fix(inputs/kube_inventory): set TLS server name config properly #9975
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The TLS config currently always sets the ServerName to the same as the baseURL. A URL is not a valid value, e.g. `https://kubernetes.example.com:6443` is not a valid ServerName value; the matching ServerName value should be `kubernetes.example.com`. This results in an error like - ``` 2021-10-21T12:15:40Z E! [inputs.kube_inventory] Error in plugin: Get "https://kubernetes.example.com:6443/apis/apps/v1/namespaces/default/deployments": x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, kubernetes.example.com, not https://kubernetes.example.com:6443 ``` The ServerName value is not read from config, so I'm not sure why this currently works for anyone, unless they disable TLS verification through the `insecure_skip_verify` setting. The fix is to set ServerName to the `tls_server_name` config value if set, otherwise leave it blank, in which case, it will automatically use the hostname (https://github.com/kubernetes/client-go/blob/master/rest/config.go#L219). I can confirm that the inputs/kubernetes plugin does this (although it doesn't use the k8s client-go library), and it works properly by passing through the `tls_server_name` value or leaving it blank.
slai
force-pushed
the
kube_inventory_tls_server_name
branch
from
d49b19f to
fa60fb9
Compare
|
📦 Looks like new artifacts were built from this PR. Expand this list to get them here! 🐯Artifact URLs |
sspaink
approved these changes
Dec 3, 2021
sspaink
added
the
ready for final review
MyaLongmire
approved these changes
Dec 7, 2021
MyaLongmire
pushed a commit
that referenced
this pull request
Dec 8, 2021
(cherry picked from commit 2fdf223)
powersj
pushed a commit
to powersj/telegraf
that referenced
this pull request
Jan 21, 2022
phemmer
added a commit
to phemmer/telegraf
that referenced
this pull request
Feb 18, 2022
* origin/master: (133 commits) chore: restart service if it is already running and upgraded via RPM (influxdata#9970) feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10237) fix: Handle duplicate registration of protocol-buffer files gracefully. (influxdata#10188) fix(http_listener_v2): fix panic on close (influxdata#10132) feat: add Vault input plugin (influxdata#10198) feat: support aws managed service for prometheus (influxdata#10202) fix: Make telegraf compile on Windows with golang 1.16.2 (influxdata#10246) Update changelog feat: Modbus add per-request tags (influxdata#10231) fix: Implement NaN and inf handling for elasticsearch output (influxdata#10196) feat: add nomad input plugin (influxdata#10106) fix: Print loaded plugins and deprecations for once and test (influxdata#10205) fix: eliminate MIB dependency for ifname processor (influxdata#10214) feat: Optimize locking for SNMP MIBs loading. (influxdata#10206) feat: Add SMART plugin concurrency configuration option, nvme-cli v1.14+ support and lint fixes. (influxdata#10150) feat: update configs (influxdata#10236) fix(inputs/kube_inventory): set TLS server name config properly (influxdata#9975) fix: Sudden close of Telegraf caused by OPC UA input plugin (influxdata#10230) fix: bump github.com/eclipse/paho.mqtt.golang from 1.3.0 to 1.3.5 (influxdata#9913) fix: json_v2 parser timestamp setting (influxdata#10221) fix: ensure graylog spec fields not prefixed with '_' (influxdata#10209) docs: remove duplicate links in CONTRIBUTING.md (influxdata#10218) fix: pool detection and metrics gathering for ZFS >= 2.1.x (influxdata#10099) fix: parallelism fix for ifname processor (influxdata#10007) chore: Forbids "log" package only for aggregators, inputs, outputs, parsers and processors (influxdata#10191) docs: address documentation gap when running telegraf in k8s (influxdata#10215) feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10211) fix: mqtt topic extracting no longer requires all three fields (influxdata#10208) fix: windows service - graceful shutdown of telegraf (influxdata#9616) feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10201) feat: Modbus support multiple slaves (gateway feature) (influxdata#9279) fix: Revert unintented corruption of the Makefile from influxdata#10200. (influxdata#10203) chore: remove triggering update-config bot in CI (influxdata#10195) Update changelog feat: Implement deprecation infrastructure (influxdata#10200) fix: extra lock on init for safety (influxdata#10199) fix: resolve influxdata#10027 (influxdata#10112) fix: register bigquery to output plugins influxdata#10177 (influxdata#10178) fix: sysstat use unique temp file vs hard-coded (influxdata#10165) refactor: snmp to use gosmi (influxdata#9518) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The TLS config currently always sets the ServerName to the same as the baseURL. A URL is not a valid value, e.g.
https://kubernetes.example.com:6443is not a valid ServerName value; the matching ServerName value should bekubernetes.example.com.This results in an error like -
The ServerName value is not read from config, so I'm not sure why this currently works for anyone using HTTPS, unless they disable TLS verification through the
insecure_skip_verifysetting. (Or if SNI is not required?)The fix is to set ServerName to the
tls_server_nameconfig value if set, otherwise leave it blank, in which case, it will automatically use the hostname (https://github.com/kubernetes/client-go/blob/master/rest/config.go#L219).I can confirm that the inputs/kubernetes plugin does this (although it doesn't use the k8s client-go library), and it works properly by passing through the
tls_server_namevalue or leaving it blank.