From a6305406c4738e8ff7ca42eef1bfb59872b89084 Mon Sep 17 00:00:00 2001 From: Julia Simon <611228+hithwen@users.noreply.github.com> Date: Mon, 15 Jul 2019 14:21:06 +0200 Subject: [PATCH] Add RequestsWrapper to envoy --- .../envoy/data/conf.yaml.example | 74 +++++++++++++++---- envoy/datadog_checks/envoy/envoy.py | 14 ++-- envoy/tests/test_envoy.py | 14 ++-- 3 files changed, 72 insertions(+), 30 deletions(-) diff --git a/envoy/datadog_checks/envoy/data/conf.yaml.example b/envoy/datadog_checks/envoy/data/conf.yaml.example index 7b3b9a963d40d..95893248171df 100644 --- a/envoy/datadog_checks/envoy/data/conf.yaml.example +++ b/envoy/datadog_checks/envoy/data/conf.yaml.example @@ -41,7 +41,7 @@ instances: # cache_metrics: true ## @param username - string - optional - ## Enter your username if the stats page is behind basic auth. + ## The username to use if services are behind basic auth. ## Note: The Envoy admin endpoint does not support auth until: ## https://github.com/envoyproxy/envoy/issues/2763 ## For an alternative, see: @@ -50,7 +50,7 @@ instances: # username: ## @param password - string - optional - ## Enter your password if the stats page is behind basic auth. + ## The password to use if services are behind basic or NTLM auth. ## Note: The Envoy admin endpoint does not support auth until: ## https://github.com/envoyproxy/envoy/issues/2763 ## For an alternative, see: 
@@ -58,23 +58,69 @@ instances: # # password: - ## @param verify_ssl - boolean - optional - default: true - ## The verify_ssl parameter instructs the check to validate SSL - ## certificates when connecting to Envoy. Set to false if - ## you want to disable SSL certificate validation. - # - # verify_ssl: true - ## @param skip_proxy - boolean - optional - default: false - ## The (optional) skip_proxy parameter bypasses any proxy - ## settings enabled and attempt to reach Envoy directly. + ## If set to true, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. # # skip_proxy: false - ## @param timeout - integer - optional - default: 20 - ## Specify a custom timeout in seconds for the check connection. + ## @param tls_verify - boolean - optional - default: true + ## Instructs the check to validate the TLS certificate of services. + # + # tls_verify: true + + ## @param tls_ignore_warning - boolean - optional - default: false + ## If `tls_verify` is disabled, security warnings are logged by the check. + ## Disable those by setting `tls_ignore_warning` to true. + # + # tls_ignore_warning: false + + ## @param tls_cert - string - optional + ## The path to a single file in PEM format containing a certificate as well as any + ## number of CA certificates needed to establish the certificate’s authenticity for + ## use when connecting to services. It may also contain an unencrypted private key to use. + # + # tls_cert: + + ## @param tls_private_key - string - optional + ## The unencrypted private key to use for `tls_cert` when connecting to services. This is + ## required if `tls_cert` is set and it does not already contain a private key. + # + # tls_private_key: + + ## @param tls_ca_cert - string - optional + ## The path to a file of concatenated CA certificates in PEM format or a directory + ## containing several CA certificates in PEM format. 
If a directory, the directory + ## must have been processed using the c_rehash utility supplied with OpenSSL. See: + ## https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html + # + # tls_ca_cert: + + ## @param headers - list of key:value elements - optional + ## The headers parameter allows you to send specific headers with every request. + ## You can use it for explicitly specifying the host header or adding headers for + ## authorization purposes. + ## + ## This overrides any default headers. + # + # headers: + # Host: + # X-Auth-Token: + + ## @param timeout - integer - optional - default: 10 + ## The timeout for connecting to services. + # + # timeout: 10 + + ## @param log_requests - boolean - optional - default: false + ## Whether or not to debug log the HTTP(S) requests made, including the method and URL. + # + # log_requests: false + + ## @param persist_connections - boolean - optional - default: false + ## Whether or not to persist cookies and use connection pooling for increased performance. # - # timeout: 20 + # persist_connections: false ## @param tags - list of key:value string - optional ## List of tags to attach to every metric and service check emitted by this integration. diff --git a/envoy/datadog_checks/envoy/envoy.py b/envoy/datadog_checks/envoy/envoy.py index 906f2048433b0..f346ee9456d34 100644 --- a/envoy/datadog_checks/envoy/envoy.py +++ b/envoy/datadog_checks/envoy/envoy.py @@ -13,6 +13,7 @@ class Envoy(AgentCheck): + HTTP_CONFIG_REMAPPER = {'verify_ssl': {'name': 'tls_verify'}} SERVICE_CHECK_NAME = 'envoy.can_connect' def __init__(self, name, init_config, agentConfig, instances=None): 
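Review bot: The `verify_ssl` block is dropped from the example in the `@@ -58,23 +58,69 @@` hunk, but envoy.py in this same commit still accepts that key through `HTTP_CONFIG_REMAPPER = {'verify_ssl': {'name': 'tls_verify'}}`. An existing instance with `verify_ssl: false` will therefore presumably keep running with certificate validation off, while the shipped template no longer documents the key. I would add a line under `tls_verify` such as `## The legacy option verify_ssl is still accepted as an alias for tls_verify.` so that anyone auditing configs for disabled validation knows to look for both names. The documented `timeout` default also changes from 20 to 10 here, while the timeout message in envoy.py still falls back to 20, so the two should be made to agree. Finally, `tls_private_key` is described as "The unencrypted private key", which leaves unclear whether a file path is expected, as it is for `tls_cert`.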
@@ -40,13 +41,6 @@ def check(self, instance): self.log.error(msg) return - username = instance.get('username', None) - password = instance.get('password', None) - auth = (username, password) if username and password else None - verify_ssl = instance.get('verify_ssl', True) - proxies = self.get_instance_proxy(instance, stats_url) - timeout = int(instance.get('timeout', 20)) - if self.whitelist is None: whitelist = set(re.sub(r'^envoy\\?\.', '', s, 1) for s in instance.get('metric_whitelist', [])) self.whitelist = [re.compile(pattern) for pattern in whitelist] @@ -59,9 +53,11 @@ def check(self, instance): self.caching_metrics = instance.get('cache_metrics', True) try: - response = requests.get(stats_url, auth=auth, verify=verify_ssl, proxies=proxies, timeout=timeout) + response = self.http.get(stats_url) except requests.exceptions.Timeout: - msg = 'Envoy endpoint `{}` timed out after {} seconds'.format(stats_url, timeout) + msg = 'Envoy endpoint `{}` timed out after {} seconds'.format( + stats_url, timeout=int(instance.get('timeout', 20)) + ) self.service_check(self.SERVICE_CHECK_NAME, AgentCheck.CRITICAL, message=msg, tags=custom_tags) self.log.exception(msg) return diff --git a/envoy/tests/test_envoy.py b/envoy/tests/test_envoy.py index 1843f3cc01cd7..37cbae11d10a1 100644 --- a/envoy/tests/test_envoy.py +++ b/envoy/tests/test_envoy.py @@ -14,7 +14,7 @@ class TestEnvoy: def test_success(self, aggregator): instance = INSTANCES['main'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) c.check(instance) metrics_collected = 0 @@ -25,7 +25,7 @@ def test_success(self, aggregator): def test_success_fixture(self, aggregator): instance = INSTANCES['main'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('multiple_services')): c.check(instance) 
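Review bot: The rewritten timeout message in the `@@ -59,9 +53,11 @@` hunk has two positional `{}` fields but passes the second value as a keyword (`timeout=int(...)`), so `.format()` raises IndexError inside the `except requests.exceptions.Timeout` handler. As a result the CRITICAL `envoy.can_connect` service check and the log line below it are never emitted on a timeout, and the check fails with an unrelated traceback instead. Passing the value positionally fixes it: `.format(stats_url, int(instance.get('timeout', 20)))`. The fallback of 20 also disagrees with the default of 10 now documented in conf.yaml.example, so it would be better to report the timeout the wrapper actually applied, e.g. `self.http.options['timeout']` if that is available in the base package version in use. The body of `check` continues outside the hunk.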
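Review bot: None of the updated tests exercises the timeout branch that envoy.py rewrites in this commit, so the broken `.format()` call there goes unnoticed. A test that patches the HTTP call with `side_effect=requests.exceptions.Timeout` and asserts the CRITICAL `envoy.can_connect` service check would cover it. The tests in this hunk and the following ones also still patch `requests.get` although the check now calls `self.http.get`. That presumably works only while the wrapper delegates to the module-level function, and would stop intercepting once `persist_connections` routes requests through a session. A comment such as `# relies on RequestsWrapper calling requests.get when persist_connections is false` next to the first patch would make that dependency explicit.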
@@ -40,7 +40,7 @@ def test_success_fixture(self, aggregator): def test_success_fixture_whitelist(self, aggregator): instance = INSTANCES['whitelist'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('multiple_services')): c.check(instance) @@ -50,7 +50,7 @@ def test_success_fixture_whitelist(self, aggregator): def test_success_fixture_blacklist(self, aggregator): instance = INSTANCES['blacklist'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('multiple_services')): c.check(instance) @@ -60,7 +60,7 @@ def test_success_fixture_blacklist(self, aggregator): def test_success_fixture_whitelist_blacklist(self, aggregator): instance = INSTANCES['whitelist_blacklist'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('multiple_services')): c.check(instance) @@ -70,7 +70,7 @@ def test_success_fixture_whitelist_blacklist(self, aggregator): def test_service_check(self, aggregator): instance = INSTANCES['main'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('multiple_services')): c.check(instance) @@ -79,7 +79,7 @@ def test_service_check(self, aggregator): def test_unknown(self): instance = INSTANCES['main'] - c = Envoy(self.CHECK_NAME, None, {}, [instance]) + c = Envoy(self.CHECK_NAME, {}, {}, [instance]) with mock.patch('requests.get', return_value=response('unknown_metrics')): c.check(instance)