Output plugin that supports sending metrics into Google CloudRun

[raider111111]

Feature Request

Opening a feature request kicks off a discussion.

Proposal:

An output plugin that supports sending metrics into a Wavefront proxy located in the Google CloudRun environment including handling the access token handshakes.

Current behavior:

Not aware that this is available.

Desired behavior:

An output plugin that supports sending metrics into a Wavefront proxy located in the Google CloudRun environment including handling the access token handshakes.

Use case:

This doesn't appear to be available from Telegraf.
In order to send metrics into the CloudRun Wavefont proxy you need to write custom code to handle the handshakes

[raider111111]

For reference,
This is what I'm using now:

package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/url"
	"time"

	"cloud.google.com/go/compute/metadata"
	"golang.org/x/oauth2/google"
	"golang.org/x/oauth2/jws"
)

// makeGetRequest makes a GET request to the specified Cloud Run endpoint in
// serviceURL (must be a complete URL) by authenticating with the ID token
// obtained from the Metadata API.
func makeGetRequest(serviceURL string) (*http.Response, error) {
	// query the id_token with ?audience as the serviceURL
	tokenURL := fmt.Sprintf("/instance/service-accounts/default/identity?audience=%s", serviceURL)
	idToken, err := metadata.Get(tokenURL)
	if err != nil {
		return nil, fmt.Errorf("metadata.Get: failed to query id_token: %+v", err)
	}
	req, err := http.NewRequest("GET", serviceURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", idToken))
	return http.DefaultClient.Do(req)
}

func generateJWT(saKeyfile, saEmail, audience string, expiryLength int64) (string, error) {
	now := time.Now().Unix()
	gcpauth := "https://www.googleapis.com/oauth2/v4/token"
	// Build the JWT payload.

	jwt := &jws.ClaimSet{
		Iat: now,
		// expires after 'expiraryLength' seconds.
		Exp: now + expiryLength,
		// Iss must match 'issuer' in the security configuration in your
		// swagger spec (e.g. service account email). It can be any string.
		Iss: saEmail,
		// Aud must be either your Endpoints service name, or match the value
		// specified as the 'x-google-audience' in the OpenAPI document.
		Aud: gcpauth,
		// Sub and Email should match the service account's email address.
		Sub:           saEmail,
		PrivateClaims: map[string]interface{}{"target_audience": audience},
	}
	jwsHeader := &jws.Header{
		Algorithm: "RS256",
		Typ:       "JWT",
	}

	// Extract the RSA private key from the service account keyfile.
	sa, err := ioutil.ReadFile(saKeyfile)
	if err != nil {
		return "", fmt.Errorf("Could not read service account file: %v", err)
	}
	conf, err := google.JWTConfigFromJSON(sa)
	if err != nil {
		return "", fmt.Errorf("Could not parse service account JSON: %v", err)
	}

	block, _ := pem.Decode(conf.PrivateKey)
	parsedKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("private key parse error: %v", err)
	}

	rsaKey, ok := parsedKey.(*rsa.PrivateKey)
	// Sign the JWT with the service account's private key.
	if !ok {
		return "", errors.New("private key failed rsa.PrivateKey type assertion")
	}

	return jws.Encode(jwsHeader, jwt, rsaKey)
}

func getGoogleID(jwtToken string) (string, error) {
	var accessToken GoogleID
	googleidurl := "https://www.googleapis.com/oauth2/v4/token"
	responseBody, err := callAPIEndpoint("POST", googleidurl, jwtToken, nil)
	if err != nil {
		return "", err
	}
	err = json.Unmarshal(responseBody, &accessToken)
	if err != nil {
		return "", err
	}
	return accessToken.Token, err
}
func main() {
	token, err := generateJWT("PATH_TO_dev-svc-wf-proxy-cr.json", "CLOUD_RUN_SERVICE_ACCOUNT",
		"URL_TO_CLOUD_RUN", TOKEN_DURATION)

	if err != nil {
		println(err.Error())
	}
	//fmt.Printf("Token: %s\n", token)

	accessToken, err := getGoogleID(token)
	if err != nil {
		println(err.Error())
	}
	fmt.Printf("From GoogleToken: %s\n", accessToken)
}

// CallAPIEndpoint Makes a call to a specified endpoint taking parameters method, url token and some payload
func callAPIEndpoint(method string, urls string, token string, payload io.Reader) ([]byte, error) {

	granttype := "urn:ietf:params:oauth:grant-type:jwt-bearer"

	res, err := http.PostForm(urls, url.Values{"grant_type": {granttype}, "assertion": {token}})
	if err != nil {
		return []byte{}, err
	}
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)
	if res.StatusCode >= 400 {
		return []byte{}, fmt.Errorf("error generating google id token jwt")
	}
	return body, nil
}

type GoogleID struct {
	Token string `json:"id_token"`
}

I can use the token in outputs.http but the problem is that the token expires after an hour (maximum time it allows for).

# A plugin that can transmit metrics over HTTP
[[outputs.http]]
  ## URL is the address to send metrics to
    url = 'CLOUD_RUN_URL'

  ## Timeout for HTTP message
    timeout = "20s"

  ## HTTP method, one of: "POST" or "PUT"
    method = "POST"
    data_format = "wavefront"
   #convert_paths = false
  ## HTTP Content-Encoding for write request body, can be set to "gzip" to
  ## compress body or "identity" to apply no encoding.
  # content_encoding = "identity"

  ## Additional HTTP headers
    [outputs.http.headers]
  #   # Should be set manually to "application/json" for json data_format
    Content-Type = "application/octet-stream"
    Accept = "application/json"
    Authorization = "Bearer TOKEN

Thoughts?

Thanks!

[crflanigan]

Current code can be found here:
https://github.com/homedepot/telegraf