fix: Couchbase insecure certificate validation (#9458)

2021-09-29 14:39:46 -07:00 · 2021-09-29 14:39:46 -07:00 · 872b29bf95
parent e615534620
commit 872b29bf95
3 changed files with 49 additions and 4 deletions
--- a/plugins/inputs/couchbase/README.md
+++ b/plugins/inputs/couchbase/README.md
@ -20,6 +20,14 @@ This plugin gets metrics for each Couchbase node, as well as detailed metrics fo

  ## Filter bucket fields to include only here.
  # bucket_stats_included = ["quota_percent_used", "ops_per_sec", "disk_fetches", "item_count", "disk_used", "data_used", "mem_used"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification (defaults to false)
+  ## If set to false, tls_cert and tls_key are required
+  # insecure_skip_verify = false
 ```

 ## Measurements:
--- a/plugins/inputs/couchbase/couchbase.go
+++ b/plugins/inputs/couchbase/couchbase.go
@ -11,6 +11,7 @@ import (

 	"github.com/influxdata/telegraf"
 	"github.com/influxdata/telegraf/filter"
+	"github.com/influxdata/telegraf/plugins/common/tls"
 	"github.com/influxdata/telegraf/plugins/inputs"
 )

@ -20,6 +21,9 @@ type Couchbase struct {
 	BucketStatsIncluded []string `toml:"bucket_stats_included"`

 	bucketInclude filter.Filter
+	client        *http.Client
+
+	tls.ClientConfig
 }

 var sampleConfig = `
@ -36,10 +40,17 @@ var sampleConfig = `

  ## Filter bucket fields to include only here.
  # bucket_stats_included = ["quota_percent_used", "ops_per_sec", "disk_fetches", "item_count", "disk_used", "data_used", "mem_used"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification (defaults to false)
+  ## If set to false, tls_cert and tls_key are required
+  # insecure_skip_verify = false
 `

 var regexpURI = regexp.MustCompile(`(\S+://)?(\S+\:\S+@)`)
-var client = &http.Client{Timeout: 10 * time.Second}

 func (cb *Couchbase) SampleConfig() string {
 	return sampleConfig
@ -369,7 +380,7 @@ func (cb *Couchbase) queryDetailedBucketStats(server, bucket string, bucketStats
 		return err
 	}

-	r, err := client.Do(req)
+	r, err := cb.client.Do(req)
 	if err != nil {
 		return err
 	}
@ -387,6 +398,24 @@ func (cb *Couchbase) Init() error {

 	cb.bucketInclude = f

+	tlsConfig, err := cb.TLSConfig()
+	if err != nil {
+		return err
+	}
+
+	cb.client = &http.Client{
+		Timeout: 10 * time.Second,
+		Transport: &http.Transport{
+			MaxIdleConnsPerHost: couchbaseClient.MaxIdleConnsPerHost,
+			TLSClientConfig:     tlsConfig,
+		},
+	}
+
+	couchbaseClient.SetSkipVerify(cb.ClientConfig.InsecureSkipVerify)
+	couchbaseClient.SetCertFile(cb.ClientConfig.TLSCert)
+	couchbaseClient.SetKeyFile(cb.ClientConfig.TLSKey)
+	couchbaseClient.SetRootFile(cb.ClientConfig.TLSCA)
+
 	return nil
 }

--- a/plugins/inputs/couchbase/couchbase_test.go
+++ b/plugins/inputs/couchbase/couchbase_test.go
@ -2,6 +2,7 @@ package couchbase

 import (
 	"encoding/json"
+	"github.com/influxdata/telegraf/plugins/common/tls"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@ -26,8 +27,12 @@ func TestGatherServer(t *testing.T) {
 		}
 	}))

-	var cb Couchbase
-	cb.BucketStatsIncluded = []string{"quota_percent_used", "ops_per_sec", "disk_fetches", "item_count", "disk_used", "data_used", "mem_used"}
+	cb := Couchbase{
+		BucketStatsIncluded: []string{"quota_percent_used", "ops_per_sec", "disk_fetches", "item_count", "disk_used", "data_used", "mem_used"},
+		ClientConfig: tls.ClientConfig{
+			InsecureSkipVerify: true,
+		},
+	}
 	err := cb.Init()
 	require.NoError(t, err)

@ -105,6 +110,9 @@ func TestGatherDetailedBucketMetrics(t *testing.T) {
 			var err error
 			var cb Couchbase
 			cb.BucketStatsIncluded = []string{"couch_total_disk_size"}
+			cb.ClientConfig = tls.ClientConfig{
+				InsecureSkipVerify: true,
+			}
 			err = cb.Init()
 			require.NoError(t, err)
 			var acc testutil.Accumulator