diff --git a/aerospike/datadog_checks/aerospike/aerospike.py b/aerospike/datadog_checks/aerospike/aerospike.py
index 89d6c376e6ffb..8c407e19090ee 100644
--- a/aerospike/datadog_checks/aerospike/aerospike.py
+++ b/aerospike/datadog_checks/aerospike/aerospike.py
@@ -77,6 +77,9 @@ def __init__(self, name, init_config, instances):
 port = int(self.instance.get('port', 3000))
 tls_name = self.instance.get('tls_name')
 self._host = (host, port, tls_name) if tls_name else (host, port)
+ self._tls_config = self.instance.get('tls_config')
+ if self._tls_config:
+ self._tls_config['enable'] = True
 # https://www.aerospike.com/apidocs/python/client.html#aerospike.Client.connect
 self._username = self.instance.get('username')
@@ -198,8 +201,11 @@ def get_datacenters(self):
 return datacenters
 def get_client(self):
+ client_config = {'hosts': [self._host]}
+ if self._tls_config:
+ client_config['tls'] = self._tls_config
 try:
- client = aerospike.client({'hosts': [self._host]}).connect(self._username, self._password)
+ client = aerospike.client(client_config).connect(self._username, self._password)
 except Exception as e:
 self.log.error('Unable to connect to database: %s', e)
 self.service_check(SERVICE_CHECK_CONNECT, self.CRITICAL, tags=self._tags)
diff --git a/aerospike/datadog_checks/aerospike/data/conf.yaml.example b/aerospike/datadog_checks/aerospike/data/conf.yaml.example
index dce568c8b51b7..00d35a43564d6 100644
--- a/aerospike/datadog_checks/aerospike/data/conf.yaml.example
+++ b/aerospike/datadog_checks/aerospike/data/conf.yaml.example
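Review bot: `if self._tls_config:` in `__init__` (and the same truthiness test in `get_client`, second hunk of aerospike.py) treats an empty mapping as if the option were absent, so `tls_config: {}` — asking for TLS with the system CA store that conf.yaml.example describes as the default — silently produces a client config with no `tls` section. Test for presence instead, `if self._tls_config is not None:`, and raise a configuration error when the value is not a mapping, since `self._tls_config['enable'] = True` fails with a bare TypeError on a YAML list. The assignment also writes into the dict owned by `self.instance`; copying first, `self._tls_config = dict(self.instance['tls_config'])`, avoids mutating the loaded config. `__init__` begins and ends outside this hunk.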
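Review bot: With `tls_name` set but no `tls_config`, `get_client` still builds only `{'hosts': [self._host]}`, so the host tuple carries a TLS name while no `tls` section with `enable` reaches the client. As far as these lines show, the connection and the `connect(self._username, self._password)` call then run without TLS, and nothing warns the operator. Either enable TLS whenever `tls_name` is present, e.g. `client_config['tls'] = {'enable': True}`, or log a warning in `__init__` for that combination. The `except` branch of `get_client` continues past the end of the hunk.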
@@ -23,9 +23,31 @@ instances: ## @param tls_name - string - optional ## This must match the tls-name specified in the node’s server ## configuration file and match the server’s CA certificate. + ## + ## Note: TLS usage requires Aerospike Enterprise Edition # # tls_name: + ## @param tls_config - list of key:value elements - optional + ## Note TLS usage requires Aerospike Enterprise Edition + ## Key value pairs with a choice of the following elements: + ## + ## cafile: Path to a trusted CA certificate file. By default TLS will use system standard trusted CA certificates + ## capath: Path to a directory of trusted certificates. + ## protocols: Specifies enabled protocols. If not specified the client will use “-all +TLSv1.2”. + ## cipher_suite: Specifies enabled cipher suites. Defaults to the OpenSSL default cipher suite. + ## keyfile: Path to the client’s key for mutual authentication. By default mutual authentication is disabled. + ## keyfile_pw: Decryption password for the client’s key for mutual authentication if needed. + ## cert_blacklist: Path to a certificate blacklist file. + ## certfile: Path to the client’s certificate chain file for mutual authentication if needed. + ## crl_check: (True, False) Enable CRL checking for the certificate chain leaf certificate. + ## crl_check_all: (True, False): Enable CRL checking for the entire certificate chain. + # + # tls_config: + # cafile: + # certfile: + # keyfile: + ## @param timeout - integer - optional - default: 10 ## The read timeout in seconds. #
diff --git a/aerospike/tests/test_unit.py b/aerospike/tests/test_unit.py
index 335a3a97e1546..82d1a93afd597 100644
--- a/aerospike/tests/test_unit.py
+++ b/aerospike/tests/test_unit.py
@@ -1,3 +1,5 @@
+import copy
+
 import mock
 import pytest
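Review bot: The `@param tls_config` line in conf.yaml.example types the option as a "list of key:value elements", while aerospike.py in this commit indexes it as a mapping (`self._tls_config['enable'] = True`), so a YAML list written to match the description would raise in `__init__`. `## @param tls_config - mapping - optional` is the accurate wording. The `keyfile_pw` entry should also state that the password sits in clear text in this file, so the file needs restrictive permissions, or the value should come from the Agent's secrets mechanism rather than being written inline.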
@@ -46,3 +48,18 @@ def mock_get_info(command, separator=";"):
 check.check(common.INSTANCE)
 for metric in METRICS:
 aggregator.assert_metric(metric)
+
+
+def connection_uses_tls():
+ instance = copy.deepcopy(common.INSTANCE)
+ tls_config = {'cafile': 'my-ca-file', 'certfile': 'my-certfile', 'keyfile': 'my-keyfile'}
+ instance['tls_config'] = copy.deepcopy(tls_config)
+
+ check = aerospike.AerospikeCheck('aerospike', {}, [common.INSTANCE])
+ tls_config['enable'] = True
+
+ assert check._tls_config == tls_config
+
+ with mock.patch('aerospike.client') as client:
+ check.get_client()
+ assert client.called_with({'host': check._host, 'tls': tls_config})
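Review bot: This test never runs and could not fail if it did. `connection_uses_tls` lacks the `test_` prefix that pytest collects on (assuming default collection settings), the check is built from `common.INSTANCE` rather than the `instance` that carries `tls_config`, and `client.called_with(...)` is an auto-created Mock attribute whose result is always truthy. Rename it to `def test_connection_uses_tls():`, construct the check with `aerospike.AerospikeCheck('aerospike', {}, [instance])`, and assert with `client.assert_called_with({'hosts': [check._host], 'tls': tls_config})`; the key is `hosts` and the value a list, matching what `get_client` passes. Until then nothing verifies that the TLS settings reach the client, so a regression to a non-TLS connection would pass CI.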