fix(outputs.opensearch): Expose TLS setting correctly (#14340)

2023-11-27 16:15:06 +01:00 · 2023-11-27 16:15:06 +01:00 · 68f787c0ba
parent a9bb6038d0
commit 68f787c0ba
3 changed files with 39 additions and 23 deletions
--- a/plugins/outputs/opensearch/README.md
+++ b/plugins/outputs/opensearch/README.md
@ -30,7 +30,7 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
  ## Target index name for metrics (OpenSearch will create if it not exists).
  ## This is a Golang template (see https://pkg.go.dev/text/template)
  ## You can also specify
-  ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) 
+  ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "field_name"}}`)
  ## If the tag does not exist, the default tag value will be empty string "".
  ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`).
  ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName
@ -63,9 +63,17 @@ See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
  # auth_bearer_token = ""
  ## Optional TLS Config
-  # tls_ca = "/etc/telegraf/ca.pem"
+  ## Set to true/false to enforce TLS being enabled/disabled. If not set,
-  # tls_cert = "/etc/telegraf/cert.pem"
+  ## enable TLS only if any of the other options are specified.
-  # tls_key = "/etc/telegraf/key.pem"
+  # tls_enable =
  ## Trusted root certificates for server
  # tls_ca = "/path/to/cafile"
  ## Used for TLS client certificate authentication
  # tls_cert = "/path/to/certfile"
  ## Used for TLS client certificate authentication
  # tls_key = "/path/to/keyfile"
  ## Send the specified TLS server name via SNI
  # tls_server_name = "kubernetes.example.com"
  ## Use TLS but skip chain & host verification
  # insecure_skip_verify = false
--- a/plugins/outputs/opensearch/opensearch.go
+++ b/plugins/outputs/opensearch/opensearch.go
@ -5,7 +5,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	_ "embed"
 	"encoding/json"
 	"fmt"
@ -23,7 +22,7 @@ import (
 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/config"
 	"github.com/influxdata/telegraf/internal/choice"
-	httpconfig "github.com/influxdata/telegraf/plugins/common/http"
+	"github.com/influxdata/telegraf/plugins/common/tls"
 	"github.com/influxdata/telegraf/plugins/outputs"
 )
@ -50,14 +49,14 @@ type Opensearch struct {
 	HealthCheckTimeout  config.Duration `toml:"health_check_timeout"`
 	URLs                []string        `toml:"urls"`
 	Log                 telegraf.Logger `toml:"-"`
 	tls.ClientConfig
-	pipelineName  string
+	pipelineName string
-	indexTmpl     *template.Template
+	indexTmpl    *template.Template
-	pipelineTmpl  *template.Template
+	pipelineTmpl *template.Template
-	onSucc        func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem)
+	onSucc       func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem)
-	onFail        func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem, error)
+	onFail       func(context.Context, opensearchutil.BulkIndexerItem, opensearchutil.BulkIndexerResponseItem, error)
-	configOptions httpconfig.HTTPClientConfig
+	osClient     *opensearch.Client
 	osClient      *opensearch.Client
 }
 //go:embed template.json
@ -158,16 +157,17 @@ func (o *Opensearch) newClient() error {
 	}
 	defer password.Destroy()
 	tlsConfig, err := o.ClientConfig.TLSConfig()
 	if err != nil {
 		return fmt.Errorf("creating TLS config failed: %w", err)
 	}
 	clientConfig := opensearch.Config{
 		Addresses: o.URLs,
 		Username:  username.String(),
 		Password:  password.String(),
-	}
+		Transport: &http.Transport{
-
+			TLSClientConfig: tlsConfig,
-	if o.configOptions.InsecureSkipVerify {
+		},
 		clientConfig.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
 	}
 	header := http.Header{}
--- a/plugins/outputs/opensearch/sample.conf
+++ b/plugins/outputs/opensearch/sample.conf
@ -10,7 +10,7 @@
  ## Target index name for metrics (OpenSearch will create if it not exists).
  ## This is a Golang template (see https://pkg.go.dev/text/template)
  ## You can also specify
-  ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "feild_name"}}`) 
+  ## metric name (`{{.Name}}`), tag value (`{{.Tag "tag_name"}}`), field value (`{{.Field "field_name"}}`)
  ## If the tag does not exist, the default tag value will be empty string "".
  ## the timestamp (`{{.Time.Format "xxxxxxxxx"}}`).
  ## For example: "telegraf-{{.Time.Format "2006-01-02"}}-{{.Tag "host"}}" would set it to telegraf-2023-07-27-HostName
@ -43,9 +43,17 @@
  # auth_bearer_token = ""
  ## Optional TLS Config
-  # tls_ca = "/etc/telegraf/ca.pem"
+  ## Set to true/false to enforce TLS being enabled/disabled. If not set,
-  # tls_cert = "/etc/telegraf/cert.pem"
+  ## enable TLS only if any of the other options are specified.
-  # tls_key = "/etc/telegraf/key.pem"
+  # tls_enable =
  ## Trusted root certificates for server
  # tls_ca = "/path/to/cafile"
  ## Used for TLS client certificate authentication
  # tls_cert = "/path/to/certfile"
  ## Used for TLS client certificate authentication
  # tls_key = "/path/to/keyfile"
  ## Send the specified TLS server name via SNI
  # tls_server_name = "kubernetes.example.com"
  ## Use TLS but skip chain & host verification
  # insecure_skip_verify = false