Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(inputs/kube_inventory): set TLS server name config properly #9975

Merged
merged 1 commit into from
Dec 7, 2021

Conversation

slai
Copy link
Contributor

@slai slai commented Oct 21, 2021

The TLS config currently always sets the ServerName to the same as the baseURL. A URL is not a valid value, e.g. https://kubernetes.example.com:6443 is not a valid ServerName value; the matching ServerName value should be kubernetes.example.com.

This results in an error like -

2021-10-21T12:15:40Z E! [inputs.kube_inventory] Error in plugin: Get "https://kubernetes.example.com:6443/apis/apps/v1/namespaces/default/deployments": x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, kubernetes.example.com, not https://kubernetes.example.com:6443

The ServerName value is not read from config, so I'm not sure why this currently works for anyone using HTTPS, unless they disable TLS verification through the insecure_skip_verify setting. (Or if SNI is not required?)

The fix is to set ServerName to the tls_server_name config value if set, otherwise leave it blank, in which case, it will automatically use the hostname (https://github.com/kubernetes/client-go/blob/master/rest/config.go#L219).

I can confirm that the inputs/kubernetes plugin does this (although it doesn't use the k8s client-go library), and it works properly by passing through the tls_server_name value or leaving it blank.

@telegraf-tiger telegraf-tiger bot added the fix pr to fix corresponding bug label Oct 21, 2021
The TLS config currently always sets the ServerName to the same as the baseURL. A URL is not a valid value, e.g. `https://kubernetes.example.com:6443` is not a valid ServerName value; the matching ServerName value should be `kubernetes.example.com`.

This results in an error like -

```
2021-10-21T12:15:40Z E! [inputs.kube_inventory] Error in plugin: Get "https://kubernetes.example.com:6443/apis/apps/v1/namespaces/default/deployments": x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, kubernetes.example.com, not https://kubernetes.example.com:6443
```

The ServerName value is not read from config, so I'm not sure why this currently works for anyone, unless they disable TLS verification through the `insecure_skip_verify` setting.

The fix is to set ServerName to the `tls_server_name` config value if set, otherwise leave it blank, in which case, it will automatically use the hostname (https://github.com/kubernetes/client-go/blob/master/rest/config.go#L219).

I can confirm that the inputs/kubernetes plugin does this (although it doesn't use the k8s client-go library), and it works properly by passing through the `tls_server_name` value or leaving it blank.
@slai slai force-pushed the kube_inventory_tls_server_name branch from d49b19f to fa60fb9 Compare October 21, 2021 21:49
@telegraf-tiger
Copy link
Contributor

⚠️ This pull request increases the Telegraf binary size by 3.25 % for linux amd64 (new size: 131.4 MB, nightly size 127.2 MB)

📦 Looks like new artifacts were built from this PR.

Expand this list to get them here! 🐯

Artifact URLs

DEB RPM TAR GZ ZIP
amd64.deb aarch64.rpm darwin_amd64.tar.gz windows_amd64.zip
arm64.deb armel.rpm freebsd_amd64.tar.gz windows_i386.zip
armel.deb armv6hl.rpm freebsd_armv7.tar.gz
armhf.deb i386.rpm freebsd_i386.tar.gz
i386.deb ppc64le.rpm linux_amd64.tar.gz
mips.deb s390x.rpm linux_arm64.tar.gz
mipsel.deb x86_64.rpm linux_armel.tar.gz
ppc64el.deb linux_armhf.tar.gz
s390x.deb linux_i386.tar.gz
linux_mips.tar.gz
linux_mipsel.tar.gz
linux_ppc64le.tar.gz
linux_s390x.tar.gz
static_linux_amd64.tar.gz

Copy link
Contributor

@sspaink sspaink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for fixing this, lgtm!

@sspaink sspaink added the ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. label Dec 3, 2021
@MyaLongmire MyaLongmire merged commit 2fdf223 into influxdata:master Dec 7, 2021
MyaLongmire pushed a commit that referenced this pull request Dec 8, 2021
phemmer added a commit to phemmer/telegraf that referenced this pull request Feb 18, 2022
* origin/master: (133 commits)
  chore: restart service if it is already running and upgraded via RPM (influxdata#9970)
  feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10237)
  fix: Handle duplicate registration of protocol-buffer files gracefully. (influxdata#10188)
  fix(http_listener_v2): fix panic on close (influxdata#10132)
  feat: add Vault input plugin (influxdata#10198)
  feat: support aws managed service for prometheus (influxdata#10202)
  fix: Make telegraf compile on Windows with golang 1.16.2 (influxdata#10246)
  Update changelog
  feat: Modbus add per-request tags (influxdata#10231)
  fix: Implement NaN and inf handling for elasticsearch output (influxdata#10196)
  feat: add nomad input plugin (influxdata#10106)
  fix: Print loaded plugins and deprecations for once and test (influxdata#10205)
  fix: eliminate MIB dependency for ifname processor (influxdata#10214)
  feat: Optimize locking for SNMP MIBs loading. (influxdata#10206)
  feat: Add SMART plugin concurrency configuration option, nvme-cli v1.14+ support and lint fixes. (influxdata#10150)
  feat: update configs (influxdata#10236)
  fix(inputs/kube_inventory): set TLS server name config properly (influxdata#9975)
  fix: Sudden close of Telegraf caused by OPC UA input plugin (influxdata#10230)
  fix: bump github.com/eclipse/paho.mqtt.golang from 1.3.0 to 1.3.5 (influxdata#9913)
  fix: json_v2 parser timestamp setting (influxdata#10221)
  fix: ensure graylog spec fields not prefixed with '_' (influxdata#10209)
  docs: remove duplicate links in CONTRIBUTING.md (influxdata#10218)
  fix: pool detection and metrics gathering for ZFS >= 2.1.x (influxdata#10099)
  fix: parallelism fix for ifname processor (influxdata#10007)
  chore: Forbids "log" package only for aggregators, inputs, outputs, parsers and processors (influxdata#10191)
  docs: address documentation gap when running telegraf in k8s (influxdata#10215)
  feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10211)
  fix: mqtt topic extracting no longer requires all three fields (influxdata#10208)
  fix: windows service - graceful shutdown of telegraf (influxdata#9616)
  feat: update etc/telegraf.conf and etc/telegraf_windows.conf (influxdata#10201)
  feat: Modbus support multiple slaves (gateway feature) (influxdata#9279)
  fix: Revert unintented corruption of the Makefile from influxdata#10200. (influxdata#10203)
  chore: remove triggering update-config bot in CI (influxdata#10195)
  Update changelog
  feat: Implement deprecation infrastructure (influxdata#10200)
  fix: extra lock on init for safety (influxdata#10199)
  fix: resolve influxdata#10027 (influxdata#10112)
  fix: register bigquery to output plugins influxdata#10177 (influxdata#10178)
  fix: sysstat use unique temp file vs hard-coded (influxdata#10165)
  refactor: snmp to use gosmi (influxdata#9518)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fix pr to fix corresponding bug ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants