From de355b76d6697f42336b9ac9df09c78697d711dc Mon Sep 17 00:00:00 2001 
From: Daniel Nelson <daniel@wavesofdawn.com> Date: Fri, 4 May 2018 16:33:23 -0700 Subject: [PATCH] Simplify testing with TLS (#4095) --- CHANGELOG.md | 4 + etc/telegraf.conf | 335 +++++++++--------- internal/internal.go | 92 ----- internal/tls/config.go | 130 +++++++ internal/tls/config_test.go | 226 ++++++++++++ plugins/inputs/amqp_consumer/README.md | 10 +- plugins/inputs/amqp_consumer/amqp_consumer.go | 24 +- plugins/inputs/apache/README.md | 10 +- plugins/inputs/apache/apache.go | 23 +- plugins/inputs/consul/README.md | 10 +- plugins/inputs/consul/consul.go | 26 +- plugins/inputs/dcos/README.md | 8 +- plugins/inputs/dcos/client_test.go | 19 +- plugins/inputs/dcos/dcos.go | 18 +- plugins/inputs/docker/README.md | 10 +- plugins/inputs/docker/docker.go | 19 +- plugins/inputs/elasticsearch/README.md | 10 +- plugins/inputs/elasticsearch/elasticsearch.go | 42 +-- plugins/inputs/graylog/README.md | 10 +- plugins/inputs/graylog/graylog.go | 25 +- plugins/inputs/haproxy/README.md | 10 +- plugins/inputs/haproxy/haproxy.go | 30 +- plugins/inputs/http/README.md | 10 +- plugins/inputs/http/http.go | 24 +- plugins/inputs/http_listener/http_listener.go | 45 +-- .../http_listener/http_listener_test.go | 154 +------- plugins/inputs/http_response/README.md | 10 +- plugins/inputs/http_response/http_response.go | 24 +- plugins/inputs/httpjson/README.md | 10 +- plugins/inputs/httpjson/httpjson.go | 24 +- plugins/inputs/influxdb/README.md | 10 +- plugins/inputs/influxdb/influxdb.go | 26 +- plugins/inputs/jolokia2/README.md | 16 +- plugins/inputs/jolokia2/client.go | 19 +- plugins/inputs/jolokia2/jolokia_agent.go | 25 +- plugins/inputs/jolokia2/jolokia_proxy.go | 33 +- plugins/inputs/kafka_consumer/README.md | 10 +- .../inputs/kafka_consumer/kafka_consumer.go | 24 +- plugins/inputs/kapacitor/README.md | 10 +- plugins/inputs/kapacitor/kapacitor.go | 27 +- plugins/inputs/kubernetes/kubernetes.go | 24 +- plugins/inputs/mesos/README.md | 10 +- plugins/inputs/mesos/mesos.go | 25 +- 
plugins/inputs/mongodb/README.md | 10 +- plugins/inputs/mongodb/mongodb.go | 27 +- plugins/inputs/mqtt_consumer/README.md | 10 +- plugins/inputs/mqtt_consumer/mqtt_consumer.go | 24 +- plugins/inputs/mysql/README.md | 8 +- plugins/inputs/mysql/mysql.go | 18 +- plugins/inputs/nginx/README.md | 10 +- plugins/inputs/nginx/nginx.go | 29 +- plugins/inputs/openldap/README.md | 2 +- plugins/inputs/openldap/openldap.go | 10 +- plugins/inputs/prometheus/README.md | 10 +- plugins/inputs/prometheus/prometheus.go | 23 +- plugins/inputs/rabbitmq/README.md | 10 +- plugins/inputs/rabbitmq/rabbitmq.go | 23 +- .../inputs/socket_listener/socket_listener.go | 17 +- .../socket_listener/socket_listener_test.go | 16 +- .../inputs/socket_listener/testdata/ca.pem | 31 -- .../socket_listener/testdata/client.key | 27 -- .../socket_listener/testdata/client.pem | 24 -- .../socket_listener/testdata/server.key | 27 -- .../socket_listener/testdata/server.pem | 25 -- plugins/inputs/tomcat/README.md | 10 +- plugins/inputs/tomcat/tomcat.go | 20 +- plugins/inputs/zookeeper/README.md | 8 +- plugins/inputs/zookeeper/zookeeper.go | 24 +- plugins/outputs/amqp/README.md | 10 +- plugins/outputs/amqp/amqp.go | 23 +- plugins/outputs/elasticsearch/README.md | 12 +- .../outputs/elasticsearch/elasticsearch.go | 21 +- plugins/outputs/graphite/README.md | 42 +-- plugins/outputs/graphite/graphite.go | 33 +- plugins/outputs/influxdb/README.md | 10 +- plugins/outputs/influxdb/influxdb.go | 24 +- plugins/outputs/influxdb/influxdb_test.go | 7 +- plugins/outputs/kafka/README.md | 10 +- plugins/outputs/kafka/kafka.go | 33 +- plugins/outputs/mqtt/README.md | 18 +- plugins/outputs/mqtt/mqtt.go | 24 +- plugins/outputs/nats/nats.go | 25 +- plugins/outputs/socket_writer/README.md | 10 +- .../outputs/socket_writer/socket_writer.go | 22 +- testutil/pki/cacert.pem | 12 + testutil/pki/cakey.pem | 16 + testutil/pki/clientcert.pem | 13 + testutil/pki/clientkey.pem | 15 + testutil/pki/servercert.pem | 13 + 
testutil/pki/serverkey.pem | 15 + {scripts => testutil/pki}/tls-certs.sh | 18 +- testutil/tls.go | 86 +++++ 92 files changed, 1246 insertions(+), 1360 deletions(-) create mode 100644 internal/tls/config.go create mode 100644 internal/tls/config_test.go delete mode 100644 plugins/inputs/socket_listener/testdata/ca.pem delete mode 100644 plugins/inputs/socket_listener/testdata/client.key delete mode 100644 plugins/inputs/socket_listener/testdata/client.pem delete mode 100644 plugins/inputs/socket_listener/testdata/server.key delete mode 100644 plugins/inputs/socket_listener/testdata/server.pem create mode 100644 testutil/pki/cacert.pem create mode 100644 testutil/pki/cakey.pem create mode 100644 testutil/pki/clientcert.pem create mode 100644 testutil/pki/clientkey.pem create mode 100644 testutil/pki/servercert.pem create mode 100644 testutil/pki/serverkey.pem rename {scripts => testutil/pki}/tls-certs.sh (81%) create mode 100644 testutil/tls.go diff --git a/CHANGELOG.md b/CHANGELOG.md index 9216cb76..d109ad09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ an [example configuration](./plugins/inputs/jolokia2/examples) to help you get started. +- For plugins supporting TLS, you can now specify the certificate and keys + using `tls_ca`, `tls_cert`, `tls_key`. These options behave the same as + the, now deprecated, `ssl` forms. + ### New Inputs - [fibaro](./plugins/inputs/fibaro/README.md) - Contributed by @dynek diff --git a/etc/telegraf.conf b/etc/telegraf.conf index 2ef4fe2e..97a14727 100644 --- a/etc/telegraf.conf +++ b/etc/telegraf.conf 
@@ -121,11 +121,11 @@ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -184,11 +184,11 @@ # ## to 5s. 0s means no timeout (not recommended). # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -284,11 +284,11 @@ # # default_tag_value = "none" # index_name = "telegraf-%Y.%m.%d" # required. # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Template Config 
@@ -327,11 +327,11 @@ # ## timeout in seconds for the write connection to graphite # timeout = 2 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -420,11 +420,11 @@ # ## The total number of times to retry sending a message # max_retry = 3 # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -536,11 +536,11 @@ # ## client ID, if not set a random ID is generated # # client_id = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. 
@@ -560,11 +560,11 @@ # ## NATS subject for producer messages # subject = "telegraf" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to output. @@ -695,11 +695,11 @@ # # address = "unix:///tmp/telegraf.sock" # # address = "unixgram:///tmp/telegraf.sock" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Period between keep alive probes. @@ -928,11 +928,11 @@ # ## Maximum time to receive response. # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1112,11 +1112,11 @@ # ## Data centre to query the health checks from # # datacentre = "" # -# ## SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## If false, skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = true @@ -1173,10 +1173,10 @@ # ## Maximum time to receive a response from cluster. # # response_timeout = "20s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true # @@ -1261,11 +1261,11 @@ # docker_label_include = [] # docker_label_exclude = [] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
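Review bot: In the hunk at @@ -1112 the new heading `## Use TLS but skip chain & host verification` now sits directly above `# # insecure_skip_verify = true`, so the example a user is most likely to uncomment is the one that disables certificate verification; the hunk at @@ -1173 keeps the same `true`. Every other plugin sample touched in this file shows `# # insecure_skip_verify = false`, so unless these two plugins have a documented reason to differ, aligning them to `# # insecure_skip_verify = false` would keep the sample safe by default. If this file is generated from each plugin's SampleConfig, the same change belongs in the plugin source rather than only here.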
@@ -1317,11 +1317,11 @@ # ## "breaker". Per default, all stats are gathered. # # node_stats = ["jvm", "http"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1428,11 +1428,11 @@ # username = "" # password = "" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1456,11 +1456,11 @@ # ## field names. # # keep_field_names = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1497,11 +1497,11 @@ # ## Tag all metrics with the url # # tag_url = true # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Amount of time allowed to complete the HTTP request @@ -1541,11 +1541,11 @@ # # response_string_match = "ok" # # response_string_match = "\".*_status\".?:.?\"up\"" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP Request Headers (all values must be strings) @@ -1581,11 +1581,11 @@ # # "my_tag_2" # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -1613,11 +1613,11 @@ # "http://localhost:8086/debug/vars" # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## http request & header timeout @@ -1771,10 +1771,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add metrics to read @@ -1796,10 +1796,10 @@ # # password = "" # # response_timeout = "5s" # -# ## Optional SSL config -# # ssl_ca = "/var/private/ca.pem" -# # ssl_cert = "/var/private/client.pem" -# # ssl_key = "/var/private/client-key.pem" +# ## Optional TLS config +# # tls_ca = "/var/private/ca.pem" +# # tls_cert = "/var/private/client.pem" +# # tls_key = "/var/private/client-key.pem" # # insecure_skip_verify = false # # ## Add proxy targets to query @@ -1828,11 +1828,11 @@ # ## Time limit for http requests # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -1852,11 +1852,11 @@ # ## Set response_timeout (default 5 seconds) # # response_timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1948,11 +1948,11 @@ # # "messages", # # ] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -1978,11 +1978,11 @@ # ## When true, collect per database stats # # gather_perdb_stats = false # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2061,10 +2061,12 @@ # ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) # interval_slow = "30m" # -# ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.pem" -# ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification +# # insecure_skip_verify = false # # Provides metrics about the state of a NATS server @@ -2124,10 +2126,11 @@ # # An array of Nginx stub_status URI to gather stats. # urls = ["http://localhost/server_status"] # -# # TLS/SSL configuration -# ssl_ca = "/etc/telegraf/ca.pem" -# ssl_cert = "/etc/telegraf/cert.cer" -# ssl_key = "/etc/telegraf/key.key" +# ## Optional TLS Config +# tls_ca = "/etc/telegraf/ca.pem" +# tls_cert = "/etc/telegraf/cert.cer" +# tls_key = "/etc/telegraf/key.key" +# ## Use TLS but skip chain & host verification # insecure_skip_verify = false # # # HTTP response timeout (default: 5s) @@ -2190,7 +2193,7 @@ # insecure_skip_verify = false # # # Path to PEM-encoded Root certificate to use to verify server certificate -# ssl_ca = "/etc/ssl/certs.pem" +# tls_ca = "/etc/ssl/certs.pem" # # # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. # bind_dn = "" @@ -2341,11 +2344,11 @@ # ## Specify timeout duration for slower prometheus clients (default is 3s) # # response_timeout = "3s" # -# ## Optional SSL Config -# # ssl_ca = /path/to/cafile -# # ssl_cert = /path/to/certfile -# # ssl_key = /path/to/keyfile -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = /path/to/cafile +# # tls_cert = /path/to/certfile +# # tls_key = /path/to/keyfile +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false 
@@ -2365,11 +2368,11 @@ # # username = "guest" # # password = "guest" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional request timeouts @@ -2798,11 +2801,11 @@ # ## Request timeout # # timeout = "5s" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false @@ -2886,11 +2889,11 @@ # ## Timeout for metric collections from all servers. Minimum timeout is "1s". # # timeout = "5s" # -# ## Optional SSL Config -# # enable_ssl = true -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" +# ## Optional TLS Config +# # enable_tls = true +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" # ## If false, skip chain & host verification # # insecure_skip_verify = true 
@@ -2919,11 +2922,11 @@ # ## described here: https://www.rabbitmq.com/plugins.html # # auth_method = "PLAIN" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. @@ -2994,11 +2997,11 @@ # ## topic(s) to consume # topics = ["telegraf"] # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Optional SASL Config @@ -3124,11 +3127,11 @@ # # username = "telegraf" # # password = "metricsmetricsmetricsmetrics" # -# ## Optional SSL Config -# # ssl_ca = "/etc/telegraf/ca.pem" -# # ssl_cert = "/etc/telegraf/cert.pem" -# # ssl_key = "/etc/telegraf/key.pem" -# ## Use SSL but skip chain & host verification +# ## Optional TLS Config +# # tls_ca = "/etc/telegraf/ca.pem" +# # tls_cert = "/etc/telegraf/cert.pem" +# # tls_key = "/etc/telegraf/key.pem" +# ## Use TLS but skip chain & host verification # # insecure_skip_verify = false # # ## Data format to consume. diff --git a/internal/internal.go b/internal/internal.go index 3227832c..d86b32d2 100644 --- a/internal/internal.go +++ b/internal/internal.go @@ -4,11 +4,7 @@ import ( "bufio" "bytes" "crypto/rand" - "crypto/tls" - "crypto/x509" "errors" - "fmt" - "io/ioutil" "log" "math/big" "os" 
@@ -112,94 +108,6 @@ func RandomString(n int) string { return string(bytes) } -// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files -// for use with a client. -// The full path to each file must be provided. -// Returns a nil pointer if all files are blank and InsecureSkipVerify=false. -func GetTLSConfig( - SSLCert, SSLKey, SSLCA string, - InsecureSkipVerify bool, -) (*tls.Config, error) { - if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify { - return nil, nil - } - - t := &tls.Config{ - InsecureSkipVerify: InsecureSkipVerify, - } - - if SSLCA != "" { - caCert, err := ioutil.ReadFile(SSLCA) - if err != nil { - return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", - err)) - } - - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(caCert) - t.RootCAs = caCertPool - } - - if SSLCert != "" && SSLKey != "" { - cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey) - if err != nil { - return nil, errors.New(fmt.Sprintf( - "Could not load TLS client key/certificate from %s:%s: %s", - SSLKey, SSLCert, err)) - } - - t.Certificates = []tls.Certificate{cert} - t.BuildNameToCertificate() - } - - // will be nil by default if nothing is provided - return t, nil -} - -// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files -// for use with a server. -// The full path to each file must be provided. -// Returns a nil pointer if all files are blank. 
-func GetServerTLSConfig( - TLSCert, TLSKey string, - TLSAllowedCACerts []string, -) (*tls.Config, error) { - if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 { - return nil, nil - } - - t := &tls.Config{} - - if len(TLSAllowedCACerts) != 0 { - caCertPool := x509.NewCertPool() - for _, cert := range TLSAllowedCACerts { - c, err := ioutil.ReadFile(cert) - if err != nil { - return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", - err)) - } - caCertPool.AppendCertsFromPEM(c) - } - t.ClientCAs = caCertPool - t.ClientAuth = tls.RequireAndVerifyClientCert - } - - if TLSCert != "" && TLSKey != "" { - cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey) - if err != nil { - return nil, errors.New(fmt.Sprintf( - "Could not load TLS client key/certificate from %s:%s: %s", - TLSKey, TLSCert, err)) - } - - t.Certificates = []tls.Certificate{cert} - } - - t.BuildNameToCertificate() - - return t, nil -} - // SnakeCase converts the given string to snake case following the Golang format: // acronyms are converted to lower-case and preceded by an underscore. func SnakeCase(in string) string { diff --git a/internal/tls/config.go b/internal/tls/config.go new file mode 100644 index 00000000..25c0678d --- /dev/null +++ b/internal/tls/config.go 
@@ -0,0 +1,130 @@
+package tls
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+)
+
+// ClientConfig represents the standard client TLS config.
+type ClientConfig struct {
+ TLSCA string `toml:"tls_ca"`
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ InsecureSkipVerify bool `toml:"insecure_skip_verify"`
+
+ // Deprecated in 1.7; use TLS variables above
+ SSLCA string `toml:"ssl_ca"`
+ SSLCert string `toml:"ssl_cert"`
+ SSLKey string `toml:"ssl_ca"`
+}
+
+// ServerConfig represents the standard server TLS config.
+type ServerConfig struct {
+ TLSCert string `toml:"tls_cert"`
+ TLSKey string `toml:"tls_key"`
+ TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ClientConfig) TLSConfig() (*tls.Config, error) {
+ // Support deprecated variable names
+ if c.TLSCA == "" && c.SSLCA != "" {
+ c.TLSCA = c.SSLCA
+ }
+ if c.TLSCert == "" && c.SSLCert != "" {
+ c.TLSCert = c.SSLCert
+ }
+ if c.TLSKey == "" && c.SSLKey != "" {
+ c.TLSKey = c.SSLKey
+ }
+
+ // TODO: return default tls.Config; plugins should not call if they don't
+ // want TLS, this will require using another option to determine. In the
+ // case of an HTTP plugin, you could use `https`. Other plugins may need
+ // the dedicated option `TLSEnable`.
+ if c.TLSCA == "" && c.TLSKey == "" && c.TLSCert == "" && !c.InsecureSkipVerify {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: c.InsecureSkipVerify,
+ Renegotiation: tls.RenegotiateNever,
+ }
+
+ if c.TLSCA != "" {
+ pool, err := makeCertPool([]string{c.TLSCA})
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = pool
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+// TLSConfig returns a tls.Config, may be nil without error if TLS is not
+// configured.
+func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
+ if c.TLSCert == "" && c.TLSKey == "" && len(c.TLSAllowedCACerts) == 0 {
+ return nil, nil
+ }
+
+ tlsConfig := &tls.Config{}
+
+ if len(c.TLSAllowedCACerts) != 0 {
+ pool, err := makeCertPool(c.TLSAllowedCACerts)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.ClientCAs = pool
+ tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ }
+
+ if c.TLSCert != "" && c.TLSKey != "" {
+ err := loadCertificate(tlsConfig, c.TLSCert, c.TLSKey)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return tlsConfig, nil
+}
+
+func makeCertPool(certFiles []string) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, certFile := range certFiles {
+ pem, err := ioutil.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf(
+ "could not read certificate %q: %v", certFile, err)
+ }
+ ok := pool.AppendCertsFromPEM(pem)
+ if !ok {
+ return nil, fmt.Errorf(
+ "could not parse any PEM certificates %q: %v", certFile, err)
+ }
+ }
+ return pool, nil
+}
+
+func loadCertificate(config *tls.Config, certFile, keyFile string) error {
+ cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+ if err != nil {
+ return fmt.Errorf(
+ "could not load keypair %s:%s: %v", certFile, keyFile, err)
+ }
+
+ config.Certificates = []tls.Certificate{cert}
+ config.BuildNameToCertificate()
+ return nil
+}
diff --git a/internal/tls/config_test.go b/internal/tls/config_test.go
new file mode 100644
index 00000000..31a70d9a
--- /dev/null
+++ b/internal/tls/config_test.go
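Review bot: The deprecated `SSLKey` field of `ClientConfig` is tagged `toml:"ssl_ca"` instead of `toml:"ssl_key"`, so a configuration that still uses `ssl_key` never populates the key, two struct fields now claim the same `ssl_ca` table key, and the fallback at the top of `ClientConfig.TLSConfig` leaves `TLSKey` empty so the client keypair is silently skipped rather than rejected. The fix is the one-line tag change `SSLKey string `toml:"ssl_key"``. The "support deprecated ssl field names" case in `TestClientConfig` assigns the struct fields directly and therefore never exercises the TOML tags; a decode-from-TOML case would catch this. Separately, the `!ok` branch in `makeCertPool` formats `err` although it is nil at that point, so the message ends in `<nil>`; `"could not parse any PEM certificates %q", certFile` is sufficient there.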
@@ -0,0 +1,226 @@ +package tls_test + +import ( + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/influxdata/telegraf/internal/tls" + "github.com/influxdata/telegraf/testutil" + "github.com/stretchr/testify/require" +) + +var pki = testutil.NewPKI("../../testutil/pki") + +func TestClientConfig(t *testing.T) { + tests := []struct { + name string + client tls.ClientConfig + expNil bool + expErr bool + }{ + { + name: "unset", + client: tls.ClientConfig{}, + expNil: true, + }, + { + name: "success", + client: tls.ClientConfig{ + TLSCA: pki.CACertPath(), + TLSCert: pki.ClientCertPath(), + TLSKey: pki.ClientKeyPath(), + }, + }, + { + name: "invalid ca", + client: tls.ClientConfig{ + TLSCA: pki.ClientKeyPath(), + TLSCert: pki.ClientCertPath(), + TLSKey: pki.ClientKeyPath(), + }, + expNil: true, + expErr: true, + }, + { + name: "missing ca is okay", + client: tls.ClientConfig{ + TLSCert: pki.ClientCertPath(), + TLSKey: pki.ClientKeyPath(), + }, + }, + { + name: "invalid cert", + client: tls.ClientConfig{ + TLSCA: pki.CACertPath(), + TLSCert: pki.ClientKeyPath(), + TLSKey: pki.ClientKeyPath(), + }, + expNil: true, + expErr: true, + }, + { + name: "missing cert skips client keypair", + client: tls.ClientConfig{ + TLSCA: pki.CACertPath(), + TLSKey: pki.ClientKeyPath(), + }, + expNil: false, + expErr: false, + }, + { + name: "missing key skips client keypair", + client: tls.ClientConfig{ + TLSCA: pki.CACertPath(), + TLSCert: pki.ClientCertPath(), + }, + expNil: false, + expErr: false, + }, + { + name: "support deprecated ssl field names", + client: tls.ClientConfig{ + SSLCA: pki.CACertPath(), + SSLCert: pki.ClientCertPath(), + SSLKey: pki.ClientKeyPath(), + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tlsConfig, err := tt.client.TLSConfig() + if !tt.expNil { + require.NotNil(t, tlsConfig) + } else { + require.Nil(t, tlsConfig) + } + + if !tt.expErr { + require.NoError(t, err) + } else { + require.Error(t, err) + } + }) 
+ } +} + +func TestServerConfig(t *testing.T) { + tests := []struct { + name string + server tls.ServerConfig + expNil bool + expErr bool + }{ + { + name: "unset", + server: tls.ServerConfig{}, + expNil: true, + }, + { + name: "success", + server: tls.ServerConfig{ + TLSCert: pki.ServerCertPath(), + TLSKey: pki.ServerKeyPath(), + TLSAllowedCACerts: []string{pki.CACertPath()}, + }, + }, + { + name: "invalid ca", + server: tls.ServerConfig{ + TLSCert: pki.ServerCertPath(), + TLSKey: pki.ServerKeyPath(), + TLSAllowedCACerts: []string{pki.ServerKeyPath()}, + }, + expNil: true, + expErr: true, + }, + { + name: "missing allowed ca is okay", + server: tls.ServerConfig{ + TLSCert: pki.ServerCertPath(), + TLSKey: pki.ServerKeyPath(), + }, + expNil: true, + expErr: true, + }, + { + name: "invalid cert", + server: tls.ServerConfig{ + TLSCert: pki.ServerKeyPath(), + TLSKey: pki.ServerKeyPath(), + TLSAllowedCACerts: []string{pki.CACertPath()}, + }, + expNil: true, + expErr: true, + }, + { + name: "missing cert", + server: tls.ServerConfig{ + TLSKey: pki.ServerKeyPath(), + TLSAllowedCACerts: []string{pki.CACertPath()}, + }, + expNil: true, + expErr: true, + }, + { + name: "missing key", + server: tls.ServerConfig{ + TLSCert: pki.ServerCertPath(), + TLSAllowedCACerts: []string{pki.CACertPath()}, + }, + expNil: true, + expErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tlsConfig, err := tt.server.TLSConfig() + if !tt.expNil { + require.NotNil(t, tlsConfig) + } + if !tt.expErr { + require.NoError(t, err) + } + }) + } +} + +func TestConnect(t *testing.T) { + clientConfig := tls.ClientConfig{ + TLSCA: pki.CACertPath(), + TLSCert: pki.ClientCertPath(), + TLSKey: pki.ClientKeyPath(), + } + + serverConfig := tls.ServerConfig{ + TLSCert: pki.ServerCertPath(), + TLSKey: pki.ServerKeyPath(), + TLSAllowedCACerts: []string{pki.CACertPath()}, + } + + serverTLSConfig, err := serverConfig.TLSConfig() + require.NoError(t, err) + + ts := 
httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + })) + ts.TLS = serverTLSConfig + + ts.StartTLS() + defer ts.Close() + + clientTLSConfig, err := clientConfig.TLSConfig() + require.NoError(t, err) + + client := http.Client{ + Transport: &http.Transport{ + TLSClientConfig: clientTLSConfig, + }, + Timeout: 10 * time.Second, + } + + resp, err := client.Get(ts.URL) + require.NoError(t, err) + require.Equal(t, 200, resp.StatusCode) +} diff --git a/plugins/inputs/amqp_consumer/README.md b/plugins/inputs/amqp_consumer/README.md index 11084bed..a14e2c8b 100644 --- a/plugins/inputs/amqp_consumer/README.md +++ b/plugins/inputs/amqp_consumer/README.md @@ -32,11 +32,11 @@ The following defaults are known to work with RabbitMQ: ## Using EXTERNAL requires enabling the rabbitmq_auth_mechanism_ssl plugin as ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/amqp_consumer/amqp_consumer.go b/plugins/inputs/amqp_consumer/amqp_consumer.go index c96272fa..48458a0b 100644 --- a/plugins/inputs/amqp_consumer/amqp_consumer.go +++ b/plugins/inputs/amqp_consumer/amqp_consumer.go @@ -10,7 +10,7 @@ import ( "github.com/streadway/amqp" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) 
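Review bot: `TestServerConfig`'s loop only asserts the positive expectations (`require.NotNil` when `expNil` is false, `require.NoError` when `expErr` is false), so the cases marked `expErr: true` — `invalid ca`, `invalid cert`, `missing cert`, `missing key` and `missing allowed ca is okay` — pass whether or not an error is returned, unlike `TestClientConfig` which has the matching `else` branches. Add `else { require.Nil(t, tlsConfig) }` and `else { require.Error(t, err) }` to mirror the client test. Once it does, `missing allowed ca is okay` will fail as written: a cert and key without `TLSAllowedCACerts` currently produce a valid config and no error, so the case's name and its `expNil: true, expErr: true` flags contradict each other, and one side needs to be decided. In `TestConnect`, `resp.Body` is never closed; add `defer resp.Body.Close()` after the `require.NoError`.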
@@ -31,14 +31,7 @@ type AMQPConsumer struct { // AMQP Auth method AuthMethod string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig parser parsers.Parser conn *amqp.Connection @@ -78,11 +71,11 @@ func (a *AMQPConsumer) SampleConfig() string { ## described here: https://www.rabbitmq.com/plugins.html # auth_method = "PLAIN" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. @@ -108,8 +101,7 @@ func (a *AMQPConsumer) Gather(_ telegraf.Accumulator) error { func (a *AMQPConsumer) createConfig() (*amqp.Config, error) { // make new tls config - tls, err := internal.GetTLSConfig( - a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tls, err := a.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/apache/README.md b/plugins/inputs/apache/README.md index 0edac316..b8822ede 100644 --- a/plugins/inputs/apache/README.md +++ b/plugins/inputs/apache/README.md 
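Review bot: In `createConfig`, the local `tls, err := a.ClientConfig.TLSConfig()` now shadows the `tls` package imported from `internal/tls` for the rest of the function, which compiles but makes any later reference to the package inside this function silently resolve to the variable; rename it, e.g. `tlsCfg, err := a.ClientConfig.TLSConfig()`, matching the `tlsCfg` name used in the apache, consul and elasticsearch hunks of this change. The rest of `createConfig` lies outside the hunk.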
@@ -21,11 +21,11 @@ Typically, the `mod_status` module is configured to expose a page at the `/serve ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/apache/apache.go b/plugins/inputs/apache/apache.go index a3df105b..a04d1bbb 100644 --- a/plugins/inputs/apache/apache.go +++ b/plugins/inputs/apache/apache.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,14 +22,7 @@ type Apache struct { Username string Password string ResponseTimeout internal.Duration - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } @@ -46,11 +40,11 @@ var sampleConfig = ` ## Maximum time to receive response. # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -98,8 +92,7 @@ func (n *Apache) Gather(acc telegraf.Accumulator) error { } func (n *Apache) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsCfg, err := n.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/consul/README.md b/plugins/inputs/consul/README.md index 7e68a493..42e1a133 100644 --- a/plugins/inputs/consul/README.md +++ b/plugins/inputs/consul/README.md @@ -27,11 +27,11 @@ report those stats already using StatsD protocol if needed. ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ``` diff --git a/plugins/inputs/consul/consul.go b/plugins/inputs/consul/consul.go index bfd9b434..fe9bde1d 100644 --- a/plugins/inputs/consul/consul.go +++ b/plugins/inputs/consul/consul.go @@ -5,7 +5,7 @@ import ( "github.com/hashicorp/consul/api" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -16,15 +16,7 @@ type Consul struct { Username string Password string Datacentre string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig // client used to connect to Consul agnet client *api.Client 
@@ -47,11 +39,11 @@ var sampleConfig = ` ## Data centre to query the health checks from # datacentre = "" - ## SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## If false, skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = true ` @@ -89,9 +81,7 @@ func (c *Consul) createAPIClient() (*api.Client, error) { } } - tlsCfg, err := internal.GetTLSConfig( - c.SSLCert, c.SSLKey, c.SSLCA, c.InsecureSkipVerify) - + tlsCfg, err := c.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/dcos/README.md b/plugins/inputs/dcos/README.md index 967c376a..790590ae 100644 --- a/plugins/inputs/dcos/README.md +++ b/plugins/inputs/dcos/README.md @@ -54,10 +54,10 @@ your database. ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true diff --git a/plugins/inputs/dcos/client_test.go b/plugins/inputs/dcos/client_test.go index 3b8d93e3..1b563c63 100644 --- a/plugins/inputs/dcos/client_test.go +++ b/plugins/inputs/dcos/client_test.go 
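Review bot: The consul sample config keeps `# insecure_skip_verify = true` while the comment above it is rewritten to `## Use TLS but skip chain & host verification`; since the sample is what users copy, showing `true` as the example value invites disabling certificate and hostname verification for Consul, and every other plugin in this change shows `false`. Change the example to `# insecure_skip_verify = false` in both `consul.go` and the consul README hunk. The dcos sample in `dcos.go` has the same `true` example and additionally keeps the inverted comment `## If false, skip chain & host verification`, which describes the opposite of the flag's meaning; it should read `## Use TLS but skip chain & host verification`.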
@@ -9,26 +9,11 @@ import ( "testing" jwt "github.com/dgrijalva/jwt-go" + "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/require" ) -const ( - privateKey = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj -hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` -) +var privateKey = testutil.NewPKI("../../../testutil/pki").ReadServerKey() func TestLogin(t *testing.T) { ts := httptest.NewServer(http.NotFoundHandler()) diff --git a/plugins/inputs/dcos/dcos.go b/plugins/inputs/dcos/dcos.go index 91370b81..e37bf996 100644 --- a/plugins/inputs/dcos/dcos.go +++ b/plugins/inputs/dcos/dcos.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -56,11 +57,7 @@ type DCOS struct { MaxConnections int ResponseTimeout internal.Duration - - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool `toml:"insecure_skip_verify"` + tls.ClientConfig client Client creds Credentials 
@@ -107,10 +104,10 @@ var sampleConfig = ` ## Maximum time to receive a response from cluster. # response_timeout = "20s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true @@ -351,8 +348,7 @@ func (d *DCOS) init() error { } func (d *DCOS) createClient() (Client, error) { - tlsCfg, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsCfg, err := d.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/docker/README.md b/plugins/inputs/docker/README.md index b93b4a03..87b5e65d 100644 --- a/plugins/inputs/docker/README.md +++ b/plugins/inputs/docker/README.md @@ -53,11 +53,11 @@ to gather stats from the [Engine API](https://docs.docker.com/engine/api/v1.24/) ## Which environment variables should we use as a tag tag_env = ["JAVA_HOME", "HEAP_SIZE"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/docker/docker.go b/plugins/inputs/docker/docker.go index b0b9b8cf..a59b9f7f 100644 --- a/plugins/inputs/docker/docker.go +++ b/plugins/inputs/docker/docker.go @@ -20,6 +20,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) 
@@ -43,10 +44,7 @@ type Docker struct { ContainerStateInclude []string `toml:"container_state_include"` ContainerStateExclude []string `toml:"container_state_exclude"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tlsint.ClientConfig newEnvClient func() (Client, error) newClient func(string, *tls.Config) (Client, error) @@ -115,11 +113,11 @@ var sampleConfig = ` docker_label_include = [] docker_label_exclude = [] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -136,8 +134,7 @@ func (d *Docker) Gather(acc telegraf.Accumulator) error { if d.Endpoint == "ENV" { c, err = d.newEnvClient() } else { - tlsConfig, err := internal.GetTLSConfig( - d.SSLCert, d.SSLKey, d.SSLCA, d.InsecureSkipVerify) + tlsConfig, err := d.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/elasticsearch/README.md b/plugins/inputs/elasticsearch/README.md index 09ae15cc..e88c3f4d 100644 --- a/plugins/inputs/elasticsearch/README.md +++ b/plugins/inputs/elasticsearch/README.md 
@@ -38,11 +38,11 @@ or [cluster-stats](https://www.elastic.co/guide/en/elasticsearch/reference/curre ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/elasticsearch/elasticsearch.go b/plugins/inputs/elasticsearch/elasticsearch.go index 1f548a0e..eee8d418 100644 --- a/plugins/inputs/elasticsearch/elasticsearch.go +++ b/plugins/inputs/elasticsearch/elasticsearch.go @@ -3,16 +3,18 @@ package elasticsearch import ( "encoding/json" "fmt" - "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" - "github.com/influxdata/telegraf/plugins/inputs" - jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" "io/ioutil" "net/http" "regexp" "strings" "sync" "time" + + "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" + "github.com/influxdata/telegraf/plugins/inputs" + jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) // mask for masking username/password from error messages 
@@ -108,28 +110,26 @@ const sampleConfig = ` ## "breaker". Per default, all stats are gathered. # node_stats = ["jvm", "http"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` // Elasticsearch is a plugin to read stats from one or many Elasticsearch // servers. type Elasticsearch struct { - Local bool - Servers []string - HttpTimeout internal.Duration - ClusterHealth bool - ClusterHealthLevel string - ClusterStats bool - NodeStats []string - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification + Local bool + Servers []string + HttpTimeout internal.Duration + ClusterHealth bool + ClusterHealthLevel string + ClusterStats bool + NodeStats []string + tls.ClientConfig + client *http.Client catMasterResponseTokens []string isMaster bool @@ -227,7 +227,7 @@ func (e *Elasticsearch) Gather(acc telegraf.Accumulator) error { } func (e *Elasticsearch) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig(e.SSLCert, e.SSLKey, e.SSLCA, e.InsecureSkipVerify) + tlsCfg, err := e.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/graylog/README.md b/plugins/inputs/graylog/README.md index 6d4aa613..6ab4a70c 100644 --- a/plugins/inputs/graylog/README.md +++ b/plugins/inputs/graylog/README.md 
@@ -44,11 +44,11 @@ Note: if namespace end point specified metrics array will be ignored for that ca username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/graylog/graylog.go b/plugins/inputs/graylog/graylog.go index 6dcc9b97..8e580480 100644 --- a/plugins/inputs/graylog/graylog.go +++ b/plugins/inputs/graylog/graylog.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -35,15 +35,7 @@ type GrayLog struct { Metrics []string Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -111,11 +103,11 @@ var sampleConfig = ` username = "" password = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -132,8 +124,7 @@ func (h *GrayLog) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/haproxy/README.md b/plugins/inputs/haproxy/README.md index 50bd4b3d..35b59524 100644 --- a/plugins/inputs/haproxy/README.md +++ b/plugins/inputs/haproxy/README.md @@ -28,11 +28,11 @@ or [HTTP statistics page](https://cbonte.github.io/haproxy-dconv/1.9/management. ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/haproxy/haproxy.go b/plugins/inputs/haproxy/haproxy.go index 81783cf2..19087a97 100644 --- a/plugins/inputs/haproxy/haproxy.go +++ b/plugins/inputs/haproxy/haproxy.go @@ -14,27 +14,18 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) //CSV format: https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#9.1 type haproxy struct { - Servers []string - - client *http.Client - + Servers []string KeepFieldNames bool + tls.ClientConfig - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + client *http.Client } var sampleConfig = ` 
@@ -56,11 +47,11 @@ var sampleConfig = ` ## field names. # keep_field_names = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -144,8 +135,7 @@ func (g *haproxy) gatherServer(addr string, acc telegraf.Accumulator) error { } if g.client == nil { - tlsCfg, err := internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsCfg, err := g.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http/README.md b/plugins/inputs/http/README.md index 2c044136..25d3d2b2 100644 --- a/plugins/inputs/http/README.md +++ b/plugins/inputs/http/README.md @@ -23,11 +23,11 @@ The HTTP input plugin collects metrics from one or more HTTP(S) endpoints. The # username = "username" # password = "pa$$word" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request diff --git a/plugins/inputs/http/http.go b/plugins/inputs/http/http.go index 16e776cd..c9c3460b 100644 --- a/plugins/inputs/http/http.go +++ b/plugins/inputs/http/http.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) 
@@ -24,15 +25,7 @@ type HTTP struct { // HTTP Basic Auth Credentials Username string Password string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Timeout internal.Duration @@ -62,11 +55,11 @@ var sampleConfig = ` ## Tag all metrics with the url # tag_url = true - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Amount of time allowed to complete the HTTP request @@ -97,8 +90,7 @@ func (h *HTTP) Gather(acc telegraf.Accumulator) error { } if h.client == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/http_listener/http_listener.go b/plugins/inputs/http_listener/http_listener.go index bda4ce46..595c74ed 100644 --- a/plugins/inputs/http_listener/http_listener.go +++ b/plugins/inputs/http_listener/http_listener.go @@ -5,9 +5,7 @@ import ( "compress/gzip" "crypto/subtle" "crypto/tls" - "crypto/x509" "io" - "io/ioutil" "log" "net" "net/http" @@ -16,6 +14,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers/influx" "github.com/influxdata/telegraf/selfstat" 
@@ -43,9 +42,7 @@ type HTTPListener struct { MaxLineSize int Port int - TlsAllowedCacerts []string - TlsCert string - TlsKey string + tlsint.ServerConfig BasicUsername string BasicPassword string @@ -158,7 +155,10 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { h.acc = acc h.pool = NewPool(200, h.MaxLineSize) - tlsConf := h.getTLSConfig() + tlsConf, err := h.ServerConfig.TLSConfig() + if err != nil { + return err + } server := &http.Server{ Addr: h.ServiceAddress, @@ -168,7 +168,6 @@ func (h *HTTPListener) Start(acc telegraf.Accumulator) error { TLSConfig: tlsConf, } - var err error var listener net.Listener if tlsConf != nil { listener, err = tls.Listen("tcp", h.ServiceAddress, tlsConf) @@ -372,38 +371,6 @@ func badRequest(res http.ResponseWriter) { res.Write([]byte(`{"error":"http: bad request"}`)) } -func (h *HTTPListener) getTLSConfig() *tls.Config { - tlsConf := &tls.Config{ - InsecureSkipVerify: false, - Renegotiation: tls.RenegotiateNever, - } - - if len(h.TlsCert) == 0 || len(h.TlsKey) == 0 { - return nil - } - - cert, err := tls.LoadX509KeyPair(h.TlsCert, h.TlsKey) - if err != nil { - return nil - } - tlsConf.Certificates = []tls.Certificate{cert} - - if h.TlsAllowedCacerts != nil { - tlsConf.ClientAuth = tls.RequireAndVerifyClientCert - clientPool := x509.NewCertPool() - for _, ca := range h.TlsAllowedCacerts { - c, err := ioutil.ReadFile(ca) - if err != nil { - continue - } - clientPool.AppendCertsFromPEM(c) - } - tlsConf.ClientCAs = clientPool - } - - return tlsConf -} - func (h *HTTPListener) AuthenticateIfSet(handler http.HandlerFunc, res http.ResponseWriter, req *http.Request) { if h.BasicUsername != "" && h.BasicPassword != "" { reqUsername, reqPassword, ok := req.BasicAuth() diff --git a/plugins/inputs/http_listener/http_listener_test.go b/plugins/inputs/http_listener/http_listener_test.go index 7f6ab406..7c6cdf72 100644 --- a/plugins/inputs/http_listener/http_listener_test.go 
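Review bot: `Start` now fails when the certificate or key cannot be loaded, where the removed `getTLSConfig` returned nil on a `LoadX509KeyPair` error and the listener silently came up in plaintext; that is the right behaviour but it is a user-visible change that deserves a comment at the call site, e.g. `// A bad tls_cert/tls_key now fails Start instead of falling back to plaintext.` Note also that `ServerConfig.TLSConfig` returns a non-nil config when only `tls_allowed_cacerts` is set, so `tls.Listen` is then reached with a config holding no certificate and fails with crypto/tls's generic message rather than one naming the missing options. The rest of `Start` lies outside the hunk.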
+++ b/plugins/inputs/http_listener/http_listener_test.go @@ -4,7 +4,6 @@ import ( "bytes" "crypto/tls" "crypto/x509" - "io" "io/ioutil" "net/http" "net/url" 
@@ -34,86 +33,12 @@ cpu_load_short,host=server06 value=12.0 1422568543702900257 emptyMsg = "" - serviceRootPEM = `-----BEGIN CERTIFICATE----- -MIIBxzCCATCgAwIBAgIJAJb7HqN2BzWWMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV -BAMMC1RlbGVncmFmIENBMB4XDTE3MTEwNDA0MzEwN1oXDTI3MTEwMjA0MzEwN1ow -FjEUMBIGA1UEAwwLVGVsZWdyYWYgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ -AoGBANbkUkK6JQC3rbLcXhLJTS9SX6uXyFwl7bUfpAN5Hm5EqfvG3PnLrogfTGLr -Tq5CRAu/gbbdcMoL9TLv/aaDVnrpV0FslKhqYmkOgT28bdmA7Qtr539aQpMKCfcW -WCnoMcBD5u5h9MsRqpdq+0Mjlsf1H2hSf07jHk5R1T4l8RMXAgMBAAGjHTAbMAwG -A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4GBANSrwvpU -t8ihIhpHqgJZ34DM92CZZ3ZHmH/KyqlnuGzjjpnVZiXVrLDTOzrA0ziVhmefY29w -roHjENbFm54HW97ogxeURuO8HRHIVh2U0rkyVxOfGZiUdINHqsZdSnDY07bzCtSr -Z/KsfWXM5llD1Ig1FyBHpKjyUvfzr73sjm/4 ------END CERTIFICATE-----` - serviceCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzzCCATigAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBQxEjAQBgNV -BAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsJRss1af -XKrcIjQoAp2kdJIpT2Ya+MRQXJ18b0PP7szh2lisY11kd/HCkd4D4efuIkpszHaN -xwyTOZLOoplxp6fizzgOYjXsJ6SzbO1MQNmq8Ch/+uKiGgFwLX+YxOOsGSDIHNhF -vcBi93cQtCWPBFz6QRQf9yfIAA5KKxUfJcMCAwEAAaMvMC0wCQYDVR0TBAIwADAL -BgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD -gYEAiC3WI4y9vfYz53gw7FKnNK7BBdwRc43x7Pd+5J/cclWyUZPdmcj1UNmv/3rj -2qcMmX06UdgPoHppzNAJePvMVk0vjMBUe9MmYlafMz0h4ma/it5iuldXwmejFcdL -6wWQp7gVTileCEmq9sNvfQN1FmT3EWf4IMdO2MNat/1If0g= ------END CERTIFICATE-----` - serviceKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCwlGyzVp9cqtwiNCgCnaR0kilPZhr4xFBcnXxvQ8/uzOHaWKxj -XWR38cKR3gPh5+4iSmzMdo3HDJM5ks6imXGnp+LPOA5iNewnpLNs7UxA2arwKH/6 -4qIaAXAtf5jE46wZIMgc2EW9wGL3dxC0JY8EXPpBFB/3J8gADkorFR8lwwIDAQAB -AoGBAJaFHxfMmjHK77U0UnrQWFSKFy64cftmlL4t/Nl3q7L68PdIKULWZIMeEWZ4 -I0UZiFOwr4em83oejQ1ByGSwekEuiWaKUI85IaHfcbt+ogp9hY/XbOEo56OPQUAd -bEZv1JqJOqta9Ug1/E1P9LjEEyZ5F5ubx7813rxAE31qKtKJAkEA1zaMlCWIr+Rj 
-hGvzv5rlHH3wbOB4kQFXO4nqj3J/ttzR5QiJW24STMDcbNngFlVcDVju56LrNTiD -dPh9qvl7nwJBANILguR4u33OMksEZTYB7nQZSurqXsq6382zH7pTl29ANQTROHaM -PKC8dnDWq8RGTqKuvWblIzzGIKqIMovZo10CQC96T0UXirITFolOL3XjvAuvFO1Q -EAkdXJs77805m0dCK+P1IChVfiAEpBw3bKJArpAbQIlFfdI953JUp5SieU0CQEub -BSSEKMjh/cxu6peEHnb/262vayuCFKkQPu1sxWewLuVrAe36EKCy9dcsDmv5+rgo -Odjdxc9Madm4aKlaT6kCQQCpAgeblDrrxTrNQ+Typzo37PlnQrvI+0EceAUuJ72G -P0a+YZUeHNRqT2pPN9lMTAZGGi3CtcF2XScbLNEBeXge ------END RSA PRIVATE KEY-----` - clientRootPEM = serviceRootPEM - clientCertPEM = `-----BEGIN CERTIFICATE----- -MIIBzjCCATegAwIBAgIBAjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtUZWxl -Z3JhZiBDQTAeFw0xNzExMDQwNDMxMDdaFw0yNzExMDIwNDMxMDdaMBMxETAPBgNV -BAMMCHRlbGVncmFmMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP2IMqyOqI -sJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqMpBUTj3vLlOzsHfVVot1WRqc6 -3esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4UkJBWim8ArSbFqnZjcR19G3tG -LUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQABoy8wLTAJBgNVHRMEAjAAMAsG -A1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOB -gQCHxMk38XNxL9nPFBYo3JqITJCFswu6/NLHwDBXCuZKl53rUuFWduiO+1OuScKQ -sQ79W0jHsWRKGOUFrF5/Gdnh8AlkVaITVlcmhdAOFCEbeGpeEvLuuK6grckPitxy -bRF5oM4TCLKKAha60Ir41rk2bomZM9+NZu+Bm+csDqCoxQ== ------END CERTIFICATE-----` - clientKeyPEM = `-----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDP2IMqyOqIsJjwBprrz8WPzmlrpyYikQ4XSCSJB3DSTIO+igqM -pBUTj3vLlOzsHfVVot1WRqc63esM4JE92rc6S73xi4g8L/r8cPIHW4hvFJdMti4U -kJBWim8ArSbFqnZjcR19G3tGLUOiXAUG3nWzMzoEsPruvV1dkKRbJVE4MwIDAQAB -AoGAFzb/r4+xYoMXEfgq5ZvXXTCY5cVNpR6+jCsqqYODPnn9XRLeCsdo8z5bfWms -7NKLzHzca/6IPzL6Rf3vOxFq1YyIZfYVHH+d63/9blAm3Iajjp1W2yW5aj9BJjTb -nm6F0RfuW/SjrZ9IXxTZhSpCklPmUzVZpzvwV3KGeVTVCEECQQDoavCeOwLuqDpt -0aM9GMFUpOU7kLPDuicSwCDaTae4kN2rS17Zki41YXe8A8+509IEN7mK09Vq9HxY -SX6EmV1FAkEA5O9QcCHEa8P12EmUC8oqD2bjq6o7JjUIRlKinwZTlooMJYZw98gA -FVSngTUvLVCVIvSdjldXPOGgfYiccTZrFwJAfHS3gKOtAEuJbkEyHodhD4h1UB4+ -hPLr9Xh4ny2yQH0ilpV3px5GLEOTMFUCKUoqTiPg8VxaDjn5U/WXED5n2QJAR4J1 
-NsFlcGACj+/TvacFYlA6N2nyFeokzoqLX28Ddxdh2erXqJ4hYIhT1ik9tkLggs2z -1T1084BquCuO6lIcOwJBALX4xChoMUF9k0IxSQzlz//seQYDkQNsE7y9IgAOXkzp -RaR4pzgPbnKj7atG+2dBnffWfE+1Mcy0INDAO6WxPg0= ------END RSA PRIVATE KEY-----` - basicUsername = "test-username-please-ignore" basicPassword = "super-secure-password!" ) var ( - initClient sync.Once - client *http.Client - initServiceCertFiles sync.Once - allowedCAFiles []string - serviceCAFiles []string - serviceCertFile string - serviceKeyFile string + pki = testutil.NewPKI("../../../testutil/pki") ) func newTestHTTPListener() *HTTPListener { 
@@ -132,74 +57,25 @@ func newTestHTTPAuthListener() *HTTPListener { } func newTestHTTPSListener() *HTTPListener { - initServiceCertFiles.Do(func() { - acaf, err := ioutil.TempFile("", "allowedCAFile.crt") - if err != nil { - panic(err) - } - defer acaf.Close() - _, err = io.Copy(acaf, bytes.NewReader([]byte(clientRootPEM))) - allowedCAFiles = []string{acaf.Name()} - - scaf, err := ioutil.TempFile("", "serviceCAFile.crt") - if err != nil { - panic(err) - } - defer scaf.Close() - _, err = io.Copy(scaf, bytes.NewReader([]byte(serviceRootPEM))) - serviceCAFiles = []string{scaf.Name()} - - scf, err := ioutil.TempFile("", "serviceCertFile.crt") - if err != nil { - panic(err) - } - defer scf.Close() - _, err = io.Copy(scf, bytes.NewReader([]byte(serviceCertPEM))) - serviceCertFile = scf.Name() - - skf, err := ioutil.TempFile("", "serviceKeyFile.crt") - if err != nil { - panic(err) - } - defer skf.Close() - _, err = io.Copy(skf, bytes.NewReader([]byte(serviceKeyPEM))) - serviceKeyFile = skf.Name() - }) - listener := &HTTPListener{ - ServiceAddress: "localhost:0", - TlsAllowedCacerts: allowedCAFiles, - TlsCert: serviceCertFile, - TlsKey: serviceKeyFile, - TimeFunc: time.Now, + ServiceAddress: "localhost:0", + ServerConfig: *pki.TLSServerConfig(), + TimeFunc: time.Now, } return listener } func getHTTPSClient() *http.Client { - initClient.Do(func() { - cas := x509.NewCertPool() - cas.AppendCertsFromPEM([]byte(serviceRootPEM)) - clientCert, err := tls.X509KeyPair([]byte(clientCertPEM), []byte(clientKeyPEM)) - if err != nil { - panic(err) - } - client = &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - RootCAs: cas, - Certificates: []tls.Certificate{clientCert}, - MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, - CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - Renegotiation: tls.RenegotiateNever, - InsecureSkipVerify: false, - }, - }, - } - }) - return client + tlsConfig, err := pki.TLSClientConfig().TLSConfig() + 
if err != nil { + panic(err) + } + return &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + } } func createURL(listener *HTTPListener, scheme string, path string, rawquery string) string { @@ -214,14 +90,14 @@ func createURL(listener *HTTPListener, scheme string, path string, rawquery stri func TestWriteHTTPSNoClientAuth(t *testing.T) { listener := newTestHTTPSListener() - listener.TlsAllowedCacerts = nil + listener.TLSAllowedCACerts = nil acc := &testutil.Accumulator{} require.NoError(t, listener.Start(acc)) defer listener.Stop() cas := x509.NewCertPool() - cas.AppendCertsFromPEM([]byte(serviceRootPEM)) + cas.AppendCertsFromPEM([]byte(pki.ReadServerCert())) noClientAuthClient := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ diff --git a/plugins/inputs/http_response/README.md b/plugins/inputs/http_response/README.md index 69b477ed..4ccd236a 100644 --- a/plugins/inputs/http_response/README.md +++ b/plugins/inputs/http_response/README.md @@ -32,11 +32,11 @@ This input plugin checks HTTP/HTTPS connections. # response_string_match = "ok" # response_string_match = "\".*_status\".?:.?\"up\"" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Headers (all values must be strings) diff --git a/plugins/inputs/http_response/http_response.go b/plugins/inputs/http_response/http_response.go index 9dcf9394..1f1f6870 100644 --- a/plugins/inputs/http_response/http_response.go +++ b/plugins/inputs/http_response/http_response.go 
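Review bot: `getHTTPSClient` drops the explicit `MinVersion`/`MaxVersion: tls.VersionTLS12`, the single `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` suite and `Renegotiation: tls.RenegotiateNever` in favour of whatever `pki.TLSClientConfig().TLSConfig()` builds, and that helper is not in this chunk; if it does not set them, the HTTPS tests no longer demonstrate that the listener negotiates TLS 1.2 with that suite. Either set those fields on the returned `tlsConfig` here or confirm that `testutil` pins them. The helper also still panics instead of failing the calling test; taking a `t testing.TB` and using `t.Fatal(err)` gives a readable failure.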
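Review bot: In `TestWriteHTTPSNoClientAuth` the root pool is now filled from `pki.ReadServerCert()` where it was filled from `serviceRootPEM`, the CA; if that helper returns the server's leaf certificate, Go's verifier still accepts it because a certificate present in `RootCAs` is trusted directly, so the test passes but no longer exercises chain building from the CA to the leaf. If the `pki` helper exposes the CA certificate, reading that here keeps the original coverage.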
@@ -16,6 +16,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -29,15 +30,7 @@ type HTTPResponse struct { Headers map[string]string FollowRedirects bool ResponseStringMatch string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig compiledStringMatch *regexp.Regexp client *http.Client @@ -74,11 +67,11 @@ var sampleConfig = ` # response_string_match = "ok" # response_string_match = "\".*_status\".?:.?\"up\"" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Headers (all values must be strings) @@ -113,8 +106,7 @@ func getProxyFunc(http_proxy string) func(*http.Request) (*url.URL, error) { // CreateHttpClient creates an http client which will timeout at the specified // timeout period and can follow redirects if specified func (h *HTTPResponse) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/httpjson/README.md b/plugins/inputs/httpjson/README.md index e3ef83c8..19fe0144 100644 --- a/plugins/inputs/httpjson/README.md +++ b/plugins/inputs/httpjson/README.md 
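Review bot: Dropping the `toml:"ssl_ca"`, `toml:"ssl_cert"` and `toml:"ssl_key"` fields in favour of the embedded `tls.ClientConfig` renames the user-facing keys to `tls_*`; unless `tls.ClientConfig` (defined in `internal/tls/config.go`, not in this chunk) still accepts the `ssl_*` names as deprecated aliases, an existing configuration keeps loading but its CA, client certificate and key are silently ignored, so the plugin verifies against system roots and sends no client certificate. A deprecation path, or at least a load-time warning when an `ssl_*` key is present, would make the migration visible. The same point applies to the struct hunks for httpjson, influxdb, jolokia2, kafka_consumer, kapacitor, kubernetes, mesos, mongodb, mqtt_consumer and mysql below.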
@@ -34,11 +34,11 @@ Deprecated (1.6): use the [http](../http) input. # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Request Parameters (all values must be strings). For "GET" requests, data diff --git a/plugins/inputs/httpjson/httpjson.go b/plugins/inputs/httpjson/httpjson.go index bfa35752..c7324dee 100644 --- a/plugins/inputs/httpjson/httpjson.go +++ b/plugins/inputs/httpjson/httpjson.go @@ -12,6 +12,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -29,15 +30,7 @@ type HttpJson struct { ResponseTimeout internal.Duration Parameters map[string]string Headers map[string]string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client HTTPClient } @@ -100,11 +93,11 @@ var sampleConfig = ` # "my_tag_2" # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP parameters (all values must be strings). For "GET" requests, data 
@@ -133,8 +126,7 @@ func (h *HttpJson) Gather(acc telegraf.Accumulator) error { var wg sync.WaitGroup if h.client.HTTPClient() == nil { - tlsCfg, err := internal.GetTLSConfig( - h.SSLCert, h.SSLKey, h.SSLCA, h.InsecureSkipVerify) + tlsCfg, err := h.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/influxdb/README.md b/plugins/inputs/influxdb/README.md index 85239316..2bab123f 100644 --- a/plugins/inputs/influxdb/README.md +++ b/plugins/inputs/influxdb/README.md @@ -20,11 +20,11 @@ InfluxDB-formatted endpoints. See below for more information. "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout diff --git a/plugins/inputs/influxdb/influxdb.go b/plugins/inputs/influxdb/influxdb.go index 811f4ce5..0bb3ead5 100644 --- a/plugins/inputs/influxdb/influxdb.go +++ b/plugins/inputs/influxdb/influxdb.go @@ -10,21 +10,14 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) type InfluxDB struct { - URLs []string `toml:"urls"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - + URLs []string `toml:"urls"` Timeout internal.Duration + tls.ClientConfig client *http.Client } 
@@ -45,11 +38,11 @@ func (*InfluxDB) SampleConfig() string { "http://localhost:8086/debug/vars" ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## http request & header timeout @@ -63,8 +56,7 @@ func (i *InfluxDB) Gather(acc telegraf.Accumulator) error { } if i.client == nil { - tlsCfg, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsCfg, err := i.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/jolokia2/README.md b/plugins/inputs/jolokia2/README.md index 283c4a5e..441ede22 100644 --- a/plugins/inputs/jolokia2/README.md +++ b/plugins/inputs/jolokia2/README.md @@ -18,14 +18,14 @@ The `jolokia2_agent` input plugin reads JMX metrics from one or more [Jolokia ag paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with agents: +Optionally, specify TLS options for communicating with agents: ```toml [[inputs.jolokia2_agent]] urls = ["https://agent:8080/jolokia"] - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false [[inputs.jolokia2_agent.metric]] 
@@ -55,15 +55,15 @@ The `jolokia2_proxy` input plugin reads JMX metrics from one or more _targets_ b paths = ["Uptime"] ``` -Optionally, specify SSL options for communicating with proxies: +Optionally, specify TLS options for communicating with proxies: ```toml [[inputs.jolokia2_proxy]] url = "https://proxy:8080/jolokia" - ssl_ca = "/var/private/ca.pem" - ssl_cert = "/var/private/client.pem" - ssl_key = "/var/private/client-key.pem" + tls_ca = "/var/private/ca.pem" + tls_cert = "/var/private/client.pem" + tls_key = "/var/private/client-key.pem" #insecure_skip_verify = false #default_target_username = "" diff --git a/plugins/inputs/jolokia2/client.go b/plugins/inputs/jolokia2/client.go index aa9a8f87..9f5de15d 100644 --- a/plugins/inputs/jolokia2/client.go +++ b/plugins/inputs/jolokia2/client.go @@ -10,7 +10,7 @@ import ( "path" "time" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" ) type Client struct { @@ -20,15 +20,11 @@ type Client struct { } type ClientConfig struct { - ResponseTimeout time.Duration - Username string - Password string - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool - - ProxyConfig *ProxyConfig + ResponseTimeout time.Duration + Username string + Password string + ProxyConfig *ProxyConfig + tls.ClientConfig } type ProxyConfig struct { @@ -100,8 +96,7 @@ type jolokiaResponse struct { } func NewClient(url string, config *ClientConfig) (*Client, error) { - tlsConfig, err := internal.GetTLSConfig( - config.SSLCert, config.SSLKey, config.SSLCA, config.InsecureSkipVerify) + tlsConfig, err := config.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/jolokia2/jolokia_agent.go b/plugins/inputs/jolokia2/jolokia_agent.go index 1042da9d..f1d58e68 100644 --- a/plugins/inputs/jolokia2/jolokia_agent.go +++ b/plugins/inputs/jolokia2/jolokia_agent.go 
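Review bot: jolokia2's own `ClientConfig` now embeds `tls.ClientConfig`, so the field and the enclosing type share a name and `config.ClientConfig.TLSConfig()` in `NewClient` reads like a self-reference. This struct is assembled in code by `createClient` rather than decoded from TOML, so nothing requires embedding here; a named field such as `TLS tls.ClientConfig`, with `config.TLS.TLSConfig()` here and `TLS: ja.ClientConfig` / `TLS: jp.ClientConfig` in the jolokia_agent and jolokia_proxy hunks that follow, says which config is meant.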
@@ -6,6 +6,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaAgent struct { @@ -18,10 +19,7 @@ type JolokiaAgent struct { Password string ResponseTimeout time.Duration `toml:"response_timeout"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` gatherer *Gatherer @@ -39,10 +37,10 @@ func (ja *JolokiaAgent) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add metrics to read @@ -101,12 +99,9 @@ func (ja *JolokiaAgent) createMetrics() []Metric { func (ja *JolokiaAgent) createClient(url string) (*Client, error) { return NewClient(url, &ClientConfig{ - Username: ja.Username, - Password: ja.Password, - ResponseTimeout: ja.ResponseTimeout, - SSLCA: ja.SSLCA, - SSLCert: ja.SSLCert, - SSLKey: ja.SSLKey, - InsecureSkipVerify: ja.InsecureSkipVerify, + Username: ja.Username, + Password: ja.Password, + ResponseTimeout: ja.ResponseTimeout, + ClientConfig: ja.ClientConfig, }) } diff --git a/plugins/inputs/jolokia2/jolokia_proxy.go b/plugins/inputs/jolokia2/jolokia_proxy.go index c9474871..40909dcc 100644 --- a/plugins/inputs/jolokia2/jolokia_proxy.go +++ b/plugins/inputs/jolokia2/jolokia_proxy.go @@ -4,6 +4,7 @@ import ( "time" "github.com/influxdata/telegraf" + "github.com/influxdata/telegraf/internal/tls" ) type JolokiaProxy struct { 
@@ -16,13 +17,10 @@ type JolokiaProxy struct { DefaultTargetUsername string Targets []JolokiaProxyTargetConfig `toml:"target"` - Username string - Password string - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool - ResponseTimeout time.Duration `toml:"response_timeout"` + Username string + Password string + ResponseTimeout time.Duration `toml:"response_timeout"` + tls.ClientConfig Metrics []MetricConfig `toml:"metric"` client *Client @@ -47,10 +45,10 @@ func (jp *JolokiaProxy) SampleConfig() string { # password = "" # response_timeout = "5s" - ## Optional SSL config - # ssl_ca = "/var/private/ca.pem" - # ssl_cert = "/var/private/client.pem" - # ssl_key = "/var/private/client-key.pem" + ## Optional TLS config + # tls_ca = "/var/private/ca.pem" + # tls_cert = "/var/private/client.pem" + # tls_key = "/var/private/client-key.pem" # insecure_skip_verify = false ## Add proxy targets to query @@ -117,13 +115,10 @@ func (jp *JolokiaProxy) createClient() (*Client, error) { } return NewClient(jp.URL, &ClientConfig{ - Username: jp.Username, - Password: jp.Password, - ResponseTimeout: jp.ResponseTimeout, - SSLCA: jp.SSLCA, - SSLCert: jp.SSLCert, - SSLKey: jp.SSLKey, - InsecureSkipVerify: jp.InsecureSkipVerify, - ProxyConfig: proxyConfig, + Username: jp.Username, + Password: jp.Password, + ResponseTimeout: jp.ResponseTimeout, + ClientConfig: jp.ClientConfig, + ProxyConfig: proxyConfig, }) } diff --git a/plugins/inputs/kafka_consumer/README.md b/plugins/inputs/kafka_consumer/README.md index 69500127..67dbb539 100644 --- a/plugins/inputs/kafka_consumer/README.md +++ b/plugins/inputs/kafka_consumer/README.md 
@@ -22,11 +22,11 @@ and use the old zookeeper connection method. ## Offset (must be either "oldest" or "newest") offset = "oldest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/inputs/kafka_consumer/kafka_consumer.go b/plugins/inputs/kafka_consumer/kafka_consumer.go index 4e471561..bf74dd5a 100644 --- a/plugins/inputs/kafka_consumer/kafka_consumer.go +++ b/plugins/inputs/kafka_consumer/kafka_consumer.go @@ -7,7 +7,7 @@ import ( "sync" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -23,14 +23,7 @@ type Kafka struct { Cluster *cluster.Consumer - // Verify Kafka SSL Certificate - InsecureSkipVerify bool - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` + tls.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` @@ -67,11 +60,11 @@ var sampleConfig = ` ## topic(s) to consume topics = ["telegraf"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config 
@@ -116,8 +109,7 @@ func (k *Kafka) Start(acc telegraf.Accumulator) error { config := cluster.NewConfig() config.Consumer.Return.Errors = true - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/kapacitor/README.md b/plugins/inputs/kapacitor/README.md index ae5b365d..2ff4eab8 100644 --- a/plugins/inputs/kapacitor/README.md +++ b/plugins/inputs/kapacitor/README.md @@ -15,11 +15,11 @@ The Kapacitor plugin will collect metrics from the given Kapacitor instances. ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/kapacitor/kapacitor.go b/plugins/inputs/kapacitor/kapacitor.go index ea0ca055..f20b9877 100644 --- a/plugins/inputs/kapacitor/kapacitor.go +++ b/plugins/inputs/kapacitor/kapacitor.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -17,18 +18,9 @@ const ( ) type Kapacitor struct { - URLs []string `toml:"urls"` - + URLs []string `toml:"urls"` Timeout internal.Duration - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } 
@@ -48,11 +40,11 @@ func (*Kapacitor) SampleConfig() string { ## Time limit for http requests timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` } @@ -82,8 +74,7 @@ func (k *Kapacitor) Gather(acc telegraf.Accumulator) error { } func (k *Kapacitor) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/kubernetes/kubernetes.go b/plugins/inputs/kubernetes/kubernetes.go index 9d07d6a4..870524a8 100644 --- a/plugins/inputs/kubernetes/kubernetes.go +++ b/plugins/inputs/kubernetes/kubernetes.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,18 +22,11 @@ type Kubernetes struct { // Bearer Token authorization file path BearerToken string `toml:"bearer_token"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool - // HTTP Timeout specified as a string - 3s, 1m, 1h ResponseTimeout internal.Duration + tls.ClientConfig + RoundTripper http.RoundTripper } 
@@ -46,11 +40,11 @@ var sampleConfig = ` ## Set response_timeout (default 5 seconds) # response_timeout = "5s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -101,7 +95,7 @@ func (k *Kubernetes) gatherSummary(baseURL string, acc telegraf.Accumulator) err var token []byte var resp *http.Response - tlsCfg, err := internal.GetTLSConfig(k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsCfg, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/mesos/README.md b/plugins/inputs/mesos/README.md index 46df267a..b18908b8 100644 --- a/plugins/inputs/mesos/README.md +++ b/plugins/inputs/mesos/README.md @@ -36,11 +36,11 @@ For more information, please check the [Mesos Observability Metrics](http://meso # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/mesos/mesos.go b/plugins/inputs/mesos/mesos.go index 5b0697ca..15e2bfcc 100644 --- a/plugins/inputs/mesos/mesos.go +++ b/plugins/inputs/mesos/mesos.go @@ -14,7 +14,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" jsonparser "github.com/influxdata/telegraf/plugins/parsers/json" ) 
@@ -33,15 +33,7 @@ type Mesos struct { Slaves []string SlaveCols []string `toml:"slave_collections"` //SlaveTasks bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig initialized bool client *http.Client @@ -83,11 +75,11 @@ var sampleConfig = ` # "messages", # ] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -216,8 +208,7 @@ func (m *Mesos) Gather(acc telegraf.Accumulator) error { } func (m *Mesos) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/mongodb/README.md b/plugins/inputs/mongodb/README.md index 48c01a59..a78d7b95 100644 --- a/plugins/inputs/mongodb/README.md +++ b/plugins/inputs/mongodb/README.md @@ -14,11 +14,11 @@ ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` 
diff --git a/plugins/inputs/mongodb/mongodb.go b/plugins/inputs/mongodb/mongodb.go index e6b811e5..895667de 100644 --- a/plugins/inputs/mongodb/mongodb.go +++ b/plugins/inputs/mongodb/mongodb.go @@ -12,7 +12,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "gopkg.in/mgo.v2" ) @@ -22,15 +22,7 @@ type MongoDB struct { Ssl Ssl mongos map[string]*Server GatherPerdbStats bool - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tlsint.ClientConfig } type Ssl struct { @@ -49,11 +41,11 @@ var sampleConfig = ` ## When true, collect per database stats # gather_perdb_stats = false - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -134,7 +126,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { var tlsConfig *tls.Config if m.Ssl.Enabled { - // Deprecated SSL config + // Deprecated TLS config tlsConfig = &tls.Config{} if len(m.Ssl.CaCerts) > 0 { roots := x509.NewCertPool() @@ -149,8 +141,7 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error { tlsConfig.InsecureSkipVerify = true } } else { - tlsConfig, err = internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsConfig, err = m.ClientConfig.TLSConfig() if err != nil { return err } 
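Review bot: The comment on the legacy branch of `gatherServer` is renamed to `// Deprecated TLS config`, but the branch still keys off the `Ssl` struct (`m.Ssl.Enabled`, `m.Ssl.CaCerts`) and, as the context lines show, ends in `tlsConfig.InsecureSkipVerify = true` when no CA certificates are given, so it silently disables verification. A comment such as `// Deprecated: legacy Ssl block; verification is skipped when no CaCerts are set, prefer the tls_* options` states what the branch does, and a one-time log warning when this branch is taken would tell operators they are on the unverified path. `gatherServer` starts and ends outside the hunks.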
diff --git a/plugins/inputs/mqtt_consumer/README.md b/plugins/inputs/mqtt_consumer/README.md index 2889bde5..df7869a8 100644 --- a/plugins/inputs/mqtt_consumer/README.md +++ b/plugins/inputs/mqtt_consumer/README.md @@ -36,11 +36,11 @@ The plugin expects messages in the # username = "telegraf" # password = "metricsmetricsmetricsmetrics" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. diff --git a/plugins/inputs/mqtt_consumer/mqtt_consumer.go b/plugins/inputs/mqtt_consumer/mqtt_consumer.go index 6903f654..58074af7 100644 --- a/plugins/inputs/mqtt_consumer/mqtt_consumer.go +++ b/plugins/inputs/mqtt_consumer/mqtt_consumer.go @@ -9,6 +9,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" @@ -33,15 +34,7 @@ type MQTTConsumer struct { PersistentSession bool ClientID string `toml:"client_id"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig sync.Mutex client mqtt.Client 
@@ -83,11 +76,11 @@ var sampleConfig = ` # username = "telegraf" # password = "metricsmetricsmetricsmetrics" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to consume. @@ -236,8 +229,7 @@ func (m *MQTTConsumer) createOpts() (*mqtt.ClientOptions, error) { opts.SetClientID(m.ClientID) } - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/mysql/README.md b/plugins/inputs/mysql/README.md index a190c600..564d75e6 100644 --- a/plugins/inputs/mysql/README.md +++ b/plugins/inputs/mysql/README.md @@ -82,10 +82,10 @@ This plugin gathers the statistic data from MySQL server ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) interval_slow = "30m" - ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.pem" - ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) + tls_ca = "/etc/telegraf/ca.pem" + tls_cert = "/etc/telegraf/cert.pem" + tls_key = "/etc/telegraf/key.pem" ``` #### Metric Version diff --git a/plugins/inputs/mysql/mysql.go b/plugins/inputs/mysql/mysql.go index 6e5a89e3..063452b7 100644 --- a/plugins/inputs/mysql/mysql.go +++ b/plugins/inputs/mysql/mysql.go 
@@ -11,7 +11,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs/mysql/v1" @@ -38,10 +38,8 @@ type Mysql struct { GatherFileEventsStats bool `toml:"gather_file_events_stats"` GatherPerfEventsStatements bool `toml:"gather_perf_events_statements"` IntervalSlow string `toml:"interval_slow"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` MetricVersion int `toml:"metric_version"` + tls.ClientConfig } var sampleConfig = ` @@ -118,10 +116,12 @@ var sampleConfig = ` ## Some queries we may want to run less often (such as SHOW GLOBAL VARIABLES) interval_slow = "30m" - ## Optional SSL Config (will be used if tls=custom parameter specified in server uri) - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.pem" - ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config (will be used if tls=custom parameter specified in server uri) + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification + # insecure_skip_verify = false ` var defaultTimeout = time.Second * time.Duration(5) @@ -161,7 +161,7 @@ func (m *Mysql) Gather(acc telegraf.Accumulator) error { m.InitMysql() } - tlsConfig, err := internal.GetTLSConfig(m.SSLCert, m.SSLKey, m.SSLCA, false) + tlsConfig, err := m.ClientConfig.TLSConfig() if err != nil { return fmt.Errorf("registering TLS config: %s", err) } diff --git a/plugins/inputs/nginx/README.md b/plugins/inputs/nginx/README.md index 819501ea..7b5215dc 100644 --- a/plugins/inputs/nginx/README.md +++ b/plugins/inputs/nginx/README.md 
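Review bot: The mysql README is now out of step with the sampleConfig hunk in mysql.go: the README hunk in plugins/inputs/mysql/README.md keeps `tls_ca`/`tls_cert`/`tls_key` as active lines and has no `insecure_skip_verify`, while the sampleConfig hunk comments them out and adds `# insecure_skip_verify = false`. That option matters for this plugin because the old Gather call passed a hard-coded `false` for the skip-verify argument, so with `m.ClientConfig.TLSConfig()` the setting presumably takes effect here for the first time and relaxes certificate verification when enabled; it deserves a line in the README and in the CHANGELOG entry. `Gather` continues outside the hunk.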
@@ -8,11 +8,11 @@ ## An array of Nginx stub_status URI to gather stats. urls = ["http://localhost/server_status"] - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP response timeout (default: 5s) diff --git a/plugins/inputs/nginx/nginx.go b/plugins/inputs/nginx/nginx.go index 3880dd91..1a1a115d 100644 --- a/plugins/inputs/nginx/nginx.go +++ b/plugins/inputs/nginx/nginx.go @@ -13,34 +13,28 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) type Nginx struct { - // List of status URLs - Urls []string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to client cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + Urls []string + ResponseTimeout internal.Duration + tls.ClientConfig + // HTTP client client *http.Client - // Response timeout - ResponseTimeout internal.Duration } var sampleConfig = ` # An array of Nginx stub_status URI to gather stats. urls = ["http://localhost/server_status"] - # TLS/SSL configuration - ssl_ca = "/etc/telegraf/ca.pem" - ssl_cert = "/etc/telegraf/cert.cer" - ssl_key = "/etc/telegraf/key.key" + ## Optional TLS Config + tls_ca = "/etc/telegraf/ca.pem" + tls_cert = "/etc/telegraf/cert.cer" + tls_key = "/etc/telegraf/key.key" + ## Use TLS but skip chain & host verification insecure_skip_verify = false # HTTP response timeout (default: 5s) 
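Review bot: The sampleConfig hunk in nginx.go leaves `tls_ca`, `tls_cert` and `tls_key` as active (uncommented) lines, so a config generated from it presumably cannot start until those three files exist, and it disagrees with the README hunk for the same plugin, where the keys are commented out and use `.pem` names. Comment them out to match: `# tls_ca = "/etc/telegraf/ca.pem"`, `# tls_cert = "/etc/telegraf/cert.pem"`, `# tls_key = "/etc/telegraf/key.pem"`. The new `## Optional TLS Config` and `## Use TLS but skip chain & host verification` headers use the double-hash style of the other plugins while the surrounding lines in this block still use a single `#`; picking one style for the whole sample would read better.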
@@ -87,8 +81,7 @@ func (n *Nginx) Gather(acc telegraf.Accumulator) error { } func (n *Nginx) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsCfg, err := n.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/openldap/README.md b/plugins/inputs/openldap/README.md index 44e751f5..aac60021 100644 --- a/plugins/inputs/openldap/README.md +++ b/plugins/inputs/openldap/README.md @@ -20,7 +20,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev insecure_skip_verify = false # Path to PEM-encoded Root certificate to use to verify server certificate - ssl_ca = "/etc/ssl/certs.pem" + tls_ca = "/etc/ssl/certs.pem" # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. bind_dn = "" diff --git a/plugins/inputs/openldap/openldap.go b/plugins/inputs/openldap/openldap.go index e413ecbe..8a423ba5 100644 --- a/plugins/inputs/openldap/openldap.go +++ b/plugins/inputs/openldap/openldap.go @@ -8,7 +8,7 @@ import ( "gopkg.in/ldap.v2" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -36,7 +36,7 @@ const sampleConfig string = ` insecure_skip_verify = false # Path to PEM-encoded Root certificate to use to verify server certificate - ssl_ca = "/etc/ssl/certs.pem" + tls_ca = "/etc/ssl/certs.pem" # dn/password to bind with. If bind_dn is empty, an anonymous bind is performed. bind_dn = "" 
@@ -85,7 +85,11 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error { var l *ldap.Conn if o.Ssl != "" { // build tls config - tlsConfig, err := internal.GetTLSConfig("", "", o.SslCa, o.InsecureSkipVerify) + clientTLSConfig := tls.ClientConfig{ + SSLCA: o.SslCa, + InsecureSkipVerify: o.InsecureSkipVerify, + } + tlsConfig, err := clientTLSConfig.TLSConfig() if err != nil { acc.AddError(err) return nil diff --git a/plugins/inputs/prometheus/README.md b/plugins/inputs/prometheus/README.md index ac740501..227f3f73 100644 --- a/plugins/inputs/prometheus/README.md +++ b/plugins/inputs/prometheus/README.md @@ -20,11 +20,11 @@ in Prometheus format. ## Specify timeout duration for slower prometheus clients (default is 3s) # response_timeout = "3s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/prometheus/prometheus.go b/plugins/inputs/prometheus/prometheus.go index 2a8a6b28..23709790 100644 --- a/plugins/inputs/prometheus/prometheus.go +++ b/plugins/inputs/prometheus/prometheus.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -30,14 +31,7 @@ type Prometheus struct { ResponseTimeout internal.Duration `toml:"response_timeout"` - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client *http.Client } 
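Review bot: The openldap sampleConfig hunk (and the README hunk) now documents `tls_ca`, but the Gather hunk still reads `o.SslCa`, and nothing in this diff changes the `Openldap` struct field or its TOML key; unless that field is renamed elsewhere, a user who follows the new docs and sets `tls_ca` will have the value silently ignored and the LDAP connection verified without their CA. Either add a `TLSCA` field tagged `toml:"tls_ca"` that `clientTLSConfig` reads, keeping `SslCa` as a deprecated fallback, or keep `ssl_ca` in the docs until the field is renamed. `Gather` continues outside the hunk.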
@@ -55,11 +49,11 @@ var sampleConfig = ` ## Specify timeout duration for slower prometheus clients (default is 3s) # response_timeout = "3s" - ## Optional SSL Config - # ssl_ca = /path/to/cafile - # ssl_cert = /path/to/certfile - # ssl_key = /path/to/keyfile - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = /path/to/cafile + # tls_cert = /path/to/certfile + # tls_key = /path/to/keyfile + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -167,8 +161,7 @@ var client = &http.Client{ } func (p *Prometheus) createHttpClient() (*http.Client, error) { - tlsCfg, err := internal.GetTLSConfig( - p.SSLCert, p.SSLKey, p.SSLCA, p.InsecureSkipVerify) + tlsCfg, err := p.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/rabbitmq/README.md b/plugins/inputs/rabbitmq/README.md index 5dae5e09..ae6dac6f 100644 --- a/plugins/inputs/rabbitmq/README.md +++ b/plugins/inputs/rabbitmq/README.md @@ -16,11 +16,11 @@ For additional details reference the [RabbitMQ Management HTTP Stats](https://cd # username = "guest" # password = "guest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional request timeouts diff --git a/plugins/inputs/rabbitmq/rabbitmq.go b/plugins/inputs/rabbitmq/rabbitmq.go index e0d12c3d..49dabe1b 100644 --- a/plugins/inputs/rabbitmq/rabbitmq.go +++ b/plugins/inputs/rabbitmq/rabbitmq.go 
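Review bot: The sampleConfig hunk in prometheus.go shows `# tls_ca = /path/to/cafile` and the two lines below it with unquoted values, which is not valid TOML once a line is uncommented; the README hunk in plugins/inputs/prometheus/README.md carries the same lines. Quote them as every other plugin in this diff does: `# tls_ca = "/path/to/cafile"`, `# tls_cert = "/path/to/certfile"`, `# tls_key = "/path/to/keyfile"`.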
@@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/filter" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -37,14 +38,7 @@ type RabbitMQ struct { Name string Username string Password string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig ResponseHeaderTimeout internal.Duration `toml:"header_timeout"` ClientTimeout internal.Duration `toml:"client_timeout"` @@ -175,11 +169,11 @@ var sampleConfig = ` # username = "guest" # password = "guest" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional request timeouts @@ -223,8 +217,7 @@ func (r *RabbitMQ) Description() string { // Gather ... func (r *RabbitMQ) Gather(acc telegraf.Accumulator) error { if r.Client == nil { - tlsCfg, err := internal.GetTLSConfig( - r.SSLCert, r.SSLKey, r.SSLCA, r.InsecureSkipVerify) + tlsCfg, err := r.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 076e1f4b..daab8495 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go 
@@ -16,6 +16,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/parsers" ) @@ -161,14 +162,12 @@ func (psl *packetSocketListener) listen() { } type SocketListener struct { - ServiceAddress string `toml:"service_address"` - MaxConnections int `toml:"max_connections"` - ReadBufferSize int `toml:"read_buffer_size"` - ReadTimeout *internal.Duration `toml:"read_timeout"` - TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"` - TLSCert string `toml:"tls_cert"` - TLSKey string `toml:"tls_key"` - KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"` + ServiceAddress string `toml:"service_address"` + MaxConnections int `toml:"max_connections"` + ReadBufferSize int `toml:"read_buffer_size"` + ReadTimeout *internal.Duration `toml:"read_timeout"` + KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"` + tlsint.ServerConfig parsers.Parser telegraf.Accumulator @@ -259,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { l net.Listener ) - tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts) + tlsCfg, err := sl.ServerConfig.TLSConfig() if err != nil { return nil } diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go index b647e724..65ee0db9 100644 --- a/plugins/inputs/socket_listener/socket_listener_test.go +++ b/plugins/inputs/socket_listener/socket_listener_test.go 
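Review bot: In the Start hunk the new `sl.ServerConfig.TLSConfig()` call is followed by the pre-existing `if err != nil { return nil }`, so a bad certificate or key path makes Start report success without creating a listener and the plugin silently collects nothing. Return the error instead, `return err`, so a misconfigured TLS listener fails loudly at startup rather than running unnoticed without its input. `Start` continues outside the hunk.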
@@ -9,12 +9,13 @@ import ( "testing" "time" - "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) +var pki = testutil.NewPKI("../../../testutil/pki") + // testEmptyLog is a helper function to ensure no data is written to log. // Should be called at the start of the test, and returns a function which should run at the end. func testEmptyLog(t *testing.T) func() { @@ -32,16 +33,14 @@ func TestSocketListener_tcp_tls(t *testing.T) { sl := newSocketListener() sl.ServiceAddress = "tcp://127.0.0.1:0" - sl.TLSCert = "testdata/server.pem" - sl.TLSKey = "testdata/server.key" - sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} + sl.ServerConfig = *pki.TLSServerConfig() acc := &testutil.Accumulator{} err := sl.Start(acc) require.NoError(t, err) defer sl.Stop() - tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + tlsCfg, err := pki.TLSClientConfig().TLSConfig() require.NoError(t, err) secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg) @@ -55,16 +54,15 @@ func TestSocketListener_unix_tls(t *testing.T) { sl := newSocketListener() sl.ServiceAddress = "unix:///tmp/telegraf_test.sock" - sl.TLSCert = "testdata/server.pem" - sl.TLSKey = "testdata/server.key" - sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} + sl.ServerConfig = *pki.TLSServerConfig() acc := &testutil.Accumulator{} err := sl.Start(acc) require.NoError(t, err) defer sl.Stop() - tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + tlsCfg, err := pki.TLSClientConfig().TLSConfig() + tlsCfg.InsecureSkipVerify = true require.NoError(t, err) secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg) 
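Review bot: In the TestSocketListener_unix_tls hunk, `tlsCfg.InsecureSkipVerify = true` runs before `require.NoError(t, err)`, so if `TLSConfig()` fails the test panics on a nil `tlsCfg` instead of reporting the error. Move the assignment below the check: `tlsCfg, err := pki.TLSClientConfig().TLSConfig()`, `require.NoError(t, err)`, `tlsCfg.InsecureSkipVerify = true`. A one-line comment saying why verification is disabled in this test but not in the tcp test (presumably because a unix socket path cannot be matched against the server certificate) would also help the next reader.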
diff --git a/plugins/inputs/socket_listener/testdata/ca.pem b/plugins/inputs/socket_listener/testdata/ca.pem
deleted file mode 100644
index d3b6d9a1..00000000
--- a/plugins/inputs/socket_listener/testdata/ca.pem
+++ /dev/null
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFVTCCAz2gAwIBAgIJAOhLvwv6zUf+MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG -A1UECgwEVGVzdDAeFw0xODA0MTcwNDIwNDZaFw0yMTAyMDQwNDIwNDZaMEExCzAJ -BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN -MAsGA1UECgwEVGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKwE -Xy814CDH03G3Fg2/XSpYZXVMzwp6oq/bUe3iLhkOpA6C4+j07AxAAa22qEPlvYkb -W7oxVJiL0ih1od2FeAxvroBTmjG54j/Syb8OeQsZaJLNp1rRmwYGBIVi284ScaIc -dn+2bfmfpSLjK3SbU5XygtwIE3gh/B7x02UJRNJmJ1faRT2CfTeg/56xnTE4bcR5 -HRrlojoN5laJngowLWAEAvWljCR8oge+ciNYB3xoK8Hgc9+WgTy95G1RBCNkaFFI -73nrcHl6dGOH9UgIqfbHJYxNEarI3o/JAr8DIBS0W4r8r4aY4JQ4LoN3bg4mLHQq -THKkVW5hyBeWe47qmlL0m4F6/+mzVi95NAWG2BQDCZJAWJNc+PbSRHi81838m7ff -O4rixd/F53LUUas8/zVca3vtv+XjOHZzIQLIy1bM4MhzpHlRcSmS9kqxxZ3S70e3 -ZIWFdM0iRrtlBbJeoHIJRDpgPRYIWdRc6XotljTTi6/lN4Bj/0NK4E3iONcDsscN -kiqEHRAWZ4ptCqdVPgYR0S096Fx6OaC3ASODE0Cjb18ylZQRsQi8TiYSihGzuoio -wJwSLdIifDbbSUkjT1384cA/HsOjFQ9xHXYa6cQnAg3TUZyG1lAMJyFWYke+rxmG -srfL/EtIzgbzmEOC5anQjA2pdgUO9Pk2SinJaMApAgMBAAGjUDBOMB0GA1UdDgQW -BBQNJctDLjj8bVKNCYANaOcboPQnmzAfBgNVHSMEGDAWgBQNJctDLjj8bVKNCYAN -aOcboPQnmzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQATSr26Kc8g -3l2zuccoKWM57DQcgRmzSYwEOKA2jn3FWmrAdwozEIkLaTK0OXz0zh2dZxh9V3GR -w0WFCynbGNy/9s33MSi+zIWJOU/MZvt6zGE5CTcTgZ+u5IZyvSubMkPcwQi3Yvcg -AHmWzpF42kT2J5C5MfrSU65hrhPX7hT/CUoV3gN7oxFzj+/ED4kgNorO8SUUJCmq -DJNFbjgsD63EhnvAhn1AeM35GmKdl2enEKqcZsRkE4ZLpU7ibrThEm1aOQuJUtHk -gDAx49QMdQpWnxWxnfoiwpLu7ufR7ls8O9oA8ZJux/SVHEmtkOdRsuMtY5MElFZg -dANlQsdFWDko4ixaxFYzppuPNnRlqjGNnaEFJrNc2KR0Dxgmp28Yh2VyLd4r3fLT -nLVBYF8KzFchUdXYYPNBXwAf/N52jGfugDx8snLxOfzxoUZ4y64qMCpYhntGgBJ1 -Rrk2trcn3Dw19gi8p3ylbdoz/Ch1INDDrO35pd0bZpcwASc/UNU72W5v2kGL0H7o -nJzgtrqeHcoIzNBmBhHlMlnTF5GMfrYGsf5d30KyKv7UL6qJTvT641dpKpB/FFrk -y3AQbKmKRDI+aVzeOlwdy/eJAwt7FikD4bR9GZ4PBX9n9jd4u/PHZNfxtgzplqo1 -oy7kJv0cB/vRKOblmn/vPUfTFtAX7M3GkQ== ------END CERTIFICATE----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.key b/plugins/inputs/socket_listener/testdata/client.key deleted file mode 100644 index 285a2747..00000000 --- a/plugins/inputs/socket_listener/testdata/client.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAmRuY+9Gg5V4e9hCd2mYek1jKeoaZijz89EPvox78XzoGdxPf -RoukUcTVS9VWN7HyJBjRA9P+KuHI9dX47skxyxH53uXZvRmGQAJBY4cE07JHvGkZ -eK1heXoWlBzYtivckha7bLBfn1ttAzcFCblUfJdzsn9XDuC4Jfn4oSaKn1o8Rzy1 -KRvyLgvsYxMA/XzhyBzVMyoUOulye7EZx4f+AwSNmNHD4OgtxxPofrrMOtXZ2tC6 -xNOexIZXbsB9dyrUW+4pWXYaadU7fl2V+arAJj+NVxV+3tmGGjmd1MiIypPx6BbP -g7xH20nJ/Y0U6V7gklZpYO1i84RbtR/kqBgi9QIDAQABAoIBAEONJJM+KyHnw/tG -246HbcgO7c7fYhDW1bgj3S/4NNsC6+VP1Dv40nftQzphFtgd37rDZDyvJL3gvlyQ -mnMoO5rgBIGuocHH6C6HkDgMUznft7zOFhnjTVVeY2XX0FmXwoqGEw1iR940ZUV8 -2fEvXrJV1AsWGeALj9PZlTPsoE6rv5sUk9Lh3wCD73m7GSg7DzBRE+6bBze8Lmwn -ZzTvmimhgPJw8LR5rRpYbDbhAJLAfgA7/yPgYEPxA/ffry6Ba4epj8tVNUNOAcOf -PURF+uuIF7RceI2PkdvoNuQyVR5oxQUPUfidfVK5ClUmnHECSgb/FFnYC+nU2vSi -IAnmC6ECgYEAyrUFHyxxuIQAiinjBxa0OQ3ynvMxDnF/+zvWe8536Y61lz9dblKb -0xvFhpOEMfiG/zFdZdWJ+xdq7VQVNMHu4USoskG8sZs5zImMTu50kuDNln7xYqVf -SUuN1U7cp7JouI1qkZAOsytPfAgZN/83hLObd07lAvL44jKYaHVeMmkCgYEAwVxZ -wKXpboHwQawA+4ubsnZ36IlOk21/+FlGJiDg/LB643BS+QhgVNxuB2gL1gOCYkhl -6BBcIhWMvZOIIo5uwnv4fQ+WfFwntU9POFViZgbZvkitQtorB7MXc/NU2BDrNYx2 -TBCiRn/9BaZ4fziW8I3Fx3xQ3rKDBXrexmrJQq0CgYEAvYGQYT12r47Qxlo0gcsL -AA/3E/y9jwgzItglQ6eZ2ULup5C4s0wNm8Zp2s+Mlf8HjgpDi9Gf5ptU/r1N+f2Y -awd6QvRMCSraVUr+Xkh1uV7rNNhGqPd75pT460OH7EtRtb+XsrAf3gcOjyEvGnfC -GpCjNl4OobwvS6ELdRTM1IkCgYAHUGX4uo3k5zdeVJJI8ZP3ITIR8retLfQsQbw8 -jvvTsx1C4ynQT7fNHfVvhEkGVGWnMBPivlOt2mDTfvQkUnzwEF5q5J8NnzLFUfWu -LNSnBVVRNFCRec0s4mJduXOZJLKw+No0sGBjCE5a21wte8eB2+sCS7qHYftAxtAM -c1eflQKBgQDGTFsMvpM8BEPTreinTllFBdjeYchcdY/Ov9DZ3mMVopjAWRD81MKM -zM1RCqwLkgv9FvF79B1FLJ1Inr8e/XIGdcrhE1a4sZdIWdqTWQ4xFrlDgxCquq66 -da09WVBRdvq2kVLAMaBViH2/GP1G4ZV9a8+JHuWKj+Arrr52Qeazjw== ------END RSA PRIVATE KEY----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.pem b/plugins/inputs/socket_listener/testdata/client.pem deleted file mode 100644 index d741e651..00000000 --- a/plugins/inputs/socket_listener/testdata/client.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT -30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp -GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8 -tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ -usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW -z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF -AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj -YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa -2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv -H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN -3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r -Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q -ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv -MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc -8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g -AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv -o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s= ------END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/server.key b/plugins/inputs/socket_listener/testdata/server.key deleted file mode 100644 index 4ad8e642..00000000 --- a/plugins/inputs/socket_listener/testdata/server.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAzkEDLijGOqXNQPAqUjOz5TLuM28SENauknLtcfIyEN/N6PwZ -re5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7HQz8lAKniir2ZH+axkjp5LUE6vYJd -I1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLhN5waKR86jpQaNkfnI7/4U3yrlymK -yaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1urYyiRbju2iL9YmtSM72yWXvFsD1O -I4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U35xG597M031WmR5o67rc63sqs+Q// -V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQWVQIDAQABAoIBAHFxFJy41H7BXulO -rxhTU6jGoHktqBQW4CGwkKTRf3QEhK6WqlEd8Y5eKzZgL1q1HLPSehEyPCYCUjpT -EgxlhLeZ7XI1/mIs8iG3swconimj7Pj60Nt0dqq1njWRJYQsKua0Kw1m0B+rVKBy -+qKRxondlA32HTD6iIg+eAUTuzO/KzimZcyL9hiT/g6aN9k0H5+qURi8dO7VV8fD -zvP8Y+oOGLwW2ccp+ZjFQizjTOkL4lgldr0hsGQXZJNHL94fA7jPdAxAUbnTicMJ -oXM++L3eCwIVabipGxxlqCMj9Dn8yfbQvRGzP2e76QDeROYZHX4osH6vLcZEjx9i -tJ4J+ekCgYEA82kKzkSKmFo4gZxnqAywlfZ2X2PADuMmHdqdiDFwt54orlMlKf/b -wVSvN/djLXwvFHuyzFmJeMFSHKFkYVTOsh8kPSETAIGkcJEMHD3viYn7DwjkQudY -vB/FpBWSiDT0T7qDUCzW3iMbx/JvTUSp7uO4ZuwOu6t6v3PEZwIChQ8CgYEA2Ov9 -FXHmm7sS54HgvZd6Wk8zLMLIDnyMmECjtYOasJ9c40yQHpRlXsb+Dzn/2xhMMwth -Bln2hIiJ/e+G0bzFu4x0cItRPOQeRNyz5Pal8EsATeUwcX4KRKOZaUpDkV6XV1L0 -r/HSk/wed+90B74sGoJY1qsFflOATIUVs7SIllsCgYEAwhGSB/sl9WqZet1U1+um -LyqeHlfNnREGJu9Sgm/Iyt1S2gp4qw/QCkiWmyym6nEEqHQnjj4lGR4pdaJIAkI3 -ulSR9BsWp2S10voSicHn5eUZQld4hs8lNHiwf66jce2mjJrMb3QQrHOZhsWIcDa6 -tjjhoU28QWzrJRIMGYTEtYkCgYA17NSJlDsj06mra5oXB6Ue9jlekz1wfH3nC4qn -AQRfi/5ncw0QzQs2OHnIBz8XlD69IcMI9SxXXioPuo/la+wr54q6v6d+X6c2rzb5 -YGd4CO0WcDdOv2qGDbWBezi41q8AwlqZsqAKsc5ROnG5ywjjviufkfxXnyJx41O1 -zNd3qQKBgGEy+EwUXD5iGeQxdCDnd6iVu14SoBscHO5SpIeDu3DIhnu+7gPq2VMg -Vp9j/iNVtEA3HyYCOeXc2rz9Di1wwt3YijED4birLAkC5YW6YB9rmLMfCNc1EyLh -BKAkUQN3D+XCN4pXdbKvbkOcfYRUHoD+pPBjRYH020OtPBUc6Wkl ------END RSA PRIVATE KEY----- diff --git a/plugins/inputs/socket_listener/testdata/server.pem b/plugins/inputs/socket_listener/testdata/server.pem deleted file mode 100644 index 96cfa0b0..00000000 --- a/plugins/inputs/socket_listener/testdata/server.pem +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEJjCCAg4CCQCmcronmMSqXDANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM -BFRlc3QwHhcNMTgwNDE3MDQyNDAwWhcNNDUwOTAyMDQyNDAwWjBpMQswCQYDVQQG -EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV -BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJMTI3LjAuMC4x -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkEDLijGOqXNQPAqUjOz -5TLuM28SENauknLtcfIyEN/N6PwZre5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7H -Qz8lAKniir2ZH+axkjp5LUE6vYJdI1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLh -N5waKR86jpQaNkfnI7/4U3yrlymKyaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1u -rYyiRbju2iL9YmtSM72yWXvFsD1OI4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U3 -5xG597M031WmR5o67rc63sqs+Q//V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQW -VQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCVgzqFrehoRAMFLMEL8avfokYtsSYc -50Yug4Es0ISo/PRWGeUnv8k1inyE3Y1iR/gbN5n/yjLXJKEflan6BuqGuukfr2eA -fRdDCyPvzQLABdxCx2n6ByQFxj92z82tizf35R2OMuHHWzTckta+7s5EvxwIiUsd -rUuXp+0ltJzlYYW9xTGFiJO9hAbRgMgZiwL8F7ayic8GmLQ1eRK/DfKDCOH3afeX -MNN5FulgjqNyhXHF33vwgIJynGDg2JEhkWjB1DkUAxll0+SMQoYyVGZVrQSGbGw1 -JhOLc8C8bTzfK3qcJDuyldvjiut+To+lpu76R0u0+sn+wxQFL1uCWuAbMJgGsJgM -ARavu2XDeae9X+e8MgJuN1FYS3tihBplPjMJD3UYRybRvHAvQh26BZ7Ch3JNSNST -AL2l5T7JKU+XaWWeo+crV+AnGIJyqyh9Su/n97PEoZoEMGH4Kcl/n/w2Jms60+5s -K0FK2OGNL42ddUfQiVL9CwYQQo70hydjsIo1x8S6+tSFLMAAysQEToSjfAA6qxDu -fgGVMuIYHo0rSkpTVsHVwru08Z5o4m+XDAK0iHalZ4knKsO0lJ+9l7vFnQHlzwt7 -JTjDhnyOKWPIANeWf3PrHPWE7kKpFVBqFBzOvWLJuxDu5NlgLo1PFahsahTqB9bz -qwUyMg/oYWnwqw== ------END CERTIFICATE----- diff --git a/plugins/inputs/tomcat/README.md b/plugins/inputs/tomcat/README.md index 3baf6855..1399a315 100644 --- a/plugins/inputs/tomcat/README.md +++ b/plugins/inputs/tomcat/README.md 
@@ -19,11 +19,11 @@ See the [Tomcat documentation](https://tomcat.apache.org/tomcat-9.0-doc/manager- ## Request timeout # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` diff --git a/plugins/inputs/tomcat/tomcat.go b/plugins/inputs/tomcat/tomcat.go index dd3c03ce..40ae7de8 100644 --- a/plugins/inputs/tomcat/tomcat.go +++ b/plugins/inputs/tomcat/tomcat.go @@ -10,6 +10,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -63,11 +64,7 @@ type Tomcat struct { Username string Password string Timeout internal.Duration - - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool + tls.ClientConfig client *http.Client request *http.Request @@ -84,11 +81,11 @@ var sampleconfig = ` ## Request timeout # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` 
@@ -191,8 +188,7 @@ func (s *Tomcat) Gather(acc telegraf.Accumulator) error { } func (s *Tomcat) createHttpClient() (*http.Client, error) { - tlsConfig, err := internal.GetTLSConfig( - s.SSLCert, s.SSLKey, s.SSLCA, s.InsecureSkipVerify) + tlsConfig, err := s.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/inputs/zookeeper/README.md b/plugins/inputs/zookeeper/README.md index 99abbc22..d54caae4 100644 --- a/plugins/inputs/zookeeper/README.md +++ b/plugins/inputs/zookeeper/README.md @@ -18,11 +18,11 @@ The zookeeper plugin collects variables outputted from the 'mntr' command ## Timeout for metric collections from all servers. Minimum timeout is "1s". # timeout = "5s" - ## Optional SSL Config + ## Optional TLS Config # enable_ssl = true - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true ``` diff --git a/plugins/inputs/zookeeper/zookeeper.go b/plugins/inputs/zookeeper/zookeeper.go index 1c60e368..20e7aee0 100644 --- a/plugins/inputs/zookeeper/zookeeper.go +++ b/plugins/inputs/zookeeper/zookeeper.go @@ -13,6 +13,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/inputs" ) @@ -21,11 +22,9 @@ type Zookeeper struct { Servers []string Timeout internal.Duration - EnableSSL bool `toml:"enable_ssl"` - SSLCA string `toml:"ssl_ca"` - SSLCert string `toml:"ssl_cert"` - SSLKey string `toml:"ssl_key"` - InsecureSkipVerify bool `toml:"insecure_skip_verify"` + EnableTLS bool `toml:"enable_tls"` + EnableSSL bool `toml:"enable_ssl"` // deprecated in 1.7; use enable_tls + tlsint.ClientConfig initialized bool tlsConfig *tls.Config 
@@ -42,11 +41,11 @@ var sampleConfig = ` ## Timeout for metric collections from all servers. Minimum timeout is "1s". # timeout = "5s" - ## Optional SSL Config - # enable_ssl = true - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" + ## Optional TLS Config + # enable_tls = true + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" ## If false, skip chain & host verification # insecure_skip_verify = true ` @@ -65,7 +64,7 @@ func (z *Zookeeper) Description() string { func (z *Zookeeper) dial(ctx context.Context, addr string) (net.Conn, error) { var dialer net.Dialer - if z.EnableSSL { + if z.EnableTLS || z.EnableSSL { deadline, ok := ctx.Deadline() if ok { dialer.Deadline = deadline @@ -81,8 +80,7 @@ func (z *Zookeeper) Gather(acc telegraf.Accumulator) error { ctx := context.Background() if !z.initialized { - tlsConfig, err := internal.GetTLSConfig( - z.SSLCert, z.SSLKey, z.SSLCA, z.InsecureSkipVerify) + tlsConfig, err := z.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/amqp/README.md b/plugins/outputs/amqp/README.md index 83407443..ea17fe76 100644 --- a/plugins/outputs/amqp/README.md +++ b/plugins/outputs/amqp/README.md @@ -42,11 +42,11 @@ For an introduction to AMQP see: ## to 5s. 0s means no timeout (not recommended). # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. diff --git a/plugins/outputs/amqp/amqp.go b/plugins/outputs/amqp/amqp.go index fed1edfe..f2bfb7ac 100644 --- a/plugins/outputs/amqp/amqp.go 
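Review bot: The sampleConfig hunk in zookeeper.go switches to `# enable_tls = true`, but the README hunk in plugins/inputs/zookeeper/README.md still shows `# enable_ssl = true`, which the struct hunk marks as deprecated in 1.7. Update the README to `enable_tls`, and since the dial hunk keeps accepting `z.EnableSSL`, consider logging a deprecation notice when it is set so users migrate before the key is removed; nothing in the visible hunks emits one. `dial` and `Gather` continue outside their hunks.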
+++ b/plugins/outputs/amqp/amqp.go @@ -10,6 +10,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -43,14 +44,7 @@ type AMQP struct { // Valid options are "transient" and "persistent". default: "transient" DeliveryMode string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig sync.Mutex c *client @@ -99,11 +93,11 @@ var sampleConfig = ` ## to 5s. 0s means no timeout (not recommended). # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. @@ -137,8 +131,7 @@ func (q *AMQP) Connect() error { var connection *amqp.Connection // make new tls config - tls, err := internal.GetTLSConfig( - q.SSLCert, q.SSLKey, q.SSLCA, q.InsecureSkipVerify) + tls, err := q.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/elasticsearch/README.md b/plugins/outputs/elasticsearch/README.md index b0d2e6f9..11f3c138 100644 --- a/plugins/outputs/elasticsearch/README.md +++ b/plugins/outputs/elasticsearch/README.md 
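Review bot: In the Connect hunk the local `tls, err := q.ClientConfig.TLSConfig()` now shadows the `tls` package that the import hunk adds to this file, so the package cannot be referenced for the rest of Connect and the name misleads (it holds a config value, not the package). Rename it, `tlsCfg, err := q.ClientConfig.TLSConfig()`, and update the later uses in Connect, which lie outside the hunk.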
@@ -180,11 +180,11 @@ This plugin will format the events in the following way: # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -230,4 +230,4 @@ Integer values collected that are bigger than 2^63 and smaller than 1e21 (or in The correct field mapping will be created on the telegraf index as soon as a supported JSON value is received by Elasticsearch, and subsequent insertions will work because the field mapping will already exist. -This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. \ No newline at end of file +This issue is caused by the way Elasticsearch tries to detect integer fields, and by how golang encodes numbers in JSON. There is no clear workaround for this at the moment. diff --git a/plugins/outputs/elasticsearch/elasticsearch.go b/plugins/outputs/elasticsearch/elasticsearch.go index 326def1d..56169135 100644 --- a/plugins/outputs/elasticsearch/elasticsearch.go +++ b/plugins/outputs/elasticsearch/elasticsearch.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "gopkg.in/olivere/elastic.v5" ) 
@@ -28,11 +29,9 @@ type Elasticsearch struct { ManageTemplate bool TemplateName string OverwriteTemplate bool - SSLCA string `toml:"ssl_ca"` // Path to CA file - SSLCert string `toml:"ssl_cert"` // Path to host cert file - SSLKey string `toml:"ssl_key"` // Path to cert key file - InsecureSkipVerify bool // Use SSL but skip chain & host verification - Client *elastic.Client + tls.ClientConfig + + Client *elastic.Client } var sampleConfig = ` @@ -69,11 +68,11 @@ var sampleConfig = ` # default_tag_value = "none" index_name = "telegraf-%Y.%m.%d" # required. - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Template Config @@ -96,7 +95,7 @@ func (a *Elasticsearch) Connect() error { var clientOptions []elastic.ClientOptionFunc - tlsCfg, err := internal.GetTLSConfig(a.SSLCert, a.SSLKey, a.SSLCA, a.InsecureSkipVerify) + tlsCfg, err := a.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/graphite/README.md b/plugins/outputs/graphite/README.md index 1b173962..216c09ca 100644 --- a/plugins/outputs/graphite/README.md +++ b/plugins/outputs/graphite/README.md 
@@ -20,42 +20,10 @@ via raw TCP. ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ``` - -Parameters: - - Servers []string - Prefix string - Timeout int - Template string - - // Path to CA file - SSLCA string - // Path to host cert file - SSLCert string - // Path to cert key file - SSLKey string - // Skip SSL verification - InsecureSkipVerify bool - -### Required parameters: - -* `servers`: List of strings, ["mygraphiteserver:2003"]. -* `prefix`: String use to prefix all sent metrics. -* `timeout`: Connection timeout in seconds. -* `template`: Template for graphite output format, see -https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md -for more details. - -### Optional parameters: - -* `ssl_ca`: SSL CA -* `ssl_cert`: SSL CERT -* `ssl_key`: SSL key -* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) diff --git a/plugins/outputs/graphite/graphite.go b/plugins/outputs/graphite/graphite.go index 7bad4be0..4346c50d 100644 --- a/plugins/outputs/graphite/graphite.go +++ b/plugins/outputs/graphite/graphite.go @@ -10,7 +10,7 @@ import ( "time" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) 
@@ -22,18 +22,7 @@ type Graphite struct { Template string Timeout int conns []net.Conn - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Skip SSL verification - InsecureSkipVerify bool - - // tls config - tlsConfig *tls.Config + tlsint.ClientConfig } var sampleConfig = ` @@ -49,11 +38,11 @@ var sampleConfig = ` ## timeout in seconds for the write connection to graphite timeout = 2 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ` @@ -67,9 +56,7 @@ func (g *Graphite) Connect() error { } // Set tls config - var err error - g.tlsConfig, err = internal.GetTLSConfig( - g.SSLCert, g.SSLKey, g.SSLCA, g.InsecureSkipVerify) + tlsConfig, err := g.ClientConfig.TLSConfig() if err != nil { return err } @@ -82,8 +69,8 @@ func (g *Graphite) Connect() error { // Get secure connection if tls config is set var conn net.Conn - if g.tlsConfig != nil { - conn, err = tls.DialWithDialer(&d, "tcp", server, g.tlsConfig) + if tlsConfig != nil { + conn, err = tls.DialWithDialer(&d, "tcp", server, tlsConfig) } else { conn, err = d.Dial("tcp", server) } diff --git a/plugins/outputs/influxdb/README.md b/plugins/outputs/influxdb/README.md index 74f33748..aed96e46 100644 --- a/plugins/outputs/influxdb/README.md +++ b/plugins/outputs/influxdb/README.md 
@@ -44,11 +44,11 @@ This InfluxDB output plugin writes metrics to the [InfluxDB](https://github.com/ ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment diff --git a/plugins/outputs/influxdb/influxdb.go b/plugins/outputs/influxdb/influxdb.go index d34e9e3e..f80722bc 100644 --- a/plugins/outputs/influxdb/influxdb.go +++ b/plugins/outputs/influxdb/influxdb.go @@ -11,6 +11,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers/influx" ) @@ -46,15 +47,7 @@ type InfluxDB struct { ContentEncoding string `toml:"content_encoding"` SkipDatabaseCreation bool `toml:"skip_database_creation"` InfluxUintSupport bool `toml:"influx_uint_support"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig Precision string // precision deprecated in 1.0; value is ignored 
@@ -104,11 +97,11 @@ var sampleConfig = ` ## UDP payload size is the maximum packet size to send. # udp_payload = 512 - ## Optional SSL Config for use on HTTP connections. - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config for use on HTTP connections. + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## HTTP Proxy override, if unset values the standard proxy environment @@ -245,8 +238,7 @@ func (i *InfluxDB) udpClient(url *url.URL) (Client, error) { } func (i *InfluxDB) httpClient(ctx context.Context, url *url.URL, proxy *url.URL) (Client, error) { - tlsConfig, err := internal.GetTLSConfig( - i.SSLCert, i.SSLKey, i.SSLCA, i.InsecureSkipVerify) + tlsConfig, err := i.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/influxdb/influxdb_test.go b/plugins/outputs/influxdb/influxdb_test.go index eeef9761..3ec10989 100644 --- a/plugins/outputs/influxdb/influxdb_test.go +++ b/plugins/outputs/influxdb/influxdb_test.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/metric" "github.com/influxdata/telegraf/plugins/outputs/influxdb" "github.com/stretchr/testify/require" @@ -104,8 +105,10 @@ func TestConnectHTTPConfig(t *testing.T) { HTTPHeaders: map[string]string{ "x": "y", }, - ContentEncoding: "gzip", - InsecureSkipVerify: true, + ContentEncoding: "gzip", + ClientConfig: tls.ClientConfig{ + InsecureSkipVerify: true, + }, CreateHTTPClientF: func(config *influxdb.HTTPConfig) (influxdb.Client, error) { actual = config diff --git a/plugins/outputs/kafka/README.md b/plugins/outputs/kafka/README.md index 93182ba0..196e2e91 100644 
--- a/plugins/outputs/kafka/README.md +++ b/plugins/outputs/kafka/README.md @@ -68,11 +68,11 @@ This plugin writes to a [Kafka Broker](http://kafka.apache.org/07/quickstart.htm ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config diff --git a/plugins/outputs/kafka/kafka.go b/plugins/outputs/kafka/kafka.go index 8094d433..716e06c4 100644 --- a/plugins/outputs/kafka/kafka.go +++ b/plugins/outputs/kafka/kafka.go @@ -6,7 +6,7 @@ import ( "strings" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -36,7 +36,7 @@ type ( // MaxRetry Tag MaxRetry int - // Legacy SSL config options + // Legacy TLS config options // TLS client certificate Certificate string // TLS client key @@ -44,15 +44,7 @@ type ( // TLS certificate authority CA string - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - - // Skip SSL verification - InsecureSkipVerify bool + tlsint.ClientConfig // SASL Username SASLUsername string `toml:"sasl_username"` 
@@ -135,11 +127,11 @@ var sampleConfig = ` ## until the next flush. # max_retry = 3 - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Optional SASL Config @@ -201,13 +193,12 @@ func (k *Kafka) Connect() error { // Legacy support ssl config if k.Certificate != "" { - k.SSLCert = k.Certificate - k.SSLCA = k.CA - k.SSLKey = k.Key + k.TLSCert = k.Certificate + k.TLSCA = k.CA + k.TLSKey = k.Key } - tlsConfig, err := internal.GetTLSConfig( - k.SSLCert, k.SSLKey, k.SSLCA, k.InsecureSkipVerify) + tlsConfig, err := k.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/mqtt/README.md b/plugins/outputs/mqtt/README.md index 21987c30..53483d96 100644 --- a/plugins/outputs/mqtt/README.md +++ b/plugins/outputs/mqtt/README.md @@ -22,12 +22,12 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt ## Timeout for write operations. default: 5s # timeout = "5s" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. 
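Review bot: The legacy mapping in `Connect` copies `CA` and `Key` only when `Certificate` is non-empty, so a legacy config that sets just `ca` to verify the broker keeps none of it, and what `TLSConfig()` then does with an empty CA is not visible here; conversely, when `certificate` is set the three assignments overwrite any `tls_ca`/`tls_cert`/`tls_key` given alongside it, even with empty values. Map each legacy field on its own and only when set, `if k.CA != "" { k.TLSCA = k.CA }`, `if k.Certificate != "" { k.TLSCert = k.Certificate }`, `if k.Key != "" { k.TLSKey = k.Key }`, and log a deprecation warning when any of them is used so operators migrate to the `tls_*` keys. The gating predates this commit, but the lines were rewritten here and the rest of `Connect` is outside the hunk.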
@@ -45,8 +45,8 @@ This plugin writes to a [MQTT Broker](http://http://mqtt.org/) acting as a mqtt * `password`: The password to connect MQTT server. * `client_id`: The unique client id to connect MQTT server. If this paramater is not set then a random ID is generated. * `timeout`: Timeout for write operations. default: 5s -* `ssl_ca`: SSL CA -* `ssl_cert`: SSL CERT -* `ssl_key`: SSL key -* `insecure_skip_verify`: Use SSL but skip chain & host verification (default: false) +* `tls_ca`: TLS CA +* `tls_cert`: TLS CERT +* `tls_key`: TLS key +* `insecure_skip_verify`: Use TLS but skip chain & host verification (default: false) * `data_format`: [About Telegraf data formats](https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_OUTPUT.md) diff --git a/plugins/outputs/mqtt/mqtt.go b/plugins/outputs/mqtt/mqtt.go index eea7b608..1c700332 100644 --- a/plugins/outputs/mqtt/mqtt.go +++ b/plugins/outputs/mqtt/mqtt.go @@ -8,6 +8,7 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" @@ -32,11 +33,11 @@ var sampleConfig = ` ## client ID, if not set a random ID is generated # client_id = "" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. 
@@ -55,15 +56,7 @@ type MQTT struct { TopicPrefix string QoS int `toml:"qos"` ClientID string `toml:"client_id"` - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig client paho.Client opts *paho.ClientOptions @@ -174,8 +167,7 @@ func (m *MQTT) createOpts() (*paho.ClientOptions, error) { opts.SetClientID("Telegraf-Output-" + internal.RandomString(5)) } - tlsCfg, err := internal.GetTLSConfig( - m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify) + tlsCfg, err := m.ClientConfig.TLSConfig() if err != nil { return nil, err } diff --git a/plugins/outputs/nats/nats.go b/plugins/outputs/nats/nats.go index d97c4688..a664bc1b 100644 --- a/plugins/outputs/nats/nats.go +++ b/plugins/outputs/nats/nats.go @@ -6,7 +6,7 @@ import ( nats_client "github.com/nats-io/nats" "github.com/influxdata/telegraf" - "github.com/influxdata/telegraf/internal" + "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) @@ -19,15 +19,7 @@ type NATS struct { Password string // NATS subject to publish metrics to Subject string - - // Path to CA file - SSLCA string `toml:"ssl_ca"` - // Path to host cert file - SSLCert string `toml:"ssl_cert"` - // Path to cert key file - SSLKey string `toml:"ssl_key"` - // Use SSL but skip chain & host verification - InsecureSkipVerify bool + tls.ClientConfig conn *nats_client.Conn serializer serializers.Serializer 
@@ -42,11 +34,11 @@ var sampleConfig = ` ## NATS subject for producer messages subject = "telegraf" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Data format to output. @@ -79,8 +71,7 @@ func (n *NATS) Connect() error { } // override TLS, if it was specified - tlsConfig, err := internal.GetTLSConfig( - n.SSLCert, n.SSLKey, n.SSLCA, n.InsecureSkipVerify) + tlsConfig, err := n.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/plugins/outputs/socket_writer/README.md b/plugins/outputs/socket_writer/README.md index 8e28c5f8..149cda2a 100644 --- a/plugins/outputs/socket_writer/README.md +++ b/plugins/outputs/socket_writer/README.md @@ -19,11 +19,11 @@ It can output data in any of the [supported output formats](https://github.com/i # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index 382aad26..7c4660bc 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go 
@@ -10,17 +10,15 @@ import ( "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" + tlsint "github.com/influxdata/telegraf/internal/tls" "github.com/influxdata/telegraf/plugins/outputs" "github.com/influxdata/telegraf/plugins/serializers" ) type SocketWriter struct { - Address string - KeepAlivePeriod *internal.Duration - SSLCA string - SSLCert string - SSLKey string - InsecureSkipVerify bool + Address string + KeepAlivePeriod *internal.Duration + tlsint.ClientConfig serializers.Serializer @@ -45,11 +43,11 @@ func (sw *SocketWriter) SampleConfig() string { # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" - ## Optional SSL Config - # ssl_ca = "/etc/telegraf/ca.pem" - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Use SSL but skip chain & host verification + ## Optional TLS Config + # tls_ca = "/etc/telegraf/ca.pem" + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Use TLS but skip chain & host verification # insecure_skip_verify = false ## Period between keep alive probes. @@ -76,7 +74,7 @@ func (sw *SocketWriter) Connect() error { return fmt.Errorf("invalid address: %s", sw.Address) } - tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + tlsCfg, err := sw.ClientConfig.TLSConfig() if err != nil { return err } diff --git a/testutil/pki/cacert.pem b/testutil/pki/cacert.pem new file mode 100644 index 00000000..b0a47334 --- /dev/null +++ b/testutil/pki/cacert.pem 
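Review bot: `Connect` builds `tlsCfg` right after validating the address, but the sample config in the same file advertises `udp`, `unix` and `unixgram` addresses next to the TLS options, and nothing visible tells the operator whether a configured `tls_ca`/`tls_cert` is honoured or silently ignored for those schemes; that depends on code outside the hunk. If TLS is only applied to `tcp` addresses, say so in the sample config, `## Optional TLS Config (only used with tcp addresses)`, and consider having `Connect` return an error when TLS options are set for a non-TCP scheme so a misconfiguration does not quietly send plaintext. `Connect` starts and ends outside the hunk.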
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV +BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw +NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR +rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/ +X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID +AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF +AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK +Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ +C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw== +-----END CERTIFICATE----- diff --git a/testutil/pki/cakey.pem b/testutil/pki/cakey.pem new file mode 100644 index 00000000..3606c89b --- /dev/null +++ b/testutil/pki/cakey.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60 +1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr +JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA +r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V +hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD +CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564 +yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga +YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl +LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5 +gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm +tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj +7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw ++WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh +WyxmGkbTDelSG20= +-----END PRIVATE KEY----- diff --git a/testutil/pki/clientcert.pem b/testutil/pki/clientcert.pem new file mode 100644 index 00000000..9e5b6080 --- /dev/null +++ b/testutil/pki/clientcert.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl +Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb +MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR +WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9 +CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw +STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH +BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0 +L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG +HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw +uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E= +-----END CERTIFICATE----- diff --git a/testutil/pki/clientkey.pem b/testutil/pki/clientkey.pem new file mode 100644 index 00000000..cc11e20e --- /dev/null +++ b/testutil/pki/clientkey.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI +E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX +ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB +AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC +yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+ +ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F +Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo +wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD +dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL +fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ +POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx +k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG +uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w= +-----END RSA PRIVATE KEY----- diff --git a/testutil/pki/servercert.pem b/testutil/pki/servercert.pem new file mode 100644 index 00000000..88621951 --- /dev/null 
+++ b/testutil/pki/servercert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl +Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb +MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D +L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij +ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw +STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E +BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM +ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP +JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L +Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY= +-----END CERTIFICATE----- diff --git a/testutil/pki/serverkey.pem b/testutil/pki/serverkey.pem new file mode 100644 index 00000000..363f5d9a --- /dev/null +++ b/testutil/pki/serverkey.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37 +uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y +j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB +AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl +9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O +hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ +6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4 +4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8 +fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt +2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi +7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ +Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs +pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue +-----END RSA PRIVATE KEY----- 
diff --git a/scripts/tls-certs.sh b/testutil/pki/tls-certs.sh similarity index 81% rename from scripts/tls-certs.sh rename to testutil/pki/tls-certs.sh index b37d6541..55075df4 100644 --- a/scripts/tls-certs.sh +++ b/testutil/pki/tls-certs.sh 
@@ -46,21 +46,31 @@ keyUsage = keyCertSign, cRLSign [ client_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature +subjectAltName = @client_alt_names extendedKeyUsage = 1.3.6.1.5.5.7.3.2 +[ client_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 + [ server_ca_extensions ] basicConstraints = CA:false -keyUsage = keyEncipherment +subjectAltName = @server_alt_names +keyUsage = keyEncipherment, digitalSignature extendedKeyUsage = 1.3.6.1.5.5.7.3.1 + +[ server_alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 EOF -openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes && +openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes && # Create server keypair openssl genrsa -out ./private/serverkey.pem 1024 && -openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" && +openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" && openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions && # Create client keypair openssl genrsa -out ./private/clientkey.pem 1024 && -openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" && +openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" && openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions diff --git a/testutil/tls.go b/testutil/tls.go new file mode 100644 index 00000000..4f7fc012 --- /dev/null +++ b/testutil/tls.go 
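Review bot: All three keypairs are still generated at 1024 bits (`-newkey rsa:1024` for the CA and `openssl genrsa ... 1024` for the server and client keys), and the PEM fixtures added under testutil/pki were produced by this script; 1024-bit RSA is below the minimum enforced by OpenSSL at security level 2, which some distributions ship as the default, so an integration test that points an external broker or server at these files can fail with an opaque handshake error. Bump the three invocations to 2048 bits, `-newkey rsa:2048` and `openssl genrsa -out ./private/serverkey.pem 2048` (likewise for the client key), and regenerate the fixtures. The committed private keys are test-only and will be flagged by secret scanners; a short README in testutil/pki stating that they are throwaway test material would save the next person a scare. The script's earlier lines are outside the hunk.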
@@ -0,0 +1,86 @@
+package testutil
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path"
+
+ "github.com/influxdata/telegraf/internal/tls"
+)
+
+type pki struct {
+ path string
+}
+
+func NewPKI(path string) *pki {
+ return &pki{path: path}
+}
+
+func (p *pki) TLSClientConfig() *tls.ClientConfig {
+ return &tls.ClientConfig{
+ TLSCA: p.CACertPath(),
+ TLSCert: p.ClientCertPath(),
+ TLSKey: p.ClientKeyPath(),
+ }
+}
+
+func (p *pki) TLSServerConfig() *tls.ServerConfig {
+ return &tls.ServerConfig{
+ TLSAllowedCACerts: []string{p.CACertPath()},
+ TLSCert: p.ServerCertPath(),
+ TLSKey: p.ServerKeyPath(),
+ }
+}
+
+func (p *pki) ReadCACert() string {
+ return readCertificate(p.CACertPath())
+}
+
+func (p *pki) CACertPath() string {
+ return path.Join(p.path, "cacert.pem")
+}
+
+func (p *pki) ReadClientCert() string {
+ return readCertificate(p.ClientCertPath())
+}
+
+func (p *pki) ClientCertPath() string {
+ return path.Join(p.path, "clientcert.pem")
+}
+
+func (p *pki) ReadClientKey() string {
+ return readCertificate(p.ClientKeyPath())
+}
+
+func (p *pki) ClientKeyPath() string {
+ return path.Join(p.path, "clientkey.pem")
+}
+
+func (p *pki) ReadServerCert() string {
+ return readCertificate(p.ServerCertPath())
+}
+
+func (p *pki) ServerCertPath() string {
+ return path.Join(p.path, "servercert.pem")
+}
+
+func (p *pki) ReadServerKey() string {
+ return readCertificate(p.ServerKeyPath())
+}
+
+func (p *pki) ServerKeyPath() string {
+ return path.Join(p.path, "serverkey.pem")
+}
+
+func readCertificate(filename string) string {
+ file, err := os.Open(filename)
+ if err != nil {
+ panic(fmt.Sprintf("opening %q: %v", filename, err))
+ }
+ octets, err := ioutil.ReadAll(file)
+ if err != nil {
+ panic(fmt.Sprintf("reading %q: %v", filename, err))
+ }
+ return string(octets)
+}
-- GitLab
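Review bot: `readCertificate` opens the file with `os.Open` and never closes it, so every `Read*` call leaks a descriptor for the life of the test process; replace the open-and-`ReadAll` pair with `octets, err := ioutil.ReadFile(filename)` and drop the now-unused `os` import. The path helpers use `path.Join`, which is meant for slash-separated URL paths; `filepath.Join` is the OS-correct choice for files on disk. `NewPKI` is exported but returns the unexported `*pki`, which lint tools flag and which stops callers from naming the type in their own declarations; exporting it as `PKI` leaves every call site unchanged. `ReadClientKey` and `ReadServerKey` hand back private-key material through a helper called `readCertificate`; a neutral name such as `readFile` would describe what it does.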