gitlab-exporter 11.16.0 → 11.17.0

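--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 59972832ceb5628be0928d0b307c129838ba6ebe5c2c96ad700ea28a8b153db7
- data.tar.gz: 3fd4e095c416f2dbbea0c9f5901f1d8fe3d9006eda4f8b4a522a4802cdb2a924
+ metadata.gz: 513416303a50799c69f2ece3bf3062e1a004fb0def6c0a53b781faf1b136c9af
+ data.tar.gz: 4534bc4312933d7bdf69b3949bf9aca49a647b767ab2ce239997c5afdadb3839
  SHA512:
- metadata.gz: 8b68d888728ea5316c91e8a3ca26383dd8161544db55df677fc58fcb3c6ed5771c9154235462c3a0decee89b9dd31c6ffbef424d4106d8b534c6d9b015dbc0a4
- data.tar.gz: 4402cac5d98a53b077a1832c4d933a1ed93f49cc498a739396ec96f99ab361bb2a3f07e01c58bd4095c100ea77fbe3931fd645e1e4a4d37b5c8fccf99d43d644
+ metadata.gz: 19895651f79c79b0aac530cdac7286b7a4f29b14dc5e7c580d543c2efe892f5c432d5a9319bbf2ba49da0ee14b90159060869e0673dc750c318faf99c7ee601a
+ data.tar.gz: 8b42d035c9953ef162e30381ad06b616b153d293f36dd2436ebdbe5b2b147f4166ab7d91ca0c221b19bbcb541998437ccd2ab40f81d3b8a4c65d81d8c7514122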
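--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- gitlab-exporter (11.16.0)
+ gitlab-exporter (11.17.0)
  connection_pool (= 2.2.5)
  faraday (~> 1.8.0)
  pg (= 1.2.3)
@@ -37,7 +37,7 @@ GEM
  faraday-net_http_persistent (1.2.0)
  faraday-patron (1.0.0)
  faraday-rack (1.0.0)
- multipart-post (2.1.1)
+ multipart-post (2.2.3)
  mustermann (1.1.1)
  ruby2_keywords (~> 0.0.1)
  nio4r (2.5.8)
@@ -48,7 +48,7 @@ GEM
  puma (5.6.2)
  nio4r (~> 2.0)
  quantile (0.2.1)
- rack (2.2.3.1)
+ rack (2.2.4)
  rack-protection (2.2.0)
  rack
  rainbow (3.0.0)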
@@ -6,11 +6,15 @@ db_common: &db_common
6
6
 
7
7
  # Web server config
8
8
  server:
9
- name: puma # cf. https://github.com/sinatra/sinatra#available-settings
9
+ name: webrick # cf. https://github.com/sinatra/sinatra#available-settings
10
10
  listen_address: 0.0.0.0
11
11
  listen_port: 9168
12
12
  # Maximum amount of memory to use in megabytes, after which the process is killed
13
13
  memory_threshold: 1024
14
+ # TLS settings
15
+ tls_enabled: false
16
+ tls_cert_path: /tmp/server.crt
17
+ tls_key_path: /tmp/server.key
14
18
 
15
19
  # Probes config
16
20
  probes:
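Review bot: The sample values `tls_cert_path: /tmp/server.crt` and `tls_key_path: /tmp/server.key` place the private key in a world-writable directory, and sample paths tend to be copied into real deployments unchanged. Neutral placeholders such as `tls_key_path: /path/to/server.key` would be safer, together with a comment like `# Key file should be readable only by the user running the exporter`. Since the sample keeps `listen_address: 0.0.0.0` with `tls_enabled: false`, a short comment that this serves metrics in plaintext on all interfaces would also help operators choose deliberately.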
@@ -0,0 +1,39 @@
1
+ # Contains helper methods to generate TLS related configuration for web servers
2
+ module TLSHelper
3
+ CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
4
+
5
+ def validate_tls_config(config)
6
+ %i[tls_cert_path tls_key_path].each do |key|
7
+ fail "TLS enabled, but #{key} not specified in config" unless config.key?(key)
8
+
9
+ fail "File specified via #{key} not found: #{config[file]}" unless File.exist?(config[key])
10
+ end
11
+ end
12
+
13
+ def webrick_tls_config(config)
14
+ # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
15
+ require "webrick/ssl"
16
+
17
+ certs = load_ca_certs_bundle(File.binread(config[:tls_cert_path]))
18
+
19
+ {
20
+ SSLEnable: true,
21
+ SSLCertificate: certs.shift,
22
+ SSLPrivateKey: OpenSSL::PKey.read(File.binread(config[:tls_key_path])),
23
+ # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
24
+ # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
25
+ SSLStartImmediately: true,
26
+ SSLExtraChainCert: certs
27
+ }
28
+ end
29
+
30
+ # In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
31
+ # https://github.com/ruby/openssl/issues/254
32
+ def load_ca_certs_bundle(ca_certs_string)
33
+ return [] unless ca_certs_string
34
+
35
+ ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
36
+ OpenSSL::X509::Certificate.new(ca_cert_string)
37
+ end
38
+ end
39
+ end
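Review bot: In `validate_tls_config` the second `fail` message interpolates `config[file]`, but no `file` is defined anywhere in the visible method, so a missing certificate or key file raises NameError instead of the intended message. The line should read `fail "File specified via #{key} not found: #{config[key]}" unless File.exist?(config[key])`. In `webrick_tls_config`, a certificate file containing no PEM block makes `certs.shift` return nil, so `SSLCertificate` is passed as nil rather than the misconfiguration being reported. A guard right after the load, e.g. `fail "No certificate found in #{config[:tls_cert_path]}" if certs.empty?`, would surface this at startup.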
@@ -1,5 +1,5 @@
1
1
  module GitLab
2
2
  module Exporter
3
- VERSION = "11.16.0".freeze
3
+ VERSION = "11.17.0".freeze
4
4
  end
5
5
  end
@@ -1,5 +1,8 @@
1
1
  require "sinatra/base"
2
2
  require "English"
3
+ require "cgi"
4
+
5
+ require_relative "tls_helper"
3
6
 
4
7
  module GitLab
5
8
  module Exporter
@@ -51,6 +54,8 @@ module GitLab
51
54
  end
52
55
 
53
56
  class << self
57
+ include TLSHelper
58
+
54
59
  DEFAULT_WEB_SERVER = "webrick".freeze
55
60
 
56
61
  def setup(config)
@@ -74,8 +79,47 @@ module GitLab
74
79
  config ||= {}
75
80
 
76
81
  set(:server, config.fetch(:name, DEFAULT_WEB_SERVER))
77
- set(:bind, config.fetch(:listen_address, "0.0.0.0"))
78
82
  set(:port, config.fetch(:listen_port, 9168))
83
+
84
+ # Depending on whether TLS is enabled or not, bind string
85
+ # will be different.
86
+ if config.fetch(:tls_enabled, "false").to_s == "true"
87
+ set_tls_config(config)
88
+ else
89
+ set(:bind, config.fetch(:listen_address, "0.0.0.0"))
90
+ end
91
+ end
92
+
93
+ def set_tls_config(config) # rubocop:disable Naming/AccessorMethodName
94
+ validate_tls_config(config)
95
+
96
+ web_server = config.fetch(:name, DEFAULT_WEB_SERVER)
97
+ if web_server == "webrick"
98
+ set_webrick_tls(config)
99
+ elsif web_server == "puma"
100
+ set_puma_tls(config)
101
+ else
102
+ fail "TLS not supported for web server `#{web_server}`."
103
+ end
104
+ end
105
+
106
+ def set_webrick_tls(config) # rubocop:disable Naming/AccessorMethodName
107
+ server_settings = {}
108
+ server_settings.merge!(webrick_tls_config(config))
109
+
110
+ set(:bind, config.fetch(:listen_address, "0.0.0.0"))
111
+ set(:server_settings, server_settings)
112
+ end
113
+
114
+ def set_puma_tls(config) # rubocop:disable Naming/AccessorMethodName
115
+ listen_address = config.fetch(:listen_address, "0.0.0.0")
116
+ listen_port = config.fetch(:listen_port, 8443)
117
+ tls_cert_path = CGI.escape(config.fetch(:tls_cert_path))
118
+ tls_key_path = CGI.escape(config.fetch(:tls_key_path))
119
+
120
+ bind_string = "ssl://#{listen_address}:#{listen_port}?cert=#{tls_cert_path}&key=#{tls_key_path}"
121
+
122
+ set(:bind, bind_string)
79
123
  end
80
124
 
81
125
  def setup_probes(config)
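Review bot: The check `config.fetch(:tls_enabled, "false").to_s == "true"` treats every value other than the exact string `true` as disabled, so a value such as `1` or the quoted string `"True"` silently falls through to the plaintext `else` branch. Failing on unrecognised values would make that misconfiguration visible at startup. In `set_puma_tls` the fallback `config.fetch(:listen_port, 8443)` disagrees with `set(:port, config.fetch(:listen_port, 9168))` a few lines above, so with no `listen_port` configured the bind string and the `:port` setting differ; using `9168` in both places keeps them consistent. `listen_address` is also interpolated into the `ssl://` bind string unescaped, while both paths go through `CGI.escape`. The method containing the `tls_enabled` check begins above this hunk.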
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab-exporter
3
3
  version: !ruby/object:Gem::Version
4
- version: 11.16.0
4
+ version: 11.17.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Pablo Carranza
@@ -204,6 +204,7 @@ files:
204
204
  - lib/gitlab_exporter/prometheus.rb
205
205
  - lib/gitlab_exporter/ruby.rb
206
206
  - lib/gitlab_exporter/sidekiq.rb
207
+ - lib/gitlab_exporter/tls_helper.rb
207
208
  - lib/gitlab_exporter/util.rb
208
209
  - lib/gitlab_exporter/version.rb
209
210
  - lib/gitlab_exporter/web_exporter.rb