add mtls client auth (#2)

client.go

@@ -14,13 +14,11 @@ type Client struct {
 	repository string
 }
 
-func NewClient(addresses []string, repository string, insecure bool) (*Client, error) {
+func NewClient(addresses []string, repository string, tlsClientConfig *tls.Config) (*Client, error) {
 	cfg := elasticsearch.Config{
 		Addresses: addresses,
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: insecure,
-			},
+			TLSClientConfig: tlsClientConfig,
 		},
 	}
 

main.go

@@ -55,9 +55,14 @@ var (
 	repository = kingpin.Flag("repository",
 		"Elasticsearch snapshot repository name.",
 	).Default("s3-backup").String()
-	insecure = kingpin.Flag("insecure",
-		"Allow insecure server connections when using SSL.",
-	).Default("false").Bool()
+	cacert = kingpin.Flag("ca-cert", "Path to PEM file that contains trusted Certificate Authorities for the Elasticsearch connection.").
+		Default("").String()
+	clientcert = kingpin.Flag("client-cert", "Path to PEM file that contains the corresponding cert for the private key to connect to Elasticsearch.").
+			Default("").String()
+	clientkey = kingpin.Flag("client-key", "Path to PEM file that contains the private key for client auth when connecting to Elasticsearch.").
+			Default("").String()
+	insecure = kingpin.Flag("insecure", "Skip SSL verification when connecting to Elasticsearch.").
+			Default("false").Bool()
 	threads = kingpin.Flag("threads",
 		"Number of concurrent http requests to Elasticsearch.",
 	).Default("2").Int()
@@ -148,7 +153,8 @@ func main() {
 
 func getMetrics() error {
 	log.Info("Fetching data from: ", *address)
-	client, err := NewClient([]string{*address}, *repository, *insecure)
+	tlsClientConfig := createTLSConfig(*cacert, *clientcert, *clientkey, *insecure)
+	client, err := NewClient([]string{*address}, *repository, tlsClientConfig)
 	if err != nil {
 		return fmt.Errorf("error creating the client: %v", err)
 	}
@@ -229,7 +235,8 @@ func getLabelValues(snapshot map[string]interface{}) (values []string) {
 }
 
 func connectionCheck() error {
-	client, err := NewClient([]string{*address}, *repository, *insecure)
+	tlsClientConfig := createTLSConfig(*cacert, *clientcert, *clientkey, *insecure)
+	client, err := NewClient([]string{*address}, *repository, tlsClientConfig)
 	if err != nil {
 		return fmt.Errorf("error creating the client: %v", err)
 	}

tls.go

@@ -0,0 +1,68 @@
+// Copyright 2021 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+)
+
+func createTLSConfig(pemFile, pemCertFile, pemPrivateKeyFile string, insecureSkipVerify bool) *tls.Config {
+	tlsConfig := tls.Config{}
+	if insecureSkipVerify {
+		// pem settings are irrelevant if we're skipping verification anyway
+		tlsConfig.InsecureSkipVerify = true
+	}
+	if len(pemFile) > 0 {
+		rootCerts, err := loadCertificatesFrom(pemFile)
+		if err != nil {
+			log.Fatalf("Couldn't load root certificate from %s. Got %s.", pemFile, err)
+			return nil
+		}
+		tlsConfig.RootCAs = rootCerts
+	}
+	if len(pemCertFile) > 0 && len(pemPrivateKeyFile) > 0 {
+		// Load files once to catch configuration error early.
+		_, err := loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		if err != nil {
+			log.Fatalf("Couldn't setup client authentication. Got %s.", err)
+			return nil
+		}
+		// Define a function to load certificate and key lazily at TLS handshake to
+		// ensure that the latest files are used in case they have been rotated.
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile)
+		}
+	}
+	return &tlsConfig
+}
+
+func loadCertificatesFrom(pemFile string) (*x509.CertPool, error) {
+	caCert, err := ioutil.ReadFile(pemFile)
+	if err != nil {
+		return nil, err
+	}
+	certificates := x509.NewCertPool()
+	certificates.AppendCertsFromPEM(caCert)
+	return certificates, nil
+}
+
+func loadPrivateKeyFrom(pemCertFile, pemPrivateKeyFile string) (*tls.Certificate, error) {
+	privateKey, err := tls.LoadX509KeyPair(pemCertFile, pemPrivateKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	return &privateKey, nil
+}