lib/promauth: properly parse string contents for ca, cert and key fields at tls_config

Previously yaml parser wasn't accepting string values for these fields,
because it was mistakenly expecting a list of uint8 values instead.

docs/CHANGELOG.md

@@ -11,6 +11,7 @@ The following `tip` changes can be tested by building VictoriaMetrics components
 
 ## v1.93.x long-time support release (LTS)
 
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly parse `ca`, `cert` and `key` options at `tls_config` section inside [http client settings](https://docs.victoriametrics.com/sd_configs.html#http-api-client-options). Previously string values couldn't be parsed for these options, since the parser was mistakenly expecting a list of `uint8` values instead.
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly drop samples if `-streamAggr.dropInput` command-line flag is set and `-remoteWrite.streamAggr.config` contains an empty file. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5207).
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): do not print redundant error logs when failed to scrape consul or nomad target. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5239).
 

lib/promauth/config.go

@@ -71,11 +71,11 @@ func (s *Secret) String() string {
 //
 // See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config
 type TLSConfig struct {
-	CA                 []byte `yaml:"ca,omitempty"`
+	CA                 string `yaml:"ca,omitempty"`
 	CAFile             string `yaml:"ca_file,omitempty"`
-	Cert               []byte `yaml:"cert,omitempty"`
+	Cert               string `yaml:"cert,omitempty"`
 	CertFile           string `yaml:"cert_file,omitempty"`
-	Key                []byte `yaml:"key,omitempty"`
+	Key                string `yaml:"key,omitempty"`
 	KeyFile            string `yaml:"key_file,omitempty"`
 	ServerName         string `yaml:"server_name,omitempty"`
 	InsecureSkipVerify bool   `yaml:"insecure_skip_verify,omitempty"`
@@ -89,9 +89,9 @@ func (tc *TLSConfig) String() string {
 	if tc == nil {
 		return ""
 	}
-	caHash := xxhash.Sum64(tc.CA)
-	certHash := xxhash.Sum64(tc.Cert)
-	keyHash := xxhash.Sum64(tc.Key)
+	caHash := xxhash.Sum64([]byte(tc.CA))
+	certHash := xxhash.Sum64([]byte(tc.Cert))
+	keyHash := xxhash.Sum64([]byte(tc.Key))
 	return fmt.Sprintf("hash(ca)=%d, ca_file=%q, hash(cert)=%d, cert_file=%q, hash(key)=%d, key_file=%q, server_name=%q, insecure_skip_verify=%v, min_version=%q",
 		caHash, tc.CAFile, certHash, tc.CertFile, keyHash, tc.KeyFile, tc.ServerName, tc.InsecureSkipVerify, tc.MinVersion)
 }
@@ -689,14 +689,14 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 	tctx.serverName = tc.ServerName
 	tctx.insecureSkipVerify = tc.InsecureSkipVerify
 	if len(tc.Key) != 0 || len(tc.Cert) != 0 {
-		cert, err := tls.X509KeyPair(tc.Cert, tc.Key)
+		cert, err := tls.X509KeyPair([]byte(tc.Cert), []byte(tc.Key))
 		if err != nil {
 			return fmt.Errorf("cannot load TLS certificate from the provided `cert` and `key` values: %w", err)
 		}
 		tctx.getTLSCert = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
 			return &cert, nil
 		}
-		h := xxhash.Sum64(tc.Key) ^ xxhash.Sum64(tc.Cert)
+		h := xxhash.Sum64([]byte(tc.Key)) ^ xxhash.Sum64([]byte(tc.Cert))
 		tctx.tlsCertDigest = fmt.Sprintf("digest(key+cert)=%d", h)
 	} else if tc.CertFile != "" || tc.KeyFile != "" {
 		tctx.getTLSCert = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
@@ -717,7 +717,7 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 	}
 	if len(tc.CA) != 0 {
 		tctx.rootCA = x509.NewCertPool()
-		if !tctx.rootCA.AppendCertsFromPEM(tc.CA) {
+		if !tctx.rootCA.AppendCertsFromPEM([]byte(tc.CA)) {
 			return fmt.Errorf("cannot parse data from `ca` value")
 		}
 	} else if tc.CAFile != "" {

lib/promscrape/discovery/kubernetes/kubeconfig.go

@@ -223,7 +223,7 @@ func (cfg *Config) buildKubeConfig() (*kubeConfig, error) {
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode certificate-authority-data from config %q at context %q: %w", clusterInfoName, contextName, err)
 				}
-				tlsConfig.CA = ca
+				tlsConfig.CA = string(ca)
 			}
 			tlsConfig.CertFile = configAuthInfo.ClientCertificate
 			tlsConfig.KeyFile = configAuthInfo.ClientKey
@@ -233,14 +233,14 @@ func (cfg *Config) buildKubeConfig() (*kubeConfig, error) {
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode client-certificate-data from %q: %w", authInfoName, err)
 				}
-				tlsConfig.Cert = cert
+				tlsConfig.Cert = string(cert)
 			}
 			if len(configAuthInfo.ClientKeyData) > 0 {
 				key, err := base64.StdEncoding.DecodeString(configAuthInfo.ClientKeyData)
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode client-key-data from %q: %w", authInfoName, err)
 				}
-				tlsConfig.Key = key
+				tlsConfig.Key = string(key)
 			}
 		}
 		if len(configAuthInfo.Username) > 0 || len(configAuthInfo.Password) > 0 {

lib/promscrape/discovery/kubernetes/kubeconfig_test.go

@@ -30,9 +30,9 @@ func TestParseKubeConfigSuccess(t *testing.T) {
 			expectedConfig: &kubeConfig{
 				server: "https://localhost:6443",
 				tlsConfig: &promauth.TLSConfig{
-					CA:   []byte("authority"),
-					Cert: []byte("certificate"),
-					Key:  []byte("key"),
+					CA:   "authority",
+					Cert: "certificate",
+					Key:  "key",
 				},
 			},
 		},