TLS certificates (#143)

It adds options and the eventual usage for client certificates. It is useful for supporting the mTLS use case. Check the following docs for the details: - https://prometheus.io/docs/guides/tls-encryption - https://www.cloudflare.com/learning/access-management/what-is-mutual-tls --------- Co-authored-by: Raoel Oomen <Raoel.Oomen@topicus.nl>

Author: codebien

pkg/remotewrite/config.go

@@ -41,6 +41,16 @@ type Config struct {
 // Password is the Password for the Basic Auth.
 Password null.String `json:"password"`
 
+// ClientCertificate is the public key of the SSL certificate.
+// It is expected the path of the certificate on the file system.
+// If it is required a dedicated Certifacate Authority then it should be added
+// to the conventional folders defined by the operating system's registry.
+ClientCertificate null.String `json:"clientCertificate"`
+
+// ClientCertificateKey is the private key of the SSL certificate.
+// It is expected the path of the certificate on the file system.
+ClientCertificateKey null.String `json:"clientCertificateKey"`
+
 // BearerToken if set is the token used for the `Authorization` header.
 BearerToken null.String `json:"bearerToken"`
 
@@ -92,6 +102,14 @@ func (conf Config) RemoteConfig() (*remote.HTTPConfig, error) {
 InsecureSkipVerify: conf.InsecureSkipTLSVerify.Bool, //nolint:gosec
 }
 
+if conf.ClientCertificate.Valid && conf.ClientCertificateKey.Valid {
+cert, err := tls.LoadX509KeyPair(conf.ClientCertificate.String, conf.ClientCertificateKey.String)
+if err != nil {
+return nil, fmt.Errorf("failed to load the TLS certificate: %w", err)
+}
+hc.TLSConfig.Certificates = []tls.Certificate{cert}
+}
+
 if len(conf.Headers) > 0 {
 hc.Headers = make(http.Header)
 for k, v := range conf.Headers {
@@ -150,6 +168,14 @@ func (conf Config) Apply(applied Config) Config {
 copy(conf.TrendStats, applied.TrendStats)
 }
 
+if applied.ClientCertificate.Valid {
+conf.ClientCertificate = applied.ClientCertificate
+}
+
+if applied.ClientCertificateKey.Valid {
+conf.ClientCertificateKey = applied.ClientCertificateKey
+}
+
 return conf
 }
 
@@ -242,6 +268,14 @@ func parseEnvs(env map[string]string) (Config, error) {
 c.Password = null.StringFrom(password)
 }
 
+if clientCertificate, certDefined := env["K6_PROMETHEUS_RW_CLIENT_CERTIFICATE"]; certDefined {
+c.ClientCertificate = null.StringFrom(clientCertificate)
+}
+
+if clientCertificateKey, certDefined := env["K6_PROMETHEUS_RW_CLIENT_CERTIFICATE_KEY"]; certDefined {
+c.ClientCertificateKey = null.StringFrom(clientCertificateKey)
+}
+
 envHeaders := getEnvMap(env, "K6_PROMETHEUS_RW_HEADERS_")
 for k, v := range envHeaders {
 c.Headers[k] = v
@@ -324,6 +358,11 @@ func parseArg(text string) (Config, error) {
 //c.TrendStats = strings.Split(v, ",")
 //}
 
+case "clientCertificate":
+c.ClientCertificate = null.StringFrom(v)
+case "clientCertificateKey":
+c.ClientCertificateKey = null.StringFrom(v)
+
 default:
 if !strings.HasPrefix(key, "headers.") {
 return c, fmt.Errorf("%q is an unknown option's key", r[0])

pkg/remotewrite/config_test.go

@@ -86,6 +86,19 @@ func TestConfigRemoteConfig(t *testing.T) {
 assert.Equal(t, exprcc, rcc)
 }
 
+func TestConfigRemoteConfigClientCertificateError(t *testing.T) {
+t.Parallel()
+
+config := Config{
+ClientCertificate: null.StringFrom("bad-cert-value"),
+ClientCertificateKey: null.StringFrom("bad-cert-key"),
+}
+
+rcc, err := config.RemoteConfig()
+assert.ErrorContains(t, err, "TLS certificate")
+assert.Nil(t, rcc)
+}
+
 func TestGetConsolidatedConfig(t *testing.T) {
 t.Parallel()
 
@@ -369,6 +382,41 @@ func TestOptionBasicAuth(t *testing.T) {
 }
 }
 
+func TestOptionClientCertificate(t *testing.T) {
+t.Parallel()
+
+cases := map[string]struct {
+arg string
+env map[string]string
+jsonRaw json.RawMessage
+}{
+"JSON": {jsonRaw: json.RawMessage(`{"clientCertificate":"client.crt","clientCertificateKey":"client.key"}`)},
+"Env": {env: map[string]string{"K6_PROMETHEUS_RW_CLIENT_CERTIFICATE": "client.crt", "K6_PROMETHEUS_RW_CLIENT_CERTIFICATE_KEY": "client.key"}},
+}
+
+expconfig := Config{
+ServerURL: null.StringFrom("http://localhost:9090/api/v1/write"),
+InsecureSkipTLSVerify: null.BoolFrom(false),
+PushInterval: types.NullDurationFrom(5 * time.Second),
+Headers: make(map[string]string),
+TrendStats: []string{"p(99)"},
+ClientCertificate: null.StringFrom("client.crt"),
+ClientCertificateKey: null.StringFrom("client.key"),
+StaleMarkers: null.BoolFrom(false),
+}
+
+for name, tc := range cases {
+tc := tc
+t.Run(name, func(t *testing.T) {
+t.Parallel()
+c, err := GetConsolidatedConfig(
+tc.jsonRaw, tc.env, tc.arg)
+require.NoError(t, err)
+assert.Equal(t, expconfig, c)
+})
+}
+}
+
 func TestOptionTrendAsNativeHistogram(t *testing.T) {
 t.Parallel()
 
@@ -417,8 +465,6 @@ func TestOptionPushInterval(t *testing.T) {
 }{
 "JSON": {jsonRaw: json.RawMessage(`{"pushInterval":"1m2s"}`)},
 "Env": {env: map[string]string{"K6_PROMETHEUS_RW_PUSH_INTERVAL": "1m2s"}},
-//nolint:gocritic
-//"Arg": {arg: "pushInterval=1m2s"},
 }
 
 expconfig := Config{