[Prometheus Remote Write Exporter for Cortex] Add TLS Support and Default HTTP Client #255

Merged: 27 commits, Aug 26, 2020
Changes from 23 commits
Commits (27)
024d0c7
Start buildClient for creating a default HTTP client
Aug 21, 2020
65ac7da
Add TestBuildClient and first subtest
Aug 21, 2020
3b8c061
Update TestBuildClient with TLS server, TLS Config, and Proxy URL
Aug 21, 2020
d42defe
Add methods for loading user-supplied certificates
Aug 21, 2020
39b0b43
Add buildTLSConfig for creating a new TLS Config struct
Aug 21, 2020
635bffc
Add TLS Config and Proxy URL to buildClient, and update TestBuildClient
Aug 21, 2020
53325bc
Add additional tests for TestBuildClient
Aug 21, 2020
b2e8a4e
Add helper function for generating certificate files
Aug 21, 2020
dd4a485
Add helper function for generating CA certificate files
Aug 21, 2020
74a1b06
Add helper function for generating serving certificate files
Aug 21, 2020
70194fe
Add helper function for generating client certificate files
Aug 21, 2020
ce97a6b
Add part of integration test with certificate creation and TLS server
Aug 21, 2020
7cabc6f
Add helper function for creating the test server's TLS Config struct
Aug 21, 2020
65f62cb
Update TestMutualTLS by adding TLS Config to server and client
Aug 21, 2020
b219481
Run make precommit and fix lint errors
Aug 21, 2020
e65ddca
Adjust test for BuildClient
Aug 22, 2020
7a402e9
Change certificate loading functions into inline conditionals
Aug 26, 2020
c400d7a
Change ProxyURL to be a url.URL instead of a string
Aug 26, 2020
6b8d132
Add check for InsecureSkipVerify to avoid parse errors
Aug 26, 2020
1c66c0a
Change client Transport to use http.DefaultTransport as base
Aug 26, 2020
1a9495e
Change require.Nil to require.NoError for error checks
Aug 26, 2020
802f074
Change require.Error to assert.Error in some areas
Aug 26, 2020
23bb6d3
Write certificate and key files directly instead of to memory first
Aug 26, 2020
d698aae
Merge branch 'master' of github.com:open-telemetry/opentelemetry-go-c…
Aug 26, 2020
baebbc3
Update DialContext timeout and KeepAlive for retrying CI test
Aug 26, 2020
456e234
Merge branch 'master' of github.com:open-telemetry/opentelemetry-go-c…
Aug 26, 2020
da06f40
Revert increase to DialContext timeout and keepalive to retry CI test
Aug 26, 2020
91 changes: 91 additions & 0 deletions exporters/metric/cortex/auth.go
Expand Up @@ -15,9 +15,14 @@
package cortex

import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"net"
"net/http"
"strconv"
"time"
)

// ErrFailedToReadFile occurs when a password / bearer token file exists, but could
Expand Down Expand Up @@ -88,3 +93,89 @@ func (e *Exporter) addBearerTokenAuth(req *http.Request) error {

return nil
}

// buildClient returns a http client that uses TLS and has the user-specified proxy and
// timeout.
func (e *Exporter) buildClient() (*http.Client, error) {
// Create a TLS Config struct for use in a custom HTTP Transport.
tlsConfig, err := e.buildTLSConfig()
if err != nil {
return nil, err
}

// Create a custom HTTP Transport for the client. This is the same as
// http.DefaultTransport other than the TLSClientConfig.
transport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).DialContext,
ForceAttemptHTTP2: true,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSClientConfig: tlsConfig,
}

// Convert proxy url to proxy function for use in the created Transport.
if e.config.ProxyURL != nil {
proxy := http.ProxyURL(e.config.ProxyURL)
transport.Proxy = proxy
}

client := http.Client{
Transport: transport,
Timeout: e.config.RemoteTimeout,
}
return &client, nil
}

// buildTLSConfig creates a new TLS Config struct with the properties from the exporter's
// Config struct.
func (e *Exporter) buildTLSConfig() (*tls.Config, error) {
tlsConfig := &tls.Config{}
if e.config.TLSConfig == nil {
return tlsConfig, nil
}

// Set the server name if it exists.
if e.config.TLSConfig["server_name"] != "" {
tlsConfig.ServerName = e.config.TLSConfig["server_name"]
}

// Set InsecureSkipVerify. Viper reads the bool as a string since it is in a map.
if isv, ok := e.config.TLSConfig["insecure_skip_verify"]; ok {
var err error
if tlsConfig.InsecureSkipVerify, err = strconv.ParseBool(isv); err != nil {
return nil, err
}
}

// Load certificates from CA file if it exists.
caFile := e.config.TLSConfig["ca_file"]
if caFile != "" {
caFileData, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caFileData)
tlsConfig.RootCAs = certPool
}

// Load the client certificate if it exists.
certFile := e.config.TLSConfig["cert_file"]
keyFile := e.config.TLSConfig["key_file"]
if certFile != "" && keyFile != "" {
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}

return tlsConfig, nil
}
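Review bot: in buildTLSConfig the return value of `certPool.AppendCertsFromPEM(caFileData)` is discarded, so a `ca_file` that exists but contains no parsable PEM certificates produces an empty RootCAs pool, and every later handshake fails with an "unknown authority" error that points nowhere near the real misconfiguration; check the bool and return an error such as `fmt.Errorf("no valid certificates found in ca_file %q", caFile)` (fmt is already imported). Related: the client-certificate block is skipped silently when only one of `cert_file` / `key_file` is set, even though the user evidently intended mutual TLS; rejecting a half-specified pair as a configuration error surfaces the mistake at exporter startup instead of as a server-side handshake rejection. Minor, in buildClient: the intermediate `proxy := http.ProxyURL(e.config.ProxyURL)` can be assigned to `transport.Proxy` directly.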