mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2025-01-10 15:14:09 +00:00
lib/promauth: add support for tls_config
section at oauth2
config in the same way as Prometheus does
This commit is contained in:
parent
c2b13e6a04
commit
4ade8511e2
2 changed files with 21 additions and 2 deletions
|
@ -19,6 +19,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
|
||||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): reduce `-promscrape.config` reload duration when the config contains big number of jobs (aka [scrape_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) sections) and only a few of them are changed. Previously all the jobs were restarted. Now only the jobs with changed configs are restarted. This should reduce the probability of data miss because of slow config reload. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2270).
|
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): reduce `-promscrape.config` reload duration when the config contains big number of jobs (aka [scrape_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) sections) and only a few of them are changed. Previously all the jobs were restarted. Now only the jobs with changed configs are restarted. This should reduce the probability of data miss because of slow config reload. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2270).
|
||||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): improve service discovery speed for big number of scrape targets. This should help when `vmagent` discovers big number of targets (e.g. thousands) in Kubernetes cluster. The service discovery speed now should scale with the number of CPU cores available to `vmagent`.
|
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): improve service discovery speed for big number of scrape targets. This should help when `vmagent` discovers big number of targets (e.g. thousands) in Kubernetes cluster. The service discovery speed now should scale with the number of CPU cores available to `vmagent`.
|
||||||
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add ability to attach node-level labels and annotations to discovered Kubernetes pod targets in the same way as Prometheus 2.35 does. See [this feature request](https://github.com/prometheus/prometheus/issues/9510) and [this pull request](https://github.com/prometheus/prometheus/pull/10080).
|
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add ability to attach node-level labels and annotations to discovered Kubernetes pod targets in the same way as Prometheus 2.35 does. See [this feature request](https://github.com/prometheus/prometheus/issues/9510) and [this pull request](https://github.com/prometheus/prometheus/pull/10080).
|
||||||
|
* FEATURE: [vmagent](https://docs.victoriametrics.com/vmagent.html): add support for `tls_config` option at `oauth2` section in the same way as Prometheus does.
|
||||||
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
* FEATURE: [vmalert](https://docs.victoriametrics.com/vmalert.html): add support for DNS-based discovery for notifiers in the same way as Prometheus does. See [these docs](https://docs.victoriametrics.com/vmalert.html#notifier-configuration-file) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2460).
|
||||||
* FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
|
* FEATURE: allow specifying TLS cipher suites for incoming https requests via `-tlsCipherSuites` command-line flag. See [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404).
|
||||||
* FEATURE: allow specifying TLS cipher suites for mTLS connections between cluster components via `-cluster.tlsCipherSuites` command-line flag. See [these docs](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
* FEATURE: allow specifying TLS cipher suites for mTLS connections between cluster components via `-cluster.tlsCipherSuites` command-line flag. See [these docs](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html#mtls-protection).
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
|
@ -116,6 +117,7 @@ type OAuth2Config struct {
|
||||||
Scopes []string `yaml:"scopes,omitempty"`
|
Scopes []string `yaml:"scopes,omitempty"`
|
||||||
TokenURL string `yaml:"token_url"`
|
TokenURL string `yaml:"token_url"`
|
||||||
EndpointParams map[string]string `yaml:"endpoint_params,omitempty"`
|
EndpointParams map[string]string `yaml:"endpoint_params,omitempty"`
|
||||||
|
TLSConfig *TLSConfig `yaml:"tls_config,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// String returns string representation of o.
|
// String returns string representation of o.
|
||||||
|
@ -144,6 +146,7 @@ type oauth2ConfigInternal struct {
|
||||||
mu sync.Mutex
|
mu sync.Mutex
|
||||||
cfg *clientcredentials.Config
|
cfg *clientcredentials.Config
|
||||||
clientSecretFile string
|
clientSecretFile string
|
||||||
|
ctx context.Context
|
||||||
tokenSource oauth2.TokenSource
|
tokenSource oauth2.TokenSource
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -168,7 +171,17 @@ func newOAuth2ConfigInternal(baseDir string, o *OAuth2Config) (*oauth2ConfigInte
|
||||||
}
|
}
|
||||||
oi.cfg.ClientSecret = secret
|
oi.cfg.ClientSecret = secret
|
||||||
}
|
}
|
||||||
oi.tokenSource = oi.cfg.TokenSource(context.Background())
|
ac, err := o.NewConfig(baseDir)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("cannot initialize TLS config for OAuth2: %w", err)
|
||||||
|
}
|
||||||
|
c := &http.Client{
|
||||||
|
Transport: &http.Transport{
|
||||||
|
TLSClientConfig: ac.NewTLSConfig(),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
oi.ctx = context.WithValue(context.Background(), oauth2.HTTPClient, c)
|
||||||
|
oi.tokenSource = oi.cfg.TokenSource(oi.ctx)
|
||||||
return oi, nil
|
return oi, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -195,7 +208,7 @@ func (oi *oauth2ConfigInternal) getTokenSource() (oauth2.TokenSource, error) {
|
||||||
return oi.tokenSource, nil
|
return oi.tokenSource, nil
|
||||||
}
|
}
|
||||||
oi.cfg.ClientSecret = newSecret
|
oi.cfg.ClientSecret = newSecret
|
||||||
oi.tokenSource = oi.cfg.TokenSource(context.Background())
|
oi.tokenSource = oi.cfg.TokenSource(oi.ctx)
|
||||||
return oi.tokenSource, nil
|
return oi.tokenSource, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -291,6 +304,11 @@ func (pcc *ProxyClientConfig) NewConfig(baseDir string) (*Config, error) {
|
||||||
return NewConfig(baseDir, pcc.Authorization, pcc.BasicAuth, pcc.BearerToken.String(), pcc.BearerTokenFile, nil, pcc.TLSConfig)
|
return NewConfig(baseDir, pcc.Authorization, pcc.BasicAuth, pcc.BearerToken.String(), pcc.BearerTokenFile, nil, pcc.TLSConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewConfig creates auth config for the given o.
|
||||||
|
func (o *OAuth2Config) NewConfig(baseDir string) (*Config, error) {
|
||||||
|
return NewConfig(baseDir, nil, nil, "", "", nil, o.TLSConfig)
|
||||||
|
}
|
||||||
|
|
||||||
// NewConfig creates auth config from the given args.
|
// NewConfig creates auth config from the given args.
|
||||||
func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, bearerToken, bearerTokenFile string, o *OAuth2Config, tlsConfig *TLSConfig) (*Config, error) {
|
func NewConfig(baseDir string, az *Authorization, basicAuth *BasicAuthConfig, bearerToken, bearerTokenFile string, o *OAuth2Config, tlsConfig *TLSConfig) (*Config, error) {
|
||||||
var getAuthHeader func() string
|
var getAuthHeader func() string
|
||||||
|
|
Loading…
Reference in a new issue