fluent-plugin-prometheus_pushgateway 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83aa882961dd332a23b4081ad6332b4c25f07f828d9f4923085d92fb405d695e
-  data.tar.gz: edd979ab479a66165491a52d4337eed6d362ef19281778dcb6ae014f5ca691e5
+  metadata.gz: 6ed0d4b03ca33b58ea2329fb9af3b66d139a4f569c063cb02d9f9b2c01b0f453
+  data.tar.gz: '097fdd8eb62233042b1ebd64aaf734ba93b9db8ac6cffd87183239050621ba06'
 SHA512:
-  metadata.gz: 8d4feb7afaab1261ecf3ee750d556858214ee89c294d42251e66df26abe00fd7b7d97f2325e928e5064b0fea98fc1e5c93e260747999674e624d172784a26a53
-  data.tar.gz: 5adee7d6662867a22d424e3ad4cda9b19687fdc63ad85aaf29ce146303cab91fbf3437a6a5fee78a3afcf7287b5f5db916e38086916f57d4cd31b17a4ad61344
+  metadata.gz: 828cf255662867a97aa8ded33e34e7aa4868f44359b56ec263bfe01b67494b7d6fcf48b293c52d96bee9b8ba5b231ca83dba34885fcc8803e2b1cb99377e6ede
+  data.tar.gz: a7215235075497dd73b745e206b1e6b815c47477f3028e6d18aba91e5e16db7808c6d3b6fe425194842956c65ed7d5fbd6b29ae568759426cc3fbb4f27b47d02

data/README.md

@@ -42,6 +42,16 @@ More configuration parameters:
 - `instance`: instance name (default: nil)
 - `push_interval`: the interval of pushing data to pushgateway (default: 3)
 
+these parameters are used when `gateway` starts with 'https'
+
+- `tls_ca_cert_path`: The CA certificate path for TLS (default nil)
+- `tls_client_cert_path`: The client certificate path for TLS (default nil)
+- `tls_private_key_path`: The client private key path for TLS (default nil)
+- `tls_private_key_passphrase`: The client private key passphrase for TLS (default nil)
+- `tls_verify_mode`: The verify mode of TLS (default :peer)
+- `tls_version`: The default version of TLS (default :TLSv1_2)
+- `tls_ciphers`: The cipher configuration of TLS (default ALL:!aNULL:!eNULL:!SSLv2)
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/fluent-plugin-prometheus_pushgateway.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "fluent-plugin-prometheus_pushgateway"
-  spec.version       = "0.0.1"
+  spec.version       = "0.0.2"
   spec.authors       = ["Yuta Iwama"]
   spec.email         = ["ganmacs@gmail.com"]
 

data/lib/fluent/plugin/out_prometheus_pushgateway.rb

@@ -17,6 +17,14 @@
 require 'prometheus/client/push'
 require 'fluent/plugin/output'
 
+begin
+  require 'fluent/tls'
+rescue LoadError
+  # compatible layer for fluentd v1.9.1 or earlier
+  # https://github.com/fluent/fluentd/pull/2802
+  require_relative 'prometheus_pushgateway/tls'
+end
+
 module Fluent
   module Plugin
     class PrometheusPushgatewayOutput < Fluent::Plugin::Output
@@ -33,6 +41,21 @@ module Fluent
       desc 'the interval of pushing data to pushgateway'
       config_param :push_interval, :time, default: 3
 
+      desc 'The CA certificate path for TLS'
+      config_param :tls_ca_cert_path, :string, default: nil
+      desc 'The client certificate path for TLS'
+      config_param :tls_client_cert_path, :string, default: nil
+      desc 'The client private key path for TLS'
+      config_param :tls_private_key_path, :string, default: nil
+      desc 'The client private key passphrase for TLS'
+      config_param :tls_private_key_passphrase, :string, default: nil, secret: true
+      desc 'The verify mode of TLS'
+      config_param :tls_verify_mode, :enum, list: %i[none peer], default: :peer
+      desc 'The default version of TLS'
+      config_param :tls_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: Fluent::TLS::DEFAULT_VERSION
+      desc 'The cipher configuration of TLS'
+      config_param :tls_ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
+
       def initialize
         super
 
@@ -47,6 +70,21 @@ module Fluent
         super
 
         @push_client = ::Prometheus::Client::Push.new("#{@job_name}:#{fluentd_worker_id}", @instance, @gateway)
+
+        use_tls = gateway && (URI.parse(gateway).scheme == 'https')
+
+        if use_tls
+          # prometheus client doesn't have an interface to set the HTTPS options
+          http = @push_client.instance_variable_get(:@http)
+          if http.nil?
+            log.warn("prometheus client ruby's version unmatched. https setting is ignored")
+          end
+
+          # https://github.com/ruby/ruby/blob/dec802d8b59900e57e18fa6712caf95f12324aea/lib/net/http.rb#L599-L604
+          tls_options.each do |k, v|
+            http.__send__("#{k}=", v)
+          end
+        end
       end
 
       def start
@@ -60,6 +98,48 @@ module Fluent
       def process(tag, es)
         # nothing
       end
+
+      private
+
+      def tls_options
+        opt = {}
+
+        if @tls_ca_cert_path
+          unless File.file?(@tls_ca_cert_path)
+            raise Fluent::ConfigError, "tls_ca_cert_path is wrong: #{@tls_ca_cert_path}"
+          end
+
+          opt[:ca_file] = @tls_ca_cert_path
+        end
+
+        if @tls_client_cert_path
+          unless File.file?(@tls_client_cert_path)
+            raise Fluent::ConfigError, "tls_client_cert_path is wrong: #{@tls_client_cert_path}"
+          end
+
+          opt[:cert] = OpenSSL::X509::Certificate.new(File.read(@tls_client_cert_path))
+        end
+
+        if @tls_private_key_path
+          unless File.file?(@tls_private_key_path)
+            raise Fluent::ConfigError, "tls_private_key_path is wrong: #{@tls_private_key_path}"
+          end
+
+          opt[:key] = OpenSSL::PKey.read(File.read(@tls_private_key_path), @tls_private_key_passphrase)
+        end
+
+        opt[:verify_mode] = case @tls_verify_mode
+                            when :none
+                              OpenSSL::SSL::VERIFY_NONE
+                            when :peer
+                              OpenSSL::SSL::VERIFY_PEER
+                            end
+
+        opt[:ciphers] = @tls_ciphers
+        opt[:ssl_version] = @tls_version
+
+        opt
+      end
     end
   end
 end

data/lib/fluent/plugin/prometheus_pushgateway/tls.rb

@@ -0,0 +1,82 @@
+#
+# Fluentd
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+require 'openssl'
+require 'fluent/config/error'
+
+# copy from https://github.com/fluent/fluentd/blob/9d113029d4550ce576d8825bfa9612aa3e55bff0/lib/fluent/tls.rb
+
+module Fluent
+  module TLS
+    DEFAULT_VERSION = :TLSv1_2
+    SUPPORTED_VERSIONS = if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+                           %i[TLSv1_1 TLSv1_2 TLSv1_3 TLS1_1 TLS1_2 TLS1_3].freeze
+                         else
+                           %i[TLSv1_1 TLSv1_2 TLS1_1 TLS1_2].freeze
+                         end
+    ### follow httpclient configuration by nahi
+    # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+    CIPHERS_DEFAULT = 'ALL:!aNULL:!eNULL:!SSLv2'.freeze # OpenSSL >1.0.0 default
+
+    METHODS_MAP = begin
+                    map = {
+                      TLSv1: OpenSSL::SSL::TLS1_VERSION,
+                      TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
+                      TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION
+                    }
+                    map[TLSv1_3] = OpenSSL::SSL::TLS1_3_VERSION if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+                    MIN_MAX_AVAILABLE = true
+                    map.freeze
+                  rescue NameError
+                    # ruby 2.4 doesn't have OpenSSL::SSL::TLSXXX constants and min_version=/max_version= methods
+                    map = {
+                      TLS1: :TLSv1,
+                      TLS1_1: :TLSv1_1,
+                      TLS1_2: :TLSv1_2,
+                    }.freeze
+                    MIN_MAX_AVAILABLE = false
+                    map
+                  end
+    private_constant :METHODS_MAP
+
+    # Helper for old syntax/method support:
+    # ruby 2.4 uses ssl_version= but this method is now deprecated.
+    # min_version=/max_version= use 'TLS1_2' but ssl_version= uses 'TLSv1_2'
+    def set_version_to_context(ctx, version, min_version, max_version)
+      if MIN_MAX_AVAILABLE
+        case
+        when min_version.nil? && max_version.nil?
+          min_version = METHODS_MAP[version] || version
+          max_version = METHODS_MAP[version] || version
+        when min_version.nil? && max_version
+          raise Fluent::ConfigError, "When you set max_version, must set min_version together"
+        when min_version && max_version.nil?
+          raise Fluent::ConfigError, "When you set min_version, must set max_version together"
+        else
+          min_version = METHODS_MAP[min_version] || min_version
+          max_version = METHODS_MAP[max_version] || max_version
+        end
+        ctx.min_version = min_version
+        ctx.max_version = max_version
+      else
+        ctx.ssl_version = METHODS_MAP[version] || version
+      end
+
+      ctx
+    end
+    module_function :set_version_to_context
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-prometheus_pushgateway
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Yuta Iwama
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-02-13 00:00:00.000000000 Z
+date: 2020-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluent-plugin-prometheus
@@ -105,6 +105,7 @@ files:
 - examples/pushgateway.conf
 - fluent-plugin-prometheus_pushgateway.gemspec
 - lib/fluent/plugin/out_prometheus_pushgateway.rb
+- lib/fluent/plugin/prometheus_pushgateway/tls.rb
 homepage: https://github.com/fluent/fluent-plugin-prometheus_pushgateway
 licenses:
 - Apache-2.0