Merge pull request kbudde#143 from SilentEight/master

Add support for loading client certificate and key file
chicknsoup · Sep 18, 2019 · 4b85bef · 4b85bef
2 parents 0e9ca10 + 8bb0891
commit 4b85bef
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,8 @@ PUBLISH_ADDR | "" | Listening host/IP for the exporter
 OUTPUT_FORMAT | TTY | Log ouput format. TTY and JSON are suported
 LOG_LEVEL | info | log level. possible values: "debug", "info", "warning", "error", "fatal", or "panic"
 CAFILE | ca.pem | path to root certificate for access management plugin. Just needed if self signed certificate is used. Will be ignored if the file does not exist
+CERTFILE | client-cert.pem | path to client certificate used to verify the exporter's authenticity. Will be ignored if the file does not exist
+KEYFILE | client-key.pem | path to private key used with certificate to verify the exporter's authenticity. Will be ignored if the file does not exist
 SKIPVERIFY | false | true/0 will ignore certificate errors of the management plugin
 SKIP_VHOST | ^$ |regex, matching vhost names are not exported. First performs INCLUDE_VHOST, then SKIP_VHOST
 INCLUDE_VHOST | .* | regex vhost filter. Only queues in matching vhosts are exported

diff --git a/config.go b/config.go
@@ -19,6 +19,8 @@ var (
 		PublishAddr:        "",
 		OutputFormat:       "TTY", //JSON
 		CAFile:             "ca.pem",
+		CertFile:           "client-cert.pem",
+		KeyFile:            "client-key.pem",
 		InsecureSkipVerify: false,
 		ExcludeMetrics:     []string{},
 		SkipQueues:         regexp.MustCompile("^$"),
@@ -40,6 +42,8 @@ type rabbitExporterConfig struct {
 	PublishAddr        string
 	OutputFormat       string
 	CAFile             string
+	CertFile           string
+	KeyFile            string
 	InsecureSkipVerify bool
 	ExcludeMetrics     []string
 	SkipQueues         *regexp.Regexp
@@ -125,6 +129,12 @@ func initConfig() {
 	if cafile := os.Getenv("CAFILE"); cafile != "" {
 		config.CAFile = cafile
 	}
+	if certfile := os.Getenv("CERTFILE"); certfile != "" {
+		config.CertFile = certfile
+	}
+	if keyfile := os.Getenv("KEYFILE"); keyfile != "" {
+		config.KeyFile = keyfile
+	}
 	if insecureSkipVerify := os.Getenv("SKIPVERIFY"); insecureSkipVerify == "true" || insecureSkipVerify == "1" || insecureSkipVerify == "TRUE" {
 		config.InsecureSkipVerify = true
 	}

diff --git a/main.go b/main.go
@@ -53,6 +53,8 @@ func main() {
 		"RABBIT_CAPABILITIES": formatCapabilities(config.RabbitCapabilities),
 		"RABBIT_EXPORTERS":    config.EnabledExporters,
 		"CAFILE":              config.CAFile,
+		"CERTFILE":            config.CertFile,
+		"KEYFILE":             config.KeyFile,
 		"SKIPVERIFY":          config.InsecureSkipVerify,
 		"EXCLUDE_METRICS":     config.ExcludeMetrics,
 		"SKIP_QUEUES":         config.SkipQueues.String(),

diff --git a/rabbitClient.go b/rabbitClient.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"io/ioutil"
 	"net/http"
+	"os"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -38,6 +39,20 @@ func initClient() {
 		},
 	}
 
+	_, errCertFile := os.Stat(config.CertFile)
+	_, errKeyFile := os.Stat(config.KeyFile)
+	if errCertFile == nil && errKeyFile == nil {
+		log.Info("Using client certificate: " + config.CertFile + " and key: " + config.KeyFile)
+		if cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile); err == nil {
+			tr.TLSClientConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
+		} else {
+			log.WithField("certFile", config.CertFile).
+				WithField("keyFile", config.KeyFile).
+				Error("Loading client certificate and key failed: ", err)
+		}
+	}
+
 	client = &http.Client{
 		Transport: tr,
 		Timeout:   time.Duration(config.Timeout) * time.Second,