gitlab-exporter 11.15.2 → 11.17.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d0a0ae02ed20a88844dab048496ad7f6d5aad588627a39abd380506ced488c4
-  data.tar.gz: 7452e058c911f6f32c4803bc8a37b694f2a9d604531a5f9b1ec467082e3a5fc8
+  metadata.gz: c6ccef6882054ab76a7ae363221460936a3183ed9055b3b0df775373eac4865f
+  data.tar.gz: e940486956e6d8a32f6c10f696d7baebf27c16d7654e43446325a647e8281143
 SHA512:
-  metadata.gz: 133f534a5a51bc55910b4e06c5d6f7f12cee338952ce92567972e83c5ab4cd95d94cd00336f790b92a66db48ad7c1d31ddcdd9734a15e602986d28c765034671
-  data.tar.gz: 37b8a8a952d9b3352e5bfe458984a4fb2ea7b27dda687e25b42c5c52ba16476f8ebe69e59ab19dfd95492599918cf0967576315554fbbe2b76929835bd9327a2
+  metadata.gz: d9c4f7f435a0460cf5e068ee1d2840500ef12f3324e779aebcd04fe2cd42e98df18602851d25caedf0c49a91956fd7cb9a62a635eb6269a80d7fdf4b93e2010d
+  data.tar.gz: dc5e84fd8acd9568c924a5e51a753df3ad85b2efdea1b6e626fa8ed4e604fb5e05c040ec5700e3e85accf52734aa4cd34c37d3bd2549c35cb2e25808a337b04d

data/.gitlab-ci.yml

@@ -12,6 +12,7 @@ variables:
 stages:
   - test
   - dast
+  - publish
 
 default:
   image: ruby:${RUBY_VERSION}
@@ -57,3 +58,16 @@ gemnasium-dependency_scanning:
 
 secret_detection:
   rules: *workflow_rules
+
+publish_to_rubygems:
+  stage: publish
+  script:
+    - mkdir -p ~/.gem
+    - 'echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" > ~/.gem/credentials'
+    - chmod 0600 ~/.gem/credentials
+    - gem build gitlab-exporter.gemspec --output=gitlab-exporter.gem
+    - gem push gitlab-exporter.gem
+  before_script: *before_scripts
+  rules:
+    # Only push to RubyGems.org when we tag a new version
+    - if: '$CI_COMMIT_TAG'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-exporter (11.15.2)
+    gitlab-exporter (11.17.1)
       connection_pool (= 2.2.5)
       faraday (~> 1.8.0)
       pg (= 1.2.3)
@@ -10,7 +10,7 @@ PATH
       redis (= 4.4.0)
       redis-namespace (= 1.6.0)
       sidekiq (= 6.4.0)
-      sinatra (~> 2.1.0)
+      sinatra (~> 2.2.0)
 
 GEM
   remote: https://rubygems.org/
@@ -37,7 +37,7 @@ GEM
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
-    multipart-post (2.1.1)
+    multipart-post (2.2.3)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     nio4r (2.5.8)
@@ -48,8 +48,8 @@ GEM
     puma (5.6.2)
       nio4r (~> 2.0)
     quantile (0.2.1)
-    rack (2.2.3)
-    rack-protection (2.1.0)
+    rack (2.2.4)
+    rack-protection (2.2.0)
       rack
     rainbow (3.0.0)
     redis (4.4.0)
@@ -87,10 +87,10 @@ GEM
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
       redis (>= 4.2.0)
-    sinatra (2.1.0)
+    sinatra (2.2.0)
       mustermann (~> 1.0)
       rack (~> 2.2)
-      rack-protection (= 2.1.0)
+      rack-protection (= 2.2.0)
       tilt (~> 2.0)
     tilt (2.0.10)
     unicode-display_width (1.7.0)

data/config/gitlab-exporter.yml.example

@@ -6,11 +6,15 @@ db_common: &db_common
 
 # Web server config
 server:
-  name: puma # cf. https://github.com/sinatra/sinatra#available-settings
+  name: webrick # cf. https://github.com/sinatra/sinatra#available-settings
   listen_address: 0.0.0.0
   listen_port: 9168
   # Maximum amount of memory to use in megabytes, after which the process is killed
   memory_threshold: 1024
+  # TLS settings
+  tls_enabled: false
+  tls_cert_path: /tmp/server.crt
+  tls_key_path: /tmp/server.key
 
 # Probes config
 probes:

data/gitlab-exporter.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "redis", "4.4.0"
   s.add_runtime_dependency "redis-namespace", "1.6.0"
   s.add_runtime_dependency "sidekiq", "6.4.0"
-  s.add_runtime_dependency "sinatra", "~> 2.1.0"
+  s.add_runtime_dependency "sinatra", "~> 2.2.0"
 
   s.add_development_dependency "rspec", "~> 3.7.0"
   s.add_development_dependency "rspec-expectations", "~> 3.7.0"

data/lib/gitlab_exporter/tls_helper.rb

@@ -0,0 +1,39 @@
+# Contains helper methods to generate TLS related configuration for web servers
+module TLSHelper
+  CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
+  def validate_tls_config(config)
+    %i[tls_cert_path tls_key_path].each do |key|
+      fail "TLS enabled, but #{key} not specified in config" unless config.key?(key)
+
+      fail "File specified via #{key} not found: #{config[key]}" unless File.exist?(config[key])
+    end
+  end
+
+  def webrick_tls_config(config)
+    # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
+    require "webrick/ssl"
+
+    certs = load_ca_certs_bundle(File.binread(config[:tls_cert_path]))
+
+    {
+      SSLEnable: true,
+      SSLCertificate: certs.shift,
+      SSLPrivateKey: OpenSSL::PKey.read(File.binread(config[:tls_key_path])),
+      # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
+      # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
+      SSLStartImmediately: true,
+      SSLExtraChainCert: certs
+    }
+  end
+
+  # In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
+  # https://github.com/ruby/openssl/issues/254
+  def load_ca_certs_bundle(ca_certs_string)
+    return [] unless ca_certs_string
+
+    ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+      OpenSSL::X509::Certificate.new(ca_cert_string)
+    end
+  end
+end

data/lib/gitlab_exporter/version.rb

@@ -1,5 +1,5 @@
 module GitLab
   module Exporter
-    VERSION = "11.15.2".freeze
+    VERSION = "11.17.1".freeze
   end
 end

data/lib/gitlab_exporter/web_exporter.rb

@@ -1,5 +1,8 @@
 require "sinatra/base"
 require "English"
+require "cgi"
+
+require_relative "tls_helper"
 
 module GitLab
   module Exporter
@@ -51,6 +54,8 @@ module GitLab
       end
 
       class << self
+        include TLSHelper
+
         DEFAULT_WEB_SERVER = "webrick".freeze
 
         def setup(config)
@@ -74,8 +79,47 @@ module GitLab
           config ||= {}
 
           set(:server, config.fetch(:name, DEFAULT_WEB_SERVER))
-          set(:bind, config.fetch(:listen_address, "0.0.0.0"))
           set(:port, config.fetch(:listen_port, 9168))
+
+          # Depending on whether TLS is enabled or not, bind string
+          # will be different.
+          if config.fetch(:tls_enabled, "false").to_s == "true"
+            set_tls_config(config)
+          else
+            set(:bind, config.fetch(:listen_address, "0.0.0.0"))
+          end
+        end
+
+        def set_tls_config(config) # rubocop:disable Naming/AccessorMethodName
+          validate_tls_config(config)
+
+          web_server = config.fetch(:name, DEFAULT_WEB_SERVER)
+          if web_server == "webrick"
+            set_webrick_tls(config)
+          elsif web_server == "puma"
+            set_puma_tls(config)
+          else
+            fail "TLS not supported for web server `#{web_server}`."
+          end
+        end
+
+        def set_webrick_tls(config) # rubocop:disable Naming/AccessorMethodName
+          server_settings = {}
+          server_settings.merge!(webrick_tls_config(config))
+
+          set(:bind, config.fetch(:listen_address, "0.0.0.0"))
+          set(:server_settings, server_settings)
+        end
+
+        def set_puma_tls(config) # rubocop:disable Naming/AccessorMethodName
+          listen_address = config.fetch(:listen_address, "0.0.0.0")
+          listen_port = config.fetch(:listen_port, 8443)
+          tls_cert_path = CGI.escape(config.fetch(:tls_cert_path))
+          tls_key_path = CGI.escape(config.fetch(:tls_key_path))
+
+          bind_string = "ssl://#{listen_address}:#{listen_port}?cert=#{tls_cert_path}&key=#{tls_key_path}"
+
+          set(:bind, bind_string)
         end
 
         def setup_probes(config)

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-exporter
 version: !ruby/object:Gem::Version
-  version: 11.15.2
+  version: 11.17.1
 platform: ruby
 authors:
 - Pablo Carranza
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
 date: 2016-07-27 00:00:00.000000000 Z
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -204,6 +204,7 @@ files:
 - lib/gitlab_exporter/prometheus.rb
 - lib/gitlab_exporter/ruby.rb
 - lib/gitlab_exporter/sidekiq.rb
+- lib/gitlab_exporter/tls_helper.rb
 - lib/gitlab_exporter/util.rb
 - lib/gitlab_exporter/version.rb
 - lib/gitlab_exporter/web_exporter.rb
@@ -224,7 +225,7 @@ homepage: http://gitlab.com
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -240,7 +241,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key:
+signing_key: 
 specification_version: 4
 summary: GitLab metrics exporter
 test_files: