lib/promauth: properly parse string contents for ca, cert and key fields at tls_config

Previously yaml parser wasn't accepting string values for these fields,
because it was mistakenly expecting a list of uint8 values instead.

docs/CHANGELOG.md

@@ -64,6 +64,7 @@ The sandbox cluster installation is running under the constant load generated by
 * BUGFIX: [vmbackup](https://docs.victoriametrics.com/vmbackup.html): fix error when creating an incremental backup with the `-origin` command-line flag. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5144) for details.
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): fix vmagent ignoring configuration reload for streaming aggregation if it was started with empty streaming aggregation config. Thanks to @aluode99 for the [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5178).
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): don't send requests if there is wrong auth config in `scrape_configs` and `remoteWrite` section, previously will send requests without auth header. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5153).
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly parse `ca`, `cert` and `key` options at `tls_config` section inside [http client settings](https://docs.victoriametrics.com/sd_configs.html#http-api-client-options). Previously string values couldn't be parsed for these options, since the parser was mistakenly expecting a list of `uint8` values instead.
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent.html): properly drop samples if `-streamAggr.dropInput` command-line flag is set and `-remoteWrite.streamAggr.config` contains an empty file. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5207).
 * BUGFIX: [vmstorage](https://docs.victoriametrics.com/Cluster-VictoriaMetrics.html): prevent deleted series to be searchable via `/api/v1/series` API if they were re-ingested with staleness markers. This situation could happen if user deletes the series from the target and from VM, and then vmagent sends stale markers for absent series. Thanks to @ilyatrefilov for the [issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5069) and [pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5174).
 

lib/promauth/config.go

@@ -70,11 +70,11 @@ func (s *Secret) String() string {
 //
 // See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config
 type TLSConfig struct {
-	CA                 []byte `yaml:"ca,omitempty"`
+	CA                 string `yaml:"ca,omitempty"`
 	CAFile             string `yaml:"ca_file,omitempty"`
-	Cert               []byte `yaml:"cert,omitempty"`
+	Cert               string `yaml:"cert,omitempty"`
 	CertFile           string `yaml:"cert_file,omitempty"`
-	Key                []byte `yaml:"key,omitempty"`
+	Key                string `yaml:"key,omitempty"`
 	KeyFile            string `yaml:"key_file,omitempty"`
 	ServerName         string `yaml:"server_name,omitempty"`
 	InsecureSkipVerify bool   `yaml:"insecure_skip_verify,omitempty"`
@@ -88,9 +88,9 @@ func (tc *TLSConfig) String() string {
 	if tc == nil {
 		return ""
 	}
-	caHash := xxhash.Sum64(tc.CA)
-	certHash := xxhash.Sum64(tc.Cert)
-	keyHash := xxhash.Sum64(tc.Key)
+	caHash := xxhash.Sum64([]byte(tc.CA))
+	certHash := xxhash.Sum64([]byte(tc.Cert))
+	keyHash := xxhash.Sum64([]byte(tc.Key))
 	return fmt.Sprintf("hash(ca)=%d, ca_file=%q, hash(cert)=%d, cert_file=%q, hash(key)=%d, key_file=%q, server_name=%q, insecure_skip_verify=%v, min_version=%q",
 		caHash, tc.CAFile, certHash, tc.CertFile, keyHash, tc.KeyFile, tc.ServerName, tc.InsecureSkipVerify, tc.MinVersion)
 }
@@ -698,14 +698,14 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 	tctx.serverName = tc.ServerName
 	tctx.insecureSkipVerify = tc.InsecureSkipVerify
 	if len(tc.Key) != 0 || len(tc.Cert) != 0 {
-		cert, err := tls.X509KeyPair(tc.Cert, tc.Key)
+		cert, err := tls.X509KeyPair([]byte(tc.Cert), []byte(tc.Key))
 		if err != nil {
 			return fmt.Errorf("cannot load TLS certificate from the provided `cert` and `key` values: %w", err)
 		}
 		tctx.getTLSCert = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
 			return &cert, nil
 		}
-		h := xxhash.Sum64(tc.Key) ^ xxhash.Sum64(tc.Cert)
+		h := xxhash.Sum64([]byte(tc.Key)) ^ xxhash.Sum64([]byte(tc.Cert))
 		tctx.tlsCertDigest = fmt.Sprintf("digest(key+cert)=%d", h)
 	} else if tc.CertFile != "" || tc.KeyFile != "" {
 		tctx.getTLSCert = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
@@ -726,7 +726,7 @@ func (tctx *tlsContext) initFromTLSConfig(baseDir string, tc *TLSConfig) error {
 	}
 	if len(tc.CA) != 0 {
 		tctx.rootCA = x509.NewCertPool()
-		if !tctx.rootCA.AppendCertsFromPEM(tc.CA) {
+		if !tctx.rootCA.AppendCertsFromPEM([]byte(tc.CA)) {
 			return fmt.Errorf("cannot parse data from `ca` value")
 		}
 	} else if tc.CAFile != "" {

lib/promscrape/discovery/kubernetes/kubeconfig.go

@@ -223,7 +223,7 @@ func (cfg *Config) buildKubeConfig() (*kubeConfig, error) {
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode certificate-authority-data from config %q at context %q: %w", clusterInfoName, contextName, err)
 				}
-				tlsConfig.CA = ca
+				tlsConfig.CA = string(ca)
 			}
 			tlsConfig.CertFile = configAuthInfo.ClientCertificate
 			tlsConfig.KeyFile = configAuthInfo.ClientKey
@@ -233,14 +233,14 @@ func (cfg *Config) buildKubeConfig() (*kubeConfig, error) {
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode client-certificate-data from %q: %w", authInfoName, err)
 				}
-				tlsConfig.Cert = cert
+				tlsConfig.Cert = string(cert)
 			}
 			if len(configAuthInfo.ClientKeyData) > 0 {
 				key, err := base64.StdEncoding.DecodeString(configAuthInfo.ClientKeyData)
 				if err != nil {
 					return nil, fmt.Errorf("cannot base64-decode client-key-data from %q: %w", authInfoName, err)
 				}
-				tlsConfig.Key = key
+				tlsConfig.Key = string(key)
 			}
 		}
 		if len(configAuthInfo.Username) > 0 || len(configAuthInfo.Password) > 0 {

lib/promscrape/discovery/kubernetes/kubeconfig_test.go

@@ -30,9 +30,9 @@ func TestParseKubeConfigSuccess(t *testing.T) {
 			expectedConfig: &kubeConfig{
 				server: "https://localhost:6443",
 				tlsConfig: &promauth.TLSConfig{
-					CA:   []byte("authority"),
-					Cert: []byte("certificate"),
-					Key:  []byte("key"),
+					CA:   "authority",
+					Cert: "certificate",
+					Key:  "key",
 				},
 			},
 		},