mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-14 16:12:15 +01:00
lib/promauth: add support for min_version
option at tls_config
section in the same way as Prometheus does
This commit is contained in:
parent
808a2f3b61
commit
4c3cd96db5
@ -20,6 +20,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): improve service discovery speed for big number of scrape targets. This should help when `vmagent` discovers big number of targets (e.g. thousands) in Kubernetes cluster. The service discovery speed now should scale with the number of CPU cores available to `vmagent`.
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add ability to attach node-level labels and annotations to discovered Kubernetes pod targets in the same way as Prometheus 2.35 does. See [this feature request](https://github.com/prometheus/prometheus/issues/9510) and [this pull request](https://github.com/prometheus/prometheus/pull/10080).
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `tls_config` and `proxy_url` options at `oauth2` section in the same way as Prometheus does. See [oauth2 docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2).
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `min_version` option at `tls_config` section in the same way as Prometheus does. See [tls_config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config).
|
||||
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
||||
* FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
|
||||
* FEATURE: allow specifying TLS cipher suites for mTLS connections between cluster components via `-cluster.tlsCipherSuites` command-line flag. See [these docs](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
||||
|
@ -9,6 +9,7 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
|
||||
@ -72,6 +73,7 @@ type TLSConfig struct {
|
||||
KeyFile string `yaml:"key_file,omitempty"`
|
||||
ServerName string `yaml:"server_name,omitempty"`
|
||||
InsecureSkipVerify bool `yaml:"insecure_skip_verify,omitempty"`
|
||||
MinVersion string `yaml:"min_version,omitempty"`
|
||||
}
|
||||
|
||||
// Authorization represents generic authorization config.
|
||||
@ -229,6 +231,7 @@ type Config struct {
|
||||
TLSRootCA *x509.CertPool
|
||||
TLSServerName string
|
||||
TLSInsecureSkipVerify bool
|
||||
TLSMinVersion uint16
|
||||
|
||||
getTLSCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
|
||||
tlsCertDigest string
|
||||
@ -259,8 +262,8 @@ func (ac *Config) GetAuthHeader() string {
|
||||
|
||||
// String returns human-readable representation for ac.
|
||||
func (ac *Config) String() string {
|
||||
return fmt.Sprintf("AuthDigest=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v",
|
||||
ac.authDigest, ac.tlsRootCAString(), ac.tlsCertDigest, ac.TLSServerName, ac.TLSInsecureSkipVerify)
|
||||
return fmt.Sprintf("AuthDigest=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v, TLSMinVersion=%d",
|
||||
ac.authDigest, ac.tlsRootCAString(), ac.tlsCertDigest, ac.TLSServerName, ac.TLSInsecureSkipVerify, ac.TLSMinVersion)
|
||||
}
|
||||
|
||||
func (ac *Config) tlsRootCAString() string {
|
||||
@ -302,6 +305,7 @@ func (ac *Config) NewTLSConfig() *tls.Config {
|
||||
tlsCfg.RootCAs = ac.TLSRootCA
|
||||
tlsCfg.ServerName = ac.TLSServerName
|
||||
tlsCfg.InsecureSkipVerify = ac.TLSInsecureSkipVerify
|
||||
tlsCfg.MinVersion = ac.TLSMinVersion
|
||||
return tlsCfg
|
||||
}
|
||||
|
||||
@ -439,6 +443,7 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
|
||||
tlsCertDigest := ""
|
||||
tlsServerName := ""
|
||||
tlsInsecureSkipVerify := false
|
||||
tlsMinVersion := uint16(0)
|
||||
if tlsConfig != nil {
|
||||
tlsServerName = tlsConfig.ServerName
|
||||
tlsInsecureSkipVerify = tlsConfig.InsecureSkipVerify
|
||||
@ -470,11 +475,19 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
|
||||
return nil, fmt.Errorf("cannot parse data from `ca_file` %q", tlsConfig.CAFile)
|
||||
}
|
||||
}
|
||||
if tlsConfig.MinVersion != "" {
|
||||
v, err := parseTLSVersion(tlsConfig.MinVersion)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot parse `min_version`: %w", err)
|
||||
}
|
||||
tlsMinVersion = v
|
||||
}
|
||||
}
|
||||
ac := &Config{
|
||||
TLSRootCA: tlsRootCA,
|
||||
TLSServerName: tlsServerName,
|
||||
TLSInsecureSkipVerify: tlsInsecureSkipVerify,
|
||||
TLSMinVersion: tlsMinVersion,
|
||||
|
||||
getTLSCert: getTLSCert,
|
||||
tlsCertDigest: tlsCertDigest,
|
||||
@ -484,3 +497,18 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
|
||||
}
|
||||
return ac, nil
|
||||
}
|
||||
|
||||
func parseTLSVersion(s string) (uint16, error) {
|
||||
switch strings.ToUpper(s) {
|
||||
case "TLS13":
|
||||
return tls.VersionTLS13, nil
|
||||
case "TLS12":
|
||||
return tls.VersionTLS12, nil
|
||||
case "TLS11":
|
||||
return tls.VersionTLS11, nil
|
||||
case "TLS10":
|
||||
return tls.VersionTLS10, nil
|
||||
default:
|
||||
return 0, fmt.Errorf("unsupported TLS version %q", s)
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user