From ca379f3700fa566994b7b1f73a296dddca85edfb Mon Sep 17 00:00:00 2001
From: bwplotka
Date: Thu, 16 Jan 2025 09:24:05 +0000
Subject: [PATCH 1/3] http_config: Allow customizing TLS config and settings.
Signed-off-by: bwplotka
---
 config/http_config.go | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/config/http_config.go b/config/http_config.go
index 57ec252a..8ea320ab 100644
--- a/config/http_config.go
+++ b/config/http_config.go
@@ -453,13 +453,14 @@ func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
 type DialContextFunc func(context.Context, string, string) (net.Conn, error)
 type httpClientOptions struct {
- dialContextFunc DialContextFunc
- keepAlivesEnabled bool
- http2Enabled bool
- idleConnTimeout time.Duration
- userAgent string
- host string
- secretManager SecretManager
+ dialContextFunc DialContextFunc
+ keepAlivesEnabled bool
+ http2Enabled bool
+ idleConnTimeout time.Duration
+ userAgent string
+ host string
+ secretManager SecretManager
+ extendTLSConfigFunc TLSConfigExtension
 }
 // HTTPClientOption defines an option that can be applied to the HTTP client.
@@ -515,6 +516,17 @@ func WithHost(host string) HTTPClientOption {
 })
 }
+// TLSConfigExtension modifies the given tls config and settings.
+type TLSConfigExtension func(*tls.Config, TLSRoundTripperSettings) (*tls.Config, TLSRoundTripperSettings, error)
+
+// WithTLSConfigExtension allows to insert extension function that can freely modify
+// TLSConfig and TLSRoundTripperSettings used for the round tripper creation.
+func WithTLSConfigExtension(extendTLSConfigFunc TLSConfigExtension) HTTPClientOption {
+ return httpClientOptionFunc(func(opts *httpClientOptions) {
+ opts.extendTLSConfigFunc = extendTLSConfigFunc
+ })
+}
+
 type secretManagerOption struct {
 secretManager SecretManager
 }
@@ -679,6 +691,15 @@ func NewRoundTripperFromConfigWithContext(ctx context.Context, cfg HTTPClientCon
 if err != nil {
 return nil, err
 }
+
+ // Allow customizing the TLS config and settings, if specified in opts.
+ if opts.extendTLSConfigFunc != nil {
+ tlsConfig, tlsSettings, err = opts.extendTLSConfigFunc(tlsConfig, tlsSettings)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 if tlsSettings.immutable() {
 // No need for a RoundTripper that reloads the files automatically.
 return newRT(tlsConfig)
From 072259e3a0eedd51ee510129baf21f5385e53f8b Mon Sep 17 00:00:00 2001
From: bwplotka
Date: Thu, 16 Jan 2025 12:09:18 +0000
Subject: [PATCH 2/3] Switched to newTLSConfigFunc
Signed-off-by: bwplotka
---
 config/http_config.go | 57 ++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/config/http_config.go b/config/http_config.go
index 8ea320ab..644698c5 100644
--- a/config/http_config.go
+++ b/config/http_config.go
@@ -452,15 +452,18 @@ func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
 // by net.Dialer.
 type DialContextFunc func(context.Context, string, string) (net.Conn, error)
+// NewTLSConfigFunc returns new tls.Config.
+type NewTLSConfigFunc func() (*tls.Config, error)
+
 type httpClientOptions struct {
- dialContextFunc DialContextFunc
- keepAlivesEnabled bool
- http2Enabled bool
- idleConnTimeout time.Duration
- userAgent string
- host string
- secretManager SecretManager
- extendTLSConfigFunc TLSConfigExtension
+ dialContextFunc DialContextFunc
+ newTLSConfigFunc NewTLSConfigFunc
+ keepAlivesEnabled bool
+ http2Enabled bool
+ idleConnTimeout time.Duration
+ userAgent string
+ host string
+ secretManager SecretManager
 }
 // HTTPClientOption defines an option that can be applied to the HTTP client.
@@ -474,13 +477,22 @@ func (f httpClientOptionFunc) applyToHTTPClientOptions(options *httpClientOption
 f(options)
 }
-// WithDialContextFunc allows you to override func gets used for the actual dialing. The default is `net.Dialer.DialContext`.
+// WithDialContextFunc allows you to override the func gets used for the dialing.
+// The default is `net.Dialer.DialContext`.
 func WithDialContextFunc(fn DialContextFunc) HTTPClientOption {
 return httpClientOptionFunc(func(opts *httpClientOptions) {
 opts.dialContextFunc = fn
 })
 }
+// WithNewTLSConfigFunc allows you to override the func that creates the TLS config
+// from the prometheus http config.
+func WithNewTLSConfigFunc(newTLSConfigFunc NewTLSConfigFunc) HTTPClientOption {
+ return httpClientOptionFunc(func(opts *httpClientOptions) {
+ opts.newTLSConfigFunc = newTLSConfigFunc
+ })
+}
+
 // WithKeepAlivesDisabled allows to disable HTTP keepalive.
 func WithKeepAlivesDisabled() HTTPClientOption {
 return httpClientOptionFunc(func(opts *httpClientOptions) {
@@ -516,17 +528,6 @@ func WithHost(host string) HTTPClientOption {
 })
 }
-// TLSConfigExtension modifies the given tls config and settings.
-type TLSConfigExtension func(*tls.Config, TLSRoundTripperSettings) (*tls.Config, TLSRoundTripperSettings, error)
-
-// WithTLSConfigExtension allows to insert extension function that can freely modify
-// TLSConfig and TLSRoundTripperSettings used for the round tripper creation.
-func WithTLSConfigExtension(extendTLSConfigFunc TLSConfigExtension) HTTPClientOption {
- return httpClientOptionFunc(func(opts *httpClientOptions) {
- opts.extendTLSConfigFunc = extendTLSConfigFunc
- })
-}
-
 type secretManagerOption struct {
 secretManager SecretManager
 }
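Review bot: The reworded doc comment on WithDialContextFunc in the first hunk of this patch still drops a word — `// WithDialContextFunc allows you to override the func gets used for the dialing.` — and the last patch of the series leaves that line untouched. Suggest `// WithDialContextFunc allows you to override the func that is used for dialing.` and keep the following line about the default unchanged. The WithNewTLSConfigFunc option added just below it is reshaped again in patch 3/3, so I am not commenting on its shape here.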
@@ -682,6 +683,14 @@ func NewRoundTripperFromConfigWithContext(ctx context.Context, cfg HTTPClientCon
 return rt, nil
 }
+ if opts.newTLSConfigFunc != nil {
+ tlsConfig, err := opts.newTLSConfigFunc()
+ if err != nil {
+ return nil, err
+ }
+ return newRT(tlsConfig)
+ }
+
 tlsConfig, err := NewTLSConfig(&cfg.TLSConfig, WithSecretManager(opts.secretManager))
 if err != nil {
 return nil, err
@@ -692,14 +701,6 @@ func NewRoundTripperFromConfigWithContext(ctx context.Context, cfg HTTPClientCon
 return nil, err
 }
- // Allow customizing the TLS config and settings, if specified in opts.
- if opts.extendTLSConfigFunc != nil {
- tlsConfig, tlsSettings, err = opts.extendTLSConfigFunc(tlsConfig, tlsSettings)
- if err != nil {
- return nil, err
- }
- }
-
 if tlsSettings.immutable() {
 // No need for a RoundTripper that reloads the files automatically.
 return newRT(tlsConfig)
From 7ece29f8487ebf5697a518b1b024c49a23002828 Mon Sep 17 00:00:00 2001
From: bwplotka
Date: Thu, 16 Jan 2025 14:21:38 +0000
Subject: [PATCH 3/3] Addressed comments.
Signed-off-by: bwplotka
---
 config/http_config.go | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/config/http_config.go b/config/http_config.go
index 644698c5..63809083 100644
--- a/config/http_config.go
+++ b/config/http_config.go
@@ -52,7 +52,8 @@ var (
 http2Enabled: true,
 // 5 minutes is typically above the maximum sane scrape interval. So we can
 // use keepalive for all configurations.
- idleConnTimeout: 5 * time.Minute,
+ idleConnTimeout: 5 * time.Minute,
+ newTLSConfigFunc: NewTLSConfigWithContext,
 }
 )
@@ -452,8 +453,8 @@ func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
 // by net.Dialer.
 type DialContextFunc func(context.Context, string, string) (net.Conn, error)
-// NewTLSConfigFunc returns new tls.Config.
-type NewTLSConfigFunc func() (*tls.Config, error)
+// NewTLSConfigFunc returns tls.Config.
+type NewTLSConfigFunc func(context.Context, *TLSConfig, ...TLSConfigOption) (*tls.Config, error)
 type httpClientOptions struct {
 dialContextFunc DialContextFunc
@@ -487,6 +488,7 @@ func WithDialContextFunc(fn DialContextFunc) HTTPClientOption {
 // WithNewTLSConfigFunc allows you to override the func that creates the TLS config
 // from the prometheus http config.
+// The default is `NewTLSConfigWithContext`.
 func WithNewTLSConfigFunc(newTLSConfigFunc NewTLSConfigFunc) HTTPClientOption {
 return httpClientOptionFunc(func(opts *httpClientOptions) {
 opts.newTLSConfigFunc = newTLSConfigFunc
@@ -683,15 +685,7 @@ func NewRoundTripperFromConfigWithContext(ctx context.Context, cfg HTTPClientCon
 return rt, nil
 }
- if opts.newTLSConfigFunc != nil {
- tlsConfig, err := opts.newTLSConfigFunc()
- if err != nil {
- return nil, err
- }
- return newRT(tlsConfig)
- }
-
- tlsConfig, err := NewTLSConfig(&cfg.TLSConfig, WithSecretManager(opts.secretManager))
+ tlsConfig, err := opts.newTLSConfigFunc(ctx, &cfg.TLSConfig, WithSecretManager(opts.secretManager))
 if err != nil {
 return nil, err
 }
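Review bot: The new doc line `// NewTLSConfigFunc returns tls.Config.` in the first hunk says nothing about the contract, and here the contract is the security property: the function receives the operator-supplied *TLSConfig and options, so an implementation that ignores them and returns its own *tls.Config silently discards whatever verification settings were configured in YAML. Suggest `// NewTLSConfigFunc builds the *tls.Config used by the round tripper from the parsed TLSConfig and options.` followed by `// Implementations must apply the supplied TLSConfig rather than replace it; the default is NewTLSConfigWithContext.` The type is an extension point exposed to embedding programs, so stating that expectation in the doc is the only guard the package has.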
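Review bot: WithNewTLSConfigFunc (second hunk) stores its argument unconditionally, so `WithNewTLSConfigFunc(nil)` now overwrites the NewTLSConfigWithContext default set in this patch's first hunk, and the unguarded call in NewRoundTripperFromConfigWithContext panics on a nil func — the `!= nil` guard the previous commit in this series had at the call site is gone. Either ignore nil in the option, e.g. `if newTLSConfigFunc != nil { opts.newTLSConfigFunc = newTLSConfigFunc }` inside the closure, or add `// Passing nil is not allowed.` to the doc comment and validate at the call site. The option's body continues past the end of this hunk.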
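Review bot: After `tlsConfig, err := opts.newTLSConfigFunc(ctx, &cfg.TLSConfig, WithSecretManager(opts.secretManager))` in the last hunk, the function (which continues outside the hunk, as the earlier patches in this series show) still derives tlsSettings from cfg.TLSConfig and, when those are not immutable, hands both to the file-reloading round tripper. If that round tripper rebuilds CA or certificate material from cfg.TLSConfig on reload, a custom NewTLSConfigFunc is consulted only once at construction and the fields it changed may be overwritten afterwards; I cannot confirm that from this diff, so it is worth a sentence in WithNewTLSConfigFunc's doc and a test that a custom func's result survives a reload. It also deserves noting, perhaps as `// NOTE: a custom newTLSConfigFunc can bypass cfg.TLSConfig entirely; callers are trusted to honor it.`, that this line moves enforcement of the operator's TLS settings from the package to whoever supplies the override.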