Skip to content

Commit

Permalink
Add configuration to set minimum TLS version accepted by the metrics …
Browse files Browse the repository at this point in the history 
…server port. (#666)
  • Loading branch information
@bjosv
bjosv authored Jun 17, 2022
1 parent b5aa05e commit 980a974
Show file tree
Hide file tree
Showing 5 changed files with 30 additions and 9 deletions.
1 change: 1 addition & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,7 @@ Prometheus uses file watches and all changes to the json file are applied immedi
| tls-server-key-file | REDIS_EXPORTER_TLS_SERVER_KEY_FILE | Name of the server key file (including full path) if the web interface and telemetry should use TLS |
| tls-server-cert-file | REDIS_EXPORTER_TLS_SERVER_CERT_FILE | Name of the server certificate file (including full path) if the web interface and telemetry should use TLS |
| tls-server-ca-cert-file | REDIS_EXPORTER_TLS_SERVER_CA_CERT_FILE | Name of the CA certificate file (including full path) if the web interface and telemetry should require TLS client authentication |
| tls-server-min-version | REDIS_EXPORTER_TLS_SERVER_MIN_VERSION | Minimum TLS version that is acceptable by the web interface and telemetry when using TLS, defaults to `TLS1.2` (supports `TLS1.0`,`TLS1.1`,`TLS1.2`,`TLS1.3`). |
| tls-ca-cert-file | REDIS_EXPORTER_TLS_CA_CERT_FILE | Name of the CA certificate file (including full path) if the server requires TLS client authentication |
| set-client-name | REDIS_EXPORTER_SET_CLIENT_NAME | Whether to set client name to redis_exporter, defaults to true. |
| check-key-groups | REDIS_EXPORTER_CHECK_KEY_GROUPS | Comma separated list of [LUA regexes](https://www.lua.org/pil/20.1.html) for classifying keys into groups. The regexes are applied in specified order to individual keys, and the group name is generated by concatenating all capture groups of the first regex that matches a key. A key will be tracked under the `unclassified` group if none of the specified regexes matches it. |
Expand Down
2 changes: 1 addition & 1 deletion contrib/docker-compose-for-tests.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ services:

redis7:
image: redis:7.0
command: "redis-server --protected-mode no --dbfilename dump7.rdb"
command: "redis-server --port 6384 --protected-mode no --dbfilename dump7.rdb"
ports:
- "16384:6384"

Expand Down
19 changes: 17 additions & 2 deletions exporter/tls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package exporter
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"

log "github.com/sirupsen/logrus"
Expand Down Expand Up @@ -33,15 +34,29 @@ func (e *Exporter) CreateClientTLSConfig() (*tls.Config, error) {
return &tlsConfig, nil
}

// CreateServerTLSConfig verifies configured files and return a prepared tls.Config
func (e *Exporter) CreateServerTLSConfig(certFile, keyFile, caCertFile string) (*tls.Config, error) {
var tlsVersions = map[string]uint16{
"TLS1.3": tls.VersionTLS13,
"TLS1.2": tls.VersionTLS12,
"TLS1.1": tls.VersionTLS11,
"TLS1.0": tls.VersionTLS10,
}

// CreateServerTLSConfig verifies configuration and return a prepared tls.Config
func (e *Exporter) CreateServerTLSConfig(certFile, keyFile, caCertFile, minVersionString string) (*tls.Config, error) {
// Verify that the initial key pair is accepted
_, err := LoadKeyPair(certFile, keyFile)
if err != nil {
return nil, err
}

// Get minimum acceptable TLS version from the config string
minVersion, ok := tlsVersions[minVersionString]
if !ok {
return nil, fmt.Errorf("configured minimum TLS version unknown: '%s'", minVersionString)
}

tlsConfig := tls.Config{
MinVersion: minVersion,
GetCertificate: GetServerCertificateFunc(certFile, keyFile),
}

Expand Down
14 changes: 9 additions & 5 deletions exporter/tls_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,25 +43,29 @@ func TestCreateServerTLSConfig(t *testing.T) {
e := getTestExporter()

// positive tests
_, err := e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "")
_, err := e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "", "TLS1.1")
if err != nil {
t.Errorf("CreateServerTLSConfig() err: %s", err)
}
_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt")
_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt", "TLS1.0")
if err != nil {
t.Errorf("CreateServerTLSConfig() err: %s", err)
}

// negative tests
_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "")
_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "", "TLS1.1")
if err == nil {
t.Errorf("Expected CreateServerTLSConfig() to fail")
}
_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "/nonexisting/file")
_, err = e.CreateServerTLSConfig("/nonexisting/file", "/nonexisting/file", "/nonexisting/file", "TLS1.2")
if err == nil {
t.Errorf("Expected CreateServerTLSConfig() to fail")
}
_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "/nonexisting/file")
_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "/nonexisting/file", "TLS1.3")
if err == nil {
t.Errorf("Expected CreateServerTLSConfig() to fail")
}
_, err = e.CreateServerTLSConfig("../contrib/tls/redis.crt", "../contrib/tls/redis.key", "../contrib/tls/ca.crt", "TLSX")
if err == nil {
t.Errorf("Expected CreateServerTLSConfig() to fail")
}
Expand Down
3 changes: 2 additions & 1 deletion main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ func main() {
tlsServerKeyFile = flag.String("tls-server-key-file", getEnv("REDIS_EXPORTER_TLS_SERVER_KEY_FILE", ""), "Name of the server key file (including full path) if the web interface and telemetry should use TLS")
tlsServerCertFile = flag.String("tls-server-cert-file", getEnv("REDIS_EXPORTER_TLS_SERVER_CERT_FILE", ""), "Name of the server certificate file (including full path) if the web interface and telemetry should use TLS")
tlsServerCaCertFile = flag.String("tls-server-ca-cert-file", getEnv("REDIS_EXPORTER_TLS_SERVER_CA_CERT_FILE", ""), "Name of the CA certificate file (including full path) if the web interface and telemetry should require TLS client authentication")
tlsServerMinVersion = flag.String("tls-server-min-version", getEnv("REDIS_EXPORTER_TLS_SERVER_MIN_VERSION", "TLS1.2"), "Minimum TLS version that is acceptable by the web interface and telemetry when using TLS")
maxDistinctKeyGroups = flag.Int64("max-distinct-key-groups", getEnvInt64("REDIS_EXPORTER_MAX_DISTINCT_KEY_GROUPS", 100), "The maximum number of distinct key groups with the most memory utilization to present as distinct metrics per database, the leftover key groups will be aggregated in the 'overflow' bucket")
isDebug = flag.Bool("debug", getEnvBool("REDIS_EXPORTER_DEBUG", false), "Output verbose debug information")
setClientName = flag.Bool("set-client-name", getEnvBool("REDIS_EXPORTER_SET_CLIENT_NAME", true), "Whether to set client name to redis_exporter")
Expand Down Expand Up @@ -203,7 +204,7 @@ func main() {
if *tlsServerCertFile != "" && *tlsServerKeyFile != "" {
log.Debugf("Bind as TLS using cert %s and key %s", *tlsServerCertFile, *tlsServerKeyFile)

tlsConfig, err := exp.CreateServerTLSConfig(*tlsServerCertFile, *tlsServerKeyFile, *tlsServerCaCertFile)
tlsConfig, err := exp.CreateServerTLSConfig(*tlsServerCertFile, *tlsServerKeyFile, *tlsServerCaCertFile, *tlsServerMinVersion)
if err != nil {
log.Fatal(err)
}
Expand Down

0 comments on commit 980a974

Please sign in to comment.