mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-11-21 14:44:00 +00:00
lib/promauth: add support for tls_config section at oauth2 config in the same way as Prometheus does
This commit is contained in:
Aliaksandr Valialkin
parent
6f79b2b68b
commit
18b14aad8e
2 changed files with 21 additions and 2 deletions
|
|
@ -19,6 +19,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
|
|||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): reduce `-promscrape.config` reload duration when the config contains big number of jobs (aka [scrape_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) sections) and only a few of them are changed. Previously all the jobs were restarted. Now only the jobs with changed configs are restarted. This should reduce the probability of data miss because of slow config reload. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2270).
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): improve service discovery speed for big number of scrape targets. This should help when `vmagent` discovers big number of targets (e.g. thousands) in Kubernetes cluster. The service discovery speed now should scale with the number of CPU cores available to `vmagent`.
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add ability to attach node-level labels and annotations to discovered Kubernetes pod targets in the same way as Prometheus 2.35 does. See [this feature request](https://github.com/prometheus/prometheus/issues/9510) and [this pull request](https://github.com/prometheus/prometheus/pull/10080).
|
||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `tls_config` option at `oauth2` section in the same way as Prometheus does.
|
||||
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
||||
* FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
|
||||
* FEATURE: allow specifying TLS cipher suites for mTLS connections between cluster components via `-cluster.tlsCipherSuites` command-line flag. See [these docs](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import (
|
|||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"sync"
|
||||
|
||||
|
|
@ -116,6 +117,7 @@ type OAuth2Config struct {
|
|||
Scopes []string `yaml:"scopes,omitempty"`
|
||||
TokenURL string `yaml:"token_url"`
|
||||
EndpointParams map[string]string `yaml:"endpoint_params,omitempty"`
|
||||
TLSConfig *TLSConfig `yaml:"tls_config,omitempty"`
|
||||
}
|
||||
|
||||
// String returns string representation of o.
|
||||
|
|
@ -144,6 +146,7 @@ type oauth2ConfigInternal struct {
|
|||
mu sync.Mutex
|
||||
cfg *clientcredentials.Config
|
||||
clientSecretFile string
|
||||
ctx context.Context
|
||||
tokenSource oauth2.TokenSource
|
||||
}
|
||||
|
||||
|
|
@ -168,7 +171,17 @@ func newOAuth2ConfigInternal(baseDir string, o *OAuth2Config) (*oauth2ConfigInte
|
|||
}
|
||||
oi.cfg.ClientSecret = secret
|
||||
}
|
||||
oi.tokenSource = oi.cfg.TokenSource(context.Background())
|
||||
ac, err := o.NewConfig(baseDir)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot initialize TLS config for OAuth2: %w", err)
|
||||
}
|
||||
c := &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: ac.NewTLSConfig(),
|
||||
},
|
||||
}
|
||||
oi.ctx = context.WithValue(context.Background(), oauth2.HTTPClient, c)
|
||||
oi.tokenSource = oi.cfg.TokenSource(oi.ctx)
|
||||
return oi, nil
|
||||
}
|
||||
|
||||
|
|
@ -195,7 +208,7 @@ func (oi *oauth2ConfigInternal) getTokenSource() (oauth2.TokenSource, error) {
|
|||
return oi.tokenSource, nil
|
||||
}
|
||||
oi.cfg.ClientSecret = newSecret
|
||||
oi.tokenSource = oi.cfg.TokenSource(context.Background())
|
||||
oi.tokenSource = oi.cfg.TokenSource(oi.ctx)
|
||||
return oi.tokenSource, nil
|
||||
}
|
||||
|
||||
|
|
@ -291,6 +304,11 @@ func (pcc *ProxyClientConfig) NewConfig(baseDir string) (*Config, error) {
|
|||
return NewConfig(baseDir, pcc.Authorization, pcc.BasicAuth, pcc.BearerToken.String(), pcc.BearerTokenFile, nil, pcc.TLSConfig)
|
||||
}
|
||||
|
||||
// NewConfig creates auth config for the given o.
|
||||
func (o *OAuth2Config) NewConfig(baseDir string) (*Config, error) {
|
||||
return NewConfig(baseDir, nil, nil, "", "", nil, o.TLSConfig)
|
||||
}
|
||||
|
||||
// NewConfig creates auth config from the given args.
|
||||
func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, bearerToken, bearerTokenFile string, o *OAuth2Config, tlsConfig *TLSConfig) (*Config, error) {
|
||||
var getAuthHeader func() string
|
||||
|
|
|
|||
Loading…
Reference in a new issue