DataDog · hithwen · Mar 13, 2020 · Mar 12, 2020 · Mar 12, 2020 · Mar 12, 2020
@@ -77,6 +77,9 @@ def __init__(self, name, init_config, instances):
         port = int(self.instance.get('port', 3000))
         tls_name = self.instance.get('tls_name')
         self._host = (host, port, tls_name) if tls_name else (host, port)
+        self._tls_config = self.instance.get('tls_config', None)
+        if self._tls_config:
+            self._tls_config['enable'] = True
 
         # https://www.aerospike.com/apidocs/python/client.html#aerospike.Client.connect
         self._username = self.instance.get('username')
@@ -198,8 +201,11 @@ def get_datacenters(self):
         return datacenters
 
     def get_client(self):
+        client_config = {'hosts': [self._host]}
+        if self._tls_config:
+            client_config['tls'] = self._tls_config
         try:
-            client = aerospike.client({'hosts': [self._host]}).connect(self._username, self._password)
+            client = aerospike.client(client_config).connect(self._username, self._password)
         except Exception as e:
             self.log.error('Unable to connect to database: %s', e)
             self.service_check(SERVICE_CHECK_CONNECT, self.CRITICAL, tags=self._tags)

@@ -23,9 +23,33 @@ instances:
     ## @param tls_name - string - optional
     ## This must match the tls-name specified in the node’s server
     ## configuration file and match the server’s CA certificate.
+    ##
+    ## Note: TLS usage requires Aerospike Enterprise Edition
     #
     # tls_name: <TLS_NAME>
 
+    tls a dict of optional TLS configuration parameters.
+
+    ## @param tls_config - list of key:value elements - optional
+    ## Note TLS usage requires Aerospike Enterprise Edition
+    ## Key value pairs with a choice of the following elements:
+    ##
+    ##  cafile: Path to a trusted CA certificate file. By default TLS will use system standard trusted CA certificates
+    ##  capath: Path to a directory of trusted certificates.
+    ##  protocols: Specifies enabled protocols. If not specified the client will use “-all +TLSv1.2”.
+    ##  cipher_suite: Specifies enabled cipher suites. Defaults to the OpenSSL default cipher suite.
+    ##  keyfile: Path to the client’s key for mutual authentication. By default mutual authentication is disabled.
+    ##  keyfile_pw: Decryption password for the client’s key for mutual authentication. By default the key is assumed not to be encrypted.
+    ##  cert_blacklist: Path to a certificate blacklist file.
+    ##  certfile: Path to the client’s certificate chain file for mutual authentication. By default mutual authentication is disabled.
+    ##  crl_check: (True, False) Enable CRL checking for the certificate chain leaf certificate. An error occurs if a suitable CRL cannot be found. By default CRL checking is disabled.
+    ##  crl_check_all: (True, False): Enable CRL checking for the entire certificate chain. An error occurs if a suitable CRL cannot be found. By default CRL checking is disabled.
+    #
+    # tls_config:
+    #     cafile: <CA_FILE>
+    #     certfile: <CERT_FILE>
+    #     keyfile: <KEY_FILE>
+
     ## @param timeout - integer - optional - default: 10
     ## The read timeout in seconds.
     #

@@ -1,3 +1,5 @@
+import copy
+
 import mock
 import pytest
 
@@ -46,3 +48,18 @@ def mock_get_info(command, separator=";"):
     check.check(common.INSTANCE)
     for metric in METRICS:
         aggregator.assert_metric(metric)
+
+
+def connection_uses_tls():
+    instance = copy.deepcopy(common.INSTANCE)
+    tls_config = {'cafile': 'my-ca-file', 'certfile': 'my-certfile', 'keyfile': 'my-keyfile'}
+    instance['tls_config'] = copy.deepcopy(tls_config)
+
+    check = aerospike.AerospikeCheck('aerospike', {}, [common.INSTANCE])
+    tls_config['enable'] = True
+
+    assert check._tls_config == tls_config
+
+    with mock.patch('aerospike.client') as client:
+        check.get_client()
+        assert client.called_with({'host': check._host, 'tls': tls_config})