From c873a406f310728bf18976254d16e1c6a25ac854 Mon Sep 17 00:00:00 2001
From: Victor Garcia
Date: Tue, 21 Jun 2016 18:04:34 +0200
Subject: [PATCH] x509 certs authentication now supported for Prometheus input plugin

---
 plugins/inputs/prometheus/README.md     | 20 ++++++++++++++++
 plugins/inputs/prometheus/prometheus.go | 32 +++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/plugins/inputs/prometheus/README.md b/plugins/inputs/prometheus/README.md
index 3aa8c8afdc8ab..473f125db5b00 100644
--- a/plugins/inputs/prometheus/README.md
+++ b/plugins/inputs/prometheus/README.md
@@ -30,6 +30,26 @@ to filter and some tags
   kubeservice = "kube-apiserver"
 ```
 
+```toml
+# Authorize with a bearer token skipping cert verification
+[[inputs.prometheus]]
+  # An array of urls to scrape metrics from.
+  urls = ["http://my-kube-apiserver:8080/metrics"]
+  bearer_token = '/path/to/bearer/token'
+  insecure_skip_verify = true
+```
+
+```toml
+# Authorize using x509 certs
+[[inputs.prometheus]]
+  # An array of urls to scrape metrics from.
+  urls = ["https://my-kube-apiserver:8080/metrics"]
+
+  tls_ca = '/path/to/cafile'
+  tls_cert = '/path/to/certfile'
+  tls_key = '/path/to/keyfile'
+```
+
 ### Measurements & Fields & Tags:
 
 Measurements and fields could be any thing.
diff --git a/plugins/inputs/prometheus/prometheus.go b/plugins/inputs/prometheus/prometheus.go
index 1c60a363e3f3d..174c61e2b6999 100644
--- a/plugins/inputs/prometheus/prometheus.go
+++ b/plugins/inputs/prometheus/prometheus.go
@@ -2,6 +2,7 @@ package prometheus
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"github.com/influxdata/telegraf"
@@ -20,6 +21,13 @@ type Prometheus struct {
 	InsecureSkipVerify bool
 	// Bearer Token authorization file path
 	BearerToken string `toml:"bearer_token"`
+
+	// CA certificate file path
+	TlsCA string `toml:"tls_ca"`
+
+	// Cert and key pair file paths
+	TlsCert string `toml:"tls_cert"`
+	TlsKey  string `toml:"tls_key"`
 }
 
 var sampleConfig = `
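Review bot: The new fields `TlsCA`, `TlsCert` and `TlsKey` in the `Prometheus` struct spell the initialism in mixed case; Go convention (and `golint`) wants `TLSCA`, `TLSCert` and `TLSKey`, and since the `toml:"..."` tags fix the config keys, renaming the Go identifiers does not affect users. The field comments also leave out a behaviour the loading code relies on: the client certificate is only used when both files are set, so a half-configured pair is silently ignored. Suggest `// Client certificate and key file paths; both must be set, otherwise no client certificate is presented` above `TlsCert`, and `// CA certificate file path; when empty the system roots are used` above `TlsCA` once the loading code actually behaves that way. The struct definition starts outside the hunk.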
@@ -30,6 +38,10 @@ var sampleConfig = `
   # insecure_skip_verify = false
   ## Use bearer token for authorization
   # bearer_token = /path/to/bearer/token
+  ## Use x509 cert authentication
+  # tls_ca = /path/to/cafile
+  # tls_cert = /path/to/certfile
+  # tls_key = /path/to/keyfile
 `
 
 func (p *Prometheus) SampleConfig() string {
@@ -78,6 +90,24 @@ func (p *Prometheus) gatherURL(url string, acc telegraf.Accumulator) error {
 	var token []byte
 	var resp *http.Response
 
+	caCertPool := x509.NewCertPool()
+	if p.TlsCA != "" {
+		caCert, err := ioutil.ReadFile(p.TlsCA)
+		if err != nil {
+			return err
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+	}
+
+	certificates := []tls.Certificate{}
+	if p.TlsCert != "" && p.TlsKey != "" {
+		cert, err := tls.LoadX509KeyPair(p.TlsCert, p.TlsKey)
+		if err != nil {
+			return err
+		}
+		certificates = []tls.Certificate{cert}
+	}
+
 	var rt http.RoundTripper = &http.Transport{
 		Dial: (&net.Dialer{
 			Timeout: 5 * time.Second,
@@ -86,6 +116,8 @@ func (p *Prometheus) gatherURL(url string, acc telegraf.Accumulator) error {
 		TLSHandshakeTimeout: 5 * time.Second,
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: p.InsecureSkipVerify,
+			RootCAs: caCertPool,
+			Certificates: certificates,
 		},
 		ResponseHeaderTimeout: time.Duration(3 * time.Second),
 	}
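Review bot: `caCertPool := x509.NewCertPool()` is created unconditionally and the later hunk at `TLSClientConfig` sets it as `RootCAs` whether or not `tls_ca` is configured, so an unset `tls_ca` now verifies servers against an empty pool rather than the system roots (`RootCAs: nil`); every HTTPS scrape that worked before this change would fail verification unless `insecure_skip_verify` is set, which pushes users toward disabling verification. The pool should stay nil unless `tls_ca` is given. The boolean result of `AppendCertsFromPEM` is also discarded, so a CA file with no parsable PEM certificate yields the same empty pool silently; treat that as a configuration error. The bare `return err` from `ioutil.ReadFile` and `tls.LoadX509KeyPair` give the operator no hint which file failed, so wrapping them with the path would help. `gatherURL` starts and ends outside the hunk.
```go
	var caCertPool *x509.CertPool // nil keeps the system roots when tls_ca is unset
	if p.TlsCA != "" {
		caCert, err := ioutil.ReadFile(p.TlsCA)
		if err != nil {
			return fmt.Errorf("reading tls_ca %q: %v", p.TlsCA, err)
		}
		caCertPool = x509.NewCertPool()
		if !caCertPool.AppendCertsFromPEM(caCert) {
			return fmt.Errorf("no PEM certificates found in tls_ca %q", p.TlsCA)
		}
	}
	// … unchanged: client certificate loading and the http.Transport literal …
```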