Add Google Cloud Platform support (elastic#13598)
This PR introduces the support for Google Cloud Platform to Functionbeat. This branch is located in the `elastic/beats` repository, so anyone on our team has access to it. 

### Manager

#### Authentication

To use the API to deploy, remove and update functions, users need to set the environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This variable should point to a JSON file which contains all the relevant information for Google to authenticate.

(About authentication for GCP libs: https://cloud.google.com/docs/authentication/getting-started)

#### Required roles

* Cloud Functions Developer 
* Cloud Functions Service Agent
* Service Account User
* Storage Admin
* Storage Object Admin

Note: Cloud Functions Developer role is in beta. We should not make GCP support GA, until it becomes stable.

#### Configuration

```yaml
# Configure functions to run on Google Cloud Platform, currently, we assume that the credentials
# are present in the environment to correctly create the function when using the CLI.
#
# Configure which region your project is located in.
functionbeat.provider.gcp.location_id: "europe-west1"
# Configure which Google Cloud project to deploy your functions.
functionbeat.provider.gcp.project_id: "my-project-123456"
# Configure the Google Cloud Storage where we should upload the function artifact.
functionbeat.provider.gcp.storage_name: "functionbeat-deploy"

functionbeat.provider.gcp.functions:
```

#### Export

Function templates can be exported into YAML. With this YAML configuration, users can deploy the function using the [Google Cloud Deployment Manager](https://cloud.google.com/deployment-manager/).

### New functions

#### Google Pub/Sub

A function under the folder `pkg/pubsub` is available to get events from Google Pub/Sub.

##### Configuration

```yaml
  # Define the list of available functions; each function is required to have a unique name.
  # Create a function that accepts events coming from Google Pub/Sub.
  - name: pubsub
    enabled: false
    type: pubsub

    # Description of the method to help identify them when you run multiple functions.
    description: "Google Cloud Function for Pub/Sub"

    # The maximum memory allocated for this function, the configured size must be a factor of 64.
    # Default is 256MiB.
    #memory_size: 256MiB

    # Execution timeout in seconds. If the function does not finish in time,
    # it is considered failed and terminated. Default is 60s.
    #timeout: 60s

    # Email of the service account of the function. Defaults to {projectid}@appspot.gserviceaccount.com
    #service_account_email: {projectid}@appspot.gserviceaccount.com

    # Labels of the function.
    #labels:
    # mylabel: label

    # VPC Connector this function can connect to.
    # Format: projects/*/locations/*/connectors/* or fully-qualified URI
    #vpc_connector: ""

    # Number of maximum instances running at the same time. Default is unlimited.
    #maximum_instances: 0

    trigger:
      event_type: "providers/cloud.pubsub/eventTypes/topic.publish"
      resource: "projects/_/pubsub/myPubSub"
      #service: "pubsub.googleapis.com"

    # Optional fields that you can specify to add additional information to the
    # output. Fields can be scalar values, arrays, dictionaries, or any nested
    # combination of these.
    #fields:
    #  env: staging

    # Define custom processors for this function.
    #processors:
    #  - dissect:
    #      tokenizer: "%{key1} %{key2}"
```

#### Google Cloud Storage

A function under the folder `pkg/storage` is available to get events from Google Cloud Storage.

##### Configuration

```yaml
 # Create a function that accepts events coming from Google Cloud Storage.
 - name: storage
   enabled: false
   type: storage

   # Description of the method to help identify them when you run multiple functions.
   description: "Google Cloud Function for Cloud Storage"

   # The maximum memory allocated for this function, the configured size must be a factor of 64.
   # Default is 256MiB.
   #memory_size: 256MiB

   # Execution timeout in seconds. If the function does not finish in time,
   # it is considered failed and terminated. Default is 60s.
   #timeout: 60s

   # Email of the service account of the function. Defaults to {projectid}@appspot.gserviceaccount.com
   #service_account_email: {projectid}@appspot.gserviceaccount.com

   # Labels of the function.
   #labels:
   # mylabel: label

   # VPC Connector this function can connect to.
   # Format: projects/*/locations/*/connectors/* or fully-qualified URI
   #vpc_connector: ""

   # Number of maximum instances running at the same time. Default is unlimited.
   #maximum_instances: 0

   # Optional fields that you can specify to add additional information to the
   # output. Fields can be scalar values, arrays, dictionaries, or any nested
   # combination of these.
   #fields:
   #  env: staging

   # Define custom processors for this function.
   #processors:
   #  - dissect:
   #      tokenizer: "%{key1} %{key2}"
```

### Vendor
* `cloud.google.com/go/functions/metadata`
* `cloud.google.com/go/storage`

kvch authored Jan 14, 2020
1 parent dd553b3 commit e8e18d0
Showing 88 changed files with 61,581 additions and 230 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -616,6 +616,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Make `bulk_max_size` configurable in outputs. {pull}13493[13493]
- Add `index` option to all functions to directly set a per-function index value. {issue}15064[15064] {pull}15101[15101]
- Add monitoring info about triggered functions. {pull}14876[14876]
- Add Google Cloud Platform support. {pull}13598[13598]

*Winlogbeat*

7 changes: 7 additions & 0 deletions dev-tools/mage/gotool/go.go
Expand Up @@ -52,6 +52,13 @@ func ListPackages(pkgs ...string) ([]string, error) {
return getLines(callGo(nil, "list", pkgs...))
}

// ListDeps calls `go list -dep` for every package spec given.
func ListDeps(pkg string) ([]string, error) {
const tmpl = `{{if not .Standard}}{{.ImportPath}}{{end}}`

return getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg))
}

// ListTestFiles lists all go and cgo test files available in a package.
func ListTestFiles(pkg string) ([]string, error) {
const tmpl = `{{ range .TestGoFiles }}{{ printf "%s\n" . }}{{ end }}` +
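Review bot: The doc comment on `ListDeps` does not match the function: it says `go list -dep` "for every package spec given", but the call passes `-deps` and the signature takes a single `pkg string`. Either correct the comment to name `-deps` and one package, or make the parameter variadic (`pkgs ...string`) like `ListPackages` above. The comment should also say that the template filters out standard-library packages, since callers get only non-standard import paths back.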
25 changes: 14 additions & 11 deletions libbeat/common/transport/tlscommon/tls_test.go
Expand Up @@ -131,8 +131,8 @@ func TestApplyEmptyConfig(t *testing.T) {
}

cfg := tmp.BuildModuleConfig("")
assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
assert.Len(t, cfg.Certificates, 0)
assert.Nil(t, cfg.RootCAs)
assert.Equal(t, false, cfg.InsecureSkipVerify)
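Review bot: Asserting `cfg.MinVersion` against `TLSVersionDefaultMin` in `TestApplyEmptyConfig` (and the same substitution in the later hunks of this file) compares the config with the constant it was built from, so the test no longer pins what the default floor actually is. With `versions_legacy.go` setting `TLSVersionDefaultMin = TLSVersion10`, a lowered default passes these assertions unnoticed. Consider keeping one build-tagged test per versions file that asserts the literal `tls.VersionTLS11` / `tls.VersionTLS13` (or `tls.VersionTLS10` / `tls.VersionTLS12` for the legacy build), so that a change to the defaults has to be made deliberately.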
Expand Down Expand Up @@ -163,8 +163,8 @@ func TestApplyWithConfig(t *testing.T) {
assert.NotNil(t, cfg.RootCAs)
assert.Equal(t, true, cfg.InsecureSkipVerify)
assert.Len(t, cfg.CipherSuites, 2)
assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
assert.Len(t, cfg.CurvePreferences, 1)
assert.Equal(t, tls.RenegotiateOnceAsClient, cfg.Renegotiation)
}
Expand All @@ -188,8 +188,8 @@ func TestServerConfigDefaults(t *testing.T) {
assert.Len(t, cfg.CurvePreferences, 0)
// values set by default
assert.Equal(t, false, cfg.InsecureSkipVerify)
assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
assert.Equal(t, tls.NoClientCert, cfg.ClientAuth)
})
t.Run("when CA is explicitly set", func(t *testing.T) {
Expand All @@ -214,8 +214,8 @@ func TestServerConfigDefaults(t *testing.T) {
assert.Len(t, cfg.CurvePreferences, 0)
// values set by default
assert.Equal(t, false, cfg.InsecureSkipVerify)
assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth)
})
}
Expand All @@ -227,14 +227,17 @@ func TestApplyWithServerConfig(t *testing.T) {
certificate_authorities: [ca_test.pem]
verification_mode: none
client_authentication: optional
supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
cipher_suites:
- "ECDHE-ECDSA-AES-256-CBC-SHA"
- "ECDHE-ECDSA-AES-256-GCM-SHA384"
curve_types: [P-384]
`
var c ServerConfig
config, err := common.NewConfigWithYAML([]byte(yamlStr), "")
for i, ver := range TLSDefaultVersions {
config.SetString("supported_protocols", i, ver.String())
}

if !assert.NoError(t, err) {
return
}
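Review bot: In `TestApplyWithServerConfig` the new loop calls `config.SetString(...)` before `err` from `common.NewConfigWithYAML` is checked, so a YAML parse failure would surface inside the loop (possibly as a nil dereference) instead of through the `assert.NoError` message. Move the loop below the `if !assert.NoError(t, err)` block, and assert on the result of `SetString` as well if it reports errors, rather than discarding it.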
Expand All @@ -254,8 +257,8 @@ func TestApplyWithServerConfig(t *testing.T) {
assert.NotNil(t, cfg.ClientCAs)
assert.Equal(t, true, cfg.InsecureSkipVerify)
assert.Len(t, cfg.CipherSuites, 2)
assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
assert.Len(t, cfg.CurvePreferences, 1)
assert.Equal(t, tls.VerifyClientCertIfGiven, cfg.ClientAuth)
}
55 changes: 0 additions & 55 deletions libbeat/common/transport/tlscommon/types.go
Expand Up @@ -99,25 +99,6 @@ var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
}

// TLSVersion type for TLS version.
type TLSVersion uint16

// Define all the possible TLS version.
const (
TLSVersionSSL30 TLSVersion = tls.VersionSSL30
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12
TLSVersion13 TLSVersion = tls.VersionTLS13
)

// TLSDefaultVersions list of versions of TLS we should support.
var TLSDefaultVersions = []TLSVersion{
TLSVersion11,
TLSVersion12,
TLSVersion13,
}

type tlsClientAuth int

const (
Expand All @@ -132,24 +113,6 @@ var tlsClientAuthTypes = map[string]tlsClientAuth{
"required": tlsClientAuthRequired,
}

var tlsProtocolVersions = map[string]TLSVersion{
"SSLv3": TLSVersionSSL30,
"SSLv3.0": TLSVersionSSL30,
"TLSv1": TLSVersion10,
"TLSv1.0": TLSVersion10,
"TLSv1.1": TLSVersion11,
"TLSv1.2": TLSVersion12,
"TLSv1.3": TLSVersion13,
}

var tlsProtocolVersionsInverse = map[TLSVersion]string{
TLSVersionSSL30: "SSLv3",
TLSVersion10: "TLSv1.0",
TLSVersion11: "TLSv1.1",
TLSVersion12: "TLSv1.2",
TLSVersion13: "TLSv1.3",
}

// TLSVerificationMode represents the type of verification to do on the remote host,
// `none` or `full` and we default to `full`, internally this option is transformed into the
// `insecure` field in the `tls.Config` struct.
Expand All @@ -166,24 +129,6 @@ const (
// VerifyCertificate
)

func (v TLSVersion) String() string {
if s, ok := tlsProtocolVersionsInverse[v]; ok {
return s
}
return "unknown"
}

//Unpack transforms the string into a constant.
func (v *TLSVersion) Unpack(s string) error {
version, found := tlsProtocolVersions[s]
if !found {
return fmt.Errorf("invalid tls version '%v'", s)
}

*v = version
return nil
}

var tlsVerificationModes = map[string]TLSVerificationMode{
"": VerifyFull,
"full": VerifyFull,
41 changes: 41 additions & 0 deletions libbeat/common/transport/tlscommon/versions.go
@@ -0,0 +1,41 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package tlscommon

import "fmt"

// TLSVersion type for TLS version.
type TLSVersion uint16

func (v TLSVersion) String() string {
if s, ok := tlsProtocolVersionsInverse[v]; ok {
return s
}
return "unknown"
}

//Unpack transforms the string into a constant.
func (v *TLSVersion) Unpack(s string) error {
version, found := tlsProtocolVersions[s]
if !found {
return fmt.Errorf("invalid tls version '%v'", s)
}

*v = version
return nil
}
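Review bot: `Unpack` reports `invalid tls version '%v'` for any string missing from `tlsProtocolVersions`, and that map is now build-dependent: `versions_legacy.go` has no `"TLSv1.3"` entry, so a config that is valid on a go1.13 build fails on an older toolchain with a message that reads like a typo. Consider distinguishing "unknown" from "not supported by this build" in the error, or listing the accepted values. Style nit: `//Unpack` needs a space after `//`.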
70 changes: 70 additions & 0 deletions libbeat/common/transport/tlscommon/versions_default.go
@@ -0,0 +1,70 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

// +build go1.13

package tlscommon

import "crypto/tls"

// Define all the possible TLS version.
const (
TLSVersionSSL30 TLSVersion = tls.VersionSSL30
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12
TLSVersion13 TLSVersion = tls.VersionTLS13

// TLSVersionMin is the min TLS version supported.
TLSVersionMin = TLSVersionSSL30

// TLSVersionMax is the max TLS version supported.
TLSVersionMax = TLSVersion13

// TLSVersionDefaultMin is the minimal default TLS version that is
// enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
TLSVersionDefaultMin = TLSVersion11

// TLSVersionDefaultMax is the max default TLS version that
// is enabled by default.
TLSVersionDefaultMax = TLSVersionMax
)

// TLSDefaultVersions list of versions of TLS we should support.
var TLSDefaultVersions = []TLSVersion{
TLSVersion11,
TLSVersion12,
TLSVersion13,
}

var tlsProtocolVersions = map[string]TLSVersion{
"SSLv3": TLSVersionSSL30,
"SSLv3.0": TLSVersionSSL30,
"TLSv1": TLSVersion10,
"TLSv1.0": TLSVersion10,
"TLSv1.1": TLSVersion11,
"TLSv1.2": TLSVersion12,
"TLSv1.3": TLSVersion13,
}

var tlsProtocolVersionsInverse = map[TLSVersion]string{
TLSVersionSSL30: "SSLv3",
TLSVersion10: "TLSv1.0",
TLSVersion11: "TLSv1.1",
TLSVersion12: "TLSv1.2",
TLSVersion13: "TLSv1.3",
}
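Review bot: `TLSDefaultVersions` is a hand-written list that has to stay in step with `TLSVersionDefaultMin` and `TLSVersionDefaultMax` declared just above it, and nothing here enforces that. Either build the slice from the two constants or add a test asserting that its first and last elements equal them, so the three definitions cannot drift apart. Separately, `TLSVersionMin = TLSVersionSSL30` keeps SSLv3 selectable through `tlsProtocolVersions`; a comment stating that it is accepted only when configured explicitly, and is below `TLSVersionDefaultMin`, would help readers of this file.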
66 changes: 66 additions & 0 deletions libbeat/common/transport/tlscommon/versions_legacy.go
@@ -0,0 +1,66 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

// +build !go1.13

package tlscommon

import "crypto/tls"

const (
TLSVersionSSL30 TLSVersion = tls.VersionSSL30
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12

// TLSVersionMin is the min TLS version supported.
TLSVersionMin = TLSVersionSSL30

// TLSVersionMax is the max TLS version supported.
TLSVersionMax = TLSVersion12

// TLSVersionDefaultMin is the minimal default TLS version that is
// enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
TLSVersionDefaultMin = TLSVersion10

// TLSVersionDefaultMax is the max default TLS version that
// is enabled by default.
TLSVersionDefaultMax = TLSVersionMax
)

// TLSDefaultVersions list of versions of TLS we should support.
var TLSDefaultVersions = []TLSVersion{
TLSVersion10,
TLSVersion11,
TLSVersion12,
}

var tlsProtocolVersions = map[string]TLSVersion{
"SSLv3": TLSVersionSSL30,
"SSLv3.0": TLSVersionSSL30,
"TLSv1": TLSVersion10,
"TLSv1.0": TLSVersion10,
"TLSv1.1": TLSVersion11,
"TLSv1.2": TLSVersion12,
}

var tlsProtocolVersionsInverse = map[TLSVersion]string{
TLSVersionSSL30: "SSLv3",
TLSVersion10: "TLSv1.0",
TLSVersion11: "TLSv1.1",
TLSVersion12: "TLSv1.2",
}
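Review bot: `TLSVersionDefaultMin = TLSVersion10` and the leading `TLSVersion10` in `TLSDefaultVersions` lower the default floor for pre-1.13 builds: the list removed from `types.go` started at `TLSVersion11`, and `versions_default.go` still does. If the only reason for this file is that `tls.VersionTLS13` is missing before Go 1.13, keep the minimum at `TLSVersion11` and change only the maximum; if enabling TLS 1.0 by default is intended, it needs a changelog entry and a comment explaining why. The `const` block is also missing the `// Define all the possible TLS version.` comment that the go1.13 file carries.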
14 changes: 0 additions & 14 deletions libbeat/outputs/transport/tls.go
Expand Up @@ -35,20 +35,6 @@ type TLSConfig = tlscommon.TLSConfig
// TLSVersion type for TLS version.
type TLSVersion = tlscommon.TLSVersion

// Define all the possible TLS version.
const (
TLSVersionSSL30 = tlscommon.TLSVersionSSL30
TLSVersion10 = tlscommon.TLSVersion10
TLSVersion11 = tlscommon.TLSVersion11
TLSVersion12 = tlscommon.TLSVersion12
)

// Constants of the supported verification mode.
const (
VerifyFull = tlscommon.VerifyFull
VerifyNone = tlscommon.VerifyNone
)

func TLSDialer(forward Dialer, config *TLSConfig, timeout time.Duration) (Dialer, error) {
return TestTLSDialer(testing.NullDriver, forward, config, timeout)
}
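Review bot: Dropping the exported `TLSVersionSSL30` through `TLSVersion12` constants and `VerifyFull` / `VerifyNone` from `libbeat/outputs/transport` is an API break for any code that imports them from this package, while the `TLSVersion` and `TLSConfig` aliases just above are kept. Either keep the constants as aliases to their `tlscommon` counterparts, or record the removal in the developer changelog and point callers at `tlscommon`.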
19 changes: 19 additions & 0 deletions vendor/cloud.google.com/go/functions/metadata/doc.go
