins/inputs/httpjson/README.md
@@ -34,11 +34,11 @@ Deprecated (1.6): use the [http](../http) input. # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Parameters (all values must be strings). For "GET" requests, data diff --git a/plugins/inputs/httpjson/httpjson.go b/plugins/inputs/httpjson/httpjson.go index bfa35752bcb6e..c7324dee4330a 100644 --- a/plugins/inputs/httpjson/httpjson.go +++ b/plugins/inputs/httpjson/httpjson.go @@ -12,6 +12,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -29,15 +30,7 @@ type HttpJson struct { ResponseTimeout internal.Duration Parameters map[string]string Headers map[string]string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -100,11 +93,11 @@ var sampleConfig = ` # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -133,8 +126,7 @@ func (h *HttpJson) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/influxdb/README.md b/plugins/inputs/influxdb/README.md index 8523931659455..2bab123f81c0e 100644 --- a/plugins/inputs/influxdb/README.md +++ b/plugins/inputs/influxdb/README.md @@ -20,11 +20,11 @@ InfluxDB-formatted endpoints. See below for more information. "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout diff --git a/plugins/inputs/influxdb/influxdb.go b/plugins/inputs/influxdb/influxdb.go index 811f4ce56bcaf..0bb3ead5ee642 100644 --- a/plugins/inputs/influxdb/influxdb.go +++ b/plugins/inputs/influxdb/influxdb.go @@ -10,21 +10,14 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) type InfluxDB struct { - URLs []string `toml:"urls"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - + URLs []string `toml:"urls"` Timeout internal.Duration + tls.ClientConfig client *http.Client } 
@@ -45,11 +38,11 @@ func (*InfluxDB) SampleConfig() string { "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout @@ -63,8 +56,7 @@ func (i *InfluxDB) Gather(acc telegraf.Accumulator) error { } if i.client == nil { - tlsCfg, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsCfg, err := i.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/jolokia2/README.md b/plugins/inputs/jolokia2/README.md index 283c4a5e50bf8..441ede2260bc9 100644 --- a/plugins/inputs/jolokia2/README.md +++ b/plugins/inputs/jolokia2/README.md @@ -18,14 +18,14 @@ The `jolokia2_agent` input plugin reads JMX metrics from one or more [Jolokia ag paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with agents: +Optionally, specify TLS options for communicating with agents: ```toml [[inputs.jolokia2_agent]] urls = ["https://agent:8080/jolokia"] - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false [[inputs.jolokia2_agent.metric]] 
@@ -55,15 +55,15 @@ The `jolokia2_proxy` input plugin reads JMX metrics from one or more _targets_ b paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with proxies: +Optionally, specify TLS options for communicating with proxies: ```toml [[inputs.jolokia2_proxy]] url = "https://proxy:8080/jolokia" - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false #default_target_username = "" diff --git a/plugins/inputs/jolokia2/client.go b/plugins/inputs/jolokia2/client.go index aa9a8f87bfc95..9f5de15d832a2 100644 --- a/plugins/inputs/jolokia2/client.go +++ b/plugins/inputs/jolokia2/client.go @@ -10,7 +10,7 @@ import ( "path" "time" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" ) type Client struct { @@ -20,15 +20,11 @@ type Client struct { } type ClientConfig struct { - ResponseTimeout time.Duration - Username string - Password string - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool - - ProxyConfig *ProxyConfig + ResponseTimeout time.Duration + Username string + Password string + ProxyConfig *ProxyConfig + tls.ClientConfig } type ProxyConfig struct { @@ -100,8 +96,7 @@ type jolokiaResponse struct { } func NewClient(url string, config *ClientConfig) (*Client, error) { - tlsConfig, err := internal.GetTLSConfig( - config.SSLCert, config.SSLKey, config.SSLCA, config.InsecureSkipVerify) + tlsConfig, err := config.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/jolokia2/jolokia_agent.go b/plugins/inputs/jolokia2/jolokia_agent.go index 1042da9d93f10..f1d58e6817682 100644 --- a/plugins/inputs/jolokia2/jolokia_agent.go +++ b/plugins/inputs/jolokia2/jolokia_agent.go 
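Review bot: In the client.go struct hunk, `type ClientConfig struct` now embeds a field that is itself named `ClientConfig` (the internal/tls type), so `config.ClientConfig.TLSConfig()` in NewClient and `ClientConfig: ja.ClientConfig` / `ClientConfig: jp.ClientConfig` in the agent and proxy literals (hunks on the next two lines) read as self-reference. jolokia2's ClientConfig appears to be an internal struct rather than the TOML-decoded one (the tls_* keys live on JolokiaAgent/JolokiaProxy), so a named field would remove the ambiguity: `TLS tls.ClientConfig` in the struct and `tlsConfig, err := config.TLS.TLSConfig()` in NewClient, with the two literals becoming `TLS: ja.ClientConfig` and `TLS: jp.ClientConfig`. If jolokia2.ClientConfig is ever decoded from TOML somewhere outside this hunk, keep the embedding so the tls_* keys still map, and add a comment on the field saying so.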
@@ -6,6 +6,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaAgent struct { @@ -18,10 +19,7 @@ type JolokiaAgent struct { Password string ResponseTimeout time.Duration `toml:"response_timeout"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` gatherer *Gatherer @@ -39,10 +37,10 @@ func (ja *JolokiaAgent) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add metrics to read @@ -101,12 +99,9 @@ func (ja *JolokiaAgent) createMetrics() []Metric { func (ja *JolokiaAgent) createClient(url string) (*Client, error) { return NewClient(url, &ClientConfig{ - Username: ja.Username, - Password: ja.Password, - ResponseTimeout: ja.ResponseTimeout, - SSLCA: ja.SSLCA, - SSLCert: ja.SSLCert, - SSLKey: ja.SSLKey, - InsecureSkipVerify: ja.InsecureSkipVerify, + Username: ja.Username, + Password: ja.Password, + ResponseTimeout: ja.ResponseTimeout, + ClientConfig: ja.ClientConfig, }) } diff --git a/plugins/inputs/jolokia2/jolokia_proxy.go b/plugins/inputs/jolokia2/jolokia_proxy.go index c9474871fc068..40909dcce4e5b 100644 --- a/plugins/inputs/jolokia2/jolokia_proxy.go +++ b/plugins/inputs/jolokia2/jolokia_proxy.go @@ -4,6 +4,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaProxy struct { 
@@ -16,13 +17,10 @@ type JolokiaProxy struct { DefaultTargetUsername string Targets []JolokiaProxyTargetConfig `toml:"target"` - Username string - Password string - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool - ResponseTimeout time.Duration `toml:"response_timeout"` + Username string + Password string + ResponseTimeout time.Duration `toml:"response_timeout"` + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` client *Client @@ -47,10 +45,10 @@ func (jp *JolokiaProxy) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add proxy targets to query @@ -117,13 +115,10 @@ func (jp *JolokiaProxy) createClient() (*Client, error) { } return NewClient(jp.URL, &ClientConfig{ - Username: jp.Username, - Password: jp.Password, - ResponseTimeout: jp.ResponseTimeout, - SSLCA: jp.SSLCA, - SSLCert: jp.SSLCert, - SSLKey: jp.SSLKey, - InsecureSkipVerify: jp.InsecureSkipVerify, - ProxyConfig: proxyConfig, + Username: jp.Username, + Password: jp.Password, + ResponseTimeout: jp.ResponseTimeout, + ClientConfig: jp.ClientConfig, + ProxyConfig: proxyConfig, }) } diff --git a/plugins/inputs/kafka_consumer/README.md b/plugins/inputs/kafka_consumer/README.md index 695001274c124..67dbb539eef5b 100644 --- a/plugins/inputs/kafka_consumer/README.md +++ b/plugins/inputs/kafka_consumer/README.md 
@@ -22,11 +22,11 @@ and use the old zookeeper connection method. ## Offset (must be either "oldest" or "newest") offset = "oldest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/inputs/kafka_consumer/kafka_consumer.go b/plugins/inputs/kafka_consumer/kafka_consumer.go index 4e4715617c9f4..bf74dd5abaae5 100644 --- a/plugins/inputs/kafka_consumer/kafka_consumer.go +++ b/plugins/inputs/kafka_consumer/kafka_consumer.go @@ -7,7 +7,7 @@ import ( "sync" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -23,14 +23,7 @@ type Kafka struct { Cluster *cluster.Consumer - // Verify Kafka SSL Certificate - InsecureSkipVerify bool - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` + tls.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` @@ -67,11 +60,11 @@ var sampleConfig = ` ## topic(s) to consume topics = ["telegraf"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config 
@@ -116,8 +109,7 @@ func (k *Kafka) Start(acc telegraf.Accumulator) error { config := cluster.NewConfig() config.Consumer.Return.Errors = true - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/kapacitor/README.md b/plugins/inputs/kapacitor/README.md index ae5b365da94fd..2ff4eab88af57 100644 --- a/plugins/inputs/kapacitor/README.md +++ b/plugins/inputs/kapacitor/README.md @@ -15,11 +15,11 @@ The Kapacitor plugin will collect metrics from the given Kapacitor instances. ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/kapacitor/kapacitor.go b/plugins/inputs/kapacitor/kapacitor.go index ea0ca055b9cbe..f20b98774aebd 100644 --- a/plugins/inputs/kapacitor/kapacitor.go +++ b/plugins/inputs/kapacitor/kapacitor.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -17,18 +18,9 @@ const ( ) type Kapacitor struct { - URLs []string `toml:"urls"` - + URLs []string `toml:"urls"` Timeout internal.Duration - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } 
@@ -48,11 +40,11 @@ func (*Kapacitor) SampleConfig() string { ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` } @@ -82,8 +74,7 @@ func (k *Kapacitor) Gather(acc telegraf.Accumulator) error { } func (k *Kapacitor) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/kubernetes/kubernetes.go b/plugins/inputs/kubernetes/kubernetes.go index 9d07d6a427803..870524a80317d 100644 --- a/plugins/inputs/kubernetes/kubernetes.go +++ b/plugins/inputs/kubernetes/kubernetes.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,18 +22,11 @@ type Kubernetes struct { // Bearer Token authorization file path BearerToken string `toml:"bearer_token"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - // HTTP Timeout specified as a string - 3s, 1m, 1h ResponseTimeout internal.Duration + tls.ClientConfig + RoundTripper http.RoundTripper } 
@@ -46,11 +40,11 @@ var sampleConfig = ` ## Set response_timeout (default 5 seconds) # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -101,7 +95,7 @@ func (k *Kubernetes) gatherSummary(baseURL string, acc telegraf.Accumulator) err var token []byte var resp *http.Response - tlsCfg, err := internal.GetTLSConfig(k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/mesos/README.md b/plugins/inputs/mesos/README.md index 46df267aad2f6..b18908b8a3b9a 100644 --- a/plugins/inputs/mesos/README.md +++ b/plugins/inputs/mesos/README.md @@ -36,11 +36,11 @@ For more information, please check the [Mesos Observability Metrics](http://meso # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/mesos/mesos.go b/plugins/inputs/mesos/mesos.go index 5b0697cabaa56..15e2bfccb6bdb 100644 --- a/plugins/inputs/mesos/mesos.go +++ b/plugins/inputs/mesos/mesos.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) 
@@ -33,15 +33,7 @@ type Mesos struct { Slaves []string SlaveCols []string `toml:"slave_collections"` //SlaveTasks bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig initialized bool client *http.Client @@ -83,11 +75,11 @@ var sampleConfig = ` # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -216,8 +208,7 @@ func (m *Mesos) Gather(acc telegraf.Accumulator) error { } func (m *Mesos) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/mongodb/README.md b/plugins/inputs/mongodb/README.md index 48c01a5905719..a78d7b9542f7d 100644 --- a/plugins/inputs/mongodb/README.md +++ b/plugins/inputs/mongodb/README.md @@ -14,11 +14,11 @@ ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` 
diff --git a/plugins/inputs/mongodb/mongodb.go b/plugins/inputs/mongodb/mongodb.go index e6b811e54bf19..895667dee9fd3 100644 --- a/plugins/inputs/mongodb/mongodb.go +++ b/plugins/inputs/mongodb/mongodb.go @@ -12,7 +12,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "gopkg.in/mgo.v2" ) @@ -22,15 +22,7 @@ type MongoDB struct { Ssl Ssl mongos map[string]*Server GatherPerdbStats bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tlsint.ClientConfig } type Ssl struct { @@ -49,11 +41,11 @@ var sampleConfig = ` ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -134,7 +126,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { var tlsConfig *tls.Config if m.Ssl.Enabled { - // Deprecated SSL config + // Deprecated TLS config tlsConfig = &tls.Config{} if len(m.Ssl.CaCerts) > 0 { roots := x509.NewCertPool() @@ -149,8 +141,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { tlsConfig.InsecureSkipVerify = true } } else { - tlsConfig, err = internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsConfig, err = m.ClientConfig.TLSConfig() if err != nil { return err } 
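Review bot: The new `tlsint.ClientConfig` embedding sits beside the still-supported `Ssl Ssl` field, and gatherServer only consults it in the `else` of `if m.Ssl.Enabled`, so a config that sets both `ssl.enabled = true` and `tls_ca`/`tls_cert` silently ignores the tls_* settings and takes the deprecated path, one branch of which sets `tlsConfig.InsecureSkipVerify = true` (its condition is outside the hunk). Consider stating the precedence in the sampleConfig hunk, e.g. `## The deprecated [inputs.mongodb.ssl] block, when enabled, takes precedence over the tls_* settings`, and logging a deprecation warning when the `m.Ssl.Enabled` branch is taken, so operators can tell which verification path is actually in use. gatherServer starts before this hunk.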
diff --git a/plugins/inputs/mqtt_consumer/README.md b/plugins/inputs/mqtt_consumer/README.md index 2889bde5924ca..df7869a862091 100644 --- a/plugins/inputs/mqtt_consumer/README.md +++ b/plugins/inputs/mqtt_consumer/README.md @@ -36,11 +36,11 @@ The plugin expects messages in the # username = "telegraf" # password = "metricsmetricsmetricsmetrics" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/mqtt_consumer/mqtt_consumer.go b/plugins/inputs/mqtt_consumer/mqtt_consumer.go index 6903f654d3560..58074af79e32c 100644 --- a/plugins/inputs/mqtt_consumer/mqtt_consumer.go +++ b/plugins/inputs/mqtt_consumer/mqtt_consumer.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -33,15 +34,7 @@ type MQTTConsumer struct { PersistentSession bool ClientID string `toml:"client_id"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig sync.Mutex client mqtt.Client 
@@ -83,11 +76,11 @@ var sampleConfig = ` # username = "telegraf" # password = "metricsmetricsmetricsmetrics" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. @@ -236,8 +229,7 @@ func (m *MQTTConsumer) createOpts() (*mqtt.ClientOptions, error) { opts.SetClientID(m.ClientID) } - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/mysql/README.md b/plugins/inputs/mysql/README.md index a190c600d04aa..564d75e614046 100644 --- a/plugins/inputs/mysql/README.md +++ b/plugins/inputs/mysql/README.md @@ -82,10 +82,10 @@ This plugin gathers the statistic data from MySQL server ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) interval_slow = "30m" - ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.pem" - ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) + tls_ca = "/etc/telegraf/ca.pem" + tls_cert = "/etc/telegraf/cert.pem" + tls_key = "/etc/telegraf/key.pem" ``` #### Metric Version diff --git a/plugins/inputs/mysql/mysql.go b/plugins/inputs/mysql/mysql.go index 6e5a89e3bf541..063452b7cbe5c 100644 --- a/plugins/inputs/mysql/mysql.go +++ b/plugins/inputs/mysql/mysql.go 
@@ -11,7 +11,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs/mysql/v1" @@ -38,10 +38,8 @@ type Mysql struct { GatherFileEventsStats bool `toml:"gather_file_events_stats"` GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"` IntervalSlow string `toml:"interval_slow"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` MetricVersion int `toml:"metric_version"` + tls.ClientConfig } var sampleConfig = ` @@ -118,10 +116,12 @@ var sampleConfig = ` ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) interval_slow = "30m" - ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.pem" - ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification + # insecure_skip_verify = false ` var defaultTimeout = time.Second * time.Duration(5) @@ -161,7 +161,7 @@ func (m *Mysql) Gather(acc telegraf.Accumulator) error { m.InitMysql() } - tlsConfig, err := internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false) + tlsConfig, err := m.ClientConfig.TLSConfig() if err != nil { return fmt.Errorf("registering TLS config: %s", err) } diff --git a/plugins/inputs/nginx/README.md b/plugins/inputs/nginx/README.md index 819501ea7f005..7b5215dc3fdb0 100644 --- a/plugins/inputs/nginx/README.md +++ b/plugins/inputs/nginx/README.md 
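Review bot: The sampleConfig in this hunk comments out `tls_ca`/`tls_cert`/`tls_key` and adds `# insecure_skip_verify = false`, but the mysql README hunk on the previous line keeps the three keys active and does not mention `insecure_skip_verify`, so the two documents now disagree. This is also a behaviour change worth documenting: the removed call passed `false` for skip-verify unconditionally, while `m.ClientConfig.TLSConfig()` presumably honours the new key, so the README should state that `insecure_skip_verify` now applies to the `tls=custom` connection. Gather continues outside the hunk.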
@@ -8,11 +8,11 @@ ## An array of Nginx stub_status URI to gather stats. urls = ["http://localhost/server_status"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP response timeout (default: 5s) diff --git a/plugins/inputs/nginx/nginx.go b/plugins/inputs/nginx/nginx.go index 3880dd91dbcd4..1a1a115d3a1e3 100644 --- a/plugins/inputs/nginx/nginx.go +++ b/plugins/inputs/nginx/nginx.go @@ -13,34 +13,28 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) type Nginx struct { - // List of status URLs - Urls []string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to client cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + Urls []string + ResponseTimeout internal.Duration + tls.ClientConfig + // HTTP client client *http.Client - // Response timeout - ResponseTimeout internal.Duration } var sampleConfig = ` # An array of Nginx stub_status URI to gather stats. urls = ["http://localhost/server_status"] - # TLS/SSL configuration - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.cer" - ssl_key = "/etc/telegraf/key.key" + ## Optional TLS Config + tls_ca = "/etc/telegraf/ca.pem" + tls_cert = "/etc/telegraf/cert.cer" + tls_key = "/etc/telegraf/key.key" + ## Use TLS but skip chain & host verification insecure_skip_verify = false # HTTP response timeout (default: 5s) 
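Review bot: The nginx sampleConfig in this hunk leaves `tls_ca`, `tls_cert` and `tls_key` uncommented while the nginx README hunk on the same line comments them out, so `telegraf config` emits a sample pointing at files that usually do not exist and the two documents disagree. Every other plugin in this patch comments the keys out; suggest `# tls_ca = "/etc/telegraf/ca.pem"` and likewise for the cert and key lines, matching the README. The struct rewrite also drops the `// List of status URLs` and `// Response timeout` comments on the exported config fields; keeping a one-line comment on each would preserve that documentation.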
@@ -87,8 +81,7 @@ func (n *Nginx) Gather(acc telegraf.Accumulator) error { } func (n *Nginx) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsCfg, err := n.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/openldap/README.md b/plugins/inputs/openldap/README.md index 44e751f5ee8e6..aac60021988b0 100644 --- a/plugins/inputs/openldap/README.md +++ b/plugins/inputs/openldap/README.md @@ -20,7 +20,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev insecure_skip_verify = false # Path to PEM-encoded Root certificate to use to verify server certificate - ssl_ca = "/etc/ssl/certs.pem" + tls_ca = "/etc/ssl/certs.pem" # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. bind_dn = "" diff --git a/plugins/inputs/openldap/openldap.go b/plugins/inputs/openldap/openldap.go index e413ecbed9718..8a423ba5146d1 100644 --- a/plugins/inputs/openldap/openldap.go +++ b/plugins/inputs/openldap/openldap.go @@ -8,7 +8,7 @@ import ( "gopkg.in/ldap.v2" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -36,7 +36,7 @@ const sampleConfig string = ` insecure_skip_verify = false # Path to PEM-encoded Root certificate to use to verify server certificate - ssl_ca = "/etc/ssl/certs.pem" + tls_ca = "/etc/ssl/certs.pem" # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. bind_dn = "" 
@@ -85,7 +85,11 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error { var l *ldap.Conn if o.Ssl != "" { // build tls config - tlsConfig, err := internal.GetTLSConfig("", "", o.SslCa, o.InsecureSkipVerify) + clientTLSConfig := tls.ClientConfig{ + SSLCA: o.SslCa, + InsecureSkipVerify: o.InsecureSkipVerify, + } + tlsConfig, err := clientTLSConfig.TLSConfig() if err != nil { acc.AddError(err) return nil diff --git a/plugins/inputs/prometheus/README.md b/plugins/inputs/prometheus/README.md index ac7405014a8ce..227f3f737fffc 100644 --- a/plugins/inputs/prometheus/README.md +++ b/plugins/inputs/prometheus/README.md @@ -20,11 +20,11 @@ in Prometheus format. ## Specify timeout duration for slower prometheus clients (default is 3s) # response_timeout = "3s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/prometheus/prometheus.go b/plugins/inputs/prometheus/prometheus.go index 2a8a6b284b206..23709790f6573 100644 --- a/plugins/inputs/prometheus/prometheus.go +++ b/plugins/inputs/prometheus/prometheus.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -30,14 +31,7 @@ type Prometheus struct { ResponseTimeout internal.Duration `toml:"response_timeout"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } 
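Review bot: Gather now builds `tls.ClientConfig{SSLCA: o.SslCa, ...}`, but the openldap README and sampleConfig hunks in this patch tell users to set `tls_ca`; unless the `SslCa` field's TOML mapping was also changed (its declaration is outside this hunk), a config that follows the new docs leaves `SslCa` empty and the CA is silently not loaded, which is a hard failure for servers signed by a private CA or an unverified connection if `insecure_skip_verify` is set. Either keep documenting `ssl_ca` for this plugin or add a `tls_ca`-mapped field and read it here. Populating the `SSLCA` member of ClientConfig rather than a TLS-named one, if ClientConfig offers one, looks like it relies on a compatibility path in `internal/tls`; a comment such as `// SslCa is this plugin's own option; map it onto the shared ClientConfig` would make the intent clear. Gather continues outside the hunk.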
@@ -55,11 +49,11 @@ var sampleConfig = ` ## Specify timeout duration for slower prometheus clients (default is 3s) # response_timeout = "3s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -167,8 +161,7 @@ var client = &http.Client{ } func (p *Prometheus) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - p.SSLCert, p.SSLKey, p.SSLCA, p.InsecureSkipVerify) + tlsCfg, err := p.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/rabbitmq/README.md b/plugins/inputs/rabbitmq/README.md index 5dae5e091ed1b..ae6dac6f1e4c9 100644 --- a/plugins/inputs/rabbitmq/README.md +++ b/plugins/inputs/rabbitmq/README.md @@ -16,11 +16,11 @@ For additional details reference the [RabbitMQ Management HTTP Stats](https://cd # username = "guest" # password = "guest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional request timeouts diff --git a/plugins/inputs/rabbitmq/rabbitmq.go b/plugins/inputs/rabbitmq/rabbitmq.go index e0d12c3db31d3..49dabe1b590ad 100644 --- a/plugins/inputs/rabbitmq/rabbitmq.go +++ b/plugins/inputs/rabbitmq/rabbitmq.go 
@@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -37,14 +38,7 @@ type RabbitMQ struct { Name string Username string Password string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig ResponseHeaderTimeout internal.Duration `toml:"header_timeout"` ClientTimeout internal.Duration `toml:"client_timeout"` @@ -175,11 +169,11 @@ var sampleConfig = ` # username = "guest" # password = "guest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional request timeouts @@ -223,8 +217,7 @@ func (r *RabbitMQ) Description() string { // Gather ... func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error { if r.Client == nil { - tlsCfg, err := internal.GetTLSConfig( - r.SSLCert, r.SSLKey, r.SSLCA, r.InsecureSkipVerify) + tlsCfg, err := r.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 076e1f4b8756c..daab8495208f1 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go 
@@ -16,6 +16,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -161,14 +162,12 @@ func (psl *packetSocketListener) listen() { } type SocketListener struct { - ServiceAddress string `toml:"service_address"` - MaxConnections int `toml:"max_connections"` - ReadBufferSize int `toml:"read_buffer_size"` - ReadTimeout *internal.Duration `toml:"read_timeout"` - TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"` - TLSCert string `toml:"tls_cert"` - TLSKey string `toml:"tls_key"` - KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"` + ServiceAddress string `toml:"service_address"` + MaxConnections int `toml:"max_connections"` + ReadBufferSize int `toml:"read_buffer_size"` + ReadTimeout *internal.Duration `toml:"read_timeout"` + KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"` + tlsint.ServerConfig parsers.Parser telegraf.Accumulator @@ -259,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { l net.Listener ) - tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts) + tlsCfg, err := sl.ServerConfig.TLSConfig() if err != nil { return nil } diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go index b647e724fcedc..65ee0db94531c 100644 --- a/plugins/inputs/socket_listener/socket_listener_test.go +++ b/plugins/inputs/socket_listener/socket_listener_test.go 
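Review bot: A failure from `sl.ServerConfig.TLSConfig()` makes Start return `nil`, so a bad `tls_cert`/`tls_key` path or an unreadable `tls_allowed_cacerts` file yields a plugin that reports success without ever listening; the `return nil` on the line after the new call should be `return err`. The swallow predates the rename, but the new call is the only place a TLS misconfiguration surfaces, and hiding it means a listener meant to require client certificates silently does not start. Start continues outside the hunk.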
@@ -9,12 +9,13 @@ import ( "testing" "time" - "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) +var pki = testutil.NewPKI("../../../testutil/pki") + // testEmptyLog is a helper function to ensure no data is written to log. // Should be called at the start of the test, and returns a function which should run at the end. func testEmptyLog(t *testing.T) func() { @@ -32,16 +33,14 @@ func TestSocketListener_tcp_tls(t *testing.T) { sl := newSocketListener() sl.ServiceAddress = "tcp://127.0.0.1:0" - sl.TLSCert = "testdata/server.pem" - sl.TLSKey = "testdata/server.key" - sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} + sl.ServerConfig = *pki.TLSServerConfig() acc := &testutil.Accumulator{} err := sl.Start(acc) require.NoError(t, err) defer sl.Stop() - tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + tlsCfg, err := pki.TLSClientConfig().TLSConfig() require.NoError(t, err) secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg) @@ -55,16 +54,15 @@ func TestSocketListener_unix_tls(t *testing.T) { sl := newSocketListener() sl.ServiceAddress = "unix:///tmp/telegraf_test.sock" - sl.TLSCert = "testdata/server.pem" - sl.TLSKey = "testdata/server.key" - sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} + sl.ServerConfig = *pki.TLSServerConfig() acc := &testutil.Accumulator{} err := sl.Start(acc) require.NoError(t, err) defer sl.Stop() - tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + tlsCfg, err := pki.TLSClientConfig().TLSConfig() + tlsCfg.InsecureSkipVerify = true require.NoError(t, err) secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg) 
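Review bot: In TestSocketListener_unix_tls the new line `tlsCfg.InsecureSkipVerify = true` dereferences `tlsCfg` before `require.NoError(t, err)` runs, so a failing `TLSConfig()` now panics on a nil pointer instead of reporting the error; move the assignment below the `require`. The tcp test in the hunk above verifies the server certificate normally, so the unix test presumably disables verification only because the socket path cannot match the certificate's name; setting `tlsCfg.ServerName` to the name carried by the test server certificate (not visible here) would keep verification on instead of accepting any certificate. A one-line comment explaining why verification is skipped would help either way.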
diff --git a/plugins/inputs/socket_listener/testdata/ca.pem b/plugins/inputs/socket_listener/testdata/ca.pem deleted file mode 100644 index d3b6d9a14080c..0000000000000 --- a/plugins/inputs/socket_listener/testdata/ca.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVTCCAz2gAwIBAgIJAOhLvwv6zUf+MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG -A1UECgwEVGVzdDAeFw0xODA0MTcwNDIwNDZaFw0yMTAyMDQwNDIwNDZaMEExCzAJ -BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN -MAsGA1UECgwEVGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKwE -Xy814CDH03G3Fg2/XSpYZXVMzwp6oq/bUe3iLhkOpA6C4+j07AxAAa22qEPlvYkb -W7oxVJiL0ih1od2FeAxvroBTmjG54j/Syb8OeQsZaJLNp1rRmwYGBIVi284ScaIc -dn+2bfmfpSLjK3SbU5XygtwIE3gh/B7x02UJRNJmJ1faRT2CfTeg/56xnTE4bcR5 -HRrlojoN5laJngowLWAEAvWljCR8oge+ciNYB3xoK8Hgc9+WgTy95G1RBCNkaFFI -73nrcHl6dGOH9UgIqfbHJYxNEarI3o/JAr8DIBS0W4r8r4aY4JQ4LoN3bg4mLHQq -THKkVW5hyBeWe47qmlL0m4F6/+mzVi95NAWG2BQDCZJAWJNc+PbSRHi81838m7ff -O4rixd/F53LUUas8/zVca3vtv+XjOHZzIQLIy1bM4MhzpHlRcSmS9kqxxZ3S70e3 -ZIWFdM0iRrtlBbJeoHIJRDpgPRYIWdRc6XotljTTi6/lN4Bj/0NK4E3iONcDsscN -kiqEHRAWZ4ptCqdVPgYR0S096Fx6OaC3ASODE0Cjb18ylZQRsQi8TiYSihGzuoio -wJwSLdIifDbbSUkjT1384cA/HsOjFQ9xHXYa6cQnAg3TUZyG1lAMJyFWYke+rxmG -srfL/EtIzgbzmEOC5anQjA2pdgUO9Pk2SinJaMApAgMBAAGjUDBOMB0GA1UdDgQW -BBQNJctDLjj8bVKNCYANaOcboPQnmzAfBgNVHSMEGDAWgBQNJctDLjj8bVKNCYAN -aOcboPQnmzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQATSr26Kc8g -3l2zuccoKWM57DQcgRmzSYwEOKA2jn3FWmrAdwozEIkLaTK0OXz0zh2dZxh9V3GR -w0WFCynbGNy/9s33MSi+zIWJOU/MZvt6zGE5CTcTgZ+u5IZyvSubMkPcwQi3Yvcg -AHmWzpF42kT2J5C5MfrSU65hrhPX7hT/CUoV3gN7oxFzj+/ED4kgNorO8SUUJCmq -DJNFbjgsD63EhnvAhn1AeM35GmKdl2enEKqcZsRkE4ZLpU7ibrThEm1aOQuJUtHk -gDAx49QMdQpWnxWxnfoiwpLu7ufR7ls8O9oA8ZJux/SVHEmtkOdRsuMtY5MElFZg -dANlQsdFWDko4ixaxFYzppuPNnRlqjGNnaEFJrNc2KR0Dxgmp28Yh2VyLd4r3fLT -nLVBYF8KzFchUdXYYPNBXwAf/N52jGfugDx8snLxOfzxoUZ4y64qMCpYhntGgBJ1 -Rrk2trcn3Dw19gi8p3ylbdoz/Ch1INDDrO35pd0bZpcwASc/UNU72W5v2kGL0H7o -nJzgtrqeHcoIzNBmBhHlMlnTF5GMfrYGsf5d30KyKv7UL6qJTvT641dpKpB/FFrk -y3AQbKmKRDI+aVzeOlwdy/eJAwt7FikD4bR9GZ4PBX9n9jd4u/PHZNfxtgzplqo1 -oy7kJv0cB/vRKOblmn/vPUfTFtAX7M3GkQ== ------END CERTIFICATE----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.key b/plugins/inputs/socket_listener/testdata/client.key deleted file mode 100644 index 285a2747825b4..0000000000000 --- a/plugins/inputs/socket_listener/testdata/client.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAmRuY+9Gg5V4e9hCd2mYek1jKeoaZijz89EPvox78XzoGdxPf -RoukUcTVS9VWN7HyJBjRA9P+KuHI9dX47skxyxH53uXZvRmGQAJBY4cE07JHvGkZ -eK1heXoWlBzYtivckha7bLBfn1ttAzcFCblUfJdzsn9XDuC4Jfn4oSaKn1o8Rzy1 -KRvyLgvsYxMA/XzhyBzVMyoUOulye7EZx4f+AwSNmNHD4OgtxxPofrrMOtXZ2tC6 -xNOexIZXbsB9dyrUW+4pWXYaadU7fl2V+arAJj+NVxV+3tmGGjmd1MiIypPx6BbP -g7xH20nJ/Y0U6V7gklZpYO1i84RbtR/kqBgi9QIDAQABAoIBAEONJJM+KyHnw/tG -246HbcgO7c7fYhDW1bgj3S/4NNsC6+VP1Dv40nftQzphFtgd37rDZDyvJL3gvlyQ -mnMoO5rgBIGuocHH6C6HkDgMUznft7zOFhnjTVVeY2XX0FmXwoqGEw1iR940ZUV8 -2fEvXrJV1AsWGeALj9PZlTPsoE6rv5sUk9Lh3wCD73m7GSg7DzBRE+6bBze8Lmwn -ZzTvmimhgPJw8LR5rRpYbDbhAJLAfgA7/yPgYEPxA/ffry6Ba4epj8tVNUNOAcOf -PURF+uuIF7RceI2PkdvoNuQyVR5oxQUPUfidfVK5ClUmnHECSgb/FFnYC+nU2vSi -IAnmC6ECgYEAyrUFHyxxuIQAiinjBxa0OQ3ynvMxDnF/+zvWe8536Y61lz9dblKb -0xvFhpOEMfiG/zFdZdWJ+xdq7VQVNMHu4USoskG8sZs5zImMTu50kuDNln7xYqVf -SUuN1U7cp7JouI1qkZAOsytPfAgZN/83hLObd07lAvL44jKYaHVeMmkCgYEAwVxZ -wKXpboHwQawA+4ubsnZ36IlOk21/+FlGJiDg/LB643BS+QhgVNxuB2gL1gOCYkhl -6BBcIhWMvZOIIo5uwnv4fQ+WfFwntU9POFViZgbZvkitQtorB7MXc/NU2BDrNYx2 -TBCiRn/9BaZ4fziW8I3Fx3xQ3rKDBXrexmrJQq0CgYEAvYGQYT12r47Qxlo0gcsL -AA/3E/y9jwgzItglQ6eZ2ULup5C4s0wNm8Zp2s+Mlf8HjgpDi9Gf5ptU/r1N+f2Y -awd6QvRMCSraVUr+Xkh1uV7rNNhGqPd75pT460OH7EtRtb+XsrAf3gcOjyEvGnfC -GpCjNl4OobwvS6ELdRTM1IkCgYAHUGX4uo3k5zdeVJJI8ZP3ITIR8retLfQsQbw8 -jvvTsx1C4ynQT7fNHfVvhEkGVGWnMBPivlOt2mDTfvQkUnzwEF5q5J8NnzLFUfWu -LNSnBVVRNFCRec0s4mJduXOZJLKw+No0sGBjCE5a21wte8eB2+sCS7qHYftAxtAM -c1eflQKBgQDGTFsMvpM8BEPTreinTllFBdjeYchcdY/Ov9DZ3mMVopjAWRD81MKM -zM1RCqwLkgv9FvF79B1FLJ1Inr8e/XIGdcrhE1a4sZdIWdqTWQ4xFrlDgxCquq66 -da09WVBRdvq2kVLAMaBViH2/GP1G4ZV9a8+JHuWKj+Arrr52Qeazjw== ------END RSA PRIVATE KEY----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.pem b/plugins/inputs/socket_listener/testdata/client.pem deleted file mode 100644 index d741e6518964e..0000000000000 --- a/plugins/inputs/socket_listener/testdata/client.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT -30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp -GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8 -tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ -usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW -z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF -AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj -YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa -2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv -H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN -3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r -Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q -ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv -MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc -8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g -AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv -o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s= ------END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/server.key b/plugins/inputs/socket_listener/testdata/server.key deleted file mode 100644 index 4ad8e642f6952..0000000000000 
--- a/plugins/inputs/socket_listener/testdata/server.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAzkEDLijGOqXNQPAqUjOz5TLuM28SENauknLtcfIyEN/N6PwZ -re5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7HQz8lAKniir2ZH+axkjp5LUE6vYJd -I1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLhN5waKR86jpQaNkfnI7/4U3yrlymK -yaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1urYyiRbju2iL9YmtSM72yWXvFsD1O -I4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U35xG597M031WmR5o67rc63sqs+Q// -V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQWVQIDAQABAoIBAHFxFJy41H7BXulO -rxhTU6jGoHktqBQW4CGwkKTRf3QEhK6WqlEd8Y5eKzZgL1q1HLPSehEyPCYCUjpT -EgxlhLeZ7XI1/mIs8iG3swconimj7Pj60Nt0dqq1njWRJYQsKua0Kw1m0B+rVKBy -+qKRxondlA32HTD6iIg+eAUTuzO/KzimZcyL9hiT/g6aN9k0H5+qURi8dO7VV8fD -zvP8Y+oOGLwW2ccp+ZjFQizjTOkL4lgldr0hsGQXZJNHL94fA7jPdAxAUbnTicMJ -oXM++L3eCwIVabipGxxlqCMj9Dn8yfbQvRGzP2e76QDeROYZHX4osH6vLcZEjx9i -tJ4J+ekCgYEA82kKzkSKmFo4gZxnqAywlfZ2X2PADuMmHdqdiDFwt54orlMlKf/b -wVSvN/djLXwvFHuyzFmJeMFSHKFkYVTOsh8kPSETAIGkcJEMHD3viYn7DwjkQudY -vB/FpBWSiDT0T7qDUCzW3iMbx/JvTUSp7uO4ZuwOu6t6v3PEZwIChQ8CgYEA2Ov9 -FXHmm7sS54HgvZd6Wk8zLMLIDnyMmECjtYOasJ9c40yQHpRlXsb+Dzn/2xhMMwth -Bln2hIiJ/e+G0bzFu4x0cItRPOQeRNyz5Pal8EsATeUwcX4KRKOZaUpDkV6XV1L0 -r/HSk/wed+90B74sGoJY1qsFflOATIUVs7SIllsCgYEAwhGSB/sl9WqZet1U1+um -LyqeHlfNnREGJu9Sgm/Iyt1S2gp4qw/QCkiWmyym6nEEqHQnjj4lGR4pdaJIAkI3 -ulSR9BsWp2S10voSicHn5eUZQld4hs8lNHiwf66jce2mjJrMb3QQrHOZhsWIcDa6 -tjjhoU28QWzrJRIMGYTEtYkCgYA17NSJlDsj06mra5oXB6Ue9jlekz1wfH3nC4qn -AQRfi/5ncw0QzQs2OHnIBz8XlD69IcMI9SxXXioPuo/la+wr54q6v6d+X6c2rzb5 -YGd4CO0WcDdOv2qGDbWBezi41q8AwlqZsqAKsc5ROnG5ywjjviufkfxXnyJx41O1 -zNd3qQKBgGEy+EwUXD5iGeQxdCDnd6iVu14SoBscHO5SpIeDu3DIhnu+7gPq2VMg -Vp9j/iNVtEA3HyYCOeXc2rz9Di1wwt3YijED4birLAkC5YW6YB9rmLMfCNc1EyLh -BKAkUQN3D+XCN4pXdbKvbkOcfYRUHoD+pPBjRYH020OtPBUc6Wkl ------END RSA PRIVATE KEY----- diff --git a/plugins/inputs/socket_listener/testdata/server.pem b/plugins/inputs/socket_listener/testdata/server.pem deleted file mode 100644 index 96cfa0b00a4ca..0000000000000 
--- a/plugins/inputs/socket_listener/testdata/server.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEJjCCAg4CCQCmcronmMSqXDANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDAwWhcNNDUwOTAyMDQyNDAwWjBpMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJMTI3LjAuMC4x -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkEDLijGOqXNQPAqUjOz -5TLuM28SENauknLtcfIyEN/N6PwZre5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7H -Qz8lAKniir2ZH+axkjp5LUE6vYJdI1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLh -N5waKR86jpQaNkfnI7/4U3yrlymKyaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1u -rYyiRbju2iL9YmtSM72yWXvFsD1OI4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U3 -5xG597M031WmR5o67rc63sqs+Q//V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQW -VQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCVgzqFrehoRAMFLMEL8avfokYtsSYc -50Yug4Es0ISo/PRWGeUnv8k1inyE3Y1iR/gbN5n/yjLXJKEflan6BuqGuukfr2eA -fRdDCyPvzQLABdxCx2n6ByQFxj92z82tizf35R2OMuHHWzTckta+7s5EvxwIiUsd -rUuXp+0ltJzlYYW9xTGFiJO9hAbRgMgZiwL8F7ayic8GmLQ1eRK/DfKDCOH3afeX -MNN5FulgjqNyhXHF33vwgIJynGDg2JEhkWjB1DkUAxll0+SMQoYyVGZVrQSGbGw1 -JhOLc8C8bTzfK3qcJDuyldvjiut+To+lpu76R0u0+sn+wxQFL1uCWuAbMJgGsJgM -ARavu2XDeae9X+e8MgJuN1FYS3tihBplPjMJD3UYRybRvHAvQh26BZ7Ch3JNSNST -AL2l5T7JKU+XaWWeo+crV+AnGIJyqyh9Su/n97PEoZoEMGH4Kcl/n/w2Jms60+5s -K0FK2OGNL42ddUfQiVL9CwYQQo70hydjsIo1x8S6+tSFLMAAysQEToSjfAA6qxDu -fgGVMuIYHo0rSkpTVsHVwru08Z5o4m+XDAK0iHalZ4knKsO0lJ+9l7vFnQHlzwt7 -JTjDhnyOKWPIANeWf3PrHPWE7kKpFVBqFBzOvWLJuxDu5NlgLo1PFahsahTqB9bz -qwUyMg/oYWnwqw== ------END CERTIFICATE----- diff --git a/plugins/inputs/tomcat/README.md b/plugins/inputs/tomcat/README.md index 3baf68556b935..1399a3157199c 100644 --- a/plugins/inputs/tomcat/README.md +++ b/plugins/inputs/tomcat/README.md 
@@ -19,11 +19,11 @@ See the [Tomcat documentation](https://tomcat.apache.org/tomcat-9.0-doc/manager- ## Request timeout # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/tomcat/tomcat.go b/plugins/inputs/tomcat/tomcat.go index dd3c03ce37ab9..40ae7de816658 100644 --- a/plugins/inputs/tomcat/tomcat.go +++ b/plugins/inputs/tomcat/tomcat.go @@ -10,6 +10,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -63,11 +64,7 @@ type Tomcat struct { Username string Password string Timeout internal.Duration - - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tls.ClientConfig client *http.Client request *http.Request @@ -84,11 +81,11 @@ var sampleconfig = ` ## Request timeout # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -191,8 +188,7 @@ func (s *Tomcat) Gather(acc telegraf.Accumulator) error { } func (s *Tomcat) createHttpClient() (*http.Client, error) { - tlsConfig, err := internal.GetTLSConfig( - s.SSLCert, s.SSLKey, s.SSLCA, s.InsecureSkipVerify) + tlsConfig, err := s.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/zookeeper/README.md b/plugins/inputs/zookeeper/README.md index 99abbc2276693..d54caae44471b 100644 --- a/plugins/inputs/zookeeper/README.md +++ b/plugins/inputs/zookeeper/README.md @@ -18,11 +18,11 @@ The zookeeper plugin collects variables outputted from the 'mntr' command ## Timeout for metric collections from all servers. Minimum timeout is "1s". # timeout = "5s" - ## Optional SSL Config + ## Optional TLS Config # enable_ssl = true - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true ``` diff --git a/plugins/inputs/zookeeper/zookeeper.go b/plugins/inputs/zookeeper/zookeeper.go index 1c60e368aacb9..20e7aee01fc43 100644 --- a/plugins/inputs/zookeeper/zookeeper.go +++ b/plugins/inputs/zookeeper/zookeeper.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,11 +22,9 @@ type Zookeeper struct { Servers []string Timeout internal.Duration - EnableSSL bool `toml:"enable_ssl"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool `toml:"insecure_skip_verify"` + EnableTLS bool `toml:"enable_tls"` + EnableSSL bool `toml:"enable_ssl"` // deprecated in 1.7; use enable_tls + tlsint.ClientConfig initialized bool tlsConfig *tls.Config 
@@ -42,11 +41,11 @@ var sampleConfig = ` ## Timeout for metric collections from all servers. Minimum timeout is "1s". # timeout = "5s" - ## Optional SSL Config - # enable_ssl = true - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # enable_tls = true + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true ` @@ -65,7 +64,7 @@ func (z *Zookeeper) Description() string { func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) { var dialer net.Dialer - if z.EnableSSL { + if z.EnableTLS || z.EnableSSL { deadline, ok := ctx.Deadline() if ok { dialer.Deadline = deadline @@ -81,8 +80,7 @@ func (z *Zookeeper) Gather(acc telegraf.Accumulator) error { ctx := context.Background() if !z.initialized { - tlsConfig, err := internal.GetTLSConfig( - z.SSLCert, z.SSLKey, z.SSLCA, z.InsecureSkipVerify) + tlsConfig, err := z.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/amqp/README.md b/plugins/outputs/amqp/README.md index 834074436073b..ea17fe769abde 100644 --- a/plugins/outputs/amqp/README.md +++ b/plugins/outputs/amqp/README.md @@ -42,11 +42,11 @@ For an introduction to AMQP see: ## to 5s. 0s means no timeout (not recommended). # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. diff --git a/plugins/outputs/amqp/amqp.go b/plugins/outputs/amqp/amqp.go index fed1edfe45338..f2bfb7ac74d70 100644 
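Review bot: The sampleConfig in this hunk still ends with `## If false, skip chain & host verification` / `# insecure_skip_verify = true`, which is wrong in both halves: verification is skipped when the value is true, and the commented default advertises the insecure setting, unlike every other plugin in this patch which shows `= false`. Suggest `## Use TLS but skip chain & host verification` and `# insecure_skip_verify = false`. The zookeeper README hunk on the previous line keeps `# enable_ssl = true` while this sample switches to `enable_tls` and the struct hunk there marks `enable_ssl` deprecated, so the README should show `# enable_tls = true` as well. The `z.EnableTLS || z.EnableSSL` change in dial reads fine; a deprecation log line when `EnableSSL` is set would help users migrate.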
--- a/plugins/outputs/amqp/amqp.go +++ b/plugins/outputs/amqp/amqp.go @@ -10,6 +10,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -43,14 +44,7 @@ type AMQP struct { // Valid options are "transient" and "persistent". default: "transient" DeliveryMode string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig sync.Mutex c *client @@ -99,11 +93,11 @@ var sampleConfig = ` ## to 5s. 0s means no timeout (not recommended). # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. @@ -137,8 +131,7 @@ func (q *AMQP) Connect() error { var connection *amqp.Connection // make new tls config - tls, err := internal.GetTLSConfig( - q.SSLCert, q.SSLKey, q.SSLCA, q.InsecureSkipVerify) + tls, err := q.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/elasticsearch/README.md b/plugins/outputs/elasticsearch/README.md index b0d2e6f9b9818..11f3c1385fd5c 100644 --- a/plugins/outputs/elasticsearch/README.md +++ b/plugins/outputs/elasticsearch/README.md 
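Review bot: In Connect the result is kept in a local named `tls` (`tls, err := q.ClientConfig.TLSConfig()`), and this patch adds an import of `internal/tls` to the same file, so the local shadows the package for the rest of the function; it compiles only because the package is not referenced later in Connect, and shadow linters will flag it. Use the name the other plugins in this patch use, `tlsCfg, err := q.ClientConfig.TLSConfig()`, and rename the later uses of `tls` in Connect (outside this hunk) to match.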
@@ -180,11 +180,11 @@ This plugin will format the events in the following way: # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -230,4 +230,4 @@ Integer values collected that are bigger than 2^63 and smaller than 1e21 (or in The correct field mapping will be created on the telegraf index as soon as a supported JSON value is received by Elasticsearch, and subsequent insertions will work because the field mapping will already exist. -This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. \ No newline at end of file +This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. diff --git a/plugins/outputs/elasticsearch/elasticsearch.go b/plugins/outputs/elasticsearch/elasticsearch.go index 326def1d1e25d..56169135ac3be 100644 --- a/plugins/outputs/elasticsearch/elasticsearch.go +++ b/plugins/outputs/elasticsearch/elasticsearch.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "gopkg.in/olivere/elastic.v5" ) 
@@ -28,11 +29,9 @@ type Elasticsearch struct { ManageTemplate bool TemplateName string OverwriteTemplate bool - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification - Client *elastic.Client + tls.ClientConfig + + Client *elastic.Client } var sampleConfig = ` @@ -69,11 +68,11 @@ var sampleConfig = ` # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -96,7 +95,7 @@ func (a *Elasticsearch) Connect() error { var clientOptions []elastic.ClientOptionFunc - tlsCfg, err := internal.GetTLSConfig(a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tlsCfg, err := a.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/graphite/README.md b/plugins/outputs/graphite/README.md index 1b173962f8bbd..216c09ca01063 100644 --- a/plugins/outputs/graphite/README.md +++ b/plugins/outputs/graphite/README.md 
@@ -20,42 +20,10 @@ via raw TCP. ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` - -Parameters: - - Servers []string - Prefix string - Timeout int - Template string - - // Path to CA file - SSLCA string - // Path to host cert file - SSLCert string - // Path to cert key file - SSLKey string - // Skip SSL verification - InsecureSkipVerify bool - -### Required parameters: - -* `servers`: List of strings, ["mygraphiteserver:2003"]. -* `prefix`: String use to prefix all sent metrics. -* `timeout`: Connection timeout in seconds. -* `template`: Template for graphite output format, see -https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md -for more details. - -### Optional parameters: - -* `ssl_ca`: SSL CA -* `ssl_cert`: SSL CERT -* `ssl_key`: SSL key -* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) diff --git a/plugins/outputs/graphite/graphite.go b/plugins/outputs/graphite/graphite.go index 7bad4be07bb70..4346c50d8a9b3 100644 --- a/plugins/outputs/graphite/graphite.go +++ b/plugins/outputs/graphite/graphite.go @@ -10,7 +10,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) 
@@ -22,18 +22,7 @@ type Graphite struct { Template string Timeout int conns []net.Conn - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Skip SSL verification - InsecureSkipVerify bool - - // tls config - tlsConfig *tls.Config + tlsint.ClientConfig } var sampleConfig = ` @@ -49,11 +38,11 @@ var sampleConfig = ` ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -67,9 +56,7 @@ func (g *Graphite) Connect() error { } // Set tls config - var err error - g.tlsConfig, err = internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsConfig, err := g.ClientConfig.TLSConfig() if err != nil { return err } @@ -82,8 +69,8 @@ func (g *Graphite) Connect() error { // Get secure connection if tls config is set var conn net.Conn - if g.tlsConfig != nil { - conn, err = tls.DialWithDialer(&d, "tcp", server, g.tlsConfig) + if tlsConfig != nil { + conn, err = tls.DialWithDialer(&d, "tcp", server, tlsConfig) } else { conn, err = d.Dial("tcp", server) } diff --git a/plugins/outputs/influxdb/README.md b/plugins/outputs/influxdb/README.md index 74f33748ddf85..aed96e4630441 100644 --- a/plugins/outputs/influxdb/README.md +++ b/plugins/outputs/influxdb/README.md 
@@ -44,11 +44,11 @@ This InfluxDB output plugin writes metrics to the [InfluxDB](https://github.com/ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment diff --git a/plugins/outputs/influxdb/influxdb.go b/plugins/outputs/influxdb/influxdb.go index d34e9e3e8916e..f80722bc318f3 100644 --- a/plugins/outputs/influxdb/influxdb.go +++ b/plugins/outputs/influxdb/influxdb.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers/influx" ) @@ -46,15 +47,7 @@ type InfluxDB struct { ContentEncoding string `toml:"content_encoding"` SkipDatabaseCreation bool `toml:"skip_database_creation"` InfluxUintSupport bool `toml:"influx_uint_support"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Precision string // precision deprecated in 1.0; value is ignored 
@@ -104,11 +97,11 @@ var sampleConfig = ` ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -245,8 +238,7 @@ func (i *InfluxDB) udpClient(url *url.URL) (Client, error) { } func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) { - tlsConfig, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsConfig, err := i.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/influxdb/influxdb_test.go b/plugins/outputs/influxdb/influxdb_test.go index eeef9761894bc..3ec10989e8033 100644 --- a/plugins/outputs/influxdb/influxdb_test.go +++ b/plugins/outputs/influxdb/influxdb_test.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/metric" "github.com/influxdata/telegraf/plugins/outputs/influxdb" "github.com/stretchr/testify/require" @@ -104,8 +105,10 @@ func TestConnectHTTPConfig(t *testing.T) { HTTPHeaders: map[string]string{ "x": "y", }, - ContentEncoding: "gzip", - InsecureSkipVerify: true, + ContentEncoding: "gzip", + ClientConfig: tls.ClientConfig{ + InsecureSkipVerify: true, + }, CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) { actual = config 
diff --git a/plugins/outputs/kafka/README.md b/plugins/outputs/kafka/README.md index 93182ba08def9..196e2e9148fcd 100644 --- a/plugins/outputs/kafka/README.md +++ b/plugins/outputs/kafka/README.md @@ -68,11 +68,11 @@ This plugin writes to a [Kafka Broker](http://kafka.apache.org/07/quickstart.htm ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/outputs/kafka/kafka.go b/plugins/outputs/kafka/kafka.go index 8094d43347b96..716e06c44a3d9 100644 --- a/plugins/outputs/kafka/kafka.go +++ b/plugins/outputs/kafka/kafka.go @@ -6,7 +6,7 @@ import ( "strings" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -36,7 +36,7 @@ type ( // MaxRetry Tag MaxRetry int - // Legacy SSL config options + // Legacy TLS config options // TLS client certificate Certificate string // TLS client key @@ -44,15 +44,7 @@ type ( // TLS certificate authority CA string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - - // Skip SSL verification - InsecureSkipVerify bool + tlsint.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` 
@@ -135,11 +127,11 @@ var sampleConfig = ` ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config @@ -201,13 +193,12 @@ func (k *Kafka) Connect() error { // Legacy support ssl config if k.Certificate != "" { - k.SSLCert = k.Certificate - k.SSLCA = k.CA - k.SSLKey = k.Key + k.TLSCert = k.Certificate + k.TLSCA = k.CA + k.TLSKey = k.Key } - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/mqtt/README.md b/plugins/outputs/mqtt/README.md index beb8dd4253b52..ab1d7dbc13401 100644 --- a/plugins/outputs/mqtt/README.md +++ b/plugins/outputs/mqtt/README.md @@ -22,12 +22,12 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt ## Timeout for write operations. default: 5s # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Batch messages sent on a topic in a flush interval 
@@ -53,4 +53,8 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt * `ssl_key`: SSL key * `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) * `batch`: Batch messages sent on a topic within a flush interval (default: false) +* `tls_ca`: TLS CA +* `tls_cert`: TLS CERT +* `tls_key`: TLS key +* `insecure_skip_verify`: Use TLS but skip chain & host verification (default: false) * `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md) diff --git a/plugins/outputs/mqtt/mqtt.go b/plugins/outputs/mqtt/mqtt.go index e63a24d6a7c29..db46115566e0d 100644 --- a/plugins/outputs/mqtt/mqtt.go +++ b/plugins/outputs/mqtt/mqtt.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -32,11 +33,11 @@ var sampleConfig = ` ## client ID, if not set a random ID is generated # client_id = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. 
@@ -47,25 +48,17 @@ var sampleConfig = ` ` type MQTT struct { - Servers []string `toml:"servers"` - Username string - Password string - Database string - Timeout internal.Duration - TopicPrefix string - QoS int `toml:"qos"` - ClientID string `toml:"client_id"` + Servers []string `toml:"servers"` + Username string + Password string + Database string + Timeout internal.Duration + TopicPrefix string + QoS int `toml:"qos"` + ClientID string `toml:"client_id"` + tls.ClientConfig BatchMessage bool `toml:"batch"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - client paho.Client opts *paho.ClientOptions @@ -188,8 +181,7 @@ func (m *MQTT) createOpts() (*paho.ClientOptions, error) { opts.SetClientID("Telegraf-Output-" + internal.RandomString(5)) } - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/nats/nats.go b/plugins/outputs/nats/nats.go index d97c4688dc177..a664bc1bbb6b3 100644 --- a/plugins/outputs/nats/nats.go +++ b/plugins/outputs/nats/nats.go @@ -6,7 +6,7 @@ import ( nats_client "github.com/nats-io/nats" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) 
@@ -19,15 +19,7 @@ type NATS struct { Password string // NATS subject to publish metrics to Subject string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig conn *nats_client.Conn serializer serializers.Serializer @@ -42,11 +34,11 @@ var sampleConfig = ` ## NATS subject for producer messages subject = "telegraf" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. @@ -79,8 +71,7 @@ func (n *NATS) Connect() error { } // override TLS, if it was specified - tlsConfig, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsConfig, err := n.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/socket_writer/README.md b/plugins/outputs/socket_writer/README.md index 8e28c5f88ddbe..149cda2a6c543 100644 --- a/plugins/outputs/socket_writer/README.md +++ b/plugins/outputs/socket_writer/README.md 
@@ -19,11 +19,11 @@ It can output data in any of the [supported output formats](https://github.com/i # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index 382aad266630d..7c4660bc8f070 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go @@ -10,17 +10,15 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) type SocketWriter struct { - Address string - KeepAlivePeriod *internal.Duration - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool + Address string + KeepAlivePeriod *internal.Duration + tlsint.ClientConfig serializers.Serializer @@ -45,11 +43,11 @@ func (sw *SocketWriter) SampleConfig() string { # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. 
@@ -76,7 +74,7 @@ func (sw *SocketWriter) Connect() error { return fmt.Errorf("invalid address: %s", sw.Address) } - tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + tlsCfg, err := sw.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/testutil/pki/cacert.pem b/testutil/pki/cacert.pem new file mode 100644 index 0000000000000..b0a47334e83fe --- /dev/null +++ b/testutil/pki/cacert.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV +BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw +NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR +rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/ +X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID +AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF +AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK +Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ +C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw== +-----END CERTIFICATE----- diff --git a/testutil/pki/cakey.pem b/testutil/pki/cakey.pem new file mode 100644 index 0000000000000..3606c89beface --- /dev/null +++ b/testutil/pki/cakey.pem 
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60
+1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr
+JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA
+r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V
+hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD
+CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564
+yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga
+YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl
+LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5
+gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm
+tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj
+7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw
++WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh
+WyxmGkbTDelSG20=
+-----END PRIVATE KEY-----
diff --git a/testutil/pki/clientcert.pem b/testutil/pki/clientcert.pem
new file mode 100644
index 0000000000000..9e5b608078231
--- /dev/null
+++ b/testutil/pki/clientcert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
+MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
+WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
+CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
+STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
+BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
+L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
+HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
+uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
+-----END CERTIFICATE-----
diff --git a/testutil/pki/clientkey.pem b/testutil/pki/clientkey.pem
new file mode 100644
index 0000000000000..cc11e20eaca1e
--- /dev/null
+++ b/testutil/pki/clientkey.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI
+E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX
+ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB
+AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC
+yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+
+ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F
+Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo
+wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD
+dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL
+fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ
+POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx
+k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG
+uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w=
+-----END RSA PRIVATE KEY-----
diff --git a/testutil/pki/servercert.pem b/testutil/pki/servercert.pem
new file mode 100644
index 0000000000000..8862195179889
--- /dev/null
+++ b/testutil/pki/servercert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
+MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D
+L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij
+ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw
+STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E
+BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM
+ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP
+JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L
+Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY=
+-----END CERTIFICATE-----
diff --git a/testutil/pki/serverkey.pem b/testutil/pki/serverkey.pem
new file mode 100644
index 0000000000000..363f5d9af5725
--- /dev/null
+++ b/testutil/pki/serverkey.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37
+uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y
+j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB
+AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl
+9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O
+hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ
+6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4
+4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8
+fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt
+2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi
+7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ
+Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs
+pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue
+-----END RSA PRIVATE KEY-----
diff --git a/scripts/tls-certs.sh b/testutil/pki/tls-certs.sh
similarity index 81%
rename from scripts/tls-certs.sh
rename to testutil/pki/tls-certs.sh
index b37d6541a23aa..55075df4bd1b7 100644
--- a/scripts/tls-certs.sh
+++ b/testutil/pki/tls-certs.sh
@@ -46,21 +46,31 @@ keyUsage = keyCertSign, cRLSign [ client_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature +subjectAltName = @client_alt_names extendedKeyUsage = 1.3.6.1.5.5.7.3.2 +[ client_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 + [ server_ca_extensions ] basicConstraints = CA:false -keyUsage = keyEncipherment +subjectAltName = @server_alt_names +keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = 1.3.6.1.5.5.7.3.1 + +[ server_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 EOF -openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes && +openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes && # Create server keypair openssl genrsa -out ./private/serverkey.pem 1024 && -openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" && +openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" && openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions && # Create client keypair openssl genrsa -out ./private/clientkey.pem 1024 && -openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" && +openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" && openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions diff --git a/testutil/tls.go b/testutil/tls.go new file mode 100644 index 0000000000000..4f7fc012aef90 --- /dev/null +++ b/testutil/tls.go 
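Review bot: Nothing in the hunk records that the script's output is test-only material or how the committed `testutil/pki/*.pem` files relate to the `./certs` and `./private` paths the `openssl` commands write to. The CA is issued with `-days 3650` and the validity fields of the committed certificates appear to end in 2028, so every test built on these fixtures will start failing with an expiry error at that point with no pointer back to this script. A header comment above the heredoc (which opens before this hunk) would cover both: `# Generates the test-only PKI committed under testutil/pki (1024-bit RSA, 10-year validity). Rerun and copy certs/*.pem and private/*.pem into testutil/pki when the fixtures expire.` — adjusting the copy step if the committed files were produced some other way. The 1024-bit key size and the checked-in private keys are acceptable only because these keys never leave the test suite, which is worth stating in the same comment.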
@@ -0,0 +1,86 @@
+package testutil
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path"
+
+ "github.com/influxdata/telegraf/internal/tls"
+)
+
+type pki struct {
+ path string
+}
+
+func NewPKI(path string) *pki {
+ return &pki{path: path}
+}
+
+func (p *pki) TLSClientConfig() *tls.ClientConfig {
+ return &tls.ClientConfig{
+ TLSCA: p.CACertPath(),
+ TLSCert: p.ClientCertPath(),
+ TLSKey: p.ClientKeyPath(),
+ }
+}
+
+func (p *pki) TLSServerConfig() *tls.ServerConfig {
+ return &tls.ServerConfig{
+ TLSAllowedCACerts: []string{p.CACertPath()},
+ TLSCert: p.ServerCertPath(),
+ TLSKey: p.ServerKeyPath(),
+ }
+}
+
+func (p *pki) ReadCACert() string {
+ return readCertificate(p.CACertPath())
+}
+
+func (p *pki) CACertPath() string {
+ return path.Join(p.path, "cacert.pem")
+}
+
+func (p *pki) ReadClientCert() string {
+ return readCertificate(p.ClientCertPath())
+}
+
+func (p *pki) ClientCertPath() string {
+ return path.Join(p.path, "clientcert.pem")
+}
+
+func (p *pki) ReadClientKey() string {
+ return readCertificate(p.ClientKeyPath())
+}
+
+func (p *pki) ClientKeyPath() string {
+ return path.Join(p.path, "clientkey.pem")
+}
+
+func (p *pki) ReadServerCert() string {
+ return readCertificate(p.ServerCertPath())
+}
+
+func (p *pki) ServerCertPath() string {
+ return path.Join(p.path, "servercert.pem")
+}
+
+func (p *pki) ReadServerKey() string {
+ return readCertificate(p.ServerKeyPath())
+}
+
+func (p *pki) ServerKeyPath() string {
+ return path.Join(p.path, "serverkey.pem")
+}
+
+func readCertificate(filename string) string {
+ file, err := os.Open(filename)
+ if err != nil {
+ panic(fmt.Sprintf("opening %q: %v", filename, err))
+ }
+ octets, err := ioutil.ReadAll(file)
+ if err != nil {
+ panic(fmt.Sprintf("reading %q: %v", filename, err))
+ }
+ return string(octets)
+}
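Review bot: `readCertificate` opens the file with `os.Open` and never closes it, so each call from a test leaks a file descriptor for the life of the process; `ioutil.ReadFile` does the open, read and close in one step and makes the `os` import unnecessary: `octets, err := ioutil.ReadFile(filename)` followed by the existing `if err != nil { panic(fmt.Sprintf("reading %q: %v", filename, err)) }` and `return string(octets)`. The path accessors use `path.Join`, which is meant for slash-separated URL-style paths; `filepath.Join` is the OS-correct choice for file names. `NewPKI` is exported but returns the unexported `*pki`, which golint flags and which stops callers from naming the type in their own signatures — exporting the type as `PKI` would fix it. A doc comment on `NewPKI` stating that the directory is expected to contain `cacert.pem`, `clientcert.pem`, `clientkey.pem`, `servercert.pem` and `serverkey.pem` would also help, since those names are only discoverable one accessor at a time.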