diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index f9b5ca0981..137fb3a1d0 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -20,6 +20,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
 * FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): improve service discovery speed for big number of scrape targets. This should help when `vmagent` discovers big number of targets (e.g. thousands) in Kubernetes cluster. The service discovery speed now should scale with the number of CPU cores available to `vmagent`.
 * FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add ability to attach node-level labels and annotations to discovered Kubernetes pod targets in the same way as Prometheus 2.35 does. See [this feature request](https://github.com/prometheus/prometheus/issues/9510) and [this pull request](https://github.com/prometheus/prometheus/pull/10080).
 * FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `tls_config` and `proxy_url` options at `oauth2` section in the same way as Prometheus does. See [oauth2 docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2).
+* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `min_version` option at `tls_config` section in the same way as Prometheus does. See [tls_config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config).
 * FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
 * FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
 * FEATURE: allow specifying TLS cipher suites for mTLS connections between cluster components via `-cluster.tlsCipherSuites` command-line flag. See [these docs](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
diff --git a/lib/promauth/config.go b/lib/promauth/config.go
index 92177cb88e..e9bafbc355 100644
--- a/lib/promauth/config.go
+++ b/lib/promauth/config.go
@@ -9,6 +9,7 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "strings"
 "sync"
 
 "github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
@@ -72,6 +73,7 @@ type TLSConfig struct {
 KeyFile string `yaml:"key_file,omitempty"`
 ServerName string `yaml:"server_name,omitempty"`
 InsecureSkipVerify bool `yaml:"insecure_skip_verify,omitempty"`
+ MinVersion string `yaml:"min_version,omitempty"`
 }
 
 // Authorization represents generic authorization config.
@@ -229,6 +231,7 @@ type Config struct {
 TLSRootCA *x509.CertPool
 TLSServerName string
 TLSInsecureSkipVerify bool
+ TLSMinVersion uint16
 
 getTLSCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
 tlsCertDigest string
@@ -259,8 +262,8 @@ func (ac *Config) GetAuthHeader() string {
 
 // String returns human-readable representation for ac.
 func (ac *Config) String() string {
- return fmt.Sprintf("AuthDigest=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v",
- ac.authDigest, ac.tlsRootCAString(), ac.tlsCertDigest, ac.TLSServerName, ac.TLSInsecureSkipVerify)
+ return fmt.Sprintf("AuthDigest=%s, TLSRootCA=%s, TLSCertificate=%s, TLSServerName=%s, TLSInsecureSkipVerify=%v, TLSMinVersion=%d",
+ ac.authDigest, ac.tlsRootCAString(), ac.tlsCertDigest, ac.TLSServerName, ac.TLSInsecureSkipVerify, ac.TLSMinVersion)
 }
 
 func (ac *Config) tlsRootCAString() string {
@@ -302,6 +305,7 @@ func (ac *Config) NewTLSConfig() *tls.Config {
 tlsCfg.RootCAs = ac.TLSRootCA
 tlsCfg.ServerName = ac.TLSServerName
 tlsCfg.InsecureSkipVerify = ac.TLSInsecureSkipVerify
+ tlsCfg.MinVersion = ac.TLSMinVersion
 return tlsCfg
 }
 
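Review bot: The new `MinVersion` field in the `TLSConfig` struct hunk carries no comment, so a reader of the struct cannot tell which spellings are accepted or what leaving it empty means, and both are only discoverable from `parseTLSVersion` at the bottom of the file. Suggested comment above the field: `// MinVersion is the minimum TLS protocol version to negotiate: TLS10, TLS11, TLS12 or TLS13 (case-insensitive). Empty keeps the crypto/tls default.` The same applies to `TLSMinVersion uint16` in the `Config` struct hunk, where a one-liner such as `// TLSMinVersion is the parsed min_version; 0 means the crypto/tls default.` would record that the zero value is deliberately "unset" and is what `NewTLSConfig` passes through as `tlsCfg.MinVersion`.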
@@ -439,6 +443,7 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
 tlsCertDigest := ""
 tlsServerName := ""
 tlsInsecureSkipVerify := false
+ tlsMinVersion := uint16(0)
 if tlsConfig != nil {
 tlsServerName = tlsConfig.ServerName
 tlsInsecureSkipVerify = tlsConfig.InsecureSkipVerify
@@ -470,11 +475,19 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
 return nil, fmt.Errorf("cannot parse data from `ca_file` %q", tlsConfig.CAFile)
 }
 }
+ if tlsConfig.MinVersion != "" {
+ v, err := parseTLSVersion(tlsConfig.MinVersion)
+ if err != nil {
+ return nil, fmt.Errorf("cannot parse `min_version`: %w", err)
+ }
+ tlsMinVersion = v
+ }
 }
 ac := &Config{
 TLSRootCA: tlsRootCA,
 TLSServerName: tlsServerName,
 TLSInsecureSkipVerify: tlsInsecureSkipVerify,
+ TLSMinVersion: tlsMinVersion,
 
 getTLSCert: getTLSCert,
 tlsCertDigest: tlsCertDigest,
@@ -484,3 +497,18 @@ func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, be
 }
 return ac, nil
 }
+
+func parseTLSVersion(s string) (uint16, error) {
+ switch strings.ToUpper(s) {
+ case "TLS13":
+ return tls.VersionTLS13, nil
+ case "TLS12":
+ return tls.VersionTLS12, nil
+ case "TLS11":
+ return tls.VersionTLS11, nil
+ case "TLS10":
+ return tls.VersionTLS10, nil
+ default:
+ return 0, fmt.Errorf("unsupported TLS version %q", s)
+ }
+}
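Review bot: The `default` branch of `parseTLSVersion` rejects the value without saying what would have been accepted, so a typo like `TLSv1.2` surfaces only as `unsupported TLS version "TLSv1.2"` and the operator has to read the source to recover; `return 0, fmt.Errorf("unsupported TLS version %q; supported values: TLS10, TLS11, TLS12, TLS13", s)` fixes that in place. The function also has no doc comment; something like `// parseTLSVersion maps a Prometheus-style min_version string (TLS10..TLS13, case-insensitive) to the matching crypto/tls constant.` would do. Worth noting in that comment that `TLS10` and `TLS11` are accepted for Prometheus compatibility but configure a floor below the TLS 1.2 that crypto/tls clients default to since Go 1.18, so choosing them lowers, not raises, the protection of the connection — the CHANGELOG entry in this commit could carry the same one-line caveat.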