gitlab-exporter 11.15.1 → 11.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc907a56d817f1dffc5afdf08211684b354ec21c5fdee7abdfa759bce75de833
-  data.tar.gz: 13d79cf16be242b746e609ced0166420c1e1a4ccd2aebd34805bc1a8fd35736a
+  metadata.gz: 513416303a50799c69f2ece3bf3062e1a004fb0def6c0a53b781faf1b136c9af
+  data.tar.gz: 4534bc4312933d7bdf69b3949bf9aca49a647b767ab2ce239997c5afdadb3839
 SHA512:
-  metadata.gz: 69fce170e3b138cc0f2431fedcfb4b3485414cd9620dbbd6d9d56b13f4d1cc10d3406a7036a9b8555f12073ce968bdf896e070aabbd8500ed11cffbe0861a8a5
-  data.tar.gz: 5101ebb164656364dee6a6053c0e6128488e72d674df7ea15326c5b80090a565a138dd27fcf959057a94258b992f7785052ab32be3fbbd38986465262512d4a7
+  metadata.gz: 19895651f79c79b0aac530cdac7286b7a4f29b14dc5e7c580d543c2efe892f5c432d5a9319bbf2ba49da0ee14b90159060869e0673dc750c318faf99c7ee601a
+  data.tar.gz: 8b42d035c9953ef162e30381ad06b616b153d293f36dd2436ebdbe5b2b147f4166ab7d91ca0c221b19bbcb541998437ccd2ab40f81d3b8a4c65d81d8c7514122

data/.gitlab-ci.yml

@@ -12,6 +12,7 @@ variables:
 stages:
   - test
   - dast
+  - publish
 
 default:
   image: ruby:${RUBY_VERSION}
@@ -57,3 +58,16 @@ gemnasium-dependency_scanning:
 
 secret_detection:
   rules: *workflow_rules
+
+publish_to_rubygems:
+  stage: publish
+  script:
+    - mkdir -p ~/.gem
+    - 'echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" > ~/.gem/credentials'
+    - chmod 0600 ~/.gem/credentials
+    - gem build gitlab-exporter.gemspec --output=gitlab-exporter.gem
+    - gem push gitlab-exporter.gem
+  before_script: *before_scripts
+  rules:
+    # Only push to RubyGems.org when we tag a new version
+    - if: '$CI_COMMIT_TAG'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-exporter (11.15.1)
+    gitlab-exporter (11.17.0)
       connection_pool (= 2.2.5)
       faraday (~> 1.8.0)
       pg (= 1.2.3)
@@ -10,7 +10,7 @@ PATH
       redis (= 4.4.0)
       redis-namespace (= 1.6.0)
       sidekiq (= 6.4.0)
-      sinatra (~> 2.1.0)
+      sinatra (~> 2.2.0)
 
 GEM
   remote: https://rubygems.org/
@@ -37,7 +37,7 @@ GEM
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
-    multipart-post (2.1.1)
+    multipart-post (2.2.3)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nio4r (2.5.8)
@@ -48,8 +48,8 @@ GEM
     puma (5.6.2)
       nio4r (~> 2.0)
     quantile (0.2.1)
-    rack (2.2.3)
-    rack-protection (2.1.0)
+    rack (2.2.4)
+    rack-protection (2.2.0)
       rack
     rainbow (3.0.0)
     redis (4.4.0)
@@ -87,10 +87,10 @@ GEM
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
       redis (>= 4.2.0)
-    sinatra (2.1.0)
+    sinatra (2.2.0)
       mustermann (~> 1.0)
       rack (~> 2.2)
-      rack-protection (= 2.1.0)
+      rack-protection (= 2.2.0)
       tilt (~> 2.0)
     tilt (2.0.10)
     unicode-display_width (1.7.0)

data/config/gitlab-exporter.yml.example

@@ -6,11 +6,15 @@ db_common: &db_common
 
 # Web server config
 server:
-  name: puma # cf. https://github.com/sinatra/sinatra#available-settings
+  name: webrick # cf. https://github.com/sinatra/sinatra#available-settings
   listen_address: 0.0.0.0
   listen_port: 9168
   # Maximum amount of memory to use in megabytes, after which the process is killed
   memory_threshold: 1024
+  # TLS settings
+  tls_enabled: false
+  tls_cert_path: /tmp/server.crt
+  tls_key_path: /tmp/server.key
 
 # Probes config
 probes:

data/gitlab-exporter.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "redis", "4.4.0"
   s.add_runtime_dependency "redis-namespace", "1.6.0"
   s.add_runtime_dependency "sidekiq", "6.4.0"
-  s.add_runtime_dependency "sinatra", "~> 2.1.0"
+  s.add_runtime_dependency "sinatra", "~> 2.2.0"
 
   s.add_development_dependency "rspec", "~> 3.7.0"
   s.add_development_dependency "rspec-expectations", "~> 3.7.0"

data/lib/gitlab_exporter/database/row_count.rb

@@ -182,7 +182,7 @@ module GitLab
           container_repositories_import_done_free: {
             select: :container_repositories,
             where: <<~SQL
-              migration_state = 'import_done'
+              (migration_state = 'import_done' OR created_at >= '2022-01-23 00:00:00')
               AND (migration_plan IN ('free', 'early_adopter')
                 OR migration_plan IS NULL)
             SQL

data/lib/gitlab_exporter/tls_helper.rb

@@ -0,0 +1,39 @@
+# Contains helper methods to generate TLS related configuration for web servers
+module TLSHelper
+  CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
+  def validate_tls_config(config)
+    %i[tls_cert_path tls_key_path].each do |key|
+      fail "TLS enabled, but #{key} not specified in config" unless config.key?(key)
+
+      fail "File specified via #{key} not found: #{config[file]}" unless File.exist?(config[key])
+    end
+  end
+
+  def webrick_tls_config(config)
+    # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
+    require "webrick/ssl"
+
+    certs = load_ca_certs_bundle(File.binread(config[:tls_cert_path]))
+
+    {
+      SSLEnable: true,
+      SSLCertificate: certs.shift,
+      SSLPrivateKey: OpenSSL::PKey.read(File.binread(config[:tls_key_path])),
+      # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
+      # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
+      SSLStartImmediately: true,
+      SSLExtraChainCert: certs
+    }
+  end
+
+  # In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
+  # https://github.com/ruby/openssl/issues/254
+  def load_ca_certs_bundle(ca_certs_string)
+    return [] unless ca_certs_string
+
+    ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+      OpenSSL::X509::Certificate.new(ca_cert_string)
+    end
+  end
+end

data/lib/gitlab_exporter/version.rb

@@ -1,5 +1,5 @@
 module GitLab
   module Exporter
-    VERSION = "11.15.1".freeze
+    VERSION = "11.17.0".freeze
   end
 end

data/lib/gitlab_exporter/web_exporter.rb

@@ -1,5 +1,8 @@
 require "sinatra/base"
 require "English"
+require "cgi"
+
+require_relative "tls_helper"
 
 module GitLab
   module Exporter
@@ -51,6 +54,8 @@ module GitLab
       end
 
       class << self
+        include TLSHelper
+
         DEFAULT_WEB_SERVER = "webrick".freeze
 
         def setup(config)
@@ -74,8 +79,47 @@ module GitLab
           config ||= {}
 
           set(:server, config.fetch(:name, DEFAULT_WEB_SERVER))
-          set(:bind, config.fetch(:listen_address, "0.0.0.0"))
           set(:port, config.fetch(:listen_port, 9168))
+
+          # Depending on whether TLS is enabled or not, bind string
+          # will be different.
+          if config.fetch(:tls_enabled, "false").to_s == "true"
+            set_tls_config(config)
+          else
+            set(:bind, config.fetch(:listen_address, "0.0.0.0"))
+          end
+        end
+
+        def set_tls_config(config) # rubocop:disable Naming/AccessorMethodName
+          validate_tls_config(config)
+
+          web_server = config.fetch(:name, DEFAULT_WEB_SERVER)
+          if web_server == "webrick"
+            set_webrick_tls(config)
+          elsif web_server == "puma"
+            set_puma_tls(config)
+          else
+            fail "TLS not supported for web server `#{web_server}`."
+          end
+        end
+
+        def set_webrick_tls(config) # rubocop:disable Naming/AccessorMethodName
+          server_settings = {}
+          server_settings.merge!(webrick_tls_config(config))
+
+          set(:bind, config.fetch(:listen_address, "0.0.0.0"))
+          set(:server_settings, server_settings)
+        end
+
+        def set_puma_tls(config) # rubocop:disable Naming/AccessorMethodName
+          listen_address = config.fetch(:listen_address, "0.0.0.0")
+          listen_port = config.fetch(:listen_port, 8443)
+          tls_cert_path = CGI.escape(config.fetch(:tls_cert_path))
+          tls_key_path = CGI.escape(config.fetch(:tls_key_path))
+
+          bind_string = "ssl://#{listen_address}:#{listen_port}?cert=#{tls_cert_path}&key=#{tls_key_path}"
+
+          set(:bind, bind_string)
         end
 
         def setup_probes(config)

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-exporter
 version: !ruby/object:Gem::Version
-  version: 11.15.1
+  version: 11.17.0
 platform: ruby
 authors:
 - Pablo Carranza
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
 date: 2016-07-27 00:00:00.000000000 Z
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -204,6 +204,7 @@ files:
 - lib/gitlab_exporter/prometheus.rb
 - lib/gitlab_exporter/ruby.rb
 - lib/gitlab_exporter/sidekiq.rb
+- lib/gitlab_exporter/tls_helper.rb
 - lib/gitlab_exporter/util.rb
 - lib/gitlab_exporter/version.rb
 - lib/gitlab_exporter/web_exporter.rb
@@ -224,7 +225,7 @@ homepage: http://gitlab.com
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -240,7 +241,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key:
+signing_key: 
 specification_version: 4
 summary: GitLab metrics exporter
 test_files: