Prometheus: add support for HTTPS

3 new parameters are added to the prometheus configuration to support https on the Prometheus endpoint
exoscale · Dec 17, 2019 · 1a525bc · 1a525bc
1 parent 3b47eed
commit 1a525bc
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 6 deletions.
diff --git a/metrics/config_test.go b/metrics/config_test.go
@@ -59,6 +59,28 @@ func TestUnmarshalConfiguration(t *testing.T) {
  Subsystem: "bar",
  },
  },
+
+ {
+ in: `
+- prometheus:
+ listen: 127.0.0.1:7653
+ interval: 10s
+ namespace: foo
+ subsystem: bar
+ certfile: /tmp/foo
+ keyfile: /tmp/bar
+ cacertfile: /tmp/baz
+`,
+ want: PrometheusConfiguration{
+ Listen: config.Addr("127.0.0.1:7653"),
+ Interval: config.Duration(10 * time.Second),
+ Namespace: "foo",
+ Subsystem: "bar",
+ CertFile: config.FilePath("/tmp/foo"),
+ KeyFile: config.FilePath("/tmp/bar"),
+ CacertFile: config.FilePath("/tmp/baz"),
+ },
+ },
  }
  for _, c := range cases {
  var got Configuration
@@ -80,7 +102,22 @@ func TestUnmarshalIncompleteConfiguration(t *testing.T) {
  `- file: {interval: 10m}`,
  `- file: {path: /var/log/project...}`,
  `- collectd: {}`,
- `- prometheus: {}`,
+ `
+- prometheus:
+ listen: 127.0.0.1:7653
+ interval: 10s
+ namespace: foo
+ subsystem: bar
+ keyfile: /tmp/bar
+`,
+ `
+- prometheus:
+ listen: 127.0.0.1:7653
+ interval: 10s
+ namespace: foo
+ subsystem: bar
+ certfile: /tmp/foo
+`,
  }
  for _, c := range cases {
  var got Configuration

diff --git a/metrics/prometheus.go b/metrics/prometheus.go
@@ -2,6 +2,9 @@ package metrics
 
 import (
  "context"
+ "crypto/tls"
+ "crypto/x509"
+ "io/ioutil"
  "net"
  "net/http"
  "time"
@@ -17,10 +20,13 @@ import (
 // PrometheusConfiguration is the configuration for exporting metrics to
 // files.
 type PrometheusConfiguration struct {
- Listen config.Addr
- Interval config.Duration
- Namespace string
- Subsystem string
+ Listen config.Addr
+ Interval config.Duration
+ Namespace string
+ Subsystem string
+ CertFile config.FilePath
+ KeyFile config.FilePath
+ CacertFile config.FilePath
 }
 
 // UnmarshalYAML parses the configuration from YAML.
@@ -42,6 +48,11 @@ func (c *PrometheusConfiguration) UnmarshalYAML(unmarshal func(interface{}) erro
  if raw.Interval == config.Duration(0) {
  return errors.Errorf("missing interval value for prometheus configuration")
  }
+
+ if (raw.CertFile != "" || raw.KeyFile != "" || raw.CacertFile != "") &&
+ (raw.CertFile == "" || raw.KeyFile == "" || raw.CacertFile == "") {
+ return errors.Errorf("certfile, keyfile and cacertfile should be configured")
+ }
  *c = PrometheusConfiguration(raw)
  return nil
 }
@@ -78,7 +89,23 @@ func (c *PrometheusConfiguration) initExporter(metrics *Metrics) error {
  }
 
  metrics.t.Go(func() error {
- server.Serve(listener)
+ if c.CertFile == "" && c.KeyFile == "" && c.CacertFile == "" {
+ server.Serve(listener)
+ } else {
+ cacert, err := ioutil.ReadFile(string(c.CacertFile))
+ if err != nil {
+ return err
+ }
+ certpool := x509.NewCertPool()
+ certpool.AppendCertsFromPEM(cacert)
+
+ tlsConfig := &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: certpool,
+ }
+ server.TLSConfig = tlsConfig
+ server.ServeTLS(listener, string(c.CertFile), string(c.KeyFile))
+ }
  return nil
  })